0x01. NetLocalGroupGetMembers

Function: Query the members of a local group on the target server (e.g. the local Administrators group)

0x02. NetLocalGroupEnum

Function: Return all local groups on the specified server


0x03. NetGroupGetUsers

Function: Return all members of the specified group on the specified server

Queries the members of each group in the domain; the IP given must be a domain controller's IP

0x04. NetUserEnum

Function: Query all users on the target server, including hidden users

0x05. WNetAddConnection2A

Function: Establish an IPC connection, which can map a shared directory on the target to a local drive

0x06. WNetCancelConnection2

Function: Cancel (delete) an IPC connection

0x07. EnuDomainUser

Function: Enumerate domain users

1. Introduction

Applicable to: the current foothold is a workgroup machine; tools such as nltest or nbtscan show that the intranet has a domain environment and reveal the domain controller's IP, but no domain-user credentials are available.

Prerequisite: a null session (empty connection) to the domain controller can be established

Implementation principle: a domain always has a default Administrator account. The tool looks up the SID of the domain Administrator through the Windows API, then iterates over a range of SIDs and enumerates the domain members (domain users and domain computers) it finds.

SID range: the SIDs (RIDs) of domain users and domain computers are generally above 1000, so when using the tool, traverse SIDs from 1000 upwards

2. Tool usage

Help:

C:\Users\Administrator\Desktop>EnuDomainUser.exe

Usage: EnuDomainUser.exe DC-IP domainname\username start Sid end Sid t_num

EnuDomainUser.exe \\192.168.52.2 hack\administrator 1000 2000 100

EnuDomainUser.exe \\<domain controller IP> <domain name>\<domain user name, default administrator> <start SID> <end SID> <thread count>

Usage demo:

EnuDomainUser.exe 192.168.52.2 hack\administrator 1000 2000 100

Parameter explanation:

192.168.52.2 is the domain controller IP

hack is the domain name

administrator is the default domain admin user

1000 is the start of the SID traversal

2000 is the end of the SID traversal; it can be set higher, e.g. 10000 or 20000

100 is the number of threads

0x08. BlastDomainUserPwd

Function: Brute-force domain user passwords

1. Introduction

Connects via IPC and brute-forces domain user passwords

Combine it with the EnuDomainUser tool or kerbrute to obtain a list of domain user names, then brute-force

If it is flagged by 360, just rename the exe

Design ideas:

If a null session to the domain controller can be established, use the EnuDomainUser tool to enumerate all domain user names

If a null session to the domain controller cannot be established, use kerbrute to brute-force domain user names

After obtaining a batch of domain user names, start trying weak passwords against them

If the domain password policy requires complexity, try common "strong" passwords such as P@ssw0rd or 1qaz@WSX

2. Tool usage

Usage: BlastDomainUserPwd.exe domainComputerIp domainUser.txt password t_num

BlastDomainUserPwd.exe \\192.168.52.29 domainUser.txt password 100

BlastDomainUserPwd.exe \\<domain machine IP> <domain user name dictionary> <password to try> <thread count>

Domain user name dictionary format: <domain name>\<domain user name>, e.g.

domain\user

Running example: BlastDomainUserPwd.exe \\192.168.52.2 domainUser.txt 1qaz@WSX 3

Domain user passwords that are successfully guessed are saved to success.txt in the current directory
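The IPC password spray described above leaves a recognisable trail: a burst of failed logons for many different accounts from one source address within a few seconds, which is the opposite shape of a normal user mistyping a password. The following detection is an added example for this post, not code from the BlastDomainUserPwd tool or any product; it runs over constructed event records normalised from the fields of Security event 4625 (failed logon), and the thresholds are assumptions for the demo.

```python
"""Spot the Security-log footprint of a password-spraying run: one password
tried against many accounts from a single source in a short interval.

Added example for this post; it is not code from the BlastDomainUserPwd tool.
The records below are constructed in the shape of Event ID 4625 (failed logon)
and 4624 (successful logon) fields, already normalised to small dicts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS sub-status values that 4625 reports for the two common failure causes.
STATUS_NO_SUCH_USER = "0xC0000064"    # account name does not exist
STATUS_WRONG_PASSWORD = "0xC000006A"  # account exists, password wrong

# Constructed sample: a spray from 10.0.0.5 hitting six accounts in six seconds
# (one of which does not exist), plus a real user mistyping twice from 10.0.0.9.
SAMPLE_EVENTS = [
    {"time": "2023-03-23T15:10:00", "event_id": 4625, "user": "hack\\bob",   "src": "10.0.0.9", "status": STATUS_WRONG_PASSWORD},
    {"time": "2023-03-23T15:10:07", "event_id": 4625, "user": "hack\\bob",   "src": "10.0.0.9", "status": STATUS_WRONG_PASSWORD},
    {"time": "2023-03-23T15:10:30", "event_id": 4624, "user": "hack\\bob",   "src": "10.0.0.9", "status": "0x0"},
    {"time": "2023-03-23T15:11:20", "event_id": 4625, "user": "hack\\alice", "src": "10.0.0.5", "status": STATUS_WRONG_PASSWORD},
    {"time": "2023-03-23T15:11:21", "event_id": 4625, "user": "hack\\bob",   "src": "10.0.0.5", "status": STATUS_WRONG_PASSWORD},
    {"time": "2023-03-23T15:11:22", "event_id": 4625, "user": "hack\\carol", "src": "10.0.0.5", "status": STATUS_WRONG_PASSWORD},
    {"time": "2023-03-23T15:11:23", "event_id": 4625, "user": "hack\\dave",  "src": "10.0.0.5", "status": STATUS_NO_SUCH_USER},
    {"time": "2023-03-23T15:11:24", "event_id": 4625, "user": "hack\\erin",  "src": "10.0.0.5", "status": STATUS_WRONG_PASSWORD},
    {"time": "2023-03-23T15:11:25", "event_id": 4625, "user": "hack\\frank", "src": "10.0.0.5", "status": STATUS_WRONG_PASSWORD},
]


def detect_spray(events, window=timedelta(seconds=60), min_users=5):
    """Return one alert per source address that fails logons for at least
    `min_users` distinct accounts inside some `window`-long interval.

    A brute force against a single account is a different pattern (many
    failures, one user) and is left to lockout policy, so it is not flagged.
    """
    # Group failed logons by source address as (time, user, sub-status) tuples.
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["src"]].append(
                (datetime.fromisoformat(ev["time"]), ev["user"].lower(), ev["status"]))

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        best = None
        left = 0
        # Sliding window over the time-sorted attempts; keep the widest hit.
        for right in range(len(attempts)):
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            span = attempts[left:right + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "src": src,
                    "distinct_users": len(users),
                    "users": sorted(users),
                    # Many "wrong password" hits = spraying; many "no such user"
                    # hits = someone guessing account names.
                    "wrong_password": sum(1 for _, _, s in span if s == STATUS_WRONG_PASSWORD),
                    "unknown_user": sum(1 for _, _, s in span if s == STATUS_NO_SUCH_USER),
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(f"{alert['src']}: {alert['distinct_users']} accounts in "
              f"{alert['first']}..{alert['last']} "
              f"(wrong password {alert['wrong_password']}, unknown user {alert['unknown_user']})")
```

Two points matter when feeding real logs into this. First, an IPC logon with a bad password is recorded as 4625 on the machine that was connected to, while the domain controller that validated the credential records 4776, which carries a source workstation name rather than an IP address; the `src` field therefore has to be normalised from whichever of the two is available. Second, the split between sub-status 0xC000006A and 0xC0000064 separates the spray itself from the user-name guessing that precedes it.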

0x09. SchtaskBackDoorWebshell

Function: Maintain a webshell via a scheduled task

1. Applicable scenarios:

The defender found the webshell on the protected network and removed it, and the vulnerability was fixed, so once the site was restored the webshell could no longer be re-uploaded; this tool rewrites the webshell through a scheduled task.

2. Conditions:

Administrator privileges, because creating scheduled tasks requires them

3. How to use:

xxxx.exe c:\www\upload\1.jsp

4. Implementation process:

Copy the content of c:\www\upload\1.jsp to c:\windows\temp\tempsh.txt, then create a scheduled task whose command is c:\windows\system32\cmd.exe /c copy c:\windows\temp\tempsh.txt c:\www\upload\1.jsp, triggered every half hour.

5. Video demonstration (animation not reproduced)
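The half-hourly copy task described above is easy to recognise once a task's definition has been exported with schtasks /query /xml /tn <name>: a short repetition interval, an action that shells out to cmd.exe to write a file, a destination under a web root, and an elevated principal. The following audit is an added example for this post, not part of the SchtaskBackDoorWebshell tool; the two task definitions are constructed samples in the schema Task Scheduler exports (XML declaration omitted), and the web-root list and interval threshold are assumptions for the demo.

```python
"""Audit exported Task Scheduler XML for the persistence pattern described in
this post: a frequently repeating task whose action copies a file into a web root.

Added example, not one of the tools listed here. Both XML documents below are
constructed samples in the shape produced by `schtasks /query /xml /tn <name>`.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by every exported Task Scheduler definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample matching the task this post describes.
SUSPICIOUS_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2023-03-23T15:11:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>c:\windows\system32\cmd.exe</Command>
      <Arguments>/c copy c:\windows\temp\tempsh.txt c:\www\upload\1.jsp</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a daily backup job run as an ordinary user.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-03-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec>
  </Actions>
</Task>
"""


def iso_duration_minutes(text):
    """Convert an ISO 8601 duration such as PT30M or P1DT2H to minutes (None if unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def audit_task_xml(xml_text, web_roots=("c:\\www", "c:\\inetpub\\wwwroot"), max_interval_min=60):
    """Return a list of human-readable findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []

    # Actions: shelling out to cmd.exe to write files, and anything touching a web root.
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_.findtext("t:Command", "", NS) or "").strip().lower()
        args = (exec_.findtext("t:Arguments", "", NS) or "").strip().lower()
        if cmd.endswith("cmd.exe") and re.search(r"\b(copy|xcopy|move|echo)\b", args):
            findings.append(f"cmd.exe file-write action: {args}")
        for wr in web_roots:
            if wr.lower() in args or wr.lower() in cmd:
                findings.append(f"action touches web root {wr}")

    # Triggers: a repetition interval at or under the threshold.
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_minutes(interval.text or "")
        if minutes is not None and minutes <= max_interval_min:
            findings.append(f"repeats every {minutes:g} min")

    # Principal: SYSTEM or highest-available run level.
    for principal in root.findall(".//t:Principals/t:Principal", NS):
        user = (principal.findtext("t:UserId", "", NS) or "").strip()
        level = (principal.findtext("t:RunLevel", "", NS) or "").strip()
        if user == "S-1-5-18" or level == "HighestAvailable":
            findings.append(f"runs elevated (UserId={user or '?'}, RunLevel={level or '?'})")

    return findings


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, audit_task_xml(xml_text) or "no findings")
```

Each finding on its own is common in legitimate tasks; it is the combination (elevated, sub-hourly, cmd.exe copy into a served directory) that singles out this persistence. Because the task also leaves its payload at c:\windows\temp\tempsh.txt, file-integrity monitoring of the web root that compares against the last known-clean deployment catches the rewrite itself even if the task definition is missed.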

0x10. regeditBypassUAC

Function: Run an exe with elevated privileges via a UAC bypass. The compiled exe only works on Windows 10, not Windows 7.

1. Specific process

Registry-based UAC bypass via a whitelisted (auto-elevating) program

2. Video demonstration (not reproduced)

0x11. delegationVul

Function: Detect constrained delegation configured in the internal domain

1. Constrained delegation utilization

2. Video demonstration (not reproduced)

3. Resource-based constrained delegation utilization

4. Video demonstration (not reproduced)

0x12. 360SafeBrowserDecrypt

Function: Decrypt the 360 Safe Browser's assis2.db database

Run it directly on the target machine (note: the binary is not AV-evasive)

360SafeBrowserDecrypt.exe

Or copy the target's machine id and the assis2.db database back to the local machine and decrypt there

Check the machine id:

reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid

Check the 360 Safe Browser installation directory:

reg query "HKCR\360SeSES\DefaultIcon"

Default assis2.db database directory:

C:\Users\
