Note one Penetration Process: The large Intranet behind a workstation

Source: Internet
Author: User
Tags: domain server, domain

Role of a Domain Server

1. Centralized security management with unified security policies.
2. Centralized software management: all machines are limited to running only the office software the company requires.
3. Centralized environment management: with AD, client desktop, IE, TCP/IP and other settings can be applied uniformly.
4. Active Directory is the foundation of the enterprise infrastructure and the basis for unified management of the company. Services such as ISA, Exchange, anti-virus servers, patch distribution servers and file servers all depend on the domain servers.

The machine that provides these services is the Domain Controller (DC).

The process is as follows:

Two days ago we performed an Oracle security test on a Windows 2003 host and installed 3389 (Remote Desktop) logon-recording software on it.
Then, when I logged in yesterday to check the database settings of this machine, I found that it is actually a domain workstation managed by a DC.

After logging on through Remote Desktop, I checked the computer name and obtained the DC domain name.

I learned how to install and set up a DC back when I was studying for the MCSE. By now I have returned all of that knowledge to the teacher ~~
Server permissions had already been obtained during the security test, but the user and password obtained could only log on to the local machine, not to the DC server.
So I did a penetration test to see whether I could obtain the highest DC permission, "domain administrator".
Before penetrating, collect information to decide how to proceed. Run net user, net logrup and net view under CMD to check whether there is a list of computers in the current domain or workgroup.

The screenshot shows that the administrator has actually applied an "Active Directory policy - Group Policy - Software Restriction Policy":
both NET and NET1 are restricted. Since a restriction policy is in place, many common methods should not work. After thinking it over, the first step must be to find the IP address of the DC server; if I don't even know the DC server's address, what can I do? But net view is restricted, so how can it be looked up? I went through my materials looking for a solution and found a VBS script, which also failed.

Would sniffing work? I uploaded Cain and it was killed by the lovely McAfee... and McAfee cannot be turned off. I thought the file was damaged, but the same file decompressed and ran properly on my own computer. Why?
If anyone knows, please teach me.

Think... I entered commands in CMD and found that netstat can be used, and ipconfig can also be used. The NIC information is displayed; this command has no restrictions.

Adding the /all parameter shows the details: the DNS servers are 10.10.1.1 and 10.10.1.2 and the gateway is 10.10.1.252. I then tried nslookup to do a reverse lookup of 10.10.1.2. This command is not restricted either, and it showed that this is server No. 02 in the same domain.

I opened the gateway IP address in IE and saw a level-15 privilege prompt, so it should be a Cisco device. Ignore it for now.

IP 10.10.1.1 is the DC.
Logging in with the obtained user and password failed. It seems this account has not been added as a domain user, so I had to check what could be used on the local machine's hard disk.

It's all data, drivers and application software. I couldn't find a clue... Many commands are restricted and sniffers get killed. It is said that gsecdump can capture the hashes of the DC, but I think it would also be
killed by McAfee, so I won't try again. My skills are too shallow; I really couldn't think of any other methods.
I exited Remote Desktop and took a bath. While washing and thinking, I suddenly remembered that the 3389 logon recorder had been installed the day before. After cleaning up, I checked the records and saw that, besides the local system administrator, another user had logged on to this machine,
and that user's logon DOMAIN was different.

So I logged on to the local machine with this user and checked whether new information was available. The desktop's Remote Desktop client had many connection records. It seems this user does not have merely ordinary permissions.

Well, I gave it a try and logged on to the DNS address 10.10.1.2 from before, and it worked: truly "you wear out iron shoes searching in vain, then find it without any effort"... (what literary talent?)

Then I used the net view command. There is no restriction.

net user: there are hundreds of users.

So how many machines are there in the intranet? Querying AD shows more than 300 computers.

This intranet also uses Citrix server virtualization.

Citrix official site:
http://www.citrix.com.cn/products/server-vituralization.aspx

There are two controllers: 10.10.1.1 and 10.10.1.2.

The company has subsidiaries in the United States, Japan, the United Kingdom and Thailand, all making rubber products. Because the domain name is blocked in tianchao, you can enter the IP address to view the webpage.

Summary:
Because the sniffing software played no role, the 3389 logon records played the key role. This is just a penetration-test process with no technical content; let everyone have a laugh. After the test, the administrator fixed the Oracle vulnerability. Everything else was restored to its original state.
It's getting late.
