An Intranet penetration case for foreign targets

Target Domain Name: www.2cto.com (only used to replace the target website, not this site)
 
Objective: To gain domain control through the entire intranet
 
Collect information: the website www.2cto.com is static and has no logon port. The server uses IIS6.0. Ping the ip address of the domain name: 111.111.111.111. After querying the ip address on ip866, only the website is bound. It seems that the domain name is not expected to be added. By the way, the domain name Whiose information, get a domain name registered mailbox sales@xxx.net, domain name owner, management contacts and other information. The IP address range, administrative country, and NS records are queried. After sorting out the information, I continued to scan the CIDR Block and opened port 80. Many websites with the same template are from other companies or enterprises. It is estimated that this is a hosted server, and there is little connection with the Intranet. It may be difficult to penetrate into the Intranet even if it is obtained. Then, the target is directed to the mail server, and the MX record is queried on the Internet. The mail server address mail.2cto.com is obtained, and its ip address is 222.222.222.222, it seems that it has nothing to do with the ip address of the WEB server. I scanned the ip address of the CIDR block where the email server is located and found that there are very few ip addresses with port 80, and several of them are routers. One of them has a weak snmp password "public" and the ip address is 222.222.222.221. With IP Network Browser, scan out some information about this router, get the Administrator contact mailbox xxxx@2cto.com. It is assumed that this is the Internet ip segment of the target intranet. Access the domain name mail.2cto.com. The address is redirected to owa.2cto.com, And the logon interface of Exchange Web Access is displayed. Ping the ip address of owa.2cto.com to 222.222.222.223. Recently, Exchange 2007 has no vulnerabilities available. I would like to start with other machines in the CIDR Block and sniff the vro password or email password. As a result, there are few machines in the CIDR block that have web servers and port 3389 enabled, do not take this path for the moment.
 
Social engineering Email: Since the email Server is found and it is an Exchange Server, let's try to publish a single phishing email to several social engineering users to log on. Return to the WEB page of ww.2cto.com and find several email addresses @ 2cto.com on the "contact us" page. The tool for sending anonymous emails instantly creates a phishing page and adds a form. The approximate content is that your mailbox will be suspended for any reason, enter your account and password below for verification. Unfortunately, it is displayed that the user does not exist at the time of sending. How can the mailbox published on the website not exist? Cup (it is confirmed that it does not exist later ). I can only use google's multi-collection site mailbox, and suddenly the flash of the flash, I have a Hotmail XSS in hand, if you can catch a few internal staff hotmail mailbox may be useful. Then I used the keyword mail "@ 2cto.com" and "@ hotmail.com" to go viral in google. I was lucky enough to collect more than 10 related hotmail mailboxes, how do you know that hotmail is my target employee. After the collection, it is to send a phishing email, waiting for the fish to hook up. Two days later... Check the address and URL of the received email. There are two or three passwords. Well, it's not bad. Instantly log in and read all emails as E files. Most of them are work letters, and most of them contain attachments, which lays the foundation for post-sending. I checked that there are many email addresses @ 2cto.com for contacts. Make sure that the email address owner is the email address of the target employee, and export the contact to continue sending phishing emails to the social worker. Here, we picked out some email addresses @ 2cto.com to send embedded form phishing emails, prompting that the emails are sent successfully. It seems that the previously collected addresses do not exist. Two days later... @ Hotmail.com and @ 2cto.com both have new email passwords. Use the obtained @ 2cto.com password to log on to mail.2cto.com without prompting for a wrong password. However, it is strange that an error occurs after the jump and the email content is invisible. Is it an ip address restriction? Hmm ~~ Now there are almost 10 Email passwords, but mail.2cto.com is only used to send Trojans if you do not log on to mail.2cto.com. A Trojan-free password is configured, use the obtained @ hotmail.com email box to send a Trojan to @ 2cto.com. Attachments are mandatory. First, they are afraid of exposure, and second, they are afraid that the Intranet is too restrictive.
 
Intranet penetration: after waiting for two days, remote control prompts a new host to go online on the third day ~ I immediately opened an Alibaba shell with remote control to execute ipconfig/all. Well, it is indeed an employee's machine on the Intranet. The intranet ip address is 10.10.2.2 and there is an Internet ip address 122.122.122.122, it is strange that an employee's machine has two NICs, one of which is assigned an Internet ip, and the other is an intranet ip. Is it a dial-up Internet? Or vpn? If the domain is www.2cto.com, the dns server is 10.10.2.5 (most of which is domain control) net localgroup administrators finds that the user adds the domain account that logs on to the local machine to the net view/domain in the Administrator Group. It shows that there are three domain net views ~ Oh ~ Finally, the breakthrough was opened. The next goal is domain control. Upload gsecdump.exe to the bot to capture the hash, and the online cracking will soon be cracked. Unfortunately, it is only the permission of a common domain account. Use this account password to connect to the establishment of 10.10.2.5 \ ipc $, prompting that you do not have the permission. At the same time, gsecdump.exe also caught the local administrator password and used the local administrator to log in and establish a connection to 10.10.2.5 \ ipc $, prompting that the password was incorrect. Use the local administrator to establish an ipc $ connection with other employee machines. If the prompt is "successful", the local administrator password should be common in employee machines. It may be a little difficult to directly take domain control. When you focus on the web servers in the Intranet, the Administrator will always log on to the servers in the Intranet for maintenance. Continue to view the content returned by nei view and find a \ xyznetnews machine is like an intranet server. The ip address is 10.10.5.5 and the lcx is uploaded to the broiler, directly forward port 80 of 10.10.5.5 to port 388 of another Internet broiler, 220.220.220.220. http://220.220.220.220:3388 Then you can access the web Services opened on this Intranet server. Sure enough, the web Service is opened on port 80, but there is no vulnerability. Then I tried directories such as/phpmyadmin/admin/login and went directly to the phpmyadmin directory, it seems that the Administrator has not set the mysql password. Export the pony, take out the kitchen knife, connect it, and execute the command. Haha ~ System permission limit: Uploading gsecdump.exe to capture the hash is useless. It is estimated that the password has exceeded 14 digits. Then upload Winlogonhack to record the logon password. The next day, no password, can't wait, shut down directly, the third day, the password has. But it's not a domain administrator account. I used my password to perform domain control and the logon was successful. But I am wondering why the net group "domain admins" didn't find the entire account, but why does it allow domain control, you can add any account to the domain admins group. At this point, the entire intranet is okay.
 
 
Article