Intranet Penetration: Domain Penetration Basics
I. Building the domain environment + understanding domains + lab environment
1. Preface: I had always wanted to try domain penetration, but unfortunately I never came across a good domain environment. I had read plenty of other people's articles about domain penetration, so I set up my own environment to test things...... [this is the gap between a diaosi and a gaofushuai, as the saying goes]
The idea: learn what a domain is by building one, then learn how to penetrate it.
2. Build a DNS + domain server
After a lot of Googling and Baidu-ing, the domain environment was finally up. Damn, it took forever --
In the end I built the domain in a NAT network: domain controller Win2008 [192.168.233.145, dns.wilson.com], plus a Win2003 web server [192.168.233.130, www.wilson.com].
To create a domain server you first set up a DNS server, then install Active Directory; after that you have a domain environment. Name the domain wilson.com [smile ~~]
After the environment is set up, let's look at what changed in the users and groups on the Win2008 domain server:
We find it has added a lot of groups for us; the role of each group is explained clearly in the figure.
The two to note are Domain Admins and Enterprise Admins: the domain administrators group and the enterprise administrators group. They hold the highest privileges....... =
We can also see that the domain server's Administrator account has been put into Domain Admins and Enterprise Admins by default.
So an administrator can manage all the servers in the domain centrally, which makes administration very convenient....
But convenience brings security problems: a domain admin password or token captured on any one member machine is enough to control the whole domain.....
3. Lab environment
Then I put Kali [10.170.10.157] on the same LAN as the host machine [10.170.38.141] to simulate a real environment, and mapped port 80 of Win2003 to the host machine [10.170.38.141:8080].
The following figure shows the environment:
========== Cut ==========
II. Test process
Now let's pretend we know nothing about the environment above [we only just installed it] and start from the web server.
1. Webshell privilege escalation
First we get a webshell on 10.170.38.141:8080. After escalating privileges through MySQL root, I switch to msf to get into this intranet.
2. Web server information collection
Then we collect server information and make sure our privileges are solid ~~~
Migrate the meterpreter session into a stable process, winlogon.exe.
Why does it complain about permissions? That's odd; I came in as root through MySQL and should be SYSTEM --
Never mind; getsystem gives us high privileges.
OK
Then collect the network situation, plus hashes/plaintext passwords.
IP:
Sure enough, the intranet is 192.168.233.0/24. OK, first I add a route to the intranet through this session.
Then we dump the hashes and plaintext:
The "Administrator" hash starting with "add3" cannot be cracked, but the hash itself can be passed (pass-the-hash).
However, if the administrator is logged on or has not logged out, we can grab the plaintext from memory.
The password is qawsed123!@#
[I typed in my earlier Win2003 password... I had changed it, but it was still captured.]
3. Collect domain information + locate the domain controller
I use msf's port forwarding (portfwd) to log in to the target's Remote Desktop.
OK, let's collect domain information.
1. ipconfig /all
The domain name is wilson.com.
Check how many hosts there are in the current domain. Here I have only two.
[No way around it; only these machines to test]
2. net view /domain
If you are in multiple domains, penetration gets a bit more painful --
[Note: the workgroup named 1 is my own; I renamed it. net view lists it too. A real environment won't look like this, with only these few machines.]
For example:
\\DNS          dnsserver
\\SQLDATA      sqlserver
......
This way we can find the machines we want.
For example DNS [because the DNS server is generally a domain controller].
Also, if the remark says something like "servidor master ad", that machine is very likely the domain controller....
Or if you want a database, check whether SQLDATA has any vulnerabilities.
3. Find IP addresses to analyse the network structure
Next, ping each host name.
View the network distribution by IP address.
One or two hosts are easy by hand, but when there are many it hurts. =
Someone has already written a script for this; just use it.
The network structure here is simple: only two machines.
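As an added example (not the author's script, and not code from the post), here is a small Python helper that does what the paragraph above describes by hand: it parses `net view` output, ranks hosts that look like domain controllers from their name and remark (the "dns" and "servidor master ad" hints above), and resolves names to IPs. The sample `net view` text is constructed; the DNS and WWW hostnames follow the lab, while the other names, the hint list and its weights are assumptions of mine.

```python
import re
import socket

# Constructed sample output, imitating what "net view /domain:wilson" prints.
# Only DNS and WWW follow the post's lab; the other names are invented.
SAMPLE_NET_VIEW = r"""Server Name            Remark
-------------------------------------------------------------------------------
\\DNS                  dnsserver
\\SQLDATA              sqlserver
\\FILE01               servidor master ad
\\WWW                  web server
The command completed successfully.
"""

# Remark/hostname hints and how strongly each suggests a domain controller
# (weights are an assumption, not a rule from the post).
DC_HINTS = {
    r"master ad": 2,          # the "servidor master ad" remark from the post
    r"domain controller": 2,
    r"active directory": 2,
    r"\bdc\d*\b": 2,          # hostnames like DC, DC01
    r"dns": 1,                # DNS usually lives on the DC
}


def parse_net_view(output):
    """Return [(hostname, remark), ...] from raw `net view` output."""
    hosts = []
    for line in output.splitlines():
        m = re.match(r"^\\\\(\S+)\s*(.*)$", line.strip())
        if m:
            hosts.append((m.group(1).upper(), m.group(2).strip()))
    return hosts


def score_dc_candidates(hosts):
    """Rank hosts by how likely they are a DC; returns [(score, name, remark)]."""
    ranked = []
    for name, remark in hosts:
        hay = (name + " " + remark).lower()
        score = sum(w for pat, w in DC_HINTS.items() if re.search(pat, hay))
        ranked.append((score, name, remark))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def resolve_hosts(hosts, resolver=socket.gethostbyname):
    """Map hostname -> IP (None if it does not resolve). The resolver is
    injectable so the mapping can be tested without a network."""
    result = {}
    for name, _ in hosts:
        try:
            result[name] = resolver(name)
        except OSError:
            result[name] = None
    return result


if __name__ == "__main__":
    hosts = parse_net_view(SAMPLE_NET_VIEW)
    for score, name, remark in score_dc_candidates(hosts):
        print(f"{score}  \\\\{name:<10} {remark}")
```

Run it on the real `net view` output saved from the target, then ping or resolve the top-scoring names first; the score is only a hint, so confirm with the DNS server address from ipconfig /all.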
4. User and group information
net user
net user /domain -- errored for me [this lists all the users in the domain]
net group "domain admins" /domain -- query the domain administrators group
Two domain administrator accounts.
To get the details of one user: net user <username> /domain
However, these two commands sometimes fail to run, typically because the current account cannot query the domain controller.
Where is the domain controller?
From net view: if the remark says servidor master ad, it is very likely the domain controller..
Because DNS generally runs on the domain controller, we can use DNS to find it.
So the easiest way is to find the DNS server from ipconfig /all.
192.168.233.145 [DNS + domain controller]
nslookup can also find it: the domain controllers are published as SRV records under _ldap._tcp.dc._msdcs.wilson.com....
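The nslookup approach, as an added example that is not part of the original post: a pure-Python SRV lookup for `_ldap._tcp.dc._msdcs.<domain>`, which is the same record Windows clients use to locate a DC. Nothing in it is from the post. The `transport` hook lets you swap the UDP exchange for a reply you supply; the hand-built response for dns.wilson.com / 192.168.233.145 at the bottom is constructed, not captured, so the parser (including DNS name compression) can be exercised offline.

```python
import socket
import struct

SRV, A = 33, 1  # DNS record types


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard recursive SRV query for `name` (header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, 1)


def read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, end_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_srv_response(msg):
    """Return (srv_records, glue) where glue maps target name -> IPv4."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = read_name(msg, off)
        off += 4
    srv, glue = [], {}
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            srv.append({"target": target, "port": port, "priority": prio, "weight": weight})
        elif rtype == A and rdlen == 4:
            glue[name] = socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return srv, glue


def find_dc(domain, dns_server, transport=None, txid=0x1234):
    """Locate DCs via _ldap._tcp.dc._msdcs.<domain>. transport(query) -> response
    defaults to a real UDP exchange with dns_server:53; inject one to run offline."""
    query = build_srv_query("_ldap._tcp.dc._msdcs." + domain, txid)
    if transport is None:
        def transport(q):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(3)
                s.sendto(q, (dns_server, 53))
                return s.recvfrom(4096)[0]
    resp = transport(query)
    if resp[:2] != query[:2]:                           # reject replies to other queries
        raise ValueError("transaction id mismatch")
    srv, glue = parse_srv_response(resp)
    srv.sort(key=lambda r: (r["priority"], -r["weight"]))
    return [(r["target"], glue.get(r["target"]), r["port"]) for r in srv]


def constructed_response(txid=0x1234):
    """Hand-built reply for the post's lab (constructed, not captured):
    SRV 0 100 389 dns.wilson.com plus an A glue record 192.168.233.145."""
    qname = "_ldap._tcp.dc._msdcs.wilson.com"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", SRV, 1)
    rdata = struct.pack("!HHH", 0, 100, 389) + encode_name("dns.wilson.com")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata  # name = pointer to offset 12
    glue = encode_name("dns.wilson.com") + struct.pack("!HHIH", A, 1, 600, 4) + socket.inet_aton("192.168.233.145")
    return header + question + answer + glue


if __name__ == "__main__":
    # Against the live lab you would drop the transport argument and let it
    # send to the DNS server found in ipconfig /all.
    print(find_dc("wilson.com", "192.168.233.145", transport=lambda q: constructed_response()))
```

The same query can be issued by hand with nslookup (set type=SRV, then the _ldap._tcp.dc._msdcs name); the script just makes the answer machine-readable and checks the transaction id so a stray reply cannot be mistaken for the real one.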
4. Taking the domain controller
Have a look at this first: http://drops.wooyun.org/tips/646
1. Overflows
MS08-067
If the LAN has XP/2000 machines the success rate is relatively high.
But my domain controller is 2008 =
Not tested for now.
DNS overflows
The DNS server is probably the domain controller, so...
No such overflow in hand.
2. Weak passwords + the password captured from the controlled server
Combine the captured plaintext with some common weak passwords and sweep the whole network.
If there is a database server on the network, try to take it first, then collect the common passwords from it and add them to the dictionary before running; the success rate goes up a lot.
Note: Win2008's default password policy enforces fairly strong passwords, so judge for yourself whether this sweep is worth it. Also mind the domain's account lockout threshold when spraying, or you will lock accounts and draw attention.
3. Keylogger + 3389 logon records
This records the keystrokes of an administrator who is online ~
You can try msf's keylogger.
Finally, migrate the msf process into explorer.exe.
Sometimes the migration inexplicably fails.
You can migrate into winlogon.exe to catch 3389 logons.
Or use GINA, etc.
I saw the password. Haha.
4. Token impersonation
The msf penetration guide puts it this way: in an impersonation attack we steal a Kerberos token from the target system and use it in identity authentication to impersonate the user who created the token. [Strictly, what incognito steals are Windows access tokens left behind by logged-on users, not Kerberos tickets.]
Token impersonation is one of meterpreter's powerful features and very helpful for penetration.
Then run our Win2003 backdoor and have a look [NOTE: so that a domain administrator token exists on the box, I logged in to its Remote Desktop as the domain administrator].
After loading the incognito module, list tokens with list_tokens -u.
We test stealing the domain administrator token, wilson\administrator.
With the token stolen, we add a user test to Domain Admins:
1. impersonate_token wilson\\administrator -- steals the wilson\administrator token [note the escaped double backslash]
2. add_user test Password -h IP -- IP is the domain controller; because of Win2008's password policy the password must be complex
3. add_group_user "Domain Admins" test -h IP -- adds test to Domain Admins
For this step see the msf penetration guide; I got it from the book too.
Check on the 2008 box whether test was added successfully --
OK, no problem. With that, domain control is done ~ hey
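The defender's side of this step, added here as an example and not taken from the post: the add_user + add_group_user sequence above lands in the DC's Security log as a 4720 (user account created) followed within seconds by a 4728 (member added to a security-enabled global group, here Domain Admins). The Python below runs that correlation over a few constructed JSON-lines events. The field names are the standard Security-log names; the events, timestamps, the MKT group and user bob are invented, and 4756 is included because universal groups log that ID instead.

```python
import json
import re
from datetime import datetime, timedelta

# Privileged global/universal groups whose membership changes deserve an alert.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}
GROUP_ADD_EVENTS = {4728, 4756}   # member added to security-enabled global / universal group
USER_CREATED = 4720

# Constructed sample events (JSON lines, as a log shipper might emit them for
# the DC's Security log). Names follow the post's lab: domain WILSON, new user
# "test"; the MKT group and user "bob" are invented filler.
SAMPLE_EVENTS = """\
{"TimeCreated": "2014-05-01T10:00:00+00:00", "EventID": 4624, "SubjectUserName": "-", "TargetUserName": "Administrator", "TargetDomainName": "WILSON", "LogonType": 10}
{"TimeCreated": "2014-05-01T10:02:10+00:00", "EventID": 4720, "SubjectUserName": "Administrator", "SubjectDomainName": "WILSON", "TargetUserName": "test", "TargetDomainName": "WILSON"}
{"TimeCreated": "2014-05-01T10:02:15+00:00", "EventID": 4728, "SubjectUserName": "Administrator", "SubjectDomainName": "WILSON", "MemberName": "CN=test,CN=Users,DC=wilson,DC=com", "TargetUserName": "Domain Admins", "TargetDomainName": "WILSON"}
{"TimeCreated": "2014-05-01T11:30:00+00:00", "EventID": 4728, "SubjectUserName": "Administrator", "SubjectDomainName": "WILSON", "MemberName": "CN=bob,CN=Users,DC=wilson,DC=com", "TargetUserName": "MKT", "TargetDomainName": "WILSON"}
"""


def parse_events(text):
    """Parse JSON lines into dicts and attach a parsed timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["_time"] = datetime.fromisoformat(ev["TimeCreated"])
    return events


def member_cn(dn):
    """'CN=test,CN=Users,DC=wilson,DC=com' -> 'test'."""
    m = re.match(r"^CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def detect_privileged_group_adds(events, window=timedelta(minutes=10)):
    """Alert on additions to privileged groups; raise severity when the added
    account was itself created within `window` before (the add_user +
    add_group_user pattern from the post)."""
    created = {}   # account name -> creation time seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventID"] == USER_CREATED:
            created[ev["TargetUserName"].lower()] = ev["_time"]
        elif ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            member = member_cn(ev["MemberName"])
            born = created.get(member.lower())
            fresh = born is not None and ev["_time"] - born <= window
            alerts.append({
                "time": ev["TimeCreated"],
                "group": ev["TargetUserName"],
                "member": member,
                "by": f'{ev.get("SubjectDomainName", "")}\\{ev["SubjectUserName"]}',
                "severity": "critical" if fresh else "high",
                "created_recently": fresh,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_group_adds(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Any addition to Domain Admins should page someone; the create-then-add correlation just separates a routine admin change from the attacker pattern shown in this section, where the account did not exist minutes earlier.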
5. Sniffing
Use cain.exe, the sniffing tool =
One more tip: cain.exe has a boss key. I only just found out --
Alt+Del hides it, Alt+PgDn minimizes it, Alt+PgUp shows the program again.
Other methods.... still learning...
5. After domain control
Batch operations across the domain: haven't done this yet...
Generally a decent person stops at domain control.. Everyone is just playing; don't be too nasty.
III. Summary
Finally, the conclusion ~~~
In this test I tried my best to simulate a real penetration environment, but there are still many shortcomings.. it's quite different from a real one.
For example, some of the command tests may be wrong.
For example, antivirus and firewalls were not considered.
And the whole process was a bit playful -- haha
But I've written down everything I could think of =. I hope you come away with something better, and please point out anything that's wrong.