Step by step: intranet penetration and domain takeover

Source: Internet
Author: User
Tags: domain, server

A few days ago I got a shell on a site running Windows 2000. Privilege escalation succeeded. RDP (3389) was not enabled, so I enabled it; after the server was restarted, I forwarded the port with lcx and logged on over 3389.

After getting onto the server, I found that the only other host in the same C-class segment was 192.168.0.50.

That seemed strange. The organization behind this site is not small, so how could there be only a single host? Then it clicked: the server sits in a DMZ so that it can talk to the outside world, which means there must be an intranet behind it!

To verify the guess, I went to the gateway. Opening it in IE showed a SonicWall firewall, but I had no management credentials. Routers, switches, firewalls and the like generally ship with a preset system account, and if the administrator never changes it, that is a gift for us. So after Baidu, Google and an official customer video, I finally learned that the default credentials for this firewall model are admin / password.

---------- Part one ----------

Next I tried to log on. The administrator had not changed the password and the login succeeded. Once inside the firewall, I saw that my guess was right: the layout of the entire intranet was in full view.

Our current location is the DMZ, which is connected to port X3 of the firewall. The DMZ subnet is 192.168.0.1/24, and our host is 192.168.0.50/24.

The IP address range of the LAN is 10.0.0.1/21.

Pinging this CIDR block shows normal communication, so there is no problem with the path to the LAN.

The first thing to do now is to map port 3389 out and forward it so that we can log in to the internal hosts from outside...

First, perform some operations on this DMZ server.

(VNCPassView was uploaded here but was not actually used later.)

Scanning with Hscan turned up two weak sa passwords.

On 10.0.0.40, log on to the database with the weak sa password and use xp_cmdshell to add the local admin account admin$ with password admin.

Use this host to probe the LAN.

So I logged on over 3389 and found that the Administrator was logged on to this machine. In order not to disturb him, I used Telnet first.

Establish an IPC$ connection, open Telnet and log on.

net view

View the local machine's role in the LAN: ipconfig /all

From this information, the machine is a member of a domain. Pinging the domain server name gives the address 10.0.0.6.

Check the local machine's role in the domain.

It seems to be just an ordinary member.

View domain users: net user /domain

Quite a lot. Let's see who the domain administrators are.

Initial intranet information obtained...

Telnet is really uncomfortable to work in, and judging by the time it is early morning on their side. Why is such a dedicated administrator still working in the early morning? Never mind, go straight in over 3389.

Then I installed WinLogonHack and waited for the domain administrator to log on over 3389 so that the password would be captured. For the moment I did not use Cain for sniffing; it is too noisy... (PS: the copy of Cain I have is the Chinese version and comes out garbled when uploaded.)

Upload GetHashes and dump the hashes.

After running the password cracker for a long time... finally cracked.

We guess that the local administrator password is the same as the domain administrator password?

Verify the guess by logging on to the domain administrator's host.

---------- Part two ----------

Now we know the domain server is 10.0.0.6, so we try to log on remotely. I did not expect the login to go straight through to the server without any extra verification. No time wasted!!

Once on the server, we find that the Administrator is online...

Then add the domain administrator account admin$ with password admin!@#

After successfully adding a domain admin account, the entire domain is open from here ~~~
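Both accounts created in this write-up (the local admin$ on 10.0.0.40 and the domain-level admin$ above) carry a `$` suffix, which keeps them out of `net user` listings. As an added defender's example, not part of the original write-up, the Python below scans constructed Windows Security log lines for user-account creations (Event ID 4720) and privileged-group additions (4728/4732) whose account name ends in `$`; genuine computer accounts are logged as 4741, so a 4720 with that suffix is a user account dressed up as a machine. The key=value line format and all account, host and domain names are assumptions made up for the sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not logs from the write-up), one "key=value"
# line each; the field names are the ones Windows uses in Security events
# 4720 (user account created), 4741 (computer account created) and
# 4728 (member added to a global group such as Domain Admins).
SAMPLE_EVENTS = """\
EventID=4720 SubjectUserName=helpdesk TargetUserName=backup TargetDomainName=CORP
EventID=4720 SubjectUserName=SYSTEM TargetUserName=admin$ TargetDomainName=FILESRV01
EventID=4741 SubjectUserName=Administrator TargetUserName=WS042$ TargetDomainName=CORP
EventID=4720 SubjectUserName=Administrator TargetUserName=admin$ TargetDomainName=CORP
EventID=4728 SubjectUserName=Administrator TargetUserName=Domain Admins MemberName=CN=admin$,CN=Users,DC=corp,DC=local
"""

# Lazy value match that stops at the next " key=" token, so values with
# spaces ("Domain Admins") and values containing "=" (LDAP DNs) survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
CN_RE = re.compile(r"CN=([^,]+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' line into a dict."""
    return dict(FIELD_RE.findall(line))

def flag_hidden_user_creations(log_text: str) -> List[Dict[str, str]]:
    """4720 events whose new account name ends in '$'.

    Real computer accounts arrive as 4741, so a 4720 with a '$'-suffixed
    name is a user account that 'net user' will omit from its listing.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "4720" and ev.get("TargetUserName", "").endswith("$"):
            hits.append(ev)
    return hits

def flag_hidden_group_adds(log_text: str) -> List[Tuple[str, str, str]]:
    """(event id, member, group) for 4728/4732 adds of '$'-suffixed members."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") not in ("4728", "4732"):
            continue
        m = CN_RE.match(ev.get("MemberName", ""))
        if m and m.group(1).endswith("$"):
            hits.append((ev["EventID"], m.group(1), ev.get("TargetUserName", "")))
    return hits

if __name__ == "__main__":
    for ev in flag_hidden_user_creations(SAMPLE_EVENTS):
        print("hidden user created:", ev["TargetDomainName"] + "\\" + ev["TargetUserName"])
    for eid, member, group in flag_hidden_group_adds(SAMPLE_EVENTS):
        print(f"event {eid}: {member} added to {group}")
```

On the sample the two admin$ creations are reported and the WS042$ computer account is correctly ignored.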

This penetration is almost over. In fact, the LAN is certainly not just the machines in 10.0.0.1-255.

Note the subnet mask above (/21).

10.0.1.0-255 and so on are also part of it...
