Talk about Intranet penetration

Source: Internet
Author: User

Preface:
After reading @g.r0b1n's article "Introduction to intranet penetration" I could not hold back, so I wrote this piece, "Talking about Intranet Penetration Again". I hope some friends will follow it up with the "Discussing Intranet Penetration in Detail" that I have in mind. I have always held that a single penetration has to end up controlling at least 80% of the target's hosts before it can be called a success. I hope friends will offer plenty of valuable comments.

Body:
I have no foothold on any machine in the internal domain; all I have is one web page with a vulnerability. My goal is to use that vulnerable page to break into the online servers, move from the IDC network into the office network, and from the office network reach the domain controller. Many large Internet companies run an O&M network that communicates with the IDC intranet, but the O&M intranet is usually part of the office network.
Through the vulnerable web page I get a shell on a Linux server. Once the shell is up, do not rush into anything; first look at whether the machine is monitored and whether there is any log collection (if there is monitoring and the shell you got from the web vulnerability is spotted half a day later, that hurts).
ls -al /etc/init.d shows what services are set up here. The IP information and connection information are very important; what they show determines how to proceed.

First, a simple analysis. The server appears to have two IP addresses, one intranet and one Internet. If there are intranet addresses, I first need to work out how big the intranet is. You may ask how to judge that; honestly, I cannot tell in advance. Run an nmap scan and look at which ports are open. Here port 10050 is open, which is the zabbix_agent port (the most convenient route from there is through zabbix_server). If there is no zabbix, check whether puppet, ldap or similar things are present.
Zabbix is a powerful monitoring system. Its system.run module is very popular with ops people (I like it anyway), and that module can execute any command. Puppet is a tool for managing configuration files, but it can also execute arbitrary commands (many people like to use it to synchronize the root password). LDAP is the equivalent of Windows AD. There are other things too, of course; I will not list them one by one.
Since zabbix is present in my case, I follow the zabbix_server path. First check the zabbix configuration file: the zabbix_server IP address is in it (it may also be a zabbix_proxy address), which helps determine the IP address of the zabbix web front end. If you are lucky and the default zabbix password has not been changed, you save yourself a lot of effort: log in directly and add a monitoring item that executes whatever command we want. Otherwise you have to find a way to obtain permissions on zabbix_server, and how to do that is a complicated matter that depends on the specific situation: you can crack the shadow file of the server you already have permissions on, or install a keylogger.
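The zabbix_agent exposure described above comes down to a few lines in zabbix_agentd.conf. The following is an added example, not code from the original post or from Zabbix: a small audit that reads an agent configuration and flags the settings that let a zabbix_server run shell commands through system.run[]. The parameter names (Server, EnableRemoteCommands, LogRemoteCommands, AllowKey, DenyKey) are real Zabbix agent parameters; the weak and hardened sample configurations are constructed for the example.

```python
"""Audit a zabbix_agentd.conf for settings that let zabbix_server execute
arbitrary commands on the host. Added example; sample configs are constructed."""
from ipaddress import ip_network


def parse_conf(text):
    """Parse key=value lines; repeated keys (e.g. several AllowKey) are kept in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def audit_agent_conf(text):
    """Return a list of findings; an empty list means no command-execution exposure found."""
    conf = parse_conf(text)
    findings = []

    # Zabbix agent <= 4.x: EnableRemoteCommands=1 lets every listed Server run system.run[].
    if conf.get("EnableRemoteCommands", ["0"])[-1] == "1":
        findings.append("EnableRemoteCommands=1: any configured Server can run shell commands")
        if conf.get("LogRemoteCommands", ["0"])[-1] != "1":
            findings.append("LogRemoteCommands=0: remote commands would not be logged")

    # Zabbix agent >= 5.0: system.run[] is governed by AllowKey/DenyKey instead.
    for rule in conf.get("AllowKey", []):
        if rule.startswith("system.run"):
            findings.append("AllowKey=%s: system.run[] is explicitly allowed" % rule)

    # Server= is the allow-list of hosts permitted to poll this agent.
    servers = [s.strip() for v in conf.get("Server", []) for s in v.split(",") if s.strip()]
    for server in servers:
        try:
            net = ip_network(server, strict=False)
        except ValueError:
            continue  # hostname entries are not audited here
        if net.prefixlen == 0:
            findings.append("Server=%s: every host on the network may act as zabbix_server" % server)
    return findings


# Constructed sample: the weak settings beside the hardened form.
WEAK_CONF = """
Server=0.0.0.0/0
EnableRemoteCommands=1
LogRemoteCommands=0
"""

HARDENED_CONF = """
# only the real monitoring server may poll this agent
Server=10.10.0.5
EnableRemoteCommands=0
LogRemoteCommands=1
DenyKey=system.run[*]
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_agent_conf(conf) or ["ok"])
```

The audit is deliberately conservative: a hostname in Server= is left alone, and the DenyKey line in the hardened sample is the agent's own default for system.run, so its absence is not reported as a finding.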
Here is a reminder: any passwords collected at this point should be saved; they will be useful later. As it turned out I was lucky: the default zabbix password had not been changed, and I could log in directly:

The following is a pleasant picture:
[screenshot not reproduced in this copy]

At this point I have basically taken control of the online servers. Next we turn to the office network. The last records are what matter here: the IP addresses used to connect to the servers belong to nobody else but the company, although they may also be Internet addresses. If every last record shows Internet IPs, go to a server that has only intranet IPs and check its last records there. Once the office network's IP segment is determined, it makes sense to find a server that can reach the office network and use it as a proxy. For details, refer to here. The office network is obviously mostly Windows, and it is really inconvenient to get started without that proxy.
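The last records are just as useful to the administrator of these servers, who can review them for logins from segments that should never reach a production host. The following is an added example, not code from the original post: it parses output in the layout of "last -i" (which prints numeric source addresses), counts logins per /24, and flags any source outside the segments the administrator expects. The sample output and the expected segment 10.20.0.0/16 are constructed for the example.

```python
"""Review `last -i` output for logins from unexpected segments.
Added example; the sample output below is constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of `last -i` on a Linux host.
SAMPLE_LAST = """\
root     pts/0        10.20.3.15       Mon Mar  4 09:12   still logged in
root     pts/1        10.20.3.15       Sun Mar  3 22:40 - 23:05  (00:25)
deploy   pts/2        10.20.7.88       Sun Mar  3 18:02 - 18:30  (00:28)
root     pts/0        203.0.113.7      Sat Mar  2 03:14 - 03:20  (00:06)
reboot   system boot  3.10.0-957       Sat Mar  2 02:50 - 09:30  (06:40)
root     tty1                          Fri Mar  1 08:00 - 08:10  (00:10)

wtmp begins Fri Mar  1 00:00:00 2019
"""


def parse_last(text):
    """Return (user, tty, source) tuples for remote logins.

    Reboot records, the wtmp trailer and local console logins (no address
    in the third column) are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("reboot", "wtmp", "btmp"):
            continue
        user, tty, third = parts[0], parts[1], parts[2]
        try:
            source = ip_address(third)
        except ValueError:
            continue  # console login: third column is already the weekday
        entries.append((user, tty, source))
    return entries


def review_logins(text, expected_nets):
    """Count logins per /24 and list (user, source) pairs outside expected_nets."""
    nets = [ip_network(n) for n in expected_nets]
    per_segment = Counter()
    unexpected = []
    for user, _tty, src in parse_last(text):
        per_segment[str(ip_network("%s/24" % src, strict=False))] += 1
        if not any(src in net for net in nets):
            unexpected.append((user, str(src)))
    return {"per_segment": dict(per_segment), "unexpected": unexpected}


if __name__ == "__main__":
    report = review_logins(SAMPLE_LAST, ["10.20.0.0/16"])
    for segment, count in sorted(report["per_segment"].items()):
        print("%-18s %d login(s)" % (segment, count))
    for user, src in report["unexpected"]:
        print("unexpected: %s from %s" % (user, src))
```

Run on a real host, feed it "last -i" rather than plain "last", since the latter may print hostnames that ip_address() will not accept and those lines would be silently dropped.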
Next, scan the ports on the office network's IP segment. I scan port 1433 first, because SQL Server databases are used for many things on the IT network (many other ports are usable too). When scanning for weak passwords, do not use a generic dictionary; its success rate is not high. Use the passwords collected earlier as the dictionary, or add a dictionary of your own. wooyun actually has a very complete example.
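The weak-password scan against port 1433 leaves a clear trace on the database side: every failed attempt is written to the SQL Server ERRORLOG as a "Login failed for user" line (error 18456) with the client address. The following is an added example, not code from the original post: a detector that reads such lines and flags any client exceeding a number of failures inside a sliding time window. The log lines are constructed for the example and follow the ERRORLOG layout; the threshold of 5 failures in 10 minutes is an assumed starting point, not a recommended value from the post.

```python
"""Flag password guessing against SQL Server from ERRORLOG 'Login failed' lines.
Added example; the sample log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt: six failures from one client in a few seconds,
# one isolated failure from another client.
SAMPLE_ERRORLOG = """\
2019-03-04 10:01:02.12 Logon       Error: 18456, Severity: 14, State: 8.
2019-03-04 10:01:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.3.15]
2019-03-04 10:01:02.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.3.15]
2019-03-04 10:01:03.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.3.15]
2019-03-04 10:01:03.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.3.15]
2019-03-04 10:01:04.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.3.15]
2019-03-04 10:01:04.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.3.15]
2019-03-04 10:30:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.20.7.88]
"""

FAILED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ Logon\s+"
    r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) for each 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {client: {"attempts": n, "users": [...]}} for every client that
    produced `threshold` or more failures within any span of length `window`."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failed_logins(text):
        by_client[client].append((ts, user))

    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = {
                    "attempts": len(events),
                    "users": sorted({user for _, user in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print("%s: %d failures, users tried: %s" % (client, info["attempts"], ", ".join(info["users"])))
```

The list of user names tried is the useful part of the alert: a single application account failing repeatedly usually means a stale password somewhere, while several different names from one client is the pattern the scan described above produces.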
After getting permissions on the first Windows server on the intranet, I want to remind you again not to rush to connect to it. Check whether the services, processes and scheduled tasks include logon monitoring, connection monitoring or anything of that sort; if the other side discovers you here, you will suffer even worse. Once you have an intranet Windows server, first determine where the domain is and the IP addresses of some domain servers. My thinking is that the domain controller may not be as weak as we imagine, so we look for a server that has been joined to the domain (a server, note, not a personal PC); if the domain administrator is also logged on there, getting to the domain controller is not very hard. After confirming this information, collect and save every password, including the login password. For details, refer to the "Introduction to intranet penetration" article.
Next, move toward the target. You can try a variety of methods, for instance various logins with the passwords you have collected. One point worth mentioning: web applications on the intranet are generally relatively weak, so you can start from the web.
As it happened, my scan turned up a weak SQL Server password on a domain-joined server. The weak password was exactly one I had collected, and after I got into the server the domain administrator had a disconnected session on it. No need to think too hard: open a shift backdoor and switch it over, and the domain controller you wanted is yours.
One more thing I find very useful, on both the office network and the IDC network: remote management with the default password. Because these interfaces sit entirely inside the intranet, people are lazy about them and few remember to change the default password (believe it or not, I do). One drawback is that you need to restart the server to obtain permissions, and for Windows you need a PE environment. *Restarting is risky; be cautious.*
Postscript:
After obtaining the domain controller, you may want to dump the hashes of all domain members; for more information, see here. With those you can log on to the mailboxes, and a lot of information lives in mailboxes.
I wish you plenty of luck and a sudden surge of RP.
Leave a message on my microblog for discussion:
http://t.qq.com/hongygxiang
http://weibo.com/hongygxiang