Network security: penetration using the Evil Maid physical-access security vulnerability
2022-07-24 13:41:00 【Beluga】
Using Evil Maid to penetrate a physical-access security vulnerability
Step one: open the network topology, start the lab virtual machines, and check the IP address of each virtual machine:
Windows 2012-2

Windows 2012-1

Step two: on the attacker machine Windows 2012-2, click the first icon to the right of the Start menu to open Server Manager, click the flag icon for post-deployment configuration, and choose "Promote this server to a domain controller".

In Deployment Configuration, select "Add a new forest (F)" and enter the root domain name of the forged domain server. Fill in the root domain name according to the domain shown on the domain-joined host Windows 2012-1: pyseclabs.com


Then click Next, go to Domain Controller Options, and enter the Directory Services Restore Mode password [email protected]

On the DNS Options page, click Next.

For the other options, click Next as well.


Click Next to reach the Prerequisites Check, then click Next again.

Choose Install.

After installation, click to restart the server.

Step three: switch to Windows 2012-1, simulate a normal user logon, open a CMD command prompt, and run the command ipconfig -all | findstr DNS

During a routine penetration test, the tester should prepare domain name spoofing or resolution in advance, so that the DNS server address used by the victim host points to the forged server. To make the result of the experiment easier to observe, the resolution steps are omitted here: the DNS address configured on the domain host is set directly to 172.16.1.100, and the command shutdown -l is used to log off the domain host.

Step four: on the attacker machine Windows 2012-2 (ROGUEDC), change the password of the user Administrator and require this user to change the password at the next logon.
In the left-hand dashboard click AD DS, right-click the host whose server name is ROGUEDC, and find Active Directory Users and Computers.

Click it, find the user Administrator, then right-click and select Reset Password.

Enter the password ZkPy2020..666 (note that Z and P are capitals) and check "User must change password at next logon".

A prompt confirms that the password for Administrator has been changed.

Step five: switch to the target's logon screen, click PYSECLABS\Administrator, and type the modified user name and password (Administrator\ZkPy2020..666).

Before logon, a prompt states that the user's password must be changed.

Change the password for the administrator user Administrator.

The prompt that your password has been changed shows that the password of the administrator user Administrator was modified successfully.

Step six: switch to the forged domain server and click in the lower right corner to open the Network and Sharing Center.

Select "Change adapter settings".

Right-click Ethernet and select Disable.

Step seven: switch to the target's logon screen and log on again with the modified user name and password. Wait patiently; it may take a long time to reach the desktop.

After entering the system, run the CMD command whoami to check whether the current user's privilege is Administrator.
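
The walkthrough depends on two conditions on the target: its DNS server setting points somewhere other than the real domain controller (step three), and it still accepts a domain logon when no domain controller is reachable (step seven), which Windows serves from cached domain credentials. The following is an added example, not part of the original post, that audits a host for both conditions; the allow-list addresses are constructed placeholders, and Test-DnsServers and Get-CachedLogonsCount are hypothetical helper names.

```powershell
# Added example: audit a domain-joined Windows host for the two conditions
# the lab relies on. Replace the constructed placeholder addresses below
# with the DNS servers your domain really uses.
$AuthorizedDns = @('192.0.2.10', '192.0.2.11')   # assumption: placeholder allow-list

function Test-DnsServers {
    param([string[]]$Configured, [string[]]$Authorized)
    # Return every configured resolver that is not on the allow-list.
    $Configured |
        Where-Object { $_ -and ($Authorized -notcontains $_) } |
        Sort-Object -Unique
}

function Get-CachedLogonsCount {
    # How many domain logons Windows caches for use when no DC is reachable.
    # Stored as a string value; $null is returned when it is not set, in
    # which case the non-zero operating-system default applies.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.CachedLogonsCount
}

# Collect the IPv4 DNS servers of every interface on this host.
$configured = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses)
$unauthorized = @(Test-DnsServers -Configured $configured -Authorized $AuthorizedDns)

$cached  = Get-CachedLogonsCount
# Offline logon is possible unless the value is explicitly set to 0.
$offline = ($null -eq $cached) -or ($cached -gt 0)
$finding = if (($unauthorized.Count -gt 0) -or $offline) { 'REVIEW' } else { 'OK' }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ConfiguredDns       = ($configured | Sort-Object -Unique) -join ', '
    UnauthorizedDns     = $unauthorized -join ', '
    CachedLogonsCount   = $cached
    OfflineLogonAllowed = $offline
    Finding             = $finding
}
```

On the lab target after step three, 172.16.1.100 would be listed under UnauthorizedDns unless it had been added to the allow-list.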
