Automated Domain Information Gathering and Exploitation Tool

admin, 2023-08-10 09:38:02

Disclaimer

This article is for technical discussion and learning only. Any direct or indirect consequences or losses arising from the use of the information in this article are the sole responsibility of the user; the author and this public account accept no liability for them.

Article

Introduction

Darksteel is a tool for automated information gathering and exploitation inside an Active Directory domain.

Feature demo

Queries can be run without supplying a username and password, authenticating as the currently logged-on local account. In this mode the -d parameter must be given the domain controller's DNS name rather than an IP address (as in the example below), and -n the domain name:

darksteel.exe ldap -d dc.domain.com -n domain.com -m computer
[ASCII-art banner]

v2.0.0

[*] Domain Computers:
WIN-KQH5FQSIJSH
DESKTOP-AO8D722
DESKTOP-DO7D913
WIN-7UI852PL
EXCHANGESERVER

Main features

ldap
When we hold the password (or NTLM hash) of a domain account, we can collect useful domain information over LDAP, such as SPNs, delegation settings and live computers, as preparation for domain penetration.

kerberos
Exploit Kerberos-related weaknesses (AS-REP roasting, delegation and similar findings surfaced by the ldap module).

blast
Brute-force domain users.

computerip
Batch-resolve the IP addresses of computers in the domain.

[ASCII-art banner]

v2.0.0

Automated domain information gathering and Kerberos exploitation tool

Usage:
darksteel [command]

Available Commands:
blast        brute-force domain users
completion   Generate the autocompletion script for the specified shell
computerip   look up the IP addresses of domain computers
help         Help about any command
kerberos     Kerberos exploitation
ldap         LDAP queries

Flags:
-d, --dc string       domain controller address
-n, --domain string   domain name
-h, --help            help for darksteel

Use "darksteel [command] --help" for more information about a command.

Usage examples

Ldap

1. When we hold the password (or NTLM hash) of a domain account, we can collect useful domain information over LDAP, such as SPNs, delegation settings and live computers, as preparation for domain penetration. The -a flag runs every query; -p accepts either the plaintext password or the NTLM hash:

darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -a
[ASCII-art banner]
    
   v2.0.0

[*] Domain User:
Administrator
Guest
krbtgt
wanliu
qt
zz
xx
exchangeuser
qt01
ac

[*] Domain Admins:
CN=wanliu,CN=Users,DC=wanliu1,DC=com
CN=Administrator,CN=Users,DC=wanliu1,DC=com

[*] AdminSDHolder:
Administrator
krbtgt
wanliu

[*] sIDHistory:
[*] Enterprise Admins:
CN=Administrator,CN=Users,DC=wanliu1,DC=com

[*] OU :
Domain Controllers
Microsoft Exchange Security Groups

[*] Ca Computer:
wanliu1-WIN-KQH5FQSIJSH-CA

[*] Esc1 vulnerability template:

[*] Esc2 vulnerability template:

[*] MsSql Computer:
WIN-7UI852PL

[*] Maq Number:
10

[*] DC Computer:
WIN-KQH5FQSIJSH

[*] Acl :
qt full control ------> ac
qt change password ------> zz
qt01 has DCSync rights

[*] Trust Domain:

[*] Domain Computers:
WIN-KQH5FQSIJSH
DESKTOP-AO8D722
DESKTOP-DO7D913
WIN-7UI852PL
EXCHANGESERVER

[*] Survival Computer:
WIN-KQH5FQSIJSH --> Windows Server 2012 R2 Standard
DESKTOP-AO8D722 --> Windows 10 Pro
DESKTOP-DO7D913 --> Windows 10 Pro
WIN-7UI852PL --> Windows Server 2008 R2 Enterprise
EXCHANGESERVER --> Windows Server 2016 Datacenter

[*] Exchange Servers:
CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com

[*] Exchange Trusted Subsystem:
CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com

[*] Exchange Organization Management:
CN=Administrator,CN=Users,DC=wanliu1,DC=com

[*] Asreproast User:
xx

[*] Unconstrained delegation computers:
CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com [WIN-KQH5FQSIJSH]
[*] Unconstrained delegation users:
CN=zz,CN=Users,DC=wanliu1,DC=com [zz]
[*] Constrained delegation computers:
CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com [WIN-7UI852PL]
cifs/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
cifs/WIN-KQH5FQSIJSH.wanliu1.com
cifs/WIN-KQH5FQSIJSH
cifs/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
cifs/WIN-KQH5FQSIJSH/WANLIU1
[*] Constrained delegation users:
[*] Resource-based constrained delegation:
CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]

[*] SPN:CN=xx,CN=Users,DC=wanliu1,DC=com
cifs/admin

[*] SPN:CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com
exchangeAB/WIN-KQH5FQSIJSH
exchangeAB/WIN-KQH5FQSIJSH.wanliu1.com
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-KQH5FQSIJSH.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/ForestDnsZones.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/DomainDnsZones.wanliu1.com
TERMSRV/WIN-KQH5FQSIJSH
TERMSRV/WIN-KQH5FQSIJSH.wanliu1.com
DNS/WIN-KQH5FQSIJSH.wanliu1.com
GC/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
RestrictedKrbHost/WIN-KQH5FQSIJSH.wanliu1.com
RestrictedKrbHost/WIN-KQH5FQSIJSH
RPC/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
HOST/WIN-KQH5FQSIJSH/WANLIU1
HOST/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
HOST/WIN-KQH5FQSIJSH
HOST/WIN-KQH5FQSIJSH.wanliu1.com
HOST/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
E3514235-4B06-11D1-AB04-00C04FC2DCD2/f20db9b6-b740-4670-ab3c-ead6acf58f4f/wanliu1.com
ldap/WIN-KQH5FQSIJSH/WANLIU1
ldap/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
ldap/WIN-KQH5FQSIJSH
ldap/WIN-KQH5FQSIJSH.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com

[*] SPN:CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
IMAP/EXCHANGESERVER
IMAP/exchangeserver.wanliu1.com
IMAP4/EXCHANGESERVER
IMAP4/exchangeserver.wanliu1.com
POP/EXCHANGESERVER
POP/exchangeserver.wanliu1.com
POP3/EXCHANGESERVER
POP3/exchangeserver.wanliu1.com
exchangeRFR/EXCHANGESERVER
exchangeRFR/exchangeserver.wanliu1.com
exchangeAB/EXCHANGESERVER
exchangeAB/exchangeserver.wanliu1.com
exchangeMDB/EXCHANGESERVER
exchangeMDB/exchangeserver.wanliu1.com
SMTP/EXCHANGESERVER
SMTP/exchangeserver.wanliu1.com
SmtpSvc/EXCHANGESERVER
SmtpSvc/exchangeserver.wanliu1.com
TERMSRV/EXCHANGESERVER
TERMSRV/exchangeserver.wanliu1.com
WSMAN/exchangeserver
WSMAN/exchangeserver.wanliu1.com
RestrictedKrbHost/EXCHANGESERVER
HOST/EXCHANGESERVER
RestrictedKrbHost/exchangeserver.wanliu1.com
HOST/exchangeserver.wanliu1.com

[*] SPN:CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com
TERMSRV/DESKTOP-AO8D722
TERMSRV/DESKTOP-AO8D722.wanliu1.com
RestrictedKrbHost/DESKTOP-AO8D722
HOST/DESKTOP-AO8D722
RestrictedKrbHost/DESKTOP-AO8D722.wanliu1.com
HOST/DESKTOP-AO8D722.wanliu1.com

[*] SPN:CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com
TERMSRV/DESKTOP-DO7D913
TERMSRV/DESKTOP-DO7D913.wanliu1.com
RestrictedKrbHost/DESKTOP-DO7D913
HOST/DESKTOP-DO7D913
RestrictedKrbHost/DESKTOP-DO7D913.wanliu1.com
HOST/DESKTOP-DO7D913.wanliu1.com

[*] SPN:CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com
WSMAN/WIN-7UI852PL
WSMAN/WIN-7UI852PL.wanliu1.com
TERMSRV/WIN-7UI852PL
TERMSRV/WIN-7UI852PL.wanliu1.com
MSSQLSvc/WIN-7UI852PL.wanliu1.com:1433
MSSQLSvc/WIN-7UI852PL.wanliu1.com
RestrictedKrbHost/WIN-7UI852PL
HOST/WIN-7UI852PL
RestrictedKrbHost/WIN-7UI852PL.wanliu1.com
HOST/WIN-7UI852PL.wanliu1.com

[*] SPN:CN=krbtgt,CN=Users,DC=wanliu1,DC=com
kadmin/changepw

[*] SPN:CN=zz,CN=Users,DC=wanliu1,DC=com
mssql/DESKTOP-AO8D722

2. When we want to find the users, groups or computers in the domain that match a keyword, we can use the keyword search (-z) to locate the admin users and admin computers. The match is made against object descriptions, so the keyword has to be in the language of the DC's default descriptions: 管理员 hits the localized built-in group descriptions shown below, whereas an English-language domain would need "Admin".

darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -z 管理员
[ASCII-art banner]
    
   v1.0.8

[*] CN=Administrators,CN=Builtin,DC=test,DC=com --> Administrators have complete and unrestricted access to the computer/domain
[*] CN=Schema Admins,CN=Users,DC=test,DC=com --> Designated administrators of the schema
[*] CN=Enterprise Admins,CN=Users,DC=test,DC=com --> Designated administrators of the enterprise
[*] CN=Domain Admins,CN=Users,DC=test,DC=com --> Designated administrators of the domain
[*] CN=zz,CN=Users,DC=test,DC=com --> fake admin
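The two examples above are both LDAP reads: step 1 pulls users and computers and sorts them into the delegation, AS-REP roast, Kerberoast, DC, MSSQL and MAQ sections, and step 2 is a substring match on descriptions. The block below is an added example, not Darksteel's code, showing the attribute logic behind those sections. It fetches every user and computer in one query and classifies them locally from userAccountControl bits and a handful of attributes, and builds the step-2 filter with RFC 4515 escaping so the keyword cannot rewrite the filter. The `search` callable, the `fake_search` stand-in and the `SAMPLE` entries are assumptions constructed for this example (the names mirror the demo domain in the post; the RBCD security descriptor is a truncated placeholder).

```python
"""
Added example (not Darksteel's code): classify users/computers the way the
`ldap -a` output above is sectioned, and build the step-2 keyword filter.
The search callable, fake_search and SAMPLE are constructed assumptions.
"""
from typing import Callable, Dict, Iterable, List, Tuple

Entry = Tuple[str, Dict[str, object]]                 # (distinguishedName, attributes)
SearchFn = Callable[[str, str, List[str]], List[Entry]]

# userAccountControl bits (MS-ADTS 2.2.16)
UF_ACCOUNTDISABLE = 0x0002
UF_SERVER_TRUST_ACCOUNT = 0x2000            # set on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000         # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000          # AS-REP roastable

# One query covers every section; the sorting happens client-side.
COLLECT_FILTER = "(|(objectCategory=person)(objectCategory=computer))"
COLLECT_ATTRS = ["sAMAccountName", "objectCategory", "userAccountControl",
                 "servicePrincipalName", "msDS-AllowedToDelegateTo",
                 "msDS-AllowedToActOnBehalfOfOtherIdentity"]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: a user-supplied keyword must not be able to alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def keyword_filter(keyword: str) -> str:
    """Step-2 search: users, groups and computers whose description or name contains the keyword."""
    k = ldap_escape(keyword)
    return ("(&(|(objectCategory=person)(objectCategory=group)(objectCategory=computer))"
            f"(|(description=*{k}*)(cn=*{k}*)))")


def _vals(attrs: Dict[str, object], name: str) -> list:
    """Clients return a scalar for single-valued attributes; normalise to a list."""
    v = attrs.get(name)
    if v is None or v == []:
        return []
    return v if isinstance(v, list) else [v]


def classify(entries: Iterable[Entry]) -> Dict[str, List[str]]:
    """Bucket entries into the sections Darksteel prints; each bucket is a list of DNs."""
    out: Dict[str, List[str]] = {k: [] for k in (
        "domain_controllers", "unconstrained_delegation", "constrained_delegation",
        "rbcd", "asreproast", "kerberoast", "mssql")}
    for dn, attrs in entries:
        uac = int((_vals(attrs, "userAccountControl") or [0])[0])
        if uac & UF_ACCOUNTDISABLE:
            continue                                   # disabled accounts are not usable targets
        sam = str((_vals(attrs, "sAMAccountName") or [""])[0])
        spns = [str(s) for s in _vals(attrs, "servicePrincipalName")]
        is_computer = str((_vals(attrs, "objectCategory") or [""])[0]).lower().startswith("cn=computer")
        if uac & UF_SERVER_TRUST_ACCOUNT:
            out["domain_controllers"].append(dn)
        if uac & UF_TRUSTED_FOR_DELEGATION:
            out["unconstrained_delegation"].append(dn)
        if _vals(attrs, "msDS-AllowedToDelegateTo"):
            out["constrained_delegation"].append(dn)   # the SPN list is the allowed targets
        if _vals(attrs, "msDS-AllowedToActOnBehalfOfOtherIdentity"):
            out["rbcd"].append(dn)                     # security descriptor naming the allowed principals
        if not is_computer and uac & UF_DONT_REQUIRE_PREAUTH:
            out["asreproast"].append(dn)
        if not is_computer and spns and sam.lower() != "krbtgt":
            out["kerberoast"].append(dn)               # user with SPN: TGS-REP crackable offline
        if any(s.lower().startswith("mssqlsvc/") for s in spns):
            out["mssql"].append(dn)
    return out


def collect(search: SearchFn, base_dn: str) -> Tuple[Dict[str, List[str]], int]:
    """Run the collection query plus the MachineAccountQuota lookup on the domain head."""
    buckets = classify(search(base_dn, COLLECT_FILTER, COLLECT_ATTRS))
    rows = search(base_dn, "(objectClass=domain)", ["ms-DS-MachineAccountQuota"])
    quota = _vals(rows[0][1], "ms-DS-MachineAccountQuota") if rows else []
    return buckets, (int(quota[0]) if quota else 10)   # AD default when unset is 10


# --- constructed sample data standing in for a DC; not real query results ---
_D = "DC=wanliu1,DC=com"
_COMPUTER = f"CN=Computer,CN=Schema,CN=Configuration,{_D}"
_PERSON = f"CN=Person,CN=Schema,CN=Configuration,{_D}"
SAMPLE: List[Entry] = [
    (f"CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,{_D}", {"sAMAccountName": "WIN-KQH5FQSIJSH$",
        "objectCategory": _COMPUTER, "userAccountControl": 532480,      # SERVER_TRUST | TRUSTED_FOR_DELEGATION
        "servicePrincipalName": ["ldap/WIN-KQH5FQSIJSH.wanliu1.com"]}),
    (f"CN=zz,CN=Users,{_D}", {"sAMAccountName": "zz", "objectCategory": _PERSON,
        "userAccountControl": 524800, "servicePrincipalName": ["mssql/DESKTOP-AO8D722"]}),
    (f"CN=xx,CN=Users,{_D}", {"sAMAccountName": "xx", "objectCategory": _PERSON,
        "userAccountControl": 4194816, "servicePrincipalName": ["cifs/admin"]}),
    (f"CN=WIN-7UI852PL,CN=Computers,{_D}", {"sAMAccountName": "WIN-7UI852PL$", "objectCategory": _COMPUTER,
        "userAccountControl": 4096, "servicePrincipalName": ["MSSQLSvc/WIN-7UI852PL.wanliu1.com:1433"],
        "msDS-AllowedToDelegateTo": ["cifs/WIN-KQH5FQSIJSH.wanliu1.com"]}),
    (f"CN=DESKTOP-AO8D722,CN=Computers,{_D}", {"sAMAccountName": "DESKTOP-AO8D722$", "objectCategory": _COMPUTER,
        "userAccountControl": 4096,
        "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80" + b"\x00" * 16}),  # placeholder SD
    (f"CN=Guest,CN=Users,{_D}", {"sAMAccountName": "Guest", "objectCategory": _PERSON, "userAccountControl": 514}),
    (f"CN=krbtgt,CN=Users,{_D}", {"sAMAccountName": "krbtgt", "objectCategory": _PERSON,
        "userAccountControl": 514, "servicePrincipalName": ["kadmin/changepw"]}),
]


def fake_search(base_dn: str, ldap_filter: str, attrs: List[str]) -> List[Entry]:
    """Offline stand-in for an LDAP client; answers only the two queries collect() issues."""
    if ldap_filter == COLLECT_FILTER:
        return SAMPLE
    if ldap_filter == "(objectClass=domain)":
        return [(base_dn, {"ms-DS-MachineAccountQuota": 10})]
    return []


if __name__ == "__main__":
    buckets, maq = collect(fake_search, _D)
    print("[*] Maq Number:", maq)
    for section, dns in buckets.items():
        print(f"[*] {section}:", *dns, sep="\n  ")
    print(keyword_filter("管理员"))
```

To run this against a real DC, replace `fake_search` with a wrapper around your LDAP client; with ldap3, call `conn.search(base, flt, attributes=attrs)` and return `[(r["dn"], r["attributes"]) for r in conn.response if r["type"] == "searchResEntry"]`. The escaping in `ldap_escape` is the check to keep when the keyword comes from a user: without it a value such as `*)(objectClass=*` turns the description search into a dump of every object.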

Download

https://github.com/wjlab/Darksteel

Originally published by the WeChat public account Z2O安全攻防: Tool recommendation | Automated domain information gathering and exploitation tool

Reposted by CN-SEC中文网 (keep this link when reposting): https://cn-sec.com/archives/1941925.html
