Disclaimer
This article is for technical discussion and study only. Any direct or indirect consequences or losses arising from use of the information provided here are the sole responsibility of the user; the author of the article and this public account accept no liability for them.
Introduction
Darksteel is a tool for automated information gathering and exploitation inside an Active Directory domain.
Feature demo
Queries can be run without supplying a username and password, authenticating with the local account instead (in this mode the -d parameter must be given as a DNS name).
darksteel.exe ldap -d dc.domain.com -n domain.com -m computer
[Darksteel ASCII-art banner]
v2.0.0
[*] Domain Computers:
WIN-KQH5FQSIJSH
DESKTOP-AO8D722
DESKTOP-DO7D913
WIN-7UI852PL
EXCHANGESERVER
Main features
ldap
When we hold a domain account's password (or hash), LDAP can be used to gather useful information about the domain, such as SPNs, delegation settings, live computers and so on, in preparation for domain penetration.
kerberos
Exploitation of Kerberos vulnerabilities
blast
Brute-force domain users
computerip
Batch lookup of the IP addresses of domain computers
[Darksteel ASCII-art banner]
v2.0.0
自动化域内信息搜集、kerberos利用工具
Usage:
darksteel [command]
Available Commands:
blast 爆破域内用户
completion Generate the autocompletion script for the specified shell
computerip 查询域内计算机的ip地址
help Help about any command
kerberos kerberos利用
ldap ldap查询
Flags:
-d, --dc string 域控地址
-n, --domain string 域名
-h, --help help for darksteel
Use "darksteel [command] --help" for more information about a command.
Usage examples
Ldap
1. When we hold a domain account's password (or hash), LDAP can be used to gather useful information about the domain, such as SPNs, delegation settings, live computers and so on, in preparation for domain penetration.
darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -a
[Darksteel ASCII-art banner]
v2.0.0
[*] Domain User:
Administrator
Guest
krbtgt
wanliu
qt
zz
xx
exchangeuser
qt01
ac
[*] Domain Admins:
CN=wanliu,CN=Users,DC=wanliu1,DC=com
CN=Administrator,CN=Users,DC=wanliu1,DC=com
[*] AdminSDHolder:
Administrator
krbtgt
wanliu
[*] sIDHistory:
[*] Enterprise Admins:
CN=Administrator,CN=Users,DC=wanliu1,DC=com
[*] OU :
Domain Controllers
Microsoft Exchange Security Groups
[*] Ca Computer:
wanliu1-WIN-KQH5FQSIJSH-CA
[*] Esc1 vulnerability template:
[*] Esc2 vulnerability template:
[*] MsSql Computer:
WIN-7UI852PL
[*] Maq Number:
10
[*] DC Computer:
WIN-KQH5FQSIJSH
[*] Acl :
qt 完全控制 ------> ac
qt 修改密码 ------> zz
qt01 拥有DCSync权限
[*] Trust Domain:
[*] Domain Computers:
WIN-KQH5FQSIJSH
DESKTOP-AO8D722
DESKTOP-DO7D913
WIN-7UI852PL
EXCHANGESERVER
[*] Survival Computer:
WIN-KQH5FQSIJSH --> Windows Server 2012 R2 Standard
DESKTOP-AO8D722 --> Windows 10 专业版
DESKTOP-DO7D913 --> Windows 10 专业版
WIN-7UI852PL --> Windows Server 2008 R2 Enterprise
EXCHANGESERVER --> Windows Server 2016 Datacenter
[*] Exchange Servers:
CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
[*] Exchange Trusted Subsystem:
CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
[*] Exchange Organization Management:
CN=Administrator,CN=Users,DC=wanliu1,DC=com
[*] Asreproast User:
xx
[*] 非约束委派机器:
CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com [WIN-KQH5FQSIJSH]
[*] 非约束委派用户:
CN=zz,CN=Users,DC=wanliu1,DC=com [zz]
[*] 约束委派机器:
CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com [WIN-7UI852PL]
cifs/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
cifs/WIN-KQH5FQSIJSH.wanliu1.com
cifs/WIN-KQH5FQSIJSH
cifs/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
cifs/WIN-KQH5FQSIJSH/WANLIU1
[*] 约束委派用户:
[*] 基于资源约束委派:
CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
[*] SPN:CN=xx,CN=Users,DC=wanliu1,DC=com
cifs/admin
[*] SPN:CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com
exchangeAB/WIN-KQH5FQSIJSH
exchangeAB/WIN-KQH5FQSIJSH.wanliu1.com
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-KQH5FQSIJSH.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/ForestDnsZones.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/DomainDnsZones.wanliu1.com
TERMSRV/WIN-KQH5FQSIJSH
TERMSRV/WIN-KQH5FQSIJSH.wanliu1.com
DNS/WIN-KQH5FQSIJSH.wanliu1.com
GC/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
RestrictedKrbHost/WIN-KQH5FQSIJSH.wanliu1.com
RestrictedKrbHost/WIN-KQH5FQSIJSH
RPC/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
HOST/WIN-KQH5FQSIJSH/WANLIU1
HOST/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
HOST/WIN-KQH5FQSIJSH
HOST/WIN-KQH5FQSIJSH.wanliu1.com
HOST/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
E3514235-4B06-11D1-AB04-00C04FC2DCD2/f20db9b6-b740-4670-ab3c-ead6acf58f4f/wanliu1.com
ldap/WIN-KQH5FQSIJSH/WANLIU1
ldap/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
ldap/WIN-KQH5FQSIJSH
ldap/WIN-KQH5FQSIJSH.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
[*] SPN:CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
IMAP/EXCHANGESERVER
IMAP/exchangeserver.wanliu1.com
IMAP4/EXCHANGESERVER
IMAP4/exchangeserver.wanliu1.com
POP/EXCHANGESERVER
POP/exchangeserver.wanliu1.com
POP3/EXCHANGESERVER
POP3/exchangeserver.wanliu1.com
exchangeRFR/EXCHANGESERVER
exchangeRFR/exchangeserver.wanliu1.com
exchangeAB/EXCHANGESERVER
exchangeAB/exchangeserver.wanliu1.com
exchangeMDB/EXCHANGESERVER
exchangeMDB/exchangeserver.wanliu1.com
SMTP/EXCHANGESERVER
SMTP/exchangeserver.wanliu1.com
SmtpSvc/EXCHANGESERVER
SmtpSvc/exchangeserver.wanliu1.com
TERMSRV/EXCHANGESERVER
TERMSRV/exchangeserver.wanliu1.com
WSMAN/exchangeserver
WSMAN/exchangeserver.wanliu1.com
RestrictedKrbHost/EXCHANGESERVER
HOST/EXCHANGESERVER
RestrictedKrbHost/exchangeserver.wanliu1.com
HOST/exchangeserver.wanliu1.com
[*] SPN:CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com
TERMSRV/DESKTOP-AO8D722
TERMSRV/DESKTOP-AO8D722.wanliu1.com
RestrictedKrbHost/DESKTOP-AO8D722
HOST/DESKTOP-AO8D722
RestrictedKrbHost/DESKTOP-AO8D722.wanliu1.com
HOST/DESKTOP-AO8D722.wanliu1.com
[*] SPN:CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com
TERMSRV/DESKTOP-DO7D913
TERMSRV/DESKTOP-DO7D913.wanliu1.com
RestrictedKrbHost/DESKTOP-DO7D913
HOST/DESKTOP-DO7D913
RestrictedKrbHost/DESKTOP-DO7D913.wanliu1.com
HOST/DESKTOP-DO7D913.wanliu1.com
[*] SPN:CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com
WSMAN/WIN-7UI852PL
WSMAN/WIN-7UI852PL.wanliu1.com
TERMSRV/WIN-7UI852PL
TERMSRV/WIN-7UI852PL.wanliu1.com
MSSQLSvc/WIN-7UI852PL.wanliu1.com:1433
MSSQLSvc/WIN-7UI852PL.wanliu1.com
RestrictedKrbHost/WIN-7UI852PL
HOST/WIN-7UI852PL
RestrictedKrbHost/WIN-7UI852PL.wanliu1.com
HOST/WIN-7UI852PL.wanliu1.com
[*] SPN:CN=krbtgt,CN=Users,DC=wanliu1,DC=com
kadmin/changepw
[*] SPN:CN=zz,CN=Users,DC=wanliu1,DC=com
mssql/DESKTOP-AO8D722
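As an added example (not part of Darksteel or of the original post), the following Python script parses the "[*] Section:" output format shown above into a map of sections and flags the findings a defender reviewing such output would want to triage first: AS-REP roastable users, unconstrained and resource-based delegation, ESC1/ESC2 templates, user objects carrying an SPN, and DCSync rights held by a principal that is not listed under Domain Admins. The input is a constructed excerpt modelled on the output above, not a live capture; section labels are matched verbatim as the tool prints them, including the Chinese ones, and the risk descriptions are this example's own wording.

```python
"""Triage parser for Darksteel-style '[*] Section:' output (added example)."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the ldap output shown above; not captured live.
SAMPLE_OUTPUT = """\
v2.0.0
[*] Domain Admins:
CN=wanliu,CN=Users,DC=wanliu1,DC=com
CN=Administrator,CN=Users,DC=wanliu1,DC=com
[*] Esc1 vulnerability template:
[*] Acl :
qt 完全控制 ------> ac
qt01 拥有DCSync权限
[*] Asreproast User:
xx
[*] 非约束委派机器:
CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com [WIN-KQH5FQSIJSH]
[*] 非约束委派用户:
CN=zz,CN=Users,DC=wanliu1,DC=com [zz]
[*] 基于资源约束委派:
CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
[*] SPN:CN=krbtgt,CN=Users,DC=wanliu1,DC=com
kadmin/changepw
[*] SPN:CN=zz,CN=Users,DC=wanliu1,DC=com
mssql/DESKTOP-AO8D722
"""

# Section labels exactly as the tool prints them (Chinese labels kept verbatim),
# mapped to the risk a defender should read them as (wording is this example's).
HIGH_RISK_SECTIONS = {
    "Asreproast User": "user without Kerberos pre-authentication (AS-REP roastable)",
    "非约束委派机器": "computer trusted for unconstrained delegation",
    "非约束委派用户": "user trusted for unconstrained delegation",
    "基于资源约束委派": "resource-based constrained delegation present (review the creator)",
    "Esc1 vulnerability template": "AD CS template vulnerable to ESC1",
    "Esc2 vulnerability template": "AD CS template vulnerable to ESC2",
}


def parse_sections(text):
    """Split output into an ordered {section_label: [entry, ...]} map.
    Lines before the first '[*]' header (banner, version) are ignored."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[*]"):
            # '[*] Acl :' -> 'Acl'; '[*] SPN:CN=zz,...' keeps its inner colon
            current = line[3:].strip().rstrip(":").strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _cn(dn):
    """First RDN value of a DN ('CN=zz,CN=Users,...' -> 'zz')."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def flag_findings(sections):
    """Return (risk, evidence) pairs worth immediate review."""
    findings = []
    domain_admins = {_cn(dn) for dn in sections.get("Domain Admins", [])}
    for label, entries in sections.items():
        if label in HIGH_RISK_SECTIONS:
            findings.extend((HIGH_RISK_SECTIONS[label], e) for e in entries)
        elif label == "Acl":
            for e in entries:
                principal = e.split()[0]
                if "DCSync" in e and principal not in domain_admins:
                    findings.append(("principal outside Domain Admins holds DCSync rights", e))
        elif label.startswith("SPN:"):
            dn = label[len("SPN:"):]
            # User objects (not computers) carrying an SPN are Kerberoasting
            # candidates; krbtgt always carries kadmin/changepw and is skipped.
            if ",CN=Users," in dn and _cn(dn).lower() != "krbtgt":
                findings.append(("user account with an SPN (Kerberoasting candidate)", dn))
    return findings


if __name__ == "__main__":
    for risk, evidence in flag_findings(parse_sections(SAMPLE_OUTPUT)):
        print(f"[!] {risk}: {evidence}")
```

Feed the script the saved output of a real run in place of SAMPLE_OUTPUT to get a short list of items to remediate: removing unconstrained delegation, enabling pre-authentication, rotating or retiring SPN-bearing user accounts, and reviewing who holds replication rights on the domain head.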
2. When we want to find the users or computers in the domain that match certain keywords, we can use the keyword query to find which are administrator users and administrator computers.
darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -z 管理员
[Darksteel ASCII-art banner]
v1.0.8
[*] CN=Administrators,CN=Builtin,DC=test,DC=com --> 管理员对计算机/域有不受限制的完全访问权
[*] CN=Schema Admins,CN=Users,DC=test,DC=com --> 架构的指定系统管理员
[*] CN=Enterprise Admins,CN=Users,DC=test,DC=com --> 企业的指定系统管理员
[*] CN=Domain Admins,CN=Users,DC=test,DC=com --> 指定的域管理员
[*] CN=zz,CN=Users,DC=test,DC=com --> 假管理员
Download
https://github.com/wjlab/Darksteel
Originally published on the WeChat public account Z2O安全攻防: Tool recommendation | Automated in-domain information gathering and exploitation tool