"Intranet Security Attack and Defense: A Practical Guide to Penetration Testing" Reading Notes (7): Cross-domain Attack Analysis and Defense

Foreword

In this article I continue reading and learning from "Intranet Security Attack and Defense: A Practical Guide to Penetration Testing". This chapter covers cross-domain attack analysis and defense: it analyzes the typical methods that use domain trust relationships to carry out cross-domain attacks and gives advice on deploying a secure intranet production environment. It is very brief.

Large enterprises generally share resources through domain forests

  • According to different functions, the departments are logically divided into main domains and subdomains to facilitate unified management
  • At the physical layer, firewalls are usually used to divide subsidiaries and departments into different areas
  • If an attacker compromises a domain controller of a subsidiary or a department but does not hold permissions over the entire company's intranet (or the resources they need are not in that domain), they will often try to obtain permissions in other departments (or domains)

1. Cross-domain attack methods

Common cross-domain attack methods include:

  • Conventional penetration methods (such as exploiting web vulnerabilities to gain permissions across domains)
  • Pass-the-hash or pass-the-ticket attacks using a known domain hash value (for example, when the local administrator password is the same on the DCs of different domains)
  • Cross-domain attacks using domain trust relationships

2. Cross-domain attacks using domain trust relationships

1. Introduction to Domain Trust

The role of domain trust is to solve the problem of cross-domain resource sharing in a multi-domain environment

  • By default, all users in a given Windows domain can authenticate to resources in that domain
  • A domain does not unconditionally accept credentials from other domains. If users want to access resources outside the current domain boundary, a domain trust is required
  • A domain trust is a mechanism by which one domain allows users of another domain, once authenticated, to access its resources
  • Starting with Windows Server 2003, domain trust relationships are bidirectional and transitive (they can be chained through trust relationships)
  • Only members of the Domain Admins group can manage domain trust relationships

2. Get domain information

In a domain, members of the Enterprise Admins group (present only in the root domain of the forest) have full control over all domains in the forest. By default, this group includes members with Administrator privileges on all domain controllers in the forest

LG.exe is a tool that enumerates user and group information on remote hosts:

// Enumerate the user groups in the domain
lg.exe <domain name>\.

// Enumerate the local group users of a remote machine
lg.exe \\dc

// Get the SIDs of all users on the remote machine
lg.exe \\dc -lu -sidsout

// Get the SIDs of all members of the specified group
lg.exe \\dc\administrators -sidsout

3. Use the domain trust key (NTLM Hash) to obtain the authority of the target domain

Use mimikatz to export the trust key and forge a trust ticket (with sidHistory), use asktgs to request a TGS, use kirbikator to inject the TGS into memory, and obtain the permissions of the target domain.

mimikatz can set sidHistory when building a golden ticket, so if an attacker obtains the krbtgt hash of any domain in the forest, they can use sidHistory to gain full access to the entire forest.

4. Use the krbtgt hash value to obtain the permissions of the target domain

Use mimikatz on the DC to obtain the krbtgt hash value, construct and inject a golden ticket from an ordinary user account in the subdomain, and obtain the permissions of the target domain

5. Use unconstrained delegation and MS-RPRN to obtain trust forest permissions

If an attacker has already gained permissions on a domain controller in the domain forest, or on any server configured for unconstrained delegation, MS-RPRN can be used to make the domain controller of the trusting forest send an authentication request to the controlled server; the captured ticket can then be used to obtain the hash value of any user in the trusted forest

Two tools:

3. Prevent cross-domain attacks

The external web is often configured with WAF and equipped with maintenance personnel for regular security inspections, while the intranet web (internal office, test server, etc.) is more vulnerable, often with weak passwords and vulnerabilities that have not been patched in time.

In many companies, although different domains are divided for different departments, the domain administrators may be the same group of people, so the user name and password of the domain administrators may be the same.

Therefore, it is important to check whether the local administrator password of a DC is the same as the local administrator password of the DCs in other domains
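As an added defender-side check (not code from the book or the blog post), the PowerShell below audits the two settings the techniques above depend on: SID filtering on trusts, which decides whether the sidHistory in a trust ticket or golden ticket is honored across a trust, and accounts with unconstrained delegation, which the MS-RPRN technique relies on. It assumes the RSAT ActiveDirectory module and read rights on the domain; the function names are my own.

```powershell
# Added example, not from the book or the blog post: a read-only audit of
# trust SID filtering and unconstrained delegation in the current domain.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-TrustSidFilteringAudit {
    # One row per trust, flagging trusts that accept logons from the other
    # side without stripping foreign SIDs from the SIDHistory of tickets.
    foreach ($t in Get-ADTrust -Filter *) {
        $acceptsInbound = $t.Direction -in 'Inbound', 'BiDirectional'
        $sidFiltered    = $t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware
        $finding = 'ok'
        if ($t.IntraForest) {
            # Parent/child trusts never filter SIDs: the forest is the boundary,
            # which is why a krbtgt hash from any domain reaches the whole forest.
            $finding = 'intra-forest trust: no SID filtering by design'
        } elseif ($acceptsInbound -and -not $sidFiltered) {
            $finding = 'REVIEW: inbound trust without SID filtering'
        }
        [pscustomobject]@{
            Target        = $t.Target
            Direction     = $t.Direction
            IntraForest   = $t.IntraForest
            SidFiltering  = [bool]$sidFiltered
            TgtDelegation = $t.TGTDelegation   # must be enabled for TGTs to cross this trust
            Finding       = $finding
        }
    }
}

function Get-UnconstrainedDelegationAudit {
    # Accounts that cache any TGT presented to them. DCs are expected here;
    # any other server is a candidate for the coerced-authentication technique.
    $filter = 'TrustedForDelegation -eq $true'
    Get-ADComputer -Filter $filter -Properties PrimaryGroupID | ForEach-Object {
        [pscustomobject]@{
            Account = $_.Name
            Type    = 'computer'
            IsDC    = ($_.PrimaryGroupID -eq 516)   # 516 = Domain Controllers group
        }
    }
    Get-ADUser -Filter $filter | ForEach-Object {
        [pscustomobject]@{ Account = $_.SamAccountName; Type = 'user'; IsDC = $false }
    }
}

Get-TrustSidFilteringAudit | Format-Table -AutoSize
# Non-DC accounts with unconstrained delegation are the ones to review first.
Get-UnconstrainedDelegationAudit | Where-Object { -not $_.IsDC } | Format-Table -AutoSize
```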

Epilogue

This chapter is relatively short; it mainly covers using domain trust relationships to carry out cross-domain attacks

Origin blog.csdn.net/weixin_44604541/article/details/124281738