SPN in domain penetration - Kerberos application protocol

0x01 About SPN

A Service Principal Name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service on a specific target host.

An SPN is a unique identifier for a service instance (think of a service such as HTTP or MSSQL). Kerberos authentication uses the SPN to associate a service instance with the account the service logs on as: when a client asks the KDC for a service ticket it names the SPN, and the KDC encrypts the ticket with the key of the account that holds that SPN.

Inside an internal network, SPN scanning discovers services by querying a domain controller. For a red team this helps identify hosts running critical services such as Terminal Services, Exchange and Microsoft SQL without the noise of a port scan. SPN identification is also the first step of a Kerberoasting attack, since the service ticket returned for a user account's SPN is encrypted with that account's password-derived key and can be cracked offline.

0x02 SPN Basic Configuration

Details are in Microsoft's official documentation:

https://docs.microsoft.com/zh-cn/windows-server/networking/sdn/security/kerberos-with-spn

An SPN has four syntactic elements, two mandatory and two optional. <service class> and <host> are the mandatory ones:

<service class>/<host>:<port>/<service name>

<service class>: a string identifying the class of service (for example HTTP, MSSQLSvc, TERMSERV)

<host>: the name of the host where the service runs (normally its FQDN)

<port>: the service port; optional, needed when several instances of the same class run on one host

<service name>: the service name; optional (domain controllers, for example, register ldap/<dc fqdn>/<domain name>)
Common services and their SPN service instance names:

MSSQL: MSSQLSvc/adsmsSQLAP01.adsecurity.org:1433
Exchange: exchangeMDB/adsmsEXCAS01.adsecurity.org
RDP: TERMSERV/adsmsEXCAS01.adsecurity.org
WSMan / WinRM / PS Remoting: WSMAN/adsmsEXCAS01.adsecurity.org
Hyper-V Host: Microsoft Virtual Console Service/adsmsHV01.adsecurity.org
VMware vCenter: STS/adsmsVC01.adsecurity.org
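As an added example (not code from the original post), here is a PowerShell function that splits an SPN into the four elements above, treating port and service name as optional. The sample inputs are the SPNs from the table plus two constructed forms: a named SQL instance (where the "port" slot holds an instance name) and a domain controller's ldap SPN with the domain name in the service-name slot.

```powershell
# Added example: parse an SPN string into <service class>/<host>:<port>/<service name>.
# Service class and host are mandatory; port and service name are optional.
function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)

    # Only the first '/' separates the class from the host; a later '/' starts the service name
    $classAndRest = $Spn -split '/', 2
    if ($classAndRest.Count -lt 2 -or -not $classAndRest[0] -or -not $classAndRest[1]) {
        throw "Invalid SPN '$Spn': <service class>/<host> are both required"
    }
    $serviceClass = $classAndRest[0]
    $hostAndName  = $classAndRest[1] -split '/', 2
    $hostPart     = $hostAndName[0]
    $serviceName  = if ($hostAndName.Count -eq 2) { $hostAndName[1] } else { $null }

    # <host>:<port> -- the port is optional; SQL Server also registers "host:INSTANCENAME" for named instances
    $hostName = $hostPart
    $port     = $null
    $idx      = $hostPart.LastIndexOf(':')
    if ($idx -gt 0) {
        $hostName = $hostPart.Substring(0, $idx)
        $port     = $hostPart.Substring($idx + 1)
    }

    [pscustomobject]@{
        Spn          = $Spn
        ServiceClass = $serviceClass
        Host         = $hostName
        Port         = $port            # a number, a named instance, or $null
        ServiceName  = $serviceName     # $null unless the SPN has a third element
        HostIsFqdn   = $hostName.Contains('.')   # short names only work for Kerberos if the client resolves them the same way
    }
}

# Constructed sample input: SPNs from the table above plus two extra forms
$samples = @(
    'MSSQLSvc/adsmsSQLAP01.adsecurity.org:1433',
    'MSSQLSvc/adsmsSQLAP01.adsecurity.org:SQLEXPRESS',   # named instance (constructed)
    'exchangeMDB/adsmsEXCAS01.adsecurity.org',
    'TERMSERV/adsmsEXCAS01.adsecurity.org',
    'ldap/DC-1.qing.com/qing.com'                        # DC ldap SPN with service name (constructed)
)
$samples | ForEach-Object { ConvertFrom-Spn $_ } | Format-Table ServiceClass, Host, Port, ServiceName, HostIsFqdn -AutoSize
```

The HostIsFqdn flag is worth keeping in a scan: an SPN registered with a short host name is a common cause of "Kerberos works from some clients but not others", because clients that resolve the service by FQDN request a different SPN than the one that was registered.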

 

 

SPN registration

Take the SQL Server service as an example.

Every time SQL Server starts it tries to register its SPN under the account it runs as. In a Windows domain a machine account is allowed to register SPNs for itself by default, but an ordinary domain user account is not. This leads to the following behaviour: if SQL Server starts as "Local System", Kerberos works, because SQL Server registers its SPN on the DC with the machine account; if it starts as a domain user account, Kerberos fails, because the SPN never gets registered (clients then silently fall back to NTLM, which is why the failure is easy to miss).

One solution is to register the SPN manually with setspn -S. That is not the best approach, because a manual registration is not a permanent fix: if the SPN is lost again it has to be registered again by hand. A better approach is to let the account SQL Server runs as register its own SPN: on the DC, grant that domain account the "Read servicePrincipalName" and "Write servicePrincipalName" permissions on its own account object.
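The following is an added example (not from the original post) of granting exactly that permission with the ActiveDirectory PowerShell module. It assumes the SQL Server service account is 'tsvc' in the current domain, that RSAT's ActiveDirectory module is installed, and that it runs as an account allowed to change the service account's ACL.

```powershell
# Added example: give the service account read/write on its own servicePrincipalName
# attribute so SQL Server can register its SPN at startup. Account name is an assumption.
Import-Module ActiveDirectory

$svcAccount = Get-ADUser -Identity 'tsvc'          # assumed service account
$sid        = [System.Security.Principal.SecurityIdentifier]$svcAccount.SID

# Look up the schemaIDGUID of servicePrincipalName from the schema instead of hard-coding it
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
$spnGuid  = [guid]$spnAttr.schemaIDGUID

# Allow the account to read and write ONLY this attribute, ONLY on its own object
$path   = "AD:\$($svcAccount.DistinguishedName)"
$acl    = Get-Acl -Path $path
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $spnGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: exactly one attribute-scoped ACE for the account, nothing broader
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$($svcAccount.SamAccountName)" -and $_.ObjectType -eq $spnGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize

# After restarting the SQL Server service the SPN should appear under the account:
#   setspn -L tsvc
```

Scope this to the single service account rather than a group: WriteProperty on servicePrincipalName lets the holder write any SPN value, not only ones for its own host, so an account with this right on many objects could register SPNs that redirect Kerberos tickets for other services to itself.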

 

 

 

setspn

setspn is a Windows built-in binary for reading and changing the mapping between accounts and services: it can add, delete and list SPN registrations.

Here the SPN for the MSSQL service is registered on my DC against the service account tsvc:

setspn -A MSSQLSvc/DC-1.qing.com:1433 tsvc

Note that -A adds the SPN without checking whether it is already registered on another account, and a duplicate SPN breaks Kerberos for both accounts. Prefer setspn -S, which refuses to add a duplicate, and use setspn -X to find duplicates already present in the domain.

After registration, the registered SPNs can be listed with either of the following two commands (setspn -L tsvc shows only the SPNs held by one account):

setspn -Q */*
setspn -T DC-1.qing.com -Q */*

Note that the host in the SPN is written as the machine's FQDN.

 

 

 

 

0x03 SPN scanning

The SPN scanning script for MSSQL (Discover-PSMSSQLServers from Sean Metcalf's PowerShell-AD-Recon) is attached below:

function Discover-PSMSSQLServers
{

<#
.SYNOPSIS
This script is used to discover Microsoft SQL servers without port scanning.
SQL discovery in the Active Directory Forest is performed by querying an Active Directory Global Catalog via ADSI.

Discover-PSMSSQLServers
Author: Sean Metcalf, Twitter: @PyroTek3
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

Last Updated: 2/04/2015
Version: 2.3

.DESCRIPTION
This script is used to discover Microsoft SQL servers in the Active Directory Forest.

Currently, the script performs the following actions:
    * Queries a Global Catalog in the Active Directory root domain for all Microsoft SQL SPNs in the forest
    * Displays the Microsoft SQL server FQDNs ports and instances
    * Identifies any service accounts associated with the SQL instance and includes the account info 

REQUIRES: Active Directory user authentication. Standard user access is fine - admin access is not necessary.

.EXAMPLE
Discover-PSMSSQLServers
Perform Microsoft SQL Server discovery via AD and returns the results in a custom PowerShell object.

.NOTES
This script is used to discover Microsoft SQL servers in the Active Directory Forest and can also provide additional computer information such as OS and last bootup time.

.LINK
Blog: http://www.ADSecurity.org
Github repo: https://github.com/PyroTek3/PowerShell-AD-Recon


#>

Param
    (

    )

Write-Verbose "Get current Active Directory domain... "
$ADForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ADForestInfoRootDomain = $ADForestInfo.RootDomain
$ADForestInfoRootDomainDN = "DC=" + $ADForestInfoRootDomain -Replace("\.",',DC=')

$ADDomainInfoLGCDN = 'GC://' + $ADForestInfoRootDomainDN

Write-Verbose "Discovering Microsoft SQL Servers in the AD Forest $ADForestInfoRootDomainDN "
$root = [ADSI]$ADDomainInfoLGCDN 
$ADSearcher = new-Object System.DirectoryServices.DirectorySearcher($root,"(serviceprincipalname=mssql*)") 
$ADSearcher.PageSize = 50000
$AllADSQLServerSPNs = $ADSearcher.FindAll() 

$AllADSQLServerSPNsCount = $AllADSQLServerSPNs.Count

Write-Output "Processing $AllADSQLServerSPNsCount (user and computer) accounts with MS SQL SPNs discovered in AD Forest $ADForestInfoRootDomainDN `r "

$AllMSSQLSPNs = $NULL
$AllMSSQLSPNHashTable =@{}
$AllMSSQLServiceAccountHashTable =@{}
ForEach ($AllADSQLServerSPNsItem in $AllADSQLServerSPNs)
    {
        $AllADSQLServerSPNsItemDomainName = $NULL
        [array]$AllADSQLServerSPNsItemArray = $AllADSQLServerSPNsItem.Path -Split(",DC=")
        [int]$DomainNameFECount = 0
        ForEach ($AllADSQLServerSPNsItemArrayItem in $AllADSQLServerSPNsItemArray)
            {
                IF ($DomainNameFECount -gt 0)
                { [string]$AllADSQLServerSPNsItemDomainName += $AllADSQLServerSPNsItemArrayItem + "." }
                $DomainNameFECount++
            }
        $AllADSQLServerSPNsItemDomainName = $AllADSQLServerSPNsItemDomainName.Substring(0,$AllADSQLServerSPNsItemDomainName.Length-1)

        ForEach ($ADSISQLServersItemSPN in $AllADSQLServerSPNsItem.properties.serviceprincipalname)
            {
                IF ( ($ADSISQLServersItemSPN -like "MSSQL*") -AND ($ADSISQLServersItemSPN -like "*:*") )
                    { 
                        # Split "MSSQLSvc/host.fqdn:port-or-instance" into host and port/instance first,
                        # so that the service-account lookup below is keyed on THIS SPN's host
                        $ADSISQLServersItemSPNArray1 = $ADSISQLServersItemSPN -Split("/")
                        $ADSISQLServersItemSPNArray2 = $ADSISQLServersItemSPNArray1 -Split(":")
                        [string]$ADSISQLServersItemSPNServerFQDN = $ADSISQLServersItemSPNArray2[1]
                        IF ($ADSISQLServersItemSPNServerFQDN -notlike "*$AllADSQLServerSPNsItemDomainName*" )
                            { $ADSISQLServersItemSPNServerFQDN = $ADSISQLServersItemSPNServerFQDN + "." + $AllADSQLServerSPNsItemDomainName }
                        [string]$AllMSSQLSPNsItemServerInstancePort = $ADSISQLServersItemSPNArray2[2]

                        # If the SPN is held by a user object (not a computer), remember that service account for this server
                        IF ($AllADSQLServerSPNsItem.properties.objectcategory -like "CN=Person*")
                            {
                                $AllMSSQLServiceAccountHashTable.Set_Item($ADSISQLServersItemSPNServerFQDN,[string]$AllADSQLServerSPNsItem.properties.distinguishedname)
                            }

                        $AllMSSQLSPNsItemServerName = $ADSISQLServersItemSPNServerFQDN -Replace(("."+ $AllADSQLServerSPNsItemDomainName),"")

                        # Collect every port/instance seen for the server FQDN, ';'-separated
                        $AllMSSQLSPNHashTableData = $AllMSSQLSPNHashTable.Get_Item($ADSISQLServersItemSPNServerFQDN)
                        IF ( ($AllMSSQLSPNHashTableData) -AND ($AllMSSQLSPNHashTableData -notlike "*$AllMSSQLSPNsItemServerInstancePort*") )
                            {
                                $AllMSSQLSPNHashTableDataUpdate = $AllMSSQLSPNHashTableData + ";" + $AllMSSQLSPNsItemServerInstancePort
                                $AllMSSQLSPNHashTable.Set_Item($ADSISQLServersItemSPNServerFQDN,$AllMSSQLSPNHashTableDataUpdate)  
                            }
                          ELSE 
                            { $AllMSSQLSPNHashTable.Set_Item($ADSISQLServersItemSPNServerFQDN,$AllMSSQLSPNsItemServerInstancePort) }
                    } 
            }
    }

###
Write-Verbose "Loop through the discovered MS SQL SPNs and build the report " 
###
$ALLSQLServerReport = @()
#$AllMSSQLServerFQDNs = $NULL
ForEach ($AllMSSQLSPNsItem in $AllMSSQLSPNHashTable.GetEnumerator())
    {
        $AllMSSQLSPNsItemServerDomainName = $NULL
        $AllMSSQLSPNsItemServerDomainDN = $NULL
        $AllMSSQLSPNsItemServiceAccountDN = $NULL
        $AllMSSQLSPNsItemServiceAccountDomainDN = $NULL

        $AllMSSQLSPNsItemServerFQDN =  $AllMSSQLSPNsItem.Name
        #[array]$AllMSSQLServerFQDNs += $AllMSSQLSPNsItemServerFQDN
        $AllMSSQLSPNsItemInstancePortArray = ($AllMSSQLSPNsItem.Value) -Split(';')

        $AllMSSQLSPNsItemServerFQDNArray = $AllMSSQLSPNsItemServerFQDN -Split('\.')
        [int]$FQDNArrayFECount = 0
        ForEach ($AllMSSQLSPNsItemServerFQDNArrayItem in $AllMSSQLSPNsItemServerFQDNArray)
            {
                IF ($FQDNArrayFECount -ge 1)
                    { 
                        [string]$AllMSSQLSPNsItemServerDomainName += $AllMSSQLSPNsItemServerFQDNArrayItem + "." 
                        [string]$AllMSSQLSPNsItemServerDomainDN += "DC=" + $AllMSSQLSPNsItemServerFQDNArrayItem + "," 
                    }
                $FQDNArrayFECount++
            }

        $AllMSSQLSPNsItemServerDomainName = $AllMSSQLSPNsItemServerDomainName.Substring(0,$AllMSSQLSPNsItemServerDomainName.Length-1)
        $AllMSSQLSPNsItemServerDomainDN = $AllMSSQLSPNsItemServerDomainDN.Substring(0,$AllMSSQLSPNsItemServerDomainDN.Length-1)
        $AllMSSQLSPNsItemServerDomainLDAPDN = "LDAP://$AllMSSQLSPNsItemServerDomainDN"

        $AllMSSQLSPNsItemServerName = $AllMSSQLSPNsItemServerFQDN -Replace(("."+$AllMSSQLSPNsItemServerDomainName),"")

        $AllMSSQLSPNsItemServiceAccountDN = $AllMSSQLServiceAccountHashTable.Get_Item($AllMSSQLSPNsItemServerFQDN)
            IF ($AllMSSQLSPNsItemServiceAccountDN)
                {
                    $ADServiceAccountSearchInfo = @()
                    $AllMSSQLSPNsItemServiceAccountDNArray = $AllMSSQLSPNsItemServiceAccountDN -Split(",")
                    ForEach ($AllMSSQLSPNsItemServiceAccountDNArrayItem in $AllMSSQLSPNsItemServiceAccountDNArray)
                        {
                            IF ($AllMSSQLSPNsItemServiceAccountDNArrayItem -like 'DC=*')
                                { [string]$AllMSSQLSPNsItemServiceAccountDomainDN += "$AllMSSQLSPNsItemServiceAccountDNArrayItem," }

                        }
                    $AllMSSQLSPNsItemServiceAccountDomainDN = $AllMSSQLSPNsItemServiceAccountDomainDN.Substring(0,$AllMSSQLSPNsItemServiceAccountDomainDN.Length-1)

                    $AllMSSQLSPNsItemServiceAccountDomainLDAPDN = "LDAP://$AllMSSQLSPNsItemServiceAccountDomainDN"

                    $ADServiceAccountSearch = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
                    $ADServiceAccountSearch.SearchRoot = $AllMSSQLSPNsItemServiceAccountDomainLDAPDN
                    $ADServiceAccountSearch.PageSize = 50000
                    $ADServiceAccountSearch.Filter = "distinguishedname=$AllMSSQLSPNsItemServiceAccountDN"
                    $ADServiceAccountSearchInfo = $ADServiceAccountSearch.FindAll() 
                    
                    IF ($ADServiceAccountSearchInfo)
                        {  
                            [string]$ADServiceAccountSAMAccountName = $ADServiceAccountSearchInfo[0].Properties.samaccountname
                            [string]$ADServiceAccountdescription = $ADServiceAccountSearchInfo[0].Properties.description
                            [string]$ADServiceAccountpwdlastset = $ADServiceAccountSearchInfo[0].Properties.pwdlastset
                             [string]$ADServiceAccountPasswordLastSetDate = [datetime]::FromFileTimeUTC($ADServiceAccountpwdlastset)
                            [string]$ADServiceAccountlastlogon = $ADServiceAccountSearchInfo[0].Properties.lastlogon
                             [string]$ADServiceAccountLastLogonDate = [datetime]::FromFileTimeUTC($ADServiceAccountlastlogon)

                             $ADServiceAccountadmincount = $ADServiceAccountSearchInfo[0].Properties.admincount
                             
                             [string]$ADServiceAccountDistinguishedName = $ADServiceAccountSearchInfo[0].Properties.distinguishedname
                        }
                    $ADServiceAccountLDAPDN = "LDAP://"+$ADServiceAccountDistinguishedName
                     $ADServiceAccountInfo = ([adsi] $ADServiceAccountLDAPDN)
                    
                }
        ForEach ($AllMSSQLSPNsItemInstancePortArrayItem in $AllMSSQLSPNsItemInstancePortArray)
            {
                $AllMSSQLSPNsItemServerPort = $NULL
                $AllMSSQLSPNsItemServerInstance = $NULL

                $SQLServerReport = New-Object -TypeName System.Object 
                $SQLServerReport | Add-Member -MemberType NoteProperty -Name Domain -Value $AllMSSQLSPNsItemServerDomainName
                $SQLServerReport | Add-Member -MemberType NoteProperty -Name ServerName -Value $AllMSSQLSPNsItemServerFQDN

                IF ($AllMSSQLSPNsItemInstancePortArrayItem -match "^[\d\.]+$")
                    { [int]$AllMSSQLSPNsItemServerPort = $AllMSSQLSPNsItemInstancePortArrayItem }
                IF ($AllMSSQLSPNsItemInstancePortArrayItem -NOTmatch "^[\d\.]+$")
                    { [string]$AllMSSQLSPNsItemServerInstance = $AllMSSQLSPNsItemInstancePortArrayItem } 
        
                $SQLServerReport | Add-Member -MemberType NoteProperty -Name Port -Value $AllMSSQLSPNsItemServerPort
                $SQLServerReport | Add-Member -MemberType NoteProperty -Name Instance -Value $AllMSSQLSPNsItemServerInstance
                $SQLServerReport | Add-Member -MemberType NoteProperty -Name ServiceAccountDN -Value $AllMSSQLSPNsItemServiceAccountDN

                TRY
                    {
                        $ADComputerSearch = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
                        $ADComputerSearch.SearchRoot = $AllMSSQLSPNsItemServerDomainLDAPDN
                        $ADComputerSearch.PageSize = 50000
                        $ADComputerSearch.Filter = "(&(objectCategory=Computer)(name=$AllMSSQLSPNsItemServerName))"
                        $ADComputerSearchInfo = $ADComputerSearch.FindAll()
                        
                        [string]$ComputerADInfoLastLogonTimestamp = ($ADComputerSearchInfo[0].properties.lastlogontimestamp)
                        TRY { [datetime]$ComputerADInfoLLT = [datetime]::FromFileTime($ComputerADInfoLastLogonTimestamp) }
                            CATCH { }
                        
                        #$ComputerADInfo.Values

                        $SQLServerReport | Add-Member -MemberType NoteProperty -Name OperatingSystem -Value ($ADComputerSearchInfo[0].properties.operatingsystem)
                        $SQLServerReport | Add-Member -MemberType NoteProperty -Name OSServicePack -Value ($ADComputerSearchInfo[0].properties.operatingsystemservicepack)
                        $SQLServerReport | Add-Member -MemberType NoteProperty -Name LastBootup -Value $ComputerADInfoLLT  
                        $SQLServerReport | Add-Member -MemberType NoteProperty -Name OSVersion -Value ($ADComputerSearchInfo[0].properties.operatingsystemversion)
                        $SQLServerReport | Add-Member -MemberType NoteProperty -Name Description -Value ($ADComputerSearchInfo[0].properties.description)
                    }
                  CATCH { } 

                IF ($AllMSSQLSPNsItemServiceAccountDN)
                    {
                        $SQLServerReport | Add-Member -MemberType NoteProperty -Name SrvAcctUserID -Value $ADServiceAccountSAMAccountName
                        $SQLServerReport | Add-Member -MemberType NoteProperty -Name SrvAcctDescription -Value $ADServiceAccountdescription
                        #$SQLServerReport | Add-Member -MemberType NoteProperty -Name SrvAcctPasswordLastSet -Value $ADServiceAccountPasswordLastSetDate
                        #$SQLServerReport | Add-Member -MemberType NoteProperty -Name SAadmincount -Value $ADServiceAccountadmincount
                    }

                [array]$ALLSQLServerReport += $SQLServerReport
            }
    } 

# Find all SQL service account that may be a domain-level admin in the domain
# $ALLSQLServerReport | Where {$_.SAadmincount -eq 1} | select ServerName,SrvAcctUserID,SrvAcctPasswordLastSet,SrvAcctDescription | sort SrvAcctUserID -unique | format-table -auto
return $ALLSQLServerReport

} 

 

Common SPN scanning tools are listed below:

Because every service that uses Kerberos authentication must have its SPN registered in AD, querying SPNs is a perfect way to collect information about the environment without a port scan.

PowerShell-AD-Recon

In addition to the tools developed by Tim Medin, Sean Metcalf has developed several PowerShell scripts for Kerberos reconnaissance. They are part of the PowerShell-AD-Recon repository and can query Active Directory for services such as Exchange, Microsoft SQL and Terminal Services. Each of Sean's scripts is bound to a particular service, depending on the SPN you want to find; the script above identifies all Microsoft SQL instances on the network.
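Since each PowerShell-AD-Recon script is bound to one service class, here is an added example (my own code, not from PowerShell-AD-Recon or the original post) of a generic SPN scan over ADSI/LDAP that takes the service class as a parameter and can restrict the results to user accounts holding SPNs, which is the same user-with-SPN query that Kerberoasting tooling such as GetUserSPNs relies on. It needs a domain-joined session; the LDAP search root and domain name in the usage lines are assumptions.

```powershell
# Added example: generic SPN scan of the current domain via DirectorySearcher.
# -ServiceClass filters on the SPN prefix (MSSQLSvc, TERMSERV, exchangeMDB, ...).
# -UsersOnly keeps only user accounts with SPNs, i.e. Kerberoasting candidates.
# Any authenticated domain user can run this; no admin rights are required.
function Find-Spn {
    [CmdletBinding()]
    param(
        [string]$ServiceClass = '*',
        [switch]$UsersOnly,
        [string]$SearchRoot = ''       # e.g. 'LDAP://DC=qing,DC=com' (assumed); '' = current domain
    )

    # samAccountType 805306368 = normal user account objects (excludes computer accounts)
    $filter = if ($UsersOnly) {
        "(&(samAccountType=805306368)(servicePrincipalName=$ServiceClass/*))"
    } else {
        "(servicePrincipalName=$ServiceClass/*)"
    }

    $root     = if ($SearchRoot) { [ADSI]$SearchRoot } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = 1000          # paged search: a DC returns at most 1000 entries per page
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname','serviceprincipalname','objectcategory','pwdlastset','admincount'))

    # First value of a result property, or $null when the attribute is not set on the object
    function Get-FirstValue($props, $name) {
        $v = $props[$name]
        if ($v -and $v.Count -gt 0) { $v[0] } else { $null }
    }

    foreach ($entry in $searcher.FindAll()) {
        $p = $entry.Properties
        foreach ($spn in $p['serviceprincipalname']) {
            # An object can hold many SPNs; emit one row per SPN that matches the requested class
            if ($spn -notlike "$ServiceClass/*") { continue }
            $class, $rest    = $spn -split '/', 2
            $hostPort        = ($rest -split '/', 2)[0]
            $hostName, $port = $hostPort -split ':', 2
            $pwd = Get-FirstValue $p 'pwdlastset'
            [pscustomobject]@{
                Account      = [string](Get-FirstValue $p 'samaccountname')
                IsUser       = ([string](Get-FirstValue $p 'objectcategory')) -like 'CN=Person*'
                AdminCount   = [int](Get-FirstValue $p 'admincount')    # 1 = member of a protected (admin) group
                PwdLastSet   = if ($pwd) { [datetime]::FromFileTime([int64]$pwd) } else { $null }
                ServiceClass = $class
                Host         = $hostName
                Port         = $port
                Spn          = $spn
            }
        }
    }
}

# Usage (domain and host names are assumptions):
#   Find-Spn -ServiceClass MSSQLSvc | Format-Table Host, Port, Account -AutoSize
#   Find-Spn -UsersOnly | Sort-Object Account -Unique | Format-Table Account, AdminCount, PwdLastSet, Spn -AutoSize
```

For a defender the same query is the inventory to review: every row with IsUser set is an account whose password strength is the only thing protecting the ticket, and a row with AdminCount 1 and an old PwdLastSet is the first one a Kerberoaster will crack.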

Reference:

http://en.hackdig.com/?17699.htm

GetUserSPNs:

GetUserSPNs is a PowerShell script from the Kerberoast toolset that queries the SPNs registered to user accounts in the domain.

Viewing the SPNs of the current domain qing.com:

 

PowerView:

PowerView is a PowerShell script developed by Will Schroeder (https://twitter.com/harmj0y) and integrated into PowerSploit and Empire. Compared with the tools above, PowerView returns its results grouped by the objectsid of the different user objects, so the information it returns is more detailed.

 

Viewing the SPNs of the current domain qing.com:

That is all for now; I will add more when I have time.

 

Source: www.cnblogs.com/-qing-/p/11416026.html