Credential injection
Once we have found a credential, how do we make use of it?
Runas can help with this.
When we have an AD credential, we can run Runas on the target to inject the credential into memory:
```
runas.exe /netonly /user:<domain>\<username> cmd.exe
```
- /netonly : the credential is used only for network authentication and is not validated locally, so it also works from a host that is not joined to the domain
- /user : the domain and user name to use
- cmd.exe : the program to run after the credential has been injected
Verification
After logging in with the supplied password, how do we verify that the credential actually works? The most reliable method is to list SYSVOL, since any AD account can read the contents of the SYSVOL share.
```
C:\Tools>dir \\za.tryhackme.com\SYSVOL
 Volume in drive \\za.tryhackme.com\SYSVOL is Windows
 Volume Serial Number is 1634-22A9

 Directory of \\za.tryhackme.com\SYSVOL

02/24/2022  09:57 PM    <DIR>          .
02/24/2022  09:57 PM    <DIR>          ..
02/24/2022  09:57 PM    <JUNCTION>     za.tryhackme.com [C:\Windows\SYSVOL\domain]
               0 File(s)              0 bytes
               3 Dir(s)  51,835,408,384 bytes free
```
Enumeration via MMC
:::info GUI approach; tedious, and not broadly applicable
:::
TryHackMe | Enumerating Active Directory
Using CMD
CMD has a built-in command, net, that helps us enumerate AD.
:::info Official documentation for the Net command
:::
Users
```
C:\>net user /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User accounts for \\THMDC
-------------------------------------------------------------------------------
aaron.conway             aaron.hancock            aaron.harris
aaron.johnson            aaron.lewis              aaron.moore
aaron.patel              aaron.smith              abbie.joyce
abbie.robertson          abbie.taylor             abbie.walker
abdul.akhtar             abdul.bates              abdul.holt
abdul.jones              abdul.wall               abdul.west
abdul.wilson             abigail.cox              abigail.cox1
abigail.smith            abigail.ward             abigail.wheeler
[....]
The command completed successfully.
```
```
C:\>net user zoe.marshall /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User name                    zoe.marshall
Full Name                    Zoe Marshall
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/24/2022 10:06:06 PM
Password expires             Never
Password changeable          2/24/2022 10:06:06 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Internet Access
The command completed successfully.
```
Groups
```
C:\>net group /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group Accounts for \\THMDC
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
[...]
*Schema Admins
*Server Admins
*Tier 0 Admins
*Tier 1 Admins
*Tier 2 Admins
The command completed successfully.
```
```
C:\>net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group name     Tier 1 Admins
Comment

Members
-------------------------------------------------------------------------------
t1_arthur.tyler          t1_gary.moss             t1_henry.miller
t1_jill.wallis           t1_joel.stephenson       t1_marian.yates
t1_rosie.bryant
The command completed successfully.
```
Password policy
```
C:\>net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
```
Using PowerShell
:::info Official AD-RSAT documentation
:::
Users
```
PS C:\> Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *

AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
[...]
Deleted                              :
Department                           : Consulting
Description                          :
DisplayName                          : Gordon Stevens
DistinguishedName                    : CN=gordon.stevens,OU=Consulting,OU=People,DC=za,DC=tryhackme,DC=com
[...]
```
- Identity : the account name being enumerated
- Server : the DC to query
- Properties : which properties to display
Groups
```
PS C:\> Get-ADGroup -Identity Administrators -Server za.tryhackme.com

DistinguishedName : CN=Administrators,CN=Builtin,DC=za,DC=tryhackme,DC=com
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : f4d1cbcd-4a6f-4531-8550-0394c3273c4f
SamAccountName    : Administrators
SID               : S-1-5-32-544
```
```
PS C:\> Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com

distinguishedName : CN=Domain Admins,CN=Users,DC=za,DC=tryhackme,DC=com
name              : Domain Admins
objectClass       : group
objectGUID        : 8a6186e5-e20f-4f13-b1b0-067f3326f67c
SamAccountName    : Domain Admins
SID               : S-1-5-21-3330634377-1326264276-632209373-512

[...]

distinguishedName : CN=Administrator,CN=Users,DC=za,DC=tryhackme,DC=com
name              : Administrator
objectClass       : user
objectGUID        : b10fe384-bcce-450b-85c8-218e3c79b30f
SamAccountName    : Administrator
SID               : S-1-5-21-3330634377-1326264276-632209373-500
```
Domain
View information about a specific domain:
```
PS C:\> Get-ADDomain -Server za.tryhackme.com

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=za,DC=tryhackme,DC=com
DeletedObjectsContainer            : CN=Deleted Objects,DC=za,DC=tryhackme,DC=com
DistinguishedName                  : DC=za,DC=tryhackme,DC=com
DNSRoot                            : za.tryhackme.com
DomainControllersContainer         : OU=Domain Controllers,DC=za,DC=tryhackme,DC=com
[...]
UsersContainer                     : CN=Users,DC=za,DC=tryhackme,DC=com
```
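As an added example that is not part of the original notes or of TryHackMe's material, the following PowerShell script turns two of the checks above (the domain password policy from `net accounts /domain`, and privileged group membership from `Get-ADGroupMember`) into a defensive audit using the same AD-RSAT module. It assumes the `ActiveDirectory` module is installed and the account can read the domain; `$Server`, `$PrivilegedGroups` and the baseline thresholds are placeholders and assumptions, not values from the page.

```powershell
# Added example, not from the original notes. Audits the domain password policy and
# privileged group membership with the AD-RSAT module; the server, the group names
# and the baseline values are assumptions to adapt to your own environment.
Import-Module ActiveDirectory
$Server = 'za.tryhackme.com'   # DC from the notes; replace with yours
$PrivilegedGroups = @('Domain Admins', 'Administrators', 'Tier 0 Admins', 'Tier 1 Admins')

function Test-DomainPasswordPolicy {
    param([string]$Server)
    $p = Get-ADDefaultDomainPasswordPolicy -Server $Server
    $findings = @()
    # The net accounts output above shows length 0, no history and no lockout;
    # each check below flags that kind of setting against an assumed baseline.
    if ($p.MinPasswordLength -lt 14) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), baseline 14"
    }
    if (-not $p.ComplexityEnabled) { $findings += 'ComplexityEnabled is false' }
    if ($p.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), baseline 24"
    }
    # A MaxPasswordAge of 00:00:00 is how the cmdlet reports 'Unlimited'
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += 'MaxPasswordAge is unlimited' }
    # A LockoutThreshold of 0 is how the cmdlet reports 'Never'
    if ($p.LockoutThreshold -eq 0) { $findings += 'LockoutThreshold is 0 (no lockout)' }
    return $findings
}

function Get-PrivilegedGroupReport {
    param([string]$Server, [string[]]$Groups)
    foreach ($g in $Groups) {
        # -Recursive expands nesting, so Domain Admins sitting inside Administrators
        # (as in the Get-ADGroupMember output above) still yields its user members
        Get-ADGroupMember -Identity $g -Server $Server -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Server $Server `
                                -Properties PasswordNeverExpires, LastLogonDate
                [pscustomobject]@{
                    Group                = $g
                    User                 = $u.SamAccountName
                    Enabled              = $u.Enabled
                    PasswordNeverExpires = $u.PasswordNeverExpires
                    LastLogonDate        = $u.LastLogonDate
                }
            }
    }
}

Test-DomainPasswordPolicy -Server $Server
Get-PrivilegedGroupReport -Server $Server -Groups $PrivilegedGroups | Format-Table -AutoSize
```

Run it from a host with RSAT and an account that can read the domain; an empty findings list and a short, fully enabled, recently active member list are what a healthy domain should return.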
BloodHound
We can use BloodHound for AD enumeration; almost any AD attack engagement ends up using this tool.
LDAP enumeration
389, 636, 3268, 3269 - Pentesting LDAP - HackTricks
PowerView
PowerView cheat sheet
```
# Use powershell -ep bypass to get around the PowerShell execution policy
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator>
```
WMI enumeration
Offensive WMI - Active Directory Enumeration (Part 5)
