hacktricks/windows-hardening/active-directory-methodology/dcsync.md

11 KiB
Raw Blame History

DCSync


使用Trickest可以轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。
立即获取访问权限:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

DCSync

DCSync权限意味着对域本身具有以下权限:DS-Replication-Get-ChangesReplicating Directory Changes AllReplicating Directory Changes In Filtered Set

关于DCSync的重要说明

  • DCSync攻击模拟域控制器的行为并要求其他域控制器使用目录复制服务远程协议MS-DRSR复制信息。由于MS-DRSR是Active Directory的有效和必要功能因此无法关闭或禁用它。
  • 默认情况下,只有域管理员、企业管理员、管理员和域控制器组具有所需的特权。
  • 如果任何帐户密码使用可逆加密存储Mimikatz中有一个选项可以返回明文密码。

枚举

使用powerview检查具有这些权限的用户:

Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

本地利用

Exploit Locally本地利用是一种攻击方法旨在利用本地访问权限来获取目标系统上的敏感信息。在Active Directory环境中一种常见的本地利用方法是使用DCSync攻击。

DCSync攻击

DCSync攻击是一种利用Active Directory域控制器DC的特权来提取目标用户凭据的攻击方法。通过模拟域控制器的行为攻击者可以获取目标用户的NTLM哈希值从而进一步获取其明文密码。

以下是DCSync攻击的步骤

  1. 获取域控制器的访问权限攻击者需要获得域控制器的本地管理员或域管理员权限以执行DCSync攻击。

  2. 使用Mimikatz工具攻击者使用Mimikatz工具来执行DCSync攻击。Mimikatz是一款强大的密码提取工具可以从域控制器中提取目标用户的凭据。

  3. 提取目标用户凭据攻击者使用Mimikatz的DCSync模块来模拟域控制器的行为并提取目标用户的NTLM哈希值。

  4. 破解NTLM哈希值攻击者可以使用各种破解工具来破解目标用户的NTLM哈希值从而获取其明文密码。

DCSync攻击是一种非常有效的攻击方法因为它允许攻击者在目标系统上获取域用户的凭据从而进一步扩大攻击面。因此在保护Active Directory环境时应采取适当的措施来防止DCSync攻击的发生。

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

远程利用

DCSync is a technique that allows an attacker to impersonate a domain controller and request the replication of password data from the targeted domain controller. This technique can be used remotely to extract password hashes from the Active Directory database without the need for administrative privileges.

To exploit DCSync remotely, the attacker needs to have network access to the targeted domain controller. The attacker can use tools like Mimikatz or Impacket to perform the DCSync attack.

The steps to exploit DCSync remotely are as follows:

  1. Identify the targeted domain controller: The attacker needs to identify the domain controller that they want to impersonate and extract password data from.

  2. Obtain the domain controller's NTLM hash: The attacker needs to obtain the NTLM hash of the domain controller's computer account. This can be done by dumping the LSASS process memory or by using other techniques like Pass-the-Hash.

  3. Generate a fake domain controller: The attacker needs to generate a fake domain controller using tools like Mimikatz or Impacket. This involves creating a fake domain controller object in memory and configuring it to respond to DCSync requests.

  4. Impersonate the domain controller: The attacker needs to impersonate the targeted domain controller by injecting the fake domain controller object into the LSASS process memory. This can be done using techniques like process injection or by exploiting vulnerabilities in the LSASS process.

  5. Request password data replication: Once the attacker has successfully impersonated the domain controller, they can use the DCSync command to request the replication of password data from the targeted domain controller. This command can be executed using tools like Mimikatz or Impacket.

  6. Extract password hashes: After the replication request is made, the targeted domain controller will send the password hashes to the attacker's fake domain controller. The attacker can then extract the password hashes from the fake domain controller and use them for further attacks like password cracking or pass-the-hash.

It is important to note that exploiting DCSync remotely requires advanced knowledge of Active Directory and network security. It is also considered an unauthorized activity and should only be performed in controlled environments with proper authorization.

secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
[-just-dc-user <USERNAME>] #To get only of that user
[-pwd-last-set] #To see when each account's password was last changed
[-history] #To dump password history, may be helpful for offline password cracking

-just-dc 生成3个文件

  • 一个包含NTLM哈希值的文件
  • 一个包含Kerberos密钥的文件
  • 一个包含启用了可逆加密的NTDS中的明文密码的文件。您可以使用以下命令获取启用了可逆加密的用户
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

持久性

如果您是域管理员,可以使用powerview将此权限授予任何用户:

Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose

然后,您可以检查用户是否正确分配了3个权限,通过在输出中查找它们(您应该能够在"ObjectType"字段中看到权限的名称):

Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}

缓解措施

  • 安全事件ID 4662必须启用对象的审核策略- 对象上执行了一个操作
  • 安全事件ID 5136必须启用对象的审核策略- 修改了目录服务对象
  • 安全事件ID 4670必须启用对象的审核策略- 更改了对象的权限
  • AD ACL Scanner - 创建和比较ACL的创建报告。https://github.com/canix1/ADACLScanner

参考资料

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥


使用Trickest可以轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。
立即获取访问权限:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}