# Active Directory Methodology
{{#include ../../banners/hacktricks-training.md}}
## Basic overview

Active Directory serves as a foundational technology, enabling network administrators to efficiently create and manage domains, users, and objects within a network. It is engineered to scale, facilitating the organisation of an extensive number of users into manageable groups and subgroups, while controlling access rights at various levels.

The structure of Active Directory is comprised of three primary layers: domains, trees, and forests. A domain encompasses a collection of objects, such as users or devices, sharing a common database. Trees are groups of these domains linked by a shared structure, and a forest represents the collection of multiple trees, interconnected through trust relationships, forming the topmost layer of the organisational structure. Specific access and communication rights can be designated at each of these levels.

Key concepts within Active Directory include:

- Directory: holds all information about Active Directory objects.
- Object: denotes entities within the directory, including users, groups, or shared folders.
- Domain: serves as a container for directory objects; multiple domains can coexist within a forest, each maintaining its own object collection.
- Tree: a group of domains that share a common root domain.
- Forest: the pinnacle of the organisational structure in Active Directory, composed of several trees with trust relationships among them.

**Active Directory Domain Services (AD DS)** encompasses a range of services critical for centralised management and communication within a network. These services comprise:

- Domain Services: centralises data storage and manages interactions between users and domains, including authentication and search functionalities.
- Certificate Services: oversees the creation, distribution, and management of secure digital certificates.
- Lightweight Directory Services: supports directory-enabled applications through the LDAP protocol.
- Directory Federation Services: provides single-sign-on capabilities to authenticate users across multiple web applications.
- Rights Management: assists in protecting copyright material by regulating its unauthorised distribution and use.
- DNS Service: crucial for the resolution of domain names.

For a more detailed explanation, check TechTerms - Active Directory Definition.
## Kerberos authentication

To learn how to attack an AD you need to understand really well the Kerberos authentication process. Read this page if you still don't know how it works.

## Cheat Sheet

You can visit https://wadcoms.github.io/ to have a quick view of the commands you can run to enumerate/exploit an AD.
## Recon Active Directory (no creds/sessions)

If you just have access to an AD environment but you don't have any credentials/sessions you could:

- Pentest the network:
- Scan the network, find machines and open ports and try to exploit vulnerabilities or extract credentials from them (for example, printers could be very interesting targets).
- Enumerating DNS could give information about key servers in the domain such as web, printers, shares, vpn, media, etc.

```bash
gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt
```

- Take a look at the General Pentesting Methodology to find more information about how to do this.
- Check for null and Guest access on smb services (this won't work on modern Windows versions):

```bash
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>
smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //<DC IP>
```
- A more detailed guide on how to enumerate an SMB server can be found here:
{{#ref}} ../../network-services-pentesting/pentesting-smb/ {{#endref}}
- Enumerate LDAP

```bash
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
```

- A more detailed guide on how to enumerate LDAP can be found here (pay special attention to anonymous access):
{{#ref}} ../../network-services-pentesting/pentesting-ldap.md {{#endref}}
- Poison the network
  - Gather credentials impersonating services with Responder
  - Access hosts by abusing the relay attack
  - Gather credentials exposing fake UPnP services with evil-SSDP
- OSINT:
  - Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environment and also from publicly available information.
  - If you find the complete names of company workers, you could try different AD username conventions (read this: https://activedirectorypro.com/active-directory-user-naming-convention/). The most common conventions are: NameSurname, Name.Surname, NamSur (3 letters of each), Nam.Sur, NSurname, N.Surname, SurnameName, Surname.Name, SurnameN, Surname.N, and 3 random letters plus 3 random numbers (abc123).
  - Tools:
    - w0Tx/generate-ad-username
    - urbanadventurer/username-anarchy
## User enumeration

- Anonymous SMB/LDAP enum: Check the pentesting SMB and pentesting LDAP pages.
- Kerbrute enum: When an invalid username is requested the server will respond using the Kerberos error code _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, allowing us to determine that the username was invalid. Valid usernames will elicit either a TGT in an AS-REP response or the error _KRB5KDC_ERR_PREAUTH_REQUIRED_, indicating that the user is required to perform pre-authentication.

```bash
./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>

msf> use auxiliary/gather/kerberos_enumusers

crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
```

- OWA (Outlook Web Access) server

If you find one of these servers in the network you can also perform user enumeration against it. For example, you could use the tool MailSniper:

```powershell
ipmo C:\Tools\MailSniper\MailSniper.ps1
# Get info about the domain
Invoke-DomainHarvestOWA -ExchHostname [ip]
# Enumerate valid users from a list of potential usernames
Invoke-UsernameHarvestOWA -ExchHostname [ip] -Domain [domain] -UserList .\possible-usernames.txt -OutFile valid.txt
# Password spraying
Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summer2021
# Get addresses list from the compromised mail
Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt
```

> [!WARNING]
> You can find lists of usernames in this GitHub repo and in this one (statistically-likely-usernames).
>
> However, you should have the names of the people working at the company from the recon step you should have performed before this. With the name and surname you could use the script namemash.py to generate potential valid usernames.
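The Kerbrute behaviour described above (an unknown name answered with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, a valid one with KRB5KDC_ERR_PREAUTH_REQUIRED) is also what a defender can key on: one AS-REQ per guessed name means one failed TGT request per name from the same client. The following Python script is an added example, not part of the HackTricks page or of kerbrute. It reads a constructed, simplified rendering of Windows Security event 4768 (TGT request) failures and flags a source that burns through many distinct unknown principals in a short window; the field layout of the sample lines and the status values 0x6 / 0x19 as rendered here are assumptions about the export format, and every log line is constructed.

```python
# Added example (not from the HackTricks page): detect username enumeration
# against the KDC from event 4768 failures. Unknown names fail with status 0x6
# (KDC_ERR_C_PRINCIPAL_UNKNOWN); existing names that need pre-auth answer 0x19.
# The lines below are a constructed, simplified rendering of 4768 fields.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4768 account=jsmith client=10.10.14.5 status=0x0
2024-05-01T09:00:02 4768 account=aaron client=10.10.14.22 status=0x6
2024-05-01T09:00:02 4768 account=abby client=10.10.14.22 status=0x6
2024-05-01T09:00:03 4768 account=adam client=10.10.14.22 status=0x6
2024-05-01T09:00:03 4768 account=admin client=10.10.14.22 status=0x6
2024-05-01T09:00:04 4768 account=alice client=10.10.14.22 status=0x19
2024-05-01T09:00:04 4768 account=alan client=10.10.14.22 status=0x6
2024-05-01T09:00:05 4768 account=bfarmer client=10.10.14.22 status=0x19
2024-05-01T09:01:30 4768 account=mduck client=10.10.14.9 status=0x6
2024-05-01T09:20:00 4768 account=zed client=10.10.14.22 status=0x6
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # the name does not exist
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # the name exists, pre-auth was demanded


def parse_events(text):
    """Turn the constructed 'ts eventid key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, *fields = line.split()
        if event_id != "4768":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        kv["time"] = datetime.fromisoformat(ts)
        events.append(kv)
    return events


def find_enumeration(events, window=timedelta(minutes=5), threshold=3):
    """Return {client_ip: sorted unknown names} for every client that requested
    TGTs for `threshold` or more distinct unknown principals within `window`
    (a sliding window over that client's own failures)."""
    by_client = defaultdict(list)
    for e in events:
        if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_client[e["client"]].append(e)
    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            names = {e["account"] for e in evs[start:end + 1]}
            if len(names) >= threshold:
                alerts.setdefault(client, set()).update(names)
    return {c: sorted(n) for c, n in alerts.items()}


def valid_names_probed(events, client):
    """Names the same client confirmed as existing (0x19): the accounts worth
    watching for follow-up password spraying."""
    return sorted({e["account"] for e in events
                   if e["client"] == client and e["status"] == KDC_ERR_PREAUTH_REQUIRED})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for client, names in find_enumeration(evs).items():
        print(f"{client}: {len(names)} unknown principals {names}; "
              f"valid names seen: {valid_names_probed(evs, client)}")
```

The window and threshold are tuning knobs: a help desk mistyping a name produces one or two 0x6 events, a wordlist produces dozens from one address in seconds. Note that 0x6 is only logged when Kerberos audit failures are enabled on the DCs.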
## Knowing one or several usernames

Ok, so you already know a valid username but no passwords... Then try:

- ASREPRoast: If a user **doesn't have the attribute DONT_REQ_PREAUTH you can request an AS_REP message for that user** that will contain some data encrypted by a derivation of the user's password.
- Password Spraying: Let's try the most common passwords with each of the discovered users; maybe some user is using a bad password (keep in mind the password policy!).
- Note that you can also spray OWA servers to try to get access to the users' mail servers.
{{#ref}} password-spraying.md {{#endref}}
## LLMNR/NBT-NS Poisoning

You might be able to obtain some challenge hashes to crack by poisoning some protocols of the network:
{{#ref}} ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {{#endref}}
## NTLM Relay

If you have managed to enumerate the active directory you will have more emails and a better understanding of the network. You might be able to force NTLM relay attacks to get access to the AD environment.

## Steal NTLM Creds

If you can access other PCs or shares with the null or guest user you could place files (like an SCF file) that, if somehow accessed, will trigger an NTLM authentication against you so you can steal the NTLM challenge to crack it:
{{#ref}} ../ntlm/places-to-steal-ntlm-creds.md {{#endref}}
## Enumerating Active Directory WITH credentials/session

For this phase you need to have compromised the credentials or a session of a valid domain account. If you have some valid credentials or a shell as a domain user, you should remember that the options given before are still options to compromise other users.

Before starting the authenticated enumeration you should know what the Kerberos double hop problem is.
{{#ref}} kerberos-double-hop-problem.md {{#endref}}
## Enumeration

Having compromised an account is a big step to start compromising the whole domain, because you are going to be able to start the Active Directory enumeration:

Regarding ASREPRoast you can now find every possible vulnerable user, and regarding Password Spraying you can get a list of all the usernames and try the password of the compromised account, empty passwords and new promising passwords.

- You could use the CMD to perform a basic recon.
- You can also use PowerShell for recon, which will be stealthier.
- You can also use PowerView to extract more detailed information.
- Another amazing tool for recon in an Active Directory is BloodHound. It is not very stealthy (depending on the collection methods you use), but if you don't care about that, you should totally give it a try. Find where users can RDP, find paths to other groups, etc.
- Other automated AD enumeration tools are: AD Explorer, ADRecon, Group3r, PingCastle.
- DNS records of the AD, as they might contain interesting information.
- A tool with a GUI that you can use to enumerate the directory is AdExplorer.exe from the SysInternals Suite.
- You can also search the LDAP database with ldapsearch to look for credentials in the _userPassword_ and _unixUserPassword_ fields, or even in _Description_. Cf. Password in AD User comment on PayloadsAllTheThings for other methods.
- If you are using Linux, you could also enumerate the domain using pywerview.
- You could also try automated tools such as:
  - tomcarver16/ADSearch
  - 61106960/adPEAS
- Extracting all domain users

It's very easy to obtain all the domain usernames from Windows (`net user /domain`, `Get-DomainUser` or `wmic useraccount get name,sid`). In Linux, you can use `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` or `enum4linux -a -u "user" -p "password" <DC IP>`.

Even if this Enumeration section looks small, this is the most important part of all. Access the links (mainly the ones for cmd, powershell, powerview and BloodHound), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.

## Kerberoast

Kerberoasting involves obtaining TGS tickets used by services tied to user accounts and cracking their encryption, which is based on user passwords, offline.

More about this in:
{{#ref}} kerberoast.md {{#endref}}
## Remote connection (RDP, SSH, FTP, Win-RM, etc)

Once you have obtained some credentials you could check if you have access to any machine. For that matter, you could use CrackMapExec to attempt connecting to several servers with different protocols, according to your port scans.

## Local Privilege Escalation

If you have compromised credentials or a session as a regular domain user and you have access with this user to any machine in the domain, you should try to find your way to escalate privileges locally and loot for credentials. This is because only with local administrator privileges will you be able to dump hashes of other users in memory (LSASS) and locally (SAM).

There is a complete page in this book about local privilege escalation in Windows and a checklist. Also, don't forget to use WinPEAS.

## Current Session Tickets

It's very unlikely that you will find tickets in the current user giving you permission to access unexpected resources, but you could check:

```powershell
## List all tickets (if not admin, only current user tickets)
.\Rubeus.exe triage
## Dump the interesting one by luid
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
```
## NTLM Relay

If you have managed to enumerate the active directory you will have more emails and a better understanding of the network. You might be able to force NTLM relay attacks.

## Look for Creds in Computer Shares

Now that you have some basic credentials you should check if you can find any interesting files being shared inside the AD. You could do that manually, but it's a very boring and repetitive task (even more so if you find hundreds of documents you need to check).

Follow this link to learn about the tools you could use.

## Steal NTLM Creds

If you can access other PCs or shares you could place files (like an SCF file) that, if somehow accessed, will trigger an NTLM authentication against you so you can steal the NTLM challenge to crack it:
{{#ref}} ../ntlm/places-to-steal-ntlm-creds.md {{#endref}}
## CVE-2021-1675/CVE-2021-34527 PrintNightmare

This vulnerability allowed any authenticated user to compromise the domain controller.
{{#ref}} printnightmare.md {{#endref}}
## Privilege escalation on Active Directory WITH privileged credentials/session

For the following techniques a regular domain user is not enough; you need some special privileges/credentials to perform these attacks.

## Hash extraction

Hopefully you have managed to compromise some local admin account using AsRepRoast, Password Spraying, Kerberoast, Responder including relaying, EvilSSDP, or escalating privileges locally.
Then, it's time to dump all the hashes in memory and locally.
Read this page about the different ways to obtain the hashes.

## Pass the Hash

Once you have the hash of a user, you can use it to impersonate them.
You need to use some tool that will perform the NTLM authentication using that hash, or you could create a new sessionlogon and inject that hash inside LSASS, so that when any NTLM authentication is performed, that **hash will be used**. The last option is what mimikatz does.
Read this page for more information.

## Over Pass the Hash/Pass the Key

This attack aims to use the user's NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over the NTLM protocol. Therefore, this could be especially useful in networks where the NTLM protocol is disabled and only Kerberos is allowed as the authentication protocol.
{{#ref}} over-pass-the-hash-pass-the-key.md {{#endref}}
## Pass the Ticket

In the Pass The Ticket (PTT) attack method, attackers steal a user's authentication ticket instead of their password or hash values. This stolen ticket is then used to impersonate the user, gaining unauthorised access to resources and services within a network.
{{#ref}} pass-the-ticket.md {{#endref}}
## Credentials Reuse

If you have the hash or password of a local administrator you should try to log in locally to other PCs with it.

```bash
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
```

> [!WARNING]
> Note that this is quite noisy and LAPS would mitigate it.

## MSSQL Abuse & Trusted Links

If a user has privileges to access MSSQL instances, they could be able to use it to execute commands on the MSSQL host (if running as SA), steal the NetNTLM hash or even perform a relay attack.
Also, if an MSSQL instance is trusted (database link) by a different MSSQL instance and the user has privileges over the trusted database, they are going to be able to use the trust relationship to execute queries in the other instance as well. These trusts can be chained, and at some point the user might be able to find some misconfigured database where they can execute commands.
The links between databases work even across forest trusts.
{{#ref}} abusing-ad-mssql.md {{#endref}}
## Unconstrained Delegation

If you find any Computer object with the attribute ADS_UF_TRUSTED_FOR_DELEGATION and you have domain privileges on the computer, you will be able to dump TGTs from memory of every user that logs in to the computer.
So, if a Domain Admin logs in to the computer, you will be able to dump their TGT and impersonate them using Pass the Ticket.
Thanks to constrained delegation you could even automatically compromise a Print Server (hopefully it will be a DC).
{{#ref}} unconstrained-delegation.md {{#endref}}
## Constrained Delegation

If a user or computer is allowed for "Constrained Delegation" it will be able to impersonate any user to access some services on a computer.
Then, if you compromise the hash of this user/computer you will be able to impersonate any user (even domain admins) to access some services.
{{#ref}} constrained-delegation.md {{#endref}}
## Resource-based Constrained Delegation

Having WRITE privilege on the Active Directory object of a remote computer enables the attainment of code execution with elevated privileges:
{{#ref}} resource-based-constrained-delegation.md {{#endref}}
## ACLs Abuse

The compromised user could have some interesting privileges over some domain objects that could let you move laterally/escalate privileges.
{{#ref}} acl-persistence-abuse/ {{#endref}}
## Printer Spooler service abuse

Discovering a Spool service listening within the domain can be abused to acquire new credentials and escalate privileges.
{{#ref}} printers-spooler-service-abuse.md {{#endref}}
## Third party sessions abuse

If other users access the compromised machine, it's possible to gather credentials from memory and even inject beacons into their processes to impersonate them.
Usually users will access the system via RDP, so here is how to perform a couple of attacks over third party RDP sessions:
{{#ref}} rdp-sessions-abuse.md {{#endref}}
## LAPS

LAPS provides a system for managing the local Administrator password on domain-joined computers, ensuring it's randomised, unique, and frequently changed. These passwords are stored in Active Directory and access is controlled through ACLs to authorised users only. With sufficient permissions to access these passwords, pivoting to other computers becomes possible.
{{#ref}} laps.md {{#endref}}
## Certificate Theft

Gathering certificates from the compromised machine could be a way to escalate privileges inside the environment:
{{#ref}} ad-certificates/certificate-theft.md {{#endref}}
## Certificate Templates Abuse

If vulnerable templates are configured it's possible to abuse them to escalate privileges:
{{#ref}} ad-certificates/domain-escalation.md {{#endref}}
## Post-exploitation with high privilege account

### Dumping Domain Credentials

Once you get Domain Admin or, even better, Enterprise Admin privileges, you can dump the domain database: ntds.dit.
More information about the DCSync attack can be found here.
More information about how to steal the NTDS.dit can be found here.

### Privesc as Persistence

Some of the techniques discussed before can be used for persistence.
For example you could:

- Make users vulnerable to Kerberoast

```powershell
Set-DomainObject -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}
```

- Make users vulnerable to ASREPRoast

```powershell
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
```

- Grant DCSync privileges to a user

```powershell
Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdentity bfarmer -Rights DCSync
```
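The two weakening tricks above (adding an SPN to a user, toggling the 4194304 = 0x400000 DONT_REQ_PREAUTH bit of userAccountControl with `-XOR`) are exactly what a periodic audit should look for, and the ASREPRoast section earlier in this page turns on the same bit. The following Python script is an added example, not from the HackTricks page and not PowerView: it decodes userAccountControl on constructed sample user records, reports accounts exposed to ASREPRoast or Kerberoast, and models the XOR toggle so the reader can see why running the same command twice removes the exposure again. The sample records, including the reuse of the name bfarmer from the command above, are constructed data, not real directory output.

```python
# Added example (not from the HackTricks page): audit constructed AD user records
# for the two persistence tricks shown above. ASREPRoast exposure is the
# userAccountControl bit DONT_REQ_PREAUTH (0x400000 = 4194304); Kerberoast
# exposure is a servicePrincipalName set on a user account.

DONT_REQ_PREAUTH = 0x400000   # the value the Set-DomainObject -XOR trick flips
ACCOUNTDISABLE = 0x0002
UAC_FLAGS = {                 # the subset of userAccountControl bits used here
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed sample records in the shape of an LDAP user search result.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "bfarmer", "userAccountControl": 0x200 | DONT_REQ_PREAUTH,
     "servicePrincipalName": []},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x202 | DONT_REQ_PREAUTH,
     "servicePrincipalName": ["fake/NOTHING"]},
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_users(users):
    """Return {account: [issues]} for accounts exposed to ASREPRoast or Kerberoast.
    Disabled accounts are still reported but tagged, since the KDC will not issue
    tickets for them until someone re-enables the account."""
    findings = {}
    for u in users:
        uac = u["userAccountControl"]
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("asreproastable")
        if u["servicePrincipalName"]:
            issues.append("kerberoastable")
        if issues and uac & ACCOUNTDISABLE:
            issues = [i + " (disabled)" for i in issues]
        if issues:
            findings[u["sAMAccountName"]] = issues
    return findings


def flags_after_xor(current, mask):
    """Model `-XOR @{UserAccountControl=4194304}`: XOR toggles the bit, so
    applying it to an account that already has it set clears it again."""
    return current ^ mask


if __name__ == "__main__":
    for name, issues in audit_users(SAMPLE_USERS).items():
        print(f"{name}: {', '.join(issues)}")
    print("alice after XOR:", decode_uac(flags_after_xor(0x200, DONT_REQ_PREAUTH)))
```

In a real audit the records would come from an LDAP query for `(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))` and `(servicePrincipalName=*)`; a bit set on an account that has no business reason for it (no legacy client, no service) is the finding.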
## Silver Ticket

The Silver Ticket attack creates a legitimate Ticket Granting Service (TGS) ticket for a specific service by using an NTLM hash (for instance, the hash of the PC account). This method is employed to access the service's privileges.
{{#ref}} silver-ticket.md {{#endref}}
## Golden Ticket

A Golden Ticket attack involves an attacker gaining access to the NTLM hash of the krbtgt account in an Active Directory (AD) environment. This account is special because it's used to sign all **Ticket Granting Tickets (TGTs)**, which are essential for authenticating within the AD network.
Once the attacker obtains this hash, they can create TGTs for any account they choose (Silver ticket attack).
{{#ref}} golden-ticket.md {{#endref}}
## Diamond Ticket

These are like golden tickets forged in a way that bypasses common golden ticket detection mechanisms.
{{#ref}} diamond-ticket.md {{#endref}}
## Certificates Account Persistence

Having certificates of an account or being able to request them is a very good way to persist in the user's account (even if they change the password):
{{#ref}} ad-certificates/account-persistence.md {{#endref}}
## Certificates Domain Persistence

Using certificates it's also possible to persist with high privileges inside the domain:
{{#ref}} ad-certificates/domain-persistence.md {{#endref}}
## AdminSDHolder Group

The AdminSDHolder object in Active Directory ensures the security of privileged groups (like Domain Admins and Enterprise Admins) by applying a standard **Access Control List (ACL)** across these groups to prevent unauthorised changes. However, this feature can be exploited; if an attacker modifies the AdminSDHolder's ACL to give full access to a regular user, that user gains extensive control over all privileged groups. This security measure, meant to protect, can thus backfire, allowing unwarranted access unless closely monitored.
More information about the AdminSDHolder group here.

## DSRM Credentials

Inside every **Domain Controller (DC)**, a local administrator account exists. By obtaining admin rights on such a machine, the local Administrator hash can be extracted using mimikatz. Following this, a registry modification is necessary to enable the use of this password, allowing remote access to the local Administrator account.
{{#ref}} dsrm-credentials.md {{#endref}}
## ACL Persistence

You could give some special permissions to a user over some specific domain objects that will let the user escalate privileges in the future.
{{#ref}} acl-persistence-abuse/ {{#endref}}
## Security Descriptors

Security descriptors are used to store the permissions an object has over another object. If you can just make a little change in the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be a member of a privileged group.
{{#ref}} security-descriptors.md {{#endref}}
## Skeleton Key

Alter LSASS in memory to establish a universal password, granting access to all domain accounts.
{{#ref}} skeleton-key.md {{#endref}}
## Custom SSP

Learn what an SSP (Security Support Provider) is here.
You can create your own SSP to capture in clear text the credentials used to access the machine.
{{#ref}} custom-ssp.md {{#endref}}
## DCShadow

It registers a new Domain Controller in the AD and uses it to push attributes (SIDHistory, SPNs...) on specified objects without leaving any logs regarding the modifications. You need DA privileges and must be inside the root domain.
Note that if you use wrong data, pretty ugly logs will appear.
{{#ref}} dcshadow.md {{#endref}}
## LAPS Persistence

Previously we discussed how to escalate privileges if you have enough permission to read LAPS passwords. However, these passwords can also be used to maintain persistence.
Check:
{{#ref}} laps.md {{#endref}}
## Forest Privilege Escalation - Domain Trusts

Microsoft views the Forest as the security boundary. This implies that compromising a single domain could potentially lead to the entire Forest being compromised.

### Basic Information

A domain trust is a security mechanism that enables a user from one domain to access resources in another domain. It essentially creates a linkage between the authentication systems of the two domains, allowing authentication verifications to flow seamlessly. When domains set up a trust, they exchange and retain specific keys within their **Domain Controllers (DCs)**, which are crucial to the trust's integrity.

In a typical scenario, if a user intends to access a service in a trusted domain, they must first request a special ticket known as an inter-realm TGT from their own domain's DC. This TGT is encrypted with a shared key that both domains have agreed upon. The user then presents this TGT to the DC of the trusted domain to get a service ticket (TGS). Upon successful validation of the inter-realm TGT by the trusted domain's DC, it issues a TGS, granting the user access to the service.

Steps:

- A client computer in Domain 1 starts the process by requesting a **Ticket Granting Ticket (TGT)** from its **Domain Controller (DC1)**.
- DC1 issues a new TGT if the client is authenticated successfully.
- The client then requests an inter-realm TGT from DC1, which is needed to access resources in Domain 2.
- The inter-realm TGT is encrypted with a trust key shared between DC1 and DC2.
- The client takes the inter-realm TGT to **Domain 2's Domain Controller (DC2)**.
- DC2 verifies the inter-realm TGT using the shared trust key and, if valid, issues a **Ticket Granting Service (TGS)** ticket for the server in Domain 2 the client wants to access.
- Finally, the client presents this TGS, which is encrypted with the server's account hash, to the server to get access to the service in Domain 2.

### Different trusts

It's important to notice that a trust can be 1 way or 2 ways. In the 2-way option, both domains trust each other, but in a 1-way trust relationship one of the domains is the trusted domain and the other the trusting domain. In the latter case, you will only be able to access resources inside the trusting domain from the trusted one.

If Domain A trusts Domain B, A is the trusting domain and B is the trusted one. Moreover, in Domain A this would be an Outbound trust, and in Domain B this would be an Inbound trust.

### Different trust relationships

- Parent-Child Trusts: This is a common setup within the same forest, where a child domain automatically has a two-way transitive trust with its parent domain. Essentially, this means that authentication requests can flow seamlessly between the parent and the child.
- Cross-link Trusts: Referred to as "shortcut trusts", these are established between child domains to expedite referral processes. In complex forests, authentication referrals typically have to travel up to the forest root and then down to the target domain. By creating cross-links, the journey is shortened, which is especially beneficial in geographically dispersed environments.
- External Trusts: These are set up between different, unrelated domains and are non-transitive by nature. According to Microsoft's documentation, external trusts are useful for accessing resources in a domain outside of the current forest that isn't connected by a forest trust. Security is enhanced through SID filtering with external trusts.
- Tree-root Trusts: These trusts are automatically established between the forest root domain and a newly added tree root. While not commonly encountered, tree-root trusts are important for adding new domain trees to a forest, enabling them to maintain a unique domain name and ensuring two-way transitivity. More information can be found in Microsoft's guide.
- Forest Trusts: This type of trust is a two-way transitive trust between two forest root domains, also enforcing SID filtering to enhance security measures.
- MIT Trusts: These trusts are established with non-Windows, RFC4120-compliant Kerberos domains. MIT trusts are a bit more specialised and cater to environments requiring integration with Kerberos-based systems outside the Windows ecosystem.

### Other differences in trust relationships

- A trust relationship can also be transitive (A trusts B, B trusts C, then A trusts C) or non-transitive.
- A trust relationship can be set up as a bidirectional trust (both trust each other) or as a one-way trust (only one of them trusts the other).
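As an added example (not from the HackTricks page, and not PowerView code), the Python below encodes the direction and transitivity rules just described and walks them the way a Kerberos referral chain would, reporting which domains a principal of a given domain can reach. The trust records reuse the SourceName/TargetName/TrustAttributes/TrustDirection field names of the Get-DomainTrust output shown later on this page, but the values are constructed sample data, and the script goes beyond the page in chaining several trusts instead of reading one record at a time.

```python
# Added example (not from the HackTricks page): model trust direction and
# transitivity and compute which domains a principal of `home` can reach.
# Records are constructed in the shape of Get-DomainTrust output, read from the
# SourceName side as PowerView prints them: Outbound means SourceName trusts
# TargetName (TargetName is the trusted domain), Inbound the reverse.
from collections import deque

SAMPLE_TRUSTS = [
    {"SourceName": "sub.domain.local", "TargetName": "domain.local",
     "TrustAttributes": "WITHIN_FOREST", "TrustDirection": "Bidirectional"},
    {"SourceName": "domain.local", "TargetName": "partner.local",
     "TrustAttributes": "FOREST_TRANSITIVE", "TrustDirection": "Outbound"},
    {"SourceName": "partner.local", "TargetName": "lab.partner.local",
     "TrustAttributes": "WITHIN_FOREST", "TrustDirection": "Bidirectional"},
    {"SourceName": "domain.local", "TargetName": "vendor.external",
     "TrustAttributes": "", "TrustDirection": "Inbound"},   # external, non-transitive
]

TRANSITIVE = {"WITHIN_FOREST", "FOREST_TRANSITIVE"}


def trusting_edges(trusts):
    """Directed edges (trusting, trusted, transitive): a principal from `trusted`
    may authenticate to resources in `trusting`."""
    edges = []
    for t in trusts:
        src, dst = t["SourceName"], t["TargetName"]
        transitive = t["TrustAttributes"] in TRANSITIVE
        if t["TrustDirection"] in ("Outbound", "Bidirectional"):
            edges.append((src, dst, transitive))   # src trusts dst
        if t["TrustDirection"] in ("Inbound", "Bidirectional"):
            edges.append((dst, src, transitive))   # dst trusts src
    return edges


def reachable_from(trusts, home):
    """{domain: hops} for every domain whose resources a principal of `home` can
    reach. The first hop may use any trust; a further hop is only allowed when
    every trust on the chain so far, and the new one, is transitive."""
    edges = trusting_edges(trusts)
    reached, seen = {}, set()
    queue = deque([(home, 0, True)])
    while queue:
        domain, hops, chain_ok = queue.popleft()
        for trusting, trusted, transitive in edges:
            if trusted != domain or trusting == home:
                continue
            if hops > 0 and not (chain_ok and transitive):
                continue
            state = (trusting, chain_ok and transitive)
            if state in seen:
                continue
            seen.add(state)
            reached.setdefault(trusting, hops + 1)
            queue.append((trusting, hops + 1, chain_ok and transitive))
    return reached


if __name__ == "__main__":
    for home in ("sub.domain.local", "domain.local", "lab.partner.local"):
        print(home, "->", reachable_from(SAMPLE_TRUSTS, home))
```

Two things the walk makes visible: the inbound external trust from vendor.external lets domain.local principals in but does not extend to sub.domain.local, because a non-transitive trust covers only the trusted domain's own principals; and the forest trust plus the WITHIN_FOREST parent-child trusts let a lab.partner.local principal reach three domains in the other forest. Reachability here means "can be authenticated to", not "has rights": what each principal can then do is governed by group membership and ACLs, as the attack path section below describes.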
## Attack Path

- Enumerate the trust relationships
- Check if any security principal (user/group/computer) has access to resources of the other domain, maybe through ACE entries or by being in groups of the other domain. Look for relationships across domains (the trust was probably created for this).
  - Kerberoast could be another option in this case.
- Compromise the accounts which can pivot through domains.

Attackers could access resources in another domain through three primary mechanisms:

- Local Group Membership: Principals might be added to local groups on machines, such as the "Administrators" group on a server, granting them significant control over that machine.
- Foreign Domain Group Membership: Principals can also be members of groups within the foreign domain. However, the effectiveness of this method depends on the nature of the trust and the scope of the group.
- Access Control Lists (ACLs): Principals might be specified in an ACL, particularly as entities in ACEs within a DACL, providing them access to specific resources. For those wanting to dive deeper into the mechanics of ACLs, DACLs, and ACEs, the whitepaper titled "An ACE Up The Sleeve" is an invaluable resource.

## Child-to-Parent forest privilege escalation

```powershell
Get-DomainTrust

SourceName      : sub.domain.local    --> current domain
TargetName      : domain.local        --> foreign domain
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST       --> WITHIN_FOREST: Both in the same forest
TrustDirection  : Bidirectional       --> Trust direction (2 ways in this case)
WhenCreated     : 2/19/2021 1:28:00 PM
WhenChanged     : 2/19/2021 1:28:00 PM
```

> [!WARNING]
> There are 2 trusted keys, one for Child --> Parent and another one for Parent --> Child.
> You can check the one used by the current domain with:

```powershell
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
```
## SID-History Injection

Escalate as Enterprise admin to the child/parent domain abusing the trust with SID-History injection:
{{#ref}} sid-history-injection.md {{#endref}}
## Exploit writeable Configuration NC

Understanding how the Configuration Naming Context (NC) can be exploited is crucial. The Configuration NC serves as a central repository for configuration data across a forest in Active Directory (AD) environments. This data is replicated to every Domain Controller (DC) within the forest, with writable DCs maintaining a writable copy of the Configuration NC. To exploit this, one must have SYSTEM privileges on a DC, preferably a child DC.

### Link GPO to root DC site

The Configuration NC's Sites container includes information about the sites of all domain-joined computers within the AD forest. By operating with SYSTEM privileges on any DC, attackers can link GPOs to the root DC sites. This action potentially compromises the root domain by manipulating the policies applied to these sites.
For in-depth information, one might explore the research on Bypassing SID Filtering.

### Compromise any gMSA in the forest

An attack vector involves targeting privileged gMSAs within the domain. The KDS Root key, essential for computing gMSA passwords, is stored within the Configuration NC. With SYSTEM privileges on any DC, it's possible to access the KDS Root key and compute the passwords for any gMSA across the forest.
A detailed analysis can be found in the discussion on Golden gMSA Trust Attacks.

### Schema change attack

This method requires patience, waiting for the creation of new privileged AD objects. With SYSTEM privileges, an attacker can modify the AD Schema to grant any user complete control over all classes. This could lead to unauthorised access and control over newly created AD objects.
Further reading is available on Schema Change Trust Attacks.

### From DA to EA with ADCS ESC5

The ADCS ESC5 vulnerability targets control over Public Key Infrastructure (PKI) objects to create a certificate template that enables authentication as any user within the forest. As PKI objects reside in the Configuration NC, compromising a writable child DC enables the execution of ESC5 attacks.
More details on this can be read in From DA to EA with ESC5. In scenarios lacking ADCS, the attacker has the capability to set up the necessary components, as discussed in Escalating from Child Domain Admins to Enterprise Admins.

## External Forest Domain - One-Way (Inbound) or bidirectional

```powershell
Get-DomainTrust

SourceName      : a.domain.local   --> Current domain
TargetName      : domain.external  --> Destination domain
TrustType       : WINDOWS-ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection  : Inbound          --> Inbound trust
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM
```

In this scenario your domain is trusted by an external one, giving you undetermined permissions over it. You will need to find which principals of your domain have which access over the external domain and then try to exploit it:
{{#ref}} external-forest-domain-oneway-inbound.md {{#endref}}
## External Forest Domain - One-Way (Outbound)

```powershell
Get-DomainTrust -Domain current.local

SourceName      : current.local   --> Current domain
TargetName      : external.local  --> Destination domain
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Outbound        --> Outbound trust
WhenCreated     : 2/19/2021 10:15:24 PM
WhenChanged     : 2/19/2021 10:15:24 PM
```

In this scenario your domain is trusting some privileges to principals from a different domain.
However, when a domain is trusted by the trusting domain, the trusted domain creates a user with a predictable name that uses the trust password as its password. This means that it's possible to access a user from the trusting domain to get inside the trusted one, enumerate it and try to escalate more privileges:

{{#ref}} external-forest-domain-one-way-outbound.md {{#endref}}

Another way to compromise the trusted domain is to find a SQL trusted link created in the opposite direction of the domain trust (which is not very common).
Another way to compromise the trusted domain is to wait on a machine where a user from the trusted domain can log in via RDP. Then, the attacker could inject code into the RDP session process and access the origin domain of the victim from there.
Moreover, if the victim mounted their hard drive, from the RDP session process the attacker could store backdoors in the startup folder of the hard drive. This technique is called RDPInception.
{{#ref}} rdp-sessions-abuse.md {{#endref}}
## Domain trust abuse mitigation

### SID Filtering:

- The risk of attacks leveraging the SID history attribute across forest trusts is mitigated by SID Filtering, which is activated by default on all inter-forest trusts. This is underpinned by the assumption that intra-forest trusts are secure, considering the forest, rather than the domain, as the security boundary as per Microsoft's stance.
- However, there's a catch: SID filtering might disrupt applications and user access, leading to its occasional deactivation.

### Selective Authentication:

- For inter-forest trusts, employing Selective Authentication ensures that users from the two forests are not automatically authenticated. Instead, explicit permissions are required for users to access domains and servers within the trusting domain or forest.
- It's important to note that these measures do not safeguard against the exploitation of the writable Configuration Naming Context (NC) or attacks on the trust account.

More information about domain trusts in ired.team.

## AD -> Azure & Azure -> AD
{{#ref}} https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity {{#endref}}
## Some General Defenses

Learn more about how to protect credentials here.

### Defensive Measures for Credential Protection

- Domain Admins Restrictions: It is recommended that Domain Admins should only be allowed to log in to Domain Controllers, avoiding their use on other hosts.
- Service Account Privileges: Services should not be run with Domain Admin (DA) privileges to maintain security.
- Temporal Privilege Limitation: For tasks requiring DA privileges, their duration should be limited. This can be achieved by:

```powershell
Add-ADGroupMember -Identity "Domain Admins" -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
```

### Implementing Deception Techniques

- Implementing deception involves setting traps, like decoy users or computers, with features such as passwords that do not expire or are marked as Trusted for Delegation. A detailed approach includes creating users with specific rights or adding them to high privilege groups.
- A practical example involves using tools like:

```powershell
Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
```

- More on deploying deception techniques can be found at Deploy-Deception on GitHub.

### Identifying Deception

- For User Objects: Suspicious indicators include an atypical ObjectSID, infrequent logons, creation dates, and low bad password counts.
- General Indicators: Comparing attributes of potential decoy objects with those of genuine ones can reveal inconsistencies. Tools like HoneypotBuster can help in identifying such deceptions.

### Bypassing Detection Systems

- Microsoft ATA Detection Bypass:
  - User Enumeration: Avoiding session enumeration on Domain Controllers to prevent ATA detection.
  - Ticket Impersonation: Utilising aes keys for ticket creation helps evade detection by not downgrading to NTLM.
  - DCSync Attacks: Executing from a non-Domain Controller to avoid ATA detection is advised, as direct execution from a Domain Controller will trigger alerts.

## References

- http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
- https://www.labofapenetrationtester.com/2018/10/deploy-deception.html
- https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain
{{#include ../../banners/hacktricks-training.md}}