AD CS Account Persistence
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Hii ni muhtasari mdogo wa sura za kudumu za mashine kutoka kwa utafiti mzuri wa https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
Katika hali ambapo cheti kinachoruhusu uthibitisho wa kikoa kinaweza kuombwa na mtumiaji, mshambuliaji ana fursa ya kuomba na kuchukua cheti hiki ili kuhifadhi kudumu kwenye mtandao. Kwa kawaida, kiolezo cha User
katika Active Directory kinaruhusu maombi kama haya, ingawa wakati mwingine kinaweza kuzuiliwa.
Kwa kutumia chombo kinachoitwa Certify, mtu anaweza kutafuta vyeti halali vinavyowezesha ufikiaji wa kudumu:
Inasisitizwa kwamba nguvu ya cheti iko katika uwezo wake wa kujiuthibitisha kama mtumiaji anayehusiana nacho, bila kujali mabadiliko yoyote ya nenosiri, mradi cheti kimebaki halali.
Vyeti vinaweza kuombwa kupitia kiolesura cha picha kwa kutumia certmgr.msc
au kupitia mstari wa amri na certreq.exe
. Pamoja na Certify, mchakato wa kuomba cheti umewekwa rahisi kama ifuatavyo:
Upon successful request, a certificate along with its private key is generated in .pem
format. To convert this into a .pfx
file, which is usable on Windows systems, the following command is utilized:
Baada ya ombi kufanikiwa, cheti pamoja na funguo yake ya faragha kinatengenezwa katika muundo wa .pem
. Ili kubadilisha hii kuwa faili ya .pfx
, ambayo inaweza kutumika kwenye mifumo ya Windows, amri ifuatayo inatumika:
Faili la .pfx
linaweza kupakiwa kwenye mfumo wa lengo na kutumika na chombo kinachoitwa Rubeus kuomba Tiketi ya Kutoa Tiketi (TGT) kwa mtumiaji, ikipanua ufikiaji wa mshambuliaji kwa muda mrefu kama cheti ni halali (kawaida mwaka mmoja):
An important warning is shared about how this technique, combined with another method outlined in the THEFT5 section, allows an attacker to persistently obtain an account’s NTLM hash without interacting with the Local Security Authority Subsystem Service (LSASS), and from a non-elevated context, providing a stealthier method for long-term credential theft.
Another method involves enrolling a compromised system’s machine account for a certificate, utilizing the default Machine
template which allows such actions. If an attacker gains elevated privileges on a system, they can use the SYSTEM account to request certificates, providing a form of persistence:
This access enables the attacker to authenticate to Kerberos as the machine account and utilize S4U2Self to obtain Kerberos service tickets for any service on the host, effectively granting the attacker persistent access to the machine.
Njia ya mwisho iliyozungumziwa inahusisha kutumia uhalali na muda wa upya wa mifano ya leseni. Kwa kuhuisha leseni kabla ya kuisha, mshambuliaji anaweza kudumisha uthibitisho kwa Active Directory bila haja ya usajili wa tiketi za ziada, ambazo zinaweza kuacha alama kwenye seva ya Mamlaka ya Leseni (CA).
Njia hii inaruhusu mbinu ya kudumu iliyopanuliwa, ikipunguza hatari ya kugunduliwa kupitia mwingiliano mdogo na seva ya CA na kuepuka uzalishaji wa vitu ambavyo vinaweza kuwajulisha wasimamizi kuhusu uvamizi.