
[Translation + Practice] Several Ways of Gaining Domain Admin Rights

January 14, 2018 • Security Techniques

Preface

I have long had a strong interest in domain penetration. By chance I came across the site adsecurity.org and found it has many solid, well-grounded articles.
Over the coming year I will keep trying to learn and practice the material in those articles by translating the originals (which also helps my English).

Each post will also include the original text, because my translation skills are honestly questionable. If you feel a translation is wrong or not quite right, please refer directly to the original; if you can also point it out in the comments, even better.

Also, because an article is sometimes rather long, and I mainly want to translate and practice in scraps of spare time, I generally will not translate all of it at once, so the post will be incomplete most of the time; if you are in a hurry, read the original directly.

Main text

Original article: Attack Methods for Gaining Domain Admin Rights in Active Directory
Original date: 2016.01.01

There are many ways an attacker can gain Domain Admin rights in Active
Directory. This post is meant to describe some of the more popular
ones in current use. The techniques described here “assume breach”
where an attacker already has a foothold on an internal system and has
gained domain user credentials (aka post-exploitation).

In a domain environment, an attacker has many ways to obtain Domain Admin rights. This post mainly introduces several methods in current use. The methods described here assume the attacker already has a foothold on the internal network and has obtained the credentials of a domain user.

(In practice you sometimes obtain a foothold on the internal network but the machine is not in the domain; then you have to find a way to obtain a domain user's credentials.)

The unfortunate reality for most enterprises, is that it often does
not take long from an attacker to go from domain user to domain admin.
The question on defenders’ minds is “how does this happen?”.

The unfortunate reality for many enterprises is that an attacker does not need much time to go from an ordinary domain account to Domain Admin. What defenders want to know is exactly how this happens.

The attack frequently starts with a spear-phishing email to one or
more users enabling the attacker to get their code running on a
computer inside the target network. Once the attacker has their code
running inside the enterprise, the first step is performing
reconnaissance to discover useful resources to escalate permissions,
persist, and of course, plunder information (often the “crown jewels”
of an organization).

Attackers often use spear-phishing, sending a phishing email to one or more users to obtain code execution on the internal network. Once they have a foothold inside, the first step is usually reconnaissance: gathering information useful for privilege escalation, persistence, and so on.

(Personally, I think that once you have a foothold on the internal network, you should, after some simple hiding, search through the data as quickly as possible, go through every place you can reach, and download whatever can be downloaded right away, because the access can be lost at any time.)

While the overall process detail varies, the overall theme remains:

  • Malware Injection (Spear-Phish, Web Exploits, etc)
  • Reconnaissance (Internal)
  • Credential Theft
  • Exploitation & Privilege Escalation
  • Data Access & Exfiltration
  • Persistence (retaining access)

Although the details of the methods differ, the general theme remains:

  • Malware injection (spear-phishing, web exploits, etc.)
  • Internal reconnaissance
  • Credential theft
  • Exploitation and privilege escalation
  • Access to confidential data and exfiltration out of the network
  • Persistence (backdoors of all kinds)

We start with the attacker having a foothold inside the enterprise,
since this is often not difficult in modern networks. Furthermore, it
is also typically not difficult for the attacker to escalate from
having user rights on the workstation to having local administrator
rights. This escalation can occur by either exploiting an unpatched
privilege escalation vulnerability on the system or, more frequently,
finding local admin passwords in SYSVOL, such as Group Policy
Preferences.

Our attack begins with a foothold on the internal network, because in today's networks that is not very hard.
(My understanding of why the author says this: every so often all sorts of vulnerabilities are disclosed, and various 0-days circulate and are traded in underground circles. Add the assorted social-engineering methods and exploits for Office, Flash, Adobe PDF Reader and so on, and there are still ways to get a foothold inside from the outside.)

And for an attacker, escalating from an ordinary user to local administrator is usually not hard either. This escalation can be done by exploiting an unpatched local privilege escalation vulnerability or, more commonly, by finding a local administrator password in SYSVOL, for example in GPP.

I spoke about most of these techniques when at several security conferences in 2015 (BSides, Shakacon, Black Hat, DEF CON, & DerbyCon).
I spoke about these at various security conferences in 2015.
I also covered some of these issues in the post “The Most Common Active Directory Security Issues and What You Can Do to Fix Them“.
I also covered these issues several times in that post.

The specific methods follow:

1. Passwords in SYSVOL & Group Policy Preferences

This method is the simplest since no special “hacking” tool is
required. All the attacker has to do is open up Windows Explorer and
search the domain SYSVOL DFS share for XML files. Most of the time,
the following XML files will contain credentials: groups.xml,
scheduledtasks.xml, & Services.xml.

This method is the simplest because no hacking tool is needed at all. All the attacker has to do is open a file browser window and search the domain file share for XML files. These files usually contain credentials: groups.xml, scheduledtasks.xml, Services.xml

SYSVOL is the domain-wide share in Active Directory to which all
authenticated users have read access. SYSVOL contains logon scripts,
group policy data, and other domain-wide data which needs to be
available anywhere there is a Domain Controller (since SYSVOL is
automatically synchronized and shared among all Domain Controllers).
All domain Group Policies are stored here:
\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

SYSVOL is a domain-wide share; all authenticated domain users have read access to it. SYSVOL contains logon scripts, group policy data, and other domain data that must be available wherever there is a Domain Controller (the data in SYSVOL is automatically synchronized among all Domain Controllers). All Group Policies are stored at this location:

\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

When a new GPP is created, there’s an associated XML file created in SYSVOL with the relevant
configuration data and if there is a password provided, it is AES-256 bit encrypted which
should be good enough…

When a new Group Policy Preference is created, an XML file holding the related configuration data is created in SYSVOL; if a password is supplied, it is encrypted with AES-256.

Except at some point prior to 2012, Microsoft published the AES
encryption key (shared secret) on MSDN which can be used to decrypt
the password. Since authenticated users (any domain user or users in a
trusted domain) have read access to SYSVOL, anyone in the domain can
search the SYSVOL share for XML files containing “cpassword” which is
the value that contains the AES encrypted password.

Except that, at some point before 2012, Microsoft published the AES encryption key (the shared secret) on MSDN, which can be used to decrypt the password. Since authenticated users (any user in the domain or in a trusted domain) have read access to SYSVOL, anyone in the domain can search the SYSVOL share for XML files containing "cpassword", the value that holds the AES-encrypted password.

[Figure: contents of the GPP XML file in SYSVOL]

With access to this XML file, the attacker can use the AES private key
to decrypt the GPP password. The PowerSploit function Get-GPPPassword
is most useful for Group Policy Preference exploitation. The
screenshot here shows a similar PowerShell function decrypting the GPP
password from an XML file found in SYSVOL.

With access to this XML file, the attacker can use the AES private key to decrypt the GPP password.

The Get-GPPPassword script from the PowerSploit project can be used for the decryption.
Usage:

powershell -Command "Import-Module .\Get-GPPPassword.ps1; Get-GPPPassword"

The following screenshot shows a GPP password being decrypted from an XML file in SYSVOL:

[Figure: decrypted GPP password]

Other file types may also have embedded passwords (often in
clear-text) such as vbs and bat.

[Figure: VBS scripts in SYSVOL]

You would think that with a released patch preventing admins from
placing credentials in Group Policy Preferences, this would no longer
be an issue, though I still find credentials in SYSVOL when performing
customer security assessments.

Mitigation: Install KB2962486 on every computer used to manage GPOs
which prevents new credentials from being placed in Group Policy
Preferences. Delete existing GPP xml files in SYSVOL containing
passwords. Don’t put passwords in files that are accessible by all
authenticated users. More information on this attack method is
described in the post: Finding Passwords in SYSVOL & Exploiting Group
Policy Preferences.
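The mitigation above asks admins to delete the GPP XML files in SYSVOL that still carry passwords, and the earlier paragraph explains that those passwords live in the "cpassword" attribute. As an added example (my own code, not the original post's and not PowerSploit's), the Python script below inventories a SYSVOL tree for exactly those entries so they can be removed and the fix verified: it walks the tree, parses every .xml file, and reports the GPO GUID, item type, account name and last-changed date for each non-empty cpassword it finds. It never decrypts anything. The two sample XML files, their GUIDs, dates and directory layout are constructed for the demo, and the list of account-name attributes it looks at is an assumption, not something taken from the page. On a real domain you would point find_cpassword_entries at the \\<DOMAIN>\SYSVOL\<DOMAIN> path given above.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample groups.xml in the shape Group Policy Preferences writes it.
# The cpassword value is a placeholder string, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2"
        changed="2015-06-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_VALUE" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed sample Services.xml whose cpassword attribute is empty: nothing stored,
# so the scanner must not flag it.
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{2CFB484A-4E96-4b5d-A0B1-B9E9FA6F8C1F}">
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A99}" name="Spooler" image="0"
             changed="2015-06-01 10:05:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" serviceAction="START"
                accountName="LocalSystem" cpassword=""/>
  </NTService>
</NTServices>
"""

# Attribute names GPP uses for the account a cpassword belongs to (assumed list covering
# the item types the post names: local users, scheduled tasks, services).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

# Constructed GPO GUID used for the sample tree.
SAMPLE_GPO_GUID = "{00000000-0000-0000-0000-0000000000AA}"


def build_sample_sysvol(base_dir):
    """Lay the samples out in the Policies\\{GUID}\\Machine\\Preferences tree SYSVOL uses."""
    pref_dir = os.path.join(base_dir, "Policies", SAMPLE_GPO_GUID, "Machine", "Preferences")
    for sub, fname, body in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                             ("Services", "Services.xml", SAMPLE_SERVICES_XML)):
        os.makedirs(os.path.join(pref_dir, sub), exist_ok=True)
        with open(os.path.join(pref_dir, sub, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base_dir


def _gpo_guid(path):
    """Return the path component that follows 'Policies', i.e. the GPO's GUID folder."""
    parts = os.path.normpath(path).split(os.sep)
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "policies":
            return parts[i + 1]
    return None


def find_cpassword_entries(sysvol_root):
    """Walk a SYSVOL tree and report every element carrying a non-empty cpassword."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if not fname.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML; GPP files always are, so skip it
            # ElementTree has no parent pointers, so map each child to its parent once.
            parent_of = {child: parent for parent in root.iter() for child in parent}
            for elem in root.iter():
                if not elem.attrib.get("cpassword"):
                    continue  # attribute absent or empty: no stored password
                item = parent_of.get(elem, elem)  # the <User>/<Task>/<NTService> element
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
                hits.append({"file": path, "gpo": _gpo_guid(path), "item": item.tag,
                             "name": item.attrib.get("name"), "account": account,
                             "changed": item.attrib.get("changed")})
    return hits


def format_report(hits):
    """One line per finding, suitable for handing to whoever owns the GPO."""
    if not hits:
        return ["No cpassword values found."]
    return [f"{h['gpo']} {h['item']} '{h['name']}' (account {h['account']}, "
            f"changed {h['changed']}) -> {h['file']}" for h in hits]


def demo_scan():
    """Build the constructed tree in a temp dir and scan it."""
    return find_cpassword_entries(build_sample_sysvol(tempfile.mkdtemp()))


if __name__ == "__main__":
    print("\n".join(format_report(demo_scan())))
```

Empty cpassword attributes are deliberately ignored: after KB2962486 the GPP editor no longer stores a password, so an empty attribute is the clean state, and flagging it would bury the real findings. Anything the script reports should be deleted from SYSVOL and the account's password rotated, since every authenticated user has been able to read it.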
