Shulou(Shulou.com)06/01 Report--

This article mainly introduces the ways for Python security to obtain domain administrator rights, which are introduced in great detail and have a certain reference value. Friends who are interested must read it!

In most cases, attackers can obtain domain administrator privileges by locating the server to which the domain administrator is logged in, exploiting vulnerabilities to obtain server system privileges, and finding domain management accounts, processes, or authentication tokens

The first way: take advantage of GPP vulnerability to obtain domain management rights.

SYSVOL is a shared folder within a domain that stores login scripts, group policy scripts, and so on. When a domain administrator changes a password through group policy, introducing a user password into the script can cause security problems.

(1) visit the SYSVOL shared folder, search for the XML file containing "cpassword", and get the password encrypted by AES.

(2) use the gpp-decrypt that comes with kali to crack, so as to obtain the domain account password, and log in to the domain administrator account directly to obtain access rights.

The second way: get the plaintext login password of the server

System permissions are required to use the kiwi module, so we need to upgrade the shell in the current MSF to system before using this module. There are two ways to mention system, one is that the current permissions are administrator users, and the other is to use other means to promote rights to administrator users first. Administrator users can then getsystem directly to system permissions.

Meterpreter > getuidServer username: BYPASS-E97BA3FC\ Administratormeterpreter > getsystem... got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). Meterpreter > getuidServer username: NT AUTHORITY\ SYSTEM

Load kiwi module

Load kiwi

Enumerate the plaintext passwords in the system

Creds_all

The third way: use MS14-068loophole to claim rights.

MS14068 is a privilege escalation vulnerability that enables ordinary users to elevate their rights to domain control privileges. Attackers can elevate privileges by constructing specific request packets.

Attack flow:

The first step: use MS14-068 to forge and generate TGT

MS14-068.exe-u bypass@test.com-p abc123!-s Smur1-5-21-735015318-3972860336-672499796-d dc.test.com

Step 2: use mimikatz to write the TGT ticket obtained by the tool to memory and create a cache certificate

Mimikatz#kerberos::ptc TGT_bypass@test.com.ccache

Step 3: obtain domain administrator privileges. Create a test account and join the domain administrators group, so that you can log in to the domain control host at any time to operate.

PsExec.exe\\ dc cmd.exe / / add test user net user test abc123! / add / domain// add test user to domain administrator group net group "domain admins" test / add / domain// View domain administrator net group "domain admins" / domain 4th way: steal domain administrator token

When a domain control account logs in to the server, you can use token simulation to infiltrate to obtain domain control permissions.

1. Invade the server where the domain administrator is located and steal the domain administrator's token to control the entire domain.

2. Add a domain administrator directly on the meterpreter shell

IP address of add_user test abc123!-h domain control add_group_user "Domain Admins" test-h domain control IP address 5: process migration

Domain administrator privileges can be obtained by hacking into the server where the domain administrator is logged in and migrating the process to the process that the domain administrator is running.

1. Get the list of domain administrators

Net group "Domain Admins" / domain

2. Use ps to find the process that the domain administrator (TEST\ bypass) is running, and then migrate the shell process to the process run by the domain administrator. After success, you will get domain administrator privileges. As shown in the following figure:

3. Enter the shell command to get OS shell, and use the Windows command on the local machine to add a new domain administrator:

/ / add test users net user test admin@123 / add / domain// add test users to the domain administrator group net group "domain admins" test / add / domain

4. The domain administrator account test has been added successfully.

The above is all the contents of the article "what are the ways for Python to secure access to domain administrators?" Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.