OSCP/OSCP Study Log
[+] AD Attack Practice
takudaddy
2023. 1. 24. 14:55
[Table of Contents]
1. AS-REP Roasting
2. Kerberoasting
1. AS-REP Roasting
# Explanation of the AS-REP Roasting process
![](https://blog.kakaocdn.net/dn/w2KG2/btrWUdJqYFi/nKSs8It0WMoxev8UewwII0/img.png)
# Practice
1) Create a new user (john smith) on the DC (domain controller)
![](https://blog.kakaocdn.net/dn/ARdrS/btrWZWzUYnW/Wxbr0o9Rp93aYL78rp3ff0/img.png)
![](https://blog.kakaocdn.net/dn/bkS8Qm/btrWYMK3Kdc/926HLU2PRVQRYhPYnwoK8k/img.png)
![](https://blog.kakaocdn.net/dn/bgov4d/btrW4Ek9Qgr/CWyOFso37eyjUBg5Y5vK8K/img.png)
![](https://blog.kakaocdn.net/dn/bl1DZ4/btrWSvjtJb0/iYGd5W64jLeky7Gkhjz9ak/img.png)
![](https://blog.kakaocdn.net/dn/cI6vnC/btrWUdQdW8z/P2ub4LsoJFO4gdl0QvAxf0/img.png)
![](https://blog.kakaocdn.net/dn/bghbNX/btrWZXFAAUQ/z2DabBgY0a6eZqirhZkBHK/img.png)
: The "Do not require Kerberos preauthentication" option: checking this box makes the account insecure, because it means the client no longer has to send an encrypted timestamp along with the AS-REQ (authentication server request)
2) Attempting the attack
- Guess the target usernames
![](https://blog.kakaocdn.net/dn/AYJzR/btrWUIikpTI/KNJF8fiFnTNNmVB5ZRjEH1/img.png)
: You can also put them in a list and check them all at once!
![](https://blog.kakaocdn.net/dn/bVtRqk/btrWX4Syff6/bu6iAknJUwBtisqhpmDRW1/img.png)
: Note: the accounts with the PreAuth setting (pre-authentication not required) are the ones for which a TGT can be requested!
- GetNPUsers.py
: I entered an arbitrary value as the password, and
![](https://blog.kakaocdn.net/dn/bHuNoT/btrWYMROMWY/l9xT6KI94HihKc0eW4TMB1/img.png)
: a TGT was issued; cracking it with hashcat
![](https://blog.kakaocdn.net/dn/56WHu/btrWS22tJNS/cpmAkZdTSLZeNZNWkmXkX0/img.png)
: reveals the plaintext password!
2. Kerberoasting
# SPN (Service Principal Names) explained
https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names
- Basic SPN format
: service-name/machine-name@AD-domain-name
: MSSQLsvc/takudaddy44@takuadddy.local
# Explanation of the Kerberos authentication process
![](https://blog.kakaocdn.net/dn/bz7bcV/btrW380WbOd/QkKqShWGsvk9klxiMHFIN0/img.png)
# Practice
1) Create a new Organizational Unit
![](https://blog.kakaocdn.net/dn/0lrQu/btrW0OPm7DU/rWGSbUzqYpGdvOCWBV4BYk/img.png)
![](https://blog.kakaocdn.net/dn/Ysdz7/btrW2tjSS9H/P7x1kcfNsBsCRhRAudILr0/img.png)
![](https://blog.kakaocdn.net/dn/db0Teb/btrWS2g7YR7/bRCj3X5K3C7vK9iePdKPak/img.png)
: Add the mssql_svc user to Global Users
![](https://blog.kakaocdn.net/dn/EQWkv/btrW1N3Ny49/8P4tpDK0dhmR7YW5K949n0/img.png)
: Configuration after creation
![](https://blog.kakaocdn.net/dn/b2tpXx/btrW0PU0Qyz/xvgeqLzMUCq3suvx98KmT0/img.png)
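The two lab setups above (an account with pre-authentication disabled, and a service account that carries an SPN) are exactly what a defender should audit for. The following is an added example, not code from the post or from the tools it uses: it takes constructed directory records (the sam_account_name / user_account_control / spns fields are assumed to come from an LDAP export), flags accounts exposed to AS-REP Roasting or Kerberoasting, and parses SPNs in the service/host[:port][/instance][@realm] format shown in the SPN section.

```python
"""Added audit example (not from the post): flag directory accounts exposed to
AS-REP Roasting or Kerberoasting, and parse SPNs of the form
service/host[:port][/instance][@realm]."""
from dataclasses import dataclass, field
# userAccountControl flag values from Microsoft's ADS_USER_FLAG_ENUM.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication" box

@dataclass
class Account:
    sam_account_name: str
    user_account_control: int
    spns: list = field(default_factory=list)  # servicePrincipalName values
    def enabled(self) -> bool:
        return not self.user_account_control & UF_ACCOUNTDISABLE

def parse_spn(spn: str) -> dict:
    """Split an SPN into its parts; the @realm suffix and :port/instance are optional."""
    realm = None
    if "@" in spn:
        spn, realm = spn.rsplit("@", 1)
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    return {"service": parts[0], "host": host, "port": int(port) if port else None,
            "instance": parts[2] if len(parts) > 2 else None, "realm": realm}

def asrep_roastable(acct: Account) -> bool:
    """Enabled account with pre-auth disabled: its AS-REP can be obtained without a password."""
    return acct.enabled() and bool(acct.user_account_control & UF_DONT_REQUIRE_PREAUTH)

def kerberoastable(acct: Account) -> bool:
    """Enabled user (not machine) account holding an SPN: any domain user can request a
    service ticket encrypted under its password-derived key, so it needs a long password."""
    return acct.enabled() and not acct.sam_account_name.endswith("$") and bool(acct.spns)

def audit(accounts) -> dict:
    return {"asrep": [a.sam_account_name for a in accounts if asrep_roastable(a)],
            "kerberoast": [a.sam_account_name for a in accounts if kerberoastable(a)]}

# Constructed sample records mirroring the lab users (not real directory output).
SAMPLE = [
    Account("john.smith", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    Account("mssql_svc", UF_NORMAL_ACCOUNT, ["MSSQLsvc/takudaddy44.takudaddy.local:1433"]),
    Account("TAKUDADDY44$", UF_WORKSTATION_TRUST_ACCOUNT, ["HOST/takudaddy44"]),
    Account("old_svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, ["HTTP/web"]),
]
```

Running `audit(SAMPLE)` lists john.smith under asrep and mssql_svc under kerberoast; the machine account and the disabled account are left out, which is the same filtering the enumeration tools in the post apply.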