## Introduction
In security assessments and penetration tests of Active Directory (AD) environments, finding improperly configured permissions is extremely important. Delegation settings in particular can be abused by an attacker as a foothold for privilege escalation and lateral movement.

This blog post focuses on one of the powerful tools in the Impacket suite, impacket-findDelegation (or simply `findDelegation.py`), and explains in detail how to use it and how to detect delegation settings in an Active Directory environment. Mastering this tool lets you effectively identify the security risks hiding in an AD environment and take countermeasures.

First, let's look at what delegation is and why it matters.
## Delegation Basics

In Active Directory, delegation is a mechanism that allows an account (a user or a computer) to access another service on behalf of (impersonating) a user who has authenticated to it. This enables multi-tier application architectures (for example, a front-end web server accessing a back-end database server as the user). However, this convenient feature can become a serious security risk when misconfigured.

There are three main kinds of delegation:
### Unconstrained Delegation

This is the oldest and most dangerous form of delegation. An account with this setting enabled (usually a computer or service account) can impersonate any user who authenticates to it against any Kerberos service in the domain. If an attacker compromises an account configured for unconstrained delegation, they may be able to steal from memory the TGT (Ticket Granting Ticket) of a highly privileged user, such as a Domain Admin, who authenticates to that server, and take over the entire domain. 😱
### Constrained Delegation (KCD)

Constrained delegation was introduced to reduce the risk of unconstrained delegation. With this setting, the account allowed to delegate may impersonate users only to specific, designated services, which limits the scope of impersonation.

KCD comes in two variants:

- Kerberos Only: delegation to the back-end service is possible only if the user authenticated to the first service with Kerberos.
- Protocol Transition: even if the user authenticated to the first service with a method other than Kerberos (for example NTLM or forms-based authentication), the first service can use Kerberos to delegate to the designated back-end services as that user. This is more flexible, but if abused it may allow an attacker to impersonate any user (administrators included) to those specific services.

Constrained delegation is configured on the account object of the delegating side (for example, the front-end server), in the `msDS-AllowedToDelegateTo` attribute.
### Resource-Based Constrained Delegation (RBCD)

RBCD is a relatively new form of delegation introduced in Windows Server 2012. Unlike classic KCD, the permission to delegate is held by the resource on the receiving side (for example, the back-end database server). Specifically, the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the resource (such as a computer account) specifies which principals (users or computers) are allowed to impersonate other users to that resource.

The advantage of RBCD is that the resource's administrator controls the delegation, so it can be configured without intervention from a domain administrator. However, if an attacker has the right to create computer accounts (often granted to domain users by default) or compromises an existing computer account, an attack path exists in which that account is made trusted via RBCD to gain access to a specific server (such as a domain controller). 🛡️
## 🚨 Why Finding Delegation Settings Matters

These delegation settings, especially unconstrained delegation, constrained delegation with protocol transition, and misconfigured RBCD, are prime targets for attackers. Because a compromised account can be abused to seize Domain Admin privileges or reach sensitive data, it is critical to audit these settings regularly and manage them according to the principle of least privilege.

One caveat: users with the "Account is sensitive and cannot be delegated" attribute enabled and members of the "Protected Users" group are excluded from impersonation through these delegation mechanisms.
## What Is Impacket

Impacket is a collection of Python classes for working with network protocols. It focuses in particular on protocols commonly used in Windows environments, such as SMB and MSRPC, and provides low-level packet manipulation and access to the protocol implementations.

Impacket is more than a library: it ships with many useful scripts (tools) built on its functionality. These live mainly in the examples directory and are useful in many situations, including penetration testing, security assessments and system administration tasks.

Some of the main scripts:

- `psexec.py`: execute commands remotely (a PsExec alternative)
- `secretsdump.py`: dump SAM/LSA secrets, NTLM hashes, Kerberos keys and more
- `smbclient.py`: access SMB/CIFS shares
- `GetUserSPNs.py`: find users with SPNs for Kerberoasting
- `GetNPUsers.py`: find users that do not require pre-authentication, for AS-REP Roasting
- `ntlmrelayx.py`: perform NTLM relay attacks
- and the subject of this post, `findDelegation.py`: analyse delegation settings in AD

These tools are often used together and form a powerful arsenal for understanding the security posture of an Active Directory environment in depth. 🧐
## Installing and Preparing impacket-findDelegation

To use impacket-findDelegation you first need to install the whole Impacket suite. Python and pip (Python's package installer) are assumed to be installed on your system.

The most common installation method is pip:

```bash
pip install impacket
# or: pip3 install impacket
```

Alternatively, you can clone the GitHub repository and install from source:

```bash
git clone https://github.com/fortra/impacket.git
cd impacket/
pip install .
# or: python setup.py install
```

Penetration-testing distributions such as Kali Linux may ship Impacket preinstalled or make it easy to install through the package manager (apt):

```bash
sudo apt update
sudo apt install python3-impacket impacket-scripts
```

After installation, the impacket-findDelegation or findDelegation.py command becomes available. (If it is not on your PATH, change into the examples directory under the directory where Impacket was installed and run it as python findDelegation.py.)

Running it requires valid domain credentials (a username and password, or a hash, Kerberos ticket, etc.) that can query information about the target Active Directory domain.
## Basic Usage

The basic command syntax of impacket-findDelegation is:

```text
impacket-findDelegation [-h] [-target-domain TARGET_DOMAIN] [-ts] [-debug]
                        [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                        [-dc-ip ip address] [-dc-host hostname]
                        target
```

Required parameter:

- `target`: the target domain and credentials, in the form `<domain>/<username>[:<password>]`. If the password is omitted you are prompted for it.

Important options:

- `-dc-ip <IP address>`: the IP address of the domain controller (DC) to connect to. If omitted, the tool tries to resolve it from the domain name (FQDN) given in `target`.
- `-dc-host <hostname>`: the hostname of the DC to connect to.

Basic example:

Search for delegation settings against the DC (192.168.1.100) of the corp.local domain, using the user svc_user with the password Password123.

```bash
impacket-findDelegation -dc-ip 192.168.1.100 corp.local/svc_user:Password123
```

To enter the password interactively:

```bash
impacket-findDelegation -dc-ip 192.168.1.100 corp.local/svc_user
Password:
```

When this basic command runs, the tool searches the domain's user and computer accounts through LDAP queries, checks the delegation-related attributes (`userAccountControl`, `msDS-AllowedToDelegateTo`, `msDS-AllowedToActOnBehalfOfOtherIdentity`) and displays the type and target of each configured delegation.
## Main Options Explained

impacket-findDelegation offers a number of options for fine-grained control over what is searched and how authentication is performed.

Search filtering options:

| Option | Description |
|---|---|
| `-all` | Search all types of delegation (unconstrained, constrained, RBCD). This is close to the default behaviour, for when you want to state it explicitly. |
| `-unconstrained` | Search only accounts configured for unconstrained delegation. |
| `-constrained` | Search only accounts configured for constrained delegation, with or without protocol transition. |
| `-rbcd` | Search only accounts configured for resource-based constrained delegation (that is, resources configured to accept delegation from other accounts). |
| `-user` | (Available in relatively recent Impacket versions) Search delegation settings related to a specific user account (delegations that user can perform, or delegations allowed to that user). |
| `-computer` | (Available in relatively recent Impacket versions) Search delegation settings related to a specific computer account. |

Authentication options:

| Option | Description |
|---|---|
| `-hashes <LMHASH:NTHASH>` | Authenticate with an NTLM hash instead of a password (the LM hash is usually empty). Example: `-hashes :aad3b435b51404eeaad3b435b51404ee` |
| `-no-pass` | Do not prompt for a password. Mainly used together with `-k` (Kerberos authentication). |
| `-k` | Use Kerberos authentication. A valid TGT obtained beforehand (for example with kinit) must exist in the ccache file (the location given by the KRB5CCNAME environment variable). If no ccache is found or it is invalid, the credentials given on the command line (username/password etc.) are tried. |
| `-aesKey <hex key>` | Use an AES key (128 or 256 bit) for Kerberos authentication. |

Connection and other options:

| Option | Description |
|---|---|
| `-dc-ip <IP address>` | IP address of the domain controller to connect to. |
| `-dc-host <hostname>` | Hostname of the domain controller to connect to. |
| `-target-domain <domain>` | Query a domain different from the one of the account used for authentication. This lets you retrieve delegation information across trusted domains. |
| `-ts` | Add timestamps to log output. |
| `-debug` | Enable debug mode and print more detailed information; useful for troubleshooting. |

Combining these options lets you efficiently find accounts with specific types of delegation.

Combination examples:

Search only computer accounts configured for unconstrained delegation, using a Kerberos ticket:

```bash
export KRB5CCNAME=/tmp/user.ccache
impacket-findDelegation -k -no-pass -dc-ip 192.168.1.100 -unconstrained corp.local/someuser
```

Search for accounts configured for RBCD, using an NTLM hash:

```bash
impacket-findDelegation -hashes :NTHASH_HERE -dc-ip 192.168.1.100 -rbcd corp.local/someuser
```
## Interpreting the Output

When impacket-findDelegation runs, the detected delegation settings are displayed as a table. It is important to understand what each column means.

```text
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

AccountName  AccountType  DelegationType                 DelegationRightsTo         SPN Exists
-----------  -----------  -----------------------------  -------------------------  ----------
WEBSRV01$    Computer     Unconstrained                  N/A                        True
APPSRV02$    Computer     Constrained (Kerberos Only)    cifs/FILESRV01.corp.local  True
DBSERV03$    Computer     Constrained (Protocol Trans.)  http/WEBSRV01.corp.local   True
BACKUPSVC    User         Unconstrained                  N/A                        False
DC01$        Computer     Resource Based Constrained     Allowing: CORP\TESTPC$     True
FILESRV01$   Computer     Resource Based Constrained     Allowing: CORP\APPSRV02$   True

(*) Found 6 accounts with delegation rights.
```

Columns:

- AccountName: SAM account name of the account (user or computer) carrying the delegation setting. Computer accounts usually end in `$`.
- AccountType: the kind of account (`User` or `Computer`).
- DelegationType: the kind of delegation detected:
  - `Unconstrained`: unconstrained delegation.
  - `Constrained (Kerberos Only)`: constrained delegation, Kerberos only.
  - `Constrained (Protocol Trans.)`: constrained delegation with protocol transition.
  - `Resource Based Constrained`: resource-based constrained delegation.
- DelegationRightsTo:
  - For constrained delegation: the list of service principal names (SPNs) the account may delegate to.
  - For resource-based constrained delegation: the principal allowed to delegate to this account (in the form `Allowing: DOMAIN\AccountName`).
  - For unconstrained delegation: `N/A`.
- SPN Exists: whether a service principal name (SPN) is set on the account (`True` or `False`). Kerberos delegation normally requires an SPN to work; a user account used as a service account without an SPN (such as BACKUPSVC in the example) may not be working as intended.

Risk assessment:

- Unconstrained: the highest risk. If compromised, it may allow impersonating highly privileged users (such as Domain Admins) who authenticate to that server. It is extremely dangerous when enabled on a domain controller, and equally dangerous when set on a user account.
- Constrained (Protocol Trans.): high risk. If an attacker compromises the account and can abuse protocol transition, they may access the designated services as any user, administrators included. The risk grows further when the delegation target is sensitive (for example CIFS or LDAP on a domain controller).
- Constrained (Kerberos Only): safer than protocol transition, but if compromised it may still allow access to the designated services as the users who authenticated with Kerberos. Depending on the target service, this is a risk.
- Resource Based Constrained: a relatively new and safer mechanism in itself, but misconfiguration or abuse scenarios (for example granting an attacker-created computer account delegation rights to a DC) can lead to privilege escalation. Check carefully who is allowed to delegate to whom.

Review the output, and where you find high-risk delegation settings, investigate in detail whether the setting is really needed and whether the account carrying it is adequately secured. 🧐
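As an added example (not Impacket's code), the following Python reproduces the classification behind the table above: it maps the `userAccountControl` bits and delegation attributes the tool reads to the DelegationType and DelegationRightsTo values shown, orders findings by the risk ranking just given, and checks the two impersonation exclusions mentioned earlier. The bit values are the real AD ones; the `rbcd_allowed_from` key, the `classify`/`audit`/`impersonation_blocked` names and the sample entries are assumptions constructed for this example.

```python
# Added example, not Impacket's own code: classify AD accounts by delegation type
# from the LDAP attributes findDelegation inspects, then order the findings the way
# the risk list above does. Bit values are from the AD schema; entries are constructed.

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
MACHINE_ACCOUNT_BITS = 0x1000 | 0x2000      # WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT

# Higher rank = review first; the order follows the risk list above.
RISK_RANK = {"Unconstrained": 4, "Constrained (Protocol Trans.)": 3,
             "Constrained (Kerberos Only)": 2, "Resource Based Constrained": 1}

def classify(entry):
    """One (AccountName, AccountType, DelegationType, DelegationRightsTo) row per
    delegation found on an entry (dict of LDAP attributes). 'rbcd_allowed_from' is
    assumed to be the principals resolved from msDS-AllowedToActOnBehalfOfOtherIdentity."""
    name, uac = entry["sAMAccountName"], int(entry.get("userAccountControl", 0))
    acct_type = "Computer" if uac & MACHINE_ACCOUNT_BITS else "User"
    rows = []
    if uac & TRUSTED_FOR_DELEGATION:
        rows.append((name, acct_type, "Unconstrained", "N/A"))
    if targets := entry.get("msDS-AllowedToDelegateTo"):
        kind = ("Constrained (Protocol Trans.)" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                else "Constrained (Kerberos Only)")
        rows.append((name, acct_type, kind, ", ".join(targets)))
    for principal in entry.get("rbcd_allowed_from", []):
        rows.append((name, acct_type, "Resource Based Constrained", f"Allowing: {principal}"))
    return rows

def audit(entries):
    """Classify every entry and return the findings, most dangerous type first."""
    rows = [row for entry in entries for row in classify(entry)]
    return sorted(rows, key=lambda row: RISK_RANK[row[2]], reverse=True)

def impersonation_blocked(user_entry, protected_users):
    """True if delegation cannot impersonate this user (NOT_DELEGATED set or in Protected Users)."""
    uac = int(user_entry.get("userAccountControl", 0))
    return bool(uac & NOT_DELEGATED) or user_entry["sAMAccountName"] in protected_users

# Constructed entries mirroring the sample output above
SAMPLE_ENTRIES = [
    {"sAMAccountName": "WEBSRV01$", "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "APPSRV02$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/FILESRV01.corp.local"]},
    {"sAMAccountName": "DBSERV03$", "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["http/WEBSRV01.corp.local"]},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000, "rbcd_allowed_from": ["CORP\\TESTPC$"]},
]
```

In a real audit the entries would come from an LDAP search over the three attributes named above, with the RBCD security descriptor's SIDs resolved to account names before classification.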
## Practical Scenarios and Applications

impacket-findDelegation is very useful in a range of security activities.

### Penetration Testing / Red Team Exercises

When looking for weaknesses in an Active Directory environment from an attacker's perspective, delegation settings are among the points most worth attention.

- Privilege escalation after initial access: after compromising a low-privileged user account, run impacket-findDelegation to look for delegation settings within what that user can read. If a server with unconstrained delegation is found, the attacker gains access to that server and then either waits for a Domain Admin to log in or uses coerced authentication (for example the Printer Bug or PetitPotam) to steal the administrator's TGT and obtain Domain Admin privileges.
- Lateral movement: when an account with constrained delegation (especially with protocol transition) is compromised, check the delegation targets (DelegationRightsTo). If those services run on other servers (file servers, database servers and so on), the compromised account can be used to impersonate a user with administrative or sensitive-data access on those servers, using them as the next foothold for lateral movement. Impacket's getST.py obtains the impersonation service ticket, which is then used with psexec.py, smbclient.py and similar tools.
- Exploring RBCD attack paths: in environments where domain users can create computer accounts by default (ms-DS-MachineAccountQuota greater than 0), privilege escalation through RBCD is possible. The attacker first creates a computer account under their control (or uses an already compromised one), then edits the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of another computer account they have write access to (ideally a domain controller) to grant their own account delegation rights. They then use getST.py to obtain a service ticket to the target computer as a highly privileged user such as a Domain Admin and access it. impacket-findDelegation -rbcd helps discover existing RBCD configurations.

### Security Audits / Forensic Investigations

The tool is also valuable from the defender's perspective.

- Regular configuration audits: run impacket-findDelegation regularly (with an account that has sufficient rights) to confirm that no unintended or excessive delegation settings exist. Unconstrained delegation in particular should be avoided as a rule; where it is found, check whether there is a legitimate reason and whether it can be replaced by another approach.
- Incident response: during a security incident, as part of investigating how the attacker escalated privileges or moved laterally, review the delegation settings of the accounts involved. Suspicious RBCD configurations and the like may be traces of the attack.
- Finding misconfigurations: discover and fix cases where unnecessary delegation was enabled by mistake, reducing the attack surface.

Using impacket-findDelegation in these scenarios helps strengthen the security posture of an Active Directory environment and prevent potential threats before they materialise, or respond to them quickly. 🛡️
## Caveats and Best Practices ⚠️

impacket-findDelegation is a powerful tool, but when using it keep the following points in mind and follow best practices.

- Required privileges: the tool runs LDAP queries against Active Directory and needs to read attributes of user and computer objects (`userAccountControl`, `msDS-AllowedToDelegateTo`, `msDS-AllowedToActOnBehalfOfOtherIdentity` and others). Running it therefore requires at least Authenticated Users rights in the domain. Getting a comprehensive picture of the whole domain may require higher privileges (for example Domain Admins, or an account with delegated read rights).
- Impact on the environment: normally running impacket-findDelegation is mostly a read operation and does not directly change the Active Directory environment. However, because it queries many objects, it may put temporary load on domain controllers in large environments. Be considerate about when and how often you run it.
- Possible false positives: the tool reports delegation settings based on attribute values; it does not judge whether the setting is actually exploitable or a deliberate, legitimate configuration. Always check the background and context of each finding and assess the risk.
- Remediation after detection: when dangerous delegation settings (especially unconstrained delegation) are found, consider the following measures.
  - Disable or change the setting: where possible, disable unconstrained delegation or switch to the safer constrained delegation (Kerberos Only or RBCD).
  - Apply the principle of least privilege: even where delegation is needed, limit the delegation targets to the necessary minimum, and disable protocol transition where it is not required.
  - Strengthen account protection: raise the password strength of accounts with delegation configured (especially computer and service accounts), rotate them regularly, and minimise their access rights.
  - Use the "Protected Users" group: adding privileged accounts such as Domain Admins to the "Protected Users" group protects them from many attacks, including impersonation via delegation.
  - Forbid delegation for high-value accounts: set the "Account is sensitive and cannot be delegated" flag on privileged accounts.
- Regular audits: because Active Directory configuration changes over time, audit delegation settings regularly with tools such as impacket-findDelegation to maintain your security posture.
- Integration with other tools: combining it with Active Directory visualisation and analysis tools such as BloodHound gives a more concrete picture of how delegation settings can lead to privilege escalation paths.

Taking these points into account and using the tool responsibly contributes greatly to hardening Active Directory security. ✅
## Summary

impacket-findDelegation is a very powerful tool for efficiently discovering delegation settings, a potential security risk in Active Directory environments. It detects the various types of delegation (unconstrained, constrained and resource-based constrained) and displays their details.

With this tool, penetration testers and red teams can discover attack paths, while security administrators can find and fix misconfigurations and excessive privileges. Unconstrained delegation and constrained delegation with protocol transition in particular are easy for attackers to abuse and can lead to compromise of the entire domain, so they deserve priority when checking.

However, do not take the tool's output at face value: assess the real meaning and risk of each detected delegation setting and take appropriate measures based on the principle of least privilege. Keep working to make your Active Directory environment safer through regular audits and proper configuration management. 💪

I hope this post helps you understand and make use of impacket-findDelegation.