User-ID Credential Agent: credential phishing prevention unable to extract credentials
44748
Created On 04/14/19 23:55 PM - Last Modified 07/17/23 14:25 PM
Symptom
When the domain credential filter that uses the User-ID Credential Agent is enabled on the firewall, you may notice that the firewall does not receive any credentials. The agent statistics on the firewall show:
admin@firewall> show user user-id-agent state rodc-1
rodc-1
Agent: rodc-1(vsys: vsys1) Host: rodc-1.domain.lab(10.1.1.254):5007
Status : conn:idle
Version : 0x5
num of connection tried : 90
num of connection succeeded : 15
num of connection failed : 75
num of status msgs rcvd : 172063
num of request of status msgs sent : 172066
num of request of ip mapping msgs sent : 859812
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 15
num of user ip mapping msgs rcvd : 0
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 0
num of user ip mapping del entries rcvd : 0
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
num of xml data msgs rcvd : 0
num of xml data msgs rcvd but failed to proc : 0
num of sync domain messages sent : 0
num of sync domain messages received : 0
num of sync digest messages sent : 0
num of sync digest messages received : 0
num of sync group messages sent : 0
num of sync group messages received : 0
num of sync users messages sent : 0
num of sync users messages received : 0
num of bloomfilter requests sent : 247
num of bloomfilter response received : 247
num of bloomfilter response failed to proc : 0
num of bloomfilter resize requests sent : 0
Last heard(seconds ago) : 1
Messages State:
Job ID : 0
Sent messages : 1032154
Rcvd messages : 172325
Rcvd rate(msgs/s) : 0
Rcvd peak rate(msgs/s) : 0
Lost messages : 0
Failed to send messages : 1
Failed to enqueue messages : 0
Queued sending msgs with priority 0 : 0
Queued sending msgs with priority 1 : 0
Queued rcvring msgs with priority 0 : 0
Queued rcvring msgs with priority 1 : 0
Credential Enforcement Status : Enabled and Pending
No credential state for agent.
User-ID logs:
2019-03-11 15:20:50.242 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:20:55.292 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:00.896 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:05.261 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:10.382 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:15.731 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
2019-03-11 15:21:20.562 +1300 Warning: pan_user_group_handle_cred_stats(pan_user_group.c:10018): UIA rodc-1 error: credential enabled but no digest.
User-ID Credential Agent diagnostic logs:
03/11/19 16:37:38:565 [Debug 4126]: expand groups took 0s
03/11/19 16:37:38:565 [Debug 633]: User list of 768 users unchanged.
03/11/19 16:37:38:565 [Error 716]: Unable to extract credentials.
Environment
Credential detection using the Windows-based User-ID Agent.
Cause
Resolution
Step 1: Check whether the User-ID Credential Agent service is running as the "Local System account"
Launch services.msc and check the account the service runs under. If it is not running as the local system account: right-click > Properties > stop the service.
Navigate to the Log On tab and change the account to Local System account.
Step 2: Check whether the User-ID Agent's service account is in the local Administrators role on the Read-Only Domain Controller (RODC)
By default, no user accounts are added to this role. Launch dsmgmt.exe to list the local administrators:
C:\Users\Administrator.domain.lab>dsmgmt.exe
dsmgmt.exe: local roles
local roles: show role administrators
domain.lab\pan_svc <<<<<<<
local roles:
If the service account is not listed, add the user to the local administrators:
local roles: add domain.lab\user1 administrators
Successfully updated local role.
local roles: show role administrators
domain.lab\pan_svc
domain.lab\user1
local roles:
After the changes above, restart the User-ID Agent and User-ID Credential Agent services.
Step 3: Check from the command line whether the users' credentials are populated in the RODC cache
Run: repadmin /prp view <domain controller CN> reveal | Select-String <username>
>repadmin /prp view WIN-VONGBAM7FQF reveal
Reveal List (msDS-RevealedList): RODC "CN=WIN-VONGBAM7FQF,OU=Domain Controllers,DC=domain.lab,DC=com":
CN=WIN-VONGBAM7FQF,OU=Domain Controllers,DC=domain.lab,DC=com
CN=krbtgt_21580,CN=Users,DC=domain.lab,DC=com
CN=user1,CN=Users,DC=domain.lab,DC=com
CN=user2,CN=Users,DC=domain.lab,DC=com
Optionally, if the list is too long, append: | Select-String <username>
Step 4: Check on the DC that the users listed above are NOT members of the "Denied RODC Password Replication Group"
Open the DC and launch Active Directory Users and Computers > Password Replication Policy > Denied RODC Password Replication Group.
Step 5: Check the Credential Guard configuration on the RODC
Launch gpedit.msc.
Navigate to Computer Configuration > Administrative Templates > System > Device Guard.
In the right-hand pane, click Device Guard.
Click "Turn On Virtualization Based Security".
If it is enabled, turn off the Credential Guard configuration.
Step 6: Check whether any of the following are present
- Third-party endpoint protection such as credential protection or antivirus software that prevents the User-ID Credential Agent from executing the code that retrieves credentials.
- Any Group Policy object on the DC that restricts the "Debug programs" user right, blocking the User-ID Credential Agent.
- Local Security Authority Subsystem Service (LSASS) configuration that blocks the User-ID Credential Agent.
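The checks in steps 1 to 6 can be collected in one script run in an elevated PowerShell session on the RODC that hosts the agent. The script below is an added example written for this article; it is not Palo Alto Networks code and not part of the agent. It assumes the agent's Windows service name is supplied as a parameter (the article does not give it, so a placeholder is used), that the ActiveDirectory RSAT module is installed, and that dsmgmt.exe, repadmin.exe and secedit.exe are on the PATH. The service account, RODC name and user names default to the sample values from the article's own output.

```powershell
# Added diagnostic script (not from the article or the agent vendor). Run elevated on the RODC.
# Assumptions: service name passed in (placeholder below), RSAT ActiveDirectory module present,
# dsmgmt/repadmin/secedit available. Default values are the sample values from the article.
param(
    [string]$CredentialServiceName = 'PLACEHOLDER-UserID-Credential-Agent-service-name',
    [string]$ServiceAccount        = 'domain.lab\pan_svc',   # from the article's dsmgmt output
    [string]$RodcName              = 'WIN-VONGBAM7FQF',       # from the article's repadmin output
    [string[]]$UsersToCheck        = @('user1', 'user2')       # sample accounts from the article
)

$findings = @()

# Step 1: the credential agent service must run as LocalSystem.
$svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='$CredentialServiceName' OR DisplayName='$CredentialServiceName'"
if (-not $svc) {
    $findings += "Service '$CredentialServiceName' not found; check the name in services.msc."
} elseif ($svc.StartName -ne 'LocalSystem') {
    $findings += "Service runs as '$($svc.StartName)'; set the Log On tab to Local System account."
}

# Step 2: the service account must hold the RODC's local Administrators role.
# dsmgmt accepts its interactive commands as arguments, so no typing is needed.
$roles = dsmgmt.exe 'local roles' 'show role administrators' quit quit 2>&1 | Out-String
if ($roles -notmatch [regex]::Escape($ServiceAccount)) {
    $findings += "'$ServiceAccount' is not in the local Administrators role (dsmgmt: local roles > add ... administrators)."
}

# Step 3: each user's password must be cached (revealed) on the RODC.
$revealed = repadmin /prp view $RodcName reveal 2>&1 | Out-String
foreach ($u in $UsersToCheck) {
    if ($revealed -notmatch "CN=$([regex]::Escape($u)),") {
        $findings += "'$u' is not in the RODC revealed list (msDS-RevealedList)."
    }
}

# Step 4: none of the users may belong to the Denied RODC Password Replication Group.
Import-Module ActiveDirectory -ErrorAction Stop
$denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
          Select-Object -ExpandProperty SamAccountName
foreach ($u in $UsersToCheck) {
    if ($denied -contains $u) {
        $findings += "'$u' is in 'Denied RODC Password Replication Group'; its password is never cached on the RODC."
    }
}

# Step 5: Credential Guard (VBS security service id 1) must not be running on the RODC.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 1) {
    $findings += "Credential Guard is running; turn it off under Device Guard > Turn On Virtualization Based Security."
}

# Step 6 (partial): a policy that restricts 'Debug programs' (SeDebugPrivilege) can block the agent.
# secedit exports the effective user-rights assignment; an explicit entry means a policy sets it.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$debugLine = Select-String -Path $cfg -Pattern '^SeDebugPrivilege' | Select-Object -First 1
if ($debugLine) {
    $findings += "SeDebugPrivilege is explicitly assigned ($($debugLine.Line.Trim())); confirm the agent's account is included."
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($findings.Count -eq 0) { 'No issues found for steps 1-6.' } else { $findings }
```

Each finding maps back to the numbered step it came from, so the output can be worked through in the same order as the article. Third-party endpoint protection and LSASS hardening (the rest of step 6) vary by product and are not covered by the script; review them manually.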