AD域渗透:Windows Credential Manager 凭证提取分析
AD域渗透:Windows Credential Manager 凭证提取分析
Active Directory (AD) 是 Microsoft 开发的目录服务,用于管理企业网络中的用户、计算机和资源。它提供集中身份验证和授权机制,但其复杂性也使其成为网络攻击的主要目标。AD 渗透测试涉及模拟攻击者行为,以识别和利用系统弱点,如凭证存储、权限配置和访问控制漏洞。常见攻击向量包括凭证枚举、权限提升和横向移动,最终可能导致域控制器(Domain Controller)接管。
在 AD 环境中,渗透通常从初始访问开始(如 RDP 或钓鱼),然后利用本地工具提取凭证。Windows Credential Manager 是关键组件,它存储用户名、密码和证书,用于自动登录应用和网络资源。
正文
Windows Authentication Process
Windows 客户端认证过程涉及多个模块,负责登录、凭证检索和验证。在 Windows 的各种认证机制中,Kerberos 是最广泛使用且最复杂的之一。 本地安全管理局 (LSA)是一个受保护的子系统,负责认证用户、管理本地登录、监督本地安全的所有方面,并提供用户名与安全标识符(SID)之间的转换服务。
**Windows 认证流程图**
本地交互式登录通过多个组件的协调来处理:登录进程(WinLogon)、登录用户界面进程(LogonUI)、 凭证提供者、本地安全管理局子系统服务(LSASS)、 一个或多个认证包,以及安全账户管理器(SAM))或 Active Directory。在此语境下,认证包是负责执行认证检查的动态链接库(DLL)。例如,对于非域加入和交互式登录,通常使用 Msv1_0.dll 认证包。
such as:WinLogon 是一个可信的系统进程,负责管理与安全相关的用户交互,例如:
- 启动
LogonUI以在登录时提示输入凭证 - 处理密码更改
- 工作站的锁定和解锁
本地安全管理局子系统服务 (LSASS)由多个模块组成,管理所有认证流程。它位于文件系统中, %SystemRoot%\System32\Lsass.exe 负责执行本地安全策略、认证用户并将安全审计日志转发到事件日志 。本质上,LSASS 作为基于 Windows 作系统的守门人。这里有更详细的 LSASS 架构示意表。
| Authentication Packages | Description |
|---|---|
Lsasrv.dll |
The LSA Server service both enforces security policies and acts as |
| the security package manager for the LSA. The LSA contains the Negotiate | |
| function, which selects either the NTLM or Kerberos protocol after | |
| determining which protocol is to be successful. | |
Msv1_0.dll |
Authentication package for local machine logons that don't require custom authentication. |
Samsrv.dll |
The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs. |
Kerberos.dll |
Security package loaded by the LSA for Kerberos-based authentication on a machine. |
Netlogon.dll |
Network-based logon service. |
Ntdsa.dll |
This library is used to create new records and folders in the Windows registry. |
凭证管理器是自 Server 2008、R2 和 Windows 7 以来内置的功能。关于其工作原理的详尽文档不公开,但本质上,它允许用户和应用程序安全存储与其他系统和网站相关的凭证。凭据存储在计算机上用户和系统配置文件(MITRE ATT&CK)下的特殊加密文件夹中:
%UserProfile%\AppData\Local\Microsoft\Vault\%UserProfile%\AppData\Local\Microsoft\Credentials\%UserProfile%\AppData\Roaming\Microsoft\Vault\%ProgramData%\Microsoft\Vault\%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\
Windows Vault and Credential Manager
每个保险库文件夹包含一个带有 AES 密钥(AES-128 或 AES-256)的 Policy.vpol 文件,该文件由 DPAPI 保护。这些 AES 密钥用于加密凭证。新版本的 Windows 利用凭证卫士(Credential Guard)进一步保护 DPAPI 主密钥,将其存储在安全的内存隔区中( 基于虚拟化的安全 )。
Microsoft 通常将受保护的存储库称为凭证锁( 前称 Windows Vaults)。凭证管理器是面向用户的功能/API,而实际加密的存储是保险库/保险箱文件夹。下表列出了 Windows 存储的两种凭证类型:
| Name | Description |
|---|---|
| Web Credentials | Credentials associated with websites and online accounts. This |
| locker is used by Internet Explorer and legacy versions of Microsoft | |
| Edge. | |
| Windows Credentials Windows 凭 | Used to store login tokens for various services such as OneDrive, and credentials related to domain users, local network resources, services, and shared directories. |
可以通过控制面板或以下命令将 Windows Vaults 导出为 .crd 文件。通过这种方式创建的备份会用用户提供的密码加密,并且可以导入到其他 Windows 系统。
C:\Users\sadams>rundll32 keymgr.dll,KRShowKeyMgr
DO
RDP协议远程连接至靶机
xfreerdp /v:10.129.234.171 /u:sadams /p:totally2brow2harmon@
这里得进行解释,AD域渗透的流程并非从此节开始,常规诸如内网穿透等,这些在外网工作是进入内网渗透的必要条件,但此处假设我们经过前期的信息收集、前渗透测试工作后,得到了一台内网靶机(目标机)、一台攻击机(同样与目标机处于同一内网网段)。
cmdkey 命令,我们很容易发现,在此用户下存储了另一个用户的凭证,这使得我们可以完成一次竖向移动,为什么是竖向移动。
看出来 macharles是管理员组的成员,这使得他开启的cmd以system32程序运行。
后渗透测试阶段,我们如何将我们的恶意程序传输至目标上,又应该如何将这些程序能够获得足够的权限运行,这里介绍下常见的后渗透测试工具。
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0044 | Juicy Mix | During Juicy Mix, OilRig used a Windows Credential Manager stealer for credential access.[7] |
| S0526 | KGH_SPY | KGH_SPY can collect credentials from the Windows Credential Manager.[8] |
| S0349 | LaZagne | LaZagne can obtain credentials from Vault files.[9] |
| S0681 | Lizar | Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using vaultcmd.exe and another that can collect RDP access credentials using the CredEnumerateW function.[10] |
| S0002 | Mimikatz | Mimikatz contains functionality to acquire credentials from the Windows Credential Manager.[6] |
| G0049 | OilRig | OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.[11] |
| S0194 | PowerSploit | PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.[12][13] |
| S0629 | RainyDay | RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.[14] |
| S0240 | ROKRAT | ROKRAT can steal credentials by leveraging the Windows Vault mechanism.[15] |
| S0692 | SILENTTRINITY | SILENTTRINITY can gather Windows Vault credentials.[16] |
| G0038 | Stealth Falcon | Stealth Falcon malware gathers passwords from the Windows Credential Vault.[17] |
| G0010 | Turla | Turla has gathered credentials from the Windows Credential Manager tool.[18] |
| S0476 | Valak | Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.[19] |
| G0102 | Wizard Spider | Wizard Spider has used PowerShell cmdlet Invoke-WCMDump to enumerate Windows credentials in the Credential Manager in a compromised network.[20] |
这里我们选择mimikatz。
为了能够和目标机建立传输文件的连接,我们有很多种方法,尽管,windows系统在很多自定义功能上很难开启,诸如smb等,但windows的web搜索服务仍然存在。
目标机的网络并未接入互联网,但所幸,我们的攻击机与目标在同一网段。
这里实现过程省略。
之后我们主要问题在于UAC绕过。
Malware often requires full administrative privileges on a machine to
perform more impactful actions such as adding an antivirus exclusion,
encrypting secured files, or injecting code into interesting system
processes. Even if the targeted user has administrative privileges, the
prevalence of User Account Control (UAC) means that the malicious application will often default to Medium Integrity, preventing write access to resources with higher integrity levels. To bypass this restriction, an attacker will need a way to elevate integrity level silently and with no user interaction (no UAC prompt). This technique is known as a User Account Control bypass
and relies on a variety of primitives and conditions, the majority of
which are based on piggybacking elevated Windows features.
Example of cscript.exe running as Medium spawning a cmd.exe instance with High integrity via a UAC bypass:
Most of UAC validation logic is implemented in the Application
Information (AppInfo) service. A great primer about the elevation
conditions and the different checks can be found here.
In this blog post, we will take a look at a collection of UAC
bypasses, investigate some of the key primitives they depend on, and
explore detection opportunities.
因为纯中文翻译并不难表述清楚,只能使用英文。
这里使用一种简单的方法。
computerdefaults.exe,这里并不细讲此系统程序的操作原理,我们使用此程序,加载出administrator用户的cmd命令界面。
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /t REG_SZ /d "cmd.exe" /f && start computerdefaults.exe
现在我们已经拥有了一个完整的管理员权限的cmd命令行,接下来我们可以试着获取所以的信息了。
浙公网安备 33010602011771号