
Using Windows LSA hashes obtained from crackmapexec

I obtained some hashes from the LSA process using crackmapexec and a dump. The hashes are in this format (the data below is fake):

adm_name:c6f132a235209036744ba5d303bd5d9b:SOME.ORGANISATION.COM:ORGANISATION:::

The hash identification utilities on Kali do not recognize the hash as-is, but they do provide output if the hash is modified.
For the tool hash-identifier, with the input:

c6f132a235209036744ba5d303bd5d9b

Result:

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

For the tool hashid, with the input:

adm_name:c6f132a235209036744ba5d303bd5d9b

Output:

[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2

john accepts the hash as-is, but reports the following:

Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Lotus5"
Use the "--format=Lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-old"
Use the "--format=NT-old" option to force loading these as that type instead

Given only the digest (as in the hash-identifier input example above), hashcat will attempt to crack it (using the -m 1000 flag for the NTLM hash type).

The digest looks like the cached NT hash (unsalted MD4) credential type, so I believe it cannot be used in a "pass the hash" attack. https://docs.Microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994565(v=ws.11)

Other than revealing usernames, how would hashes in this format be used by an attacker? Any guidance would be great!

1
user1330734

DCC is its own format. In JtR, they are:

mscash-opencl
mscash2-opencl

...and in hashcat, they are:

1100 | Domain Cached Credentials (DCC), MS Cache        | Operating Systems
2100 | Domain Cached Credentials 2 (DCC2), MS Cache 2   | Operating Systems

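As you noted, these can be cracked, but they cannot be used for pass-the-hash. They are also not guaranteed to be current, so even if you crack them, they may represent now-expired passwords that cannot be used for "live" online authentication.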

2
Royce Williams