WCE
Windows authentication process
http://wenku.baidu.com/view/cf2ee127a5e9856a56126017.html
# Special case: on the target server/system you log on to, the WDigest security package caches the plaintext password locally and deletes it at logoff
WCE (Windows Credentials Editor)
Windows Credentials Editor (WCE) is a powerful intranet penetration tool for Windows platforms.
Role: It can enumerate logon sessions and add, change, and delete the associated credentials (for example, LM/NT hashes). These features can be exploited during network penetration, for example to perform pass-the-hash on Windows or to obtain NT/LM hashes from memory (from interactive logons, services, and Remote Desktop connections) for further attacks. It can show the current logged-on user's password in both hashed and cleartext form.
Requirements: Administrator privileges
The Windows program is included in the Kali toolkit; use FTP to transfer the file to the XP machine
For a better demonstration, add a few more accounts
-l: show the password hashes of the currently logged-on accounts, in the form LMHash:NTHash
-lv: show more detailed information (injection mode may damage system processes)
## Similar in effect to pwdump, but the principle is different: pwdump reads from the SAM file database, WCE reads from memory
-r: display the current logon information, refreshing every 5 seconds
-e: can specify the refresh time
-d: delete the credentials for a specified LUID
-g: compute the hashes for a given value
-w: read passwords in cleartext form
# Modify a logon session: change logon session B to another user account
-s: modify
# By default, when multiple users are logged on to a server, you can freely view other users' passwords; protection settings only appeared with Win8
Prevent WCE attacks
The system keeps plaintext passwords through the Digest authentication package (wdigest), which is loaded at startup by default. You can turn off this default loading in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
Delete the last line, wdigest, and do not leave even a trailing line break. (Idea: by modifying the registry, you can view the system users' passwords.)
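To check this setting from an exported copy of the key, the added example below (not part of the original post) parses a reg export of the Lsa key, decodes the multi-string Security Packages value, reports whether wdigest is listed, and builds the replacement line without it and without blank entries. The sample export is constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample (not captured from a real host): reg export of the Lsa key
# whose Security Packages value lists kerberos, msv1_0, schannel, wdigest.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
'''

VALUE = '"Security Packages"=hex(7):'

def parse_security_packages(reg_text):
    """Return the package names stored in the REG_MULTI_SZ value."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)   # undo "\" line continuations
    m = re.search(r"^" + re.escape(VALUE) + r"([0-9a-fA-F,]*)\s*$", joined, re.M)
    if m is None:
        raise ValueError("Security Packages value not found in export")
    raw = bytes.fromhex(m.group(1).replace(",", ""))
    # hex(7) data is UTF-16LE, one NUL after each string, one extra NUL at the end
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def to_reg_line(packages):
    """Encode a package list back into a .reg hex(7) line with no blank entries."""
    raw = "".join(p + "\0" for p in packages).encode("utf-16-le") + b"\0\0"
    return VALUE + ",".join("%02x" % b for b in raw)

def audit(reg_text):
    """Return (packages, wdigest_loaded, replacement_line_without_wdigest)."""
    packages = parse_security_packages(reg_text)
    kept = [p for p in packages if p.lower() != "wdigest"]
    return packages, len(kept) != len(packages), to_reg_line(kept)

if __name__ == "__main__":
    packages, loaded, fixed = audit(SAMPLE_REG)
    print("packages:", packages)
    print("wdigest loaded:", loaded)
    print("replacement:", fixed)
```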
Other similar tools
fgdump (a Windows application, bundled with Kali)
[email protected]:~# cd /usr/share/windows-binaries/
[email protected]:/usr/share/windows-binaries# ls
backdoors    fport             nbtenum     sbd.exe
enumplus     hyperion-1.0.zip  nc.exe      vncviewer.exe
exe2bat.exe  klogger.exe       plink.exe   wget.exe
fgdump       mbenum            radmin.exe  whoami.exe
The go-to tool: Mimikatz (can also be used for privilege escalation)
# Use a double colon to list the command modules and submodules
## privilege::debug (elevate to the debug privilege)
## sekurlsa::logonpasswords (view logon account password information)
## process (start a process)
## suspend (suspend a process: can be used to suspend anti-virus software when using a Trojan)
## resume (resume a process)
## service::
## lsadump::
Reads account passwords from the SAM database (not successful on XP, but may succeed on Win7 and Win8)
## ts:: (Terminal Services): by default XP allows only one active logon session
# Apply a patch so that sessions can run in parallel, that is, multiple users can be logged on
## event::
Events are logged by default
event::clear (clears the Security log)
event::drop (events are no longer logged)
## misc:: (miscellaneous)
## token::
Beginner's diary 23: Kali penetration testing, privilege escalation (III) -- WCE, fgdump, Mimikatz