Mimikatz深度解析：WDigest凭据提取技术详解<\/h1>

1. WDigest概述<\/h2>
WDigest是Windows系统中用于缓存用户凭据的组件，在Windows Server 2008 R2及更早版本中默认启用明文凭据缓存。Mimikatz通过`sekurlsa::wdigest<\/code>命令可以提取这些缓存的凭据。<\/p>`

关键特性：<\/h3>

默认在Windows Server 2008 R2及更早版本中启用<\/li>
缓存凭据使用对称加密算法保护<\/li>
可通过注册表项UseLogonCredential<\/code>控制是否缓存凭据<\/li>
<\/ul>
2. WDigest工作原理<\/h2>
2.1 凭据缓存流程<\/h3>

用户登录时，凭据通过wdigest!SpAcceptCredentials<\/code>函数传递<\/li>
凭据被LsaProtectMemory<\/code>函数加密<\/li>
加密后的凭据存储在内存中的链表中<\/li>
<\/ol>
2.2 加密机制<\/h3>
WDigest使用两种加密算法保护凭据：<\/p>

AES<\/strong>：当数据块长度能被8整除时使用<\/li>
3DES<\/strong>：其他情况下使用<\/li>
<\/ul>
加密密钥存储在：<\/p>

lsasrv!hAesKey<\/code> - AES加密密钥<\/li>
lsasrv!h3DesKey<\/code> - 3DES加密密钥<\/li>
<\/ul>
这些密钥在lsass启动时通过BCryptGenRandom<\/code>随机生成。<\/p>
3. 凭据提取技术<\/h2>
3.1 关键数据结构<\/h3>
3.1.1 加密密钥结构<\/h4>
typedef<\/span> struct<\/span> _KIWI_BCRYPT_HANDLE_KEY {
<\/span><\/span>    ULONG size;
<\/span><\/span>    ULONG tag; \/\/ 'UUUR'
<\/span><\/span><\/span><\/span>    PVOID hAlgorithm;
<\/span><\/span>    PKIWI_BCRYPT_KEY key;
<\/span><\/span>    PVOID unk0;
<\/span><\/span>} KIWI_BCRYPT_HANDLE_KEY, *<\/span>PKIWI_BCRYPT_HANDLE_KEY;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _KIWI_BCRYPT_KEY81 {
<\/span><\/span>    ULONG size;
<\/span><\/span>    ULONG tag; \/\/ 'MSSK'
<\/span><\/span><\/span><\/span>    ULONG type;
<\/span><\/span>    ULONG unk0;
<\/span><\/span>    ULONG unk1;
<\/span><\/span>    ULONG unk2;
<\/span><\/span>    ULONG unk3;
<\/span><\/span>    ULONG unk4;
<\/span><\/span>    PVOID unk5; \/\/ before, align in x64
<\/span><\/span><\/span><\/span>    ULONG unk6;
<\/span><\/span>    ULONG unk7;
<\/span><\/span>    ULONG unk8;
<\/span><\/span>    ULONG unk9;
<\/span><\/span>    KIWI_HARD_KEY hardkey;
<\/span><\/span>} KIWI_BCRYPT_KEY81, *<\/span>PKIWI_BCRYPT_KEY81;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _KIWI_HARD_KEY {
<\/span><\/span>    ULONG cbSecret;
<\/span><\/span>    BYTE data[ANYSIZE_ARRAY]; \/\/ 实际密钥数据
<\/span><\/span><\/span><\/span>} KIWI_HARD_KEY, *<\/span>PKIWI_HARD_KEY;
<\/span><\/span><\/code><\/pre>3.1.2 WDigest凭据链表结构<\/h4>
typedef<\/span> struct<\/span> _KIWI_WDIGEST_LIST_ENTRY {
<\/span><\/span>    struct<\/span> _KIWI_WDIGEST_LIST_ENTRY *<\/span>Flink;
<\/span><\/span>    struct<\/span> _KIWI_WDIGEST_LIST_ENTRY *<\/span>Blink;
<\/span><\/span>    ULONG UsageCount;
<\/span><\/span>    struct<\/span> _KIWI_WDIGEST_LIST_ENTRY *<\/span>This;
<\/span><\/span>    LUID LocallyUniqueIdentifier;
<\/span><\/span>} KIWI_WDIGEST_LIST_ENTRY, *<\/span>PKIWI_WDIGEST_LIST_ENTRY;
<\/span><\/span><\/code><\/pre>链表节点后跟三个LSA_UNICODE_STRING<\/code>字段：<\/p>

偏移0x30：用户名<\/li>
偏移0x40：主机名<\/li>
偏移0x50：加密密码<\/li>
<\/ul>
3.2 提取步骤<\/h3>


定位密钥<\/strong>：<\/p>

在lsass进程内存中搜索hAesKey<\/code>和h3DesKey<\/code><\/li>
解析密钥结构获取实际加密密钥<\/li>
<\/ul>
<\/li>

遍历凭据链表<\/strong>：<\/p>

从wdigest!l_LogSessList<\/code>开始遍历链表<\/li>
提取每个节点的用户名、主机名和加密密码<\/li>
<\/ul>
<\/li>

解密凭据<\/strong>：<\/p>

根据密码长度选择AES或3DES解密算法<\/li>
使用提取的密钥解密密码<\/li>
<\/ul>
<\/li>
<\/ol>
4. UseLogonCredential绕过技术<\/h2>
Windows默认禁用WDigest明文凭据缓存，通过修改注册表项HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential<\/code>可以重新启用，但通常需要重启。<\/p>
4.1 内存修改技术<\/h3>
可以直接修改lsass进程内存中的g_fParameter_UseLogonCredential<\/code>变量来启用WDigest缓存，无需修改注册表或重启系统：<\/p>

定位wdigest.dll<\/code>中的g_fParameter_UseLogonCredential<\/code>变量<\/li>
将其值从0改为1<\/li>
新登录的凭据将被缓存<\/li>
<\/ol>
4.2 实现原理<\/h3>
wdigest!SpAcceptCredentials<\/code>函数检查两个条件：<\/p>

g_IsCredGuardEnabled<\/code>是否为1<\/li>
g_fParameter_UseLogonCredential<\/code>是否为0<\/li>
<\/ul>
如果任一条件为真，则调用LogSessHandlerNoPasswordInsert<\/code>不缓存密码；否则调用LogSessHandlerPasswdSet<\/code>缓存密码。<\/p>
5. 高级技术：DLL注入LSASS<\/h2>
5.1 通过注册表加载DLL<\/h3>
发现lsasrv.dll中的LsapLoadLsaDbExtensionDll<\/code>函数会加载用户指定的DLL：<\/p>


创建注册表项：<\/p>
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\LsaDbExtPt
<\/code><\/pre>
值为DLL路径<\/p>
<\/li>

系统重启时，DLL将被加载到lsass进程<\/p>
<\/li>
<\/ol>
重要<\/strong>：DLL的DllMain<\/code>函数必须返回FALSE，避免后续GetProcAddress<\/code>调用导致系统蓝屏。<\/p>
5.2 通过SAMR RPC远程加载DLL<\/h3>
samsrv.dll中存在类似功能：<\/p>


创建注册表项：<\/p>
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt
<\/code><\/pre>
值为DLL路径<\/p>
<\/li>

触发SAMR RPC调用（如hSamConnect<\/code>）加载DLL<\/p>
<\/li>
<\/ol>
这种方法无需重启系统，可以通过网络触发。<\/p>
6. 防御与检测<\/h2>
6.1 防御措施<\/h3>

启用Credential Guard<\/li>
确保UseLogonCredential<\/code>注册表值为0<\/li>
监控lsass进程的异常内存访问<\/li>
限制对关键注册表项的修改<\/li>
启用PPL（Protected Process Light）保护lsass<\/li>
<\/ol>
6.2 检测方法<\/h3>

监控对lsass进程的WriteProcessMemory<\/code>调用<\/li>
检测异常DLL加载行为<\/li>
监控可疑注册表修改<\/li>
检测WDigest相关API的异常调用模式<\/li>
<\/ol>
7. 总结<\/h2>
Mimikatz的WDigest凭据提取功能依赖于对lsass进程内存的深入分析和Windows认证组件的逆向工程。理解这些技术原理不仅有助于渗透测试，也能帮助蓝队开发更有效的防御措施。通过内存操作绕过安全控制的技术展示了攻击者如何在不触发传统检测机制的情况下达成目标，强调了深度防御的重要性。<\/p>

Mimikatz深度解析：WDigest凭据提取技术详解<\/h1>

1. WDigest概述<\/h2> WDigest是Windows系统中用于缓存用户凭据的组件，在Windows Server 2008 R2及更早版本中默认启用明文凭据缓存。Mimikatz通过sekurlsa::wdigest<\/code>命令可以提取这些缓存的凭据。<\/p>

2. WDigest工作原理<\/h2>

3.1 关键数据结构<\/h3>

4. UseLogonCredential绕过技术<\/h2> Windows默认禁用WDigest明文凭据缓存，通过修改注册表项HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential<\/code>可以重新启用，但通常需要重启。<\/p>

1. WDigest概述<\/h2>
WDigest是Windows系统中用于缓存用户凭据的组件，在Windows Server 2008 R2及更早版本中默认启用明文凭据缓存。Mimikatz通过`sekurlsa::wdigest<\/code>命令可以提取这些缓存的凭据。<\/p>`

4. UseLogonCredential绕过技术<\/h2>
Windows默认禁用WDigest明文凭据缓存，通过修改注册表项`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential<\/code>可以重新启用，但通常需要重启。<\/p>`