2025-02-25 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article explains what DLLPasswordFilterImplant does and how it is configured, removed, and which platforms it supports.
DLLPasswordFilterImplant
DLLPasswordFilterImplant is a custom password filter DLL that lets security researchers capture the credentials of target users. Every password change event in the domain invokes the registered DLL, which extracts the user name and the new password value before the change is committed to Active Directory.
To learn more about Windows password filters, refer to Microsoft's [official documentation].
Tool download
Researchers can clone the project's source code locally with the following command:
git clone https://github.com/GoSecure/DLLPasswordFilterImplant.git
Tool installation
First, build a DLL for the target operating system's architecture: a 64-bit DLL for 64-bit systems and a 32-bit DLL for 32-bit systems. Copy the resulting DLL into the Windows installation directory (the default path is "\Windows\System32"). Next, register the password filter by updating the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
If the value "Notification Packages" already exists, append the DLL name "DLLPasswordFilterImplant" to its existing data; do not overwrite the existing entries. If the value does not exist, create it and set its data to the DLL name "DLLPasswordFilterImplant". Note that the DLL name is added to "Notification Packages" without the .dll suffix.
Then, configure the public key required to encrypt the credentials:
KEY=key.pem
# Generate an RSA key and dump its public key. Keep the private key around for decryption.
openssl genrsa -out $KEY 2048
# Prepare the Windows registry key entry.
echo 'Windows Registry Editor Version 5.00' > addKey.reg
echo >> addKey.reg
echo '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]' >> addKey.reg
# If python2 does not exist, use `python` instead.
echo "\"Key\"=hex:$(openssl rsa -in $KEY -pubout | sed -E '/^\-/d' | base64 -d | python2 -c 'import sys; print(",".join(["{:02x}".format(ord(b)) for b in sys.stdin.read()]))')" >> addKey.reg
Next, import the addKey.reg file to add the public key to the registry. Note that because of the padding used by asymmetric encryption, the size of the extracted data grows significantly; reducing this overhead would require further improvements.
Next, we need to restart the system.
When this is done, configure the domain name used for DNS exfiltration. Go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create a string (REG_SZ) value named "Domain" and set it to your domain name. The value must start with a ".", for example ".yourdomain.com".
Data decryption
The encrypted data is padded using OAEP and can be decrypted as follows:
# Convert the stitched hex string to raw bytes.
xxd -r -p exfiltrated.hex > raw.bin
# Decrypt using the private key.
openssl rsautl -decrypt -oaep -inkey $KEY -in raw.bin -out decrypted.txt
Uninstall filter
To completely remove the configured password filter from the target system, first unregister it by updating the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the "Notification Packages" value, remove the DLL name from the data without removing the other existing entries, then restart the system.
Finally, locate the password filter DLL "DLLPasswordFilterImplant.dll" in the Windows installation directory (the default path is "\Windows\System32") and delete the file.
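For defenders, the registration steps above describe exactly what to look for: an extra name in "Notification Packages" under the Lsa key, plus the "Key" and "Domain" values the implant stores there. The following added example (not code from the GoSecure project) parses a `reg export` of the Lsa key and reports those indicators, which also serves to confirm that the uninstall procedure above left a clean state; the baseline package set and the sample export are assumptions/constructed data.

```python
"""Audit a .reg export of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa for an
unexpected password filter. Added example, not GoSecure project code."""
import re
# Assumption: known-good package set; extend it to match your own roles/builds.
BASELINE_PACKAGES = {"scecli", "rassfm"}
LSA_KEY = r"[hkey_local_machine\system\currentcontrolset\control\lsa]"
# Constructed sample: "scecli" followed by the implant's entry (hex(7) = UTF-16LE multi-string).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,44,00,\
  4c,00,4c,00,50,00,61,00,73,00,73,00,77,00,6f,00,72,00,64,00,46,00,69,00,6c,00,\
  74,00,65,00,72,00,49,00,6d,00,70,00,6c,00,61,00,6e,00,74,00,00,00,00,00
"Domain"=".yourdomain.com"
"Key"=hex:30,82,01,22
'''

def parse_lsa_values(reg_text):
    """Return {value name: decoded data} for the values under the Lsa key only."""
    # .reg files wrap long hex data with a trailing backslash; rejoin those lines.
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)
    values, in_lsa = {}, False
    for line in text.splitlines():
        if line.startswith("["):
            in_lsa = line.strip().lower() == LSA_KEY
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line) if in_lsa else None
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("hex(7):"):  # REG_MULTI_SZ: NUL-separated UTF-16LE strings
            data = bytes.fromhex(raw[7:].replace(",", ""))
            values[name] = [s for s in data.decode("utf-16-le").split("\x00") if s]
        elif raw.startswith("hex:"):  # REG_BINARY
            values[name] = bytes.fromhex(raw[4:].replace(",", ""))
        elif raw.startswith('"') and raw.endswith('"'):  # REG_SZ
            values[name] = raw[1:-1]
    return values

def audit_lsa(reg_text):
    """List findings that suggest a password-filter implant is registered."""
    values = parse_lsa_values(reg_text)
    findings = [f"unexpected password filter registered: {p}"
                for p in values.get("Notification Packages", [])
                if p.lower() not in BASELINE_PACKAGES]
    for name in ("Key", "Domain"):  # values the implant adds for its public key and DNS domain
        if name in values:
            findings.append(f"non-standard Lsa value present: {name}")
    return findings
```

Run `audit_lsa` over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` on each DC; an empty list after the uninstall steps confirms the filter is no longer registered.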
Compatibility
The password filter is currently supported on the following platforms:
Windows 7 Hosts (x64)
Windows 10 Hosts (x64)
Windows Server 2008 DCs (x64)
Windows Server 2012 DCs (x64)
Windows Server 2016 DCs (x64)
This concludes the overview of DLLPasswordFilterImplant; verify its behaviour in a lab environment before relying on it.