{"id":1119,"date":"2015-09-29T14:36:10","date_gmt":"2015-09-29T11:36:10","guid":{"rendered":"https:\/\/furkansandal.com\/2871997-microsoft-guvenlik-bulteni-ve-mimikatz\/"},"modified":"2015-09-29T14:36:10","modified_gmt":"2015-09-29T11:36:10","slug":"2871997-microsoft-guvenlik-bulteni-ve-mimikatz","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/2871997-microsoft-guvenlik-bulteni-ve-mimikatz\/","title":{"rendered":"2871997 Microsoft G\u00fcvenlik B\u00fclteni ve Mimikatz"},"content":{"rendered":"<div id=\"post-body-8778880473384596612\" itemprop=\"description articleBody\" readability=\"128.797827288\">\n<div style=\"text-align: justify;\" readability=\"9.64052287582\">\n<a href=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/microsoft_security.png?ssl=1\" imageanchor=\"1\" style=\"clear: right; float: right; margin-bottom: 1em; margin-left: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" src=\"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/microsoft_security.png?resize=200%2C200&#038;ssl=1\" height=\"200\" width=\"200\" data-recalc-dims=\"1\" \/><\/a><a href=\"http:\/\/blog.gentilkiwi.com\/mimikatz\">Mimikatz <\/a>ve <a href=\"http:\/\/www.ampliasecurity.com\/research\/wcefaq.html#curversion\">WCE <\/a>(Windows Credentials Editor) gibi ara\u00e7lar kullan\u0131larak RAM \u00fczerindeki kullan\u0131c\u0131 ad\u0131 ve parola bilgileri a\u00e7\u0131k olarak elde edilebilmektedir. Konu ile ilgili ayr\u0131nt\u0131l\u0131 i\u00e7in, Bilgi G\u00fcvenli\u011fi Kap\u0131s\u0131&#8217;ndaki &#8220;Bellekten Parolalar\u0131n Elde Edilmesi&#8221; yaz\u0131lar\u0131 incelenebilir [1][2][3].<\/div>\n<div style=\"text-align: justify;\" readability=\"16\">\nMicrosoft, bellek \u00fczerinden parolalar\u0131n a\u00e7\u0131k halinin elde edilmesini \u00f6nlemek i\u00e7in 13 May\u0131s 2014 tarihinde 2871997 numaral\u0131 en \u00f6nemli ilk g\u00fcncelleme b\u00fcltenini yay\u0131nlam\u0131\u015ft\u0131r [4]. Bu g\u00fcncelle\u015ftirme paketi [5] Windows 8, Windows RT, Windows Server 2012, Windows 7 ve Windows Server 2008 R2 i\u015fletim sistemlerindeki kimlik h\u0131rs\u0131zl\u0131\u011f\u0131n\u0131 azaltmak i\u00e7in haz\u0131rlanm\u0131\u015ft\u0131r. Bu yama sonras\u0131nda, Microsoft taraf\u0131ndan, 2973351 [6] ve 2975625 [7] g\u00fcncelle\u015ftirmeleri de yay\u0131nlanm\u0131\u015ft\u0131r.<br \/><a name=\"more\"\/><\/div>\n<p>\nMicrosoft taraf\u0131ndan yay\u0131nlanan bu yamalardan sonra, Benjamin Delpy taraf\u0131ndan da Mimikatz&#8217;in 2.0 versiyonu yay\u0131nlanm\u0131\u015ft\u0131r. Bu yaz\u0131da da hem Mimikatz 1.0, hem de Mimikatz 2.0 s\u00fcr\u00fcmleri kullan\u0131lm\u0131\u015ft\u0131r.<\/p>\n<p>\nYaz\u0131n\u0131n amac\u0131, Microsoft taraf\u0131ndan yay\u0131nlanan yamalar\u0131n etkisini incelemektir. Bu inceleme s\u0131ras\u0131nda i\u015fletim sistemi s\u00fcr\u00fcm\u00fc ve mimarisi, yaman\u0131n ge\u00e7ilme durumu, kullan\u0131lan Mimikatz s\u00fcr\u00fcm\u00fc, birbirinden farkl\u0131 olan etki alan\u0131 ortamlar\u0131 kriterleri temek al\u0131nm\u0131\u015ft\u0131r. \u0130nceleme kriterleri \u015fu \u015fekildedir:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><b>\u0130\u015fletim Sistemi S\u00fcr\u00fcm\u00fc:<\/b> Windows 7 Enterprise, Windows 8 Enterprise, Windows 2008 R2 Enterprise, Windows 2012 Enterprise\u00a0<\/li>\n<li style=\"text-align: justify;\"><b>\u0130\u015fletim Sistemi Mimarisi:<\/b> 64 bit, 32 bit\u00a0<\/li>\n<li style=\"text-align: justify;\"><b>G\u00fcncelleme Durumu:<\/b> Yamas\u0131 ger\u00e7ekle\u015ftirilmemi\u015f, Yamas\u0131 ger\u00e7ekle\u015ftirilmi\u015f\u00a0<\/li>\n<li style=\"text-align: justify;\"><b>Mimikatz S\u00fcr\u00fcm\u00fc:<\/b> 1.0 ve 2.0\u00a0<\/li>\n<li style=\"text-align: justify;\"><b>Etki alan\u0131: <\/b>WORKGROUP ve Ornek.local\u00a0<\/li>\n<li style=\"text-align: justify;\"><b>Kullan\u0131c\u0131:<\/b> Yerel bir y\u00f6netici kullan\u0131c\u0131s\u0131 (WORKGROUPYonetici), etki alan\u0131nda y\u00f6netici olan bir kullan\u0131c\u0131 (ORNEKDomainAdmin)\u00a0<\/li>\n<\/ul>\n<p>\nMicrosoft taraf\u0131ndan haz\u0131rlanan yamalar\u0131 yap\u0131lmam\u0131\u015f olan &#8220;W7-Pro-SP1-x64-15GB&#8221; ad\u0131ndaki bir bilgisayarda &#8220;Yonetici&#8221; adl\u0131 bir yerel y\u00f6netici kullan\u0131c\u0131s\u0131 ile oturum a\u00e7\u0131lm\u0131\u015ft\u0131r. Bu bilgisayardan, &#8220;W7-Ent-x86-15GB&#8221; adl\u0131 bilgisayara da &#8220;UzakYonetici&#8221; adl\u0131 bir yerel y\u00f6netici kullan\u0131c\u0131s\u0131 ile RDP yoluyla ba\u011flant\u0131 kurulmu\u015ftur. Bu durumdayken Mimikatz arac\u0131 kullan\u0131ld\u0131\u011f\u0131nda a\u015fa\u011f\u0131daki gibi ekran g\u00f6r\u00fcnt\u00fcleri elde edilmi\u015ftir.<\/p>\n<p>\n\u0130lk ekran g\u00f6r\u00fcnt\u00fcs\u00fc eski s\u00fcr\u00fcm Mimikatz ile, ikinci ekran g\u00f6r\u00fcnt\u00fcs\u00fc ise yeni s\u00fcr\u00fcm Mimikatz ile elde edilmi\u015ftir:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/1.bp.blogspot.com\/-PkSR0sRVvv0\/U-ATLfjLD5I\/AAAAAAAACE8\/V-NYd2NNYr8\/s1600\/01.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"185\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526554_*\" width=\"640\"\/><\/a><\/div>\n<p>\n<b>\u015eekil 1 &#8211; Microsoft g\u00fcncellemesi yap\u0131lmam\u0131\u015f bir bilgisayarda Mimikatz 1.0 arac\u0131n\u0131n \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131\u00a0<\/b><\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/4.bp.blogspot.com\/-vPX3kfY_pFg\/U-ATLicXs4I\/AAAAAAAACEU\/-Tpi-HHIKaA\/s1600\/02.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"532\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526555_*\" width=\"640\"\/><\/a><\/div>\n<p>\n<b>\u015eekil 2 &#8211; Microsoft g\u00fcncellemesi yap\u0131lmam\u0131\u015f bir bilgisayarda Mimikatz 2.0 arac\u0131n\u0131n \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131<\/b><\/p>\n<p>\nSonu\u00e7 olarak, ekran g\u00f6r\u00fcnt\u00fcs\u00fcnde de g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi, kimlik bilgileri 5 adet g\u00fcvenlik destek sa\u011flay\u0131c\u0131s\u0131 (Security Support Provider &#8211; SSP) taraf\u0131ndan elde edilebilmi\u015ftir. &#8220;Yonetici&#8221; kullan\u0131c\u0131s\u0131na ait parola &#8220;Aa123456&#8221; olarak elde edilmi\u015f iken, &#8220;UzakYonetici&#8221; kullan\u0131c\u0131s\u0131na ait parola ise &#8220;Bb123456&#8221; olarak elde edilmi\u015ftir.<\/p>\n<p>\nDaha sonra da ilgili g\u00fcncelleme paketi indirilerek i\u015fletim sistemi yamas\u0131 ger\u00e7ekle\u015ftirilmi\u015ftir.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/2.bp.blogspot.com\/-ckJs8HwGR2g\/U-ATLjjCMWI\/AAAAAAAACEY\/p47vGyvEPp0\/s1600\/03.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img decoding=\"async\" border=\"0\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526556_*\"\/><\/a><\/div>\n<p>\n<b>\u015eekil 3 &#8211; Microsoft g\u00fcncellemesinin ger\u00e7ekle\u015ftirilmesi\u00a0<\/b><\/p>\n<p>\nYama i\u015flemi sonras\u0131nda RDP i\u015flemi ger\u00e7ekle\u015ftirildikten sonra Mimikatz 1.0 ve 2.0 s\u00fcr\u00fcmlerinin \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131na ait ekran g\u00f6r\u00fcnt\u00fcleri a\u015fa\u011f\u0131daki gibidir:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/4.bp.blogspot.com\/-AOn2SMsdegQ\/U-ATMIZyUuI\/AAAAAAAACEw\/1VHtapt2mGA\/s1600\/04.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img decoding=\"async\" border=\"0\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526556_*\"\/><\/a><\/div>\n<p>\n<b>\u015eekil 4 &#8211; Microsoft g\u00fcncellemesi yap\u0131lm\u0131\u015f bir bilgisayarda Mimikatz 1.0 arac\u0131n\u0131n \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131\u00a0<\/b><\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/2.bp.blogspot.com\/-GQQw0rAXYEo\/U-ATMtPYKaI\/AAAAAAAACE0\/HaRcu4AU3qA\/s1600\/05.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"539\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526560_*\" width=\"640\"\/><\/a><\/div>\n<p>\n<b>\u00a0\u015eekil 5 &#8211; Microsoft g\u00fcncellemesi yap\u0131lm\u0131\u015f bir bilgisayarda Mimikatz 2.0 arac\u0131n\u0131n \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131\u00a0<\/b><\/p>\n<p>\nMicrosoft taraf\u0131ndan ger\u00e7ekle\u015ftirilen g\u00fcncelleme sonras\u0131nda WCE kaynak kodunda herhangi bir geli\u015ftirme ger\u00e7ekle\u015ftirilmemi\u015ftir. Eski s\u00fcr\u00fcm WCE ve son s\u00fcr\u00fcm WCE arac\u0131yla ger\u00e7ekle\u015ftirilen incelemelerin sonucu a\u015fa\u011f\u0131daki gibidir.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/2.bp.blogspot.com\/-0joh9qITriY\/U-ATM9nD2WI\/AAAAAAAACEk\/kZRQooVTcOc\/s1600\/06.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"214\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526563_*\" width=\"640\"\/><\/a><\/div>\n<p>\n<b>\u015eekil 6 &#8211; Microsoft g\u00fcncellemesi yap\u0131lmam\u0131\u015f bir bilgisayarda eski ve yeni s\u00fcr\u00fcm WCE arac\u0131n\u0131n \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131\u00a0<\/b><\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/1.bp.blogspot.com\/-DVnttjNBPwo\/U-ATM1TJZvI\/AAAAAAAACEo\/_7U-cMFPpL4\/s1600\/07.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"195\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526567_*\" width=\"640\"\/><\/a><\/div>\n<p>\n<b>\u015eekil &#8211; 7: Microsoft g\u00fcncellemesi yap\u0131lm\u0131\u015f bir bilgisayarda eski ve yeni s\u00fcr\u00fcm WCE arac\u0131n\u0131n \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131\u00a0<\/b><\/p>\n<p>\nEkran g\u00f6r\u00fcnt\u00fclerinde de g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi, Microsoft yamas\u0131n\u0131n \u00f6ncesinde ve sonras\u0131nda WCE arac\u0131yla parolalar elde edilebilmektedir. Ancak RDP yap\u0131lan bilgisayara ba\u011flant\u0131 bilgileri WCE arac\u0131yla elde edilememektedir.<\/p>\n<p>\nGer\u00e7ekle\u015ftirilen incelemeler sonucunda a\u015fa\u011f\u0131daki gibi bir tablo elde edilmi\u015ftir:<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\">\n<a href=\"http:\/\/3.bp.blogspot.com\/-UwIlp8_KtlU\/U-CgAoOh1cI\/AAAAAAAACFY\/t4_XbEI1WNs\/s1600\/09.jpg\" style=\"margin-left: 1em; margin-right: 1em;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" height=\"212\" src=\"https:\/\/furkansandal.com\/wp-content\/uploads\/2015\/09\/1443526569_*\" width=\"640\"\/><\/a><\/div>\n<p>\n<b>\u015eekil &#8211; 8: Microsoft g\u00fcncellemelerinin incelenmesine ait tablo\u00a0<\/b><\/p>\n<blockquote class=\"tr_bq\" style=\"text-align: justify;\"><p>\n<span style=\"color: #990000;\"><b>Not:<\/b> Yamas\u0131 yap\u0131lm\u0131\u015f Windows Server 2012 Data Center&#8217;da msv1_0 \u00fczerinden parola \u00f6zeti elde edilememektedir. Ancak genelleme bozulmamas\u0131 i\u00e7in bu durum ihmal edilmi\u015ftir. Ayr\u0131ca, yamas\u0131 ge\u00e7ilmi\u015f bu i\u015fletim sisteminde WCE arac\u0131 d\u00fczg\u00fcn olarak \u00e7al\u0131\u015fmamaktad\u0131r.<\/span><\/p><\/blockquote>\n<p>\nSonu\u00e7lardan da g\u00f6r\u00fcld\u00fc\u011f\u00fc gibi, Microsoft taraf\u0131ndan yay\u0131nlanan yamalar k\u0131smen de olsa bir iyile\u015fme sa\u011flasa da parolalar <b>wdigest <\/b>ve <b>ssp <\/b>adl\u0131 sa\u011flay\u0131c\u0131lar \u00fczerinden a\u00e7\u0131k, <b>msv1_0<\/b> \u00fczerinden ise \u00f6zet olarak elde edilebilmektedir.<\/p>\n<h3 style=\"text-align: justify;\">\nKaynak\u00e7a<\/h3>\n<\/div>\n<p><a href=\"https:\/\/furkansandal.com\">Ana Sayfa <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mimikatz ve WCE (Windows Credentials Editor) gibi ara\u00e7lar kullan\u0131larak RAM \u00fczerindeki kullan\u0131c\u0131 ad\u0131 ve parola bilgileri a\u00e7\u0131k olarak elde edilebilmektedir&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":1120,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,3,7,4],"tags":[103,109,76,104,105,59,22,108,102,107,101,84,86,106],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/09\/microsoft_security.png?fit=256%2C256&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-i3","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/1119"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=1119"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/1119\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/1120"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=1119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=1119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=1119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}