{"id":1119,"date":"2015-09-29T14:36:10","date_gmt":"2015-09-29T11:36:10","guid":{"rendered":"https:\/\/furkansandal.com\/2871997-microsoft-guvenlik-bulteni-ve-mimikatz\/"},"modified":"2015-09-29T14:36:10","modified_gmt":"2015-09-29T11:36:10","slug":"2871997-microsoft-guvenlik-bulteni-ve-mimikatz","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/2871997-microsoft-guvenlik-bulteni-ve-mimikatz\/","title":{"rendered":"Microsoft Security Bulletin 2871997 and Mimikatz"},"content":{"rendered":"
\nAfter Microsoft released these patches, Benjamin Delpy also released version 2.0 of Mimikatz. Both the Mimikatz 1.0 and the Mimikatz 2.0 releases are used in this post.<\/p>\n
\nThe aim of this post is to examine the effect of the patches released by Microsoft. The examination is based on the operating system version and architecture, whether the patch has been applied, the Mimikatz release used, and different domain environments. The examination criteria are as follows:<\/p>\n
\nOn a computer named “W7-Pro-SP1-x64-15GB”, on which the Microsoft patches had not been applied, a session was opened with a local administrator account named “Yonetici”. From this computer, an RDP connection was made to the computer named “W7-Ent-x86-15GB” with a local administrator account named “UzakYonetici”. Running the Mimikatz tool in this state produced the screenshots below.<\/p>\n
\nThe first screenshot was taken with the old Mimikatz release and the second with the new one:<\/p>\n
\nFigure 1 – Running Mimikatz 1.0 on a computer without the Microsoft update<\/b><\/p>\n
\nFigure 2 – Running Mimikatz 2.0 on a computer without the Microsoft update<\/b><\/p>\n
\nAs the screenshots show, the credentials could be obtained from 5 Security Support Providers (SSPs). The password of the “Yonetici” user was obtained as “Aa123456”, and the password of the “UzakYonetici” user as “Bb123456”.<\/p>\n
\nThe relevant update package was then downloaded and the operating system was patched.<\/p>\n
\nFigure 3 – Applying the Microsoft update<\/b><\/p>\n
\nThe screenshots of running Mimikatz 1.0 and 2.0 after the patch, with the RDP connection re-established, are as follows:<\/p>\n
\nFigure 4 – Running Mimikatz 1.0 on a computer with the Microsoft update applied<\/b><\/p>\n
\nFigure 5 – Running Mimikatz 2.0 on a computer with the Microsoft update applied<\/b><\/p>\n
\nNo change was made to the WCE source code after the Microsoft update. The results obtained with the old and the latest release of the WCE tool are as follows.<\/p>\n
\nFigure 6 – Running the old and new WCE releases on a computer without the Microsoft update<\/b><\/p>\n
\nFigure 7 – Running the old and new WCE releases on a computer with the Microsoft update applied<\/b><\/p>\n
\nAs the screenshots show, passwords can be obtained with the WCE tool both before and after the Microsoft patch. However, the credentials of the RDP connection to the remote computer cannot be obtained with WCE.<\/p>\n
\nThe examinations produced the following table:<\/p>\n
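\nAs an added example that is not part of the original post, the PowerShell script below audits a host for the hardening that update 2871997 brings: whether KB2871997 is installed, whether the WDigest UseLogonCredential value has been set to 0 (on Windows 7 / 2008 R2 the update alone only adds the switch; WDigest keeps caching the clear-text password until the value is explicitly set to 0, which is why the wdigest line in Mimikatz can still show a password on a patched machine), and the DisableRestrictedAdmin and TokenLeakDetectDelaySecs values under Lsa that matter for the RDP scenario above. The function names are my own, and the script assumes an elevated PowerShell session on the host being checked.<\/p>\n

```powershell
# Added example, not code from the original post. Audits a Windows host for
# KB2871997 and the credential-caching settings it exposes. Assumes an elevated
# PowerShell session on the host being checked; function names are my own.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Registry provider paths are written with forward slashes here (accepted by
    # the provider), so the script needs no backslash escaping.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WDigestPlaintextCaching {
    # $true when LSASS keeps the WDigest clear-text copy of the logon password,
    # which is what the mimikatz wdigest provider reads out.
    param([version]$OsVersion, [bool]$HasKB2871997, $UseLogonCredential)
    if ($OsVersion -ge [version]'6.3') {
        # Windows 8.1 / 2012 R2 and later: off by default, on only if set to 1.
        return ($UseLogonCredential -eq 1)
    }
    # Windows 7 / 2008 R2 / 8 / 2012: the switch exists only once the update is
    # installed, and even then caching stays on until the value is set to 0.
    if (-not $HasKB2871997) { return $true }
    return ($UseLogonCredential -ne 0)
}

function Get-CredentialCachingAudit {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    # Get-HotFix lists updates installed through Windows Update / .msu packages.
    $hasUpdate = $null -ne (Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

    $lsa     = 'HKLM:/SYSTEM/CurrentControlSet/Control/Lsa'
    $wdigest = 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/WDigest'

    $useLogon      = Get-RegistryValueOrNull $wdigest 'UseLogonCredential'
    $disableRA     = Get-RegistryValueOrNull $lsa 'DisableRestrictedAdmin'
    $tokenLeakSecs = Get-RegistryValueOrNull $lsa 'TokenLeakDetectDelaySecs'

    # New-Object PSObject keeps the script usable on the PowerShell 2.0 that
    # ships with Windows 7.
    New-Object PSObject -Property @{
        ComputerName             = $env:COMPUTERNAME
        OSVersion                = $ver.ToString()
        KB2871997Installed       = $hasUpdate
        UseLogonCredential       = $useLogon
        WDigestCachesPlaintext   = Test-WDigestPlaintextCaching $ver $hasUpdate $useLogon
        # 0 = Restricted Admin RDP (mstsc /restrictedadmin) can be used, so an
        # admin can connect without leaving reusable credentials on the target.
        DisableRestrictedAdmin   = $disableRA
        # Seconds before LSA clears logon sessions left behind by leaked tokens.
        TokenLeakDetectDelaySecs = $tokenLeakSecs
    }
}

Get-CredentialCachingAudit | Format-List
```

\nA value of $null in the output means the registry value is absent, which for UseLogonCredential on Windows 7 is equivalent to caching being enabled; the WDigestCachesPlaintext field folds the OS version, the update state and the value into one yes/no answer so the result can be compared directly with what Mimikatz shows on the same machine.<\/p>\n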