B2B网络软件 (B2B Network Software)

Title: The Three-Headed Dog Is Back: Another Devastating Vulnerability Hits Windows

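Author: IT首发    Time: 2015-12-15 13:37
Security researchers have discovered what can be called a "devastating" vulnerability in the Windows Kerberos authentication system. The vulnerability cannot be fixed; the only solution is to use Microsoft's Credential Guard application to prevent passwords from being stored in memory.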



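The vulnerability arises from the way the third-party authentication system creates secret keys: it uses a password associated with a disabled user name (krbtgt). This password is rarely changed, which allows attackers to grant themselves admin privileges and completely bypass the system's authentication, and also to create secret passwords for existing and new users.

Although some entry points are time-limited (after 20 minutes the system looks up the account and confirms its validity), fake users can be created without limit, which means access to the system can be maintained continuously.

Kerberos is the authentication protocol used in Windows networks to authenticate clients and servers. A vulnerability was also found in it last year that attackers could use to compromise an entire network, including installing programs and deleting data.


Kerberos, also called Cerberus, is the guardian of the gates of hell in Greek mythology: a huge three-headed dog, exceptionally ferocious, but one that can be put to sleep by the sound of a lyre.

According to the researchers, the system creates secret keys so that passwords do not have to be sent over the network when users are authenticated. However, the keys are not "salted" and use the NTLM hash, so they are relatively easy to crack. The krbtgt user is created when the system is first installed and is not activated, so it can sit in the system untouched for years while leaving attackers a potential entry point. In their blog the researchers describe some details of the attacks, including adding new users, adding a second secret password to existing users, and downloading files.

Microsoft has not yet responded to this vulnerability.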

Detailed description of the vulnerability:
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
安全牛: http://mp.weixin.qq.com/s?__biz=MjM5Njc3NjM4MA==&mid=401220537&idx=2&sn=b48cd890d16cf9e46815e52b0a13977b&scene=0#rd
-------------------- Original article --------------------
Posted on December 13, 2015 by dfirblog

Kerberos is an authentication protocol that is used by default in Windows networks and provides mutual authentication and authorization for clients and servers. It does not require you to send a password or a hash on the wire; instead it relies on a trusted third party to handle all the details.
Although it is considered a secure protocol, it has some flaws in Windows environments with devastating consequences.
How does it work?
Kerberos is a rather complex protocol, so let’s just have a look at what a typical authentication looks like:
So, we have the following components:

If you’re still confused about Kerberos or interested in more details – I suggest looking here and here.
Here are the important facts for us:
Attacking the Kerberos
Pass-the-key(Overpass-the-hash)
How do we prove to the KDC that we are who we say we are and request a TGT? Well, we just encrypt the current timestamp with our secret key. That’s what the normal process looks like. So, if we have access to the key – we can repeat this process on behalf of the user and gain legitimate Kerberos tickets, and thus access, essentially skipping the part of Kerberos authentication where the user’s secret key is created from his password. Recall that the RC4 secret key is the NTLM hash of the user account, so we can reuse it any time we want once we get it. It is very similar to pass-the-hash, hence the name. Of course you can also do this with the newer AES keys; the NTLM hash is just more convenient and there are multiple ways to obtain it.
Okay, suppose we’ve obtained an NTLM hash, but it turns out this system has NTLM disabled:
All hope is lost? We can’t pass-the-hash? Of course not!
Let’s use this NTLM hash in a pass-the-key attack:
And what you will see on the wire is the normal Kerberos authentication:
You will also see that we are indeed using RC4 for the session key:
Of course, if you are in position and have someone logged on – you could just steal their AES key too:
And then use it the same way:
Even though we’re under a local user account (we’re not even a domain user!) on a completely different computer, we have an admin ticket:
This way – as long as we have a valid NTLM hash or AES key – we can impersonate those users anytime we want from any machine! And they will stay valid until the password is changed.
By the way, if you have trouble with mimikatz (like in a pivoting scenario) on the separate machine to carry out this attack – you could also just spawn any bogus process on any machine in the domain where you’ve got a shell and then just steal a token of this process via meterpreter or something.
Pass-the-ticket
Recall that a TGT represents an authenticated user in Kerberos and a service ticket represents an authenticated user for a particular service. Also, recall that they’re cached in memory and valid for 10 hours. This means, if we’re able to steal those tickets and somehow insert them into our own system – we would be able to request any service ticket on behalf of this user or access a service directly with the service ticket, because to the KDC or the service we will look like a legitimate, already authenticated user. This way we can impersonate this user and gain access for the lifetime of the ticket. This will be 10 hours by default, which is plenty of time to do anything we want.
So, let’s do this:
So, we dumped all tickets into files:
As you can see, we got a bunch of service tickets (those with LDAP, HOST and cifs in the file name) and even TGTs (those with krbtgt in the file name). So, you can then download them to any other machine and reuse them – to become an admin.
Here is our machine at the moment:
Let’s try service ticket first:
And here is what happens now:
And we’ve got access – simple as that!
Of course, we can’t access the SMB service on another machine – because we don’t have a ticket for this service.
And on the wire you will see that we authenticate to the SMB service via Kerberos:
Notice that we bypassed steps 1-4 of our Kerberos scheme and went straight to 5 and 6. Cool, huh? What if we want to access other machines too, but we don’t have service tickets there?
No problem, we also got a TGT, remember?
So, let’s see now:
Awesome! We successfully got a service ticket for another machine with our TGT.
And here is what you see on the wire:
Notice that we bypassed steps 1-2 of our kerberos scheme and went straight to 3-4 and 5-6.
Golden ticket
Recall that everyone has a secret key and the KDC uses the krbtgt user account password to create its key. Recall also that the KDC encrypts and signs TGTs with its own key – which means the secret key of the krbtgt user account. And don’t forget that a TGT contains all the group membership data. So, if we can obtain the secret key of this user – we can create our own TGTs and essentially impersonate the KDC service. There’s more: since the PAC data is also signed by this key – we can also put any user and group information in our TGT, which means we can grant any user any privileges. Pretty cool, huh?
It is an incredibly powerful persistence trick, allowing you full access to the whole domain under any user and letting you do crazy stuff like access resources with disabled or even non-existent users.
How can we do that?
It’s just an account in the domain controller database, so you obviously need access to the DC or its data.
After that, you can:


Okay, suppose we compromised the DC and dumped it from memory:
You can use either the AES or the RC4 key.
You also need the domain SID – just copy the SID of any user and delete the last block with the user ID.
Let’s create a golden ticket!
So, we created a ticket for a user with the admin SID, and he is also in all the typical admin groups like Domain Admins, Schema Admins and Enterprise Admins.
Note, you can create it on any machine, even offline.
Now, just pass it:
Once again – no tickets:
Now let’s try to access something:
The funny thing is – the godmode user does not even exist:
Yet, there are tickets for him:
Of course, you only have 20 minutes to get as many service tickets as possible with such users; after 20 minutes the KDC will validate the account information. But you can create a new golden ticket again and again to have unlimited time, if you really want.
At this point – you can do anything you want: you can simply reuse existing accounts or be extra sneaky and grant some regular user account admin privileges, even though, if anyone looks him up – he will not have any. You can even use other user accounts and add them with the /groups option, to create a kind of super user that impersonates several other users at the same time.
Silver Ticket
Recall that a service ticket is created with the secret key of either a computer account or a service account. So, if we know the secret key for this account, we can create forged service tickets to access a service. Since the service usually doesn’t validate PAC data and doesn’t communicate with the DC – we can easily impersonate any user. It is kind of similar to a golden ticket, but limited to a specific service.
Computer account passwords are randomly generated and change every 30 days automatically; I think the previous one is still valid too, but I didn’t test. You can pull secret keys from memory or get an NTLM hash (RC4 key) from LSA secrets.
So, let’s get a password hash for a computer with kerberos::ekeys command:
Now, let’s create a silver ticket:
So, we are granting the non-existent user silver domain admin privileges and a ticket for this service.
And let’s try to access it:
Once again you can do whatever you want, just like with golden tickets; you will just be limited to this particular service.
Forged PAC
There was also a bug (MS14-068) that allowed creating an arbitrary PAC and inserting it into a legitimate TGT, so the effect was similar to a golden ticket, but you were able to do that with any domain user and the krbtgt user key was not needed. A nice write-up is here.
Skeleton Key
Early this year Dell Secureworks reported that they found so-called Skeleton Key malware installed on the DC of a victim. This allowed attackers to authenticate as any domain user with a secret password, but it didn’t affect users and they could still log on with their own credentials.
It works by patching the lsass.exe process on the DC and it was implemented in mimikatz. It is not persistent and a reboot of the DC will clear it.
To install it, you will need to have admin rights.
Suppose we got domain admin creds and want to leave a backdoor, so let’s plant a skeleton key on the DC:
So, now we have a secret password – mimikatz (hardcoded), that should allow us to log in as any user!
Let’s try it:
It also works for interactive logon, so you could use it for RDP and even physical logon.
Detection
Detecting this activity is a very hard challenge, since we are dealing with legitimate credentials.
You should focus heavily on detecting the tools that are used to carry out these attacks and on manual monitoring of privileged accounts (this includes accounts of executives and other regular employees who have access to information an attacker might want to get). That way you would at least have an idea of where people regularly log on, and it would be easier to spot a difference.
Check my previous article for more details.
There is still value in logs, so don’t forget to enable logging of Kerberos – event IDs 4768-4773.
One of the inconsistencies I’ve found is with the domain name when an attacker accesses resources as a result of various attacks, so aggregating on domain name and investigating suspicious entries might be a good idea. Usually, the domain name in logs will be in capital letters, but mimikatz sends it in lowercase. Take a look at domain names aggregated over a week of data:
As you can see, events with a low count definitely look suspicious and need to be investigated (they are in fact from attacks). However, after testing on real-life data I’ve found that it is not a consistent indicator, as you will have quite a few lowercase realms, because capitalization of the realm is merely a recommendation in the Kerberos RFC. But it can still be useful for slicing data into smaller chunks. On a full day of data I’ve got about half a million uppercase domains and about 35000 lowercase ones. Unfortunately, it is still a lot of data to look at manually and it doesn’t necessarily mean this is the result of an attack.
Mimikatz also leaves a signature string in the domain for golden and silver tickets – oe.eo, so definitely add this too.
Another useful thing to look for is the use of the RC4 cipher, since modern Windows (from Vista) uses AES by default and lots of attacks rely on RC4. For this you need to aggregate on Ticket Encryption Type. You need to look for 0x17 or 0x18, as these mean RC4. 0x12 means AES-256 and 0x11 AES-128. Don’t mind 0xfffffff – this is some kind of code for when an error has occurred and is seen in legitimate, unsuccessful ticket requests.
Full table of codes for all options is here.
So, unless you have a bunch of XP and 2003 machines or some third-party systems – you should never see RC4 used.
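The log indicators described above (RC4 ticket encryption types, the oe.eo string, non-uppercase domain names and low-count domain spellings), applied to exported 4768/4769 records. This is an added example, not the author's script; the record keys and all sample values are assumptions constructed for illustration.

```python
from collections import Counter

# Ticket Encryption Type values named in the text above.
RC4_ETYPES = {0x17, 0x18}
SIGNATURE = "oe.eo"  # string the text reports in the domain field of forged tickets

# Constructed sample records (not real logs). The keys are assumed names for
# fields exported from Security events 4768 (TGT) and 4769 (service ticket).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice",
     "TargetDomainName": "CORP.EXAMPLE", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE",
     "TargetDomainName": "CORP.EXAMPLE", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "bob",
     "TargetDomainName": "CORP.EXAMPLE", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "admin",
     "TargetDomainName": "corp.example", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "nosuchuser",
     "TargetDomainName": "oe.eo", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "carol",  # failed request
     "TargetDomainName": "CORP.EXAMPLE", "TicketEncryptionType": "0xffffffff"},
]


def parse_etype(value):
    """Hex string -> int, or None for the all-f's code logged on failed requests."""
    number = int(value, 16)
    return None if number >= 0xFFFFFFF else number


def indicators(event):
    """Return the names of the indicators from the text that this event matches."""
    hits = []
    if parse_etype(event["TicketEncryptionType"]) in RC4_ETYPES:
        hits.append("rc4-ticket")
    domain = event["TargetDomainName"]
    if SIGNATURE in domain.lower():
        hits.append("oe.eo-signature")
    elif domain != domain.upper():
        # Weak on its own: realm capitalisation is only a recommendation.
        hits.append("non-uppercase-domain")
    return hits


def triage(events):
    """(index, account, indicators) for every event with at least one hit."""
    report = []
    for index, event in enumerate(events):
        hits = indicators(event)
        if hits:
            report.append((index, event["TargetUserName"], hits))
    return report


def rare_domain_spellings(events, max_count=1):
    """Aggregate on the exact domain spelling and keep the low-count values."""
    counts = Counter(event["TargetDomainName"] for event in events)
    return {name: n for name, n in counts.items() if n <= max_count}


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(rare_domain_spellings(SAMPLE_EVENTS))
```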
Another way to get this data is to monitor network traffic, since most of the metadata is not encrypted; however, not many systems support Kerberos. The good news is that Bro recently added support for Kerberos traffic and produces the following data:
Unfortunately, not everything is parsed, but it is still very useful, especially when getting logs is not possible. There are also some problems with the parser; sometimes RC4 is detected as AES for some reason.
I’ve also created a wrapper around tshark to detect those attacks. It works, but you need to have no gaps in the packet capture. Packet loss or just gaps in Kerberos packets ruin the detection and produce a lot of FPs as a result. It’s on my github here. It works on any Linux machine with tshark version 1.12+.
Let’s take a closer look at each attack.
Pass-the-key(Overpass-the-hash)
It is hard to spot this attack, because it looks exactly like a legitimate activity process. However, there are still some artifacts we can use.
If an RC4 key is used – then it can be easily spotted via logs or traffic as described above, provided you have a modern environment. With AES it won’t be so obvious. As mentioned above, it also leaves the domain name in lower case, which can be useful for detection:
Another thing I’ve noticed is that Encryption Types is set strictly to the ticket algorithm, like only AES 256 or only RC4. This is unusual and easily stands out, because normally the OS announces support for all algorithms:
And here is a legitimate request:
Let’s detect it with our script:
If you get matches on AES, there is a very good chance this is pass-the-key. On RC4 it could also match on some legacy systems, so don’t jump to conclusions with it. I’d say it is pretty accurate; I didn’t get any FPs on real traffic.
Pass-the-ticket
Once again, detecting this activity is hard. Logs don’t help us much here, since there are no obvious artifacts and all you would see are legitimate entries saying that tickets were requested or access was granted to a particular user. One way to detect it is to look at what people access. If tickets are reused somewhere else, you will see, for example, the admin user requesting service tickets from bob’s machine, and this is weird. So look for a mismatch between the user principal and the source IP the requests are coming from. If they are reused from the same machine – you’re out of luck, since they look 100% legitimate.
Another thing you can look for in logs and in network traffic is the absence of certain Kerberos steps. For stolen TGTs there are no AS-REQ and AS-REP steps in traffic and no event 4768 in logs. For service tickets there are no TGS-REQ and TGS-REP steps in traffic and no event 4769 in logs.
Let’s detect them with our script:
The key here is to get a complete packet capture without packet loss, otherwise you will get a bunch of FPs. Also keep in mind you will have gaps in traffic when you start capturing in the middle of sessions. It is pretty accurate, but you may get quite a few FPs due to packet loss.
Golden Ticket
For non-existent users it is fairly easy to spot. You could obviously check whether each user exists or not and alert if you see a successful logon with a non-existent user (or any other impossible state, like disabled or locked). Another thing to look for here is a mismatch between the Security ID field and Account Name, and the mimikatz signature string oe.eo in Account Domain.
Here is how it looks:
This information gets populated in all kinds of logs where those fields are present.
When a legitimate user is impersonated, this leaves only the Domain indicator:
Please note, this signature can change in the future and skilled attackers can fix the code so that it looks legitimate.
We can also use a similar detection method as with pass-the-ticket, since there are no AS-REQ and AS-REP steps for a golden ticket:
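The missing-AS-exchange check from the pass-the-ticket section, which this section reuses for golden tickets, written against DC logs as an added example (not the author's tshark script). It flags a 4769 from an account/address pair that has no 4768 within the 10-hour ticket lifetime, and sets aside requests too close to the start of the log window, where the TGT may simply predate the data. The tuple layout and sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # ticket lifetime stated in the text


def at(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed records (not real logs): (time, event ID, account, client address).
# Assumes only successful 4768 (AS exchange) and 4769 (TGS exchange) events.
SAMPLE_TICKET_EVENTS = [
    (at("2015-12-10 08:00"), 4768, "alice", "::ffff:10.0.0.21"),
    (at("2015-12-10 08:05"), 4769, "alice@CORP.EXAMPLE", "::ffff:10.0.0.21"),
    (at("2015-12-10 08:10"), 4769, "bob@CORP.EXAMPLE", "::ffff:10.0.0.30"),
    (at("2015-12-10 09:00"), 4768, "admin", "::ffff:10.0.0.5"),
    (at("2015-12-10 18:30"), 4769, "admin@CORP.EXAMPLE", "::ffff:10.0.0.77"),
    (at("2015-12-10 19:00"), 4769, "carol@CORP.EXAMPLE", "::ffff:10.0.0.40"),
]


def norm_account(name):
    # 4769 logs user@REALM while 4768 logs the bare name; compare bare names.
    return name.split("@")[0].lower()


def norm_ip(address):
    # Strip the IPv4-mapped IPv6 prefix so both forms compare equal.
    return address[7:] if address.startswith("::ffff:") else address


def correlate(events, lifetime=TICKET_LIFETIME):
    """Return (flagged, unknown) service-ticket requests lacking an AS exchange."""
    events = sorted(events, key=lambda e: e[0])
    if not events:
        return [], []
    log_start = events[0][0]
    last_as = {}  # (account, address) -> time of the latest 4768
    flagged, unknown = [], []
    for when, event_id, account, address in events:
        account, address = norm_account(account), norm_ip(address)
        if event_id == 4768:
            last_as[(account, address)] = when
            continue
        if event_id != 4769:
            continue
        seen = last_as.get((account, address))
        if seen is not None and when - seen <= lifetime:
            continue  # TGT was issued to this account on this host
        if when - log_start < lifetime:
            unknown.append((account, address))  # TGT may predate the log window
            continue
        # Was a TGT for this account issued to some other address instead?
        elsewhere = sorted(
            ip for (acct, ip), t in last_as.items()
            if acct == account and ip != address and when - t <= lifetime
        )
        reason = "tgt-issued-elsewhere" if elsewhere else "no-as-exchange"
        flagged.append((account, address, reason, elsewhere))
    return flagged, unknown


if __name__ == "__main__":
    print(correlate(SAMPLE_TICKET_EVENTS))
```

NAT, multi-homed hosts and DHCP address changes produce the same pattern as a reused ticket, so treat a hit as a lead to investigate.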
Silver Ticket
It leaves the same artifacts as a golden ticket, so the same detection methods apply. Just make sure you’re collecting events from endpoint computers too, as this leaves no records on the DC – all events will be on the accessed computers and servers.
Once again we can use the detection from the pass-the-ticket attack, since there are no TGS-REQ and TGS-REP for silver tickets:
Forged PAC
This attack also relies on RC4 for getting a forged TGT, so you can look for that, because it sends only rc4-md5-hmac as the supported cipher:
Another easy thing to look at is a request without PAC. This will never occur in legitimate traffic:
Let’s detect it with our script:
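The two AS-REQ indicators from the pass-the-key section (a single offered encryption type) and from this section (a request without PAC), as an added example that is not the author's script. To handle the legacy-system caveat it compares each request with everything the same source host has offered in the data set; the dict keys and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

ETYPE_NAMES = {17: "aes128", 18: "aes256", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
AES_ETYPES = {17, 18}

# Constructed AS-REQ summaries (not captured traffic). The keys are
# hypothetical names for what a packet parser would extract per request.
FULL_OFFER = [18, 17, 23, 24, -135, 3]
SAMPLE_AS_REQS = [
    {"client": "alice", "src": "10.0.0.21", "etypes": FULL_OFFER, "include_pac": True},
    {"client": "admin", "src": "10.0.0.21", "etypes": [18], "include_pac": True},
    {"client": "scanner", "src": "10.0.0.90", "etypes": [23], "include_pac": True},
    {"client": "bob", "src": "10.0.0.66", "etypes": [23], "include_pac": False},
]


def review_as_reqs(requests):
    """Return (client, src, severity, reasons) for each suspicious AS-REQ."""
    # Pass 1: every etype each source host has offered in this data set.
    baseline = defaultdict(set)
    for req in requests:
        baseline[req["src"]].update(req["etypes"])

    findings = []
    for req in requests:
        reasons, severity = [], None
        if not req["include_pac"]:
            reasons.append("no-pac")  # the text: never seen in legitimate traffic
            severity = "high"
        offered = set(req["etypes"])
        if len(offered) == 1:
            (etype,) = offered
            reasons.append("single-etype:" + ETYPE_NAMES.get(etype, str(etype)))
            if etype in AES_ETYPES or len(baseline[req["src"]]) > 1:
                # AES-only, or a host that normally announces more algorithms.
                severity = "high"
            elif severity is None:
                # Host only ever offers RC4: legacy system or attack, review.
                severity = "low"
        if reasons:
            findings.append((req["client"], req["src"], severity, reasons))
    return findings


if __name__ == "__main__":
    for finding in review_as_reqs(SAMPLE_AS_REQS):
        print(finding)
```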
Skeleton Key
The simple way to detect it is to try the default password ‘mimikatz’ yourself.
The mimikatz implementation is a kind of downgrade attack, so after the skeleton key is installed all users will be downgraded to the RC4 cipher; on Kerberos events you will see them using the 0x17 Encryption Option, so this is already a huge tell, especially if they used AES keys in the past.
This is only relevant to service tickets. Here is what a logon with the secret password looks like:
So, if you suddenly have a lot of RC4 cipher used – then you definitely have a Skeleton Key, especially on modern Windows systems – they will never default to RC4. Other than that, this doesn’t leave any artifacts in logs.
Another way to detect it – is to use the free script provided by Aorato:
Yet another way is with our script:
Mitigation
Mitigation of most of these attacks is not possible, as this is simply how Kerberos works in a Windows environment. For some attacks, the mitigation discussed in previous articles is useful and recommended. For the most part, you need to focus on protecting privileged accounts at all costs, because this is what attackers are after and protecting everyone is not possible. Otherwise you will lose control of your network really fast. The most effective mitigations at the moment seem to be the Protected Users group and Credential Guard.
Let’s look at each attack type in detail:
Pass-the-key(Overpass-the-hash)
The Protected Users group prevents storage of keys in memory, so there is nothing to steal for members of this group, but other users will stay vulnerable. Complete mitigation is possible only with Credential Guard.
Pass-the-ticket
Credential Guard is the only possible mitigation; Protected Users can’t help with this due to the need to store tickets in memory for normal operation.
Golden & Silver Ticket
Mitigation for this type of attack is not possible. Only remediation steps – see below.
Forged PAC
This bug was fixed in KB3101780, so install it ASAP on each DC. I think the 2012 DC is not affected by this.
Skeleton Key
No mitigation possible; however, I think Protected Users should help with this since it denies usage of RC4.
Remediation
Remediation for those types of incidents is costly and time consuming. Since Kerberos doesn’t allow revocation of tickets, all remediation steps should assume that the attacker still has access with tickets, and you should wait out their expiration before any active action. You quickly lose control of the domain and your network after a compromise, allowing unlimited persistence for an attacker. So, you could take a risk and recover the same domain, or rebuild the whole domain and forest, as this is the only way to be sure that the attacker didn’t leave any backdoors.
Pass-the-key(Overpass-the-hash)
If you suspect that the key was stolen – you need to change the password of the account (this will invalidate the key) and possibly disable it too. You also need to forcibly log off all active sessions of this user to be sure. However, it doesn’t affect granted tickets – see below.
Pass-the-ticket
The only thing you can do is to clean cached tickets with this script and wait out the expiration time. However, this doesn’t cover cases where the attacker could simply reload the ticket from a file or use it on a machine outside your control. Of course, changing the password of affected accounts is necessary too, in case he got a key.
Golden Ticket
You need to change the krbtgt user password twice in rapid succession to prevent any more tickets. You can also change it frequently yourself to limit potential exposure and the window of opportunity for an attacker. Please note, this can cause disruption in access, so plan ahead. You can use the MS-provided script for this, available here.
Silver Ticket
You need to change the computer password – you can do this via the Users and Computers MMC, netdom or the Reset-ComputerPassword PowerShell script. I think the previous password stays valid too, so this means you need to reset it twice. However, I didn’t test it. If your service is running under a dedicated user account, then reset its password.
Forged PAC
Patch the DC and use the remediation from pass-the-ticket.
Skeleton Key
Reboot the DC. You might also reboot it from time to time, just in case.
