个人觉得WCE跟mimikatz一样都好用 直接在CMD下执行执行wce.exe -w就可以了,屡试不爽。32和64通杀,小弟64位测试通过。 WCE v1.3beta (X64) (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Secu rity - by Hernan Ochoa (hernan@ampliasecurity.com) Use -h for help. Options: -l List logon sessions and NTLM credentials (default). -s Changes NTLM credentials of current logon session. Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>. -r Lists logon sessions and NTLM credentials indefinitely. Refreshes every 5 seconds if new sessions are found. Optional: -r<refresh interval>. -c Run <cmd> in a new session with the specified NTLM crede ntials. Parameters: <cmd>. -e Lists logon sessions NTLM credentials indefinitely. Refreshes every time a logon event occurs. -o saves all output to a file. Parameters: <filename>. -i Specify LUID instead of use current logon session. Parameters: <luid>. -d Delete NTLM credentials from logon session. Parameters: <luid>. -a Use Addresses. Parameters: <addresses> -f Force 'safe mode'. -g Generate LM ; NT Hash. Parameters: <password>. -K Dump Kerberos tickets to file (unix ; 'windows wce' form at) -k Read Kerberos tickets from file and insert into Windows cache -w Dump cleartext passwords stored by the digest authentica tion package -v verbose output.