Linux command

impacket-ntfs-read command

After copying, replace the file names, directories, or parameters as needed.

Common examples

Read a file from a remote NTFS share

impacket-ntfs-read '[domain]/[user]:[password]@[192.168.1.100]' '[C$\Windows\System32\config\SAM]'

Read file using NTLM hash

impacket-ntfs-read -hashes ':[nthash]' '[domain]/[user]@[192.168.1.100]' '[share\path\to\file]'

Read file using Kerberos

impacket-ntfs-read -k -no-pass '[domain]/[user]@[target]' '[C$\path\to\file]'

Description

impacket-ntfs-read reads files from remote Windows systems via SMB by directly parsing the NTFS file system structures. This allows reading files that might be locked by the operating system, such as registry hives or other system files. The tool connects to administrative shares (C$, ADMIN$) and reads files at the raw NTFS level, bypassing Windows file locking mechanisms. This is particularly useful for extracting sensitive files during penetration tests.

Parameters

-hashes _LMHASH:NTHASH_
Use NTLM hashes for authentication instead of a password
-no-pass
Don't ask for password (useful with -k)
-k
Use Kerberos authentication from a ccache file
-aesKey _KEY_
AES key to use for Kerberos authentication
-dc-ip _IP_
IP address of the domain controller (for Kerberos)

FAQ

How do I run a basic impacket-ntfs-read example?

Run `impacket-ntfs-read '[domain]/[user]:[password]@[192.168.1.100]' '[C$\Windows\System32\config\SAM]'` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
