Sunday, March 27, 2016

Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz

As we continue this journey looking into learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit, the focus of this post allows me to get a better understanding of how I may be able to use the mimikatz tool.

In this post, metasploit usage is continued in order to leverage mimikatz.

The image below shows that first "pwd" was executed to determine the directory which we have landed in.
Once we know where we are, next we created a directory named "x64" in "c:".
Once the directory is completed, we next upload the mimikatz files to the x64 folder.

Now that we have uploaded the files, let's "execute" mimikatz from the meterpreter

Looks like it uploaded successfully! Let's verify that we are good to go.




Still looks good! Moving on!!

Let's look at the logon passwords for this sessions using the command "sekurlsa::logonPasswords"

From the image above, we see a plethora of information has been provided to us. For the account with username "administrator" we see among the information, the "Logon Time", the LM, NTLM and SHA1 hash of the administrator account password. Most importantly, we see also that we were provided with the clear text password "Testing1". This is good stuff.

What else can we get, let's figure it out or obtain.













Above shows that we can export the private and public key for administrator's certificate. While I executed this command, I did not see the files created. However, I later tested this directly on the Windows 2008 box and it worked. See this post


Alternatively we could have exported the key associated with administrator account.
Anything more?! Let's try looking at any Kerberos ticket association with the logon user.
From below we see there is one.
OK! There is a lot more to be learnt about mimikatz. So in the next post I will take a look at the pass the ticket vulnerability. I'm very interested in this as pass the hash still exist and I'm verry much aware of this. However, the pass the ticket is what I'm interested in at this time.

See you in the Pass The Ticket (PTT) post.

Posts in this series:
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Volatility Memory Analysis
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)