Windows Post Exploitation - Dumping Hashes With Mimikatz

Video Statistics and Information

Captions
Hey guys, HackerSploit here, back again with another video. Welcome back to the penetration testing boot camp. In this video we're going to be taking a look at how to dump hashes with Mimikatz. So again, we're following along with the post exploitation room on TryHackMe, which is a free room, and we've already taken a look at how to perform enumeration with PowerView as well as enumeration with BloodHound and SharpHound. So now our main objective will be, of course, to dump hashes and take a look at how to crack them with hashcat, and then finally the second part of this video will involve generating golden tickets with Mimikatz. Granted, a lot of you are not familiar with Active Directory, but I'll be explaining things as we move along, and I'll be sort of filling in the blanks there until we actually get into Active Directory fundamentals, where I'll be covering all the terminology and essentially how everything works.

That being said, I've logged into the target system and we already have the Mimikatz binary on the target. However, before we do that, let us first of all get an understanding of what Mimikatz is. Mimikatz is essentially a Windows post exploitation tool that was actually developed by Benjamin Delpy, and it's essentially utilized for extracting plain text credentials from memory and dumping password hashes from the SAM database. It also allows you to perform advanced Kerberos functionality, like we're going to be taking a look at right now when we'll be talking about generating golden tickets, and that's essentially what it's utilized for. In this case, as I've mentioned before, we don't have to transfer it to the target, which is great, and in order to use it we can just navigate to the Downloads directory here. Again, if I list out the contents of this particular directory you can see we have mimikatz.exe, so we can execute it by saying mimikatz.exe.

All right, and the first thing we need to do is check our privileges, because Mimikatz requires administrative privileges in order to work. So we need to say privilege::debug. This will essentially tell us whether we have the adequate privileges, and as you can see: Privilege '20' OK. So if we head back over into the room, we have just done the first few steps, and you can see it says ensure that the output is Privilege '20' OK. That ensures that you're running Mimikatz as an administrator. If you don't run Mimikatz as an administrator, Mimikatz will not run properly; what that means essentially is it will not be able to dump the contents of elements or components like the SAM database, etc.

Now, before we actually take a look at the technique highlighted here, where it's essentially dumping LSA using lsadump::lsa and then of course using the /patch argument, I want to explain a few things and highlight a few other techniques that might be useful for you. When it comes down to dumping clear text passwords, in our case it will really not be relevant, because starting with Windows Server 2012, I believe, clear text passwords and LM hashes are no longer stored in memory, which means even if we tried and dumped the logon passwords we shouldn't get any value. So typically, if we were working on an older version of Windows, we could essentially enumerate the clear text passwords, or the logon passwords as it were, by typing in sekurlsa::logonpasswords. We hit enter, and in this case you can see it essentially provides us with the NTLM hashes for the user accounts and any other computers that are part of this domain. However, and I'll just scroll to the top here, we know that the only user that's logged on so far is the Administrator user, and you can see under here it essentially says for the username Administrator the password is null. So we know that it doesn't store passwords, or clear text passwords, in memory. Regardless of that, we were able to get the NTLM hash here, so that's great; we can crack it with hashcat, but before we actually get there I want to explain a few more things.

We can also dump the contents of the SAM database, which you should be familiar with, but if you're not, the SAM database, or the Security Account Manager database, is essentially a database file that's found on modern Windows systems and is used to store user account passwords. I'll get into that as we move on into this particular boot camp, but for now you should just know that if you've never had any experience with it. We can use lsadump::sam and then we can dump the contents of the SAM database. So we hit enter, and you can see when it essentially tries to run the operation that the SAM database, or rather the registry keys here, have been set to false, so that means we can't pull the contents of the SAM database.

All right, so now that we've covered that, we can actually talk about LSA, which is what we're working with here. Mimikatz has the ability to dump LSA, as well as the contents of LSA, or LSA secrets if you will. LSA stands for the Local Security Authority on Windows, and its purpose is essentially to manage the system's local security policy; as a result of that, it will typically store data pertaining to user accounts, such as user logins, authentication of users, and their LSA secrets. Now, I doubt that we'll actually be able to dump LSA secrets, for the reasons that I've mentioned previously, but what we can do here is follow the instructions provided by TryHackMe. So we say lsadump::lsa and we use the /patch option. Now, the reason we're using the /patch option is essentially the following. If I just say lsadump::lsa and we hit enter, you can see it will provide you with the users, which again will essentially entail the user accounts as well as any other computers that are part of this particular domain, but as for the passwords or the NTLM hashes, it'll essentially give us various errors. So what we need to do is of course use the /patch flag, which will essentially patch the memory of the library, the function that is utilized by Mimikatz. So we can run that again with /patch, we hit enter, and now we get the LM and NTLM hashes for each of these user accounts, service accounts and of course computers. So, following with the documentation here, we have been able to get that.

It also covers the process of cracking these NTLM hashes with hashcat using the rockyou word list, but as for the questions, it's asking us to find the password for Machine1. So let's actually get the NTLM hash for Machine1. There we are: Machine2, Machine1, that's the NTLM hash. In order to crack it with hashcat we would essentially say hashcat, and then, following the instructions here, you can see we specify -m 1000, then the hash, and then rockyou.txt. Again, if you want to learn more about hashcat, I'll probably be making a video on that, but you can go through the documentation and see essentially how it works, and hopefully I can actually explain a few things in regards to what's going on here. So let me just see; there we are. When we specify -m, that's for the hash type, and the value in this case is set to 1000. So, for example, we can take a look at the hash type and the references, which will provide us with the exact hash that we're working with. If we go to the hash modes, you can see, for 1000, if I can actually find that here, let's see if I can identify that; for some reason it's not been sorted numerically, which I guess is fine. Right, so the mode or the type of hash 1000 refers to NTLM, so that should make sense now.

So I'll just hit enter here and we'll then say hashcat -m 1000, paste in the hash there, and then we specify the directory or the path to the word list, the rockyou word list, so /usr/share/wordlists/rockyou.txt. We hit enter, and that's going to begin the cracking process. In my case it looks like "All hashes found in potfile! Use --show to display them". So all we need to do is just say --show; in my case I've cracked this before, that's why it's asking me to essentially show the file. And there we are, you can see for this particular hash this is the password: it's Password1. So let's actually verify that, and the Machine1 password is Password1. That's fairly simple; again, this is for demonstration purposes, as you can obviously tell. And then, what is the Machine2 hash, which we were able to get here. So Machine2, that's the NTLM hash there, we just paste it in there and submit that, and that is correct. So that is essentially it for dumping hashes with Mimikatz. We can now take a look at golden ticket attacks with Mimikatz.

All right, so when we talk about golden ticket attacks there are a few things that I need to explain. Number one, if you remember the previous videos, I didn't explain what this user account is used for, or what its purpose was in the context of an Active Directory domain or environment. The reason I didn't do that is primarily because I didn't want to confuse you before we reach this particular stage, but the krbtgt user account is essentially a local account in an Active Directory environment that is essentially utilized for key distribution, or ticket distribution. So again, I've not really introduced Active Directory. If you're not familiar with it, when working in an Active Directory environment, accounts sign in with a username and password, or any other form of authentication, and then of course they get back a Kerberos ticket that contains the authentication token. Now, the golden ticket attack, or the process of generating a golden ticket, is essentially generating an authentication token for the krbtgt account. This particular account, as I've mentioned, has the job, or its main functionality is, to essentially encrypt all of the authentication tokens for all the users on the domain for the domain controller. So the golden ticket can be used to essentially log into any account.

In order to do that we need to actually create a golden ticket. The steps involved here are fairly simple. Number one, we need to dump the hash and security identifier for the Kerberos Ticket Granting Ticket account, which is what krbtgt stands for, which will allow us to create a golden ticket. Again, that can be done fairly simply: all we need to do is type in lsadump::lsa and then of course we use the /inject option. Now, the /inject option is fairly simple, or rather I really don't want to cover it right now, because that's going to be beyond the scope of this video, but we can actually just follow along with these demonstrations and I'll explain what's going on here. So I'll just clear that out, and we can then say lsadump::lsa, then we specify /inject, and we then say the name of the account, the Kerberos ticket granting ticket account, which is krbtgt: /name:krbtgt. Then of course we hit enter, and that is going to give us all the relevant details for this particular account, or rather the domain SID here, the NTLM hash, etc. So again, we need to actually copy all of this information; we'll do that in a second. As you can see here, it tells us to copy the domain controller SID, or rather the CONTROLLER SID, and then the name of the user account, which in this case is krbtgt, and then the NTLM hash.

Now, when it comes down to creating the golden ticket, we need to essentially specify kerberos::golden, the user that we want to essentially elevate our privileges to, or switch our privileges to, the domain, and then the SID, which is over here and which we can actually copy, and then the NTLM hash of the krbtgt account, and then the ID, or SID rather, of the Administrator user. So what we can do is essentially just... I'm just going to do that right now. Let me just copy all of this information here. We'll open up Mousepad here: that's the SID, we have the user account there, just make sure I have everything noted down, and then the NTLM hash for this particular account, and then the SID we know is 500. And yeah, that's pretty much it in regards to what we need to specify. So again, what we'll do is we'll head over here, and let me just make sure that that is set correctly. We will say kerberos::golden, and then we specify the user, which in this case is going to be Administrator, and then we have the domain, which in this case is going to be controller.local. Do we have to be case sensitive? No, we don't. All right, and then the SID, which we will just copy from here and paste in there, and then the next option that we need to provide is the krbtgt user account hash, which we just get from here, and then of course we need to provide the SID, or the ID, for the Administrator user, which in this case is 500. So the command reads kerberos::golden /user:Administrator /domain:controller.local /sid:<domain SID> /krbtgt:<krbtgt NTLM hash> /id:500. If we just go back in here it looks like we've specified that correctly, and we can just hit enter now. So I'm just going to hit enter, and you can see "Final Ticket Saved to file".

So now we can utilize the golden ticket to log in to any account, or in this case the Administrator account. We can do that by saying misc::cmd. We hit enter, and as you can see: Patch OK for 'cmd.exe'. If we list out the contents here... sorry about that, let me just clear that out. If we take a look at the questions here before we actually do that, well, we don't have any questions, but there we are, it says this will open up a new command prompt with elevated privileges to all machines. So we can essentially, as you can see, access other machines; you'll now have another command prompt with access to all of the machines on the network. However, as I said, these machines are offline, so we can't actually access them even if we were utilizing PsExec. In this case, as you can see, it actually tells you that here, but we know that that's how it works. So yeah, that's essentially how to generate a golden ticket with Mimikatz. As I said, it may be a bit confusing at the moment, but I'll be explaining all of this when we'll be taking an in-depth look at Active Directory environments.

All right, so that's pretty much all that I wanted to cover in this video, primarily because again I don't want to get too much into the various concepts that surround Active Directory and exploiting Active Directory environments, but I will be making follow-up videos that again highlight how to use Mimikatz in depth a little bit, because I haven't explained that here. So again, let me know what you guys think. If you have any questions or suggestions I would love to hear about them, or actually answer them if I can; you can leave them in the comments section or you can contact me via Twitter. If you have any other in-depth or detailed questions that you'd like me to answer, you can join our Discord server and I'll be sure to answer you there. We have great members on there that can again help you with most of your questions. And yeah, thank you very much for watching and I'll be seeing you in the next video. A huge thank you to all of our patrons; your support is greatly appreciated and this is a formal thank you. So thank you Shamir Douglas, Ryan Carr, Sandor, Michael Busby, sits up doozy, tofembari, dustin on president, Michael Hubbard. Your support is greatly appreciated and you keep us making even more high quality content for you guys, so thank you.
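As an added, defender-side example that is not part of the video or the TryHackMe room: a forged golden ticket is presented straight to the ticket-granting service, so the domain controller never logs a TGT request (event 4768) for it before the service ticket request (4769), and older forgeries showed the domain exactly as typed on the attacker's side (controller.local) instead of the NetBIOS name the DC normally records. The sample events, the NetBIOS name CONTROLLER and both heuristics are constructed here; a hit is an indicator to investigate, not proof of a forged ticket.

```python
"""Correlate DC Kerberos audit events for golden-ticket indicators (added example)."""
from collections import defaultdict

# Constructed sample of Security log entries in chronological order.
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ),
# 4624 = account logon. "alice" is a normal user; "Administrator" from
# 10.0.0.99 never requested a TGT and logs on with a non-NetBIOS domain.
SAMPLE_EVENTS = [
    {"id": 4768, "account": "alice", "ip": "10.0.0.5"},
    {"id": 4769, "account": "alice", "ip": "10.0.0.5", "service": "cifs/fs01"},
    {"id": 4624, "account": "alice", "ip": "10.0.0.5", "domain": "CONTROLLER"},
    {"id": 4769, "account": "Administrator", "ip": "10.0.0.99", "service": "cifs/dc01"},
    {"id": 4624, "account": "Administrator", "ip": "10.0.0.99", "domain": "controller.local"},
]

NETBIOS_DOMAIN = "CONTROLLER"  # assumed NetBIOS name for controller.local


def tgs_without_tgt(events):
    """Return 4769 events whose (account, ip) pair never requested a TGT first."""
    seen_tgt = set()
    hits = []
    for ev in events:
        key = (ev["account"].lower(), ev["ip"])
        if ev["id"] == 4768:
            seen_tgt.add(key)
        elif ev["id"] == 4769 and key not in seen_tgt:
            hits.append(ev)
    return hits


def odd_domain_logons(events, netbios=NETBIOS_DOMAIN):
    """Return 4624 events whose domain field is not the expected NetBIOS name."""
    return [ev for ev in events if ev["id"] == 4624 and ev["domain"] != netbios]


def golden_ticket_indicators(events):
    """Combine both heuristics into one report keyed by account name."""
    report = defaultdict(list)
    for ev in tgs_without_tgt(events):
        report[ev["account"]].append("TGS request with no prior TGT request")
    for ev in odd_domain_logons(events):
        report[ev["account"]].append(f"logon with unexpected domain {ev['domain']!r}")
    return dict(report)


if __name__ == "__main__":
    for account, reasons in golden_ticket_indicators(SAMPLE_EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

On a real DC, the events come from the Security log with "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" enabled, and the TGT correlation must be done across all DCs, since the TGT may have been issued by a different one.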
Info
Channel: HackerSploit
Views: 33,149
Keywords: hackersploit, hacker exploit, hacking, kali linux, mimikatz, mimikatz kali linux, mimikatz kali linux tutorial, mimikatz tutorial, mimikatz pass the hash, mimikatz rubber ducky, mimikatz powershell, mimikatz demo, mimikatz golden ticket, mimikatz metasploit, mimikatz payload, mimikatz on windows 10, mimikatz install, mimikatz kali, dumping hashes
Id: AZirvtZNIEw
Length: 18min 45sec (1125 seconds)
Published: Mon Oct 25 2021