This article will showcase various attacks and tasks that can be performed on a compromised Windows Machine which is a part of a Domain Controller through Metasploit inbuilt Mimikatz Module which is also known as kiwi. We covered various forms of Credential Dumping with Mimikatz in our Series but we didn’t present a consolidated guide to use Mimikatz with Metasploit. Also, after the response from the PowerShell Empire for Pentester: Mimikatz Module, We were encouraged to create this resource.
Table of Content
- LSA Secrets
- Changing Password of a User
- DC Sync Attack
- Golden Tickets
- Purging Tickets
- Extract Credentials from Security Packages
- Mimikatz Commands
- Extract Wi-Fi Credentials
To begin with the demonstration, we first need to compromise a Windows machine that is a part of a Network governed by a Domain Controller. The choice of compromise is your own. After the initial compromise through Metasploit, we get a meterpreter shell. There are a bunch of inbuilt commands that are loaded inside the meterpreter shell if some commands or a set of commands are not loaded then they can be loaded in the form of a module. Mimikatz is also a module that needs to be loaded inside the meterpreter shell. After loading the module, you can hit the help command to see a list of different options and attacks that can be performed on the target machine through this meterpreter shell.
load kiwi help kiwi
The lsa_dump_sam module gets the SysKey to decrypt SAM entries (from registry or hive). It connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. As we have known that LSA is a system process that authenticates and logs users on the system. LSA authenticates the Domain Credentials that are used by the Operating System. The user information is validated by LSA by accessing the SAM of each computer. If there is a code that is running inside the LSA process than that process is able to access the credentials. LSA is able to store Reversibly encrypted plaintext, Kerberos tickets (ticket-granting tickets (TGTs), service tickets), NT hash, LAN Manager (LM) has. Here we can see that NTLM hash is extracted of the raj user.
Learn More: Credential Dumping: Local Security Authority (LSA|LSASS.EXE)
LSA secrets, Let’s understand what is the secret behind this? Earlier it was designed to store the cached domain records. After a while, Microsoft expanded its usage to store passwords, IE passwords, SQL Passwords, RAS Passwords and CISCO passwords and much more. A slice of the secrets can be seen in the screenshot below. This is quite less information than it was promised as this is a Local Lab Environment. Real Working Domain Controllers have much more data.
Changing Password of a User
The ability to change the password for a user can be not only a high-risk situation but also can be a tad bit annoying. The password_change module can help you do just that. There is an option to change the password if the old password is known. It generates and stores an NTLM hash for the new user. The other option is if you are able to extract the NTLM hash of a user, say using the lsadump then you have the ability to change the password for that user.
password_change -u raj -p 123 -P 9876 password_change -u raj -n <NTLM-hash> -P 1234
DC Sync Attack
As discussed earlier, the DC Sync attack allows an attacker to replicate Domain Controller (DC) behaviour. In simple words, it impersonates as a domain controller and requests other DC’s for user credential data via GetNCChanges. The only barrier is that you need a compromised machine and its user who is a member of the privileged account (Administrators, Domain Admin or Enterprise Admin).
dcsync_ntlm krbtgt dcsync krbtgt
Learn More: Credential Dumping: DCSync Attack
Golden Tickets is an attack that forges the Kerberos Ticket Granting Tickets (TGT) which in turn is used to authenticate users with the help of Kerberos. The Ticket Granting Services (TGS) is dependent upon the TGTs to verify the authenticity of tickets. This means that the forged ticket can be used to directly authenticate the attacker. These tickets can have a life span of up to a decade. That makes them so valuable almost like gold.
golden_ticket_create -d ignite.local -u pavan -s <SID> -k kerberos_ticket_use /root/ticket.kirbi shell dir\DC1.ignite.localc$
Learn More: Domain Persistence: Golden Ticket Attack
While working with the tokens and tickets, there will be a time where the number of tickets would be too large to work with. This scenario will arise sooner or later and that’s when the purge command will help you. It will purge all the tickets in the current session.
kerberos _ticket_list kerberos_ticket_purge kerberos_ticket_list
Extract Credentials from Security Packages
Microsoft provides the MSV1_0 authentication package for local machine logons that do not require custom authentication. The Local Security Authority (LSA) calls the MSV1_0 authentication package to process logon data collected by the GINA for the Winlogon logon process. The MSV1_0 package checks the local security accounts manager (SAM) database to determine whether the logon data belongs to a valid security principle and then returns the result of the logon attempt to the LSA. MSV1_0 also supports domain logons. MSV1_0 processes domain logons using pass-through authentication We can extract the hash using the creds_msv command on meterpreter as shown in the image.
Similarly, if we want to extract the credentials from the Kerberos Service, we can run the creds_kerberos to attack the Kerberos. This however have the ability to extract clear text passwords for the users.
SSP or Security Support Provider is a dynamic-link library (DLL) that implements the SSPI by making one or more security packages available to applications. Each security package provides mappings between an application’s SSPI function calls and an actual security model’s function. Security packages support security protocols such as Kerberos authentication and the Microsoft LAN Manager. Due to the connection of the SSP with the Kerberos, it can extract credentials in clear text as shown in the image below.
WDigest.dll was introduced in the Windows XP operating system The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. These exchanges require that parties that seek to authenticate must demonstrate their knowledge of secret keys. This process improves upon earlier versions of HTTP authentication, in which users provide passwords that are not encrypted when they are sent to a server, leaving them vulnerable to capture by attackers by using the creds_wdigest.
In case, you want to extract all the possible hashes or credentials from all the security packages on the target machine, then use creds_all command on the meterpreter. It will show all the credentials from the packages that we just discussed in one go.
Learn More: Credential Dumping: SAM
There are modules inside the Mimikatz that don’t have direct access in the form of commands in kiwi. This is where the ability to run the Mimikatz commands comes to the rescue. This acts as a normal shell with the ability to run the Mimikatz commands and perform almost all the attacks possible in the scenario.
Extract Wi-Fi Credentials
Among the attacks that duplicate that tickets to provide the ability to run the commands as a domain controller, the ability to read the Wi-Fi credentials seems a bit dim but this is not the case. The Wi-Fi passwords are not the most thought-out passwords. It usually the first things that come into the user’s mind. This provides insight as to how that particular user will create passwords. There is a good chance that the account of that user will have the same passwords. Even if it turned out to be that case, you get free Wi-Fi access and that’s not bad.
After the Credential Dumping Series which contained different tools that can be used against a specific vulnerability and PowerShell Empire for Pentester: Mimikatz Module which provided an insight on the ability of PowerShell Empire to attack the Windows Authentication Process. We felt the need for a guide that can help a person who is trying to get the reins of Metasploit.
Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on Twitter and LinkedIn