mimikatz 1.0 has just been released in alpha!
This new version is not a revolution compared to the "old" mimikatz 0.x, but a rationalisation of how it works (above all, it gives me much more flexibility when writing it in C/C++).
- http://blog.gentilkiwi.com/downloads/mimikatz_trunk.7z
- http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip
Modules
mimikatz is now organised around local modules:
- standard: basic commands
- crypto: cryptography and certificates
- system: system management
- process: process manipulation
- thread: thread manipulation
- service: service manipulation
- privilege: privilege manipulation
- winmine: manipulation of the Windows XP Minesweeper (demonstration)
- nogpo: to get around a few trivial GPOs
- samdump: offline SAM dump
- inject: library injector
- ts: Terminal Server manipulation
- divers: miscellaneous functions too small to stand on their own
Except for the "standard" module, the module and the called function are separated with the :: separator.
Example: inject::process lsass.exe sekurlsa.dll
Libraries
It is not necessarily the most discreet approach, but I like injecting libraries:
- sekurlsa: manipulation of security data in LSASS
- klock: desktop manipulation
- kelloworld: library to inject, as an example
Driver
Being administrator is not always enough; it can also be interesting to have an entry point in user mode.
A driver, mimikatz.sys, is therefore available.
- mimikatz.sys driver: kernel manipulation
Remote commands can be invoked by prefixing them with:
- @ for libraries (@ alone closes the connection to the library and unloads it)
- ! for the mimikatz driver (! alone closes the connection to the driver)
Unbeatable tool :), nice work.
Love this tool! Had no idea Windows stored passwords in plaintext, by the way.
Windows doesn't store passwords in plaintext; it keeps them in memory in a reversible way.
How did you come about finding the exploit?
This is not an exploit, but a memory trick :)
As said in http://blog.gentilkiwi.com/securite/pass-the-pass , found while searching the SSO mechanism of Terminal Server, and WDigest.
Great tool congrats.
Thanks for mimikatz ;)
Input « ^Z » in the mimikatz.exe command and it will run forever until you ctrl-c.
very good! thanks ~~~
3Q!
really an amazing tool! thanks for sharing! nice work!!
Can I use it on Win7?
for sure !
(don’t forget to run it as administrator ;))
Thank you, I will try it.
I ran it as administrator on Win7 SP1,
but got an error.
The hints are as follows:
Demande d’ACTIVATION du privilege: SeDebugPriviliege:OK
Erreur:Impossible d’injecter !; 拒绝访问
Erreur:pas ou plus de communication etablie
How so? Thanks.
Send me full console output.
This is the full console output.
Win7 SP1, run as administrator:
mimikatz # privilege::debug
Demande d’ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 580
Erreur : Impossible d’injecter ! ; (0x00000005) 拒绝访问。
mimikatz # @getLogonPasswords
Erreur : pas ou plus de communication établie
Access denied comes from 360 Safe security functions :)
Great! Thank U.
secpol.msc -> Local Policies -> User Rights Assignments -> Debug Programs
Remove Administrators/System
This is also how you stop Pass-The-hash from working too.
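The hardening the commenter describes (emptying the "Debug programs" user right) can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the original post or of mimikatz; it assumes secedit.exe is available and uses a hypothetical temporary file path.

```powershell
# Added example (not from the original post): list which principals hold the
# "Debug programs" right (SeDebugPrivilege) by exporting the effective local
# security policy with secedit and parsing its [Privilege Rights] section.
# Run from an elevated PowerShell prompt.

function Get-DebugPrivilegeHolders {
    # Hypothetical temporary path for the exported policy
    $exportPath = Join-Path $env:TEMP 'secpol-export.inf'

    # secedit writes the local policy as an INI-style .inf file
    & secedit.exe /export /cfg $exportPath /quiet | Out-Null
    if (-not (Test-Path $exportPath)) {
        throw 'secedit export failed; run this from an elevated prompt.'
    }

    # The relevant line looks like:  SeDebugPrivilege = *S-1-5-32-544
    $line = Get-Content $exportPath |
        Where-Object { $_ -match '^SeDebugPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $exportPath -Force

    # No line at all means nobody holds the right: the hardened state.
    if (-not $line) { return @() }

    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }

    foreach ($sid in $sids) {
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sid; Account = $account }
    }
}

$holders = @(Get-DebugPrivilegeHolders)
if ($holders.Count -eq 0) {
    Write-Output 'No principal holds SeDebugPrivilege ("Debug programs" is empty).'
} else {
    Write-Output 'Principals holding SeDebugPrivilege ("Debug programs"):'
    $holders | Format-Table -AutoSize
}
```

An empty result is the state described above; as later comments in this thread note, a process already running as SYSTEM does not need the right, so this check covers the user-right assignment only.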
I’ve tried on Win7 and XP SP3 (English) and I get this error on XP:
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 640
Erreur : Impossible d’injecter ! ; (0x00000008) Not enough storage is available to process this command.
Same with Win7 (64-bit), only the hex is different:
Erreur : Impossible d’injecter ! ; (0xc0000022) {Access Denied} A process has requested access to an object, but has not been granted those access rights.
Nevermind :) I was not using the 64-bit (x64) version on my 64-bit OS.
Also, to work around the removal of the SeDebug privilege via group policy and/or secpol.msc, you can run as SYSTEM (psexec -s cmd.exe) and everything works well. Very good tool, I hope you make even more additions! (@dumpall would be cool too, dump anything and everything this tool has to offer)
-william
0x00000008 is from an NT 5 RDP session, not because the debug right was removed ;)
In both cases: psexec -s XXX … no need for the debug right, and it bypasses session isolation in RDP ;)
You can solve the problem of CreateRemoteThread the
http://www.cnasm.com/view.asp?classid=51&newsid=292
Thanks!!! I’ve already relied on manual stack creation and got it working, but with NT 6 I prefer RtlCreateUserThread :)
An English version is necessary, please.
Isn’t this how Windows can send HTTP-Authentication using IE without prompting for the password? If so, could a program like Firefox, launched as the same user who is logged on, read those credentials and also pass HTTP-authentication without being prompted? This could add functionality to something like FF if this was so, could it not? I mean IE does it…
-mandingo-
In some way, yes. But Windows does not need it for Kerberos or NTLM auth, just for some Digest auth.
Firefox can use Kerberos and NTLM auth with SSO (see network.negotiate-auth.*), maybe WDigest too?
In any case, no need for a hack for that; Windows allows « normal » APIs to obtain responses to challenges.
I meant digest-auth. I wonder if FF could read it and then pass it on, or if they choose not to :)
It seems it’s a choice; SSPI supports WDigest.
cf. http://technet.microsoft.com/library/cc780455.aspx
help me
On NT 5 RDP use psexec -s … (and avoid privilege::debug ;))
FYI, Windows 8 (dev-preview) is working for me so far. Haven’t tried all the commands yet but so far so good. Is there a way to run all commands planned? Maybe output to a single file?
-mandingo-
I have some surprises for the Windows 8 Consumer Preview :)
There are some problems with the current version; internally it is at 90% for x64 and 70% for x86.
Is source code available? Thanks
No, but getXXFunctions lists all you need…
Let’s add to the collection of thanks in foreign languages :)
Thank you!
Hey, how about a natively english version? I had french in school, but it’s a bit rusty tbh ;)