PoSHMagiC0de Posted October 12, 2017

So, many of you in the Bash Bunny and Rubber Ducky forums are noticing that mimikatz/mimidogz in PowerSploit has issues with Win10 after the Creators Update. It can dump hashes from the SAM, but it could not get the cleartext passwords like it used to do, or currently does on Windows 7. Well, Gentilkiwi decided to get to work and has a new version of mimikatz that will get the cleartext passwords from Windows 7 Creators Update. You can find it below.

https://github.com/gentilkiwi/mimikatz

Now, what about Invoke-Mimikatz in PowerSploit or Mimidogz? Well, a few of us have been trying to get it to work in the module by substituting the base64-encoded binaries of the old mimikatz with the new base64-encoded binaries. It does work, but will not receive the parameters. The command-line parameters for dumpcreds have changed and the mimi command "privilege::debug" has to be run first, before the usual 2 other commands afterwards, "sekurlsa::logonpasswords exit". What I get is the mimi interactive shell, which is fine for live stuff, but if trying to automate then this is a stopper. Also, it seems to crash out the PowerShell process it is in when you exit out of it.

If you use the direct executable, Windows Defender will see it and stop/kill/remove it. Avast will definitely kill it; I use Avast as the most difficult of scanners to obfuscate from. If I beat Avast at full settings, there is a good chance all the others will be the same.

So, if others want to try and help figure it out, check out the issues thread for it that started on PowerSploit's repo.
rottingsun Posted October 22, 2017

With mimikatz and all the derivatives being flagged more and more these days, I find it more effective to take a memdump of lsass using procdump, then run it through mimi in minidump mode.
PoSHMagiC0de (Author) Posted October 22, 2017

2 hours ago, rottingsun said:
> With mimikatz and all the derivatives being flagged more and more these days, I find it more effective to take a memdump of lsass using procdump, then run it through mimi in minidump mode.

I agree. And powerdump works for getting SAM hashes. Token manipulation works for getting tokens. Mimikatz is still good for golden tickets, though. But yeah, there are other methods to use mimi to get creds.