PoSHMagiC0de Posted October 11, 2018

Someone updated the PS version of the payload with the new PS-injecty way of use, so it works with Windows 10 again. I cannot tell if the original repo from PowershellMafia is updated, but here it is updated in Empire.

https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Mimikatz.ps1

Tested and works. Of course I turned Defender off. You want it to work from LaZagne? You will have to edit LaZagne's source for the part that has the old mimi, update it with the new PS file and compile. Folks were complaining about not being able to dump creds in Win 10 with invoke-mimi*; well, here is one that will work, minus AV probably killing it.
icarus255 Posted October 12, 2018

Thanks, amigo. I never had much success with the cred-stealing payloads but never really investigated them properly either. I will definitely check this out over the weekend.
PoSHMagiC0de (Author) Posted October 26, 2018

Doh, new Invoke-Mimikatz does not work anymore in newer updates of Win10. MS implemented security fixes that break Invoke-ReflectivePEInjection. So, mimikatz inside does work, but the method Invoke uses to inject it does not. That also breaks my injection techniques for Windows 10. Doesn't matter, as AV on Windows 10 will detect Invoke-Mimikatz.ps1 even if I heavily obfuscate the PowerShell with Invoke-Obfuscation.

Method on Win 10 will have to be a dropper after you kill the real-time AV. Once done you could drop the original mimikatz.exe to the drive (sorry, only way on new Win10 right now) and run it to drop a log in its current directory with:

mimikatz log privilege::debug sekurlsa::logonpasswords exit

and it will drop a mimikatz.log to its current folder where you can pick it up and clean up. Or in PowerShell, after it is dropped, you can run:

$results = .\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit

All the results will be in $results for you to send or save however you like.
PoSHMagiC0de (Author) Posted November 1, 2018

I hate going back and forth. It is working again. The link I posted above has not been updated yet; it is still waiting to be pushed. The location of the unpushed version that works is here.

https://github.com/EmpireProject/Empire/blob/7a39a55f127b1aeb951b3d9d80c6dc64500cacb5/data/module_source/credentials/Invoke-Mimikatz.ps1

That one will definitely work. I was confused when I went into the one I listed before and saw the date of the mimikatz.
mr.buddy Posted December 1, 2018

Great find, dude. Tested and working 😎
Crumb93 Posted December 18, 2018

Thank you! I was just looking for an updated version of the script.
eeeeeesy Posted December 24, 2019

@PoSHMagiC0de Compared to the rest, this script actually runs. Thank you, but I'm having a small problem. My issue is that I get a memory error and it exits. But at least it's not a code error. Can you tell me what I'm doing wrong? Here is the error.

  .#####.   mimikatz 2.1.1 (x64) built on Aug 3 2018 17:05:14 - lil!
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(powershell) # exit
Bye!
PoSHMagiC0de (Author) Posted December 26, 2019

Yeah, that version doesn't work anymore. Here is the part where people will need to begin the hunt for their own working copy. I no longer use the PowerShell version of mimikatz but have moved over to .NET solutions. There is probably a working version out there, but I do not have it. I actually compiled me a .NET 4.0 version of SharpSploit's DLL and use that reflectively for stuff in PowerShell if I use PowerShell, or I create an app to ingest it. So, I guess you can say I actually created my own PowerShell version borrowing .NET versions of the libraries from SharpSploit.
eeeeeesy Posted December 27, 2019

11 hours ago, PoSHMagiC0de said: "Yeah, that version doesn't work anymore. [...]"

@PoSHMagiC0de Thank you for your response. I managed to get this PowerShell script working with this command as administrator:

Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::tspkg"'

I read that minidump still works instead of the LSA permission method. Now the only error I get is error 0x2, which is a file-not-found error because tspkg can't find the .dmp file. I can't find minidump in the script to see if the proper code is there to create the .dmp file or what path the .dmp file might be saving to, and I believe the minidump code might be in the encoded base64 string, which I do not know how to decode. Is it possible for you to post a completely decoded version of Invoke-Mimikatz.ps1? I like the default PowerShell script because I do not want to install .NET Framework to run it. I really want to get this script working if that's possible, to edit the save path of the .dmp file.

Here is the command to run Invoke-Mimikatz along with the successful minidump and error 0x2 on tspkg: https://pastebin.com/kFTsp2Zk
PoSHMagiC0de (Author) Posted December 27, 2019

Cool.
eeeeeesy Posted December 28, 2019

On 12/27/2019 at 4:32 PM, PoSHMagiC0de said: "Cool."

So do you have this totally decoded Invoke-Mimikatz script that I can check the save path of the .dmp file in?
PoSHMagiC0de (Author) Posted December 30, 2019

BC Security has forked the PowerShell Empire project to their GitHub and updated it and all its modules, so their revived version of PS Empire has an updated copy of the mimikatz PowerShell script, updated 11-25 of this year, that works out of the box.

Oh, you always have to be admin and UAC has to be bypassed for any version of mimikatz to work.
eeeeeesy Posted December 31, 2019

21 hours ago, PoSHMagiC0de said: "BC Security has forked the PowerShell Empire project to their GitHub [...] Oh, you always have to be admin and UAC has to be bypassed for any version of mimikatz to work."

@PoSHMagiC0de Ok, so I got the BC Security Empire Invoke-Mimikatz 11-25 update just now and I still have the same error 0x2, which means the .dmp file is not found, even when running as administrator and bypassing UAC. I've done a search on my entire C drive for lsass.dmp and can't find it because the .dmp file is never created. Can you please post a link directly to the Invoke-Mimikatz.ps1 that I should try? Maybe I still have the wrong one.

Invoke-Mimikatz -Command '"log %TEMP%\mimikatz.log" "privilege::debug" "sekurlsa::minidump %TEMP%\lsass.dmp" "sekurlsa::tspkg"'

mimikatz log:

mimikatz(powershell) # log %TEMP%\mimikatz.log
Using 'C:\Users\user4\AppData\Local\Temp\mimikatz.log' for logfile : OK

mimikatz(powershell) # privilege::debug
Privilege '20' OK

mimikatz(powershell) # sekurlsa::minidump %TEMP%\lsass.dmp
Switch to MINIDUMP : 'C:\Users\user4\AppData\Local\Temp\lsass.dmp'

mimikatz(powershell) # sekurlsa::tspkg %TEMP%\lsass.dmp
Opening : 'C:\Users\user4\AppData\Local\Temp\lsass.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
PoSHMagiC0de (Author) Posted December 31, 2019

?? The one for BC Security worked fine for me. Used it with no parameters. Logged in to a fully updated Win10 VM as administrator, UAC bypassed, Defender turned all off.
eeeeeesy Posted December 31, 2019

@PoSHMagiC0de I'm just trying to use it to dump passwords from memory. Any idea how I do that?
PoSHMagiC0de (Author) Posted December 31, 2019

If I intend on doing a proc dump of lsass, I usually use another program or script to do a minidump of lsass so well-known malicious bins (like mimikatz) don't have to be loaded on the victim. I copy that off and then use the non-PowerShell mimikatz to process it, or pypykatz, or any of the other dump file processors out there. If I am on the box, I have high privilege and I intend on using mimikatz, I might as well just process the memory in place rather than leave artifacts writing to disk.
eeeeeesy Posted December 31, 2019

7 minutes ago, PoSHMagiC0de said: "If I intend on doing a proc dump of lsass, I usually use another program or script to do a minidump of lsass [...]"

How can I do all that though? It might take a while to post all that on here, so can you come on irc.hak5.org #hak5 and help me when you have time, please?
kuyaya Posted September 4, 2020

Hey all. For anyone still searching for a solution, I found one! I've been searching for a working solution just to dump the logon hashes with PowerShell. Haven't found a working one, but instead found a working Invoke-Mimikatz! The one from PowerSploit and Empire doesn't work, but the one from nishang does.

Link: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1

Time to obfuscate it...

Update (09.09, 23:41 CEST): Successfully obfuscated! I tested it on the latest Win10 (version 1903, build 18362.1016). AV was Windows Defender, so it also shouldn't get detected by other AVs. I'm obviously not gonna upload it to VirusTotal; I don't want that script to be detectable 1 week later... GL to all who also try it, it's totally possible.
Koden Posted October 6, 2020

On 9/5/2020 at 7:49 AM, kuyaya said: "Hey all. For anyone still searching for a solution, I found one! [...] Successfully obfuscated! [...]"

..and how did you obfuscate it enough to evade AV?
kuyaya Posted October 6, 2020

That's my little secret 😉 If I upload it here, I'm sure some idiots will upload it to VirusTotal and then it'll get flagged soon. There's a lot of information about obfuscating scripts out there, I'm sure you'll find your way :).
Koden Posted October 7, 2020

On 10/7/2020 at 3:37 AM, kuyaya said: "That's my little secret 😉 [...]"

Definitely not going to ask you to upload and give away, as that defeats the purpose. But can you point me in a direction for an obfuscation that works? I've tried stuff like HideMyPS and Invoke-Obfuscation but they didn't work, as even Windows AV picked them up upon execution.
kuyaya Posted October 13, 2020

Hmm, sorry. I won't tell you that. Let's see if I find some other ways and then I'll PM you about it, ok?
eeeeeesy Posted December 29, 2020

On 9/4/2020 at 5:49 PM, kuyaya said: "Hey all. For anyone still searching for a solution, I found one! [...] The one from PowerSploit and Empire doesn't work, but the one from nishang does. [...]"

Is there a working Get-ChromeDump.ps1 or Get-SessionCookieDump.ps1, or nishang's Get-WebCredentials.ps1? Or do you know how to get the Empire version of ChromeDump.ps1 to work? When I run the Empire version, it dumps the search history fine, but when it dumps the username and password the password does not show up; just the username and search history show up. I also get an error when running Get-ChromeDump.ps1. Here is the error when running Get-ChromeDump.ps1:

Exception calling "Unprotect" with "3" argument(s): "The parameter is incorrect. "
At line:153 char:9
+         $decryptedBytes = [Security.Cryptography.ProtectedData]::Unpr ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
Exception calling "GetString" with "1" argument(s): "Array cannot be null. Parameter name: bytes"
At line:154 char:9
+         $plaintext = [System.Text.Encoding]::ASCII.GetString($decrypt ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException
eeeeeesy Posted December 29, 2020

On 9/4/2020 at 5:49 PM, kuyaya said: "[...] The one from PowerSploit and Empire doesn't work, but the one from nishang does. [...]"

I also tried nishang's mimikatz with the command

Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

But I get this error about /unprotect, so it's not decrypting the login data from Chrome.

Invoke-Mimikatz : A positional parameter cannot be found that accepts argument '/unprotect'.
At C:\Users\user4\Desktop\newest working mimikats by nishang\Invoke-Mimikatz.ps1:2754 char:1
+ Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chr ...

Could you tell me what I'm doing wrong?
This topic is now archived and is closed to further replies.