Dumping Hashes in Active Directory (Mimikatz)


Mimikatz is a tool primarily used for retrieving sensitive information from Windows operating systems. It’s commonly used for post-exploitation and dumping hashes, but it can do a lot more. In this post I’ll go over how we can use Mimikatz to dump hashes from a Windows machine after we’ve compromised it.

To start off, I have a shell as an Administrator on a Windows machine and have brought mimikatz.exe over for post exploitation.

Our goal here is to dump hashes.

We can run Mimikatz using “.\mimikatz.exe”.

Then, we need to run privilege::debug, which grants Mimikatz the debug privilege it needs to read LSASS memory:

privilege::debug

After that, all we have to do is run sekurlsa::logonpasswords. And BOOM, we get the hashes.

sekurlsa::logonpasswords

The output is pretty large, but in it we can see the hashes for the different users that have logged into this machine.
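As an added example from the detection side (not part of the original post, and not Mimikatz or PowerView code): sekurlsa::logonpasswords works by opening a handle to lsass.exe and reading its memory, which is exactly what Sysmon Event ID 10 (ProcessAccess) records. The Python below parses a handful of constructed Sysmon-style records and flags any process outside a small allowlist that obtains PROCESS_VM_READ on lsass.exe. The field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon; the allowlist, the sample image paths and the sample access masks are assumptions made for this example.

```python
# Added example (not from the original post): flag processes that open a
# read handle to lsass.exe, the access pattern sekurlsa::logonpasswords needs.
# The records below are CONSTRUCTED to resemble Sysmon Event ID 10
# (ProcessAccess) fields; they are not telemetry from the post.
import re

# Windows process access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Images that routinely open lsass.exe on a healthy host. This allowlist is
# an assumption for the example and must be tuned per environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

SAMPLE_EVENTS = [  # constructed sample records, one per line
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400",
    "EventID=10 SourceImage=C:\\Users\\Public\\mimikatz.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\notepad.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a 'key=value key=value' record into a dict of strings."""
    return dict(FIELD_RE.findall(line))


def is_suspicious_lsass_access(ev):
    """True when a non-allowlisted process obtains VM_READ on lsass.exe."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    # Reading credential material requires PROCESS_VM_READ. Query-only
    # handles such as 0x1000 or 0x1400 are normal for many system components
    # and would not be flagged even from an unknown source.
    return bool(granted & PROCESS_VM_READ)


def flag_lsass_access(lines):
    """Return the SourceImage of every record that looks like LSASS dumping."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            flagged.append(ev["SourceImage"])
    return flagged


if __name__ == "__main__":
    for src in flag_lsass_access(SAMPLE_EVENTS):
        print("suspicious LSASS access from", src)
```

The allowlist and the query-only masks need tuning per environment, since backup agents and EDR sensors also touch LSASS. On the prevention side, running LSASS as a protected process (LSA Protection, RunAsPPL) or enabling Credential Guard limits what logonpasswords can recover even when the attacker already holds local Administrator.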

You might think these hashes are useless since we’ve already got Administrator privileges on this machine. But if we are able to get the hash of a Domain Admin, we could compromise the Domain Controller, which in turn would compromise the whole domain that this machine is part of.

Let’s take a couple of steps back and exit Mimikatz to identify all Domain Admins using a tool called PowerView.ps1.

To find all Domain Admins, we can dot-source PowerView and then run this command:

. .\PowerView.ps1
Get-NetGroupMember -GroupName "Domain Admins"

Above, we can see three users that are Domain Admins: T.Stark, sqlservice, and Administrator.

Note: “Administrator” will always be a Domain Admin, but this isn’t the Administrator we’ve compromised. The Administrator we currently have a shell as is ONLY the local Administrator of this Windows machine. The domain Administrator (the one on the Domain Controller) has Administrator privileges over all the machines in the Domain.

But by dumping hashes from the Windows machine, we managed to get the NTLM hash of the user T.Stark.

We can try a pass-the-hash attack on the Domain Controller to see if it works:

Thank you for reading! If you found this post useful, be sure to share it!