Mimikatz is a tool that enables extracting plain text passwords, hashes, and Kerberos tickets from memory. It can be used to perform pass-the-hash, over-pass-the-hash, and pass-the-ticket authentication attacks. Mimikatz uses the Sekurlsa module to dump credentials stored in the Local Security Authority Subsystem Service (LSASS) process memory. It decrypts encrypted credentials using the same functions LSASS uses, allowing extraction of passwords in plain text. Pass-the-hash allows authenticating with only the NTLM hash by replacing the hash used in authentication with the target user's hash.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers:
- The key phases and activities of the vulnerability management lifecycle
- The tools you need for an effective vulnerability management program
- How to prioritize your VM needs
- How an effective VM program can help you measurably reduce risk and meet compliance objectives
You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program
In this presentation, Erik Van Buggenhout (NVISO founder & SANS Instructor) zooms in on Windows 10 CredentialGuard and how it can be used to protect against LSASS hash dumping (e.g. using Mimikatz). Want to learn more? Join us at SANS SEC599!
CHAPTER 26
WINDOWS SECURITY
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2
26.2 WINDOWS VULNERABILITIES ................................................. 18
26.3 WINDOWS SECURITY DEFENSES ............................................ 20
26.4 BROWSER DEFENSES ............................................................ 35
26.5 CRYPTOGRAPHIC SERVICES ................................................... 37
26.6 COMMON CRITERIA............................................................... 39
26.7 RECOMMENDED READING AND WEB SITE ................................ 40
26.8 KEY TERMS, REVIEW QUESTIONS, PROBLEMS, AND PROJECTS ... 40
Contributed by:
Michael Howard
Senior Security Program Manager
Microsoft Corporation
Windows is the world’s most popular operating system and as such has a
number of interesting security-related advantages and challenges. The
major advantage is any security advancement made to Windows can protect
hundreds of millions of nontechnical users, and advances in security
technologies can be used by thousands of corporations to secure their
assets. The challenges for Microsoft are many, including the fact that
security vulnerabilities in Windows can affect millions of users. Of course,
there is nothing unique about Windows having security vulnerabilities; all
software products have security bugs. However, Windows is used by so
many non-technical users that Microsoft has some interesting engineering
challenges.
This chapter begins with a description the overall security architecture
of Windows 2000 and later (Section 26.1). It is important to point out that
versions of Windows based on the Windows 95 code base, including
Windows 98, Windows 98 SE, and Windows Me, had no security model, in
contrast to the Windows NT code base, on which all current versions of
Windows are based. The Windows 9x codebase is no longer supported.
The remainder of the chapter covers the security defenses built into
Windows, most notably the security defenses in Windows Vista and later.
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE
Anyone who wants to understand Windows security must have knowledge of
the basic fundamental security blocks in the operating system. There are
many important components in Windows that make up the fundamental
security infrastructure, among them the following:
• The Security Reference Monitor (SRM)
• The Local Security Authority (LSA)
• The Security Account Manager (SAM)
• Active Directory (AD)
• Authentication Packages
• WinLogon and NetLogon
Let’s look at each in detail.
The Security Reference Monitor
This kernel-mode component performs access checks, generates audit log
entries, and manipulates user rights, also called privileges. Ultimately, every
permission check is performed by the SRM. Most modern operating systems
include Security Reference Monitor type functi ...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?
This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won’t be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
Active Directory attack mitigation
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members as well as AD administrators.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
How libraries can support authors with open access requirements for UKRI fund...
Mimikatz
1. Mimikatz
A TOOL TO PLAY WITH WINDOW SECURITY
DOWNLOAD: HTTPS://GITHUB.COM/GENTILKIWI/MIMIKATZ
RISHABH SHARMA
2. Mimikatz Overview
Written in C language
For both Windows x86/x64 architecture
Develop by Benjamin Delpy
Tool use to gather credential in plain text from
Window memory
Mostly use in Red Team Assessment
3. Mimikatz Capabilities
Extract plain text password, hashes and Kerberos tickets from memory
Use to build Golden Ticket
Use to build Silver Ticket
Use to build Trust Ticket
Authentication Techniques:
Use for Pass-the-Hash
Use for Over-Pass-he-Hash
Use for Pass-the-Tickets
4. Why Need Mimikatz?
Scenario1: We assume that local administrator logged into the system and then log off
from the system. Now attacker logged into the system as a normal user. By some way, the
attacker escalates the permission to admin level. By using Mimikatz attacker may able to
get the admin clear text or NTLM hash, etc. The attacker uses that credential for further
exploitation.
Scenario 2: We assume that a domain administrator logged into the system remotely let
say by SSH, SMB, RDP, etc. Now attacker logged into the system as a normal user. By
some way, the attacker escalates the permission to local admin level, which is the
minimum requirement of Mimikatz. By using Mimikatz attacker may able to get the
domain admin clear text or NTLM hash. The attacker uses that credential for further
exploitation like to access domain controller.
Note: Attacker may use the authentication techniques available in Mimikatz for further
exploitation
5. Mimikatz Modules
Standard
Privilege
Crypto
Sekurlsa
Kerberos
Lsadump
Vault
Token
Event
Ts
Process
Service
Net
Misc
Library mimilib
Driver mimidrv
6. Sekurlsa Module to Dump Password
This module is used to extracts passwords, keys, pin codes, tickets and hashes from the
memory of LSASS (Local Security Authority Subsystem Service).
For running Sekurlsa module, Mimikatz need some rights:
Administrator Right to get debug privilege via privilege::debug
or
SYSTEM account, via post exploitation tools. If Mimikatz executed by SYSTEM account, then
privilege::debug is not needed. We directly run the sekurlsa::logonpasswords. We can use
PsExec.exe –s cmd.exe to run CMD by SYSTEM account.
Note: The system account and the administrator account (Administrators group) have the
same file privileges, but they have different functions.
7. Sekurlsa Module Commands
Command to check user is in administrator group or not.
Net localgroup administrators
Command to check Mimikatz debug privilege
Mimikatz# privilege::debug
Command to extract passwords, hashes, keys, pin codes and tickets from the memory of LSASS.
Mimikatz# sekurlsa::logonpasswords
Command to run cmd.exe by SYSTEM account.
PsExec.exe/PsExec64.exe –s –i cmd.exe
Command to get clear text password from offline memory dump.
Mimikatz # sekurlsa::minidump lsass.dmp
Mimikatz # sekurlsa::logonPasswords full
8. Run Mimikatz without
Administrator Privilege
First command is to check
username.
Second command is to
check if user exist in
administrator group or not.
In “debug” and
“logonpasswords”
commands, we got the
errors because Mimikatz
was not running by
Administrator privileges.
9. Run Mimikatz with
Administrator Privilege
Mimikatz executed by
Administrator privileges.
In the second command,
when we executed the
“logonpasswords”
command before the
“debug” command, we got
an error because Mimikatz
had executed by
Administrator privileges not
by SYSTEM privileges.
10. Local Security Authority Subsystem Service (LSASS)
LSASS (Local Security Authority Subsystem Service) is a Windows Based Service which provides the user with
the functionality of SSO (Single Sign-On).
LSASS responsibilities:
To verify user credentials.
Handle the password change.
Create access token.
Authenticate users for accessing resources or services or applications.
Check for user rights.
LSASS supports Kerberos (kerberos.dll), NTLM (msv1_0.dll) or Digest Authentication (wdigest.dll). After a
user’s authentication, his credentials are stored in the memory of the system. This is done so that the
security packages can access it. Depending on the package, the password is stored as a hash value,
encrypted or even in plaintext.
Note: Every process has memory.
11. What is Single Sign-On (SSO)
Single sign-on (SSO) is a session and user authentication service that permits a user to use
one set of login credentials (e.g., username and password) to access multiple
applications/services/resources.
A user login into the Windows system with the entry of his username and password. After
this, all resources/applications/services the users have rights are accessible without having
to enter the credentials anymore. This concept is referred to as Single-Sign-On and is
implemented in Windows with LSASS.
The LSASS service authenticates the end user for all the applications the user has been
given rights to and eliminates further prompts when the user switches applications during
the same session.
12. How Mimikatz Returns Plain Text Credentials?
The problem is that password encryption is implemented using the standard Win32
functions LsaProtectMemory and LsaUnprotectMemory, which are used to
encrypt/decrypt a certain area of memory.
Mimikatz allows you to obtain the encrypted data from the memory, decrypt them using
LsaUnprotectMemory function and display all accounts of users authorized in the system
and their passwords (decrypted, in plain text!).
13. Mimikatz Sekurlsa Flow Diagram
Windows Login
(Username and
Password)
Credentials stored in LSASS process memory (Store password using reversible encryption using the
standard Win32 functions LsaProtectMemory and LsaUnprotectMemory, which are used to
encrypt/decrypt a certain area of memory)
Mimikatz (Obtain encrypted data from memory)
Mimikatz decryption (Decrypt them using LsaUnprotectMemory function
and display all accounts of users authorized in the system and their
passwords decrypted, in plain text)
14. Other Ways To Dump LSASS Memory
By using Task manager
By using Sysinternal tool, Procdump.exe
By using PowerShell script OutMiniDump.ps1
By using Dumpert (Available on GitHub)
By Executing a native comsvcs.dll DLL found in Windowssystem32 with rundll32
15. Sekurlsa Module Login Operation
The juicy information that we get by dumping the LSASS memory can be used further by
using the below techniques to login into the system.
Pass-The-Hash
Over-Pass-The-Hash
Pass-The Tickets
16. Pass-The-Hash
Pass-The-Hash is a technique that is used to gain access to the system by using NTLM
hash of the user in that system.
Mimikatz can perform pass-the-hash operation by starting the process by fake cleartext
password and then replace NTLM of the fake password with real NTLM hash of the user.
17. Why Mimikatz use fake password?
To understand the reason of fake password, first understand the process of window authentication.
Window Authentication Process:
The user provides their username, password, and domain name (If AD authentication) at the interactive
window logon screen of a client.
The window client system change the cleartext password to NTLM hash and discards the cleartext
password.
The client send the username in cleartext to the domain controller (If AD authentication) or locally to
the authentication package (LSA).
The domain controller/local system generate 16-byte random number challenge or nonce and send it
back to client.
The client encrypts this challenge with the hash of the user's password that is mentioned in step 2 and
return the response to the domain controller/local system.
18. Why Mimikatz use fake password?
Domain controller/local system have the three values for authentication:
Username in cleartext
Challenge sent to the client
Response received from the client
The domain controller/local system uses the username to retrieve the NTLM hash of the user's
password from Active directory/Security Account Manager database (SAM).
It uses the password hash to encrypt the challenge and compare the results with the response that
received from the client.
If they are identical, authentication is successful.
19. Why Mimikatz use fake password?
Mimikatz use fake password when user/attacker only have NTLM hash of the user and
cracking the hash to get cleartext password is very time consuming when Window allows to
use NTLM hash by pass-the-hash technique for login.
Mimikatz use fake cleartext password and that cleartext password change to NTLM hash as
mentioned in step 2 , when challenge received from the domain controller/local system for
encryption, the Mimikatz replace the fake NTLM hash with the original user NTLM hash for
encryption of challenge as mentioned in step 5.
20. Ways to Capture NTLM Hashes
Sniff SMB challenge-response over the network
By using Responder
Capture NTLM hash through capture SMB & word UNC injector
Capture NTLM hash through capture SMB & spoof NBNS
Capture NTLM hash with Office [DOT] XML Documents
From SAM file
22. Pass-The-Hash Commands
Arguments:
/user - the username you want to impersonate, keep in mind that Administrator is not the only name
for this well-known account.
/domain - the fully qualified domain name - without domain or in case of local user/admin, use
computer or server name, workgroup or whatever.
/rc4 or /ntlm - optional - the RC4 key / NTLM hash of the user's password.
/aes128 - optional - the AES128 key derived from the user's password and the realm of the domain.
/aes256 - optional - the AES256 key derived from the user's password and the realm of the domain.
/run - optional - the command line to run - default is: cmd to have a shell.
