gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

kuhl_m_sekurlsa_pth ; CreateProcessWithLogonW (0x00000544 #313

Open KrE80r opened 3 years ago

KrE80r commented 3 years ago

Hi,

Getting the mentioned error with Windows Defender turned off and running as admin.

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::pth /user:normaluser /domain:LAPTOP /impersonate /ntlm:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
user    : normaluser
domain  : LAPTOP
program : C:\mimikatz.exe
impers. : yes
NTLM    : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ERROR kuhl_m_sekurlsa_pth ; CreateProcessWithLogonW (0x00000544)

mimikatz # version /full /cab

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 18363 (arch x64)
msvc 150030729 207

lsasrv.dll      : 10.0.18362.1082
msv1_0.dll      : 10.0.18362.1016
tspkg.dll       : 10.0.18362.836
wdigest.dll     : 10.0.18362.959
kerberos.dll    : 10.0.18362.1016
dpapisrv.dll    : 10.0.18362.387
cryptdll.dll    : 10.0.18362.113
samsrv.dll      : 10.0.18362.1049
rsaenh.dll      : 10.0.18362.1
ncrypt.dll      : 10.0.18362.1
ncryptprov.dll  : 10.0.18362.295
wevtsvc.dll     : 10.0.18362.1049
termsrv.dll     : 10.0.18362.836

CAB: mimikatz_x64_sysfiles_18363
 -> lsasrv.dll
 -> msv1_0.dll
 -> tspkg.dll
 -> wdigest.dll
 -> kerberos.dll
 -> dpapisrv.dll
 -> cryptdll.dll
 -> samsrv.dll
 -> rsaenh.dll
 -> ncrypt.dll
 -> ncryptprov.dll
 -> wevtsvc.dll
 -> termsrv.dll

This account is a Microsoft account (i.e. attached to an email on https://account.microsoft.com/), but as far as I can tell it's treated as a local account.

Did PtH stop working on this version of Windows, or am I doing something wrong?

gentilkiwi commented 3 years ago

The error is about CreateProcessWithLogonW, not really about PtH operation.

What is the result without impersonation? And without another program?

KrE80r commented 3 years ago

Thx for the fast reply.

The error is the same, with/without impersonation. I tried running "cmd", "whoami", also the same error.

gentilkiwi commented 3 years ago

Interesting, do you have problems when running runas /noprofile /netonly /user:LAPTOP\normaluser cmd ?

KrE80r commented 3 years ago

C:\WINDOWS\system32>runas.exe /noprofile /netonly /user:LAPTOP\normaluser cmd
Enter the password for LAPTOP\normaluser:
Attempting to start cmd as user "LAPTOP\normaluser" ...
RUNAS ERROR: Unable to run - cmd
1348: The validation information class requested was invalid.

The above was run using the plain-text password.

It looks interesting, is it because this is an account connected to a Microsoft live account?

KrE80r commented 3 years ago

Worth mentioning also that in this test the system is offline, i.e. no internet access.

Quagliada3kg commented 10 months ago

so... no solution so far?