gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz
19.49k stars 3.74k forks

sekurlsa::ekeys logs incorrect key types #314

Open johnmccash opened 4 years ago

johnmccash commented 4 years ago

I was just familiarizing myself with overpass-the-hash, and I realized that the key types that are output by the current version of Mimikatz seem to be incorrect. All current entries in the output table under the line "* Key List :" are showing up as "des_cbc_md4" (I'm running it on Win10 2004). I can tell by the length that the first one is probably supposed to be aes256_hmac, and I know for sure that all the ones below it are actually my NTLM hash. This bug actually shows up partially in https://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash. You can see in the screenshot there that the first entry is aes256_hmac, the 2nd one is aes128_hmac (or, at least, I assume that these first two labels are accurate), and all the others, with five different labels, are all the same, and match the example NTLM hash. This is, of course, just a minor bug, but I would think it maybe deserves to be fixed, if possible?

gentilkiwi commented 4 years ago

Can you post some outputs and support data? :)

https://github.com/gentilkiwi/mimikatz/wiki/howto-~-open-an-issue

johnmccash commented 3 years ago

Sorry, but Windows isn't cooperating with me at the moment. I'm currently unable to get mimikatz to run on it at all. From what I remember, if you just run 'sekurlsa::ekeys' on a Win10 2004 system, all of the key types in the left-hand column show as des_cbc_md4, including the one that should clearly be labeled aes256_hmac. If you're unable to replicate the issue this way, maybe it was some vagary of my Windows system (which I've since spilled a drink on and had to have replaced). Sorry, John

eyalk5 commented 3 years ago

@johnmccash see https://github.com/gentilkiwi/mimikatz/issues/322. The pull request should solve this issue as well.

rasta-mouse commented 2 years ago

Sorry to necro this issue @gentilkiwi, but I ran into the same today. The output of sekurlsa::ekeys lists every key as des_cbc_md4, where the first entry should be aes256_hmac, and the remaining are junky rc4 ones.

Authentication Id : 0 ; 1647148 (00000000:0019222c)
Session           : Interactive from 1
User Name         : rasta
Domain            : TESTLAB
Logon Server      : WIN-5SISS4QHDSI
Logon Time        : 31/08/2022 14:33:55
SID               : S-1-5-21-3262091733-1485093339-2929888855-1104

         * Username : rasta
         * Domain   : TESTLAB.LOCAL
         * Password : (null)
         * Key List :
           des_cbc_md4       27c877bd9bb28c12e5cf22d2760947cd2a84da9a5a5caeeb882c52136640e8f1
           des_cbc_md4       fc525c9683e8fe067095ba2ddc971889
           des_cbc_md4       fc525c9683e8fe067095ba2ddc971889
           des_cbc_md4       fc525c9683e8fe067095ba2ddc971889
           des_cbc_md4       fc525c9683e8fe067095ba2ddc971889
           des_cbc_md4       fc525c9683e8fe067095ba2ddc971889

I'm using mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 which I just downloaded from the latest GitHub releases, on a Windows 10 Enterprise 10.0.19044 N/A Build 19044 target. LSASS dump from the target is attached for your viewing pleasure.

lsass.dmp.gz
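As an added example (not part of this thread and not mimikatz's own code): a small Python checker for the "* Key List :" block quoted above, of the kind an analyst can run over saved output to spot labels that cannot match the key they sit next to. It assumes the etype names in its table and the standard Kerberos key sizes for each family (AES-256 32 bytes, AES-128 and the RC4 variants 16 bytes, DES 8 bytes); the sample input is constructed to mirror the output in the comment above and is not taken from the attached dump.

```python
import re
from collections import Counter

# Constructed sample modelled on the ekeys output quoted in this issue.
SAMPLE_OUTPUT = """\
         * Username : rasta
         * Domain   : TESTLAB.LOCAL
         * Password : (null)
         * Key List :
           des_cbc_md4       27c877bd9bb28c12e5cf22d2760947cd2a84da9a5a5caeeb882c52136640e8f1
           des_cbc_md4       fc525c9683e8fe067095ba2ddc971889
           des_cbc_md4       fc525c9683e8fe067095ba2ddc971889
"""

# One "<etype label> <hex key>" line inside the key list.
KEY_LINE = re.compile(r"^\s*(?P<etype>[a-z0-9_]+)\s+(?P<key>[0-9a-fA-F]+)\s*$")

# Key size in bytes per etype family (RFC 3961/3962/4757). Which label strings the
# tool emits is an assumption here; the sizes are the protocol's, not the tool's.
EXPECTED_LEN = {
    "aes256_hmac": 32,
    "aes128_hmac": 16,
    "rc4_hmac_nt": 16,
    "rc4_hmac_old": 16,
    "rc4_md4": 16,
    "rc4_hmac_nt_exp": 16,
    "rc4_hmac_old_exp": 16,
    "des_cbc_md5": 8,
    "des_cbc_md4": 8,
    "des_cbc_crc": 8,
}


def parse_key_list(text):
    """Return (etype_label, hex_key) pairs that follow the '* Key List :' line."""
    entries = []
    in_list = False
    for line in text.splitlines():
        if "* Key List" in line:
            in_list = True
            continue
        if not in_list:
            continue
        m = KEY_LINE.match(line)
        if not m:
            break  # first non-key line ends the block
        entries.append((m.group("etype"), m.group("key").lower()))
    return entries


def infer_family(key_hex):
    """Name the etype family a key of this length could belong to (by size alone)."""
    n = len(key_hex) // 2
    return {
        32: "aes256_hmac",
        16: "aes128_hmac or rc4_* (NT hash)",
        8: "des_cbc_*",
    }.get(n, f"unknown ({n} bytes)")


def check_key_list(entries):
    """Flag entries whose label is unknown or whose key length contradicts the label."""
    findings = []
    for idx, (label, key) in enumerate(entries):
        n = len(key) // 2
        expected = EXPECTED_LEN.get(label)
        if expected is None:
            findings.append((idx, label, "unknown label"))
        elif expected != n:
            findings.append((idx, label,
                             f"{n}-byte key cannot be {label}; looks like {infer_family(key)}"))
    return findings


def duplicate_keys(entries):
    """Keys that appear more than once, as in the repeated rc4-family rows above."""
    counts = Counter(key for _, key in entries)
    return {k: c for k, c in counts.items() if c > 1}


if __name__ == "__main__":
    parsed = parse_key_list(SAMPLE_OUTPUT)
    for idx, label, why in check_key_list(parsed):
        print(f"entry {idx}: {label}: {why}")
    for key, count in duplicate_keys(parsed).items():
        print(f"key {key} listed {count} times")
```

Run against the sample it reports all three rows, since an 8-byte DES label cannot describe a 32-byte or 16-byte key, and notes that the 16-byte value is repeated; the same check over real output makes the mislabelling in this issue visible without having to eyeball key lengths.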