Mimikatz on Windows 11 with/without Credential Guard

gentilkiwi / mimikatz

A little tool to play with Windows security

http://blog.gentilkiwi.com/mimikatz

19.3k stars 3.7k forks source link

Mimikatz on Windows 11 with/without Credential Guard #425

Open omrirefaeli opened 1 year ago

omrirefaeli commented 1 year ago

Hey!

I looked at previous issues and couldn't find a definitive answer to these 2 questions:

Does Mimikatz (Trunk) work on a machine with Credential Guard activated?
Does Mimikatz work on a Windows 11 machine?

I tried both and couldn't get the sekurlsa::logonpasswords plugin to work. Was looking for an answer or should I keep trying?

Thanks!

rakbladsvalsen commented 1 year ago

mimikatz no longer works even on recent versions of IWindows 10.

ebalo55 commented 11 months ago

This pull request https://github.com/gentilkiwi/mimikatz/pull/432 may be the fix we're all looking for. I've tested the code from the above-linked pull request, apart from the required modification to the built environment in order to target W11, it works like a charm, tested in the latest W11 fully patched.

Compiling from sources requires Visual Studio, perfectly fine with the latest community 2022 release. Required modification in order to compile from sources:

Install MSVC for your compiler version (mine was the latest)
Retarget the project to your compiler version
Disable treating warnings as errors

Then compile ONLY the "mimikatz" sub-project as the other are not needed and requires further compilation effort.

BubbleMaker2089 commented 11 months ago

Unfortunately, even after PR#432 it does not return sha1.

ebalo55 commented 11 months ago

But it does NTLM (at the moment), as a red teamer that's even better

Il lun 23 ott 2023, 16:22 BubbleMaker2089 @.***> ha scritto:

Unfortunately, even after PR#432 it does not return sha1.

— Reply to this email directly, view it on GitHub https://github.com/gentilkiwi/mimikatz/issues/425#issuecomment-1775317768, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADAA3DAVGGAETYCAKWLYIO3YAZ4R5AVCNFSM6AAAAAAXN4KUFCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONZVGMYTONZWHA . You are receiving this because you commented.Message ID: @.***>

BubbleMaker2089 commented 11 months ago

But it does NTLM (at the moment), as a red teamer that's even better Il lun 23 ott 2023, 16:22 BubbleMaker2089 @.> ha scritto: … Unfortunately, even after PR#432 it does not return sha1. — Reply to this email directly, view it on GitHub <#425 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADAA3DAVGGAETYCAKWLYIO3YAZ4R5AVCNFSM6AAAAAAXN4KUFCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONZVGMYTONZWHA . You are receiving this because you commented.Message ID: @.>

But is it possible to decrypt specific masterkey using NTLM hash retrieved from sekurlsa::logonpasswords? It does not work on both Win10 and Win11 the last time I checked.