Windows 2012 R2 AD controller / Windows 10 client / Metasploit / Mimikatz

This is an experiment that I wanted to share.

But before that I wanted to introduce my collection of WTF screenshots from movies that I have started recently.

Mission Impossible 5

Data Transfer Relay Algo Open Sourced ….
wtf

I wish hacking would be as much fun as it looks in these movies …

=================================================

Software used:
Windows 2012 R2 – Domain Controller (VIRTUAL.COM) (64bit) {Latest}
Windows 10 – AD joined (WINDOWS10.VIRTUAL.COM) (64bit) {Latest}
Alpine Linux – Router (NS.VIRTUAL.COM) {4.4.11-0-grsec}
Debian Linux – Linux with Metasploit (64bit) {metasploit v4.12.24-dev-58112d7}
Virtual Box – Hypervisor from Oracle {5.1.4}
Mimikatz – Latest version from https://github.com/gentilkiwi/mimikatz/releases/latest
Custom tools to unload AV

Scenario:
– Execution of a custom meterpreter payload on a domain joined WINDOWS10.VIRTUAL.COM (64bit)
– Trying to run mimikatz from unprivileged session – no luck
– Executing the custom meterpreter payload binary with domain admin rights HYPERUSER\VIRTUAL.COM
– Get SYSTEM
– Try to execute inbuilt meterpreter mimikatz (kiwi / mimikatz) – no luck
– Try to execute mimikatz (64bit) copy from https://github.com/gentilkiwi/mimikatz/releases/latest (Windows Defender flags this) – no luck
– Upload mimikatz to host via meterpreter session
– Kill AV using Viktor Cleaner 2.0
– Execute mimikatz (64bit) copy from https://github.com/gentilkiwi/mimikatz/releases/latest
– Profit
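The scenario above only works once Windows Defender has first flagged the dropped binary and has then been stopped outright. From the defender's side, those are the two things worth catching on a domain-joined client. The following PowerShell health check is an added example written for this post, not a tool from the experiment: it reads Defender's engine state with Get-MpComputerStatus, confirms the WinDefend service is still running, and pulls recent "real-time protection disabled" (event ID 5001) and "malware detected" (event ID 1116) entries from the Defender operational log, so a stopped engine or a flagged upload shows up in one report. The 24-hour look-back window is an assumption; run it from an elevated shell on the host being checked (for example WINDOWS10.VIRTUAL.COM).

```powershell
# Added example (not from the original post): defender-side health check for
# Microsoft Defender on a Windows 10 client. Reports engine/service state and
# recent "real-time protection disabled" (5001) and "malware detected" (1116)
# events. Requires an elevated shell. Look-back window is an assumption.

param(
    [int]$LookBackHours = 24
)

function Get-DefenderHealth {
    param([int]$Hours)

    # Engine state as reported by the Defender cmdlets.
    $status  = Get-MpComputerStatus
    # The service itself; if it is missing or stopped, everything else is moot.
    $service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    # Events of interest from the Defender operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 1116
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rtpDisabled = @($events | Where-Object Id -eq 5001)
    $detections  = @($events | Where-Object Id -eq 1116)

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        ServiceStatus      = if ($service) { $service.Status } else { 'Missing' }
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        RtpDisabledEvents  = $rtpDisabled.Count
        DetectionEvents    = $detections.Count
        # Healthy only if the service runs, both protections are on, and
        # nobody switched real-time protection off inside the window.
        Healthy            = [bool]($service -and $service.Status -eq 'Running' -and
                                    $status.AntivirusEnabled -and
                                    $status.RealTimeProtectionEnabled -and
                                    $rtpDisabled.Count -eq 0)
    }
}

$report = Get-DefenderHealth -Hours $LookBackHours
$report | Format-List

if (-not $report.Healthy) {
    Write-Warning "Defender is not in a healthy state on $($report.Host); investigate."
}
```

A detection event followed shortly by a 5001 event on the same host is exactly the sequence the scenario produces (flagged binary, then AV killed), and is a much stronger signal than either event on its own; forwarding the Defender operational log to a central collector makes that pairing visible across the domain rather than only on the box.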


Part 1 of the experiment

Part 2 of the experiment
