Mimikatz on Windows 11 with/without Credential Guard

Open omrirefaeli opened this issue 1 year ago • 5 comments

Hey!

I looked at previous issues and couldn't find a definitive answer to these 2 questions:

  1. Does Mimikatz (Trunk) work on a machine with Credential Guard activated?
  2. Does Mimikatz work on a Windows 11 machine?

I tried both and couldn't get the sekurlsa::logonpasswords plugin to work. Was looking for an answer or should I keep trying?

Thanks!

omrirefaeli avatar Apr 27 '23 13:04 omrirefaeli

mimikatz no longer works even on recent versions of Windows 10.

rakbladsvalsen avatar May 08 '23 17:05 rakbladsvalsen

This pull request https://github.com/gentilkiwi/mimikatz/pull/432 may be the fix we're all looking for. I've tested the code from the above-linked pull request; apart from the required modification to the build environment in order to target W11, it works like a charm, tested on the latest W11, fully patched.

Compiling from sources requires Visual Studio, perfectly fine with the latest Community 2022 release. Required modifications in order to compile from sources:

  • Install MSVC for your compiler version (mine was the latest)
  • Retarget the project to your compiler version
  • Disable treating warnings as errors

Then compile ONLY the "mimikatz" sub-project, as the others are not needed and require further compilation effort.

ebalo55 avatar Oct 20 '23 05:10 ebalo55

Unfortunately, even after PR#432 it does not return sha1.

BubbleMaker2089 avatar Oct 23 '23 14:10 BubbleMaker2089

But it does NTLM (at the moment), as a red teamer that's even better.

ebalo55 avatar Oct 23 '23 14:10 ebalo55

But is it possible to decrypt specific masterkey using NTLM hash retrieved from sekurlsa::logonpasswords? It does not work on both Win10 and Win11 the last time I checked.

BubbleMaker2089 avatar Oct 24 '23 06:10 BubbleMaker2089