Collaborate Disseminate
So I am trying to write my own backdoor with python and it is something like Metaploit, where you can run a single command and it would do the work for you, so I am trying to implement a cookie decoder/decrypter, so I started doing it on m… Continue reading Decrypting Browser Cookies
I’m using mimikatz to retrieve a user’s password hashes from Active Directory with the following command:
lsadump::dcsync /user:mimikatz
The user’s password is Pa55w.rd.
The output is
…
Credentials:
Hash NTLM: 377565f7d41787414481a283… Continue reading Why do I see LM hashes stored in Active Directory?
Tried to call sekurlsa::logonpasswords function from mimikatz main source, but I get ERROR hl_aaaurlsa_acquireLSA ; Logon list
The program is executed with Administrator cred and I’m sure there’s no problem with the environment because the… Continue reading ERROR kuhl_sekurlsa_acquireLSA from customized mimikatz
When I dump the password history hashes stored in the SAM database with mimikatz lsadump::dcsync tool, for every i’th password (re-)set by a SAM account there are two hashes stored by Active Directory (AD): ntlm- i and lm- i. I know storin… Continue reading Can hashes labeled ‘lm’ in SAM database mimikatz dump be another type than (NT)LM?
Is it possible, with NT Authority/SYSTEM access, to reuse mscash2 credentials in any way on a local system or AD network? Perhaps with runas /savecred or mimikatz or something similar? I know that the mscash2 cannot be passed in a traditio… Continue reading Abusing Saved mscash2 Credentials in Active Directory
I used to run Mimikatz in one of my computers. Then, I did something to block its action and I do not recall what it was. I am trying to revert it unsuccessfully.
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. &qu… Continue reading What can prevent Mimikatz from accessing LSA?
The versatile malware known as TrickBot continues to pose “great danger” to customers of financial and technology companies because its developers are trying to stay a step ahead of cybersecurity analysts, according to Check Point Research. The company says TrickBot’s authors have equipped it with layers of “anti-analysis” and “anti-deobfuscation” capabilities, meaning that if an expert tries to pick apart the malware’s code, it stops communicating with its command-and-control servers or stops working altogether. Those features “show the authors’ highly technical background and explain why Trickbot remains a very prevalent malware family,” Check Point says in research published Wednesday. The danger remains clear, too: Check Point says the various modules of TrickBot are often deployed for stealing login credentials from customers of several large banks, including Bank of America and Wells Fargo, as well as big tech firms like Microsoft and Amazon. About 60 companies are affected overall. “These brands […]
The post TrickBot developers continue to refine the malware’s sneakiness and power appeared first on CyberScoop.
Continue reading TrickBot developers continue to refine the malware’s sneakiness and power
I run the following command:
# lsadump::cache /user:<username> /kiwi
mimikatz respond "User cache replace mode" with the right user name, the new password and it’s corresponding hash. However, few lines later it dumps the … Continue reading Issue replacing cached domain user credentials using mimikatz kiwi
I’m playing with mimikatz kerberos::golden, e.g.,
kerberos::golden /domain:XXX /sid:XXX /user:XXX /aes256:XXX /endin:864000 /renewmax:10240 /ptt
Then I tried to access a domain joined machine, but I got access denied:
dir \\IP_address\C$
… Continue reading Kerberos golden ticket works with DNS only – access denied with IP address
I’m following this article to reproduce the EFS bug: https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/
My environment:
Windows 2016 AD (Hostname: W2016$)
Windows 2016 SRV01 (Runnin… Continue reading Trying to reproduce petitpotam exploit, got "KDC_ERROR_CLIENT_NOT_TRUSTED (62)" error