Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2

2 Comments / Penetesting, Powershell / December 16, 2014

A year ago, @mubix published a cool post on http://carnal0wnage.attackresearch.com/ about “Dumping a domain’s worth of passwords with mimikatz“. In the article, he talked about using a combination of PowerShell, file shares, .bat scripts and output files in order to run Mimikatz across a large number of machines in an enterprise using just WMI.

A few months ago, @obscuresec posted a great article on using PowerShell as a quick and dirty web server. I started thinking about how to incorporate Chris’ work with Rob’s approach to simplify the attack flow a bit.

The result is Invoke-MassMimikatz, a PowerShell script that utilizes @clymb3r’s work with reflective .dll injection/Mimikatz, along with @obscuresec’s webserver and WMI functionality to deliver Mimikatz functionality en-mass to machines on a domain. Again, this doesn’t rely on PSRemoting, and doesn’t need any external binaries, though it does need local admin. It’s just pure PowerShell, WMI, and HTTP goodness.

Here’s how Invoke-MassMimikatz works:

  1. A jobbified web server is spun up in the background. This server will share out the Invoke-Mimikatz code for GET requests, and decodes POST responses with results from targets. It defaults to port 8080, which can be changed with the -LocalPort flag.
  2. A PowerShell one-liner is built that uses the IEX download cradle to grab/execute code from the server, encode the results in Base64, and then post the results back to the same server.
  3. The command is executed on all specified hosts using WMI.
  4. As the raw results come back in clients, the raw output is saved to a specified folder, under “HOSTNAME.txt”. This folder defaults to “MimikatzOutput”, which can be changed with the -OutputFolder flag.
  5. Some parsing code tries to aggregate the result sets and build custom psobjects of credential sets.

In practice, this is how it looks:

invoke.mass.mimikatz

End result? You get some nice “server”/”credential” results pouring back in, which can be piped to CSVs or whatever you would like.

Let me know if anyone uses this script and finds it useful!

2 thoughts on “Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2”

  1. Pingback: Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz

  2. Pingback: Account Hunting for Invoke-TokenManipulation

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.