Sunday, March 27, 2016

Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates

Continuing this journey into Mimikatz, SkeletonKey, dumping NTDS.dit and Kerberos with Metasploit, this post focuses on getting a better understanding of how I may be able to use the mimikatz tool.

When I performed this task within meterpreter, for whatever reason I was not successful. However, when I did it on Windows I was ;-)

So here we go.
First up, I loaded mimikatz and verified that I was good to go.

Looks good!


Let's see what certificates are immediately available for the user.

So we have a certificate for administrator and its key is exportable too.

Let's export!

So Mimikatz claims it exported the public key as a .der file and the private key as a .pfx file. 

Let's verify this is so!

I guess Mimikatz did not lie :-)

Let's add this to our personal store.
The password for the private key is "mimikatz".

Once the password is accepted we can complete the installation as shown below.

Let's now verify this is in our personal store.

Verify the thumbprint!

So we have the certificate installed and we have its private key.

What next should we do?

Let's make "Administrator" a recovery agent for the local user's EFS-encrypted file, since, as we see below, "Administrator" has "File Recovery" as one of its intended purposes.

So I created a file named "EFS Testing" and encrypted it with EFS as shown below. We can see the "Recovery Certificate" belongs to "SECURITYNIK\Administrator". This certificate came from the logged-in administrator of the domain. Additionally, by looking at the certificate thumbprint, we know that this is the certificate we imported above.
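The two checks this post does by hand, comparing the thumbprint of the exported .der with what is in the personal store and reading off the "File Recovery" purpose, can be scripted from the defender's side to find certificates whose private key is exportable or which carry the EFS recovery purpose. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later, and the .der path is a placeholder.

```powershell
# Added example (not from the original post): audit Cert:\CurrentUser\My for exportable
# private keys and EFS/File Recovery purposes, and match an exported .der by thumbprint.
$EfsOid          = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (EFS recovery agent) EKU

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return [bool]$key.CspKeyContainerInfo.Exportable        # legacy CSP key
        }
        if ($key -is [System.Security.Cryptography.RSACng]) {         # CNG key
            return ($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        }
    } catch { }
    return $null   # unknown: non-RSA key or the key could not be opened
}

function Get-CertificateAudit {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = Test-PrivateKeyExportable -Cert $cert
            EfsUser       = $ekus -contains $EfsOid
            FileRecovery  = $ekus -contains $FileRecoveryOid
        }
    }
}

function Test-ExportedCertificate {
    # Does the .der on disk correspond to a certificate installed in the store?
    param([string]$Path, [string]$StorePath = 'Cert:\CurrentUser\My')
    $onDisk  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path
    $inStore = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $onDisk.Thumbprint }
    [pscustomobject]@{ File = $Path; Thumbprint = $onDisk.Thumbprint; InStore = [bool]$inStore }
}

# Report what could be lifted (exportable key) or used to decrypt EFS files (File Recovery).
Get-CertificateAudit | Where-Object { $_.Exportable -or $_.FileRecovery } | Format-Table -AutoSize
Test-ExportedCertificate -Path 'C:\PLACEHOLDER\exported.der'   # placeholder path for the exported .der
```

A certificate that shows Exportable and FileRecovery together is exactly what this post demonstrates, so the same audit tells you which accounts' personal stores deserve non-exportable keys or hardware-backed storage.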

So that's it for me on this post. Now that you have both the public and private key you can decide on what level of badness or goodness you would like to perform. Let your imagination run wild!

Posts in this series:
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Volatility Memory Analysis
