So here's another great example of how the Metasploit framework expands. When new tools arrive, they are rapidly integrated into the framework. Mimikatz is one of them, which is integrated into MSF. It was first written by Benjamin Delpy as a post-exploitation tool. Basically, it attempts to get users' clear text passwords from memory over the Meterpreter session. Now, I know that you've already used the hashes by using the pass-the-hash attack. However, sometimes passwords can also be required to save time from the beginning. So that's when you can use the Mimikatz extension to get clear text passwords from the memory of the compromised target, leaving no trace on the disk. And there's one more thing to keep in mind. Mimikatz version one is implemented in MSF, but later on, when Mimikatz version two was released, it got implemented into MSF and named Kiwi. So I'm going to start with load mimikatz first. But for sure, you've got to have system privileges. And to list extensions, type load -l. And these are the available extensions to load on this session. Loading is a very easy process: just type load, and then the name of the extension, in this case mimikatz. Now, it gives a warning about using Kiwi, but you can disregard it. So after you load Mimikatz, type help

mimikatz to list the commands of the extension. And with the mimikatz_command, you can directly run Mimikatz commands by themselves. Now, I know this is a weird sentence, but it really will help you to execute all Mimikatz modules directly. But the other commands are like shortcuts of some Mimikatz modules. You'll get what I mean in a couple of seconds. So type kerberos to get the clear text Kerberos credentials. And look at the password column. See how you get that clear text password. Now, it doesn't matter how strong the password is. And you can also list livessp credentials by typing livessp, if, of course, livessp is applicable for the current operating system. But this time you see password hashes in the password column. So it's also possible to get ssp credentials if they're available. So type tspkg to view the tspkg credentials. Now you can see clear text passwords in the last column. Now, time for wdigest, to get clear text passwords from the WDigest package. So if you're wondering what all these are, tspkg, wdigest and all the others, they are all Microsoft security packages. So the implementations of these packages differ from OS to OS.

And if you really want to know about these implementations, you can search for them on the World Wide Web, that thing that binds us all. But believe me, there's a lot to read; it's a very large topic. So for now, let's only get the passwords in clear text. OK, then the mimikatz_command. This command enables you to run Mimikatz commands on the target directly. So first type help mimikatz_command. Oops, hope you didn't see that. Then type mimikatz_command -h to get the help menu. So Mimikatz has modules, and each module has different functions, and each function has its own parameters. So in order to list the modules, type mimikatz_command -f fu::. And here are the Mimikatz modules. mimikatz_command -f crypto:: will list the functions of the crypto module. listKeys will give you a list of crypto keys in the memory. Now, assume that you are in a server that has an SSL certificate. This will really help you to extract keys. listProviders will bring the crypto providers like you see right here. sekurlsa, that's another useful module. And if you read through this, these are the functions of this module.

So the names are similar to the Meterpreter commands of this extension. So msv will bring only the password hashes. wdigest will generally bring the clear text passwords due to its implementation. And at the end of the line, there are the passwords. kerberos is also an important function because it brings the passwords and Kerberos ticket if it's applicable for the current operating system. Then tspkg is also very useful; it brings the credentials. So if livessp and ssp are available, you can also get credentials of these packages by simply typing livessp and ssp. So in my case here, there are no credentials provided by these packages. Now, it's also possible to get logged-in users' passwords from memory, so let's pass logonPasswords to mimikatz_command. Now, you see, here are the password hashes for each user. Sometimes it brings up like this. It might change due to the operating system. And then the last sekurlsa function is searchPasswords. So that's going to bring up all the clear text passwords from all the modules. Now, here, you might be seeing the same username a few times because Mimikatz extracts each username and password from different security packages' DLL files.

Now, the second extension is actually an upgraded version of Mimikatz. That's called Kiwi. So load kiwi. And now you're able to run the Kiwi commands. And in order to see the available Kiwi commands, type help kiwi. And then the logic is exactly the same as Mimikatz. You can list Kerberos credentials by typing creds_kerberos. But this time, I think the view is better. So type in creds_msv to get msv credentials. But creds_msv sometimes can cause crashes on the target; it just randomly happens, but, you know, just be prepared. And what do you know, as if I predict the future. So because it's happened, I'm not going to panic; I will use my RC file to bring up a session again. Now, it takes a while to get a session again. But finally, I've got my new session. OK, then use creds_ssp for ssp credentials. creds_tspkg, that's going to get me passwords from this DLL. But there's nothing really meaningful. OK, creds_wdigest. And the situation is the same. So at the end, you extract some clear text passwords from the memory of the target. And now you can use these credentials to further compromise your target.