Tuesday, 27 October 2015

Parse Mimikatz Output One-Liner

Love mimikatz but hate the output? Yeah me too. In this post I'll show you how to parse the output with one simple line.

The Output

Running either the mimikatz binary or the PowerShell equivalent, Invoke-Mimikatz, will give you output similar to the following:
Authentication Id : 0 ; 92831308 (00000000:05889d8c)
Session           : RemoteInteractive from 3
User Name         : john.smith
Domain            : ACME
SID               : S-1-5-21-2052118978-2816230894-3584936141-8335
 msv : 
  [00000003] Primary
  * Username : john.smith
  * Domain   : ACME
  * NTLM     : 1acd1a77416c50969d66867cd1e27e91
  * SHA1     : fc1a13cdf5e6d8da249812b320764fbaac0cb1bb
  [00010000] CredentialKeys
  * NTLM     : 1acd1a77416c50969d66867cd1e27e91
  * SHA1     : fc1a13cdf5e6d8da249812b320764fbaac0cb1bb
 tspkg : 
 wdigest : 
  * Username : john.smith
  * Domain   : ACME
  * Password : Myl0ngs3cretP@ssword
 kerberos : 
  * Username : john.smith
  * Domain   : ACME.mycompany
  * Password : (null)
 ssp : 
 credman : 

In most situations you'll just want to know the users and passwords; however, these are hidden among a whole load of other output. Now we could go and patch the mimikatz code, or we could use a cheeky one-liner...


I Love A One-Liner

My goal was to obtain a list of all usernames with domains and passwords from a set of mimikatz output files. This is simple to do with the following one-liner:
cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($12)>2) print $8 "\\" $4 ":" $12}'|sort -u

Parsing the example above you get the following:
ACME\john.smith:Myl0ngP@ssword
jira.acme.com\john.smith@acme.com:Myj1raP@ssword

How's it work?
  • I start by outputting all files in the current directory and removing carriage return characters as these seemed to break awk. I also remove tab characters to clean up the output.
  • Next up I used awk to effectively put the username, domain and password all on the same line. This makes grepping, cutting or more awking easier.
  • I used grep to remove lines I didn't care about. For example NTLM hashes and null passwords.
  • I then did a final awk to remove hex string passwords. I'm not sure how/why mimikatz generates this output, if anyone knows please leave a comment! :)
  • And finally I sorted and uniqued the list.

I modified the one-liner to also output just the usernames and passwords without the domain:
cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; getline; print user " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($8)>2) print $4 ":" $8}'|sort -u
john.smith:Myl0ngP@ssword
john.smith@acme.com:Myj1raP@ssword
And also output usernames and NTLM hashes ready for use with pth-winexe:
cat *|tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* Password\|Microsoft_OC1"|awk '{if (length($12)>2) print $8 "/" $4 "%aad3b435b51404eeaad3b435b51404ee:" $12}'|sort -u
ACME/john.smith%aad3b435b51404eeaad3b435b51404ee:1acd1a77416c50969d66867cd1e27e91
If you want a different output format just modify the final print statement.
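
The one-liners rely on Username, Domain and the secret arriving as three consecutive lines, and they drop the package name. When writing up findings it is often more useful to list which package (msv, wdigest, kerberos) held which kind of secret for each account, without copying the secrets themselves. The following is an added example, not code from the original post: mimi_exposure and sample_dump are hypothetical names, the second session in the sample is constructed, and treating space-separated hex bytes as the "hex string" passwords is an assumption.

```sh
# Added example, not the post's code: report account, package and secret type only.
mimi_exposure() {
  tr -d '\r' | awk '
    /^Authentication Id/ { pkg = ""; user = ""; dom = ""; next }   # new logon session
    # Package header such as " wdigest : " (lowercase name, empty value)
    /^[ \t]*[a-z]+ :[ \t]*$/ { pkg = $1; next }
    # Credential field such as "  * Password : value"; split on the first colon so
    # values containing spaces or colons stay intact
    /^[ \t]*\* / {
      line = $0; sub(/^[ \t]*\* /, "", line)
      i = index(line, ":"); if (i == 0) next
      key = substr(line, 1, i - 1); sub(/[ \t]+$/, "", key)
      value = substr(line, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", value)
      # Assumption: "hex string" passwords are space-separated lowercase hex bytes
      if (key == "Username") user = value
      else if (key == "Domain") dom = value
      else if (key == "NTLM") emit("ntlm-hash")
      else if (key == "Password" && value != "(null)")
        emit((value ~ /^([0-9a-f][0-9a-f] )+[0-9a-f][0-9a-f]$/) ? "hex-blob" : "cleartext")
    }
    function emit(kind) { print dom "\\" user "\t" pkg "\t" kind }
  ' | sort -u
}
# Sample input: first session copied from the post, second session constructed.
sample_dump() {
cat <<'EOF'
Authentication Id : 0 ; 92831308 (00000000:05889d8c)
 msv : 
  [00000003] Primary
  * Username : john.smith
  * Domain   : ACME
  * NTLM     : 1acd1a77416c50969d66867cd1e27e91
  [00010000] CredentialKeys
  * NTLM     : 1acd1a77416c50969d66867cd1e27e91
 wdigest : 
  * Username : john.smith
  * Domain   : ACME
  * Password : Myl0ngs3cretP@ssword
 kerberos : 
  * Username : john.smith
  * Domain   : ACME.mycompany
  * Password : (null)
Authentication Id : 0 ; 999 (00000000:000003e7)
 wdigest : 
  * Username : WS01$
  * Domain   : ACME
  * Password : 3a 9f 00 c1 7e 42
EOF
}
sample_dump | mimi_exposure
```

Each output row is account, package and secret type separated by tabs; a "cleartext" row under wdigest is the line to carry into the remediation list.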


Final Thoughts

Mimikatz is such an awesome tool; unfortunately, the default output is not that user/grep friendly. Luckily, with a simple one-liner we can easily work the output into something more useful. As mentioned in my smb-share enumeration post, don't be afraid to jump in and learn some grep/awk/sed; these tools can speed up data analysis massively!

Hopefully this post has been useful. If you have any suggestions for improvements or better ways to get usable output, then leave a comment below.

Pwndizzle out.
