Mimikatz and Credentials

The Credential Store

Empire will attempt to parse common Mimikatz output and keep it in an internal credential store. Credentials can be viewed from most menus with the creds command. The credential store can effectively operate as a golden and silver ticket catalog (see below), generating the appropriate ticket on demand.

You can add credentials with creds add domain username password . Notes, credType, and domainSID are options, and credType is one of “ktbgt”, “hash”, or “plaintext”. creds remove all will drop all the credentials from that database, and creds export will export a CSV of the existing credentials.

Typing creds krbtgt/plaintext/hash/searchTerm will filter the existing credentials in the database by the appropriate search term. For example, creds plaintext will display all plaintext passwords, and creds SERVER will search display all credentials with “SERVER” in the hostname or username.

empire_credstore_filter

Mimikatz

Empire can take advantage of nearly all Mimikatz functionality through PowerSploit’s Invoke-Mimikatz. Mimikatz was built by Benjamin Delpy (@gentilkiwi) with help from Vincent LE TOUX for the DCSync functionality, and Invoke-Mimikatz was built by Joeseph Bialek (@JosephBialek) and is a part of the PowerSploit project.

Typing mimikatz in an agent menu will run Invoke-Mimikatz with the sekurlsa::logonpasswords module, which runs all relevant in-memory password modules:

empire_mimikatz

The rest of the available Mimikatz modules are located in credentials/mimikatz/*. logonpasswords is the module run by the mimikatz alias, certs will export all current certificates, command will execute a custom Mimikatz command, lsadump will execute an lsadump (useful on domain controllers), and trust_keys will extract all current domain trust keys (again only useful on domain controllers). Empire will attempt to parse the results of logonpasswords and lsadump and store them in the internal credential store.

empire_credstore_full

 

DCSync

As of version 1.2, Empire implements the mimikatz lsadump::dcsync module (built with Vincent LE TOUX) which allows allows you to extract the hashes of domain accounts without code execution on a domain controller by abusing the MS-DRSR protocol for AD replication. The output of this module will also be scraped and thrown into the backend credential model. Remember to specify ‘domain\user’ for the user option:

empire_dcsync