﻿1
00:00:00,950 --> 00:00:09,410
Mimikatz is absolutely a great post-exploitation tool. After the initial exploitation phase, attackers

2
00:00:09,410 --> 00:00:16,850
may want to get a firmer foothold on a computer or network. Doing so often requires a set of complementary

3
00:00:16,850 --> 00:00:17,340
tools.

4
00:00:17,840 --> 00:00:24,140
Mimikatz is an attempt to bundle together some of the most useful tasks that attackers will want to

5
00:00:24,140 --> 00:00:24,680
perform.

6
00:00:25,430 --> 00:00:31,790
Fortunately, Metasploit has decided to include Mimikatz as a Meterpreter extension to allow for easy

7
00:00:31,790 --> 00:00:37,550
access to its full set of features without needing to upload any files to the disk of the compromised

8
00:00:37,550 --> 00:00:37,910
host.

9
00:00:39,370 --> 00:00:46,030
So after obtaining a Meterpreter shell, we need to ensure that our session is running with SYSTEM-level

10
00:00:46,030 --> 00:00:54,130
privileges for Mimikatz to function properly, so type getuid to look at the user, and if it's not the

11
00:00:54,130 --> 00:00:59,590
SYSTEM user, we can use getsystem to try to gain SYSTEM privileges.

12
00:01:01,120 --> 00:01:03,790
Now, we can load the mimikatz module into memory with load mimikatz.

13
00:01:04,830 --> 00:01:07,530
Type help mimikatz to see the Mimikatz commands.

14
00:01:09,280 --> 00:01:14,920
Now, Metasploit provides us with some built-in commands that showcase Mimikatz's most commonly

15
00:01:14,920 --> 00:01:19,940
used features: dumping hashes and clear-text credentials straight from memory.

16
00:01:20,500 --> 00:01:26,740
However, the mimikatz_command option gives us full access to all of the features in Mimikatz.

17
00:01:28,160 --> 00:01:34,640
Though slightly unorthodox, we can get a complete list of the available modules by trying to load a

18
00:01:34,640 --> 00:01:41,850
non-existent feature, so type mimikatz_command -f to specify the feature.

19
00:01:42,260 --> 00:01:43,820
Now write something meaningless.

20
00:01:43,820 --> 00:01:49,430
For example, just xyz; put colon colon (::) at the end and hit enter.

21
00:01:50,350 --> 00:01:53,560
Here is the list of the modules we can use in Mimikatz.

22
00:01:55,260 --> 00:02:01,500
We can also use Mimikatz commands to extract hashes and clear-text credentials from the compromised

23
00:02:01,500 --> 00:02:08,010
machine. Type mimikatz_command -f samdump:: and hit enter.

24
00:02:08,010 --> 00:02:10,170
See the commands of the samdump module.

25
00:02:11,290 --> 00:02:15,280
Now let's use the hashes command and collect all the hashes.

26
00:02:19,860 --> 00:02:26,640
To extract the clear-text credentials, we can use the searchPasswords command of the sekurlsa

27
00:02:26,640 --> 00:02:27,600
module.

28
00:02:28,280 --> 00:02:34,560
This command searches directly in LSASS memory segments for passwords, so type mimikatz_command

29
00:02:34,560 --> 00:02:39,930
-f sekurlsa::searchPasswords and hit enter.

30
00:02:40,740 --> 00:02:42,900
Now here we have a clear-text password.

31
00:02:46,090 --> 00:02:49,510
OK, so let's take a little break here and play some Minesweeper.

32
00:02:52,710 --> 00:02:55,950
Come on, we're not children; we'll play in expert mode, of course.

33
00:02:56,820 --> 00:02:59,190
Well, OK, I'll need some help.

34
00:02:59,220 --> 00:03:00,360
So back to Kali.

35
00:03:00,960 --> 00:03:07,350
We're in the Meterpreter session and Mimikatz is loaded. To list the modules again,

36
00:03:07,350 --> 00:03:14,220
type mimikatz_command -f qwe:: and hit enter.

37
00:03:15,230 --> 00:03:21,020
Now, there's a strange module here, winmine. Let's look at its commands.

38
00:03:23,310 --> 00:03:26,280
So what happens when we use the info command here?

39
00:03:28,010 --> 00:03:33,680
Well, I think these stars show the places of the mines, so now we know where to click.

40
00:03:35,950 --> 00:03:43,360
OK, so restart Minesweeper again, and I'll use the cheat command this time around.

41
00:03:44,900 --> 00:03:51,830
Now turn back to Minesweeper and click anywhere, and you are the new record holder.

42
00:03:52,250 --> 00:03:52,850
Well done.

