Mimikatz on edermi's Bloghttps://edermi.github.io/tags/mimikatz/Recent content in Mimikatz on edermi's BlogHugoen-usMon, 02 Mar 2026 21:55:17 +0100Vulnerabilities on vmwareidentity.de (XSS) and in VMware UEM (exportable authentication certificate)https://edermi.github.io/post/2021/vmware_vulnerabilities/Sun, 29 Aug 2021 00:00:00 +0000https://edermi.github.io/post/2021/vmware_vulnerabilities/<p>This post is a short notice about vulnerabilities in VMware products I found earlier this year. During a penetration test of a freshly built environment, I took a closer look at VMware Unified Access Gateway (UAG) in combination with devices enrolled and managed via VMware Unified Endpoint Management (UEM). I found a reflected XSS vulnerability on VMware&rsquo;s authenticator <code>vmwareidentity.de</code> that can be abused by sending links to unauthenticated victims. Also, I found it possible to export a user&rsquo;s authentication certificate, which allows to access zero trust protected resources without access to the user&rsquo;s device or account on a trusted system. There has been no advisory or notification for affected customers I am aware of. The disclosure deadline was already a few weeks ago and VMware did not respond to multiple attempts of contacting them as well as offering an extension of the responsible disclosure timeframe, therefore I am releasing the vulnerability details to the public.</p>Passing the hash with native RDP client (mstsc.exe)https://edermi.github.io/post/2018/native_rdp_pass_the_hash/Sun, 06 May 2018 00:00:00 +0000https://edermi.github.io/post/2018/native_rdp_pass_the_hash/<p><em><strong>TL;DR:</strong> If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client <code>mstsc.exe</code>. (You&rsquo;ll need mimikatz or something else to inject the hash into the process)</em></p> <p>On engagements it is usually only a matter of time to get your hands on NTLM hashes. These can usually be directly used to authenticate against other services / machines and enable lateral movement. Powershell / PSExec, SMB and WMI are usual targets to pass the hash to, but it is also possible to use it to establish a RDP session on a remote host. Searching the Internet on how to do this unfortunately always leads to <a href="https://www.kali.org/penetration-testing/passing-hash-remote-desktop/">using xfreerdp</a>, but I wasn&rsquo;t able to find anything on the Internet regarding how to do this directly using the provided RDP client <code>mstsc.exe</code>, so I had to find out on my own.</p>