Ops 401 Class 42
Mimikatz is an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.
Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Mimikatz originally demonstrated how to exploit a single vulnerability in the Windows authentication system. Now the tool demonstrates several different kinds of vulnerabilities. Mimikatz can perform credential-gathering techniques such as:
Pass-the-Hash: Windows used to store password data in an NTLM hash. Attackers use Mimikatz to pass that exact hash string to the target computer to login. Attackers don’t even need to crack the password, they just need to use the hash string as is. It’s the equivalent of finding the master key to a building on the floor. You need that one key to get into all the doors.
Pass-the-Ticket: Newer versions of windows store password data in a construct called a ticket. Mimikatz provides functionality for a user to pass a kerberos ticket to another computer and login with that user’s ticket. It’s basically the same as pass-the-hash otherwise. Over-Pass the Hash (Pass the Key): Yet another flavor of the pass-the-hash, but this technique passes a unique key to impersonate a user you can obtain from a domain controller.
Kerberos Golden Ticket: This is a pass-the-ticket attack, but it’s a specific ticket for a hidden account called KRBTGT, which is the account that encrypts all of the other tickets. A golden ticket gives you domain admin credentials to any computer on the network that doesn’t expire.
Kerberos Silver Ticket: Another pass-the-ticket, but a silver ticket takes advantage of a feature in Windows that makes it easy for you to use services on the network. Kerberos grants a user a TGS ticket, and a user can use that ticket to log into any services on the network. Microsoft doesn’t always check a TGS after it’s issued, so it’s easy to slip it past any safeguards.
Pass-the-Cache: Finally an attack that doesn’t take advantage of Windows! A pass-the-cache attack is generally the same as a pass-the-ticket, but this one uses the saved and encrypted login data on a Mac/UNIX/Linux system. what can mimikatz do
You can download Mimikatz from Benjamin Delpy’s GitHub – he offers several options to download, from the executable to the source code. You will need to compile with Visual Studio 2010 or later.
When you run Mimikatz with the executable, you get a Mimikatz console in interactive mode where you can run commands in real time.
Run Mimikatz as Administrator: Mimikatz needs to be “Run as Admin” to function completely, even if you are using an Administrator account.
There are 2 versions of Mimikatz: 32bit and 64bit. Make sure you are running the correct version for your installation of Windows. Run the command ‘version’ from the Mimikatz prompt to get information about the Mimikatz executable, the Windows version, and if there are any Windows settings that will prevent Mimikatz from running correctly.
The module sekurlsa in Mimikatz lets you dump passwords from memory. To use the commands in the sekurlsa module, you must have Admin or SYSTEM permissions.
First, run the command:
mimikatz # privilege::debug
The output will show if you have appropriate permissions to continue.
Next, start the logging functions so you can refer back to your work.
mimikatz # log nameoflog.log
And finally, output all of the clear text passwords stored on this computer.
mimikatz # sekurlsa::logonpasswords
The crypto module allows you to access the CryptoAPI in Windows which lets you list and export certificates and their private keys, even if they’re marked as non-exportable.
The kerberos module accesses the Kerberos API so you can play with that functionality by extracting and manipulating Kerberos tickets.
The service module allows you to start, stop, disable, etc. Windows services.
And lastly, the coffee command returns ascii art of coffee. Cause everyone needs coffee.
There is so much more to Mimikatz. If you are looking at penetration testing or you just want to dig into the Windows authentication internals, check out some of these other references and links:
- Guide to Pen Testing Active Directory Environments
- Unofficial Guide to Mimikatz & Command Reference
- Koadic: LoL Malware Meets Python-Based Command and Control (C2) Server
- Official Mimikatz Wiki
all content cited from Varonis
This content is relevant to our course content this week because we're working with Mimikatz in our lab environment. This article serves as a great primer outlining the functionality of Mimikatz and providing references to additional resources for further research.