Mimikatz: Powerful Credentials Stealing Tool


Mimikatz: Powerful Credentials Stealing Tool

Introduction: What is Mimikatz?

Mimikatz is a powerful and well-known post-exploitation tool written in C, capable to extract plaintexts passwords, hash, PIN codes and kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket or build Golden tickets (detailed explanation below).

History

It was initially developed in 2007 under different names, but back in 2014, Benjamin Delpy (@gentilkiwi) originally created Mimikatz as a PoC to show Microsoft that their authentication protocols were highly vulnerable to hacking attacks.

But today, Mimikatz’s primary purpose and usage is stealing users credentials that are logged in to a specific/targeted Windows machine. It’s almost always used for malicious purpose, although it was never build as a hacking tool. In the last couple of years it was used as a part of the ransomware worms (2017: NotPetya and BadRabbit) that were spread all around the globe.
Mimikatz 2.2.0 [Released]!

Mimikatz: “A Small Tool To Play With Windows Security”

The Mimikatz is an open-source post-exploitation (credentials stealing) tool which allows you to obtain login / password data, both from hash or clear text. You can use to attack targeted Windows machines/users and extract cleartext passwords or password hashes from memory, as well as PINs, Kerberos tickets, etc. it also provides are useful attacks such as: pass-the-hash, pass-the-ticket, pass-the-cache or building Golden Kerberos tickets. It comes in two flavors: Windows x32/x64.

This amazing and very effective offensive security tool also includes modules (listed below) and comes bundled (Mimikatz v1) with a Meterpreter script as part of Metasploit Framework.

Modules:

standard privilege crypto sekurlsa
kerberos lsadump vault token
event ts process service
net misc library mimilib driver mimidrv

Features:

Pass-the-Hash

Storing password data in NTLM hash: Without need to crack the password, attacker can easily go trough using Mimikatz, which will then pass hash string to the target machine and allow attacker to login.

Over-Pass the Hash (Pass the Key)

Another pass-the-hash attack technique, but in this one attacker will pass a unique key to imitate a victim which you can obtain from a domain controller.

Pass-the-Ticket

Storing password data in a “ticket” construct: capability to pass a kerberos ticket to another machine and login with that user’s ticket.

Pass-the-Cache

Same as the pass-the-ticket attack technique, except it uses saved and encrypted login data on OS X, Linux and UNIX systems.

Kerberos Silver Ticket

Another Pass-the ticket attack technique: this silver ticket provides easy service usage on the network. It grants a TGS ticket which can be further use to login into any services on the network.

Kerberos Golden Ticket

Pass-the ticket attack technique: specific ticket for a hidden KRBTGT account, which is able to encrypt all of the other tickets. With this golden ticket you’ll get domain admin credentials to any machine.

Mimikatz Install

Prerequisites:

  • mimikiatz and mimilib: Visual Studio 2010+
  • mimikatz driver, mimilove and ddk2003 platform: Windows Driver Kit 7.1 (WinDDK)

Install Steps:

  1. Download from GitHub (options: git / trunk / zip).
  2. Once build, run the executable as admin (make sure you’re running the correct version suitable for targeted machine).
  3. Start extracting some passwords from the memory.
Important: Don’t forget that Mimikatz needs to be “Run as Admininistrator” in order to work properly and completely.

Basic Usage

   .#####.   mimikatz 2.2.0 alpha (x64) #17763 Apr  10 2019 00:55
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz #

First you’ll need to check do you have all the permissions (debug) to start dumping some passwords:

mimikatz # privilege::debug 
privilege '20' OK

Then start logging process using log:

mimikatz # log logfilename.log

If everything goes well and without errors, you can start by outputting cleartext passwords:

mimikatz # sekurlsa::logonpasswords

For more information, usage examples and detailed explanations click on the “documentation” button below.

Documentation Box
Download Box