Mimikatz: Powerful Credentials Stealing Tool
Introduction: What is Mimikatz?
Mimikatz is a powerful and well-known post-exploitation tool written in C, capable of extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It can also perform pass-the-hash and pass-the-ticket attacks or build Golden Tickets (detailed explanation below).
History
Today, Mimikatz’s primary purpose is stealing the credentials of users who are logged in to a specific, targeted Windows machine. It is almost always used for malicious purposes, although it was never built as a hacking tool. In the last couple of years it was used as part of the ransomware worms (2017: NotPetya and Bad Rabbit) that spread all around the globe.
Mimikatz: “A Small Tool To Play With Windows Security”
Mimikatz is an open-source post-exploitation (credential-stealing) tool which allows you to obtain login/password data, either as hashes or in clear text. It can be used against targeted Windows machines/users to extract cleartext passwords or password hashes from memory, as well as PINs, Kerberos tickets, etc. It also provides attacks such as pass-the-hash, pass-the-ticket, pass-the-cache and building Golden Kerberos tickets. It comes in two flavors: Windows x32/x64.
This very effective offensive security tool also includes the modules listed below and comes bundled (Mimikatz v1) with a Meterpreter script as part of the Metasploit Framework.
Modules:
- standard, privilege, crypto, sekurlsa
- kerberos, lsadump, vault, token
- event, ts, process, service
- net, misc, library (mimilib), driver (mimidrv)
Features:
- Pass-the-Hash: password data is stored as an NTLM hash. Without needing to crack the password, the attacker can simply use Mimikatz, which passes the hash string to the target machine and allows the attacker to log in.
- Over-Pass-the-Hash (Pass-the-Key): another pass-the-hash technique, but in this one the attacker passes a unique key, which can be obtained from a domain controller, to impersonate the victim.
- Pass-the-Ticket: password data is stored in a “ticket” construct; the capability to pass a Kerberos ticket to another machine and log in with that user’s ticket.
- Pass-the-Cache: the same as the pass-the-ticket technique, except it uses saved and encrypted login data on OS X, Linux and UNIX systems.
- Kerberos Silver Ticket: another pass-the-ticket technique; the silver ticket provides easy service usage on the network. It grants a TGS ticket which can be further used to log in to any service on the network.
- Kerberos Golden Ticket: a pass-the-ticket technique using a specific ticket for the hidden KRBTGT account, which is able to encrypt all of the other tickets. With this golden ticket you get domain admin credentials on any machine.
Mimikatz Install
Prerequisites:
- mimikatz and mimilib: Visual Studio 2010+
- mimikatz driver, mimilove and ddk2003 platform: Windows Driver Kit 7.1 (WinDDK)
Install Steps:
- Download from GitHub (options: git / trunk / zip).
- Once built, run the executable as admin (make sure you’re running the version suitable for the targeted machine).
- Start extracting passwords from memory.
Basic Usage
  .#####.   mimikatz 2.2.0 alpha (x64) #17763 Apr 10 2019 00:55
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz #
First you need to check that you have the required permission (the debug privilege) before dumping any passwords:
mimikatz # privilege::debug
privilege '20' OK
Then start logging the session output to a file using log:
mimikatz # log logfilename.log
If everything goes well and without errors, you can start by outputting cleartext passwords:
mimikatz # sekurlsa::logonpasswords
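From the defender’s side, the command above works by reading the memory of the LSASS process, and that is also the most reliable place to spot it. The following Python script is an added example (not code from the original page or from the Mimikatz project): it runs over Sysmon Event ID 10 (ProcessAccess) records, flattened to constructed key=value lines, and flags any process that opens lsass.exe with an access mask including PROCESS_VM_READ unless it is on a small allow-list. The PROCESS_* constants are the real Win32 values; the allow-list, the source process names and the log lines are assumptions for the example.

```python
import re
from typing import Dict, Iterable, List

# Win32 process access rights (real values; 0x1010 and 0x1410 are the masks
# most often seen on lsass.exe during credential dumping).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

ACCESS_NAMES = [
    (PROCESS_VM_READ, "PROCESS_VM_READ"),
    (PROCESS_QUERY_INFORMATION, "PROCESS_QUERY_INFORMATION"),
    (PROCESS_QUERY_LIMITED_INFORMATION, "PROCESS_QUERY_LIMITED_INFORMATION"),
]

# Assumed allow-list of processes that legitimately open lsass.exe on most
# hosts; tune it to the baseline of your own environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample of Sysmon Event ID 10 records (plus one unrelated
# Event ID 1 record) as a forwarder might emit them, one event per line.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9c534
EventID=10 SourceImage=C:\\Users\\alice\\Downloads\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9c534|UNKNOWN(00007FF6A1B21000)
EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9c534
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (values carry no spaces here)."""
    return dict(FIELD_RE.findall(line))


def describe_access(mask: int) -> List[str]:
    """Name the rights set in an access mask, for readable alerts."""
    return [name for bit, name in ACCESS_NAMES if mask & bit]


def is_suspicious_lsass_access(event: Dict[str, str]) -> bool:
    """True for a ProcessAccess event that can read lsass.exe memory and
    originates from a process outside the allow-list."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # querying lsass without reading its memory is not a dump
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def find_lsass_readers(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the check over a stream of log lines and return the offending events."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if is_suspicious_lsass_access(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_lsass_readers(SAMPLE_LOG.splitlines()):
        rights = ", ".join(describe_access(int(hit["GrantedAccess"], 16)))
        print(f"lsass.exe opened by {hit['SourceImage']} with {rights}")
```

Only the second record trips the check: svchost.exe is allow-listed, the first record asks for query rights only, and the third targets a different process. In practice the allow-list should be built from your own baseline, and the access-mask check is what keeps the rule from paging on every process that merely queries LSASS.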