Credential dumping from a compromised target has never been more effortless until the release of the great tool Mimikatz. The name itself is a French word meaning “cute cats”. This tool is an excellent addition to any security researcher for compromising computer security. Whether it be a Penetration Tester, a Red Teamer, Black Hat, or a White Hat, this is a must-learn tool for everyone. Due to its popularity and features, it is built into many C2 frameworks, malware campaigns, post-exploitation tools, and many more. Another good thing is that this is not a private NSA hacking tool. Rather it is an open-source and free tool developed by an ethical hacker Benjamin Deply in 2007. Since then, many versions of this amazing tool have been released. These continuous improvements turned it into an amazing hacking tool that one must have in their tool arsenal.
There are many tools that utilize Mimikatz. Invoke-Mimikatz is a Powershell tool that can be run by uploading to the system. Alternatively, you can run it via IEX which downloads the file and executes it without touching the disk.
Mimikatz History
In 2007, Benjamin Deply created Mimikatz as a PoC (Proof of Concept) to demonstrate a flaw in Microsoft’s Authentication Protocols. The flaw was in the way that Windows protected its users’ passwords. The creator says that Mimikatz was a side project to learn more about Windows Security and the C Programming Language. The evolution and improvements of Mimikatz are the reason that everyone uses it.
You can get Mimikatz from the official Github repository which contains the source code as well as the compiled binaries.
You can learn more about how it became THE popular hacking tool from here.
WHAT IS IT?
This is a tool used to view and steal credentials (that are stored in the memory), generate Kerberos tickets, and leverage attacks. The few attacks that it can leverage include the following
Credential Dumping
Pass The Hash
Over Pass The Hash
Pass The Ticket
Golden Ticket
Silver Ticket
Mimikatz is a post-exploitation tool that allows an attacker to extract sensitive information from Windows systems, including passwords, Kerberos tickets, and plaintext passwords stored in memory.
Working
Mimikatz is designed to exploit weaknesses in Windows security mechanisms, such as the way that passwords are stored in memory. It works by injecting itself into the LSASS process, which is responsible for managing security credentials on a Windows system. Once injected, Mimikatz can extract credentials from memory, including plaintext passwords, hashes, and Kerberos tickets. It can also perform pass-the-hash attacks, where an attacker uses stolen password hashes to authenticate to a remote system.
Mimikatz in Action
For the demonstration, we assume that we already have access to the Domain Controller. So go to the Domain Controller machine and download the Mimikatz binary from the Github. Once you download the zip file, extract it and navigate to the following directory
PATH_TO_MIMIKATZ_FOLDER/x64
There you will find a mimikatz binary along with some dll and system files.
Before starting working with this amazing tool, I recommend you read on its wiki about different modules that this tool provides. The wiki explains each module along with its functions and commands.
For example, following is the detail for the privilege module that everyone uses as the first step after running mimikatz
Credential Dumping With Mimikatz
First, run the mimikatz through cmd by going into the specified path above and running the mimikatz executable as below
Now, the first step you should always do is to run the following command
privilege::debug
privilege is a command group in Mimikatz that allows the user to manipulate the privileges of the current process
The :: operator is for accessing commands within a command group
debug is the name of the privilege command that is being manipulated. The debug privilege allows a process to attach to or debug another process
Enabling the debug privilege for the current process is necessary for some of Mimikatz’s functionality. These include dumping LSASS memory to extract sensitive information. To use this debug privilege, the user must have administrative privileges on the system.
There are memory protections in place so in order to dump the credentials, we need to bypass the protections by enabling the privilege debug. When you run the command, you should see Privilege '20' OK as output
If you get some error, it means that you don’t have administrator privileges while running the mimikatz.
Logon Passwords
sekurlsa module allows us to interact with the LSASS process and extract authentication credentials, including passwords, kerberos tickets, and NTLM hashes.
logonpasswords is its command that extracts plaintext passwords and NTLM hashes associated with user logons.
Run the following command in mimikatz
sekurlsa::logonpasswords
The output shows us the computer name, NTLM hash as well as any user that has logged into the computer since last reboot. The memory stores all this information and mimikatz dumps it.
There could be possibility that a computer also be able to log into the Domain Controller along with the users. Look for the accounts that once had logged into the computer and get their hashes.
The good point is that we get NTLM hashes that can we can further relay and pass for attacks including pass-the-hash.
Even if we get access to some other system in the AD environment, we can look in logon passwords for Administrator login. We can then use its NTLM hash for further attacks.
wdigest in the output is a registry feature that was enabled by default in Windows 7 and prior versions of windows. It stored the passwords in plaintext. But from Windows 8 and later, this has been patched by turning this feature off. Therefore, in the output for wdigest, you can see (null) against the password field because this is Windows 10 machine.
Since wdigest is off by default, we can actually turn it on through mimikatz and then wait for someone to log into the computer. As soon anyone logs in, we would be able to get their plaintext password as well.
Dumping SAM
We can actually dump SAM hashes using the command lsadump::sam as below
If we are not SYSTEM or using an impersonated SYSTEM token, we will get this access denied error.
Remember, we are Administrator. Not SYSTEM
To bypass this, we need to run a series of commands
token::whoami # it will show the current user
token::elevate # it will elevate the token privileges to SYSTEM
lsadump::sam
Through this, you will be able to dump SAM as well
Dumping LSA
LSA (Local Security Authority) is a protected subsystem in Windows Authentication. It authenticates and creates logs on sessions to the local computer. It has the usernames along with their NTLM hashes and we can get this using the command lsadump::lsa
We can try to either crack these NTLM hashes or use them in pass-the-hash attacks.
Second Exercise
In our second exercise today, we’re going to be compromising a Windows 7 VM and using Mimikatz within Metasploit to steal the password of the user that’s logged into our VM. So, let’s get started!
Step 1: Generate Payload and Set up Handler
First things first, we need to generate a payload to execute on our victim machine. For this we’ll be using msfvenom to generate a meterpreter payload in the form of an EXE file. Once we’ve generated our payload, we can move it to /var/www/html on our Kali VM and use the command service apache2 start in order to start a web server to serve our payload to the victim (note: I’ll be generating the payload within the aforementioned directory):
Now that we’ve got our payload, we can move on to setting up our handler. The handler will catch the connection made by the payload on the victim machine. Once we catch the connection, we should be yielded a meterpreter. In order to set up the handler, we use multi/handler from within the msfconsole:
Note: The LHOST and LPORT values are the same between the payload we generated and our handler. LHOST should be the local IP address of your attacking machine, and LPORT should be the port to listen on/connect back to. These values must be the same between the payload and handler, or else we won’t be able to catch the connect back.
Step 2: Serve Payload and Gain Access
Now that we have our web server up and ready to serve our payload, and our handler listening for the reverse connection, we can move on to downloading and executing our payload on the victim machine:
Note: I’m using Internet Explorer for this act, as using a more modern browser (such as Google Chrome) will flag our payload as malware and refuse to download it. This is due to the fact our payload is an un-obfuscated EXE file of a well-known payload.
Once our payload is finished download, we need to right-click it and hit “Run as Administrator.” This step isn’t 100% necessary, but if we don’t then we’ll have to jump through the hoops of privilege escalation (which is beyond the scope of this article). Now that we’ve downloaded and executed our payload, we can return to our Kali machine and we should see that we have a brand new meterpreter, with which we can load mimikatz and steal that password!
Step 3: Load Mimikatz and Steal Credentials
So, we’ve got our meterpreter. But there’s a slight problem, mimikatz needs SYSTEM privileges in order to perform. But don’t fret! Since we ran our payload as Administrator, we should be able to use the getsystem meterpreter command to elevate our privileges to that of SYSTEM:
There we go! Now that we have SYSTEM privileges, we can load the mimikatz extension for our meterpreter:
Alright, we’ve loaded mimikatz successfully, so lets take a look at the help page:
Here we can see that we have many options when using mimikatz. Most of the options presented in the help page are various tactics for pulling passwords out of memory (Note: the mimikatz_command option can be used to access other capabilities of mimikatz, which I plan on getting to in a later article).
After some trial and error regarding which tactic to use, I discovered that in this particular case, the wdigest method will successfully retrieve the Windows credentials we’re after:
There we have it. We can see at the bottom of the above screenshot that the credentials mimikatz pulled are; Username: Defalt, Password: C0mplexP@ssw0rd!!@, which are the credentials I set before we began this exercise.
Conclusion
Mimikatz is a super powerful tool with so many features to help in further escalation, pivoting, and lateral movement. We have covered only a few of the modules and commands. But you can look into the wiki for different modules and a bunch of commands in each module. You can then practice each command in your environment and also look for ways to bypass the errors or protections just like we did in SAM dump.
Welcome back my fellow hackers! Today we’re going to be deviating from our antivirus evading escapades to discuss a tool that I’ve recently started using, Mimikatz. Mimikatz is a tool to automate many Windows hacking tactics. The capabilities of mimikatz stretch much further than a single article, so today we’re going to be focusing on a basic function of mimikatz, stealing Windows credentials straight from memory. Lucky for us, Rapid7 has included mimikatz into Metasploit, which makes it very easy to use.
Now that we’ve got our payload, we can move on to setting up our handler. The handler will catch the connection made by the payload on the victim machine. Once we catch the connection, we should be yielded a meterpreter. In order to set up the handler, we use multi/handler from within the msfconsole:
Note: The LHOST and LPORT values are the same between the payload we generated and our handler. LHOST should be the local IP address of your attacking machine, and LPORT should be the port to listen on/connect back to. These values must be the same between the payload and handler, or else we won’t be able to catch the connect back.
Note: I’m using Internet Explorer for this act, as using a more modern browser (such as Google Chrome) will flag our payload as malware and refuse to download it. This is due to the fact our payload is an un-obfuscated EXE file of a well-known payload.
Once our payload is finished download, we need to right-click it and hit “Run as Administrator.” This step isn’t 100% necessary, but if we don’t then we’ll have to jump through the hoops of privilege escalation (which is beyond the scope of this article). Now that we’ve downloaded and executed our payload, we can return to our Kali machine and we should see that we have a brand new meterpreter, with which we can load mimikatz and steal that password!
There we go! Now that we have SYSTEM privileges, we can load the mimikatz extension for our meterpreter:
Alright, we’ve loaded mimikatz successfully, so lets take a look at the help page:
Here we can see that we have many options when using mimikatz. Most of the options presented in the help page are various tactics for pulling passwords out of memory (Note: the mimikatz_command option can be used to access other capabilities of mimikatz, which I plan on getting to in a later article).
After some trial and error regarding which tactic to use, I discovered that in this particular case, the wdigest method will successfully retrieve the Windows credentials we’re after:
There we have it. We can see at the bottom of the above screenshot that the credentials mimikatz pulled are; Username: Defalt, Password: C0mplexP@ssw0rd!!@, which are the credentials I set before we began this exercise.