Mimikatz History
In 2007, Benjamin Delpy created Mimikatz as a PoC (Proof of Concept) to demonstrate a flaw in Microsoft's authentication protocols: the way Windows protected its users' passwords. The creator says that Mimikatz was a side project to learn more about Windows security and the C programming language. The evolution and improvements of Mimikatz are the reason that everyone uses it. You can get Mimikatz from the official GitHub repository, which contains the source code as well as the compiled binaries. You can learn more about how it became THE popular hacking tool from here.
WHAT IS IT?
Mimikatz is a tool used to view and steal credentials that are stored in memory, generate Kerberos tickets, and perform attacks. The attacks it can perform include the following:
- Credential Dumping
- Pass The Hash
- Over Pass The Hash
- Pass The Ticket
- Golden Ticket
- Silver Ticket
Working
Mimikatz is designed to exploit weaknesses in Windows security mechanisms, such as the way that passwords are stored in memory. It works by injecting itself into the LSASS process, which is responsible for managing security credentials on a Windows system. Once injected, Mimikatz can extract credentials from memory, including plaintext passwords, hashes, and Kerberos tickets. It can also perform pass-the-hash attacks, in which an attacker uses stolen password hashes to authenticate to a remote system.
Mimikatz in Action
For the demonstration, we assume that we already have access to the Domain Controller. So go to the Domain Controller machine and download the Mimikatz binary from GitHub. Once you have downloaded the zip file, extract it and navigate to the following directory
There you will find the mimikatz binary along with some DLL and system files.
Credential Dumping With Mimikatz
First, run mimikatz through cmd by going into the path specified above and running the mimikatz executable as below. Then run privilege::debug, which breaks down as follows:
- privilege is a command group in Mimikatz that allows the user to manipulate the privileges of the current process
- the :: operator is for accessing commands within a command group
- debug is the name of the privilege command that is being run. The debug privilege allows a process to attach to or debug another process
You should see Privilege '20' OK as output.
Logon Passwords
The sekurlsa module allows us to interact with the LSASS process and extract authentication credentials, including passwords, Kerberos tickets, and NTLM hashes. logonpasswords is its command that extracts plaintext passwords and NTLM hashes associated with user logons. Run sekurlsa::logonpasswords in mimikatz.
wdigest in the output is a registry feature that was enabled by default in Windows 7 and prior versions of Windows. It stored passwords in plaintext. From Windows 8 and later, this has been patched by turning the feature off. Therefore, in the output for wdigest you can see (null) against the password field, because this is a Windows 10 machine.
Since wdigest is off by default, we can actually turn it on through mimikatz and then wait for someone to log into the computer. As soon as anyone logs in, we would be able to get their plaintext password as well.
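Because the wdigest switch described above lives in the registry, a defender can audit it and switch it back off. The following PowerShell function is an added example, not code from the original post; it assumes the standard Windows WDigest key and value name and an elevated session.

```powershell
# Added defensive check (not from the original post): report whether WDigest
# plaintext credential caching has been turned on, and optionally turn it off.
# Assumes the standard key below; run from an elevated PowerShell session.
function Get-WDigestStatus {
    [CmdletBinding()]
    param(
        # When set, reset UseLogonCredential to 0 if it is currently 1.
        [switch]$Remediate
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'

    # A missing value means the feature is in its default (off) state on
    # current Windows versions; only an explicit 1 enables plaintext caching.
    $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }
    $enabled = ($null -ne $value) -and ([int]$value -eq 1)

    $remediated = $false
    if ($enabled -and $Remediate) {
        # Turning it back off stops new logons from being cached in plaintext;
        # secrets already held by LSASS persist until those sessions end.
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        $remediated = $true
        $enabled    = $false
    }

    [pscustomobject]@{
        Key                     = $key
        Value                   = $value
        PlaintextCachingEnabled = $enabled
        Remediated              = $remediated
    }
}

# Usage: audit only, then audit and fix.
Get-WDigestStatus
Get-WDigestStatus -Remediate
```

A value of 1 on a host where nobody configured it deliberately is a strong indicator that someone prepared the machine for plaintext credential capture and is worth investigating, not just resetting.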
Dumping SAM
We can actually dump SAM hashes using the command lsadump::sam as below. If this fails, remember that we are Administrator, not SYSTEM. To bypass this, we need to run a series of commands:
token::whoami # it will show the current user
token::elevate # it will elevate the token privileges to SYSTEM
Through this, you will be able to dump SAM as well.
Dumping LSA
LSA (Local Security Authority) is a protected subsystem in Windows authentication. It authenticates users and creates logon sessions on the local computer. It holds the usernames along with their NTLM hashes, and we can get these using the command