During a pentest, Mimikatz is considered a post-exploitation tool. It can perform various credential-gathering techniques such as:
Pass the Hash
Pass the Ticket
Over-Pass the Hash (Pass the Key)
Kerberos Golden Ticket
Kerberos Silver Ticket
Pass the Cache
Attacking the Kerberos Session Ticket
Developed by Benjamin Delpy, the official GitHub repository can be found at https://github.com/gentilkiwi/mimikatz. Delpy gives us the option to download the binaries directly at https://github.com/gentilkiwi/mimikatz/releases or to build our own using Microsoft Visual Studio 2010, 2012, or 2013. To stay synchronized with the latest updates, the following links are helpful:
GIT URL: https://github.com/gentilkiwi/mimikatz.git
ZIP file URL: https://github.com/gentilkiwi/mimikatz/archive/master.zip
Offensive Security has already integrated version 1 of Mimikatz as a Meterpreter script, which gives easy access to its complete feature set without the hassle of uploading scripts to the target machine. However, the latest version of Mimikatz (v2) can be found at the links mentioned above.
Dumping clear text credentials
Once downloaded or built, run Mimikatz as an administrator. Depending on the Windows machine you are using (32-bit or 64-bit), run the matching Mimikatz binary. This is what it will look like when it starts:
Before we start dumping passwords, we need to start the logging process and enable the debug privilege. To start logging, we simply type ‘log’.
The file Mimikatz.log will be created the first time it is run, and all input/output will be stored in it for future reference. Next, we enable the debug privilege. To do that, simply type ‘privilege::debug’. The debug privilege allows the process to debug other processes it normally wouldn’t have access to.
Note: ERROR kuhl_m_privilege_simple; RtlAdjustPrivilege (20) c0000061 means that you do not have the required privilege to run the command. Try running Mimikatz as an administrator. The ‘version’ command will tell us the details of the Windows machine being used:
Typically, instructions are in the following format:
Modulename::commandName arguments
To dump clear text passwords, the ‘sekurlsa::logonpasswords’ command is used:
And there you have it: the password as an NTLM hash and in clear text.
Mimikatz with Meterpreter
As stated earlier, Offensive Security has added v1 of Mimikatz as a Meterpreter script with easy access to all its features. Let us see how it works. We start by loading Mimikatz in Meterpreter by running the following command: “load mimikatz”.
It is imperative to know that we should run this command only when we have Administrator privileges. Once loaded, we can start by checking the version to confirm that Mimikatz has been loaded successfully. We can do that with the following command: “mimikatz_command -f version”:
Next, we can try running the “msv” command to see what it returns:
We can see that we are given the LM and NTLM hashes but not a clear text password. We can now run “mimikatz_command -f samdump::hashes” to see what it returns:
Followed by running “mimikatz_command -f sekurlsa::searchPasswords”:
which returns the password in clear text. Another Mimikatz module is the Service module. It lets us list, start, stop, or remove services running on the machine: “mimikatz_command -f service::”
As we can see, this command lists all the services currently running. Another Mimikatz module is the Crypto module. It lets us list and export any certificates and their corresponding private keys stored on the compromised machine, even if they are marked as non-exportable.
Uncovering mines in Minesweeper
Another great Mimikatz module lets you read the location of the mines straight from memory. Never lose a game again! Note that the command only works once you have started the game. Simply type: “minesweeper::infos”:
Conclusion
Mimikatz is a great post-exploitation tool that provides a bunch of useful features that would otherwise require two or three different tools. Though a lot of syntax changes were made in v2, the learning curve is not steep at all.