Mimikatz is a powerful post-exploitation tool that is often used in penetration testing and red team operations to extract sensitive information from Windows systems. It is widely known for its ability to extract plaintext passwords, hashes, Kerberos tickets, and other authentication data from memory. Mimikatz was originally created by French security researcher Benjamin Delpy, and it has since become a go-to tool for attackers and defenders alike.
Here’s a breakdown of the key features, uses, and capabilities of Mimikatz:
Key Features of Mimikatz:
- Password Extraction: Mimikatz reads the memory of the Local Security Authority Subsystem Service (LSASS) and recovers the credential material Windows keeps for every logon session, which is what makes it such a potent post-exploitation tool.
  - Plaintext Passwords: On older systems, and on newer ones where the WDigest provider still caches logon credentials, the user's password sits in LSASS memory in clear text and Mimikatz reads it back.
  - NTLM Hashes: The NT hash of each logged-on account is held in LSASS for NTLM authentication and can be reused directly in Pass-the-Hash attacks.
  - Kerberos Tickets: Ticket Granting Tickets (TGTs) and service tickets (TGS) cached for logged-on users can be exported and replayed elsewhere.
- Pass-the-Hash (PtH): Mimikatz starts a new logon session in which the NTLM credential is an NT hash (taken from LSASS, the SAM or NTDS.dit) rather than a password, so the attacker authenticates to other systems as that user without ever learning the password.
- Pass-the-Ticket (PtT): Mimikatz injects an exported or forged Kerberos ticket into the current logon session, after which every Kerberos authentication from that session is performed as the ticket's owner. A stolen TGT stays usable until it expires (10 hours by default) and can be renewed up to the domain's renewal limit (7 days by default), so the attacker keeps access long after the user has logged off.
- Kerberos Ticket Forgery: Given the right key, Mimikatz forges tickets instead of stealing them:
  - Golden Ticket: A forged TGT encrypted and signed with the key of the domain's KRBTGT account (its NT hash or AES key). The KDC trusts any TGT it can decrypt, so the forged ticket can be used to request service tickets for any service in the domain, with whatever user name and group memberships the attacker chooses.
  - Silver Ticket: A forged service ticket (TGS) signed with the key of the account that runs the target service, for example the computer account for CIFS or HTTP on a given host. It grants access to that one service only, but the domain controller is never contacted, so nothing is logged there.
- Credential Dumping: Beyond LSASS memory, Mimikatz recovers credentials from the other stores on a Windows system:
  - LSA Secrets: Secrets kept under HKLM\SECURITY\Policy\Secrets, such as service account passwords, the computer account password and auto-logon credentials, decrypted with the boot key from the SYSTEM hive. (These live in the registry, not in LSASS memory; the LSASS-resident material is what sekurlsa covers.)
  - SAM Database: The local Security Accounts Manager (SAM) hive, which holds the NT hashes of local accounts, including the built-in Administrator.
  - Credential Manager and DPAPI: Credentials saved by Windows Credential Manager (saved RDP and web logons), scheduled-task passwords, and browser stores such as Chrome's are protected with DPAPI; Mimikatz decrypts them once it holds the user's DPAPI master key or the domain backup key.
- Privilege Escalation: Mimikatz can impersonate the SYSTEM token of a running process (token::elevate) and use credentials recovered from LSASS or the SAM, such as a cached domain administrator hash, to obtain higher privileges. It does not remove the need for local administrator rights in the first place: opening LSASS or reading the SAM already requires them.
- Lateral Movement: Combining the above, an attacker reuses dumped NT hashes or Kerberos tickets to authenticate to other machines on the network and repeats the process from each new foothold.
Common Mimikatz Commands and Features
Here are some of the most common Mimikatz commands and their purposes:
- Enabling the Required Privilege:
  privilege::debug: Enables SeDebugPrivilege in the current token, which Mimikatz needs to open LSASS and read its memory. The privilege must already be assigned to the user (members of the local Administrators group hold it by default); the command does not grant it to an unprivileged account.
- Dumping Passwords and Hashes from Memory:
  sekurlsa::logonpasswords: The most widely used command. It reads LSASS memory and prints, for every logon session, the credentials held by each authentication package: NT hashes (msv), plaintext passwords where WDigest or SSP caching is enabled, Kerberos keys and tickets, and so on.
  sekurlsa::msv: Restricts the output to the MSV1_0 package, that is, the NT (and on old systems LM) hashes. Despite the similar name it has nothing to do with Credential Manager.
- Pass-the-Hash:
  sekurlsa::pth: Starts a new process under a logon session whose NTLM credential is replaced by a supplied NT hash (/ntlm:) or whose Kerberos keys are replaced by a supplied AES key (/aes256:, the "over-pass-the-hash" variant). Network authentication from that process is performed as the target user without the plaintext password; the local identity of the process is unchanged.
- Kerberos Ticket Dumping and Injection:
  kerberos::list: Lists the tickets cached in the current logon session (TGT and service tickets); kerberos::list /export writes them to .kirbi files. sekurlsa::tickets /export does the same for every logon session on the machine and therefore needs SeDebugPrivilege.
  kerberos::ptt: Injects a .kirbi ticket into the current session (Pass-the-Ticket), so subsequent Kerberos authentication uses the ticket's identity.
- Ticket Forgery:
  kerberos::golden: Builds a Golden Ticket from the KRBTGT key (/krbtgt: for the NT hash or /aes256: for the AES key), the domain SID (/sid:) and an arbitrary user name (/user:). With /target: and /service: plus the service account's key (/rc4: or /aes256:) it builds a Silver Ticket instead. /ptt injects the result immediately; /ticket: writes it to a file.
- Dumping the SAM and LSA Secrets:
  lsadump::sam: Reads the SAM hive and prints the NT hashes of local accounts. It needs the boot key from the SYSTEM hive, which Mimikatz reads after token::elevate or from exported hive files (/system: and /sam:).
  lsadump::secrets: Decrypts the LSA secrets (service account passwords, the machine account password, auto-logon credentials); lsadump::cache dumps cached domain logon verifiers.
  lsadump::dcsync: Asks a domain controller to replicate an account's secrets over the directory replication protocol, which is how the KRBTGT hash is normally obtained. It requires replication rights, held by Domain Admins by default, and leaves no trace on the DC beyond a replication request.
- Windows Credential Manager and DPAPI:
  vault::list and vault::cred: Enumerate and decrypt credentials saved in Credential Manager; dpapi::cred and dpapi::chrome decrypt DPAPI-protected blobs, including Chrome's saved logins, given the corresponding master key.
 
Practical Use Cases for Mimikatz:
- Post-Exploitation: After gaining administrative access to a target system, Mimikatz is used to dump the passwords, hashes and tickets of every user who has logged on to it; those credentials are then reused (Pass-the-Hash, Pass-the-Ticket) to reach other systems.
- Privilege Escalation: A local administrator on a workstation that a domain administrator has logged on to can dump that administrator's credentials from LSASS and use them, or inject a forged ticket into the current session. Mimikatz does not crack passwords; a hash it recovers is either passed directly or handed to an offline cracking tool.
- Reconnaissance from Cached Credentials: The Kerberos tickets and credentials cached on a machine reveal which service accounts, service principal names and users are in use there, which helps in choosing the next target for lateral movement or escalation.
- Red Teaming and Penetration Testing: In authorized engagements, Mimikatz is the standard tool for demonstrating credential theft and lateral movement and for checking whether the mitigations below are actually in place.
- Obtaining the KRBTGT Hash: The highest-value target is the KRBTGT account's key, which exists only on domain controllers (in NTDS.dit and in the DC's LSASS). It is usually obtained with lsadump::dcsync from an account holding replication rights, or with lsadump::lsa /inject on a domain controller itself, and is then used to forge Golden Tickets that grant full access to the domain until the KRBTGT password has been changed twice.
Countermeasures and Defense Against Mimikatz:
- Use Windows Defender Credential Guard:
  - Credential Guard moves NTLM hashes, Kerberos TGTs and derived credentials into a virtualization-based isolated process (LSAIso), so reading LSASS memory no longer yields them. It does not protect service tickets already issued to the session, credentials typed into an application, the SAM hive or DPAPI secrets, so it complements the other measures rather than replacing them. Two related settings close more of the gap: LSA protection (RunAsPPL) stops unsigned code, Mimikatz included, from opening LSASS at all, and disabling WDigest credential caching (UseLogonCredential = 0) removes plaintext passwords from memory on systems that still cache them.
- Use Strong, Unique Passwords and Reset KRBTGT Correctly:
  - Ensure all privileged accounts use strong, unique passwords. Reset the KRBTGT password twice, at least 10 hours (the maximum TGT lifetime) apart, after any suspected compromise and on a regular schedule; a single reset leaves the previous key valid and Golden Tickets forged with it keep working.
- Restrict NTLM Authentication:
  - Where possible, block NTLM with the "Network security: Restrict NTLM" policies, auditing first to find the exceptions. Setting LmCompatibilityLevel to 5 (NTLMv2 only) stops LM and NTLMv1 responses, whose weak design lets an attacker recover the NT hash from captured traffic, but it does not stop Pass-the-Hash: that works with NTLMv2 because the attacker already holds the hash.
- Prefer Kerberos Authentication:
  - Windows clients already prefer Kerberos and fall back to NTLM only when Kerberos fails, so make sure it succeeds: register SPNs for every service, address hosts by name rather than by IP address, and put privileged accounts in the Protected Users group, which forbids NTLM, DES and RC4 for those accounts and prevents their credentials from being cached.
- Use SMB Signing (and LDAP Signing):
  - Require SMB signing on both clients and servers, and LDAP signing and channel binding on domain controllers, so that NTLM authentication captured from one host cannot be relayed to another.
- Limit Administrative Privileges:
  - Implement least privilege by restricting administrative rights to a minimal set of accounts, and never let those accounts log on to lower-tier machines: a domain administrator's credentials can only be dumped from a workstation if they were used on it. Use dedicated, hardened administrative workstations for sensitive tasks.
- Monitor for Credential Dumping and Credential Reuse:
  - Alert on processes other than known security software opening lsass.exe with read access (Sysmon Event ID 10 with TargetImage lsass.exe), on type 9 logons with logon process "seclogo" (Security Event 4624, the signature of sekurlsa::pth), and on Kerberos anomalies on domain controllers such as service ticket requests (4769) using RC4 (encryption type 0x17) in an AES-only domain or for accounts that never requested a TGT (4768). Feed these into the SIEM and the endpoint protection platform rather than relying on signature detection of the Mimikatz binary, which is trivially repacked.
 
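The host-level settings in the list above (LSA protection, WDigest caching, NTLMv2-only, NTLM restriction, SMB signing, Credential Guard) each map to a registry value or a WMI property that can be checked on a single machine. The script below is an added example, not part of the page or of any Microsoft tooling; it audits those values and, with -Fix, sets the registry ones. The allow-listed paths and the 'OK'/'FAIL' reporting format are my choices. Group Policy remains the right way to roll the settings out fleet-wide.

```powershell
# Added example: audit (and optionally apply) anti-credential-theft settings.
# Run from an elevated PowerShell. Registry paths are the documented ones
# behind the corresponding Group Policy settings.
param([switch]$Fix)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$wdig = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Desired state: key, value name, expected DWORD, and what it defends against.
$checks = @(
    @{ Path=$lsa;  Name='RunAsPPL';                   Want=1; Why='LSA protection: only signed code may open LSASS' },
    @{ Path=$wdig; Name='UseLogonCredential';         Want=0; Why='no plaintext passwords cached by WDigest' },
    @{ Path=$lsa;  Name='LmCompatibilityLevel';       Want=5; Why='send NTLMv2 only; refuse LM and NTLMv1' },
    @{ Path=$msv;  Name='RestrictSendingNTLMTraffic'; Want=2; Why='deny outgoing NTLM (use 1 = audit first)' },
    @{ Path=$srv;  Name='RequireSecuritySignature';   Want=1; Why='SMB signing required as server' },
    @{ Path=$wks;  Name='RequireSecuritySignature';   Want=1; Why='SMB signing required as client' }
)

foreach ($c in $checks) {
    # A missing value reads as $null, which counts as FAIL (default is unhardened).
    $cur    = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok     = ($cur -eq $c.Want)
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1}\{2} = {3} (want {4}): {5}' -f $status, $c.Path, $c.Name, $cur, $c.Want, $c.Why

    if (-not $ok -and $Fix) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
    }
}

# Credential Guard cannot be switched on by a registry write alone (it needs
# VBS, UEFI and a reboot), so it is only reported. SecurityServicesRunning
# contains 1 when Credential Guard is active on this host.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 1)) {
    'OK   Credential Guard is running'
} else {
    'FAIL Credential Guard is not running (enable VBS + Credential Guard by policy, then reboot)'
}
```

Setting RestrictSendingNTLMTraffic to 2 on a host that still has NTLM-only dependencies will break them, so run with the value at 1 (audit) and review the NTLM audit log before moving to 2. The KRBTGT double reset is a domain operation, not a host setting: two Set-ADAccountPassword -Identity krbtgt -Reset runs from the ActiveDirectory module, at least 10 hours apart.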
 
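The monitoring bullet names three event signatures; the function below is an added example (not from the page) that turns them into classification logic. It works on plain hashtables so it runs offline against the constructed sample events at the end; against a live host, the same hashtables are built from the EventData fields of Get-WinEvent output. The allow-list of processes permitted to read LSASS and all sample values are my assumptions.

```powershell
# Added example: classify Windows Security and Sysmon events for the
# Mimikatz indicators described above. Field names match the EventData
# element names of the real events (TargetImage, LogonType, ...).

# Processes that legitimately read LSASS memory; extend with your EDR/AV.
$LsassAllowList = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)

function Test-MimikatzIndicator {
    param([Parameter(Mandatory)][hashtable]$Event)   # Provider, Id, EventData fields

    switch ($Event.Id) {
        10 {   # Sysmon ProcessAccess: something opened lsass.exe
            if ($Event.Provider -eq 'Microsoft-Windows-Sysmon' -and
                $Event.TargetImage -like '*\lsass.exe' -and
                $LsassAllowList -notcontains $Event.SourceImage) {
                # PROCESS_VM_READ (0x10) is the right every credential dumper needs;
                # Mimikatz typically shows GrantedAccess 0x1010 or 0x1410.
                $access = [Convert]::ToInt32($Event.GrantedAccess, 16)
                if ($access -band 0x10) {
                    return "LSASS read by $($Event.SourceImage) (GrantedAccess $($Event.GrantedAccess))"
                }
            }
        }
        4624 { # Logon type 9 (NewCredentials) via 'seclogo': runas /netonly or sekurlsa::pth
            if ($Event.LogonType -eq 9 -and $Event.LogonProcessName -eq 'seclogo') {
                return "NewCredentials logon (possible pass-the-hash): $($Event.SubjectUserName) now acting as $($Event.TargetUserName)"
            }
        }
        4769 { # Service ticket request using RC4 in a domain that should be AES-only
            if ($Event.TicketEncryptionType -eq '0x17') {
                return "RC4 service ticket for $($Event.ServiceName) requested by $($Event.TargetUserName) (possible forged or downgraded ticket)"
            }
        }
    }
    return $null
}

# --- Constructed sample events (not real telemetry) ---
$samples = @(
    @{ Provider='Microsoft-Windows-Sysmon'; Id=10; SourceImage='C:\Users\bob\Downloads\update.exe';
       TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1010' },
    @{ Provider='Microsoft-Windows-Sysmon'; Id=10; SourceImage='C:\Program Files\Windows Defender\MsMpEng.exe';
       TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1010' },
    @{ Provider='Microsoft-Windows-Security-Auditing'; Id=4624; LogonType=9; LogonProcessName='seclogo';
       SubjectUserName='bob'; TargetUserName='Administrator' },
    @{ Provider='Microsoft-Windows-Security-Auditing'; Id=4624; LogonType=2; LogonProcessName='User32';
       SubjectUserName='-'; TargetUserName='bob' },
    @{ Provider='Microsoft-Windows-Security-Auditing'; Id=4769; ServiceName='cifs/FS01';
       TargetUserName='Administrator@CORP.LOCAL'; TicketEncryptionType='0x17' }
)

foreach ($e in $samples) {
    $hit = Test-MimikatzIndicator -Event $e
    if ($hit) { "ALERT  $hit" } else { "ok     event $($e.Id) from $($e.Provider)" }
}
```

Expect alerts for the first, third and fifth samples and "ok" for the Defender LSASS access and the interactive logon. The RC4 rule only makes sense once the domain's accounts and trusts have been moved to AES; in a mixed domain it will fire on every legacy client, so start by baselining 4769 encryption types per account before alerting on them.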
