This article is part of the series "Penetration Testing Explained".
We’re now at a point in this series where we’ve exhausted all our standard tricks to steal credentials: guessing passwords, or brute-force attacks on a dumped hash. What’s left is a clever idea called passing the hash, or PtH, that simply reuses the hashed credential as it is, without ever recovering the plaintext.
Remember the simple test environment I had set up?
I have a Windows domain with two servers for the mythical Acme company with its beer-based server naming scheme. Playing the part of the pen tester, I landed on employee Jane’s server, initially using a RAT, and then at some point was able to pop a shell. My goal is to gain credentials of another user with higher privileges and broader access rights than Jane; in other words, move laterally to Bob’s amstel server.
In our last post, I showed you how to dump the local user hashes with fgdump.
Let’s now meet mimikatz, developed by Benjamin Delpy.
Mimikatz is an amazingly powerful tool that reads the credential material cached in the lsass process (NTLM hashes, Kerberos tickets and, as we’ll see, sometimes plaintext passwords) and can start programs under those stolen credentials.
You can download the mimikatz binary from GitHub. Mimikatz runs lean with a total payload of about 395 kb.
To use mimikatz you’ll need admin privileges, the same as you did with fgdump. Reading another process’s memory, and lsass in particular, also requires SeDebugPrivilege, which is why the first command you type in the mimikatz console is privilege::debug.
Running sekurlsa::logonpasswords then gives you a listing of every active logon session, users and services alike, along with the NTLM and SHA1 hashes that the msv provider holds for each. The first surprise is that for interactive users, this pass-the-hash utility also displays the plaintext password, under the wdigest section of the listing.
I was under the impression that Windows would never do something so silly.
Technically, they don’t. The memory region in the lsass process where the Windows password is stored is encrypted, using keys that lsass itself holds (the LsaProtectMemory and LsaUnprotectMemory functions). Mimikatz locates those keys in the process’s memory and decrypts the blobs, so the encryption only stops casual reads, not an administrator who can read the whole process.
After doing some research, it turns out that Windows keeps the plaintext for WDigest, the security package behind HTTP Digest authentication, which needs the actual password to compute its response. You can read more about it here.
In 2014, Microsoft responded to this security hole with a patch (Security Advisory 2871997) that lets sys admins stop “WDigest” passwords from being stored. The advisory explains that they’ll need to set the UseLogonCredential DWORD under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 0. Two caveats: the change only takes effect for logons made after it, so sessions already in memory keep their plaintext until they log off, and an attacker with admin rights can flip the value back to 1, so the key is worth monitoring. Btw, in Windows 8.1 and Server 2012 R2 and above the default setting is not to store plaintext passwords in lsass.
Now as a pen tester, I learned that Jane’s server minimally needs some security tuning (the registry setting above) and, if it predates the fix, the patch itself.
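To make the listing above concrete, here is an added example in Python, written for this post and not taken from mimikatz or from the original article: a small parser for the layout of sekurlsa::logonpasswords output that pulls the NTLM hash out of each session’s msv section and flags any session whose wdigest (or kerberos) section still carries a plaintext password, which is exactly the symptom of a host that is missing the WDigest fix or still has UseLogonCredential set to 1. The sample output embedded in the block is constructed in that layout for this example: the computer name JANEPC$, the SID, the timestamps, the hashes and the password are all invented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of `sekurlsa::logonpasswords`. Every account,
# SID, hash and password below is invented for this example (JANEPC$ is a
# hypothetical workstation account).
SAMPLE_OUTPUT = """\
Authentication Id : 0 ; 1234567 (00000000:0012d687)
Session           : Interactive from 2
User Name         : bigadmin
Domain            : ACME
Logon Server      : DC1
Logon Time        : 3/4/2015 9:12:44 AM
SID               : S-1-5-21-1111111111-2222222222-3333333333-1105
        msv :
         [00000003] Primary
         * Username   : bigadmin
         * Domain     : ACME
         * NTLM       : 8846f7eaee8fb117ad06bdd830b7586c
         * SHA1       : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
        tspkg :
        wdigest :
         * Username   : bigadmin
         * Domain     : ACME
         * Password   : password
        kerberos :
         * Username   : bigadmin
         * Domain     : ACME.LOCAL
         * Password   : password
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : JANEPC$
Domain            : ACME
Logon Server      : (null)
Logon Time        : 3/4/2015 8:00:01 AM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username   : JANEPC$
         * Domain     : ACME
         * NTLM       : 0123456789abcdef0123456789abcdef
         * SHA1       : 0123456789abcdef0123456789abcdef01234567
        tspkg :
        wdigest :
         * Username   : JANEPC$
         * Domain     : ACME
         * Password   : (null)
        kerberos :
        ssp :
        credman :
"""


@dataclass
class LogonSession:
    auth_id: str
    session: str = ""
    user: str = ""
    domain: str = ""
    ntlm: Optional[str] = None          # from the msv provider
    sha1: Optional[str] = None
    plaintext: Dict[str, str] = field(default_factory=dict)  # provider -> password


def parse_logonpasswords(text: str) -> List[LogonSession]:
    """Split the listing into logon sessions and collect hashes and any plaintext."""
    sessions: List[LogonSession] = []
    current: Optional[LogonSession] = None
    provider: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Authentication Id"):
            current = LogonSession(auth_id=line.split(":", 1)[1].strip())
            sessions.append(current)
            provider = None
            continue
        if current is None:
            continue
        header = re.match(r"^(\w+) :$", line)     # provider header such as "msv :" or "wdigest :"
        if header:
            provider = header.group(1)
            continue
        if line.startswith("*"):                   # attribute inside a provider section
            key, _, value = line[1:].partition(":")
            key, value = key.strip().lower(), value.strip()
            if provider == "msv":
                if key == "ntlm":
                    current.ntlm = value
                elif key == "sha1":
                    current.sha1 = value
            elif key == "password" and value != "(null)":
                current.plaintext[provider or "?"] = value
            continue
        key, _, value = line.partition(":")        # session-level attribute
        key, value = key.strip().lower(), value.strip()
        if key == "session":
            current.session = value
        elif key == "user name":
            current.user = value
        elif key == "domain":
            current.domain = value
    return sessions


def plaintext_exposures(sessions: List[LogonSession]) -> List[LogonSession]:
    """Sessions still holding a cleartext password: the host lacks the WDigest fix
    or UseLogonCredential is still 1."""
    return [s for s in sessions if s.plaintext]


def ntlm_hashes(sessions: List[LogonSession]) -> List[Tuple[str, str, str]]:
    """(domain, user, NTLM) for every session with an NT hash: the pass-the-hash material."""
    return sorted({(s.domain, s.user, s.ntlm) for s in sessions if s.ntlm})


if __name__ == "__main__":
    found = parse_logonpasswords(SAMPLE_OUTPUT)
    for s in plaintext_exposures(found):
        print(f"PLAINTEXT {s.domain}\\{s.user}: {s.plaintext}")
    for domain, user, nt in ntlm_hashes(found):
        print(f"NTLM {domain}\\{user} {nt}")
```

Pointing this at a real dump from a fleet of hosts gives you two lists for the report: where an admin’s hash was exposed at all, and where the WDigest plaintext is still sitting in memory.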
Pass the Hash
The whole point of pass-the-hash is that you don’t need the actual password text, just the NTLM hash. The NT hash is the credential: the NTLM challenge-response a client sends is computed from the hash, never from the password, so whoever holds the hash can answer the challenge.
Hackers are on the lookout especially for admin-level domain users. If they get their hashes, it becomes relatively straightforward to use mimikatz to make the lateral move.
For my pen testing scenario, I had previously logged into Jane’s computer as user “bigadmin”, a domain-level account with elevated privileges.
In my test, I used mimikatz to start a command prompt under bigadmin’s NTLM hash (its sekurlsa::pth module) and ran psexec from it. Remember that utility?
Psexec allows users to remotely execute commands, in this case the Windows cmd shell program. As you can see from the screen capture, I’m now in amstel, the other server in the Acme environment, but logged in as bigadmin. Technically, I am “overpassing the hash” to psexec: more about this in my next post.
One of the lessons from using mimikatz is that any privileged account that logs into a workstation leaves its hash in that workstation’s lsass. So limit users’ networking capabilities, and set a policy that prevents domain-level admins from logging into an ordinary user’s machine (the “Deny log on” user rights in Group Policy do this). Smart hackers equipped with mimikatz can leverage these hashes, as we just saw, to move around a target network.
I’ll continue my mimikatz exploration in my next and final post in this series.