Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that their authentication protocols were vulnerable to attack. Instead, he inadvertently created one of the most widely used and downloaded hacker tools of the past 20 years.
Rendition Infosec’s Jake Williams said, “Mimikatz has done more to advance security than any other tool I can think of.” If you’re tasked with protecting Windows networks, it’s essential to keep up with the latest Mimikatz updates to understand the techniques hackers will use to infiltrate your networks – and stay one step ahead.
What is Mimikatz?
Mimikatz is an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.
Attackers commonly use Mimikatz to steal credentials and escalate privileges; in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
What Can Mimikatz Do?
Mimikatz originally demonstrated how to exploit a single vulnerability in the Windows authentication system. Now the tool demonstrates several different kinds of vulnerabilities. Mimikatz can perform credential-gathering techniques such as:
- Pass-the-Hash: Windows used to store password data in an NTLM hash. Attackers use Mimikatz to pass that exact hash string to the target computer to log in. Attackers don’t even need to crack the password; they just use the hash string as is. It’s the equivalent of finding the master key to a building on the floor: you only need that one key to get into all the doors.
- Pass-the-Ticket: Newer versions of Windows store password data in a construct called a ticket. Mimikatz provides functionality for a user to pass a Kerberos ticket to another computer and log in with that user’s ticket. It’s basically the same as pass-the-hash otherwise.
- Over-Pass the Hash (Pass the Key): Yet another flavor of pass-the-hash, but this technique passes a unique key, obtainable from a domain controller, to impersonate a user.
- Kerberos Golden Ticket: This is a pass-the-ticket attack, but it’s a specific ticket for a hidden account called KRBTGT, which is the account that encrypts all of the other tickets. A golden ticket gives you domain admin credentials to any computer on the network, and it doesn’t expire.
- Kerberos Silver Ticket: Another pass-the-ticket, but a silver ticket takes advantage of a feature in Windows that makes it easy for you to use services on the network. Kerberos grants a user a TGS ticket, and the user can use that ticket to log into any service on the network. Microsoft doesn’t always check a TGS after it’s issued, so it’s easy to slip it past any safeguards.
- Pass-the-Cache: Finally, an attack that doesn’t take advantage of Windows! A pass-the-cache attack is generally the same as a pass-the-ticket, but this one uses the saved and encrypted login data on a Mac/UNIX/Linux system.
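As an added defensive illustration (not part of the original post), the following Python flags service-ticket requests that look like the forged golden and silver tickets described above: Mimikatz typically builds forged tickets with RC4 unless it is given an AES key, and a forged ticket can name an account that does not exist. It assumes an AES-only domain, a key=value log layout, and constructed 4769 records and account list.

```python
"""Flag Windows Security event 4769 (TGS request) records that look like
forged Kerberos tickets.  Two indicators are checked: an RC4 (0x17) ticket in a
domain whose real accounts are issued AES tickets, and a ticket for an account
that does not exist in the directory.  Field names follow the 4769 event; the
event lines, the domain and the account list are constructed for this example."""

import re

# Encryption types as logged in the TicketEncryptionType field of 4769.
ENC_TYPES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

# Constructed directory snapshot: the accounts that actually exist.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_sql", "administrator"}

# Constructed 4769/4768 records flattened into key=value form.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=CIFS/FS01 TicketEncryptionType=0x12 IpAddress=10.0.0.21",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=HTTP/WEB01 TicketEncryptionType=0x12 IpAddress=10.0.0.22",
    "EventID=4769 TargetUserName=administrator@CORP.LOCAL ServiceName=CIFS/DC01 TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4769 TargetUserName=ghost@CORP.LOCAL ServiceName=LDAP/DC01 TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4768 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.21",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def suspicious_tgs(events, known_accounts, expected_enc=(0x11, 0x12)):
    """Return (account, service, client_ip, reasons) for each 4769 that trips an indicator."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue  # only service-ticket requests are examined here
        account = ev["TargetUserName"].split("@")[0].lower()
        enc = int(ev["TicketEncryptionType"], 16)
        reasons = []
        if enc not in expected_enc:
            reasons.append(f"ticket uses {ENC_TYPES.get(enc, hex(enc))} in an AES-only domain")
        if account not in known_accounts:
            reasons.append("account not present in directory")
        if reasons:
            hits.append((account, ev["ServiceName"], ev["IpAddress"], reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious_tgs(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(hit)
```

A single RC4 ticket is not proof of forgery in a domain that still has RC4-only accounts, so tune the expected encryption types to what your domain actually issues.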
Where to Download Mimikatz
How Do You Use Mimikatz?
When you run Mimikatz with the executable, you get a Mimikatz console in interactive mode where you can run commands in real time.
Run Mimikatz as Administrator: Mimikatz needs to be “Run as Admin” to function completely, even if you are using an Administrator account.
Checking Version of Mimikatz
There are two versions of Mimikatz: 32-bit and 64-bit. Make sure you are running the correct version for your installation of Windows. Run the command ‘version’ from the Mimikatz prompt to get information about the Mimikatz executable, the Windows version, and whether any Windows settings will prevent Mimikatz from running correctly.
Extracting clear text passwords from memory
The sekurlsa module in Mimikatz lets you dump passwords from memory. To use the commands in the sekurlsa module, you must have Admin or SYSTEM permissions.
First, run the command:
mimikatz # privilege::debug
The output will show if you have appropriate permissions to continue.
Next, start the logging functions so you can refer back to your work.
mimikatz # log nameoflog.log
And finally, output all of the clear text passwords stored on this computer.
mimikatz # sekurlsa::logonpasswords
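Since sekurlsa::logonpasswords reads credentials out of the LSASS process, a defender’s check is to watch for processes that open lsass.exe with memory-read rights. The Python below is an added example, not from the original post; it assumes Sysmon Event ID 10 (ProcessAccess) records flattened into key=value lines, a constructed allow-list of images that legitimately touch LSASS, and constructed sample events.

```python
"""Flag processes that open lsass.exe with rights that expose its memory.
Sysmon Event ID 10 logs every process handle open with the GrantedAccess mask;
a credential dump needs at least PROCESS_VM_READ on lsass.exe, while the
query-only opens made by tools such as Task Manager do not.  The records and
the allow-list are constructed for this example."""

import re

# Access-mask bits from the Win32 process access rights (winnt.h values).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed allow-list: images expected to hold LSASS handles on this estate.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\edr\sensor.exe"}

# Constructed Sysmon Event ID 10 records flattened into key=value form.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\jdoe\\Downloads\\mimikatz.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def lsass_access_alerts(events, allowed_sources):
    """Return (source_image, granted_mask, reason) for each lsass.exe open
    that carries read or write rights and comes from a non-allow-listed image."""
    alerts = []
    for line in events:
        ev = dict(FIELD_RE.findall(line))
        if ev.get("EventID") != "10":
            continue
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue  # handles to other processes are out of scope here
        src = ev["SourceImage"].lower()
        mask = int(ev["GrantedAccess"], 16)
        if mask & (PROCESS_VM_READ | PROCESS_VM_WRITE) == 0:
            continue  # query-only opens (e.g. 0x1400) cannot read memory
        if src in allowed_sources:
            continue
        reason = "full access" if mask == PROCESS_ALL_ACCESS else "memory read/write"
        alerts.append((src, mask, reason))
    return alerts


if __name__ == "__main__":
    for alert in lsass_access_alerts(SAMPLE_EVENTS, ALLOWED_SOURCES):
        print(alert)
```

Expect some noise from security products and from the Windows components that hold LSASS handles by design, which is what the allow-list is for.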
Using Other Mimikatz modules
The crypto module allows you to access the CryptoAPI in Windows which lets you list and export certificates and their private keys, even if they’re marked as non-exportable.
The kerberos module accesses the Kerberos API so you can play with that functionality by extracting and manipulating Kerberos tickets.
The service module allows you to start, stop, disable, etc. Windows services.
And lastly, the coffee command returns ASCII art of coffee. Because everyone needs coffee.
There is so much more to Mimikatz. If you are looking at penetration testing or you just want to dig into the Windows authentication internals, check out some of these other references and links:
- Guide to Pen Testing Active Directory Environments
- Unofficial Guide to Mimikatz & Command Reference
- Koadic: LoL Malware Meets Python-Based Command and Control (C2) Server
- Official Mimikatz Wiki
Want to see Mimikatz in action and learn how Varonis protects you from infiltration? Join our free Live Cyber Attack Workshop and see our engineers execute a live cyberattack in our security lab.