Mimikatz: the Post-exploitation Tool for Offensive Security Testing

Mimikatz is a popular open-source post-exploitation tool for offensive security penetration testing. It is a collection of modules that use privilege escalation and lateral movement techniques to help both security testers and malicious actors gain a foothold in a target network. This article looks at the features of Mimikatz and how you can protect your organization’s IT infrastructure from it.

History of Mimikatz:

Benjamin Delpy developed Mimikatz in 2011. While learning to code in the C programming language, he uncovered a severe security flaw in the authentication protocols of the Microsoft Windows operating system.

He informed Microsoft of this security flaw. Microsoft, however, dismissed the finding, arguing that the vulnerability was very hard to exploit. He then built this tool as a proof of concept to extract user credentials from Windows. Mimikatz has since evolved into a sophisticated tool that is extensively used by penetration testers and ethical hackers to test Windows network environments. For these reasons, the tool has been labeled the “Swiss army knife of Windows credential collection.”

Mimikatz Overview:

The source code of Mimikatz is written in the C programming language. It is an automated command-line tool used to gather credentials from memory, including clear-text passwords, NTLM password hashes, LM hashes, digital certificates, and Kerberos tickets. The program is available for both 32-bit and 64-bit versions of Windows. To steal credentials from the target computer, Mimikatz requires Administrator or SYSTEM level privileges.

Earlier versions of Windows (before Windows 8.1) used the WDigest protocol for user authentication. The protocol provided SSO (single sign-on) for authenticating users and granting access to resources. However, to support this protocol, Windows kept passwords in memory in plaintext, which made them vulnerable to theft. Microsoft gave users the ability to disable WDigest in Windows 8.1, and the feature was eventually disabled by default in Windows 10. Despite this, Mimikatz is continually updated to keep up with the latest versions of Windows and to circumvent its security features. Mimikatz has also been integrated into Metasploit and is available as a Meterpreter script, as well as in the form of PowerShell modules.

Mimikatz Attack Techniques:

Mimikatz can be used to perform a variety of attacks. Some of these attacks are:

Pass the Hash: Pass the Hash is a lateral movement technique. Lateral movement is a tactic used by malicious entities to target other computers in the network after they have compromised one computer. In a Pass the Hash attack, the attacker obtains NTLM password hashes from memory and then uses them directly for authentication. The attacker does not need to crack a hash to recover the password: the hashes can be used just as they are to log in to any computer.

Pass the Ticket: Pass the Ticket is also a lateral movement technique. In a Pass the Ticket attack, the attacker acquires a user’s Kerberos ticket and uses it to authenticate.

Kerberos is an authentication system that uses tickets to let machines in a network authenticate to and communicate with one another. With a stolen ticket, an attacker can authenticate as the user without knowing the password and gain access to any resource or service available to that user.

Over-Pass the Hash (Pass the Key): The Pass the Key attack is similar to Pass the Hash. The attacker authenticates over the network using the Kerberos protocol with the user’s NTLM password hash: the hash is used to request a TGT (Ticket Granting Ticket) from the KDC (Key Distribution Center).

The KDC verifies users’ identities, grants them access privileges, and issues session tickets. A TGT is used to obtain further tickets for accessing network resources. After obtaining a TGT with the NTLM hash, the attacker can access any service or resource the user has access to.

Pass the Cache: The Pass the Cache attack steals Kerberos credentials from a Linux-based server and replays them to authenticate on a Windows system.

Kerberos Golden Ticket attack: The Kerberos Golden Ticket attack is a privilege escalation attack. In it, the attacker gains control of the KRBTGT account in order to generate forged TGTs.

KRBTGT is the service account of the Kerberos Key Distribution Center. After obtaining the ticket tied to this account, an attacker can acquire full access to network resources and domain administrator rights on any machine in the network.

Kerberos Silver Ticket attack: A Kerberos Silver Ticket attack takes advantage of a TGS (Ticket Granting Service) ticket to gain access to services on the network. The Ticket Granting Service provides tickets and TGTs to client computers in the network.

In this attack, an attacker compromises the ticket associated with the TGS and uses it to log in to any service on the network. Kerberos services accept a presented ticket without double-checking that it is actually valid, so an attacker can use such a ticket to bypass access controls in the network.

How to use Mimikatz:

Mimikatz can be downloaded from its GitHub repository, where releases are provided in .zip or .7z format. Before you download the program, make sure you know whether your Windows installation is 32-bit or 64-bit, or the binary will not work properly. After unpacking the archive, navigate to the mimikatz.exe executable in the extracted folder and launch it with Run as administrator. You can also compile Mimikatz yourself from the source code in the repository.

Mimikatz Modules:

In this section, we will review some of the most commonly used modules in Mimikatz.

privilege: This module lets the user manipulate the privileges of the Mimikatz process. To obtain debug privileges, run the following command:

privilege::debug

When you receive the output Privilege ‘20’ OK, you now have debug privileges. You may need to run this command before running other commands in Mimikatz.

Note: If you receive this error:

ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

it means that you have not launched mimikatz.exe with administrator rights. Relaunch it as an Administrator and the error will not appear.

sekurlsa: The sekurlsa module extracts credentials (passwords, hashes, PINs, keys, or tickets) from memory via LSASS (Local Security Authority Subsystem Service). LSASS authenticates users who log in to the computer. Once you have debug rights from the privilege::debug command, you can use sekurlsa for credential extraction.

To display clear-text passwords in Windows, use the following command:

sekurlsa::logonpasswords

The output lists the passwords of all users who have recently logged in to the machine.

Note: On Windows 8.1/Windows Server 2012 R2 and later, this command does not display clear-text passwords. To use the technique on these operating systems, the WDigest protocol must first be re-enabled through the registry.

To perform a Pass the Hash attack, use the sekurlsa::pth command. First retrieve the username, NTLM hash, and domain of the target user with sekurlsa::logonpasswords, then run:

sekurlsa::pth /user:<username> /domain:<domain_name> /ntlm:<ntlm_hash_value> /run:cmd.exe

kerberos: The kerberos module interacts with the Microsoft Kerberos API. Using this module does not require administrator or SYSTEM level privileges. It is also used to generate golden and silver tickets.

To list all user tickets in the memory, use the following command:

kerberos::list

To get the TGT of the current user, use the following command:

kerberos::tgt

To perform a Pass the Ticket attack, obtain administrator access with debug privileges using privilege::debug. Then use sekurlsa::tickets to extract all Kerberos tickets from memory. Finally, run the following command to execute the attack:

kerberos::ptt <Kerberos_TGT_filename>

lsadump: This module extracts credentials from the Windows Local Security Authority (LSA). The LSA enforces the system’s local security policy.

To decrypt the credentials stored in LSA Secrets, first elevate privileges with the token::elevate command, then run:

lsadump::secrets

Note: LSA Secrets is a storage location used by the Local Security Authority. It holds sensitive information such as user passwords, SYSTEM account passwords, encryption keys, and more.

token: The token module interacts with Windows authentication tokens, including grabbing and impersonating existing tokens.

To elevate to SYSTEM level privileges, use the following command:

token::elevate

How to Detect Mimikatz:

Detecting Mimikatz in your network can be challenging. Because Mimikatz’s source code is publicly available, attackers can apply numerous obfuscation techniques to evade detection. This section covers some of the methods used to detect Mimikatz:

  1. Use antivirus software with the latest signatures. Some antivirus solutions can even detect versions of Mimikatz that have been modified to avoid detection.

  2. Populate memory with HoneyCreds or Honey Hash Tokens. The goal of these honey credentials is to attract the intruder and detect any tampering attempts: if an attacker tries to use these credentials, an alert is generated.

  3. Monitor for commands, processes, or APIs that attempt to access credentials in memory through the Local Security Authority Subsystem Service.

  4. Monitor Kerberos ticket files with the .kirbi extension for modification. Attackers may attempt to forge or steal these ticket files, which can result in their modification; any detected modification can be a sign of malicious activity.

  5. Enable SACL (Security Access Control List) auditing to monitor and log access attempts to LSASS. Windows 10 and Windows Server 2016 include this auditing for the LSASS process by default as a means of identifying attacks that steal credentials from memory.

  6. Look out for processes that carry Mimikatz module names as command-line parameters.

  7. Monitor the WDigest registry key for modification. The key is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. Its UseLogonCredential value should be 0, which disables the WDigest protocol and prevents passwords from being kept in memory in plaintext. If the protocol is found enabled, it may indicate credential theft activity.

  8. To detect Mimikatz use in your environment, use the YARA rules published by Benjamin Delpy. YARA is a tool used by malware researchers to identify and classify malware samples based on their features and behavior; these rules can scan process memory for signs of Mimikatz.

  9. Enable registry auditing to monitor Windows Registry queries for cached credentials such as domain credentials, local user credentials, and LSA secrets.
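Items 6 and 7 above can be turned into a simple rule set. The following Python script is an added example for this article (not code from the Mimikatz project or from the original author): it runs two checks over process-creation and registry-modification records shaped like Sysmon Event ID 1 and Event ID 13 events. The field names (EventID, Image, CommandLine, TargetObject, Details) follow Sysmon's naming, and all of the sample events are constructed for the example. The first check looks for Mimikatz module names in the command line, which still fires when the binary has been renamed; the second fires when the WDigest UseLogonCredential value is set to anything other than 0.

```python
import re

# Mimikatz module prefixes from the module section of the article; matching
# "<module>::<command>" catches every command in a module without
# enumerating each command name.
MIMIKATZ_MODULES = ("privilege", "sekurlsa", "kerberos", "lsadump", "token")
MODULE_RE = re.compile(
    r"\b(?:" + "|".join(MIMIKATZ_MODULES) + r")::[a-z]+", re.IGNORECASE
)

# The WDigest value whose change item 7 asks you to watch.
WDIGEST_VALUE = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"
    r"\WDigest\UseLogonCredential"
)


def normalize_reg_path(path):
    """Fold case and the HKLM abbreviation so registry paths compare equal."""
    path = path.strip().lower()
    if path.startswith("hklm\\"):
        path = "hkey_local_machine\\" + path[len("hklm\\"):]
    return path


def check_process_event(event):
    """Item 6: flag a process creation whose command line names Mimikatz modules.

    The image may be renamed, so the match is on the arguments, not the path.
    """
    hits = sorted({m.group(0).lower()
                   for m in MODULE_RE.finditer(event.get("CommandLine", ""))})
    if not hits:
        return None
    return {"rule": "mimikatz-module-cmdline",
            "image": event.get("Image"), "modules": hits}


def check_registry_event(event):
    """Item 7: flag UseLogonCredential being set to anything other than 0."""
    target = normalize_reg_path(event.get("TargetObject", ""))
    if target != normalize_reg_path(WDIGEST_VALUE):
        return None
    # Sysmon renders DWORD data as "DWORD (0x00000001)"; pull out the number.
    m = re.search(r"0x([0-9a-f]+)", event.get("Details", ""), re.IGNORECASE)
    value = int(m.group(1), 16) if m else None
    if value == 0:
        return None
    return {"rule": "wdigest-enabled", "image": event.get("Image"), "value": value}


def scan(events):
    """Run both checks over a list of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            alert = check_process_event(ev)
        elif ev.get("EventID") == 13:
            alert = check_registry_event(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\x64\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    # Renamed binary: the image gives nothing away, the arguments still do.
    {"EventID": 1, "Image": r"C:\Temp\svc.exe",
     "CommandLine": r"C:\Temp\svc.exe token::elevate lsadump::secrets"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script against the sample set raises three alerts: the two command lines that carry module names and the registry write that turns WDigest back on; the benign svchost launch and the write that sets the value to 0 are ignored. A real deployment would feed the same two functions from your SIEM's event stream and add the other items of the list (LSASS access auditing, .kirbi file changes) as further checks.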

How to Defend your environment against Mimikatz attacks:

Some recommendations that can be used to defend your environment against Mimikatz attacks are as follows:

  1. Restrict the number of accounts with administrative privileges.

  2. The debug right is granted by default to Windows Administrator accounts. Remove the debug right from administrators on all servers and workstations. To configure this, open the Group Policy Editor, navigate to Computer Configuration/Security Settings/Local Policies/User Rights Assignments and edit the Debug programs policy so that administrators are no longer granted this right. Afterwards an attacker will receive an error when attempting to obtain debug privileges with Mimikatz.

  3. Use the latest version of the Windows operating system on your servers and workstations (at least Windows 10 and Windows Server 2016). This gives your endpoints the latest defense mechanisms employed in these versions.

  4. Disable the WDigest protocol to prevent passwords from being stored as clear text in memory. Open the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and set the UseLogonCredential value to 0. To apply this change on Windows 7, 8, and Windows Server 2008 R2/2012, first download and install the KB2871997 security patch.

  5. Avoid using shared administrator accounts and passwords across your network. Use a unique password for each administrator account, and leverage password management tools to protect and periodically change administrator passwords.

  6. Run LSASS in protected mode by enabling LSA protection, which ensures that calls to LSASS are only made by protected-mode processes. To enable it, open the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set the RunAsPPL value to 1. After this, attempts by Mimikatz to retrieve passwords from memory are rendered ineffective.

  7. Disable credential caching in the registry. Mimikatz can recover user credentials from the registry, which by default stores the password hashes of the last 10 logons. To disable this, open the Group Policy Editor, navigate to Computer Configuration/Windows Settings/Local Policy/Security Options, open the policy Interactive logon: Number of previous logons to cache and set it to 0.

  8. Use the Protected Users security group to protect the accounts of highly privileged users such as local or domain admins. The group is available in Windows Server 2012 R2 and later. Its purpose is to prevent credential exposure or theft for its members, and its security settings cannot be modified by external entities.

  9. Avoid storing passwords with reversible encryption in Active Directory; this setting causes user passwords to be kept in clear text in Active Directory. To check it, open the Group Policy Editor, navigate to Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy and make sure the setting Store passwords using reversible encryption is disabled.

  10. If your environment contains older Windows versions (Windows XP/NT4/2000 or Windows Server 2003) that cannot be replaced, disable the NTLMv1 (NT LAN Manager version 1) and LM (LAN Manager) network authentication protocols. These weak protocols are prone to attacks; configure the older systems to use NTLMv2 instead. To do so, open the Group Policy Editor and configure the setting at Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Network Security: Restrict NTLM.

  11. Enable Restricted Admin mode to prevent local administrators’ credentials from being stored in LSASS during an RDP (Remote Desktop Protocol) session. This feature is available in Windows Server 2012 R2 and later. You can configure it as follows:

  • Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. Create two registry values: DisableRestrictedAdmin set to 0 and DisableRestrictedAdminOutboundCreds set to 1.

  • Open the Group Policy Editor and navigate to Computer Configuration/Administrative Templates/System/Credentials Delegation. Configure the policy Restrict delegation of credentials to remote servers with Require Restricted Admin mode.

  12. Employ network segmentation in your network environment to prevent the attacker from moving laterally within it.
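Several of the recommendations above (items 4, 6, 7 and 11) come down to specific registry values, which makes them easy to audit across a fleet. The following Python script is an added example for this article (not code from the Mimikatz project or from the original author): it compares a snapshot of registry values against the hardened settings and reports each deviation, distinguishing a value that is set wrongly from one that was never set. The snapshot format (key path mapped to a dictionary of value names and data) is an assumption of this example; on a real host you would populate it from an exported .reg file or from Get-ItemProperty output. CachedLogonsCount under the Winlogon key is the registry value behind the Interactive logon: Number of previous logons to cache policy from item 7; it is stored as a string, so the hardened state is "0". Both snapshots below are constructed.

```python
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name, hardened data, what the weak state leaves exposed)
BASELINE = [
    (WDIGEST, "UseLogonCredential", 0,
     "WDigest keeps plaintext passwords in LSASS memory (item 4)"),
    (LSA, "RunAsPPL", 1,
     "LSASS does not run as a protected process (item 6)"),
    (WINLOGON, "CachedLogonsCount", "0",
     "previous domain logons are cached in the registry (item 7)"),
    (LSA, "DisableRestrictedAdmin", 0,
     "Restricted Admin mode for RDP is not enabled (item 11)"),
    (LSA, "DisableRestrictedAdminOutboundCreds", 1,
     "Restricted Admin RDP sessions still send outbound credentials (item 11)"),
]


def _lookup(snapshot, key, name):
    """Case-insensitive fetch of a value's data; None if key or value is absent."""
    for k, values in snapshot.items():
        if k.lower() == key.lower():
            for n, data in values.items():
                if n.lower() == name.lower():
                    return data
            return None
    return None


def audit(snapshot):
    """Compare a snapshot against BASELINE and return one finding per deviation."""
    findings = []
    for key, name, expected, risk in BASELINE:
        observed = _lookup(snapshot, key, name)
        if observed == expected:
            continue
        findings.append({
            "key": key, "value": name,
            "expected": expected, "observed": observed,
            # "missing": the value was never set, so the Windows default applies
            "status": "missing" if observed is None else "weak",
            "risk": risk,
        })
    return findings


def is_hardened(snapshot):
    """True when every baseline value is present and set to its hardened data."""
    return not audit(snapshot)


# Constructed snapshots. WEAK_SNAPSHOT is a host with none of the items
# applied; HARDENED_SNAPSHOT is the same host after following the list.
# LimitBlankPasswordUse is an unrelated Lsa value, kept to show it is ignored.
WEAK_SNAPSHOT = {
    WDIGEST: {"UseLogonCredential": 1},
    LSA: {"LimitBlankPasswordUse": 1},
    WINLOGON: {"CachedLogonsCount": "10"},
}
HARDENED_SNAPSHOT = {
    WDIGEST: {"UseLogonCredential": 0},
    LSA: {"LimitBlankPasswordUse": 1, "RunAsPPL": 1,
          "DisableRestrictedAdmin": 0, "DisableRestrictedAdminOutboundCreds": 1},
    WINLOGON: {"CachedLogonsCount": "0"},
}

if __name__ == "__main__":
    for f in audit(WEAK_SNAPSHOT):
        print(f"{f['status']:7} {f['value']}: observed={f['observed']!r} "
              f"expected={f['expected']!r} -> {f['risk']}")
```

On the weak snapshot the audit reports five findings: UseLogonCredential and CachedLogonsCount are present but set to insecure data, while RunAsPPL and the two Restricted Admin values have never been created. Treating an absent value as a finding rather than as "fine by default" is deliberate: the default differs between Windows versions, and an explicit setting is what you can verify and what a change-monitoring rule can watch for.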

Conclusion:

Mimikatz is a very potent instrument, and organizations may have a hard time defending against it. A Defense-in-Depth approach is the most effective way to deal with Mimikatz-based attacks. The detection and protection procedures mentioned in this article will make it extremely difficult for attackers to successfully carry out these attacks in your company’s network.

Looking to expand your knowledge of penetration testing? Check out our online course, MPT - Certified Penetration Tester. In this course, you’ll learn about the different aspects of penetration testing and how to put them into practice.