Published on October 29th, 2015
mimikatz — Abusing Windows Security
mimikatz is a well-known tool for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It can also perform pass-the-hash and pass-the-ticket, or build Golden Tickets. After the initial exploitation phase, attackers often want a firmer foothold on the computer or network, which usually requires a set of complementary tools; mimikatz bundles together some of the most useful tasks an attacker will want to perform.
mimikatz comes in two flavors, x64 and Win32, depending on your Windows version (32- or 64-bit). The Win32 flavor cannot access 64-bit process memory (such as lsass), but it can open 32-bit minidumps under 64-bit Windows. Some operations need administrator privileges or a SYSTEM token, so be aware of UAC from Windows Vista onward.
Mimikatz is a great post-exploitation tool
After launching mimikatz:
```text
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   https://blog.gentilkiwi.com/mimikatz               (oe.eo)
  '#####'                                    with 14 modules * * */

mimikatz #
```
… you get the command prompt mimikatz #, where you can type instructions such as exit, cls or crypto::certificates.
Instructions take the form modulename::commandname arguments…, e.g.:
- kerberos::tgt
- crypto::certificates /systemstore:local_machine /store:my /export
- cls
Commands from the standard module can be typed without the module name; cls is the same as standard::cls.
You can quit mimikatz with the exit command.
Command line
You can pass instructions on the mimikatz command line; those containing arguments or spaces must be quoted.
```text
C:\security\mimikatz\x64>mimikatz log version "crypto::certificates /systemstore:local_machine" exit

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   https://blog.gentilkiwi.com/mimikatz               (oe.eo)
  '#####'                                    with 14 modules * * */

mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK

mimikatz(commandline) # version
mimikatz 2.0 alpha (arch x64)
NT - Windows NT 6.1 build 7601 (arch x64)

mimikatz(commandline) # crypto::certificates /systemstore:local_machine
 * System Store  : 'local_machine' (0x00020000)
 * Store         : 'My'

 0. example.nirvana.local
    Key Container  : example.nirvana.local
    Provider       : Microsoft Software Key Storage Provider
    Type           : CNG Key (0xffffffff)
    Exportable key : NO
    Key size       : 2048

mimikatz(commandline) # exit
Bye!
```
Instructions from command line are marked with (commandline) on the prompt.
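The instruction syntax above (modulename::commandname, standard-module commands without a prefix, quoted instructions on the command line) is enough to build a small detection check. The following is an added example, not code from mimikatz or this post: it parses a process-creation CommandLine field the way mimikatz would and flags instructions that touch a watched module. The sample command lines, the watchlist and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Illustrative watchlist built from the modules named on this page (assumption:
# a real rule would carry a fuller list of credential-access modules).
WATCHED_MODULES = {"kerberos", "crypto"}
# Commands of the standard module that may be typed without "standard::".
STANDARD_COMMANDS = {"exit", "cls", "log", "version"}

@dataclass(frozen=True)
class Instruction:
    module: str
    command: str
    args: tuple

def split_quoted(cmdline):
    """Split on whitespace but keep double-quoted instructions as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_instructions(cmdline):
    """Turn a command line into module::command instructions, as mimikatz reads them."""
    instructions = []
    for tok in split_quoted(cmdline)[1:]:  # token 0 is the executable itself
        parts = tok.split()
        name, args = parts[0], tuple(parts[1:])
        if "::" in name:
            module, command = name.split("::", 1)
        elif name in STANDARD_COMMANDS:
            module, command = "standard", name  # cls is the same as standard::cls
        else:
            continue  # not an instruction this parser recognises
        instructions.append(Instruction(module.lower(), command.lower(), args))
    return instructions

def flag_cmdline(cmdline):
    """Return the instructions in cmdline that use a watched module."""
    return [i for i in parse_instructions(cmdline) if i.module in WATCHED_MODULES]

# Constructed Sysmon-style CommandLine values, not real telemetry.
SAMPLE_COMMAND_LINES = [
    r'C:\security\mimikatz\x64\mimikatz.exe log version "crypto::certificates /systemstore:local_machine /store:my /export" exit',
    r'C:\tools\mimikatz.exe "kerberos::tgt" exit',
    r'C:\Windows\System32\cmd.exe /c dir',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        hits = flag_cmdline(line)
        print("ALERT" if hits else "ok   ", [f"{h.module}::{h.command} {' '.join(h.args)}".strip() for h in hits])
```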
Alternative versions:
- Meterpreter extension for mimikatz 1.0 by Ben Campbell: Meterpreter & Metasploit
- Meterpreter extension for mimikatz 2.0 by Oliver Reeves: Meterpreter & Metasploit
- DLL reflection in PowerShell by Joseph Bialek: Script & Information
- Volatility plugin by Francesco Picasso: Plugin & Information
Other resources:
- wce (cleartext passwords part) by Hernan Ochoa @ Amplia Security: WCE FAQ & Seclists. Details here: Slides PHDays 2012 #29
- sessiondump by Steeve Barbeau @ HSC: Advertising & Source & Pull request. Details here: core.c
Gloss