10 Class 42: Read Pass the Hash with Mimikatz - VascoLucas01/cybersecurity-reading-notes GitHub Wiki
Introduction
Mimikatz was initially developed as a proof of concept to expose vulnerabilities in Microsoft's authentication protocols. However, it unintentionally became one of the most popular and widely used tools among threat actors over the last two decades. Wired.com dubbed it "one of the world's most powerful password stealers." IT professionals responsible for securing Windows networks must closely monitor the latest developments related to Mimikatz to understand how attackers may use the tool to infiltrate networks.
What is Mimikatz?
Mimikatz is an open-source application that enables users to view and save authentication credentials, including Kerberos tickets. It works on current Windows versions and offers various network attacks to assess vulnerabilities. Attackers frequently utilize Mimikatz to steal credentials and gain elevated privileges, as it often bypasses endpoint protection and antivirus systems. On the other hand, penetration testers use Mimikatz to identify and exploit vulnerabilities in networks, helping organizations address and fix these security gaps.
What can Mimikatz do?
Mimikatz, which initially demonstrated a single vulnerability in Windows authentication, now exposes several. It can perform various credential-gathering techniques, such as:
- pass-the-hash
Windows used to store password data as an NTLM hash. Attackers use Mimikatz to pass that exact hash string to the target computer to log in. They don't even need to crack the password; they just use the hash string as-is. It's the equivalent of finding the master key to a building on the lobby floor: that one key opens all the doors.
- pass-the-ticket
Newer versions of Windows store password data in a construct called a ticket. Mimikatz provides functionality for a user to pass a Kerberos ticket to another computer and log in with that user’s ticket. It’s very similar to the pass-the-hash method.
- overpass-the-hash (pass-the-key)
Yet another flavor of pass-the-hash, but this technique passes a unique key obtained from a domain controller to impersonate a user.
- Kerberoast golden tickets
This is a pass-the-ticket attack, but it’s a specific ticket for a hidden account called KRBTGT, which is the account that encrypts all of the other tickets. A golden ticket provides you with non-expiring domain admin credentials to any computer on the network.
- Kerberoast silver tickets
Another pass-the-ticket, but a silver ticket takes advantage of a feature in Windows that makes it easy for you to use services on the network. Kerberos grants a user a ticket-granting service (TGS) ticket, and the user can use that ticket to authenticate to services on the network. Microsoft doesn't always check a TGS ticket after it's issued, so it's easy to slip past any safeguards.
- pass-the-cache
Finally, an attack that doesn't take advantage of Windows! A pass-the-cache attack is generally the same as a pass-the-ticket, but this one uses the saved and encrypted login data on a Mac/UNIX/Linux system.
These techniques allow attackers to gain unauthorized access to systems and networks without needing to crack passwords, making the tool highly potent for unauthorized entry. Additionally, Mimikatz enables impersonation and manipulation of Kerberos tickets, granting attackers elevated privileges, including domain admin credentials.
Where can you download Mimikatz?
To obtain Mimikatz, you can download the binaries and source code from Benjamin Delpy's GitHub repository. Multiple download options are available, ranging from pre-compiled executables to the complete source code. To build Mimikatz from source, you will need Microsoft Visual Studio 2010 or a more recent version.
How do you use Mimikatz?
Step 1: Run Mimikatz as an administrator
Mimikatz needs to “run as admin” to function correctly, even if you’re already using an administrator account.
Step 2: Check your version of Mimikatz
There are two versions of Mimikatz:
- 32-bit
- 64-bit
Make sure you're running the correct version for your installation of Windows. Run the command "version" from the Mimikatz prompt to get information about the Mimikatz executable, the Windows version, and whether any Windows settings will prevent Mimikatz from running correctly.
Step 3: Extract “clear text passwords” from memory
The module sekurlsa in Mimikatz lets you dump passwords from memory. To use the commands in the sekurlsa module, you must have admin or SYSTEM permissions.
First, run the command:
mimikatz # privilege::debug
The output will show if you have appropriate permissions to continue.
Next, start the logging functions so you can refer back to your work.
mimikatz # log nameoflog.log
And finally, output all of the clear text passwords stored on this computer.
mimikatz # sekurlsa::logonpasswords
Using other Mimikatz modules
Other Mimikatz modules serve different purposes. The crypto module grants access to the CryptoAPI, enabling the listing and export of certificates and private keys, even those marked non-exportable. The kerberos module interacts with the Kerberos API, allowing users to extract and manipulate Kerberos tickets. The service module lets users manage Windows services, including starting, stopping, and disabling them. Lastly, the coffee command provides a fun feature, returning ASCII art of a coffee cup, for some light-hearted enjoyment.
How do you defend against Mimikatz?
Defending against Mimikatz can be challenging because attackers typically already have administrative access on the Windows system before executing the tool. This means that you may be dealing with damage the attacker has already caused. However, there are several defensive measures that can be implemented:
Restrict Admin Privileges
Limiting admin privileges to only those users who actually need them can reduce the potential impact of Mimikatz attacks. This prevents unauthorized users from gaining elevated privileges.
Disable Password Caching
Mimikatz can exploit cached password hashes on the system. Disabling password caching or reducing the number of recently cached passwords can limit the tool's effectiveness.
Turn Off Debug Privileges
Mimikatz can leverage debug privileges allowed for local admins. Disabling debug privileges for unnecessary users helps protect the system from exploitation.
Configure Additional LSA Protection
Upgrading to Windows 10 or implementing additional Local Security Authority (LSA) configuration items can help mitigate the types of authentication attacks enabled by Mimikatz, reducing the attack surface area.
While it may not be possible to completely prevent Mimikatz attacks, implementing these defensive measures can significantly improve your system's security posture and reduce the potential impact of such attacks.
Questions
Name the six credential-gathering techniques which Mimikatz is able to perform and explain how two of them work.
- pass-the-hash
- pass-the-ticket
- overpass-the-hash (pass-the-key)
- Kerberoast golden tickets
- Kerberoast silver tickets
- pass-the-cache
What are four ways we can defend against Mimikatz attacks? Explain how two of the mitigations can stop Mimikatz.
- Restrict Admin Privileges
- Disable Password Caching
- Turn Off Debug Privileges
- Configure Additional LSA Protection
Four ways to defend against Mimikatz attacks are:
- Restrict Admin Privileges
Explanation: Limit admin privileges to only those users who genuinely require them. By following the principle of least privilege, you minimize the number of accounts with elevated access, making it harder for attackers to find accounts with powerful credentials to exploit with Mimikatz.
How it Stops Mimikatz: If attackers don't have access to accounts with administrative privileges, they won't be able to execute Mimikatz effectively to obtain sensitive credentials or escalate privileges.
- Disable Password Caching
Explanation: By disabling password caching or reducing the number of recently cached passwords on a Windows system, you limit the number of password hashes accessible in memory and the system registry. Mimikatz relies on these cached credentials to perform pass-the-hash attacks, which allow attackers to escalate privileges without the need to crack passwords.
How it Stops Mimikatz: With password caching disabled, the number of cached hashes available to Mimikatz is minimized, making it significantly more challenging for attackers to access and exploit these credentials.
- Turn Off Debug Privileges
Explanation: Windows' default settings allow local administrators to debug the system. Mimikatz can exploit these debug privileges to bypass security measures and extract sensitive data, including credentials. By turning off debugging privileges on machines, you prevent unauthorized users from utilizing this pathway.
How it Stops Mimikatz: When debug privileges are disabled, attackers will encounter difficulties in leveraging Mimikatz to bypass security measures and extract sensitive information, thereby enhancing the overall security of the system.
- Configure Additional LSA Protection
Explanation: Microsoft offers additional LSA configuration items that can enhance the security of the Local Security Authority Subsystem Service (LSASS) and mitigate the types of authentication attacks that Mimikatz exploits. These configurations help reduce the attack surface and make it more difficult for attackers to access sensitive information from LSASS.
How it Stops Mimikatz: By configuring additional LSA protections, you increase the overall security of the LSASS process, making it harder for Mimikatz or other tools to access and manipulate sensitive credentials stored in LSASS memory. This extra layer of security adds complexity and resilience against Mimikatz-based attacks.