Read 42 401 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki

Pass the Hash with Mimikatz

What is Mimikatz

Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets.

Mimikatz is a computer hacking tool that's used to steal sensitive information, particularly login credentials and passwords, from a Windows computer's memory.

It's important to note that Mimikatz is a tool often used by cybersecurity professionals and ethical hackers to identify security weaknesses in Windows systems and help improve their defenses. However, it can also be misused by malicious individuals for unauthorized access and cyber attacks. Therefore, it's essential to have robust security measures in place to protect against such attacks.

What can Mimikatz do?

Pass-the-Hash (PtH): Pass-the-Hash is an attack technique where an attacker uses the hash (the one-way-derived form of the password) of a user's credentials, obtained from the computer's memory or a database, to authenticate as that user on the same or a different system. Instead of knowing the actual password, the attacker uses the password hash to gain unauthorized access.

Pass-the-Ticket (PtT): Pass-the-Ticket is a similar attack to Pass-the-Hash, but it targets Kerberos tickets used in Windows networks. Attackers can use stolen or forged Kerberos tickets to impersonate users and access network resources without needing the user's actual password.

Overpass-the-Hash (Pass-the-Key): Overpass-the-Hash, also known as Pass-the-Key, is an advanced version of Pass-the-Hash. It involves extracting the encryption keys used to protect password hashes in a Windows system's memory. With these keys, attackers can manipulate the authentication process and access user accounts without needing to extract the password hashes.

Kerberoast (Golden Tickets): Kerberoast is an attack on the Kerberos authentication system in Windows. Attackers use this technique to request service tickets for specific user accounts from the domain controller. These service tickets can be cracked offline to reveal the user's plaintext password or used to gain unauthorized access to certain services in the network.

Kerberoast (Silver Tickets): Kerberoast Silver Ticket attacks are similar to Golden Ticket attacks, but they focus on forging tickets for specific services rather than complete control of the domain. Attackers use this technique to impersonate users and gain access to specific services within the network.

Pass-the-Cache: Pass-the-Cache is another name for the Pass-the-Ticket attack. It refers to using stolen Kerberos tickets or service tickets to gain unauthorized access to resources on a Windows network without the need for the user's password.

Ways to defend against Mimikatz attacks

  1. Change admin privileges

  2. Change caching policy

  3. Turn off debugging privileges

  4. Increase local security authority

Questions

Name the six credential-gathering techniques which Mimikatz is able to perform and explain how two of them work.

Pass-the-Cache, Kerberoast Silver & Golden Tickets, Overpass-the-Hash, Pass-the-Ticket, Pass-the-Hash.

What are four ways we can defend against Mimikatz attacks? Explain how two of the mitigations can stop Mimikatz.

The four ways are the following: Change admin privileges, Change caching policy, Turn off debugging privileges, Increase local security authority.

Change admin privileges - By reducing the number of users with administrative privileges and employing the principle of least privilege, you can limit the impact of Mimikatz attacks. When attackers successfully run Mimikatz and extract credentials from memory, having lower privilege levels restricts their ability to perform certain actions or execute malicious code. They won't have the necessary permissions to move laterally within the network or access sensitive data on other systems.

Change Caching Policy - By adjusting the caching policy, you can reduce the number of cached credentials, which limits the amount of sensitive information stored on the local system. Reducing caching makes it more challenging for Mimikatz to extract usable credentials from memory, as there will be fewer credentials available to steal.
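The four defenses listed above (and the two explained in the answer) map to concrete Windows settings. The script below is an added example, not part of the wiki page or the course material: a read-only PowerShell audit that reports whether each of the four mitigations is in place on the local host. The pass/fail thresholds (at most two local administrators, CachedLogonsCount of 1 or less) and the temporary file name are assumptions chosen for the example; the registry keys and the secedit export are standard Windows locations.

```powershell
# Added example (not from the wiki page): read-only audit of the four Mimikatz
# mitigations listed above. Run from an elevated PowerShell 5.1+ prompt on the
# host being checked; it changes nothing and only prints a report.

$results = [System.Collections.Generic.List[object]]::new()

function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Control = $Control
        Status  = $(if ($Pass) { 'OK' } else { 'REVIEW' })
        Detail  = $Detail
    })
}

# 1. Change admin privileges: the fewer accounts in the local Administrators
#    group, the fewer sessions on this box can run Mimikatz with rights to LSASS.
#    The threshold of 2 members is an assumption for this example.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)
Add-Result 'Local Administrators group size' ($admins.Count -le 2) `
           ("Members: " + ($admins -join ', '))

# 2. Change caching policy: CachedLogonsCount under Winlogon controls how many
#    domain logons Windows caches locally (default 10). A lower value leaves
#    fewer cached credential verifiers for Mimikatz to recover. Target <= 1
#    is an assumption for this example.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # absent value means the Windows default applies
Add-Result 'CachedLogonsCount' ([int]$cached -le 1) "Current value: $cached"

# 3. Turn off debugging privileges: Mimikatz needs SeDebugPrivilege to read
#    LSASS memory. Export the local security policy and list who holds it.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed temp file name
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { '' }
Add-Result 'SeDebugPrivilege holders' ([string]::IsNullOrEmpty($holders)) `
           ("Assigned to: " + $(if ($holders) { $holders } else { 'nobody' }))

# 4. Increase local security authority protection: RunAsPPL = 1 runs LSASS as a
#    Protected Process Light, so unsigned code such as Mimikatz cannot open it.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
Add-Result 'LSA Protection (RunAsPPL)' ($ppl -eq 1) "RunAsPPL = $ppl"

$results | Format-Table -AutoSize
```

Each row marked REVIEW corresponds to one of the four defenses that is not yet applied. The SeDebugPrivilege line shows the SIDs from the exported policy (the built-in Administrators group appears as *S-1-5-32-544), and the RunAsPPL check only reflects the registry value; a host that was just configured still needs a reboot before LSASS actually runs protected.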