Mimikatz is an open source application that allows users to view and store authentication credentials such as Kerberos tickets. Its toolset works with current versions of Windows and includes a collection of different network attacks that help assess vulnerabilities.
Attackers commonly use Mimikatz to steal credentials and escalate privileges because, in most cases, security software and anti-virus systems will not detect or prevent the attack. On the other side, penetration testers use Mimikatz to find and exploit vulnerabilities in your networks so that you can fix them.
What can Mimikatz do?
Mimikatz originally demonstrated how to exploit a single weakness in the Windows authentication system. It now covers many different kinds of weaknesses and can perform a range of credential-harvesting techniques, including:
- Pass-the-hash: Windows stores password data as NTLM hashes. Attackers use Mimikatz to pass a captured hash to the target computer and authenticate with it. They don't even need to crack the password; they just use the hash as it is.
- Pass-the-ticket: Newer versions of Windows store the password data in what is called a ticket. Mimikatz allows a user to pass a Kerberos ticket to another computer and log in with that user's ticket. It is similar to the pass-the-hash method.
- Overpass-the-hash (pass-the-key): Another variant of pass-the-hash, but this technique passes a unique key obtained from a domain controller to impersonate a user.
- Kerberos golden tickets: This is a pass-the-ticket attack, but with a specific ticket for a hidden account called KRBTGT, the account that encrypts all other tickets. A golden ticket gives you unlimited administrator credentials for any computer on the network.
- Kerberos silver tickets: Another pass-the-ticket attack, but a silver ticket takes advantage of a Windows feature that makes it easier to use services on the network. Kerberos grants a user a ticket-granting server (TGS) ticket, and the user can use this ticket to authenticate to service accounts on the network. Microsoft doesn't always audit a TGS after it has been issued, so it is easy to get around any safeguards.
- Pass-the-cache: Finally, an attack that doesn't exploit Windows! The pass-the-cache attack is generally the same as pass-the-ticket, but this one uses the cached and encrypted login data on a Mac/UNIX/Linux system.
Where can you download Mimikatz?
Download the Mimikatz binaries and source code from Benjamin Delpy's GitHub repository. It offers various download options, from prebuilt executables to source code. To build it from source you will need Microsoft Visual Studio 2010 or a newer version.
How do you use Mimikatz?
Step 1: Run Mimikatz as administrator.
Mimikatz must be “run as administrator” to work properly, even if you are already using an administrator account.
Step 2: Check the version of Mimikatz.
There are two versions of Mimikatz:
Make sure you are running the correct version for your Windows installation. Run the “version” command to get information about the Mimikatz executable, your Windows version, and whether any Windows settings will prevent Mimikatz from running properly.
Step 3: Extract the “clear text passwords” from memory.
The sekurlsa module in Mimikatz allows you to dump passwords from memory. To use the sekurlsa module commands, you must have admin or SYSTEM privileges.
First, run the command:
mimikatz # privilege::debug
The output will show if you have the appropriate permissions to continue.
Then start logging operations so you can refer back to your work.
mimikatz # log nameoflog.log
And finally, export all clear text passwords stored on this computer.
mimikatz # sekurlsa::logonpasswords
Using other Mimikatz modules
The crypto module allows you to access the CryptoAPI on Windows, which allows you to list and export certificates and their private keys, even if they are marked as non-exportable.
The Kerberos module accesses the Kerberos API so you can work with this functionality by exporting and manipulating Kerberos tickets.
The service module lets you start, stop, disable and otherwise manage Windows services.
And finally, the coffee command returns an ASCII art of coffee. Because we all need more coffee :D
How to defend against Mimikatz?
Defending against Mimikatz can be difficult because, for an attacker to execute it, they must already have gained administrator-level (root) access to a Windows machine. Often you can only limit the damage the attacker has already done. Here are some of the ways you can defend against Mimikatz attacks.
- Restrict admin privileges. Grant administrator rights only to the users who genuinely need them, and make sure that everyone else works from a standard account.
- Disable password caching. Windows keeps recently used logon credentials in the system registry, and Mimikatz can read these cached passwords, so it is important to change the default settings so that recent passwords are no longer cached. This can be accessed through Settings.
- Turn off debug privileges. Windows default settings allow administrators to debug the system, which Mimikatz exploits. Disabling debug privileges on machines is a best practice to protect your system.
- Configure additional local security authority (LSA) protection. Upgrading to Windows 11 can help mitigate the types of authentication attacks enabled by Mimikatz. However, when this is not possible, Microsoft provides additional LSA configuration elements that help reduce the attack surface.
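Each of the four defences above corresponds to a concrete Windows setting, and a quick way to see where a machine stands is to read those settings back. The script below is an added example, not part of the original article or of the Mimikatz project. The registry paths, value names and the secedit export are Microsoft's documented locations for these settings; the WDigest check is included because it is the setting that decides whether the clear-text passwords dumped in Step 3 exist in memory at all. The "Hardened" verdicts are this example's own baseline (an assumption to adapt to your policy), and the function names are invented for the example.

```powershell
# Added example (not from the original article): read-only audit of the
# Windows settings behind the defences listed above. Run it in an elevated
# PowerShell 5.1+ session; it changes nothing and only reports. The registry
# paths and value names are Microsoft's; the "Hardened" verdicts are this
# example's own baseline (an assumption), so adjust them to your policy.

function Get-RegistryValueOrNull {
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-DebugPrivilegeHolders {
    # secedit is the supported way to read the User Rights Assignment policy,
    # which is where "Debug programs" (SeDebugPrivilege) is assigned.
    $cfg = Join-Path $env:TEMP 'userrights-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^SeDebugPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # assigned to nobody: the hardened state
    # Values look like "*S-1-5-32-544" (SIDs) or account names, comma-separated.
    return @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() })
}

function New-Check {
    param([string] $Check, $Current, $Hardened)
    [pscustomobject]@{ Check = $Check; Current = $Current; Hardened = $Hardened }
}

function Get-MimikatzHardeningReport {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # 1. Password caching: CachedLogonsCount (REG_SZ) defaults to "10".
    $cached = Get-RegistryValueOrNull $winlogon 'CachedLogonsCount'
    New-Check 'Cached domain logons (CachedLogonsCount)' `
        $(if ($null -eq $cached) { 'not set (default 10)' } else { $cached }) `
        ($null -ne $cached -and [int]$cached -eq 0)

    # 2. Debug privilege: by default granted to BUILTIN\Administrators (S-1-5-32-544),
    #    which is exactly what privilege::debug relies on.
    $holders = Get-DebugPrivilegeHolders
    New-Check 'SeDebugPrivilege holders' `
        $(if ($holders.Count -eq 0) { 'nobody' } else { $holders -join ', ' }) `
        ($holders.Count -eq 0)

    # 3. LSA protection: RunAsPPL = 1 runs LSASS as a protected process, so an
    #    ordinary administrator-level process cannot open it for memory reads.
    $ppl = Get-RegistryValueOrNull $lsa 'RunAsPPL'
    New-Check 'LSA protection (RunAsPPL)' `
        $(if ($null -eq $ppl) { 'not set (off)' } else { $ppl }) `
        ($ppl -eq 1)

    # 4. WDigest clear-text caching: the source of the clear-text passwords that
    #    sekurlsa::logonpasswords dumps. On Windows 8.1 / Server 2012 R2 and later
    #    the value is off when absent; setting it to 1 turns caching back on.
    $wd = Get-RegistryValueOrNull $wdigest 'UseLogonCredential'
    New-Check 'WDigest UseLogonCredential' `
        $(if ($null -eq $wd) { 'not set (off on 8.1/2012 R2 and later)' } else { $wd }) `
        ($null -eq $wd -or $wd -eq 0)

    # 5. Admin sprawl cannot be judged automatically; list the members for review.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    New-Check 'Local Administrators members' ($admins.Name -join ', ') 'review manually'
}

Get-MimikatzHardeningReport | Format-Table -AutoSize -Wrap
```

The report is deliberately read-only: the values it flags are normally set through Group Policy (Security Options for cached logons, User Rights Assignment for the debug privilege, and the LSA protection policy) rather than edited by hand, so the script tells you what to change without making the change itself. secedit and Get-LocalGroupMember both need an elevated session, and on a domain-joined machine the domain's Group Policy will overwrite local changes at the next refresh.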
Even with everything summarized in this article, there is so much more to know and learn about Mimikatz. In future guides we will look in detail at all forms of attacks with Mimikatz.