If you're new to the infosec/offsec space, the name "Mimikatz" may be foreign or quite vaguely familiar; however, for the folks that have been around for a bit longer, this Swiss army knife of credential collection should be no stranger. Read on to learn a bit more about the story behind this tool and what it's capable of.
Curiosity killed the (closed-source version of) the cat
Mimikatz was developed and released in 2007 (as closed source; it went open source in 2012) by Benjamin Delpy, a French programmer. The fascinating story behind its dissemination, as told here by WIRED magazine, recounts Delpy's unsettling encounter with a strange man hovering over his laptop in his hotel room in Moscow, days before his speaking engagement at a conference. Some time later, after a second unpleasant encounter during the same visit, Delpy released Mimikatz publicly, so that the suspicious parties could no longer hold it as a closed-source tool for their own use.
Inspecting the Litter Box
So what exactly does Mimikatz do? Mimikatz collects credentials from a target host that an intruder has already gained access to. It can also create golden and silver tickets. Depending on the module used, it can dump credentials from LSASS, list Kerberos encryption keys, and perform pass-the-hash and overpass-the-hash attacks. To better understand its functionality, let's dive into some of the components behind the abuses I've mentioned.
What is LSASS?
LSASS, or Local Security Authority Subsystem Service, is responsible for authenticating accounts on a Windows system, along with credential changes, token creation, and so on. As a side effect of these interactions, credential material is held in the LSASS process memory. Any user with administrative access can then dump the LSASS process memory and collect the credentials stored there. Note that LSASS only holds this material for logons since the last restart: the credentials present in LSASS process memory belong only to users who have logged on since the system last booted, not to every account that exists on the system.
What is the SAM?
A less volatile and more all-encompassing target for credential dumping is the SAM, or Security Account Manager. The SAM is what LSASS verifies credentials against when a user logs on to a Windows system with a local account, so it serves as a database of credentials for all local user accounts on the host. The hashed passwords can be found under the HKLM\SAM registry key.
What is Kerberos?
A more in-depth dive is available in my previous blog post; as a cursory overview, Kerberos enables secure authentication across an Active Directory environment by way of "tickets." These tickets contain encrypted passwords (along with some other essentials) that are verified against an authentication server to grant a user access to specific resources. The communication looks a bit like this:
There's a reason Mimikatz is known as the Swiss army knife of offensive security tools, and it boils down to the versatility provided by its modules. The comprehensive list is available on Benjamin Delpy's GitHub. A few examples, however:
List Kerberos encryption keys:
mimikatz # sekurlsa::ekeys
Golden ticket attack using aes256 encrypted key:
mimikatz # kerberos::golden /User:Matryoshka /domain:atomicmatryoshka.local /sid:S-1-5-21-1234567890-0987654321-123456789 /id:500 /aes256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 /startoffset:0 /endin:600 /renewmax:10080 /ptt
Silver ticket attack using aes256 encrypted key:
mimikatz # kerberos::golden /User:Matryoshka /domain:atomicmatryoshka.local /sid:S-1-5-21-1234567890-0987654321-123456789 /aes256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 /target:atomic-dc.atomicmatryoshka.local /service:cifs /startoffset:0 /endin:600 /renewmax:10080 /ptt
Dump the SAM registry:
Get encrypted credentials for the krbtgt account:
Dump LSASS process memory:
Meow-thod behind the madness
The typical flow for leveraging Mimikatz goes like this: you use it to dump credentials on a target system you already have access to, in the hope of collecting credentials that can be reused elsewhere in the enterprise environment. If credential collection succeeds, you can then authenticate to the KDC as a more privileged user by way of a golden or silver ticket attack. From there, that privileged session or shell can be used to reach systems that were out of reach with basic user rights.
It is worth noting that Mimikatz is the most heavily signatured offensive security tool out there. This means there's a very high chance it will be detected and probably prevented from running. There are ways around this, such as using the PowerShell version of Mimikatz and executing an AMSI bypass before running it, or running it through a tool such as AMSITrigger. AMSITrigger identifies which parts of the tool AMSI will flag so that they can be modified in an attempt to evade it. Other general red teaming opsec considerations apply regardless of which tool is being used.
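Signatures on the binary are only one layer; the LSASS memory dumping described above is also visible behaviourally, because any dumper must open a handle to lsass.exe with read access. The following is an added example, not code from the original post: a small triage routine over constructed Sysmon Event ID 10 (ProcessAccess) records that flags non-allow-listed processes opening lsass.exe with memory-read rights. The allow-list and the flattened key=value log format are assumptions for the example.

```python
import re

# Bits of the Windows process-access mask relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately open lsass.exe with broad rights (assumption: tune per environment).
ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed Sysmon Event ID 10 records flattened to key=value text; not real telemetry.
# 0x1010 is VM_READ | QUERY_LIMITED_INFORMATION, a mask commonly associated with sekurlsa.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\matryoshka\Downloads\m.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Users\matryoshka\tools\pd.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\notepad.exe TargetImage=C:\Windows\System32\winlogon.exe GrantedAccess=0x1010",
]


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def basename(path):
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_lsass_access(event):
    """True when a non-allow-listed process opens lsass.exe with rights that permit reading its memory."""
    if event.get("EventID") != "10" or basename(event.get("TargetImage", "")) != "lsass.exe":
        return False
    if basename(event.get("SourceImage", "")) in ALLOWLIST:
        return False
    access = int(event.get("GrantedAccess", "0"), 16)
    # Full access implies read; otherwise require an explicit VM_READ or VM_WRITE bit.
    return access == PROCESS_ALL_ACCESS or bool(access & (PROCESS_VM_READ | PROCESS_VM_WRITE))


def triage(lines):
    """Return the source images worth investigating, in log order."""
    return [parse_event(l)["SourceImage"] for l in lines if is_suspicious_lsass_access(parse_event(l))]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious LSASS access from", hit)
```

A renamed or in-memory copy of Mimikatz still triggers this check, which is why handle-based LSASS detection complements signature scanning rather than replacing it.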
Mimikatz is a mainstay of the hacker toolkit. It's versatile and a one-stop shop for lateral movement and privilege escalation, but it's also a noisy one. Dump the litter box with caution!