Arsgera - Fotolia
Mimikatz is an open source Windows utility available for download from GitHub. First developed in 2007 to demonstrate a practical exploit of the Microsoft Windows Local Security Authority Subsystem Service, or LSASS, Mimikatz is capable of dumping account login information, including clear text passwords stored in system memory.
mimikatz -- French for cute cat -- is a post-exploitation tool intended to help attackers -- whether black hat hackers, red team hackers or penetration testers -- to extract login IDs, passwords and authentication tokens from hacked systems in order to elevate privileges and gain greater access to systems on a breached network.
This Mimikatz tutorial provides an introduction to the credential hacking tool, what Mimikatz does and how to use Mimikatz to extract logon passwords from a target system.
Hackers use Mimikatz to extend their presence on victim networks by extracting and using keys that may have been reused on other systems or by extracting keys from accounts with elevated privileges, such as those used by administrators.
Benjamin Delpy, the French information security researcher who created Mimikatz, wrote on the Mimikatz GitHub page that the software can be used to "extract plaintext passwords, hash, PIN code and Kerberos tickets from memory," or to "perform pass-the-hash, pass-the-ticket or build Golden tickets." Mimikatz attacks exploit standard Windows authentication schemes, as well as Kerberos authentication.
These capabilities make Mimikatz a must-have tool for attackers: The Mitre ATT&CK framework identifies at least 20 different advanced persistent threat groups that have been detected using Mimikatz. However, Mimikatz is also a key tool for defenders, especially those doing penetration testing or carrying out red team exercises to demonstrate how well -- or how poorly -- an organization is able to defend against such attacks.
Getting it: How to download Mimikatz and get it running
The best place to get Mimikatz is from the Mimikatz GitHub project page, where you can download the Mimikatz source code. Precompiled binaries for Windows are also available from the Mimikatz GitHub page.
If you choose to download the Mimikatz source code, you'll need to compile the code with Microsoft Visual Studio. Downloading any version of Mimikatz, either the source code or the precompiled binaries, can be a challenge, as modern browsers and operating systems classify Mimikatz as dangerous and block users from downloading it. Many endpoint security products -- including Microsoft's own Windows Defender -- will block Mimikatz because the software is often used in attacks.
One way to avoid being blocked by antimalware is to use the Invoke-Mimikatz PowerShell module, which enables an attacker running PowerShell, Microsoft's task automation framework, to load and execute Mimikatz remotely without needing to write the executable to the targeted system's disk.
What is Mimikatz good for?
Mimikatz can do a lot, and its modular structure means that new features and functions can be added to the platform with relative ease. As noted, running Mimikatz as a PowerShell module makes it an even more effective attack technique.
The main functions that Mimikatz enables include:
- Extracting passwords from memory. When run with admin or system privileges, attackers can use Mimikatz to extract plaintext authentication tokens -- passwords and PINs, for example -- from the LSASS process running in system memory.
- Extracting Kerberos tickets. Using a Kerberos module, Mimikatz can access the Kerberos API, enabling a number of different Kerberos exploits that use Kerberos tickets that have been extracted from system memory.
- Extracting certificates and their private keys. A Windows CryptoAPI module enables Mimikatz to extract certificates -- and the private keys associated with them -- that are stored on the victim system.
Mimikatz becomes even more powerful when combined with other attack platforms such as the Microsoft PowerShell utility, the Metasploit platform or other tools that enable hackers to exploit the credentials that Mimikatz extracts from victim systems.
Hands-on tutorial: Mimikatz setup and commands
Whether executing Mimikatz from an executable running on a victim system or executing a utility like PowerShell remotely, commands can be run manually with a console command line or by executing a script to run automatically.
The default format for issuing commands is to enter the command's module followed by two colons and the command name. You can enter more than one command at a time, but any commands that include spaces need to be set off by quotes.
The command session starts like this after Mimikatz executes:
To exit Mimikatz, enter the command exit.
The process of extracting clear text passwords starts by invoking the debug command from the privilege module. This command elevates permissions for Mimikatz to get to the debug privilege level, and it looks like this:
mimikatz # privilege::debug
Privilege '20' OK
To record a log of Mimikatz interactions and results, enter:
mimikatz # log
Using 'mimikatz.log' for logfile : OK
The default log file is mimikatz.log, but you can specify another log file name with a command. For example:
mimikatz # log customlogfilename.log
Once logging is turned on, the rest of the session will be recorded for exfiltration or analysis purposes.
Perhaps the simplest and most productive command is the one that extracts plaintext passwords, lists them on the console screen and writes them to the log file.
mimikatz # sekurlsa::logonpasswords
The logonpasswords command extracts a user ID and password for currently logged-in and recently logged-in users of the target system.
The sekurlsa module includes other commands to extract Kerberos credentials and encryption keys, and it can even perform a pass-the-hash attack using the credentials Mimikatz extracts.
This Mimikatz tutorial is intended as an introduction to the hacking tool. It is worth knowing how Mimikatz works in practice and how easy it makes system exploits for even unsophisticated attackers.