Mimikatz: Walkthrough [updated 2019]
Security researchers have been obsessed with Windows security since the beginning of time. Various tools have been released over the years which try to weaken the security/bypass it in some way or the other. Mimikatz is a tool written in `C` as an attempt to play with Windows security. Its primary function is to gather credentials of a Windows machine. Mimikatz is available for both 32-bit as well as for 64-bit Windows machines.
During a pentest, it is considered to be a post-exploitation tool. It can perform various credential gathering techniques such as:
What should you learn next?
- Pass the Hash
- Pass the Ticket
- Over-Pass the Hash (Pass the Key)
- Kerberos Golden Ticket
- Kerberos Silver Ticket
- Pass the Cache
- Attacking the Kerberos Session Ticket
Developed by Benjamin Delpy, the official GitHub repository can be found at https://github.com/gentilkiwi/mimikatz. Delpy gives us the option to directly download the binaries at https://github.com/gentilkiwi/mimikatz/releases or build our own using Microsoft Visual Studio 2010, 2012, or 2013.
To synchronize with the latest updates, the following links are helpful:
- GIT URL: https://github.com/gentilkiwi/mimikatz.git
- ZIP file URL: https://github.com/gentilkiwi/mimikatz/archive/master.zip
Offensive Security has already integrated the version 1 of Mimikatz as a meterpreter script which allows easy access to its complete feature set without the hassle of the attacker uploading scripts to the target machine. However, the latest version of Mimikatz (v2) can be found at the links mentioned above.
Dumping clear text credentials
Once downloaded/built, run Mimikatz as an administrator. Depending on the Windows machine you are using (32-bit or 64-bit), run Mimikatz accordingly. This is what it will look like when it starts:
Before we start dumping passwords, we need to start the logging process and debug privilege. To start the logging process, we simply write 'log.'
The file Mimikatz.log will be created, when running the first time, and all Input/output communication would be stored in it for future reference. Next, we debug privilege. To do that, simply write 'privilege::debug'. The debug privilege allows debugging a process that they normally wouldn't have access to.
Note: ERROR kuhl_m_privilege_simple; RtlAdjustPrivilege (20) c0000061 means that you do not have the require privilege to run the command. Try running Mimikatz as an administrator.
The 'version' command will tell us the details of the windows machine being used:
Typically, instructions are in the following format:
Modulename::commandName arguments
To check the clear text passwords 'sekurlsa::logonpasswords' command is used:
And there you have it, password in NTLM and clear text.
Mimikatz with Meterpreter
As stated earlier, Offensive Security has added v1 of Mimikatz as a meterpreter script with easy access to all its features. Let us see how it works. We start by loading Mimikatz in meterpreter by running the following command: "load mimikatz."
It is imperative to know here that we should run this command only when we have the Administrator privileges. Once loaded, we can start by checking the version and to confirm that mimikatz has been loaded successfully. We can do that with the following command: "mimikatz_command –f version":
Next, we can try running the "msv" command to see if we get anything:
We can see that we are provided with the LM and NTLM hashes but not with a clear text password. We can now run "mimikatz_command –f samdump::hashes" to see what it returns:
Followed by running "mimikatz_command –f sekurlsa::searchPasswords":
which returns the password in clear text.
Another module of Mimikatz is called the Service module. This module helps us to list, start, stop, or remove services running on the machine:
"mimikatz_command –f service::"
As we can see that this command lists all the services that are currently running.
Another module of Mimikatz is called the Crypto module. This module helps us to list and export any certificates and their corresponding private keys that may be stored on the compromised machine. This is possible even if they are marked as non-exportable.
Uncovering mines in Minesweeper
Mimikatz's another great module helps you read the location of the mines straight from memory. Never lose a game again! It is worth noting that the command works once you start the game.
Simply type: "minesweeper::infos":
FREE role-guided training plans
Conclusion
Mimikatz is a great post-exploitation tool which provides a bunch of useful features that otherwise may require two-three different tools. Though a lot of syntax changes have been done in v2, the learning curve is not steep at all.
In this Series
- Mimikatz: Walkthrough [updated 2019]
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness