intro

This is a summary of the tool Mimikatz, the techniques it implements, and the commands used for each, with examples.

Mimikatz

Mimikatz abuses design weaknesses in how Windows and its authentication protocols cache and use credentials (rather than individual patched bugs) to extract secrets and authentication material from a machine it already has administrative access to. The main techniques are:

Pass-the-Hash

Mimikatz can extract the NT hash of a user's password from LSASS and use it to authenticate over NTLM without knowing the password. This technique is known as "pass-the-hash" and works because NTLM authentication proves possession of the hash, not the password: the hash is a password equivalent, and LSASS keeps it in memory for every logon session on the machine.

sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash>

This command starts a new process (cmd.exe unless /run: names another program) whose logon session carries the supplied NTLM hash in place of a password; everything that process does over the network authenticates as that user. It needs privilege::debug first (and therefore local administrator rights), because it writes the credential material into LSASS memory. The NTLM hash does not have to come from the same host: one obtained from any machine the user logged on to, or from a SAM or NTDS dump, works everywhere the account is valid.

Pass-the-Ticket

Mimikatz can also extract Kerberos tickets (TGTs and service tickets) from LSASS, for example with sekurlsa::tickets /export, which writes each ticket to a .kirbi file, and reuse them to authenticate to other systems in the network. This technique is known as "pass-the-ticket" and works because Kerberos checks the ticket, not the password: anyone holding a valid ticket can use it until it expires (ten hours for a TGT by default, renewable for up to seven days).

kerberos::ptt <ticket file>

This command loads the ticket from the given .kirbi file into the current logon session's Kerberos ticket cache; subsequent connections to services in that realm then authenticate as the ticket's owner without the user's password. Unlike the sekurlsa commands it needs no elevated privilege, so a ticket exported on one host can be replayed from an ordinary session on any other domain-joined host.

LSASS memory dump

Mimikatz can extract authentication material, including NT hashes, plaintext passwords where a security package cached them, and Kerberos tickets, from the memory of the LSASS process, which holds the credentials of every logon session on the machine. Reading LSASS requires SeDebugPrivilege (privilege::debug) or SYSTEM. On a domain controller Mimikatz can also pull account secrets out of the directory itself by injecting into LSASS:

lsadump::lsa /inject /name:krbtgt

This command injects into LSASS on a domain controller and reads the stored secrets of the named account (here krbtgt, whose NT hash is what a Golden Ticket requires); /name takes an account name, not a process name. The credentials of logged-on users, as opposed to directory secrets, are read with sekurlsa::logonpasswords (see MSV1_0 below). That command also works offline against a dump of the LSASS process (taken with Task Manager, procdump or similar) once the dump file is loaded with sekurlsa::minidump, so Mimikatz itself never has to run on the target.

WDigest

Mimikatz can read plaintext passwords from LSASS when the WDigest security package has cached them. WDigest (HTTP Digest and SASL authentication) needs the plaintext password to answer challenges, so it keeps a copy in memory for every logon. It is enabled by default on Windows 7, Windows Server 2008 R2 and earlier; from Windows 8.1 / Server 2012 R2 onward (and on older systems with KB2871997 installed) it is off unless the registry value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest is set to 1. Attackers with administrative rights commonly set that value and wait for the next logon; a value of 0 (or the value being absent on current systems) is the expected hardened state.

privilege::debug
token::elevate
sekurlsa::wdigest

privilege::debug obtains SeDebugPrivilege so Mimikatz can open LSASS, token::elevate impersonates the SYSTEM token, and sekurlsa::wdigest lists the WDigest entries of every logon session, plaintext password included wherever one is cached. A /patch switch exists in the lsadump::lsa command, where it patches the LSA server in memory so secrets can be read; it is not an anti-virus evasion feature, and there is no lsadump::wdigest command.

MSV1_0

MSV1_0 is the Windows authentication package that handles local and NTLM logons. When a user logs on it keeps the NT hash (and, where LM is still enabled, the LM hash) in LSASS for the life of the session so it can answer NTLM challenges on the user's behalf; Mimikatz reads that cached data out of process memory. It does not intercept or modify the protocol on the wire.

sekurlsa::logonpasswords

This command walks every logon session in LSASS and prints what each security package cached for it: NT (and LM) hashes from msv, plaintext passwords from wdigest and tspkg when present, and keys and tickets from the kerberos package. sekurlsa::msv limits the output to the MSV1_0 data. Both require privilege::debug first.

Kerberos Golden Tickets

Mimikatz can create Kerberos Golden Tickets: forged TGTs encrypted with the krbtgt account's key. The KDC trusts any TGT it can decrypt with that key, so a forged one can request service tickets for any service in the domain as any user, with any group membership and a lifetime of the attacker's choosing, until the krbtgt password has been changed twice.

kerberos::golden /domain:<domain> /sid:<domain SID> /user:<username> /krbtgt:<NTLM hash of krbtgt password> /ticket:<path to ticket file>

This command writes the forged TGT to a .kirbi file; /ptt in place of /ticket injects it straight into the current session. /sid is the domain SID without a RID (the user RID defaults to 500, Administrator, and the group list to the default administrative groups). The krbtgt hash is the prerequisite: it is obtained from a domain controller, for example with lsadump::dcsync /domain:<domain> /user:krbtgt, which requires directory replication rights, i.e. Domain Admin-equivalent access.

Kerberos Silver Tickets

Mimikatz can create Kerberos Silver Tickets: forged service tickets (TGS) for a single SPN, encrypted with the key of the account that runs that service. For services hosted by a machine (cifs, host, http, rpcss, ldap on a domain controller and so on) that is the computer account's NT hash, which Mimikatz reads from LSASS on that machine.

kerberos::golden /domain:<domain> /sid:<domain SID> /rc4:<NT hash of the service account> /user:<username> /service:<service class, e.g. cifs> /target:<target host FQDN> /ticket:<path to ticket file>

This command creates a forged Silver Ticket valid only for the named service on the named host; /user is the identity the ticket will claim, and it need not exist. Because the ticket is presented directly to the service and never to the KDC, the domain controller logs no 4768/4769 for it; only the target host sees the resulting logon, and only a service that validates the PAC with the DC would catch the forgery. Changing the service account's (or computer account's) password invalidates the ticket.