Mimikatz: Credential harvest, Pass the hash, Golden Ticket

Mimikatz is a tool, built in C language and used to perform password harvesting in windows platform. It is very well known to extract clean text passwords, hash, PIN code, Kerberos tickets from memory and those credentials can then be used to perform lateral movement and access restricted information.

We can have two more optional components of mimikatz. One is called mimidrv, which is a driver to interact with windows kernel and another one is called mimilib, which is used to bypass AppLocker. Auth package/SSP, password filter, and sekurlsa for WinDBG. 

Mimikatz needs administrator or SYSTEM priviledge to get debug rights in order to do certain actions and connect with the LSASS process.

Relation between LSASS and MIMIKATZ:

LSASS.exe also known as Local Security Authority Subsystem Service which is responsible for giving Single Sign On features in windows, where an already logged-in user is not required authenticate every time whenever wants to access any resources. LSASS provides access not only to the authenticated users credentials but also to the open session credentials which is already running since the last boot. Mimikatz exploits this credential cache of LSASS service and provide the credential reports to the attackers in various formats.

Execution of Mimikatz:

In term of basic objective of Mimikatz, we can retrieve clear text password by using the commands “debug” and asking for the passwords. 

• priviledge::debug 
• sekurlsa::logonpassword

Mimikatz needs admin privilege in order to get the LSA (Local Security Authority) information. If it will run as standard user the LSA will return errors, and that way it will become useless.

Mimikatz returns different set of results in term of version of the Windows it is executed on. For example if we run the Mimikatz in XP, and the unpatched versions of Windows 7 and 8 we will not only retrieve the SIDs, usernames and domain details but also the passwords in clear text. Please find the below screenshot for your reference.

But from the beginning of the Windows 8.1 LSASS no longer stores cleartext passwords inside the memory. Similarly Windows 10 and Windows server 2012R2 provide null information in the password fields for wdigest and Kerberos providers.

Pass the hash with mimikatz:

From the above figure we got that plaintext password is no longer available in the LSASS memory, but no worries still we can retrieve the NTLM hash. Mimikatz allows to run a process as another user by using the retrieved hashes. The attacker authenticates the process to the local system by using the local user’s password hashes. This is known as pass the hash attack, where instead of following the time consuming process like crack the password from the NTLM hashes, it can directly pass the hash and allow us to access resources remotely using another user privilege. 

To pass the hash follow the below commands,

#sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>

In the above commands reflects as opening a new command window on the respective local machine with the hash of the another domain user name as “ShortUser”. 

The moment command prompt is popped up from the remote system a connection will be buildto a network recource on DC1. For confirmation we can use “net use” command in the command prompt followed by the <network share>.

C:\> net use \\dc1\fshare 

To view the user connection to the shared resource follow the below command

Golden Ticket Attack:

The previous attack is all about pass the NTLM hash of a valid user to get an existing session. Where Golden Ticket attack is one step ahead, where it will convince the target system that an invalid session is valid and get the access to it.

A Kerberos implemented Windows system trusts a Kerberos ticket only when it is signed by the hash of a ticket granting ticket. If the attacker somehow manages to get the NTLM hash of the Kerberos TGT account that can be used to signed any ticket of this system other than the legitimate one.

Mimikatz can be used here to get the krbtgt NTLM hash and generate ‘Golden Ticket’ and that can be used to give privilege to any session from any system. To create a Golden ticket the below four informations are must require.

•        An administrator username. (if unavailable, any privileged user will be fine)
•       The FQDN (Fully Qualified Domain Name)
•       The SID of the domain 
•       The NTLM hash of the krbtgt account

So we can get the above details by following the below ways.

        1)       The username can be anything existing or non-exiting but the chances of getting a valid session will be more with the existing username.

      

        2)       We can get a FQDL by executing “ipconfig /all”

3            3)       We can also get the domain SID by executing “whoami /user” command.

We can get the first three information from any system but for getting the krbtgt NTLM hash the attacker must get it from the Domain Controller. For this Mimikatz can be used to obtain the krbtgt NTLM hash using “lsadump::lsa /inject /name:krbtgt”.

With the above four information now we can proceed and create the Golden Ticket from any system by executing the below command in Mimikatz.

Mimikatz # kerberos::golden /user:<username> /domain:<domainname> /SID:<SID> /krbtgt: <krbtgt NTLM hash> /groups:501,502,512,513,518,519,520 /ticket:<ticketname.tck>

After execution of the above command the ticket will be generated with name of the /ticket parameter and the validity of the ticket will be ten years for long term data exfiltration activity.

Now for using the Golden Ticket we will use this from a elevated command prompt window and execute “Kerberos::ptt” (pass-the-ticket) command.

If we closely observe the above sceenshot then will find that first of all we have tried to connect the administrative share on \\DC1 but failed, and then applied a Mimikatz session with a Golden ticket, And right after that the access is granted.

I hope you have enjoyed reading this write-ups about Mimikatz, please let me know if you have any queries/feedback in the comment section. We will meet again in my next blog. Happy hacking!!