Mimikatz is a tool written in C that is used to harvest credentials on the
Windows platform. It is well known for extracting clear-text passwords, hashes,
PIN codes and Kerberos tickets from memory; those credentials can then be used
to perform lateral movement and reach restricted information.
Mimikatz has two further optional components. One is called mimidrv, a driver
that interacts with the Windows kernel; the other is called mimilib, which is
used to bypass AppLocker and also provides an authentication package/SSP, a
password filter, and the sekurlsa extension for WinDBG.
Mimikatz needs administrator or SYSTEM privilege to obtain debug rights, which
it requires for certain actions and for connecting to the LSASS process.
Relation between LSASS and Mimikatz:
LSASS.exe, the Local Security Authority Subsystem Service, is responsible for
providing Single Sign-On in Windows, where an already logged-in user is not
required to authenticate again every time they access a resource. LSASS holds
not only the authenticated user's credentials but also the credentials of every
session opened since the last boot. Mimikatz exploits this credential cache of
the LSASS service and reports the credentials to the attacker in various
formats.
Execution of Mimikatz:
For the basic objective of Mimikatz, we can retrieve clear-text passwords by
enabling debug privilege with the “debug” command and then asking for the
passwords:
- privilege::debug
- sekurlsa::logonpasswords
Mimikatz needs admin privilege in order to obtain the LSA (Local Security
Authority) information. If it is run as a standard user, the LSA calls return
errors and the tool becomes useless.
Mimikatz returns a different set of results depending on the version of
Windows it is executed on. For example, if we run Mimikatz on XP or on the
unpatched versions of Windows 7 and 8, we retrieve not only the SIDs, usernames
and domain details but also the passwords in clear text. Please find the
screenshot below for your reference.
Starting with Windows 8.1, however, LSASS no longer stores clear-text passwords
in memory. Similarly, Windows 10 and Windows Server 2012 R2 return null in the
password fields for the WDigest and Kerberos providers.
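Both steps above leave telemetry a defender can key on: the tool has to open LSASS with read access, and the module commands usually appear on the process command line. The following detector is an added example for this post, not the author's code or anything from the Mimikatz project. It runs two checks over constructed Sysmon-style records (field names TargetImage, GrantedAccess, SourceImage and CommandLine follow Sysmon's schema; the allow-list of processes that may read LSASS is an assumption to tune per environment).

```python
"""Flag Mimikatz-style credential dumping from constructed Sysmon-like records.

Added example (not part of the original post). Two signals are checked:
  * Sysmon Event ID 10 (ProcessAccess) where the target is lsass.exe and the
    granted access mask includes PROCESS_VM_READ (0x0010), which any process
    needs in order to read credential material out of LSASS memory.
  * Sysmon Event ID 1 (ProcessCreate) whose command line carries Mimikatz
    module commands such as privilege::debug or sekurlsa::logonpasswords.
"""
from __future__ import annotations

PROCESS_VM_READ = 0x0010

# Module commands named in the post; matching is case-insensitive.
MIMIKATZ_COMMANDS = ("privilege::debug", "sekurlsa::logonpasswords", "sekurlsa::pth")

# Constructed allow-list of processes that legitimately open LSASS with read
# access; an assumption for the example, tune it to your own estate.
LSASS_ALLOWLIST = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\svchost.exe",
}


def lsass_read_access(event: dict) -> str | None:
    """Finding if a Sysmon EID 10 shows a non-allowlisted process reading
    LSASS memory, else None."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "")
    if not target.lower().endswith(r"\lsass.exe"):
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)   # mask is logged as hex text
    if not access & PROCESS_VM_READ:
        return None
    source = event.get("SourceImage", "")
    if source in LSASS_ALLOWLIST:
        return None
    return f"LSASS read access 0x{access:04x} by {source}"


def mimikatz_command_line(event: dict) -> str | None:
    """Finding if a Sysmon EID 1 command line carries a Mimikatz module
    command, else None."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "").lower()
    hits = [c for c in MIMIKATZ_COMMANDS if c in cmd]
    if not hits:
        return None
    return f"Mimikatz command(s) {hits} in: {event.get('CommandLine')}"


def scan(events: list[dict]) -> list[str]:
    """Run both checks over a list of events, returning findings in order."""
    findings = []
    for ev in events:
        for check in (lsass_read_access, mimikatz_command_line):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The command-line check is the weaker of the two, since a renamed binary fed commands from a script file shows nothing on the command line; the LSASS access check does not depend on the tool's name, which is why the two are combined rather than relied on individually.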
Pass the hash with Mimikatz:
From the above figure we see that the plaintext password is no longer
available in LSASS memory, but we can still retrieve the NTLM hash. Mimikatz
allows running a process as another user by using the retrieved hash: the
attacker authenticates the process to the local system with that user's
password hash. This is known as a pass-the-hash attack. Instead of following
the time-consuming process of cracking the password from the NTLM hash, the
hash itself is passed, which allows access to remote resources with the other
user's privileges.
To pass the hash, use the following command:
#sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>
The command above opens a new command window on the local machine that runs
with the hash of another domain user, here “ShortUser”.
As soon as that command prompt pops up, a connection to a network resource on
DC1 can be established from it. To confirm, use the “net use” command in that
prompt followed by the <network share>:
C:\> net use \\dc1\fshare
To view the user's connection to the shared resource, follow the command
below.
Golden Ticket Attack:
The previous attack is all about passing the NTLM hash of a valid user to use
an existing session. The Golden Ticket attack goes one step further: it
convinces the target system that an invalid session is valid and gains access
through it.
A Windows system that implements Kerberos trusts a Kerberos ticket only when
it is signed with the hash of the ticket-granting-ticket account. If the
attacker somehow obtains the NTLM hash of the Kerberos TGT account, it can be
used to sign any ticket for this system, not just the legitimate ones.
Mimikatz can be used here to obtain the krbtgt NTLM hash and generate a
‘Golden Ticket’, which can then be used to grant privileges to any session
from any system. To create a Golden Ticket, the following four pieces of
information are required:
- An administrator username (if unavailable, any privileged user will do)
- The FQDN (Fully Qualified Domain Name)
- The SID of the domain
- The NTLM hash of the krbtgt account
These details can be obtained in the following ways:
1) The username can be anything, existing or non-existing, but the chances of
getting a valid session are higher with an existing username.
2) The FQDN can be obtained by executing “ipconfig /all”.
3) The domain SID can be obtained by executing the “whoami /user” command.
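Two properties of a Golden Ticket give a defender something to look for. It is forged offline, so no domain controller ever issues it and the Security log holds no Event ID 4768 (TGT requested) for the account, yet Event ID 4769 (service ticket requested) records appear as the forged TGT is presented. And, as the list above notes, the username need not exist, so a 4769 for an account that is not in the directory is a second signal. The detector below is an added example for this post, not the author's code or anything from Mimikatz; the audit records, the directory listing, the host names and the ten-hour lookback (matching the default maximum TGT lifetime in domain policy) are constructed assumptions.

```python
"""Spot Golden Ticket use from constructed domain-controller Kerberos audits.

Added example (not from the original post). Field names follow the Windows
Security log: 4768 carries TargetUserName as a bare account name, while 4769
carries it as user@REALM, so the realm is stripped before comparison.
"""
from __future__ import annotations
from datetime import datetime, timedelta


def golden_ticket_findings(events: list[dict], known_accounts: set[str],
                           lookback: timedelta = timedelta(hours=10)) -> list[dict]:
    """Return one finding per suspicious 4769 event.

    known_accounts: lower-case sAMAccountNames that exist in the directory.
    lookback: how far back a successful 4768 for the same account must exist;
    a legitimate TGT was issued by a DC no longer ago than its lifetime.
    """
    tgt_times: dict[str, list[datetime]] = {}
    for ev in events:
        # Status 0x0 means the TGT was actually issued, not merely requested.
        if ev["EventID"] == 4768 and ev.get("Status", "0x0") == "0x0":
            tgt_times.setdefault(ev["TargetUserName"].lower(), []).append(ev["Time"])

    findings = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        user = ev["TargetUserName"].split("@")[0].lower()
        reasons = []
        if user not in known_accounts:
            reasons.append("account not in directory")
        recent_tgt = any(timedelta(0) <= ev["Time"] - t <= lookback
                         for t in tgt_times.get(user, []))
        if not recent_tgt:
            reasons.append("no TGT request (4768) within lookback")
        if reasons:
            findings.append({"user": ev["TargetUserName"], "service": ev["ServiceName"],
                             "source_ip": ev["IpAddress"], "time": ev["Time"],
                             "reasons": reasons})
    return findings


# Constructed directory listing and audit records (not real data).
KNOWN_ACCOUNTS = {"alice", "bob", "administrator", "krbtgt"}

SAMPLE_EVENTS = [
    # alice logs on normally: a TGT is issued, then a service ticket follows.
    {"EventID": 4768, "TargetUserName": "alice", "Status": "0x0",
     "IpAddress": "10.0.0.21", "Time": datetime(2024, 6, 3, 9, 0, 0)},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/dc1",
     "IpAddress": "10.0.0.21", "Time": datetime(2024, 6, 3, 9, 5, 0)},
    # Administrator asks for a service ticket although no DC ever issued a TGT.
    {"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL",
     "ServiceName": "cifs/dc1", "IpAddress": "10.0.0.77",
     "Time": datetime(2024, 6, 3, 11, 0, 0)},
    # A name that does not exist in the directory presents a ticket anyway.
    {"EventID": 4769, "TargetUserName": "ghostadmin@CORP.LOCAL",
     "ServiceName": "ldap/dc1", "IpAddress": "10.0.0.77",
     "Time": datetime(2024, 6, 3, 11, 2, 0)},
]

if __name__ == "__main__":
    for finding in golden_ticket_findings(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(finding)
```

The 4768 is logged on whichever domain controller issued the TGT, so the events from every DC in the domain have to be collected centrally; otherwise a user whose TGT came from a different DC looks forged. On the response side, a forged ticket stays valid for as long as the krbtgt hash it was signed with is accepted, which is why the standard remediation is to reset the krbtgt password twice.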