July 24, 2019

Mimikatz: Credential harvest, Pass the hash, Golden Ticket


Mimikatz is a tool written in C that is used to harvest passwords on the Windows platform. It is well known for extracting clear-text passwords, hashes, PIN codes and Kerberos tickets from memory; those credentials can then be used for lateral movement and to access restricted information.

Mimikatz has two optional components. One is mimidrv, a driver that interacts with the Windows kernel; the other is mimilib, which provides an AppLocker bypass, an authentication package/SSP, a password filter and a sekurlsa extension for WinDbg.

Mimikatz needs administrator or SYSTEM privilege to obtain debug rights, which it requires for certain actions and for attaching to the LSASS process.

Relation between LSASS and MIMIKATZ:

LSASS.exe, the Local Security Authority Subsystem Service, provides the single sign-on feature in Windows: an already logged-in user is not required to authenticate again every time they access a resource. LSASS holds not only the credentials of the currently authenticated user but also those of every session opened since the last boot. Mimikatz exploits this credential cache of the LSASS service and reports the credentials to the attacker in various formats.

Execution of Mimikatz:

In terms of Mimikatz's basic objective, we can retrieve clear-text passwords by requesting debug privilege and then asking for the passwords:

  • privilege::debug
  • sekurlsa::logonpasswords

Mimikatz needs admin privilege in order to get the LSA (Local Security Authority) information. If it is run as a standard user, the LSA calls return errors and the tool becomes useless.
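The defender's counterpart to the two commands above is watching who opens a handle to LSASS. The following is an added example (not code from the original post) that runs a simple detector over Sysmon Event ID 10 (ProcessAccess) records; the access-mask set, the allowlist and the constructed sample events are assumptions to be tuned against a local baseline.

```python
"""Detect credential-style handle opens on LSASS from Sysmon Event ID 10
(ProcessAccess) records.  Added example, not from the original post.
Assumptions: records are parsed dicts with Sysmon field names."""

# Access masks commonly seen when a process reads LSASS memory for
# credentials (PROCESS_VM_READ plus query rights). Assumed starting set.
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes that legitimately open LSASS with such rights (assumed allowlist;
# build yours from a clean baseline and compare full lowercase paths).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def is_lsass_credential_access(event):
    """True when a ProcessAccess event looks like credential dumping."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    return mask in SUSPICIOUS_MASKS

def flagged_sources(events):
    """Return the source images of every event that should raise an alert."""
    return [e["SourceImage"] for e in events if is_lsass_credential_access(e)]

# Constructed sample records: a normal csrss open, an open from an unknown
# binary in a user profile, and an access to a process that is not LSASS.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for src in flagged_sources(SAMPLE_EVENTS):
        print("ALERT: credential access to LSASS from", src)
```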

Mimikatz returns a different set of results depending on the version of Windows it is executed on. For example, on Windows XP and on unpatched versions of Windows 7 and 8, we retrieve not only the SIDs, usernames and domain details but also the passwords in clear text. Please see the screenshot below for reference.



But from Windows 8.1 onward, LSASS no longer stores clear-text passwords in memory. Similarly, Windows 10 and Windows Server 2012 R2 return null in the password fields of the wdigest and Kerberos providers.



Pass the hash with mimikatz:

From the figure above we saw that the plaintext password is no longer available in LSASS memory, but we can still retrieve the NTLM hash. Mimikatz allows a process to be run as another user using the retrieved hash: the attacker authenticates the process to the local system with that user's password hash. This is known as a pass-the-hash attack. Instead of the time-consuming process of cracking the password from the NTLM hash, the hash is passed directly, which lets us access resources remotely with that user's privileges.

To pass the hash, run the following command:

#sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>



The command above opens a new command window on the local machine using the hash of another domain user, here named “ShortUser”.

As soon as the command prompt pops up, a connection is built to a network resource on DC1. To confirm, run the “net use” command in that prompt followed by the network share:

C:\> net use \\dc1\fshare 



To view the user's connection to the shared resource, run the command below.



Golden Ticket Attack:

The previous attack is about passing the NTLM hash of a valid user to obtain an existing session. The Golden Ticket attack goes one step further: it convinces the target system that an invalid session is valid and gains access that way.

A Windows system that implements Kerberos trusts a Kerberos ticket only when it is signed with the hash of the ticket-granting ticket (TGT) account. If the attacker somehow obtains the NTLM hash of the Kerberos TGT account, it can be used to sign any ticket for the system, not just legitimate ones.

Mimikatz can be used here to obtain the krbtgt NTLM hash and generate a ‘Golden Ticket’, which can then grant privileges to any session from any system. To create a Golden Ticket the following four pieces of information are required:

  • An administrator username (if unavailable, any privileged user will do)
  • The FQDN (Fully Qualified Domain Name)
  • The SID of the domain
  • The NTLM hash of the krbtgt account
We can get the above details in the following ways.

1) The username can be anything, existing or non-existing, but the chances of getting a valid session are better with an existing username.

2) We can get the FQDN by executing “ipconfig /all”.

3) We can also get the domain SID by executing the “whoami /user” command.



We can get the first three pieces of information from any system, but to get the krbtgt NTLM hash the attacker must obtain it from the Domain Controller. For this, Mimikatz can obtain the krbtgt NTLM hash using “lsadump::lsa /inject /name:krbtgt”.



With the above four pieces of information we can now create the Golden Ticket from any system by executing the command below in Mimikatz.

Mimikatz # kerberos::golden /user:<username> /domain:<domainname> /SID:<SID> /krbtgt:<krbtgt NTLM hash> /groups:501,502,512,513,518,519,520 /ticket:<ticketname.tck>

After executing the above command, the ticket is generated with the name given in the /ticket parameter, and its validity is ten years, which suits long-term data exfiltration activity.



Now, to use the Golden Ticket, we run the “kerberos::ptt” (pass-the-ticket) command from an elevated command prompt window.



If we observe the screenshot above closely, we first tried to connect to the administrative share on \\DC1 and failed, then applied a Mimikatz session with a Golden Ticket, and right after that access was granted.
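Because the Golden Ticket is forged offline, the domain controllers never issued the TGT it presents: service-ticket requests (event 4769) appear for an account and client address with no preceding TGT request (event 4768). The block below is an added example, not code from the original post, that looks for that gap; it assumes 4768/4769 events from all DCs are merged into one list, that the 10-hour window mirrors the default maximum TGT lifetime (check your domain policy), and the sample events are constructed.

```python
"""Find service-ticket requests (event 4769) with no matching TGT request
(event 4768) from the same account and client address, the gap a forged
Golden Ticket leaves because its TGT was never issued by a DC.
Added example, not from the original post.  Assumptions: events from all
DCs are merged into one list of dicts with Time (ISO 8601), EventID,
TargetUserName and IpAddress; the 10-hour window mirrors the default
maximum TGT lifetime and should be set from your domain policy."""
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=10)

def _key(event):
    # 4769 logs the account as user@REALM while 4768 logs the bare name, so
    # strip the realm before pairing them.
    return (event["TargetUserName"].split("@")[0].lower(), event["IpAddress"])

def tgs_requests_without_tgt(events, lookback=LOOKBACK):
    """Return the 4769 events whose account/client pair obtained no TGT from
    any DC within `lookback` before the service-ticket request."""
    last_tgt = {}
    suspicious = []
    for e in sorted(events, key=lambda ev: ev["Time"]):
        t = datetime.fromisoformat(e["Time"])
        if e["EventID"] == 4768:
            last_tgt[_key(e)] = t
        elif e["EventID"] == 4769:
            seen = last_tgt.get(_key(e))
            if seen is None or t - seen > lookback:
                suspicious.append(e)
    return suspicious

# Constructed sample: alice authenticates normally, then a ticket for the
# administrator account appears from a host that never requested a TGT, and
# alice's last request falls outside the TGT lifetime window.
SAMPLE_EVENTS = [
    {"Time": "2019-07-24T09:00:00", "EventID": 4768,
     "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"Time": "2019-07-24T09:05:00", "EventID": 4769,
     "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5"},
    {"Time": "2019-07-24T09:10:00", "EventID": 4769,
     "TargetUserName": "administrator@CORP.LOCAL", "IpAddress": "10.0.0.9"},
    {"Time": "2019-07-24T20:00:00", "EventID": 4769,
     "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for e in tgs_requests_without_tgt(SAMPLE_EVENTS):
        print("REVIEW:", e["TargetUserName"], "from", e["IpAddress"], "at", e["Time"])
```

Missing 4768 events can also mean a DC whose logs are not being collected, so confirm coverage before treating a hit as a forged ticket.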

I hope you have enjoyed reading this write-up about Mimikatz; please let me know if you have any queries or feedback in the comment section. We will meet again in my next blog. Happy hacking!!
