Mimikatz is a well-known post-exploitation tool that dumps plaintext passwords, password hashes, PINs and Kerberos tickets from the memory of Windows systems.
Size: 815.83 KB
Language: en
Added: Nov 29, 2020
Slides: 23 pages
Slide Content
Mimikatz: a tool to play with Windows security. Download: https://github.com/gentilkiwi/mimikatz. Presented by Rishabh Sharma.
Mimikatz Overview
Written in C. Builds for both Windows x86 and x64. Developed by Benjamin Delpy (gentilkiwi). Used to gather credentials, in many cases in plaintext, from the memory of a Windows system. Mostly used in red team assessments.
Mimikatz Capabilities
Extract plaintext passwords, hashes and Kerberos tickets from memory. Forge Golden Tickets, Silver Tickets and inter-realm Trust Tickets. Authentication techniques: Pass-the-Hash, Over-Pass-the-Hash and Pass-the-Ticket.
Why Need Mimikatz?
Scenario 1: a local administrator has logged into the system and then logged off. The attacker logs in as a normal user and, by some means, escalates to local administrator. With Mimikatz the attacker may obtain the administrator's cleartext password, NTLM hash or other credential material from LSASS memory, and uses it for further exploitation.
Scenario 2: a domain administrator has logged into the system remotely, for example via RDP, SSH or a tool such as PsExec that logs on with explicit credentials. The attacker logs in as a normal user and escalates to local administrator, which is the minimum requirement for Mimikatz. With Mimikatz the attacker may obtain the domain administrator's cleartext password or NTLM hash and use it, for example, to access the domain controller.
Note: only logon types that leave credentials in LSASS are useful here. An interactive or RDP logon does; a plain network logon such as SMB file access normally does not cache the account's credentials on the target. The attacker may also use the authentication techniques built into Mimikatz (pass-the-hash and related) for further exploitation.
Mimikatz Modules
standard, privilege, crypto, sekurlsa, kerberos, lsadump, vault, token, event, ts, process, service, net, misc. Also shipped: the mimilib library and the mimidrv kernel driver.
Sekurlsa Module to Dump Password
The sekurlsa module extracts passwords, keys, PIN codes, tickets and hashes from the memory of LSASS (Local Security Authority Subsystem Service). To read LSASS memory Mimikatz needs one of the following: SeDebugPrivilege, which members of the Administrators group hold by default and which is enabled with privilege::debug, or execution as the SYSTEM account (for example through a post-exploitation framework). When Mimikatz runs as SYSTEM, privilege::debug is not needed and sekurlsa::logonpasswords can be run directly. PsExec.exe -s cmd.exe starts a command prompt as SYSTEM.
Note: the SYSTEM account and the members of the Administrators group have the same file privileges, but they serve different functions. If LSA protection (RunAsPPL) is enabled, even a debug-privileged administrator cannot open LSASS directly and Mimikatz needs its signed mimidrv driver to remove the protection; if Credential Guard is enabled, the secrets are isolated outside LSASS and sekurlsa does not recover them.
Sekurlsa Module Commands
Check whether the current user is in the Administrators group: net localgroup administrators
Enable the debug privilege in Mimikatz: mimikatz # privilege::debug
Extract passwords, hashes, keys, PIN codes and tickets from LSASS memory: mimikatz # sekurlsa::logonpasswords
Run cmd.exe as SYSTEM (interactive): PsExec.exe -s -i cmd.exe (or PsExec64.exe on x64)
Extract credentials from an offline memory dump of lsass.exe: mimikatz # sekurlsa::minidump lsass.dmp, then mimikatz # sekurlsa::logonPasswords full
Note: analyse a minidump on a machine running the same Windows version and architecture as the one it was taken from; the decryption logic depends on the lsasrv.dll build.
Run Mimikatz without Administrator Privilege
The first command shows the current username; the second checks whether that user is a member of the Administrators group. The privilege::debug and sekurlsa::logonpasswords commands fail with errors because Mimikatz is not running with administrator privileges and therefore cannot obtain SeDebugPrivilege.
Run Mimikatz with Administrator Privilege
Mimikatz is now run from an elevated (administrator) prompt. In the second command, sekurlsa::logonpasswords was executed before privilege::debug and still failed: an administrator holds SeDebugPrivilege but it is not enabled in the process until privilege::debug is run. Only a process running as SYSTEM can skip that step; after privilege::debug succeeds, logonpasswords works.
Local Security Authority Subsystem Service (LSASS)
LSASS (Local Security Authority Subsystem Service) is the Windows service that provides the user with Single Sign-On (SSO). LSASS responsibilities: verify user credentials; handle password changes; create access tokens; authenticate users for access to resources, services and applications; check user rights. LSASS loads authentication packages such as Kerberos (kerberos.dll), NTLM (msv1_0.dll) and Digest Authentication (wdigest.dll). After a user authenticates, the user's credentials are kept in LSASS memory so that these security packages can reuse them for SSO. Depending on the package, the material is stored as a hash, as reversibly encrypted data, or (historically, for WDigest) as the plaintext password.
Note: LSASS is an ordinary user-mode process (lsass.exe), so its memory can be read by any process that holds sufficient privilege, which is what sekurlsa relies on.
What is Single Sign-On (SSO)
Single sign-on (SSO) is a session and user authentication service that lets a user use one set of login credentials (for example username and password) to access multiple applications, services and resources. The user logs into Windows by entering a username and password; after that, every resource, application and service the user has rights to is accessible without entering credentials again. In Windows this is implemented by LSASS, which authenticates the user to every application the user is entitled to and removes further prompts when the user switches applications during the same session.
How Mimikatz Returns Plain Text Credentials?
The credentials cached in LSASS are protected with reversible encryption: LSASS encrypts and decrypts them in memory using the LsaProtectMemory and LsaUnprotectMemory functions. Because the encryption is reversible and the keys (3DES and AES keys plus the IV) live in the memory of the same process, Mimikatz reads the encrypted blobs and the keys out of LSASS memory and decrypts the blobs itself, then lists every logged-on account and the recovered secrets, in plaintext where a package stored the plaintext password.
Note: on Windows 8.1 / Server 2012 R2 and later (and on older systems with KB2871997 installed) WDigest no longer caches the plaintext password unless the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 1. Hashes and Kerberos keys are still recoverable; monitoring that registry value is a useful detection, since attackers set it to re-enable plaintext caching.
Mimikatz Sekurlsa Flow Diagram
Windows logon (username and password) -> credentials stored in LSASS process memory, protected with reversible encryption via LsaProtectMemory / LsaUnprotectMemory -> Mimikatz reads the encrypted data and the encryption keys from LSASS memory -> Mimikatz decrypts the data and displays all accounts authenticated on the system together with their secrets (plaintext passwords where cached, otherwise hashes and keys).
Other Ways To Dump LSASS Memory
Task Manager (right-click lsass.exe, Create dump file; requires an elevated session).
Sysinternals ProcDump: procdump.exe -ma lsass.exe lsass.dmp
PowerSploit's Out-Minidump.ps1 PowerShell script.
Dumpert (available on GitHub), which uses direct system calls to bypass user-mode API hooks of security products.
The native comsvcs.dll in Windows\System32, executed with rundll32: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass PID> <output path> full
The resulting dump is then parsed offline with sekurlsa::minidump. Every one of these methods opens a handle to lsass.exe with read access, which Sysmon records as Event ID 10 (ProcessAccess); alerting on that event for lsass.exe is the usual detection.
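The detection mentioned above, as an added example that is not part of the original slides: a small Python checker that runs over constructed (not real) Sysmon Event ID 10 records in a flattened key=value form and flags any non-allowlisted process that obtains PROCESS_VM_READ on lsass.exe, or whose call stack contains unbacked memory (Sysmon reports this as UNKNOWN in CallTrace, typical of injected tooling). The record format and the two-entry allowlist are assumptions for the example; in production the logic runs against the Sysmon operational log and the allowlist is tuned per environment.

```python
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Example allowlist of full paths (lower-cased) that legitimately open lsass.exe on a
# stock install. This is an assumption for the example, not a vendor-supplied list.
DEFAULT_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records (not real telemetry) in a flattened Sysmon Event ID 10 shape.
SAMPLE_EVENTS = [
    r"EventID=10 | SourceImage=C:\Windows\System32\svchost.exe | TargetImage=C:\Windows\System32\lsass.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
    r"EventID=10 | SourceImage=C:\Tools\procdump64.exe | TargetImage=C:\Windows\System32\lsass.exe | GrantedAccess=0x1010 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2bd5e",
    r"EventID=10 | SourceImage=C:\Users\Public\mimikatz.exe | TargetImage=C:\Windows\System32\lsass.exe | GrantedAccess=0x1FFFFF | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4|UNKNOWN(000001E4A3B20000)",
    r"EventID=10 | SourceImage=C:\Windows\System32\Taskmgr.exe | TargetImage=C:\Windows\System32\lsass.exe | GrantedAccess=0x1410 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
    r"EventID=10 | SourceImage=C:\Windows\System32\wininit.exe | TargetImage=C:\Windows\System32\lsass.exe | GrantedAccess=0x1FFFFF | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
    r"EventID=10 | SourceImage=C:\Users\Public\mimikatz.exe | TargetImage=C:\Windows\explorer.exe | GrantedAccess=0x1FFFFF | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4",
]


def parse_event(line):
    """Parse one 'key=value | key=value' record into a dict (assumed record format)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_lsass_access(lines, allowlist=DEFAULT_ALLOWLIST):
    """Return one hit per suspicious handle opened on lsass.exe, with the reasons."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        source = ev.get("SourceImage", "")
        target = ev.get("TargetImage", "")
        if target.rsplit("\\", 1)[-1].lower() != "lsass.exe":
            continue
        if source.lower() in allowlist:
            continue
        access = int(ev.get("GrantedAccess", "0"), 16)
        reasons = []
        if access & PROCESS_VM_READ:
            reasons.append("PROCESS_VM_READ granted on lsass.exe")
        if "UNKNOWN" in ev.get("CallTrace", ""):
            reasons.append("call stack contains unbacked (UNKNOWN) memory")
        if reasons:
            hits.append({"source": source, "access": hex(access), "reasons": reasons})
    return hits


def flagged_sources(lines, allowlist=DEFAULT_ALLOWLIST):
    """Convenience view: just the file names of the flagged source processes, in order."""
    return [h["source"].rsplit("\\", 1)[-1] for h in detect_lsass_access(lines, allowlist)]


if __name__ == "__main__":
    for hit in detect_lsass_access(SAMPLE_EVENTS):
        print(hit["source"], hit["access"], "; ".join(hit["reasons"]))
```

The check deliberately keys on the PROCESS_VM_READ bit rather than on exact masks such as 0x1010 or 0x1FFFFF, because dump tools can request any superset of the rights they need; the allowlist, not the mask, is where tuning happens. Task Manager is flagged on purpose, since the slide lists it as a dump method and an analyst wants to see it.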
Sekurlsa Module Login Operation
The credential material obtained by dumping LSASS memory can be used to authenticate to other systems with the following techniques: Pass-the-Hash, Over-Pass-the-Hash and Pass-the-Ticket.
Pass-The-Hash
Pass-the-Hash is a technique that authenticates to a system with a user's NTLM hash, without knowing the password. Mimikatz performs it by starting a new process under a new logon session created with a fake cleartext password, then locating that logon session in LSASS memory and replacing the NTLM hash derived from the fake password with the real NTLM hash of the target user.
Why Does Mimikatz Use a Fake Password?
To understand the fake password, first look at how Windows NTLM authentication works.
1. The user enters username, password and domain name (for Active Directory authentication) at the interactive Windows logon screen of the client.
2. The client converts the cleartext password into the NTLM hash, MD4 over the UTF-16LE password, and uses that hash for the rest of the protocol.
3. The client sends the username in cleartext to the domain controller (for AD authentication) or to the local authentication package in LSA.
4. The domain controller or local system generates an 8-byte random challenge (nonce) and sends it back to the client.
5. The client computes a response from the challenge and the NTLM hash from step 2 (DES encryption of the challenge in NTLMv1, HMAC-MD5 over the challenge plus a client blob in NTLMv2) and returns it.
The domain controller or local system now has three values: the cleartext username, the challenge it sent, and the response it received. It uses the username to look up the user's NTLM hash in Active Directory or the local Security Account Manager (SAM) database, computes the expected response from that hash and the challenge, and compares it with the client's response. If they match, authentication succeeds.
The password itself is never used after step 2; knowing the hash is enough to produce a valid response. That is why Mimikatz can skip cracking the hash, which is slow or infeasible for strong passwords. It creates a logon session with a fake cleartext password, which LSASS turns into a fake NTLM hash as in step 2, and then overwrites that fake hash in LSASS memory with the real NTLM hash of the target user. When a challenge arrives, LSASS computes the response as in step 5 with the real hash, and the remote system accepts it.
Ways to Capture NTLM Hashes
Two different things are often called "NTLM hashes" and only one of them can be passed:
NT hashes usable for pass-the-hash: from the local SAM database (lsadump::sam), from LSASS memory (sekurlsa::logonpasswords) or from NTDS.dit on a domain controller.
Net-NTLM challenge-responses, which can be cracked offline or relayed but not passed: sniffing SMB challenge-response traffic on the network; Responder; Metasploit's capture/smb server combined with the word_unc_injector module; capture/smb combined with NBNS spoofing; Office documents with an external (UNC) reference in their XML.
Pass-The-Hash Commands
The command is sekurlsa::pth. Example: mimikatz # sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:<NT hash> /run:cmd.exe
Arguments:
/user - the username to impersonate; keep in mind that Administrator is not the only name for this well-known account.
/domain - the fully qualified domain name; for a local user or local administrator, use the computer or server name, the workgroup name, or any value.
/rc4 or /ntlm - optional - the RC4 key / NTLM hash of the user's password. Because the NT hash is also the Kerberos RC4-HMAC key, Mimikatz writes it into the Kerberos package as well, so the new session can obtain Kerberos tickets (Over-Pass-the-Hash).
/aes128 - optional - the AES128 key derived from the user's password and the realm of the domain.
/aes256 - optional - the AES256 key derived from the user's password and the realm of the domain.
/run - optional - the command line to run; the default is cmd, to obtain a shell.
Note: the spawned process still runs under the attacker's local token; only its network authentication uses the injected credentials, so whoami shows the original user while access to remote shares or the domain controller succeeds as the target account.