What is Mimikatz: A Beginner's Guide

Benjamin Delpy originally created Mimikatz as a proof of concept to demonstrate Microsoft's vulnerability to attacks on their authentication protocols. Instead, he inadvertently created one of the most widely used and downloaded hacking tools of the past 20 years.



Jake Williams of Rendition Infosec says, "Mimikatz has done more to improve security than any other tool I know . " If securing Windows networks is your job, it's important to stay up to date with the latest Mimikatz updates to understand the techniques hackers will use to infiltrate your networks and stay one step ahead.

What is Mimikatz?

Mimikatz is an open source application that allows users to view and save authentication credentials such as Kerberos tickets . Benjamin Delpy continues to lead the development of Mimikatz, so the toolkit works with the current version of Windows and includes the most advanced attacks.



Attackers commonly use Mimikatz to steal credentials and elevate privileges: in most cases, endpoint protection software and antivirus systems detect and remove it. Conversely, penetration testers use Mimikatz to discover and test vulnerabilities in your networks so you can fix them.

Mimikatz features

Mimikatz originally demonstrated how to exploit a single vulnerability in the Windows authentication system. Now this tool covers several different types of vulnerabilities. Mimikatz can perform the following credential collection methods:

• Pass-the-Hash : Previously, Windows stored authentication credentials in an NTLM hash . Attackers use Mimikatz to pass the exact hash string to the target computer for login. Attackers don't even need to crack the password, they just need to intercept the hash and use it without any processing. This is the same as finding the key to all the doors of the house on the floor. You need one key to open any door.
• Pass-the-Ticket ( ): Windows , (Ticket). Mimikatz Kerberos . , .
• Over-Pass the Hash (Pass the Key): pass-the-hash, , .
• Kerberos Golden Ticket): (pass-the-ticket), KRBTGT. .« » .
• Kerberos Silver Ticket: pass-the-ticket, « » Windows, . Kerberos (TGS), . Microsoft (TGS) , .
• Pass-the-Cache): , Windows! , Mac/UNIX/Linux.

Mimikatz

You can download Mimikatz from Benjamin Delpy's GitHub. It offers several download options, from an executable to source code , which you will need to compile with Visual Studio 2010 or newer.

How to use Mimikatz

After running the Mimikatz executable, the Mimikatz interactive console will appear, where you can run commands in real time.



Run Mimikatz as Administrator: For Mimikatz to work properly, select Run as Administrator, even if you are using an administrator account.



Checking the Mimikatz version

There are 2 versions of Mimikatz: 32-bit and 64-bit. Make sure you are using the correct version for your Windows bit. Run the version command from the Mimikatz command line to get information about the Mimikatz executable, the Windows version, and if there are any Windows settings that might prevent Mimikatz from working correctly.



Retrieving clear text

passwords from memory The sekurlsa module in Mimikatz allows you to retrieve passwords from memory. To use commands in the sekurlsa module, you must have administrator or system level rights.



First run the command:

mimikatz # privilege::debug 

      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

You will see if you have the appropriate permissions to proceed.

Then start the logging functions, in the future you may need this log in your work:

mimikatz # log nameoflog.log

      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

Finally, output all passwords stored on this computer in plain text:

mimikatz # sekurlsa::logonpasswords

      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

Using other Mimikatz modules

The encryption module exposes the CryptoAPI on Windows, which allows you to enumerate and export certificates and their private keys, even if they are marked as non-exportable.



The Kerberos module accesses the Kerberos API, so you can experiment with this functionality by retrieving and managing Kerberos tickets .



The services module allows you to start, stop, disable, and perform other operations on Windows services.



And finally, the coffee command outputs an ASCII image of coffee, because everyone needs coffee.



Mimikatz is capable of so much more If you are interested in penetration testing or just want to dig into the internals of Windows Authentication, check out the links below.

• Penetration Testing Guide for Active Directory Environments
• Unofficial Mimikatz Manual and Command Reference
• Koadic: LOL malware and Python command and control server
• Official Encyclopedia of Mimikatz

Want to see Mimikatz in action and find out how Varonis protects you from intruders? Join our free interactive hands-on cyberattack workshop and see how Varonis engineers conduct a cyberattack in our security lab.