> [!Info]
> This page is currently a work in progress.
## What is Mimikatz
[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source Windows tool made up of modules that view, extract and save authentication material from a running Windows host: plaintext passwords, NT hashes, [[Kerberos]] tickets and keys, DPAPI master keys and certificates, most of them read straight out of the memory of the LSASS process.
It was originally written as a proof of concept that Windows kept sensitive data in memory without adequate protection. Today it is mainly used, by attackers and red teams alike, to steal credentials and escalate privileges through attacks such as [[Pass-The-Hash]], [[Pass-The-Ticket]] and forged [[Golden-Ticket|golden tickets]].
---
## How Mimikatz Works
1. Requirements
- Mimikatz needs to run as SYSTEM, or as a local administrator with `SeDebugPrivilege` enabled, to open a handle to the Local Security Authority Subsystem Service (LSASS) process.
- From an administrator context, `privilege::debug` enables `SeDebugPrivilege`; if that command fails, the token does not hold the privilege and the `sekurlsa` commands will not be able to open LSASS.
2. Interacts with LSASS
- LSASS hosts the authentication packages (NTLM/MSV1_0, Kerberos, WDigest, TsPkg, cached domain logons and others).
- To do its job it keeps secrets in memory: plaintext passwords (where a package still needs them), NT hashes, Kerberos tickets and keys, and DPAPI master keys.
- Mimikatz opens a handle to LSASS, reads its memory and walks the packages' internal structures. The `sekurlsa` module does not inject code into LSASS unless explicitly asked to (for example `misc::memssp` or `lsadump::lsa /inject`).
3. Locates and extracts secrets
- Uses per-build knowledge of LSASS's internal structures, plus Windows APIs where they exist, to locate and extract:
- Passwords and hashes (`sekurlsa::logonpasswords`)
- [[Kerberos]] credentials, tickets and keys (`sekurlsa::kerberos`, `sekurlsa::tickets`, `sekurlsa::ekeys`)
- SAM hashes, LSA secrets and cached domain credentials (`lsadump::sam`, `lsadump::secrets`, `lsadump::cache`, `lsadump::lsa`)
- DPAPI master keys (`sekurlsa::dpapi`, `dpapi::masterkey`)
4. Bypasses protections
- Private keys marked non-exportable in the Windows certificate stores are not meant to leave the machine.
- `crypto::capi` patches the CryptoAPI layer in the Mimikatz process and `crypto::cng` patches the CNG key isolation service inside LSASS, so the exportable check passes; `crypto::keys /export` and `crypto::certificates /export` then write the private keys out.
5. Performs attacks
- Once the secrets are out, they feed the following attacks:
- [[Pass-the-Hash|Pass the Hash]] - authenticate over NTLM with a stolen NT hash instead of the password.
- [[Pass-the-Ticket|Pass the Ticket]] - inject a stolen or forged Kerberos ticket into a logon session.
- [[Over-Pass-the-Hash|Over Pass the Hash]] / [[Pass-the-Key|Pass the Key]] - request a Kerberos TGT with a stolen NT hash (RC4) or AES key instead of the password.
- [[Golden-Ticket|Golden Ticket]] - forge a TGT with the hash of the KRBTGT account, the key every TGT in the domain is encrypted with.
- [[Silver-Ticket|Silver Ticket]] - forge a service ticket (ST) with the hash of the account the target service (SPN) runs under.
- [[DCSync-Attack|DCSync]] (`lsadump::dcsync`) - impersonate a domain controller and pull password hashes over the AD replication protocol (MS-DRSR).
---
## Mimikatz Modules
### crypto
Windows uses the Cryptographic API (CAPI) and CryptoAPI Next Generation (CNG) to manage keys, certificates, and cryptographic operations.
As per [Microsoft](https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptography--cryptoapi--and-capicom):
>[!cite]
>CryptoAPI and CAPICOM provide services that enable application developers to **add encryption/decryption** of data, authentication using digital **certificates**, and **encoding** to and **decoding** from Abstract Syntax Notation One (ASN.1) to their Windows-based applications.
Essentially, this module lets you interact with and extract secrets from the Windows certificate and cryptographic systems.
Below are some of the more commonly used commands in this module:
- `crypto::capi` – Patches CAPI for exporting
- `crypto::cng` – Patches CNG (modern Windows crypto) for exporting
- `crypto::certificates` – List/exports certificates
- `crypto::keys` – List/exports key containers (raw crypto key storage locations)
- `crypto::extract` – Extract keys from RSA/AES provider
- `crypto::hash` – Password to hash conversion
- `crypto::providers` – Lists cryptographic providers
- `crypto::stores` – Lists cryptographic stores (folders that group certs by role)
### dpapi
DPAPI (Data Protection API) is the Windows API used to store secrets such as saved passwords, encryption keys, Wi-Fi profiles and browser cookies. Each blob is encrypted with a per-user master key, and that master key is in turn protected by a key derived from the user's logon credentials (or, for machine secrets, by the `DPAPI_SYSTEM` LSA secret).
To decrypt a blob you therefore need the right master key: the user's password (or its hash), the master key already cached in LSASS for a logged-on user, or, for domain users, the domain's DPAPI backup key.
Below are some of the more commonly used commands in this module:
- `dpapi::blob` - Decrypts a DPAPI blob with API or masterkey.
- `dpapi::chrome` - Dumps saved Chrome credentials and cookies.
- `dpapi::cred` - Decrypts saved credentials (RDP, scheduled tasks, etc.).
- `dpapi::masterkey` - Inspects/decrypts masterkeys (needed to unlock other secrets).
- `dpapi::vault` - Dumps saved creds from Windows Credential Manager vault.
- `dpapi::wifi` - Decrypts saved Wi-Fi passwords.
- `dpapi::ps` - Decrypts PowerShell creds.
- `dpapi::rdg` - Decrypts saved Remote Desktop Gateway passwords.
- `dpapi::ssh` - Extracts OpenSSH private keys.
- `dpapi::cache` - Shows Mimikatz's internal DPAPI cache (master keys, CREDHIST entries and domain backup keys collected so far in the session).
### event
Windows records specific events in the Windows Event Logs: logons, process creation, service starts, errors and so on. This module lets an attacker tamper with those logs to cover their tracks, either by clearing a log or by stopping new events from being written altogether. Clearing the Security log is itself recorded (Event ID 1102) and so is clearing the System log (Event ID 104), which is why `event::drop` is the quieter of the two.
Commands:
- `event::clear` - Clears a specified event log
- `event::drop` - Patches event services to avoid new events
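From the defender's side, the two artefacts this page implies are worth alerting on: a process opening `lsass.exe` with the access masks the `sekurlsa` module requests (Sysmon Event ID 10), and the log-cleared records that `event::clear` leaves behind. The following added example, not from the page or the Mimikatz project, runs that logic offline over constructed sample events; the allow-list of legitimate LSASS readers is a hypothetical placeholder to tune per host.

```powershell
# Added example (not from the page): detection logic for LSASS handle
# opens and event-log clearing, run over constructed sample events.

# Access masks commonly requested on lsass.exe by Mimikatz's sekurlsa module
# (0x1010 = PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, 0x1fffff = all).
$SuspiciousMasks = @(0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF)
# Hypothetical allow-list; real hosts need their EDR/AV binaries added.
$KnownLsassReaders = @('C:\Windows\system32\csrss.exe', 'C:\Windows\system32\wininit.exe')

function Test-LsassAccess {
    param([Parameter(Mandatory)] $Event)
    if ($Event.Id -ne 10) { return $false }
    if ($Event.TargetImage -notlike '*\lsass.exe') { return $false }
    if ($KnownLsassReaders -contains $Event.SourceImage) { return $false }
    $mask = [Convert]::ToInt32($Event.GrantedAccess, 16)   # "0x1010" -> 4112
    return ($SuspiciousMasks -contains $mask)
}

function Test-LogCleared {
    param([Parameter(Mandatory)] $Event)
    # 1102 = Security log cleared, 104 = System log cleared. event::drop
    # produces neither, so pair this with a "no events for N minutes" check.
    return ($Event.Id -eq 1102 -and $Event.LogName -eq 'Security') -or
           ($Event.Id -eq 104  -and $Event.LogName -eq 'System')
}

# Constructed sample events; field names follow the Sysmon/Security schemas.
$events = @(
    [pscustomobject]@{ Id=10;   LogName='Microsoft-Windows-Sysmon/Operational'; SourceImage='C:\Users\bob\Desktop\mimikatz.exe'; TargetImage='C:\Windows\system32\lsass.exe';   GrantedAccess='0x1010' }
    [pscustomobject]@{ Id=10;   LogName='Microsoft-Windows-Sysmon/Operational'; SourceImage='C:\Windows\system32\csrss.exe';     TargetImage='C:\Windows\system32\lsass.exe';   GrantedAccess='0x1fffff' }
    [pscustomobject]@{ Id=10;   LogName='Microsoft-Windows-Sysmon/Operational'; SourceImage='C:\Program Files\App\app.exe';       TargetImage='C:\Windows\system32\svchost.exe'; GrantedAccess='0x1010' }
    [pscustomobject]@{ Id=1102; LogName='Security'; SourceImage=$null; TargetImage=$null; GrantedAccess=$null }
)

$hits = $events | Where-Object { (Test-LsassAccess $_) -or (Test-LogCleared $_) }
$hits | Format-Table Id, LogName, SourceImage, GrantedAccess
# Expected: the mimikatz.exe line and the 1102 line; csrss.exe is
# allow-listed and the svchost.exe open is not against LSASS.

# Live equivalent, on a host with Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=10 } |
#     ForEach-Object { ... map Properties[] to the fields above ... }
```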
>[!Attention]
>Everything below is all copy and paste and not my own work.
>It is purely there to remind me of functions in order to learn and for me to re-write them in my own words.
### kerberos
[[Kerberos]] is the default authentication protocol in [[Active Directory]] and is a ticket system for proving your identity without constantly having to type your password. This module allows you to list, steal and/or inject tickets ([[Pass-the-Ticket]]), and even allows you to forge your own [[Golden-Ticket|Golden Tickets]] or [[Silver-Ticket|Silver Tickets]].
- `kerberos::ask` - can be used to obtain Service Tickets (STs). The Windows native equivalent is `klist get`
- `kerberos::clist` - lists tickets in MIT/Heimdal ccache format. It can be useful with other tools (i.e. ones that support Pass the Cache)
- `kerberos::golden` - can be used to forge golden and silver tickets. It can also be used for forging inter-realm trust tickets from trust keys
- `kerberos::hash` - computes the different types of Kerberos keys for a given password
- `kerberos::list` - has similar functionality to `klist` and, like `klist`, needs no elevated privileges: it asks LSA through the normal API instead of reading LSASS memory, so unlike `sekurlsa::tickets` it only sees the current logon session
- `kerberos::ptc` - can be used to pass the cache. This is similar to `kerberos::ptt`, which passes the ticket, but takes a `.ccache` file instead of a `.kirbi` one
- `kerberos::ptt` - is used for passing the ticket by injecting one or more Kerberos tickets into the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket)
- `kerberos::purge` - purges all kerberos tickets similar to `klist purge`
- `kerberos::tgt` - retrieves a TGT (Ticket-Granting Ticket) for the current user
### lsadump
This module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets.
- `lsadump::backupkeys` - dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)
- `lsadump::cache` - can be used to enumerate Domain Cached Credentials from the registry. It does so by acquiring the SysKey to decrypt NL$KM (a binary protected value) and then the MSCache (v1/v2) entries
- `lsadump::changentlm` - changes a user's password over MS-SAMR given the current password or NT hash; no reset privilege is needed
- `lsadump::dcshadow` - registers the attacker's host as a temporary domain controller and pushes attribute changes into AD through replication, bypassing the normal write path on a real DC and the logging that goes with it
- `lsadump::dcsync` - can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to ask a domain controller to synchronize a specified entry
- `lsadump::lsa` - extracts hashes from memory by asking the LSA server. The patch or inject (`/patch`, `/inject`) takes place on the fly
- `lsadump::mbc` - dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled use Machine Bound Certificates
- `lsadump::netsync` - can be used to act as a Domain Controller towards a target by using a Silver Ticket. It then leverages Netlogon to request the RC4 key (i.e. NT hash) of the target computer account
- `lsadump::packages` - lists the available Windows authentication mechanisms
- `lsadump::postzerologon` - restores a computer account after a Zerologon exploit by updating both its AD password and its locally stored password remotely, mimicking `netdom resetpwd`
- `lsadump::RpData` -
- `lsadump::sam` - dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump)
- `lsadump::secrets` - can be used to dump LSA secrets from the registry. It retrieves the SysKey to decrypt the Secrets entries
- `lsadump::setntlm` - can be used to perform a password reset without knowing the user's current password. It can be useful in an Active Directory ACL abuse scenario
- `lsadump::trust` - can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most EDRs watch the KRBTGT hash, this is a stealthier way to compromise forest trusts
- `lsadump::zerologon` - detects and exploits the Zerologon vulnerability
### misc
The miscellaneous module contains functionalities such as [[PetitPotam]], PrintNightmare RPC Print Spooler and others.
- `misc::aadcookie` - can be used to dump the Azure Panel's session cookie from `login.microsoftonline.com`
- `misc::clip` - monitors clipboard. CTRL+C stops the monitoring
- `misc::cmd` - launches the command prompt
- `misc::compress` - performs a self compression of mimikatz
- `misc::detours` - is experimental and it tries to enumerate all modules with Detours-like hooks
- `misc::efs` - is Mimikatz's implementation of the MS-EFSR abuse (PetitPotam), an authentication coercion technique
- `misc::lock` - locks the screen. It can come in handy with misc::memssp
- `misc::memssp` - patches LSASS by injecting a new Security Support Provider (a DLL is registered)
- `misc::mflt` - enumerates the loaded Windows minifilter drivers from within Mimikatz, without calling fltmc.exe. Because it reports each driver's altitude, it also helps fingerprint the security products on the host
- `misc::ncroutemon` - displays Juniper network connect (without route monitoring)
- `misc::ngcsign` - can be used to dump the NGC key (Windows Hello keys) signed with the symmetric pop key.
- `misc::printnightmare` - can be used to exploit the PrintNightmare vulnerability through both *MS-RPRN RpcAddPrinterDriverEx* and *MS-PAR AddPrinterDriverEx*
- `misc::regedit` - launches the registry editor
- `misc::sccm` - decrypts the password field in the `SC_UserAccount` table in the SCCM database
- `misc::shadowcopies` - is used to list the available shadow copies on the system
- `misc::skeleton` - injects a "Skeleton Key" into the LSASS process on the domain controller
- `misc::spooler` - is Mimikatz's implementation of the MS-RPRN abuse (PrinterBug), an authentication coercion technique
- `misc::taskmgr` - launches the task manager
- `misc::wp` - sets up a wallpaper
- `misc::xor` - performs XOR decoding/encoding on a provided file with 0x42 default key
### net
Some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included.
- `net::alias` - displays more information about the local group memberships, including Remote Desktop Users, Distributed COM Users, etc.
- `net::deleg` - enumerates accounts configured for Kerberos delegation (unconstrained and constrained variants)
- `net::group` - displays the local groups
- `net::if` - displays the available local IP addresses and the hostname
- `net::serverinfo` - displays information about the logged-in server
- `net::session` - displays the active sessions through the NetSessionEnum() Win32 API function
- `net::share` - displays the available shares
- `net::stats` - displays when the target was booted
- `net::tod` - displays the current time
- `net::trust` - displays information about the Active Directory forest trust(s)
- `net::user` - displays the local users
- `net::wsession` - displays the active sessions through the NetWkstaUserEnum() Win32 API function
### privilege
This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS.
- `privilege::backup` - requests the backup privilege (SeBackupPrivilege)
- `privilege::debug` - requests the debug privilege (SeDebugPrivilege)
- `privilege::driver` - requests the load driver privilege (SeLoadDriverPrivilege)
- `privilege::id` - requests a privilege by its id
- `privilege::name` - requests a privilege by its name
- `privilege::restore` - requests the restore privilege (SeRestorePrivilege)
- `privilege::security` - requests the security privilege (SeSecurityPrivilege)
- `privilege::sysenv` - requests the system environment privilege (SeSystemEnvironmentPrivilege)
- `privilege::tcb` - requests the tcb privilege (SeTcbPrivilege)
### process
This module deals with Windows processes. It can also be used for process injection and parent process spoofing.
- `process::exports` - lists all the exported functions from the DLLs each running process is using. If a `/pid` is not specified, then exports for mimikatz.exe will be displayed
- `process::imports` - lists all the imported functions from the DLLs each running process is using. If a `/pid` is not specified, then imports for mimikatz.exe will be displayed
- `process::list` - lists all the running processes. It uses the NtQuerySystemInformation Windows Native API function
- `process::resume` - resumes a suspended process by using the NtResumeProcess Windows Native API function
- `process::run` - creates a process by using the CreateProcessAsUser Win32 API function. The CreateEnvironmentBlock is also utilized
- `process::runp` - runs a subprocess under a parent process (Default parent process is LSASS.exe). It can also be used for lateral movement and process spoofing
- `process::start` - starts a process by using the CreateProcess Win32 API function. The PID of the process is also displayed
- `process::stop` - terminates a process by using the NtTerminateProcess Windows Native API function. The Win32 API equivalent is TerminateProcess
- `process::suspend` - suspends a process by using the NtSuspendProcess Windows Native API function
### rpc
The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.
- `rpc::close` - closes remote RPC sessions
- `rpc::connect` - connects to an RPC endpoint
- `rpc::enum` - enumerates RPC endpoints on a system
- `rpc::server` - starts an RPC server
### sekurlsa
The most beloved module of Mimikatz. Even Benjamin Delpy, its author, has said that one day people will discover that Mimikatz is more than `sekurlsa::logonpasswords`.
- `sekurlsa::backupkeys` - lists the preferred Backup Master keys
- `sekurlsa::bootkey` - sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentials
- `sekurlsa::cloudap` - lists Azure (Primary Refresh Token) credentials, based on the research "Digging further into the Primary Refresh Token". According to Benjamin:
- `sekurlsa::credman` - lists Credential Manager entries by targeting the Microsoft Local Security Authority Server DLL (lsasrv.dll)
- `sekurlsa::dpapi` - lists DPAPI cached master keys
- `sekurlsa::dpapisystem` - lists the DPAPI_SYSTEM secret key
- `sekurlsa::ekeys` - lists Kerberos encryption keys
- `sekurlsa::kerberos` - lists Kerberos credentials
- `sekurlsa::krbtgt` - retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 keys
- `sekurlsa::livessp` - lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistant
- `sekurlsa::logonpasswords` - lists all available provider credentials. This usually shows recently logged-on user and computer credentials
- `sekurlsa::minidump` - can be used against a dumped LSASS process file and does not require administrative privileges. It is considered an "offline" dump
- `sekurlsa::msv` - dumps and lists the NT hash (and other secrets) by targeting the MSV1_0 Authentication Package
- `sekurlsa::process` - switches (or reinitialises) to the LSASS process context. It can be used after `sekurlsa::minidump`
- `sekurlsa::pth` - performs Pass-the-Hash, Pass-the-Key and Over-Pass-the-Hash. Upon successful authentication a program is run (n.b. defaults to cmd.exe)
- `sekurlsa::ssp` - lists Security Support Provider (SSP) credentials
- `sekurlsa::tickets` - lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike `kerberos::list`, `sekurlsa` reads memory directly and is not subject to key export restrictions; it can also reach tickets from other users' sessions
- `sekurlsa::trust` - retrieves the forest trust keys
- `sekurlsa::tspkg` - lists TsPkg credentials. This credential provider is used for Terminal Server authentication
- `sekurlsa::wdigest` - lists WDigest credentials. According to Microsoft, WDigest.dll was introduced in the Windows XP operating system
### service
This module can interact with Windows services plus installing the `mimikatzsvc` service.
- `service::-` - removes the mimikatzsvc service
- `service::+` - installs the mimikatzsvc service by issuing `rpc::server service::me exit`
- `service::preshutdown` - pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signal
- `service::remove` - removes the specified service (It must be used with caution)
- `service::resume` - resumes a specified service, after successful suspending, by sending a SERVICE_CONTROL_CONTINUE signal
- `service::shutdown` - shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN signal
- `service::start` - starts a service
- `service::stop` - stops a specified service by sending a SERVICE_CONTROL_STOP signal
- `service::suspend` - suspends the specified service. It sends a SERVICE_CONTROL_PAUSE signal
### sid
This module deals with the Security Identifier.
- `sid::add` - adds a SID to sIDHistory of an object
- `sid::clear` - clears the sIDHistory of a target object
- `sid::lookup` - looks up an object by its SID or name
- `sid::modify` - modifies an object's SID
- `sid::patch` - patches the NTDS (NT Directory Services) service so that SID changes are accepted. It is needed before running `sid::modify` or `sid::add`
- `sid::query` - queries an object by its SID or name
### standard
This module contains some general functionalities which are not related to exploitation.
- `standard::answer` - or answer provides an answer to The Ultimate Question of Life, the Universe, and Everything!
- `standard::base64` - or base64 switches file input/output to base64
- `standard::cd` - or cd can change or display the current directory. The changed directory is used for saving files
- `standard::cls` - or cls clears the screen
- `standard::coffee` - or coffee is the most important command of all
- `standard::exit` - or exit quits Mimikatz after clearing routines
- `standard::hostname` - or hostname displays system local hostname
- `standard::localtime` - or localtime displays system local date and time
- `standard::log` - or log logs mimikatz input/output to a file
- `standard::sleep` - or sleep make Mimikatz sleep an amount of milliseconds
- `standard::version` - or version displays the version in use of Mimikatz
### token
This module deals with Windows tokens (who does not like elevating to `NT AUTHORITY\SYSTEM`?).
- `token::elevate` - can be used to impersonate a token. By default it will elevate permissions to NT AUTHORITY\SYSTEM
- `token::list` - lists all tokens on the system
- `token::revert` - reverts to the previous token
- `token::run` - executes a process with its token
- `token::whoami` - displays the current token
### ts
This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords.
- `ts::logonpasswords` - extracts clear-text credentials from running RDP sessions (server side)
- `ts::mstsc` - extracts cleartext credentials from the mstsc process (client side)
- `ts::multirdp` - enables multiple RDP connections on the target server
- `ts::remote` - performs RDP takeover/hijacking of active sessions
- `ts::sessions` - lists the current RDP sessions. It comes in handy for RDP hijacking
### vault
This module dumps passwords saved in the Windows Vault.
- `vault::cred` - enumerates vault credentials
- `vault::list` - lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user