Introducing Mimikatz Application

Date: April 07, 2015

Publication: Article

Mimikatz is well known among Windows "pen-testers" because it implements several attacks against Windows authentication mechanisms, in particular "Pass-the-hash" attacks.

Benjamin Delpy, the designer and developer of Mimikatz, presented his tool at the RéSIST conference on 17 February 2015 (his slides have been made available). We take this opportunity to write a short article about the tool.

Mimikatz dates back to 2007. It consists of a main program and a set of modules that act on Windows (from XP to Windows 10), all written in C.

Originally it was created to understand and "play" with private keys and certificates on Windows, to perform "Pass-the-hash" attacks (authenticating with the hash of a password rather than with the password itself), and to draw attention to weaknesses in the Windows authentication mechanisms.

Its modules can, among other things, extract keys, certificates, hashes and passwords, or inject libraries into processes.

To illustrate these possibilities, Benjamin Delpy demonstrated several of the security modules with attacks against the LSASS process (Local Security Authority Subsystem Service, the process that enforces the security policy on the system). Because this process keeps passwords and other material such as hashes in its memory, Mimikatz can:

  • extract plaintext passwords from the logon sessions held by the TsPkg, WDigest, LiveSSP (logon with a Microsoft Live account) and SSP security packages,
  • extract the hashes and keys held by the MSV1_0 package (the authentication package for local accounts),
  • extract passwords, keys, tickets and PIN codes from the Kerberos package (network authentication).

He also showed how to forge "Golden" Kerberos tickets (crafted TGTs, Ticket Granting Tickets, encrypted and signed with the key of the "krbtgt" domain account and valid for 10 years by default …) and "Silver" tickets (crafted TGS, Ticket Granting Service, tickets encrypted and signed with the key of the target service account, so no exchange with the domain controller is needed). Other modules were presented to dump memory, to read the Windows vaults (Credential Manager), or to "play" with the Windows CryptoAPI.

This tool is used in pentests, but it also appears to be commonly used by real attackers. It is best known for credential theft, but it is in fact a toolbox for Windows. For example, it can:

  • detect kernel-mode rootkits by listing the hooks placed on Windows APIs (it inspects the "detours" Microsoft introduced into those APIs),
  • list secondary logons started by attackers who authenticate through other vectors, and uncover traces that Windows normally hides,
  • recover RSA private keys stored on the hard drive, even after the associated certificate has been deleted,
  • and so on.

Note that to use Mimikatz you must:

  • have an account on the machine,
  • have administrator rights,
  • and, for certain actions, hold the debug privilege (SeDebugPrivilege, enabled with the privilege::debug command).

In addition, Mimikatz is flagged by some antivirus products as a malicious program.
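As a defensive counterpart, here is an added PowerShell function, again not part of the article, that reports how exposed a host is to the LSASS attacks described above: whether WDigest still caches plaintext passwords, whether LSA runs as a protected process, and whether the current token holds the debug privilege Mimikatz needs. The registry locations and their meaning are Microsoft's documented settings; the function itself and its name are written for this page.

```powershell
# Added example (not from the Cert-IST article): checks for the LSASS exposure
# described above. Hypothetical helper written for this page; needs PowerShell 3.0+
# on Windows 7 / Server 2008 R2 or later. Run it elevated: a UAC-filtered token
# has SeDebugPrivilege stripped, so the last check would otherwise read "False".
function Get-LsassExposure {
    # WDigest keeps plaintext passwords in LSASS unless UseLogonCredential is 0.
    # On Windows 8.1 / Server 2012 R2 and later an absent value means 0; on older
    # systems (even with KB2871997 installed) it must be set explicitly.
    $wdigestPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $useLogonCred = (Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $osVersion    = [version](Get-CimInstance Win32_OperatingSystem).Version
    $modernDefault = $osVersion -ge [version]'6.3'
    $wdigestCaches = if ($null -eq $useLogonCred) { -not $modernDefault } else { $useLogonCred -ne 0 }

    # LSA protection (RunAsPPL = 1, Windows 8.1 / Server 2012 R2 and later) makes
    # lsass.exe a protected process, so user-mode tools cannot read its memory.
    # Mimikatz's kernel driver can strip that flag, so this raises the bar rather
    # than closing the issue.
    $lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaPath -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lsaProtected = ($runAsPpl -eq 1)

    # privilege::debug can only enable SeDebugPrivilege if the token already holds
    # it (by default: members of Administrators). whoami /priv lists the privileges
    # held by the current token, whether enabled or disabled.
    $debugLine  = whoami /priv | Where-Object { $_ -match 'SeDebugPrivilege' }
    $holdsDebug = [bool]$debugLine

    [pscustomobject]@{
        OSVersion                = $osVersion.ToString()
        WDigestCachesPlaintext   = $wdigestCaches
        LsaProtectedProcess      = $lsaProtected
        TokenHoldsDebugPrivilege = $holdsDebug
    }
}

$state = Get-LsassExposure
$state | Format-List

# Remediation for the WDigest finding (the cache that sekurlsa::wdigest reads);
# it applies to logon sessions created after the next reboot.
if ($state.WDigestCachesPlaintext) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                     -Name UseLogonCredential -Type DWord -Value 0
}
```

None of these settings stops an administrator with debug rights from running Mimikatz; they remove the plaintext passwords from LSASS (WDigest), make the process harder to read (RunAsPPL), or tell you whether the current account could run privilege::debug at all. Hashes and Kerberos keys held by MSV1_0 and the Kerberos package remain in memory regardless, which is why the article stresses limiting who holds administrator rights in the first place.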


For further information: