Mimikatz

Mimikatz - Secret Double Octopus

Mimikatz is an open-source credential-dumping program used to obtain account login and password information, normally in the form of a hash or a cleartext password, from an operating system or software. The credentials can then be used to perform lateral movement and access restricted information.

Mimikatz is a 32-bit/64-bit Windows program that extracts passwords, hashes, PINs, and Kerberos tickets from memory. It is used as an attack tool against Windows clients, allowing the extraction of cleartext passwords and password hashes from memory. The program was coded in C by Benjamin Delpy in 2007 to learn more about Windows credentials (and as a proof of concept).

There are two optional components that provide additional features: mimidrv (a driver to interact with the Windows kernel) and mimilib (AppLocker bypass, authentication package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM privileges, and often debug rights, in order to perform certain actions and interact with the LSASS process (depending on the action requested).

In recent years Mimikatz was used as a component of two ransomware worms that reached targets around the globe: both NotPetya and BadRabbit used Mimikatz in conjunction with leaked NSA hacking tools to automate attacks whose infections saturated networks, with disastrous results. NotPetya was able to paralyze thousands of computers at companies like FedEx, Maersk and Merck. It is believed to have caused over a billion dollars in damages.

Frequently Asked Questions
What is a pass the hash?

Pass the hash (PtH) is a hacking technique for authenticating as a user with that user's hashed password instead of the cleartext password. The attacker obtains the user name and password hash values (different techniques can be used) and presents them to a remote server or service. The attack exploits an implementation weakness in the authentication protocol: the password hash remains static from session to session until the next password change.

What is a Meterpreter session?

Meterpreter, or more precisely Metasploit Meterpreter, is a payload within the Metasploit Framework that runs as a DLL loaded into any process on the target machine, which provides control over the target system.

The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Mimikatz can be downloaded and invoked as part of a Meterpreter shell.

Is Mimikatz an easy tool to hack with?

Not at all: an attacker needs to get access to a physical computer that was not shut down correctly, and there have been several Windows updates that mitigate the vulnerability that Mimikatz takes advantage of.

What does the Mimikatz DCSync feature do?

DCSync is a feature of Mimikatz found in the lsadump module. DCSync impersonates the behavior of a Domain Controller (DC) and requests account password data from the targeted Domain Controller. DCSync is an attack technique used in the post-exploitation phase of an internal penetration test.
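Because DCSync asks a DC for replication data, a defender can watch for the directory replication rights being exercised by an account that is not itself a DC. The following is an added example written for this page, not code from Secret Double Octopus or Mimikatz: it scans constructed Windows Security event 4662 records (written here in a simplified `Key=Value` format, an assumption) for the Microsoft-documented replication control-access GUIDs and flags requests from principals that are not DC computer accounts or a hypothetical sync-account allowlist.

```python
"""Flag Windows Security event 4662 records that look like DCSync replication requests."""
import re

# Control-access-right GUIDs a principal needs to pull password data via directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit that 4662 sets for extended (control access) rights
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_event(line):
    """Parse one 'Key=Value Key=Value' record (constructed, simplified format) into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_replication_request(event):
    """True if this is a 4662 control-access request carrying a replication GUID."""
    if event.get("EventID") != "4662":
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return bool(guids & set(REPLICATION_GUIDS))


def is_expected_replicator(user, allowlist):
    """DC computer accounts end with '$'; allowlist holds known sync accounts (assumption)."""
    return user.endswith("$") or user.lower() in allowlist


def detect_dcsync(lines, allowlist=frozenset()):
    """Return (user, replication rights) for each request that does not come from a DC."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not is_replication_request(ev):
            continue
        user = ev.get("SubjectUserName", "")
        if is_expected_replicator(user, allowlist):
            continue
        found = {g.lower() for g in GUID_RE.findall(ev["Properties"])}
        alerts.append((user, sorted(REPLICATION_GUIDS[g] for g in found & set(REPLICATION_GUIDS))))
    return alerts


# Constructed sample records: one legitimate DC, one suspicious user, two non-matching events.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe AccessMask=0x20 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=jdoe AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
]

if __name__ == "__main__":
    for user, rights in detect_dcsync(SAMPLE_EVENTS, allowlist={"msol_sync"}):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```

Real 4662 records must have object-access auditing enabled on the DC and should be read from the event log rather than the simplified text format used here.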