Mimikatz: a swiss-army knife for Windows credential gathering
Really useful for penetration testing purposes!
If a program has been written in order to keep in memory some credentials in clear text, this can be a security risk.
When you make a security assessment, it will be useful a tool that scans processes memory searching for cleartext passwords, like Mimikatz, a tool written by Benjamin Delpy and Vincent Le Toux.
Mimikatz supports both Windows 32-bit and 64-bit and allows you to gather various credential types, using various techniques:
mimikatz is a tool I’ve made to learn C and make somes experiments with Windows security.
It’s well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … maybe make coffee?
- Dump credentials from LSASS (Windows Local Security Account database)
- MSV1.0: hashes & keys (dpapi)
- Kerberos password, ekeys, tickets, & PIN
- TsPkg (password)
- WDigest (clear-text password)
- LiveSSP (clear-text password)
- SSP (clear-text password)
- Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
- Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
- Export certificates and keys (even those not normally exportable).
- Dump cached credentials
- Stop event monitoring.
- Bypass Microsoft AppLocker / Software Restriction Polcies
- Patch Terminal Server
- Basic GPO bypass
An interesting tutorial on Windows OS Hub about the extraction of cleartext credentials from LSASS process:
Yes, two simple commands:
mimikatz # privilege::debug mimikatz # sekurlsa::logonPasswords full
and also a brief video demo:
Both examples shouldn’t works on system that have installed the KB2871997:
One of the credentials stored by LSASS is the user’s clear-text password. This update prevents every Microsoft SSP in LSASS, besides WDigest, from storing the user’s clear-text password. WDigest still stores the user’s clear-text password because it cannot function without the user’s password (Microsoft does not want to break existing customer setups by shipping an update to disable this).
However, because WDigest (used for credential storage) is used by many products (e.g. IIS), Microsoft left the Wdigest provider enabled which is why mimikatz can still obtain clear text password.
An attacker can simply re-enabling the credential storing in LSASS with this command:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Security\Providers\WDigest /v UseLogonCredential /t REG_DWORD /d 1
(Obviously must be run as an administrator, but if you are using mimikatz is assumed that the privileges have been already gained!)