What is Mimikatz? How Does it Work?

Mimikatz overview

It is a program often used by hackers and security professionals to extract important data, such as passwords and credentials, from the recollection of a computer hardware. A common goal of this kind of invasion is to acquire access to restricted areas or resources, elevate one's privileges, or move laterally within a network.

Depending on the motivations of the attacker, it can be employed in a number of ways. To give only a few examples of its usefulness:

• Get access to networks, systems, or apps by stealing passwords from the RAM.
• You can get around authentication measures like multi-factor authentication by using stolen sensitive information.
• To get unauthorized access to restricted areas of a system or to execute other harmful tasks, an attacker must first gain administrative access to the target machine.
• Lateral movement within a network provides an attacker with access to previously inaccessible systems.

To sum up, it is a potent tool that can be used by attackers to compromise networks, systems, and applications and carry out other forms of malicious activity.

‍

History of Mimikatz

In 2007, Benjamin Delpy developed the software as a proof-of-concept to study the weaknesses of Microsoft's authentication mechanisms.

However, over time Mimikatz commands evolved into a formidable password stealer. In recent years, it has been utilised in a wide range of attacks, from the Russian hacking of the German parliament to the multimillion-dollar bank thefts carried out by the Carbanak group. Both the NotPetya and BadRabbit ransomware families used Mimikatz in tandem with stolen NSA hacking tools to automate attacks that infected networks and had disastrous results.

‍

Methods Used by Mimikatz

It initially showed how to take advantage of a solitary hole in the Windows authentication protocol. In its current version, it reveals multiple types of security holes and can carry out a wide range of credential-gathering operations.

• Pass-the-ticket: In recent Windows releases, password information is stored in a ticket. It allows a user to share their Kerberos ticket with another machine and then log in with that machine's credentials. It works similarly to the pass-the-hash protocol.
• Pass the key: This variation of pass-the-hash uses a special key stolen from a domain controller to successfully impersonate a user.
• Golden Kerberoast tickets: This is a pass-the-ticket spell, but it targets a specific ticket for a concealed account named KRBTGT, which encodes all other tickets. A golden ticket is a permanent set of domain overseer identifications that can be used on any machine in the network.
• Kerberoast silver tickets: Another pass-the-ticket, but a silver ticket takes advantage of a Windows feature that makes it simple to practice grid facilities. To legalize the service accounts on the network, users need tickets from ticket-granting servers (TGSs), which are issued via Kerberos. It is easy to bypass any security measures since Microsoft does not always check a TGS after it has been given.
• Pass-the-cache: At last, an attack that does not exploit Windows! The difference between a pass-the-cache attack and a pass-the-ticket assault is that the latter uses the user's actual ticket, while the former makes use of the handler's protected and encrypted login information on a Mac/UNIX/Linux machine.

‍

How Is Mimikatz Used Today?

Follow the below steps to know how does mimikatz work?

1. Step 1 - Begin Mimikatz with managerial rights.

Even if you are logged in as the system administrator, it will not work properly unless you tell it to "run as admin."

2. Step 2 - Verify your Mimikatz installation.

It is available in two different forms:

• 32bit 
• 64bit

Verify that your Windows installation is up-to-date. To learn more about the its executable, the current version of Windows, and whether or not any Windows settings are preventing it from operating properly, type "version" into the Mimikatz prompt.

3. Step 3 - Retrieve from memory "clear text passwords."

It includes the sekurlsa module, which can be used to recover keys from memory. You need to be an administrator or have the SYSTEM part to implement the sekurlsa module's commands.

Start by entering this command:

mimikatz # privilege::debug

You can tell if you have the right to proceed by looking at the output.

Then, begin the logging procedures to keep track of your progress.

mimikatz # log nameoflog.log

Finally, print out all the encrypted passwords from this machine.

mimikatz # sekurlsa::logonpasswords

‍

Can Mimikatz Defeat Endpoint Security Software?

If the operating system is unable to keep up, are there any third-party privacy solutions that can protect against its attacks? That fluctuates, unfashionable endpoint privacy controls, sometimes known as legacy antivirus software and some "next-gen" technologies, are obtainable with a challenge by the Mimikatz tool. As was mentioned earlier, if they are not accommodating conduct in packing or if they are not governing specific movements and events, then they will not be able to spot the attack coming or stop it.

It is also important to remember that it necessitates either Administrator or SYSTEM level rights on target computers in order to function properly. This necessitates that attackers either inject their code into a process that already has the necessary level of privileges, or they find a way to elevate their privileges in a way that allows them to simply bypass certain anti-virus software solutions. This is especially true if the anti-virus software solutions are prone to whitelisting "trusted" operating system processes.

‍

How To Protect Yourself Against Mimikatz?

It can be difficult to defend against because an attacker has to have root access to a Windows machine in order to execute. In many cases, you may only be able to limit the amount of harm an assailant can do. Several countermeasures to Mimikatz malware assaults are listed below.

• Cap administrative access. Only those who really need them should be granted administrative access.
• Turn off saved passwords. Recent password hashes are stored in Windows' registry. Because of the risk of its gaining access to your cached passwords, you should adjust your settings to store no recently used passwords by default. You can enable this feature by going to Control Panel > Local Security Policy > Security Options > Interactive Logon.
• Debug mode must be off. Due to Windows' preconfigured defaults, it can be used by local administrators to gain access to the system's debugging capabilities. One way to keep hackers out of your system is to disable debugging access.

Configure supplemental LSA protections. Protecting yourself from the authentication assaults that it enables can be aided by upgrading to Windows 10. Microsoft provides other LSA configuration options that help lessen the attack surface area when this isn't achievable.