mimikatz: yesterday's hacking tool, still in use today

Mimikatz (mimi katz) became an extremely effective attack tool against Windows clients, allowing an attacker to recover plaintext passwords, as well as password hashes, from memory. It has been dubbed the Swiss Army knife of Windows credential tools, alongside Hernán Ochoa's Windows Credential Editor (WCE).

Mimikatz, first written by the Frenchman Benjamin Delpy (aka gentilkiwi) in 2011, greatly simplified and automated the collection of credentials on Windows systems.

Mimikatz: cute cat


Mimikatz is an open source utility that lets you view the credential material held by the Windows lsass process (Local Security Authority Subsystem Service) through its sekurlsa module, including plaintext passwords and Kerberos tickets that can then be used in attacks such as pass-the-hash and pass-the-ticket. Most antivirus tools detect the presence of Mimikatz as a threat and remove it, but it remains useful for testing the security of systems.

Mimikatz provides a large number of tools to collect and use Windows credentials on target systems, including recovery of cleartext passwords, LAN Manager and NTLM hashes, certificates and Kerberos tickets. The tools work with varying success on all versions of Windows from XP onwards, with somewhat reduced functionality on Windows 8.1 and later.

It has also come to light as a component of two ransomware worms that crossed Ukraine and spread across Europe, Russia and the USA: both NotPetya and BadRabbit used Mimikatz together with leaked NSA tools to build automated attacks whose infections quickly saturated networks, with disastrous results. NotPetya alone paralysed thousands of computers at companies such as Maersk, Merck and FedEx, and is believed to have caused more than a billion dollars in damage.


WDigest


Mimikatz first became a key asset for attackers thanks to its ability to exploit an obscure Windows feature called WDigest. That feature is designed to make it more convenient for corporate and government Windows users to prove their identity to different applications on their network or on the web: it keeps the user's authentication credentials in memory and reuses them automatically, so the username and password only have to be entered once. While Windows keeps that copy of the user's password encrypted, it also keeps a copy of the secret key needed to decrypt it in memory.


In 2014, Microsoft responded to this security hole with a patch that allows system administrators to disable WDigest password caching, so that the passwords are no longer stored. Microsoft's notice explains how to update a specific registry entry:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

In Windows 8 and above, the default setting is not to store cleartext passwords in lsass.
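The registry change above is easy to apply by hand once but hard to keep consistent across a fleet. As an added example (not from the original post), this PowerShell function audits the WDigest setting on the local host and, with -Enforce, applies it; it assumes the value name UseLogonCredential introduced by Microsoft's 2014 update (KB2871997), where 0 means the plaintext logon password is not kept in LSASS memory.

```powershell
# Added example (not from the original post): audit the WDigest setting
# described above and optionally enforce it. KB2871997 introduced the
# UseLogonCredential value under the key quoted above; 0 tells WDigest not to
# keep the user's plaintext logon password in LSASS memory.
# Run from an elevated PowerShell session; -Enforce writes the value.
function Test-WDigestCredentialCaching {
    param([switch]$Enforce)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'

    $item    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int]$item.$name } else { $null }

    # Windows 8.1 / Server 2012 R2 and later treat an absent value as 0 (off).
    # Older hosts with the patch installed still cache unless the value is set
    # explicitly, so an absent value is a finding there. CIM is used instead of
    # [Environment]::OSVersion, which compatibility shims can under-report.
    $osVersion      = [version](Get-CimInstance Win32_OperatingSystem).Version
    $absentMeansOff = $osVersion -ge [version]'6.3'

    $cached = if ($null -eq $current) { -not $absentMeansOff } else { $current -ne 0 }

    $remediated = $false
    if ($cached -and $Enforce) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        $remediated = $true
        # LSASS applies this at logon, so passwords already held in memory stay
        # there until the affected users log off or the host reboots.
    }

    $display = if ($null -eq $current) { '<absent>' } else { $current }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OSVersion          = $osVersion.ToString()
        UseLogonCredential = $display
        PlaintextInMemory  = $cached
        Remediated         = $remediated
    }
}

Test-WDigestCredentialCaching            # report only
# Test-WDigestCredentialCaching -Enforce # report and set the value to 0
```

PlaintextInMemory is the field to alert on; a host that reports it as True after remediation still holds cached passwords until its sessions are logged off.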



mimikatz comes in two flavours, x64 and Win32, depending on whether your version of Windows is 32- or 64-bit.
The Win32 flavour cannot access 64-bit process memory (such as lsass), but it can open a 32-bit minidump on 64-bit Windows. Some operations need administrator privileges or a SYSTEM token, so keep UAC in mind from Vista onwards.


privilege::debug
inject::process lsass.exe sekurlsa.dll
@getLogonPasswords
sekurlsa::logonpasswords

Using mimikatz modules from Metasploit

meterpreter > mimikatz_command -f fu::
Module: 'fu' introuvable

Modules available: 
                - Standard
      crypto - Cryptographie et certificats
        hash - Hash
      system - Gestion système
     process - Manipulation des processus
      thread - Manipulation of threads
     service - Manipulation des services
   privilege - Manipulation des privilèges
      handle - Manipulation des handles
 impersonate - Manipulation tokens d'accès
     winmine - Manipulation du démineur
 minesweeper - Manipulation du démineur 7
       nogpo - Anti-gpo et patchs divers
     samdump - SAM Dump
      inject - Injecteur de librairies
          ts - Terminal Server
      divers - Fonctions diverses n'ayant pas encore assez de corps pour avoir leurs propres module
    sekurlsa - Dump des sessions courants for providers LSASS
         efs - Manipulations EFS


mimikatz modules

Technical features

  • Dump credentials from LSASS (Windows Local Security Account database)
  • MSV1.0: hashes & keys (dpapi)
  • Kerberos password, ekeys, tickets, & PIN
  • TsPkg (password)
  • WDigest (clear-text password)
  • LiveSSP (clear-text password)
  • SSP (clear-text password)
  • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
  • Export certificates and keys (even those not normally exportable).
  • Dump cached credentials
  • Stop event monitoring.
  • Bypass Microsoft AppLocker / Software Restriction Policies
  • Patch Terminal Server
  • Basic GPO bypass
Yara rules for tool detection
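Signature rules such as the Yara rules referenced above match the binary itself, so a renamed or recompiled build can slip past them. As an added example (not from the original post), this PowerShell function complements them by looking for the tool's own module::command syntax in process-creation command lines (for instance exported from Sysmon Event ID 1 or Security Event ID 4688); the module names are the ones mimikatz lists in the Metasploit output above, and the sample command lines are constructed for the example.

```powershell
# Added example (not from the original post): flag mimikatz-style
# "module::command" tokens in process command lines. The module names are
# those printed by the tool itself in the Metasploit listing above. Renamed
# binaries still use this syntax, so this catches more than a filename match;
# in-memory loaders that never expose a command line will not be caught.
function Find-MimikatzCommandSyntax {
    param([Parameter(Mandatory)][string[]]$CommandLines)

    $modules = 'sekurlsa','privilege','inject','crypto','hash','system','process',
               'thread','service','handle','impersonate','samdump','ts','divers',
               'efs','nogpo'
    # Restricting to known module names avoids false positives on ordinary
    # "namespace::name" strings; \s* tolerates the spaced form "privilege :: debug".
    $pattern = '(?i)\b(' + ($modules -join '|') + ')\s*::\s*([a-z_]+)'

    foreach ($line in $CommandLines) {
        $hits = [regex]::Matches($line, $pattern)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                CommandLine = $line
                Modules     = @($hits | ForEach-Object {
                    '{0}::{1}' -f $_.Groups[1].Value.ToLower(), $_.Groups[2].Value.ToLower()
                })
            }
        }
    }
}

# Constructed sample command lines (not real telemetry).
$sample = @(
    'C:\Windows\System32\svchost.exe -k netsvcs',
    'C:\Users\Public\update.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
    'C:\Temp\m.exe privilege :: debug sekurlsa :: logonpasswords',
    'cl.exe /EHsc std::vector demo.cpp'
)

# Expected: the second and third lines are reported with two module tokens each;
# the svchost line and the C++ compile line (std:: is not a mimikatz module) are not.
Find-MimikatzCommandSyntax -CommandLines $sample | Format-List
```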

LaZagne Project



The LaZagne project is an open source application used to recover the many passwords stored on a local computer. Many software products store access passwords using different techniques, from plain text, through databases and APIs, to proprietary algorithms.

This tool was developed to find such passwords for the most commonly used software products. It currently supports 22 Windows programs and 12 Linux/Unix operating systems:



The project's GitHub repository gives more details on its use and on how to extend it.


An important precaution we can take on our own machines against programs like LaZagne is to clean up the traces of our activity, for example with a program like CCleaner (although it does not remove everything that LaZagne finds, it does remove everything related to the traces left behind by web browsers, for example).