Mimikatz is a tool that can be used to display cached credentials of a computer running the Microsoft Windows operating system by exploiting vulnerabilities. The software is freely available and can be downloaded from GitHub in a 32-bit or 64-bit version.
What is Mimikatz?
Mimikatz is a tool that developer Benjamin Delpy originally intended to expose vulnerabilities in the Windows operating system’s management of cached credentials. The software is freely available and can be downloaded from GitHub in a 32-bit or 64-bit version. The first version, written in C, dates back to 2007, while the current version 2.2.0 is from 2019.
With the help of the tool, passwords in plain text or password hashes can be read from the memory of a Windows client. Login data of highly privileged accounts of domain admins, Kerberos tickets, or golden tickets can also be exported, retrieved, or generated via Mimikatz. Methods used by the software include pass-the-hash or pass-the-ticket. The software is used by Windows administrators to check systems for vulnerabilities, by security experts for penetration tests, or by hackers.
Microsoft has repeatedly closed vulnerabilities discovered by Mimikatz in newer Windows versions. However, the software is continuously being developed further and masters the latest methods for determining login data. Many antivirus programs detect the tool and prevent it from being saved or executed.
The methods supported by Mimikatz
The tool is capable of exploiting different Windows vulnerabilities and masters a variety of different methods to extract and display login credentials from a computer’s memory. One of these methods is Pass-the-Hash (PtH). It is a method that uses the password hash rather than the actual password to authenticate a user.
The method exploits a Windows vulnerability based on a static password hash that is always the same from session to session. Other methods that the tool can handle are:
- Over-Pass-the-Hash (Pass-the-Key)
- Kerberos Golden Ticket
- Kerberos Silver Ticket
The necessary steps to use the tool and some sample commands
First, Mimikatz must be run in the appropriate 32- or 64-bit version on the Windows machine. For most actions, the software requires administrator rights. After starting the executable program with administrator rights, one gets a console display. These commands can be entered in interactive mode, which is executed in real-time. Commands are for example:
- privilege::debug – for displaying the privileges
- log logfile.log – to record the output in the logfile.log file
- sekurlsa::logonpasswords – output the credentials found in the computer memory in plain text using the “sekursla” module
The different uses of the tool
Mimikatz can be used for various purposes. Often, the tool is used for penetration testing to reveal and subsequently eliminate security vulnerabilities. Many Windows administrators also use the tool. They check if there are any vulnerabilities in the authentication.
Hackers use Mimikatz to steal credentials and passwords, which they use to further penetrate systems. Mimikatz methods are also used in some ransomware worms to further spread the malicious software.