Her0in · 2016/02/17

Original address: adsecurity.org/?page_id=18… Written by Sean Metcalf

“Please do not reproduce all or part of the content contained on this page without the express written consent of the author of this article.” So, in order to share this excellent work, I (the translator) got in touch with the author (Sean Metcalf) on Twitter, and after talking with him he gave me permission to translate the full article and share it with others. Thanks also to Sean Metcalf for systematically organizing and sharing everything about Mimikatz. Below is a screenshot of Sean Metcalf’s reply, for licensing purposes:

Mimikatz is currently one of the most powerful internal-network penetration tools, yet few people seem to pay attention to its full capabilities (Sean Metcalf raises the same concern at the start of his article), and it does not appear in articles like “Top 10 Hacking Tools.” Sean Metcalf has systematically reviewed the techniques associated with Mimikatz; I have made a rough translation to share it. Errors in translation are unavoidable; readers are welcome to point them out.

This is the third and last part of the translation. Links to translations of the remaining two parts are as follows:

  • Mimikatz Unofficial guide and command reference _Part1
  • Mimikatz Unofficial guide and command reference _Part2

0x00 The most popular Mimikatz commands


Here are some of the most popular Mimikatz commands and related features.

  • CRYPTO::Certificates – Lists/exports credentials
  • KERBEROS::Golden — Create gold/silver/trust tickets
  • KERBEROS::List – Lists all users’ tickets (TGT and TGS) in the user’s memory. No special permissions are required because it displays only the current user’s ticket. The function is similar to that of klist.
  • KERBEROS::PTT – Ticket transfer. Usually used to inject stolen or forged Kerberos tickets (gold/silver/trust tickets).
  • LSADUMP::DCSync – Asks the DC to synchronize an object (to get the password data for the account). No code needs to be executed on the DC.
  • LSADUMP::LSA – Queries the LSA Server to retrieve SAM/AD data (normal or unpatched). You can export all Active Directory domain credential data from the DC or from an LSass.dmp dump file. It is also possible to obtain credentials for a specified account, such as KRBTGT account, using the /name parameter, such as “/name: KRBTGT”.
  • LSADUMP::SAM – Gets SysKey to decrypt SAM’s project data (exported from the registry or Hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. Can be used to dump all local credentials on a Windows machine.
  • LSADUMP::Trust – Queries the LSA Server to obtain trusted authentication information (in normal or unpatched condition). Dumps trust keys (passwords) for all associated trusted domains or forests.
  • MISC::AddSid – Adds user accounts to SID history. The first value is the target account, and the second value is the account/group name (which can be multiple) (or SID).
  • MISC::MemSSP – Injects a malicious Windows SSP to record local authentication credentials.
  • MISC::Skeleton – Injects a Skeleton Key into the LSASS process on a DC. This patches the DC so that every user can authenticate with a “master password” (aka skeleton key) as well as with their own normal password.
  • PRIVILEGE::Debug – Obtain Debug permissions (many Mimikatz commands require Debug permissions or local SYSTEM permissions).
  • SEKURLSA::Ekeys – Lists Kerberos keys
  • SEKURLSA::Kerberos — Lists the Kerberos credentials of all authenticated users (including service accounts and computer accounts)
  • SEKURLSA::Krbtgt – Obtains the password data of the Kerberos service account (Krbtgt) in the domain
  • SEKURLSA::LogonPasswords – Lists the credentials of all available providers. This command usually displays the credentials of the most recently logged in user and the most recently logged in computer.
  • SEKURLSA::Pth – Pass-the-Hash and Pass-the-Key (note: passing a hash actually passes the corresponding key(s)).
  • SEKURLSA::Tickets – Lists the Kerberos tickets available for all recently authenticated users, including services running in the context of a user account and the local computer’s AD computer account. Unlike KERBEROS::List, SEKURLSA reads them from memory and is not restricted by the key export rules.
  • TOKEN::List – Lists all tokens in the system
  • TOKEN::Elevate – Impersonates a token. Used to elevate to SYSTEM permissions (by default) or to find a domain administrator’s token on the machine.
  • TOKEN::Elevate /domainadmin – Impersonates a token with domain administrator credentials.

0x01 Mimikatz Command Reference


Mimikatz’s modules are as follows:

  • CRYPTO
    • CRYPTO::Certificates
  • DPAPI
  • EVENT
  • KERBEROS
    • Golden Tickets
    • Silver Tickets
    • Trust Tickets
    • KERBEROS::PTT
  • LSADUMP
    • DCSync
    • LSADUMP::LSA
    • LSADUMP::SAM
    • LSADUMP::Trust
  • MISC
  • MINESWEEPER
  • NET
  • PRIVILEGE
    • PRIVILEGE::Debug
  • PROCESS
  • SERVICE
  • SEKURLSA
    • SEKURLSA::Kerberos
    • SEKURLSA::Krbtgt
    • SEKURLSA::LogonPasswords
    • SEKURLSA::Pth
  • STANDARD
  • TOKEN
    • TOKEN::Elevate
    • TOKEN::Elevate /domainadmin
  • TS
  • VAULT

LSADUMP

Mimikatz’s LSADUMP module interacts with the Windows Local Security Authority (LSA) process to extract credential data. Most commands in this module require either the Debug privilege (privilege::debug) or SYSTEM privileges. By default, the Administrators group holds the Debug right, but you still need to run privilege::debug to enable it.

LSADUMP::Backupkeys

Administrator privileges are required.

LSADUMP::Cache

Administrator privileges are required.

Get SysKey for decrypting NLKM and MSCache(v2) (from registry or Hive file).

LSADUMP::DCSync

Asks the DC to synchronize an object (to get the password data for the account).

Requires a member of the domain administrators group (or an equivalent group), or an account with custom delegated replication rights.

In August 2015, Mimikatz added a new feature called “DCSync” that can effectively “impersonate” a domain controller and request account password data from the target domain controller. This feature was written by Benjamin Delpy and Vincent Le Toux.

Before DCSync, the method was to run Mimikatz or Invoke-Mimikatz on the domain controller to get the KRBTGT account’s password hash and create a golden ticket. With the appropriate permissions, Mimikatz’s DCSync function lets an attacker pull account password hashes, as well as previous password hashes, from a domain controller over the network without logging in interactively or copying the Active Directory database file (ntds.dit).

The permissions required to run DCSync: members of the Administrators, Domain Admins or Enterprise Admins groups, and domain controller computer accounts, can all run DCSync to read password data. Note that a read-only domain controller is not permitted to read user password data by default.

How DCSync works:

  • Discover a domain controller using the specified domain name.
  • Request the domain controller to copy user credentials via DSGetNCChanges (using the Directory Replication Service (DRS) remote protocol)

I captured packets of domain controllers replicating data and confirmed that this is the same traffic domain controllers use to replicate directory data among themselves.

The Samba Wiki describes the DSGetNCChanges function as follows:

“When one DC (the client) wants to get updated AD objects from a second DC (the server), it sends a DSGetNCChanges request to the server. The response data contains a set of updates that the client must apply to its copy of the NC.

When a DC receives a DSReplicaSync request, it performs a replication cycle: for each DC it replicates from (stored in the RepsFrom data structure), it behaves like a client and sends a DSGetNCChanges request to that DC. In this way it obtains the latest AD objects from every DC it replicates from.”

DCSync options:

  • /user – The ID or SID of the user to pull data from
  • /domain (optional) FQDN of an Active Directory domain. Mimikatz will find a DC in the domain and connect to it. If this parameter is not provided, Mimikatz defaults to the current domain.
  • /dc (optional) – Specifies the domain controller to connect to and collect data from using DCSync. There is also a /guid parameter.

Example of the DCSync command line:

Pull the KRBTGT user account password data from the rd.adsecurity.org domain:

Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt" exit

Pull the Administrator user account password data from the rd.adsecurity.org domain:

Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator" exit

Pull the password data for the computer account of ADSDC03 domain controller in lab.adsecurity.org:

Mimikatz "privilege::debug" "lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$" exit

LSADUMP::LSA

Asks the LSA server to retrieve SAM/AD data (normal or unpatched). It can export all Active Directory domain credential data from the DC or from an lsass.dmp dump file. The /name parameter can be used to obtain the credentials of a specific account, such as the KRBTGT account (/name:krbtgt). Requires Debug or SYSTEM permissions.

  • /inject – Inject LSASS process to extract credential data
  • /name – Account name of the target user account
  • /id – The RID of the target user account
  • /patch – Patches the LSASS process

Typically, service accounts are members of the Domain Admins group (or equivalent), or a domain administrator has recently logged on to the machine from which the attacker dumps credentials. Using these credentials, an attacker can gain access to a DC and obtain credentials for the entire domain, including the KRBTGT account’s NTLM hash, which is used to create Kerberos golden tickets.

Command line: mimikatz lsadump::lsa /inject exit

Run this command on the DC to dump the domain’s credential data from Active Directory.

Requires either administrator permissions (with DEBUG enabled) or SYSTEM permissions.

The account with a RID of 502 is a KRBTGT account, and the account with a RID of 500 is the default domain administrator account.

The following figure shows the result of exporting only the NTLM password hash after running LSADUMP::lsa /patch.

LSADUMP::Rpdata

LSADUMP::SAM – Gets the SysKey used to decrypt SAM entries (retrieved from the registry or a hive file). SAM connects to the local Security Account Manager (SAM) database and dumps the credential data of local accounts.

SYSTEM or DEBUG permissions are required.

The output contains the NTLM hashes (and, where present, LM hashes) of user passwords. This command works in two modes: online mode (using the SYSTEM user or a SYSTEM token) or offline mode (using the SYSTEM and SAM hive files or backup data).

For an “online” SAM file, you need either administrator permission (DEBUG permission) or local SYSTEM permission.

Impersonate a SYSTEM token: Mimikatz “PRIVILEGE::Debug” “TOKEN::elevate”

LSADUMP::Secrets – Gets the Syskey used to decrypt the Secrets entry data (retrieved from the registry or Hive data).

SYSTEM or DEBUG permissions are required.

LSADUMP::Trust

Asks the LSA server to retrieve trust authentication information.

SYSTEM or DEBUG permissions are required.

Extract data from existing domain trust relationships in the active directory. The trust key (password) will also be displayed.

MISC

Mimikatz’s MISC module contains miscellaneous commands that do not fit into the other modules.

There are several well-known commands in this module, MISC::AddSID, MISC::MemSSP, and MISC::Skeleton.

MISC::AddSid – Adds user accounts to SIDHistory. The first value is the target account, and the second value is the account/group name (or SID).

SYSTEM or DEBUG is required.

MISC::Cmd – Command line prompt (no DisableCMD).

Administrator privileges are required.

MISC::Detours – (Experimental) Tries to enumerate all modules with Detours-style hooks.

Administrator privileges are required.

MISC::MemSSP – Injects a malicious Windows SSP that records local authentication credentials. It works by patching the LSASS process in memory with the new SSP, so no restart is required; a restart clears the SSP injected by Mimikatz. See Mimikatz SSP Memory Patch and more SSP Persistence Techniques for details.

Administrator privileges are required.

Mandiant introduction to MemSSP

MISC::Ncroutemon – Juniper Manager (no DisableTaskMgr)

MISC::Regedit – Registry editor (no DisableRegistryTools)

Administrator privileges are required.

MISC::Skeleton – Inject the Skeleton key into the LSASS process in DC.

Administrator privileges are required.

This will patch the DC so that all users will be authenticated with the “master password” (aka master key) as well as their own usual password.

MISC::Taskmgr – Task Manager (no DisableTaskMgr)

Administrator privileges are required.

MISC::Wifi

MINESWEEPER

MINESWEEPER::Infos — Provides radar information for MINESWEEPER.

NET

NET::User

NET::Group

NET::LocalGroup

PRIVILEGE

PRIVILEGE::Debug – Obtains the Debug permission. (DEBUG or SYSTEM permissions are required for many Mimikatz commands)

By default, the administrator group has the DEBUG permission. However, you still need to run the privilege::debug command to enable the debugging.

The DEBUG permission allows you to DEBUG a process that is not otherwise accessible. For example, the token of a user process with DEBUG permission can DEBUG a service process running with local SYSTEM permission.

Msdn.microsoft.com/library/win…

Benjamin’s remarks to this command:

If running this command displays “ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061”, you probably do not have administrator rights to execute it.

PROCESS

The PROCESS module of Mimikatz provides the ability to collect data from and interact with processes.

PROCESS::Exports – Lists exported tables of PROCESS executables

PROCESS::Imports – Lists the import tables of PROCESS executables

PROCESS::List – Lists running processes.

Administrator privileges are required.

PROCESS::Resume – Resumes a PROCESS

PROCESS::Start – Starts a PROCESS

PROCESS::Stop – Terminates a PROCESS

PROCESS::Suspend – Suspends a PROCESS

SERVICE

SERVICE::List – Lists all services

SERVICE::Preshutdown – Pre-shuts down services

SERVICE::Remove – Uninstalls services

SERVICE::Resume – Restores services

SERVICE::Shutdown –

SERVICE::Start – Starts a SERVICE

SERVICE::Stop – Stops a SERVICE

SERVICE::Suspend – Suspends a SERVICE

SEKURLSA

Mimikatz’s SEKURLSA module interacts with protected memory. It can extract passwords, keys, PINs and tickets from the memory of the LSASS (Local Security Authority Subsystem Service) process. To interact with the LSASS process, the Mimikatz process needs the appropriate permissions:

  • Administrator permission. Run the PRIVILEGE::Debug command to obtain the Debug permission
  • SYSTEM rights: Use TOKEN::elevate to obtain SYSTEM rights

Alternatively, an LSASS memory dump file can be read without elevating privileges.

SEKURLSA::Backupkeys – Get the master key for the preferred backup.

SEKURLSA::Credman – Lists the credential manager

SEKURLSA::Dpapi – Lists cached master keys

SEKURLSA::DpapiSystem – Obtains the ciphertext of DPAPI_SYSTEM

SEKURLSA::Ekeys – Lists Kerberos encryption keys


SEKURLSA::Kerberos – Lists the Kerberos credentials of all authenticated users, including service and computer accounts.

SEKURLSA::Krbtgt – Obtains the password data of the domain Kerberos service account (Krbtgt)

SEKURLSA::LiveSSP — Lists LiveSSP credentials

SEKURLSA::LogonPasswords – Lists credential data for all available providers. The system displays the credentials of the recently logged in user and computer.

  • Dump the password data stored in the LSASS process for currently logged in or recently logged in accounts and for services running with the user credential context.
  • Account passwords are stored in memory in a reversible form. If this data exists in memory (before Windows 8.1/Windows Server 2012 R2), it is displayed. In most cases Windows 8.1/Windows Server 2012 R2 no longer stores account passwords this way. The KB2871997 patch backports this security feature to Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012, although additional configuration of the computer is required after KB2871997 is applied.
  • Administrator permissions (with DEBUG permissions) or local SYSTEM permissions are required

Windows Server 2008 R2 (Display plaintext password)

Windows Server 2012 R2 (Plain text password not displayed)

This command can also dump the credentials of a service running under account credentials. Note that this only works while the service is running (its credentials are then held in memory).

SEKURLSA::Minidump – Switches to the “lightweight” dumping LSASS process context

Note that a minidump must be read on the same platform type it was dumped on: NT5 Win32, NT5 x64, NT6 Win32 or NT6 x64.

SEKURLSA::MSV — Lists LM and NTLM credential data

SEKURLSA::Process – Converts to LSASS Process context

SEKURLSA::Pth – Pass-the-Hash and Pass-the-Key

Mimikatz can perform what is known as “pass-the-hash”: running a process in the context of the NTLM hash of another user’s password instead of the plaintext password. To do this, it starts a process with fake identity information and then replaces the fake information (the NTLM hash of the fake password) in memory with the real information (the NTLM hash of the real password).

  • /user – The user name to impersonate. Remember that Administrator is not the only well-known account.
  • /domain – The fully qualified domain name. For a local user it is not needed; the computer name, server name or workgroup name can be used instead.
  • /rc4 or /ntlm (optional) – The user’s RC4 key or NTLM hash.
  • /run (optional) – The command line to run. Default: cmd, to get a command shell.

Benjamin’s remarks on this command:

  • This command cannot be used with minidumps
  • Requires privileges (privilege::debug or a SYSTEM account), unlike pass-the-ticket, which uses the official API. The new version of pass-the-hash replaces Kerberos’s RC4 key with the NTLM hash (or AES key), which allows the Kerberos provider to request TGT tickets.
  • NTLM hashes are mandatory on WinXP/2003/Vista/2008, and on Win7/2008/2008R2/8/2012 before KB2871997 (AES keys are not available or replaceable).
  • AES keys can only be replaced on 8.1/2012R2 and on 7/2008R2/8/2012 with KB2871997, in which case NTLM hashes can be avoided.

Benjamin published an article on key passing.

SEKURLSA::SSP – Lists SSP credentials.

SEKURLSA::Tickets – Lists the Kerberos Tickets available for all recently authenticated users, including services running using the context of the user account and the computer account of the local computer in AD.

Unlike KERBEROS::List, SEKURLSA reads from memory and is not restricted by the key export rules.

  • /export (optional) – Exports the tickets to .kirbi files. The file name is made of the user’s LUID and a group number (0 = TGS, 1 = client ticket (?), 2 = TGT).

Similar to dumping credential data from LSASS, using the SEKURLSA module, an attacker can retrieve all Kerberos ticket data in memory, including those belonging to administrators or services.

This can be useful, for example, when the attacker has already compromised a web server configured with Kerberos delegation through which users access a back-end SQL server: all users’ tickets in memory on that server can then be captured and reused.

Mimikatz’s “KERBEROS::Tickets” command dumps the Kerberos tickets of the currently logged-on user without elevating privileges. With the SEKURLSA module, protected memory (LSASS) can be read and all Kerberos tickets on the system can be dumped.

Command: mimikatz sekurlsa::tickets exit

  • Dump all authenticated Kerberos tickets in the system
  • You need administrator or local SYSTEM permission with DEBUG enabled

The following figure shows the password and Kerberos tickets (TGS and TGT) dumped for another domain administrator (LukeSkywalker).

The following figure shows the password and Kerberos tickets (TGS and TGT) for the dump of another domain administrator (HanSolo).

The following figure shows the password and Kerberos tickets (TGS and TGT) for dumping an SQL service account (SVC-SQLDBEngine01).

SEKURLSA::Trust – Obtains the Trust key

(I think this command is outdated, lsadump::trust /patch can be used instead)

SEKURLSA::TSPKG – Lists TSPKG credentials.

SEKURLSA::Wdigest – Lists WDigest credentials.

STANDARD

STANDARD::Base64 – Converts output to Base64

STANDARD::CD – Changes or displays the current folder

STANDARD::CLS – Clears the screen

STANDARD::Exit – Exits Mimikatz

STANDARD::Log – Records the Mimikatz output to a log file

STANDARD::Sleep – Specifies a delay in milliseconds

STANDARD::Version – Displays the version information

TOKEN

Mimikatz’s TOKEN module interacts with Windows authentication tokens, including grabbing and impersonating existing tokens.

TOKEN::Elevate – Impersonates a token. Used to elevate to SYSTEM permissions (default) or to find a domain administrator token using the Windows API.

Administrator privileges are required.

Find a domain administrator credential and use the domain administrator’s token:

token::elevate /domainadmin

TOKEN::List – Lists all tokens in the system

TOKEN::Revert – Restore process TOKEN

TOKEN::Whoami – Displays the current identity information

TS

TS::Multirdp – (Experimental) Patch Terminal server service allows multiple users to connect

VAULT

VAULT::List – Lists VAULT credentials

VAULT::Cred – cred

This article was originally written by Sean Metcalf (ADSecurity.org), translated by Her0in, and first published on Dark Clouds Drops.