Mimikatz overview
Mimikatz is an open source tool originally written by security researcher Benjamin Delpy to demonstrate a weakness in how Windows handled credentials: the Local Security Authority Subsystem Service (LSASS) kept reusable secrets, including plaintext passwords, in memory. Simply put, the tool steals credentials. It runs on a Windows endpoint, normally with administrative or SYSTEM privileges, and lets its user extract plaintext passwords, NTLM hashes, Kerberos tickets and other authentication material from the machine.
Since then, Mimikatz has gone through many versions and has evolved into a powerful tool used by attackers against the authentication mechanisms of Windows endpoints. The same tool is used by penetration testers and defenders to evaluate their exposure to these attacks.
Mimikatz is still maintained by Delpy, and new versions are released regularly to keep pace with changes to the Windows operating system. The latest releases are available on GitHub. There are many forks and reimplementations of Mimikatz, and its credential-theft code has been embedded in malware such as NotPetya and BadRabbit. At least 20 advanced persistent threat groups have been identified using Mimikatz as part of their toolset.
Mimikatz Attack Capabilities
Mimikatz has numerous modules that let attackers perform a variety of tasks on the target endpoint. Some of the more important attacks facilitated by the platform are:
- Pass-the-Hash—extracts a user's NTLM (NT) hash from LSASS memory. NTLM authentication proves knowledge of the hash, not of the password, so an attacker can authenticate as that user with the hash alone and never needs to crack it.
- Pass-the-Ticket—Mimikatz does not break the Kerberos protocol itself; it extracts Kerberos tickets (Ticket Granting Tickets and service tickets) cached in LSASS memory and injects them into another logon session or onto another computer, where they are accepted as if the ticket's owner had logged in. A stolen ticket remains usable until it expires (10 hours by default for a TGT).
- Kerberos Golden Ticket—KRBTGT is the domain account whose key the domain controller uses to encrypt and sign every Ticket Granting Ticket. With the KRBTGT account's NTLM hash (obtained from a domain controller's memory or via DCSync), Mimikatz can forge a TGT for any user, including one that does not exist, with any group membership, granting domain admin access to every computer in the domain until the KRBTGT password has been changed twice.
- Kerberos Silver Ticket—forges a service ticket, the ticket a client presents to one specific service and that is normally issued by the Ticket Granting Service (TGS), using the NTLM hash of the service account (for example a computer account). Because the service validates the ticket with its own key and, by default, does not check back with the domain controller (PAC validation is off), a forged ticket lets the attacker impersonate any user to that service without ever contacting the KDC.
- Pass the Key (Overpass-the-Hash)—uses a user's NTLM hash or Kerberos AES key, extracted from memory, to request a legitimate TGT from the domain controller. The attacker then holds valid Kerberos credentials for that user without knowing the password.