Mimikatz (French for “cute cat”) is an open-source tool that both attackers and penetration testers can use to steal credentials and escalate privileges within Active Directory (AD). The tool allows you to exploit various kinds of vulnerabilities in order to extract passwords, hashes, and Kerberos tickets from memory.
How Mimikatz Can Be Used to Access Resources
Below is a round-up of the techniques used to gain access to resources using Mimikatz.
Pass-the-Hash
This technique enables the attacker to obtain an NTLM or LanMan hash of a user’s password and use it to authenticate to a remote server or service. The attacker uses Mimikatz to pass the hash of the password directly to the target’s authentication process, as opposed to providing the plaintext password that is normally required.
Pass-the-Ticket
This attack method shares similarities with Golden and Silver Ticket attacks, in that it exploits what is said to be an irremediable vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). However, unlike Golden and Silver Ticket attacks, a Pass-the-Ticket attack doesn’t require forging Kerberos tickets. Instead, the attacker will steal a valid ticket that has already been created and issued. Using Mimikatz, they can pass the ticket from one system to another in order to gain access to resources, as a legitimate privileged user.
Over-Pass-the-Hash
With overpass-the-hash, the goal is to obtain the NTLM hash of a user account’s password and use that hash to obtain a Kerberos ticket, which can then be used to gain access to network resources. Overpass-the-hash is essentially a combination of the pass-the-hash and pass-the-ticket techniques.
Kerberos Silver Ticket
A Silver Ticket is a forged Kerberos ticket. The attacker is able to forge a ticket by first brute-force-guessing an account password, and then using this password to create a fake authentication ticket.
Kerberos Golden Ticket
This technique forges a ticket using the Key Distribution Center service account (KRBTGT), which in turn provides admin-level access across the domain.
Pass-the-Key
This type of exploit is not very well documented, although the general purpose of it is to obtain a unique key, which can be used multiple times to gain access to a domain controller.
Pass-the-Cache
This technique is essentially the same as a pass-the-ticket attack, in that it will steal a valid ticket that has already been created. The main difference is that it is designed for UNIX-based systems, as opposed to Windows-based systems.
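The techniques above are described from the attacker’s side; what a defender usually wants is a way to spot them in the Windows Security log. The following script is an added example (not code from this article or from the Mimikatz project) that applies three widely documented heuristics to parsed Security events: a 4624 logon of type 9 via the seclogon process with the Negotiate package (the footprint of a session started with injected credentials, as in pass-the-hash and overpass-the-hash), an NTLM network logon to a host where only Kerberos is expected, and a 4768/4769 ticket issued with RC4-HMAC (encryption type 0x17) in a domain that otherwise uses AES, which is how tickets forged from an NT hash (Golden and Silver Tickets) and overpass-the-hash tickets tend to look. The host list `KERBEROS_ONLY_HOSTS`, the assumption that the domain uses AES, and all event records are constructed for the example and must be tuned to a real environment.

```python
"""Hunt for Mimikatz-style credential misuse in Windows Security events."""
from collections import Counter
from typing import Iterable

# Added detection example; not code from the original article or from the
# Mimikatz project. Field names follow the EventData schema of Windows
# Security events 4624, 4768 and 4769; the host set and the expectation that
# the domain uses AES (so RC4 is anomalous) are assumptions to tune locally.

RC4_HMAC = "0x17"
# Assumption: hosts on which only Kerberos logons are expected, so an NTLM
# network logon there is worth a look (pass-the-hash candidate).
KERBEROS_ONLY_HOSTS = {"DC01", "FS01"}


def check_event(ev: dict) -> list[dict]:
    """Return zero or more findings for a single parsed Security event."""
    findings = []
    eid = ev["EventID"]
    user = ev.get("TargetUserName", "")
    host = ev.get("Computer", "")

    def hit(rule: str) -> None:
        findings.append({"rule": rule, "record": ev["RecordID"],
                         "account": user, "host": host})

    if eid == 4624:
        # Logon type 9 (NewCredentials) via seclogon with Negotiate: the
        # footprint left when a new logon session is created with injected
        # credentials (pass-the-hash / overpass-the-hash style "run as").
        if (ev.get("LogonType") == 9
                and ev.get("LogonProcessName", "").lower() == "seclogon"
                and ev.get("AuthenticationPackageName") == "Negotiate"):
            hit("overpass_the_hash_seclogon")
        # NTLM network logon to a host that should only see Kerberos.
        # ANONYMOUS LOGON is excluded because it is routine NTLM noise.
        if (ev.get("LogonType") == 3
                and ev.get("LogonProcessName") == "NtLmSsp"
                and ev.get("AuthenticationPackageName") == "NTLM"
                and user.upper() != "ANONYMOUS LOGON"
                and host in KERBEROS_ONLY_HOSTS):
            hit("ntlm_logon_on_kerberos_host")
    elif eid in (4768, 4769):
        # RC4-HMAC tickets in an AES domain: tickets forged from an NT hash
        # (Golden/Silver Ticket) and overpass-the-hash requests default to RC4.
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            hit("rc4_kerberos_ticket")
    return findings


def hunt(events: Iterable[dict]) -> list[dict]:
    """Run every heuristic over a stream of events, in record order."""
    return [f for ev in events for f in check_event(ev)]


def summarize(findings: Iterable[dict]) -> Counter:
    """Count findings per rule, for a quick triage view."""
    return Counter(f["rule"] for f in findings)


# Constructed sample events (not real log data), already parsed into dicts.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 4624, "Computer": "WS07", "TargetUserName": "alice",
     "LogonType": 9, "LogonProcessName": "seclogon",
     "AuthenticationPackageName": "Negotiate"},
    {"RecordID": 2, "EventID": 4624, "Computer": "WS07", "TargetUserName": "alice",
     "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate"},
    {"RecordID": 3, "EventID": 4624, "Computer": "DC01", "TargetUserName": "svc-backup",
     "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM"},
    {"RecordID": 4, "EventID": 4624, "Computer": "DC01", "TargetUserName": "ANONYMOUS LOGON",
     "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM"},
    {"RecordID": 5, "EventID": 4624, "Computer": "DC01", "TargetUserName": "bob",
     "LogonType": 3, "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos"},
    {"RecordID": 6, "EventID": 4768, "Computer": "DC01", "TargetUserName": "bob",
     "TicketEncryptionType": "0x12"},
    {"RecordID": 7, "EventID": 4769, "Computer": "DC01", "TargetUserName": "administrator",
     "TicketEncryptionType": "0x17"},
    {"RecordID": 8, "EventID": 4624, "Computer": "WS03", "TargetUserName": "carol",
     "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] record {f['record']}: {f['account']} on {f['host']}")
    print(dict(summarize(hunt(SAMPLE_EVENTS))))
```

Run against the constructed sample, records 1, 3 and 7 are flagged while the interactive logon, the anonymous NTLM logon, the Kerberos logon, the AES ticket and the NTLM logon to an ordinary workstation are not. None of these rules is proof of compromise on its own: type 9 logons also come from legitimate `runas /netonly`, NTLM is normal on many hosts, and RC4 tickets are expected wherever AES has not been enabled, so the host list and encryption expectations are the knobs that decide the false-positive rate.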
How To Use Mimikatz
You can download the Mimikatz executable from Benjamin Delpy’s GitHub page. However, it should be noted that downloading and installing Mimikatz is not always straightforward, as modern browsers and many endpoint security solutions (including Microsoft’s own Windows Defender) will try to block it. Once you have installed and run the Mimikatz executable, a console will open in interactive mode, which allows you to run commands in real time. Even if you are using an administrator account, it still needs to be “Run as Admin” in order to function properly. In addition to the interactive command line, Mimikatz can also be run automatically by executing a custom script.