Mimikatz is is an application that allows you to view, save and use authentication credentials and even more.
The following examples are simple and do not require a master’s degree in computer science. As an Admin you should go trough the article to make sure you know how to prevent your infrastructure from a Mimikatz attack. Specially if you use older Operating systems!
To start, download latest version from: https://github.com/gentilkiwi/mimikatz/releases/latest
Extract the file and run mimikatz.exe
Enter ” privilege::debug” to check if you have appropriate permissions.
mimikatz # privilege::debug
Privilege ’20’ OK
Start logging:
mimikatz # log logfilename.log
Logon passwords from memory
Show all of the clear text logon passwords stored on this computer:
mimikatz # sekurlsa::logonpasswords
Prevent storing Logon password in LSA
Create a registry key “RunAsPPL” and set the value to “1”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
passwords from offline memory dumps
With Mimikatz you ca extract passwords from a memory dump of the process Lsass.exe. There is no tool needed to create a dump file. There is only one requirement: You need the privilege “SeDebugPrivilege”. “Administrators” have this right by default.
Open the Task Manager and go to Details. Then search for Lsass.exe and click on “Create dump file”.
Copy the lsass.DMP from C:\Users\USER\AppData\Local\Temp\ to your system where mimikatz is available and run the following command to load the dump file:
mimikatz # sekurlsa::minidump C:\YOURPATH\lsass.dmp
Switch to MINIDUMP
To show all of the clear text passwords stored in the dump file, run:
mimikatz # sekurlsa::logonPasswords full
Prevent memory dumps
To prevent users to create memory dumps, you can remove the debug privilege “SeDebugPrivilege” from group “Administrators” with a GPO or remove Users from group “Administrators”.
Group Policy Management Editor / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Debug programs
Wdigest
Digest Authentication is a protocol that was primarily used in old Operating systems for web based authentication. To show all of the “wdigest” clear text passwords stored on this computer, run:
mimikatz # sekurlsa::wdigest
Prevent storing Wdigest password in LSA
Create or set “Negotiate” and “UseLogonCredential” registry keys and set values to “0”
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
Cached Credentials
Windows will check the last password hashes that has been cached on a system to authenticate the user with the system if a system does not reach a Domain Controller. Password hashes are cached in the registry.
To show all of the cached passwords, run:
mimikatz # lsadump::cache
Prevent cached passwords
Attention: With this setting, you cannot logon anymore with a Domain account if Domain Controllers are not reachable!!!
Use a GPO to set ” Interactive Logon: Number of previous logons to cache ” to “0”.
Computer Configuration / Windows Settings / Local Policy / Security Options / Interactive Logon: Number of previous logons to cache
Password hashes from Domain Controller
Mimikatz can use the Directory Replication Service to retrieve the password hashes from a Domain Controller. The permission “Replicate Directory changes All” is required (“Administrators” and “Domain Controller” groups have this right by default).
Start mimikatz.exe and run:
mimikatz # lsadump::dcsync /domain:dom.local /user:Admin
The output will show NTLM and LM hashes of user Admin
Prevent DCSync
Do not use Domain Administrator, Enterprise Administrators and Administrators on other systems than Domain Controllers to reduce the attack surface on such accounts!
