When Benjamin Delpy created Mimikatz to demonstrate a weakness in Windows authentication protocols, he never imagined that his invention would become such a popular tool among pentesters and hackers around the world.
Several years have passed since the creation of Mimikatz, and although Windows has already developed some tools to protect users from this credential thief, many cybercriminals still use it to enhance their attacks.
If you are interested in learning more about this technique and the risks it represents, we invite you to continue reading below. Find out everything you need to know about Mimikatz and stay one step ahead of threats.
What is Mimikatz?
Mimikatz is an open source application that allows, among other things, stealing other users' credentials, for example by providing access to Kerberos tickets.
Because it can be used to break into systems, pentesters also frequently use Mimikatz to detect and exploit network vulnerabilities, and thereby find ways to close the gaps.
How does Mimikatz work?
Although it was originally created to detect vulnerabilities in Windows, today Mimikatz represents an open door to various types of threats.
Windows offers Single Sign-On, and this feature is what Mimikatz exploits to steal credentials. Until version 10, Windows used by default a function called WDigest, which stored encrypted passwords in memory together with the secret key needed to decrypt them.
Although WDigest helped many companies with user authentication on their corporate networks, it also allowed Mimikatz to extract passwords. WDigest is now inactive in Windows by default, but it is still incorporated in Microsoft's operating system, which makes it a potential threat: the attacker only has to activate it and then run Mimikatz.
Unfortunately, there are also many computers with older versions of Windows that lack the necessary patches and updates to protect the systems. This makes the Mimikatz threat more prevalent than ever.
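The WDigest setting described above is a registry value that a defender can audit and enforce. The following PowerShell script is an added example, not code from the original post; the key path and value name are the ones Microsoft documents for WDigest, while the function names are my own.

```powershell
# Added example: audit and harden the WDigest setting that lets LSASS keep
# plaintext credentials in memory. Key/value names are Microsoft's documented
# ones; the functions themselves are not from the original post.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestState {
    # Reports whether WDigest credential caching is effectively enabled on this host.
    $item    = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    $osBuild = [System.Environment]::OSVersion.Version.Build
    if ($null -eq $item) {
        # Value absent: Windows 8.1 / Server 2012 R2 (build 9600) and later default to off.
        # Older builds patched with KB2871997 stay on until the value is explicitly set to 0.
        $enabled = $osBuild -lt 9600
        $source  = 'default (value not set)'
    } else {
        $enabled = ($item.$ValueName -ne 0)
        $source  = "explicit value $($item.$ValueName)"
    }
    [pscustomobject]@{ Build = $osBuild; Enabled = $enabled; Source = $source }
}

function Disable-WDigestCaching {
    # Sets UseLogonCredential = 0 so LSASS stops caching plaintext credentials.
    # Credentials already in memory remain until the next reboot. Requires admin rights.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name $ValueName -Value 0 -Type DWord
    Get-WDigestState
}

function Get-WDigestChangeEvents {
    # Detection: look for the value being modified (e.g. re-enabled by an attacker).
    # Event 4657 only appears if 'Audit Registry' and a SACL on the key are configured.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest' -and $_.Message -match $ValueName }
}

# Usage: inspect, harden if needed, then review recent changes to the value.
$state = Get-WDigestState
$state
if ($state.Enabled) { Disable-WDigestCaching }
Get-WDigestChangeEvents -Days 30 | Select-Object TimeCreated, Id, Message
```

Running the audit across a fleet and alerting on any host where `Enabled` flips back to true is the practical use; the 4657 query only returns results on hosts where registry auditing has been switched on.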
Mimikatz can use techniques to collect credentials such as:
Pass-the-Ticket: The user’s password data in Windows is stored in so-called Kerberos Tickets. Mimikatz offers the hacker the possibility to access this ticket and authenticate himself without using a password.
Golden Ticket Kerberos: This is a variant of the Pass-the-Ticket attack. The ticket corresponds to a hidden account called KRBTGT, which is none other than the account that encrypts all other tickets. This attack offers a golden pass to the hacker, so that he can obtain domain administrator rights that do not expire.
Kerberos Silver Ticket: In this case, Kerberos grants a TGS ticket to a user and this user can use it to connect to any service on the network.
Pass-the-Cache: This could also enter the classification of Pass the Ticket attacks. The only difference is that in this case, Mimikatz uses the recorded and encrypted connection data of a Mac/UNIX/Linux system.
Pass-the-Hash: It doesn't matter if the attacker doesn't have access to the plain text password of the account he wants to use. With Mimikatz, the hacker can use NTLM hashes to authenticate and access the system.
In the field of pentesting, this tool can also be used for:
- Discover rootkits in kernel mode by listing hooks placed in Windows APIs.
- List secondary authentications initiated by attackers to connect via different vectors; or find secondary fingerprints that are normally hidden by Windows.
- Recover RSA private keys used to encrypt hard disks, even if the certificate has been deleted.
It is important to note that in order to use Mimikatz, the attacker must:
- Have an account on the computer he wants to attack.
- Have administrator rights on it.
What can you do to protect your systems?
Keep your systems up to date
The importance of keeping operating systems and applications up to date seems quite obvious to some people; however, there are many careless users who do not bother to apply the patches or updates needed for each digital asset they have.
This is a serious mistake, because although it may not seem like much, it is precisely these updates and patches that allow the early detection of threats, both new and not so new.
Restrict administrator privileges
Reduce as much as possible the number of privileges you grant and offer administrator privileges only to those users to whom these permissions are indispensable to do their job.
Run a pentest
Evaluate your systems on a regular basis through a pentest. In this case, your security expert may even use Mimikatz as a resource to detect weak points in your systems.
Integrate efficient security tools
There is no successful security strategy that does not include efficient tools. Integrate into your systems all the necessary ones, including antivirus, vulnerability detection software, SIEM solutions, etc.
Mimikatz will continue to be a threat for some time to come, but that doesn’t have to be a problem for your company. With the help of the right tools, the security of your digital assets is guaranteed.
Count on us to offer you these tools and much more. At GB Advisors we strive to provide high technology solutions and professional advice so that companies can carry out their IT projects without any difficulty.
Contact us and find out all the ways we can help you.