Metasploit's mimikatz Module
Metasploit is such a powerful tool that I can only scratch the surface of its capabilities here. As it has developed over the years, it is now possible to use Metasploit for nearly everything from recon to post exploitation to covering your tracks. Given its versatility, every aspiring hacker should have at least a tentative grasp of Metasploit.
Every so often, a post-exploitation module comes out that is so powerful that every Metasploit user should be aware of it and learn to use it. Mimikatz is one such modules. It was created by Benjamin Delpy, aka gentilkiwi, who developed it to teach himself C and to explore Windows security. Basically, it is capable of extracting various sets of Windows credentials from memory. It played a key role in the Iranian hack of the Sands Corporation in 2014.
Mimikatz was originally developed as standalone module that we can upload to the target or run locally on the target, but recently, Rapid7 has ported it for Metasploit and made it available as Meterpreter script. The advantage of this is that it will run entirely in memory and will not leave a footprint on the hard drive that might be detected.
In this tutorial, we will be using the Metasploit module which is a bit limited in its capabilities, but I promise to do a tutorial soon on the more powerful standalone tool.
One other key point before we begin: there are both 32- and 64-bit versions of Mimikatz. Often, Mimikatz will load the 32-bit version if we have used a 32-bit process to compromise the system. If that happens, Mimikatz will be largely non-functional. To avoid this potential problem, use the "migrate" command to migrate the Meterpeter to a 64-bit process before loading Mimkatz. In that way, it will load the 64-bit version and you will enjoy all of its amazing capabilities.
Step 1: Exploit the Target & Get a Meterpreter Payload
Mimikatz is a post-exploitation module, meaning that it can only be used after the target has been exploited. As a result, I will begin this module assuming that you have successfully exploited the target and have the Meterpreter payload installed on the target system. In addition, you will need to have sysadmin privileges on the target for Mimikatz to work. If you exploited the target as a regular user, you can use the getsystem command to escalate privileges.
meterpreter > getsystem
Now that we have "system" privileges, we need to load the Mimikatz module.
meterpreter > load mimikatz
Next, let's get a help screen.
meterpreter > help mimikatz
As you can see, Mimikatz has a number of native commands and a specialmimikatz_command to run custom commands.
Before we advance, let's check the version of Mimikatz.
meterpreter > mimikatz_command -f version
Metasploit has only ported version 1.0, although Mimikatz is in version 2.0 (watch for my coming tutorial using the standalone version 2.0 of Mimikatz).
Step 2: Native Commands
Let's start by looking to see what we can do to the system with the native commands. If we want to retrieve the Kerberos credentials, we simply need to type:
meterpreter > kerberos
We can retrieve Windows MSV credentials by simply typing:
meterpreter > msv
Step 3: Mimikatz__Command
Mimikatz also enables us to create custom commands. The commands take the following syntax. Please note the double colon (::) between the command type and the command action.
mimikatz_command -f <type of command>::<command action>
If we want to retrieve password hashes from the SAM file, we can type:
meterpreter > mimikatz_command -f samdump::hashes
Of course, with these hashes, we can then crack them with any of a number of password cracking tools such Cain and Abel, Hashcat, John the Ripper, and others.
If we want to get a list of services running on the target system, we can use the command type service combined with the command action list.
meterpreter > mimikatz_command -f service::list
Step 4: Crypto
Mimikatz has a special command type that addresses cryptography and, as a you might expect, it is called crypto. Using this custom command, we can get a list of cryptography providers on the target system.
meterpreter > mimikatz_command -f crypto::listProviders
If we want to know where the various cryptography stores are located, we can type:
meterpreter > mimikatz_command -f crypto::listStores
Mimikatz is just another powerful tool for the penetester/hacker. Before attempting to use Mimkatz, make certain that you are fairly proficient in the use of Metasploit by going through my Metasploit series here