So are you curious about how to pass the hash with Mimikatz and want to understand how it all works?
In this article, we’ll break down what Mimikatz and pass the hash attacks are, and the requirements to perform this attack. Then we will walk you through performing the attack with Mimikatz and introduce you to Kiwi, the invaluable Mimikatz module within Meterpreter.
After reading our article, you will understand how to pass the hash with Mimikatz, enabling you to perform the attack during your post-exploitation phase.
So, let's dive into the workings of Mimikatz and master the art of pass the hash attacks.
What Is Mimikatz?
Developed by Benjamin Delpy, Mimikatz can retrieve plaintext passwords, password hashes, PINs, and Kerberos tickets directly from memory, primarily by accessing credential data within the Local Security Authority Subsystem Service (LSASS) process, which is responsible for managing user authentication and security policies.
By extracting privileged credentials with a single command, Mimikatz lets attackers move laterally and escalate privileges rapidly through techniques like pass the hash. That capability makes it a staple of both pentests and real-world intrusions, even though its binary is one of the most widely signatured tools in existence.
A few of the attacks that can be performed with the help of Mimikatz are listed below.
- Pass the Ticket: Mimikatz can extract Kerberos tickets from memory and inject them into the current session, allowing an attacker to impersonate the ticket's owner and access network resources.
- Overpass the Hash (Pass the Key): In this variant of pass the hash, the attacker uses a user's NTLM hash (or AES key) to request a Kerberos TGT (Ticket Granting Ticket), turning an NTLM hash into Kerberos access without ever knowing the password.
- Golden Ticket: An attack on the Kerberos authentication system in which Mimikatz forges a TGT using the krbtgt account's hash. Because the attacker controls the forged TGT, it can carry any validity period and group membership, granting unauthorized access to resources across the domain.
- Silver Ticket: Similar to the Golden Ticket, but the forged ticket is a service ticket signed with a service account's hash, so it is constrained to a particular service on a particular domain-joined computer. Silver Tickets can be used to gain unauthorized access to specific services without contacting the domain controller.
- Skeleton Key: Mimikatz patches LSASS on a domain controller to install a "master key" password that is accepted for any domain user alongside their real password. The patch lives only in memory and is lost on reboot.
- DCSync: Mimikatz pretends to be a domain controller and asks a real DC to replicate account data using the Directory Replication Service (DRS) Remote Protocol. This allows the extraction of password hashes for any account, including krbtgt, without touching the DC's disk.
Mimikatz changed the game in Active Directory hacking. It made it easier to steal credentials like passwords, forcing security experts to develop new ways to protect sensitive information, especially in areas like user access management.
Even with these new security measures, the techniques popularized by Mimikatz continue to pose challenges, especially in preventing unauthorized access and limiting the ability of attackers to gain higher-level permissions in a system.
According to Sentinel One, many high-level cyber security threats utilize Mimikatz to extract credentials and propagate through networks. This includes less skilled hackers and sophisticated cyber-attackers, such as Advanced Persistent Threat (APT) groups, who often integrate Mimikatz into their complex attack strategies.
Pass the Hash Attacks
Pass-the-hash is an attack that exploits how NTLM hashes are used for authentication in Windows environments.
Before we explain how a pass the hash attack works, let's explain hashes and NTLM.
NTLM, which stands for NT LAN Manager, is a family of challenge-response authentication protocols used to authenticate computers and users in Windows environments. Even though the more secure Kerberos protocol is the default in Active Directory, NTLM is still widely used as a fallback and for backward compatibility.
When a domain-joined client connects to a service, it tries Kerberos first. If Kerberos cannot be used, for example because the service was addressed by IP address rather than hostname, no SPN is registered for it, or no domain controller is reachable, the client falls back to NTLM. NTLM never sends the password; the client proves knowledge of the password hash by answering a server challenge with a value derived from that hash.
This Kerberos-then-NTLM fallback applies to domain-joined machines authenticating against domain accounts. Local accounts on standalone or non-domain-joined machines are authenticated with NTLM against the local SAM database.
NTLM is built on a password hash. When a password is set, Windows converts it to UTF-16LE and hashes it once with MD4; the 16-byte result is the NT hash (often loosely called the NTLM hash). There is no salt, so two accounts with the same password have the same NT hash, and MD4 is fast and weak by modern standards. NTLMv1 and NTLMv2 differ in the challenge-response exchange, not in the stored hash: NTLMv1 encrypts the server's challenge with DES keys derived from the NT hash, while NTLMv2 computes an HMAC-MD5 over the challenge and a client blob using a key derived from the NT hash. In both versions the NT hash is the only secret the client needs, which is exactly what pass the hash exploits.
Hashing is the process where an input, like a plaintext password, is put through a one-way cryptographic hash function, returning a fixed-length output known as the hash value or digest.
This transformation is irreversible in the sense that the password cannot be computed back from the digest. A weak, unsalted hash like the NT hash can still be recovered by guessing (brute force, wordlists, rainbow tables), which is why cracking remains an option when pass the hash is not.
To illustrate, the NT hash of a password is computed as follows:
- Start with a plain text password: MySecurePassword
- Encode it as UTF-16LE (each character becomes two bytes).
- Run the encoded bytes through the MD4 hashing algorithm.
- MD4 outputs a fixed-length 16-byte digest, normally written as 32 hexadecimal characters. It is deterministic, so the same password always produces the same hash.
- Hashing is a one-way function, so the original password cannot be computed back from the digest.
The hash is stored instead of the original plaintext password, in the SAM for local accounts and in NTDS.dit for domain accounts. On later logons the entered password is re-hashed, and the result is either compared to the stored NT hash or used as the key in an NTLM challenge-response against it.
Pass the Hash
Pass the hash attacks take advantage of the way NTLM authentication works to enable lateral movement across a network. As mentioned, the stored NT hash is the only secret a client needs to answer an NTLM challenge; the plaintext password is never sent and never required.
This allows an attacker who has obtained a user's NT hash to simply use that hash to authenticate to other systems, servers, or services that accept NTLM, rather than needing to know or crack the actual password.
Mimikatz lets you start a process whose outbound network authentication uses the hash you have acquired, so every SMB, RPC or HTTP connection that process makes authenticates as that user. If the user has administrative rights on other systems, you can escalate privileges and compromise additional hosts.
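To show concretely why the hash alone is enough, here is an added Python example (not code from the article) of the cryptographic core of the NTLMv2 exchange as specified in MS-NLMP: the client computes its response from the NT hash alone, and the server verifies it against the NT hash it has stored. The NEGOTIATE/CHALLENGE/AUTHENTICATE message framing is omitted, the AV_PAIRS target info is reduced to a terminator, and all challenge, timestamp and hash values are constructed for the demo.

```python
import hashlib
import hmac
import struct


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPER(user) + domain). The password itself is never needed."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_blob(filetime: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The client's 'temp' structure: version 1.1, 6 reserved bytes, 64-bit
    FILETIME, 8-byte client nonce, 4 reserved bytes, AV_PAIRS, 4 reserved bytes."""
    assert len(client_challenge) == 8
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """Client side. NtChallengeResponse = NTProofStr || blob, where
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side. The verifier (server or DC) only holds the NT hash from the
    SAM or NTDS.dit, so it recomputes the proof the same way and compares it."""
    proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(stored_nt_hash, user, domain, server_challenge, blob)[:16]
    return hmac.compare_digest(proof, expected)


def session_base_key(nt_hash: bytes, user: str, domain: str, response: bytes) -> bytes:
    """SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr). The hash holder can derive
    the signing/sealing key too, so SMB signing does not stop pass the hash."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), response[:16], hashlib.md5).digest()


if __name__ == "__main__":
    # Constructed values for the demo, not captured traffic.
    stolen_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
    server_challenge = bytes.fromhex("0123456789abcdef")
    blob = ntlmv2_blob(0x01D9F00000000000, bytes.fromhex("cafebabedeadbeef"), b"\x00" * 4)
    resp = ntlmv2_response(stolen_hash, "Administrator", "CORP", server_challenge, blob)
    print("accepted:", verify_ntlmv2(stolen_hash, "Administrator", "CORP", server_challenge, resp))
```

Nothing in the client-side computation consumes the password: an attacker holding the 16-byte hash produces exactly the response a legitimate client would, which is why "pass the hash" is not a bypass of NTLM but NTLM working as designed.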
Let's explore the requirements for using Mimikatz to conduct pass the hash attacks. This includes steps on where to download the tool, methods for bypassing antivirus software, and the necessary permissions required to run it.
Download and Transfer
Mimikatz can be downloaded from its GitHub releases page as one of the zipped mimikatz_trunk archives. Most web browsers will flag the download as dangerous or malicious, given Mimikatz's reputation.
Once you have downloaded Mimikatz to your attacking machine, you must transfer it to the compromised Windows host. There are numerous ways you can accomplish this. Let's assume we have already compromised a system and gained RDP access to it. We will show you how to transfer it by setting up a Python server in Kali and downloading the files into Windows via the browser.
If you are using Kali as your attacking machine, another option is to use the Mimikatz files that Kali ships. As of Kali 2023.3, the Mimikatz files are included in the following path:
Move into the directory where you saved the zipped file, extract it, and then move into the x64 directory. You will see four files, all of which need to be transferred to the target machine. Start a Python web server in that directory with:
python3 -m http.server 80
This serves the current directory over HTTP on port 80 of your attacking machine.
On the compromised host, open a browser and enter the IP address of the attacking machine. You will see a directory listing of the files; download all four of them. Windows Defender will quarantine the files as soon as they land on disk, so it must be disabled (or the download directory excluded) first. SmartScreen will also block each download; right-click the blocked download and choose Keep to save the file.
Since Mimikatz is widely known as a hacking tool, almost all antivirus and endpoint security products will detect and block it from running. You will likely need to bypass antivirus protections on the target Windows system to get Mimikatz working.
This can involve fully disabling defenses like Windows Defender (which itself requires administrative privileges), excluding the Mimikatz directory from scans, or modifying the tool so that it evades detection.
If you load Mimikatz through PowerShell instead of running the compiled binary, for example with Invoke-Mimikatz, you will additionally have to deal with the Antimalware Scan Interface (AMSI), which lets security software inspect script content before it runs. The script must be heavily obfuscated, or AMSI bypassed, for this to work.
When it comes to evading detection, Mimikatz, like many other security tools, can be modified in various ways to make it less likely to trigger antivirus or endpoint detection. The following techniques are commonly combined to produce a less detectable build from source:
- Change Signatures: Alter the compiled code so it no longer matches the byte patterns security products look for.
- Switch Up Menu Items: Rename modules and commands (sekurlsa, logonpasswords, and so on), since some detections key on Mimikatz's well-known command strings.
- Change Keywords: Rename other strings and identifiers in the source, such as the banner text, to remove another layer of recognizable text.
- Process Injection: Instead of running mimikatz.exe from disk, inject it as shellcode into an already-running legitimate process, so no Mimikatz file is written or scanned.
- Split the Binary: Split the compiled file into chunks and scan each chunk separately to find exactly which parts trigger detection; those are the parts that need to be changed next.
- Customize netapi32: Windows Defender flags Mimikatz's imports from the netapi32.dll library. Building against a custom import library with renamed function names removes that indicator.
For the lateral-movement step, the systems you authenticate to must expose a service that accepts NTLM, typically SMB on TCP 445. To run Mimikatz itself, you need elevated access on the compromised host, Administrator or SYSTEM, because Mimikatz must enable SeDebugPrivilege to open the LSASS process memory where credential data is stored.
Regular user-level access is insufficient for Mimikatz to harvest passwords and hashes.
In summary, the following requirements must be met to pass the hash with Mimikatz:
- Get the Mimikatz files onto the compromised system (or use an in-memory variant such as Meterpreter's Kiwi).
- Local Administrator rights on that system, so Mimikatz can enable SeDebugPrivilege and read LSASS; SYSTEM (via token::elevate) is additionally needed to dump the SAM and LSA secrets from the registry.
- Evade or disable antivirus and endpoint detection on the compromised system.
- If running via PowerShell, bypass or circumvent AMSI.
- The NT hash of the user you want to impersonate.
- Network access to a service that accepts NTLM, typically SMB, on the machines you want to move to.
Performing Pass the Hash With Mimikatz
Now that you know the requirements needed to run Mimikatz, let’s go through obtaining credentials in the form of a username and NTLM hash and then use that hash in a pass the hash attack.
Before we start, let’s show you that our initial compromised user cannot access a shared folder on the domain controller. We can take advantage of Mimikatz and the pass the hash attack to attempt to access this sensitive folder.
Open a command prompt as an Administrator and move into the directory where you downloaded Mimikatz. Launch the Mimikatz executable from the x64 directory. At the mimikatz prompt, run:
privilege::debug
This enables SeDebugPrivilege for the Mimikatz process. Administrators hold this privilege, but it is disabled by default, and it is what allows Mimikatz to open protected system processes such as LSASS.
If you are not running as SYSTEM and want to dump the registry-based SAM and LSA secrets, also run:
token::elevate
token::elevate impersonates a SYSTEM token, giving the current Mimikatz thread SYSTEM-level permissions. Several Mimikatz commands read registry hives or call Windows APIs that require SYSTEM; without elevating, those commands fail with access-denied errors. Reading LSASS memory with the sekurlsa module only needs SeDebugPrivilege, so it works from an elevated Administrator prompt without this step.
Next, we can dump the credentials stored in the Security Account Manager (SAM) database, the registry hive where local user accounts and their NT hashes live:
lsadump::sam
We can also dump credentials from memory with:
sekurlsa::logonpasswords
This command reads the LSASS process memory and retrieves NT hashes, Kerberos tickets, and (where a provider such as WDigest still caches them) plaintext passwords for users who are currently, or have recently, logged on to the system.
After looking through the output, we find a username and an NTLM hash, which we can use to attempt a pass the hash attack.
We can use the following command to start a new command prompt whose network logons use the hash of the Administrator user we recovered (add /run:<program> to launch something other than cmd.exe):
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash>
A caveat worth understanding: the spawned cmd.exe runs with your current local token, so whoami still shows your original user and you gain no extra rights on the local machine. What changes is the credential cached in the new logon session, which Mimikatz patches inside LSASS, so any NTLM authentication the new process (and its children) performs to a remote host is done as the target user. We can test this by accessing the share on the domain controller that our regular user account could not reach earlier. Success confirms that the pass the hash attack worked and that we are now authenticating to the network as the Administrator.
Performing Pass the Hash With Meterpreter and Kiwi
We can also use Mimikatz inside of Metasploit by taking advantage of a Meterpreter session and using the Kiwi module.
The Kiwi extension within Meterpreter essentially ports the Mimikatz project into Meterpreter's functionality. This means you can execute Mimikatz-like operations directly through your Meterpreter session without uploading additional files to the target system.
You need to be running with SYSTEM privileges to use most of the commands in Kiwi for extensive credential dumping.
If you do not already have SYSTEM privileges, you can use Meterpreter's “getsystem” command to attempt to elevate your current process's privileges.
Alternatively, you can use the migrate command to migrate your Meterpreter session into an existing process that is already running as SYSTEM, such as a service like spoolsv.exe.
Some of the main functionalities of the Kiwi module include:
- Dumping Credentials: Kiwi's ability to extract different kinds of credentials from the target system is one of its most powerful features. This includes plaintext passwords, NTLM hashes, and even Kerberos tickets.
- Manipulation of Kerberos Tickets: Kiwi lets you interact with and modify Kerberos tickets. You can use kerberos_ticket_list to list existing tickets, kerberos_ticket_purge to purge them, or even golden_ticket_create to forge new ones.
- Dumping Sensitive Secrets: Kiwi can extract information from the Windows Local Security Authority. Other data, like VPN credentials, service account passwords, and other system secrets, can be retrieved using commands like lsa_dump_secrets and lsa_dump_sam.
Once you have obtained your Meterpreter shell, load the Kiwi extension with:
load kiwi
To see all the options available to you in Kiwi, enter the help command; the Kiwi commands are listed in their own section of the output.
For our demonstration, we will use the creds_all command to dump all credentials.
As you can see, we have a variety of hashes available for pass the hash attacks. The Kiwi module doesn't implement pass the hash itself, but we can use these hashes with other tools such as CrackMapExec (now continued as NetExec) or Impacket.
Let's take the Administrator's hash and attempt to authenticate to SMB on other machines across the subnet:
crackmapexec smb <ip_range_cidr> -u <user> -H <hash>
As you can see, we've successfully authenticated to two hosts, including the domain controller.
Now let's use the same hash with Impacket's psexec to get an interactive shell:
impacket-psexec -hashes 00000000000000000000000000000000:<ntlm_hash> <username>@<ip_address>
The -hashes argument takes the form LMHASH:NTHASH. The 32 zeros are a placeholder for the LM hash, which modern systems no longer store; Impacket also accepts the shorter :<ntlm_hash> form. For a domain account, prefix the user with the domain, as in <domain>/<username>@<ip_address>.
As we've explored, Mimikatz is an extremely powerful tool for post-exploitation activities in Windows Active Directory environments. It exploits weaknesses in the Windows NTLM authentication process to allow lateral movement across a network, bypassing the need to crack passwords.
Now that you understand how Mimikatz can steal and reuse credentials from memory, you might appreciate the importance of practicing these techniques in a lab environment. This hands-on experience will offer you a first-hand understanding of this security weakness, better preparing you for real-world scenarios.
Check out some of our courses below to learn about hacking and penetration testing and our Accelerator Program to take your career to the next level.