
What is Mimikatz and How Does it Work?

Iain Roberts
3 min read | Updated on September 13, 2022


Mimikatz (French for “cute cat”) is an open-source tool that both attackers and penetration testers can use to steal credentials and escalate privileges within Active Directory (AD). The tool exploits various kinds of weaknesses in order to extract passwords, hashes, and Kerberos tickets from memory.

How Mimikatz Can Be Used to Access Resources

Below is a round-up of the techniques used to gain access to resources using Mimikatz.

Pass-the-Hash

This technique enables an attacker who has obtained the NTLM or LanMan hash of a user’s password to use that hash to authenticate to a remote server or service. With Mimikatz, the attacker passes the hash directly to the authentication process instead of supplying the plaintext password that would normally be required.
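As an added illustration (not part of the original article), the following Python script shows how a defender can spot two of the behaviours described here in Windows telemetry: a process reading LSASS memory to extract credentials, and the network-credentials-only logon that a Mimikatz pass-the-hash produces on the local host. The log records, host names and process paths are constructed; the field names follow Windows Security event 4624 and Sysmon event 10, and the GrantedAccess masks and the "seclogo" logon process are commonly cited heuristics that should be tuned per environment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not from the article): one flattened key=value record per line,
# mixing Security event 4624 (logon) and Sysmon event 10 (ProcessAccess) fields.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=2 LogonProcessName=User32 AuthenticationPackageName=Negotiate TargetUserName=alice Computer=WS01
EventID=4624 LogonType=9 LogonProcessName=seclogo AuthenticationPackageName=Negotiate TargetUserName=alice Computer=WS01
EventID=4624 LogonType=3 LogonProcessName=NtLmSsp AuthenticationPackageName=NTLM TargetUserName=svc-backup Computer=FS01
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000 Computer=WS01
EventID=10 SourceImage=C:\\Users\\alice\\Downloads\\x.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010 Computer=WS01
"""

# Access masks that include PROCESS_VM_READ and are commonly observed when credentials are
# dumped from lsass.exe. A starting point for tuning, not an exhaustive list.
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record into a dict (values contain no whitespace)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert reason when the event matches a known credential-theft indicator, else None."""
    eid = event.get("EventID")
    if eid == "4624":
        # A pass-the-hash on the local host shows up as a NewCredentials logon (type 9)
        # raised by the 'seclogo' logon process with the Negotiate package. Ordinary
        # type-3 NTLM logons (third sample line) are not distinguishable on their own.
        if (event.get("LogonType") == "9"
                and event.get("LogonProcessName", "").lower() == "seclogo"
                and event.get("AuthenticationPackageName") == "Negotiate"):
            return "possible pass-the-hash (LogonType 9 via seclogo)"
    elif eid == "10":
        # Sysmon ProcessAccess: a process opening lsass.exe with memory-read rights.
        target = event.get("TargetImage", "").lower()
        if target.endswith("\\lsass.exe") and event.get("GrantedAccess", "").lower() in LSASS_SUSPICIOUS_ACCESS:
            return f"possible LSASS credential dump by {event.get('SourceImage', '?')}"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Classify every non-empty record and return the alerts with host and event id."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reason = classify(event)
        if reason:
            alerts.append({"host": event.get("Computer", "?"), "event_id": event["EventID"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['host']}] EventID {alert['event_id']}: {alert['reason']}")
```

Only the seclogo logon and the unsigned download reading LSASS are reported; the svchost.exe open with 0x1000 (query-only rights) and the routine network logons are left alone.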

Pass-the-Ticket

This attack method shares similarities with Golden and Silver Ticket attacks, in that it exploits what is said to be an irremediable vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). However, unlike Golden and Silver Ticket attacks, a Pass-the-Ticket attack doesn’t require forging Kerberos tickets. Instead, the attacker steals a valid ticket that has already been created and issued. Using Mimikatz, they can pass the ticket from one system to another in order to gain access to resources as if they were a legitimate privileged user.

Over-Pass-the-Hash

With overpass-the-hash, the goal is to obtain the NTLM hash of a user account’s password and use that hash to obtain a Kerberos ticket, which can then be used to gain access to network resources. Overpass-the-hash is essentially a combination of the pass-the-hash and pass-the-ticket techniques.

Kerberos Silver Ticket

A Silver Ticket is a forged Kerberos ticket. The attacker is able to forge a ticket by first brute-force-guessing an account password, and then using this password to create a fake authentication ticket.

Kerberos Golden Ticket

This technique obtains a ticket from the hidden Key Distribution Center service account (KRBTGT), which in turn provides admin-level access to any domain on the network.

Pass-the-Key

This type of exploit is not very well documented, although its general purpose is to obtain a unique key that can be used multiple times to gain access to a domain controller.

Pass-the-Cache

This technique is essentially the same as a pass-the-ticket attack, in that it steals a valid ticket that has already been created. The main difference is that it is designed for UNIX-based systems rather than Windows-based systems.

How To Use Mimikatz

You can download the Mimikatz executable from Benjamin Delpy’s GitHub page. However, it should be noted that downloading and installing Mimikatz is not always straightforward, as modern browsers and many endpoint security solutions (including Microsoft’s own Windows Defender) will try to block it. Once you have installed and run the Mimikatz executable, a console opens in interactive mode, which allows you to run commands in real time. Even if you are using an administrator account, it still needs to be “Run as Admin” in order to function properly. In addition to using the command line, Mimikatz can also be run automatically by executing a custom script.

Iain Roberts

A highly experienced cyber security consultant with 12 years’ experience in the security arena.
