With the exponential rise in cyber-attacks, and the attackers using defense evading tools and frameworks; it has become important to know the tricks and techniques of the cyber offenders and the arsenal that attackers may use to exfiltrate data from, or penetrate into, a compromised system.
We’ll be looking into one such tools and creating an attack scenario where the attacker will compromise a Windows 10 system and then exfiltrate sensitive data using Mimikatz. Below is the lab setup:
Attacking System: Kali Linux
Target System: Windows 10
First let’s have a brief introduction of Mimikatz.
What is Mimikatz?
If you’re into penetration testing and windows red teaming then you might have probably heard of mimikatz, but in case you’re wondering or have heard of the tool but don’t know what it does, let’s see what is mimikatz. Written in C-language, Mimikatz is a very powerful post-exploitation tool and as described by CrowdStrike CTO and Co-Founder, “The AK-47 of Cyber Attacks.” Some even claim mimikatz to be a Swiss Army Knife of Windows Credentials. Benjamin Delpy, who is the developer of this tool, claims that he created this tool to play with Windows Security. He maintains his own GitHub repository where he has provided the source code for the tool and updates it on a regular basis.
What can be done using Mimikatz?
Although known widely for credential dumping, this is not the only thing that it can do. Mimikatz is also capable of assisting in lateral movements and privilege escalations. Attacks like Pass-the-Hash, Pass-the-Ticket, Over-Pass-the-Hash, Kerberoasting etc. can also be achieved with Mimikatz.
Anatomy of a Mimikatz Attack:
Mimikatz abuses and exploits the Single Sign-On functionality of Windows Authentication that allows the user to authenticate himself only once in order to use various Windows services. After a user logs into Windows, a set of credentials is generated and stored in the Local Security Authority Subsystem Service (LSASS) in the memory. As the LSASS is loaded in memory, when invoked mimikatz loads its dynamic link library (dll) into the library from where it can extract the credential hashes and dumps them onto the attacking system, and might even give us cleartext passwords.
A malware is created using msfvenom in a .exe format and transferred to the target system (Note: Windows Defender is disabled). Simultaneously, the Metasploit Framework is launched onto the attacking system and the meterpreter listener is run.
As soon as the victim runs the .exe file, meterpreter gets the session of the active user on the target machine.
As mimikatz requires a privileged context to run and get credentials, we first attempt to escalate our privileges. Using the post module of Metasploit Framework, the local_exploit_suggester, we have 2 exploits that the target is prone to. Using the bypass_uac_dotnet_profiler exploit, we escalate our privileges and transfer the mimikatz.exe binary onto the target machine.
Dropping into the system shell, and then running the mimikatz.exe binary, we use the privilege::debug command, to get the debug privileges needed to dump credentials from LSASS.
Using sekurlsa::logonPasswords command, we dump the credential data including the logged on user’s SHA1 and NTLM hash.
The hashes are then cracked using hashcat and cleartext passwords can be obtained very easily.
$ hashcat -m 1000 NTLM.hash /usr/share/wordlist/rockyou.txt
$ hashcat -m 100 SHA1.hash /usr/share/wordlist/rockyou.txt
With Windows Defender enabled, it readily caught the malware when it was transferred to the target system and identified it as a meterpreter payload; also when the Mimikatz binary was transferred it was also readily identified and following logs were generated, respectively.
Though the meterpreter malware was not deleted and it remained there in the target system, but the session was not reliable and was terminated soon after being started. In case of Mimikatz, the binary was deleted as soon as the it was transferred onto the target.