Module 04

Last updated 3 years ago

Win Attack LAB: Credential Dumping with Mimikatz

1. Introduction

If you have local administrative privileges on a Windows machine, you can abuse them to retrieve the various forms of credentials stored on that machine. This includes the password hashes of local user accounts (stored in the SAM database) as well as the cached credentials of currently logged-on users (kept in the memory of the lsass.exe process).

There are many ways to do this. In this exercise we will use the famous tool Mimikatz.

2. Credential Dumping with mimikatz

In order to access credentials stored on the machine (and in process memory), Mimikatz has to run with administrative privileges, so we start an elevated command prompt.

In the Windows menu, type cmd and then right-click the Command prompt and choose "Run as administrator".

cd c:\temp\tools\Mimikatz_x64

mimikatz.exe

With Mimikatz up and running, we can start to retrieve stored credentials. We will start with credentials stored in the memory of the lsass.exe process.

First, we have to acquire the debug privilege (SeDebugPrivilege) so that Mimikatz is allowed to open a handle to lsass.exe and read its memory. This step fails when the prompt is not running elevated as an administrator.

Type the following command in the Mimikatz prompt:

privilege::debug

You can also enable logging with the following command:

log my_log.txt

Now we are ready to retrieve our credentials with the following command:

sekurlsa::logonpasswords

Next, we dump the password hashes of the local Windows accounts from the Security Account Manager (SAM). Reading the SAM hive requires SYSTEM rights, so we first impersonate a SYSTEM token and then dump the SAM. Type the following two commands in the Mimikatz prompt:

token::elevate

lsadump::sam

3. Questions

  1. Why does Mimikatz need debug privileges?

  2. What are the prerequisites for your current session to have SeDebugPrivilege?

  3. What are you going to do next with the NTLM hash of user aalfort?

  4. Explain what Mimikatz does in the background to reveal these credentials.

  5. Why can user aalfort's credentials be found in the LSASS memory of Client1?

4. Answers

  1. Mimikatz requires this privilege because it has to open and read the memory of other processes, in particular LSASS.exe. Without it, we are not able to dump sensitive information from that memory. On a Windows system the LSASS.exe process is responsible for the following things:

  • Verifying users' credentials and keeping them for the logon session

  • Writing to the windows security log

  • Enforcing the security policy on the system

  2. According to Microsoft, the debug privilege determines which users can attach a debugger to any process or to the kernel. By default this privilege is assigned to the local Administrators group, but it is only present in an elevated (non UAC-filtered) token, and even there it is disabled until a process enables it, which is exactly what privilege::debug does. So there are two ways to go:

  • become a (local) Administrator and run in an elevated context

  • become Local System
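The difference between "the privilege is in the token but disabled" and "the privilege is not in the token at all" is what decides whether privilege::debug succeeds. The following added example (not part of the original lab) parses the output of `whoami /priv` and classifies SeDebugPrivilege accordingly. The two sample outputs are constructed to look like real `whoami /priv` output; they were not captured from the lab machine.

```python
"""Classify the state of SeDebugPrivilege from `whoami /priv` output.

Added example, not part of the original lab page. Both sample outputs are
constructed (not captured from the lab machine).
"""
from typing import Dict

# Constructed sample: prompt started with "Run as administrator", but
# privilege::debug not yet executed. The privilege is in the token, Disabled.
ELEVATED_ADMIN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
"""

# Constructed sample: same admin account, but a normal (UAC-filtered) prompt.
# The filtered token simply does not contain SeDebugPrivilege.
FILTERED_ADMIN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeShutdownPrivilege             Shut down the system                      Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeUndockPrivilege               Remove computer from docking station      Disabled
"""


def parse_privileges(whoami_output: str) -> Dict[str, str]:
    """Return {privilege_name: state} from the text of `whoami /priv`."""
    privs: Dict[str, str] = {}
    in_table = False
    for line in whoami_output.splitlines():
        if line.startswith("="):          # separator line under the column headers
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        privs[parts[0]] = parts[-1]       # first column = name, last column = state
    return privs


def debug_privilege_status(whoami_output: str) -> str:
    """'absent', 'disabled' or 'enabled' for SeDebugPrivilege."""
    state = parse_privileges(whoami_output).get("SeDebugPrivilege")
    if state is None:
        return "absent"
    return state.lower()


def can_run_privilege_debug(whoami_output: str) -> bool:
    """privilege::debug calls AdjustTokenPrivileges, which can only switch on a
    privilege that is already present in the token; it cannot add one. So it
    succeeds from 'disabled' (or 'enabled') but fails from 'absent'."""
    return debug_privilege_status(whoami_output) != "absent"


if __name__ == "__main__":
    for label, sample in (("elevated admin", ELEVATED_ADMIN),
                          ("filtered admin", FILTERED_ADMIN)):
        verdict = "succeed" if can_run_privilege_debug(sample) else "fail"
        print(f"{label}: SeDebugPrivilege {debug_privilege_status(sample)}, "
              f"privilege::debug would {verdict}")
```

Run `whoami /priv` in the prompt before starting Mimikatz: if SeDebugPrivilege is missing from the list entirely, the prompt is not elevated and privilege::debug will fail no matter which group the account belongs to.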

  3. What to do with a captured hash is up to the attacker. One option is to try to crack it offline, but that is time-consuming and gives no guarantee of recovering the password. The other option is pass-the-hash. During NTLM authentication the password itself is never sent: the client hashes it (the NT hash is an MD4 of the UTF-16LE encoded password) and uses that hash as the key to answer the server's challenge, and the server checks the answer against the NT hash it has stored. So an attacker holding aalfort's NT hash does not need the password at all: the hash is fed into the authentication exchange in place of the password, Windows compares the resulting response, and the attacker is welcomed with open arms. Mimikatz itself supports this with sekurlsa::pth.

  4. Mimikatz opens a handle to the LSASS.exe process (which is why it needs SeDebugPrivilege), reads the process memory, locates the list of logon sessions and the credential blobs kept by the authentication packages (msv1_0, kerberos, wdigest, tspkg, ...), and decrypts those blobs with the LSA encryption keys that are also stored in LSASS memory. The output is the list of logon sessions with their NTLM hashes and, depending on the system configuration, cleartext passwords.

  5. After the initial authentication, Windows keeps the user's credential material (the NTLM hash) in LSASS memory so that the user is not asked for the password again, for example when accessing network resources (single sign-on). User aalfort has an interactive session on Client1, and that is why the NTLM hash is found in its LSASS memory.