Mimikatz – a cute name, but a dangerous Offensive Security Tool

The Windows security tool Mimikatz may have a cute name – but it also has a great potential for damage. It was originally developed to demonstrate the security vulnerabilities of Windows systems, as there is a gap in the authentication process. It quickly evolved from a tool for white-hat hackers to one for black-hat hackers. Nevertheless, even today, admins still use the tool to detect and then close security holes in their own systems. Therefore, Mimikatz is one of the best known Offensive Security Tools (OST), which is freely available as open-source.

How does Mimikatz work?

With the help of Mimikatz, it is possible to read passwords, PINs, and Kerberos tickets from Windows systems, which is why it is often used by malware attackers. For this purpose, Mimikatz uses the Windows Single-Sign-On function, which has the so-called “WDigest” feature. This feature is used to load encrypted passwords and their keys into memory. Especially companies or other organizations use this feature to authenticate user groups. Although WDigest is disabled by default in Windows 10, anyone with administrative rights can enable it. And thus read out the passwords of the user groups using Mimikatz.

This makes the software a powerful tool for hackers

Root Access is required to successfully introduce Mimikatz into a system. Once the software is in the system, there are different ways how Mimikatz can work:

Pass-the-hash – In earlier versions, Windows saved passwords in a so-called NTLM hash when logging in. Attackers can therefore use Mimikatz to copy this exact hash string and use it on the target computer to log in. The password does not even have to be known for this, since this character string is sufficient for authentication.

Pass-the-Ticket – Newer versions of Windows no longer use an NTLM hash for authentication, but so-called Kerberos tickets. Mimikatz is now able to read this ticket and pass it on to another computer so that you can log in there as this user.

Over-Pass the Hash (Pass-the-Key) – With the help of the key obtained in this way, hackers can pretend to be users who can be accessed via a domain controller.

Kerberos Golden Ticket – A golden ticket gives you domain administration rights for each computer on the network. Perfidious: Golden tickets do not expire.

Kerberos Silver Ticket – Kerberos gives a user a TGS ticket that is used to log on to all services on the network. This is possible because Windows does not check TGS tickets at every login.

Pass-the-Cache– In general, this is the same tactic as a pass-the-ticket attack. However, no Windows system is compromised here, but the stored and entered login data is used on a Mac, UNIX, or Linux system.

To protect your system

Ideally, Mimikatz should not be able to access your system at all. A prerequisite for an initially secure Windows system is an upgrade to Windows 10 (or at least 8.1). If this is not possible, it is at least advisable to disable WDigest manually, although this should probably only be a small hurdle for a skilled attacker. Regardless of the Windows version used, a configuration of the Local Security Authority (LSA) is necessary.

Unfortunately, an overriding admin password is still common practice in companies today, although this is a well-known security hole. Every Windows machine needs its own unique administrator password. The combination of LSASS and safe mode makes Mimikatz ineffective under the newer Windows versions.

You should also educate your employees about the dangers of phishing emails and limit the use of macros,

Discover mimic cat

Detecting facial expressions is a difficult task since most detection solutions do not work with the software. The only real solution to reliably identify Mimikatz is to specifically examine your own system for it. The use of a manual network monitoring component is therefore highly recommended.

So what to do?

In the end, Mimikatz remains a highly dangerous and efficient tool for hackers that can easily slip past automated security checks. It is therefore the human being’s duty to remain vigilant. Simple security installations like unique admin passwords for each machine. Only necessary admin and remote access and multi-factor authentication, which does not work with the logic of Windows systems, form a strong hurdle.