How to use mimikatz

Home

gentilkiwi edited this page on 8 Sep 2014 · 36 revisions

mimikatz is a tool I've made to learn C and make some experiments with Windows security.

It's well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
mimikatz can also perform pass-the-hash and pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, ... maybe make coffee?

Its symbol/icon is a kiwi, sometimes the animal, but mostly the fruit!

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */

How can you get it?

Basics

mimikatz comes in two flavors: x64 or Win32, depending on your Windows version (32/64 bits).
The Win32 flavor cannot access 64-bit process memory (like lsass), but it can open 32-bit minidumps under 64-bit Windows.
Some operations need administrator privileges or a SYSTEM token, so be aware of UAC from Vista onward.

After launching mimikatz:

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */


mimikatz #

... you have the command prompt mimikatz #, where you can type instructions like exit, cls, crypto::certificates

Instructions take the form modulename::commandname arguments..., e.g.:

  • kerberos::tgt
  • crypto::certificates /systemstore:local_machine /store:my /export
  • cls

See the Modules section below for others.
Commands from the standard module can be typed without the module name: cls is the same as standard::cls (see module ~ standard).

You can quit mimikatz with exit command.
For remote execution, see howto ~ remote execution

Command line

You can pass instructions on the mimikatz command line; those containing arguments or spaces must be quoted.

C:\security\mimikatz\x64>mimikatz log version "crypto::certificates /systemstore:local_machine" exit

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with  14 modules * * */


mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK

mimikatz(commandline) # version

mimikatz 2.0 alpha (arch x64)
NT     -  Windows NT 6.1 build 7601 (arch x64)

mimikatz(commandline) # crypto::certificates /systemstore:local_machine
 * System Store  : 'local_machine' (0x00020000)
 * Store         : 'My'

 0. example.nirvana.local
        Key Container  : example.nirvana.local
        Provider       : Microsoft Software Key Storage Provider
        Type           : CNG Key (0xffffffff)
        Exportable key : NO
        Key size       : 2048

mimikatz(commandline) # exit
Bye!

Instructions from command line are marked with (commandline) on the prompt.
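The command-line grammar above (one token per instruction, `module::command arguments` quoted when it contains spaces, standard-module commands allowed bare) is exactly what a defender sees in process-creation telemetry, so here is an added example, not part of the wiki or of mimikatz itself, that parses such command lines and flags events invoking a non-standard module. The sample events are constructed in the shape of Windows 4688 / Sysmon event 1 fields, the set of bare standard commands is limited to the ones shown on this page, and the image-name check is only a weak secondary signal since the binary is trivially renamed.

```python
import re

# Grammar from the page: each instruction is "modulename::commandname arguments...";
# on the command line, instructions containing spaces are quoted.  Commands of the
# standard module may be typed bare (only the ones shown on this page are listed).
INSTRUCTION = re.compile(r"^(?P<module>[a-z_]+)::(?P<command>[a-z_]+)$", re.IGNORECASE)
STANDARD_COMMANDS = {"cls", "exit", "log", "version"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # one quoted instruction or one bare word

def parse_instructions(cmdline):
    """Split a mimikatz-style command line into (module, command, args) tuples.
    Unrecognised tokens are kept with module=None so an analyst can still see them."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]
    instructions = []
    for tok in tokens[1:]:  # tokens[0] is the executable name
        parts = tok.split()
        if not parts:
            continue
        head, args = parts[0], parts[1:]
        match = INSTRUCTION.match(head)
        if match:
            instructions.append((match["module"].lower(), match["command"].lower(), args))
        elif head.lower() in STANDARD_COMMANDS:
            instructions.append(("standard", head.lower(), args))
        else:
            instructions.append((None, head, args))
    return instructions

def triage(events):
    """Flag (image path, command line) events whose arguments parse as non-standard
    mimikatz module instructions, regardless of what the binary is called.
    The image-name check is an assumption of this example and is easily evaded."""
    findings = []
    for image, cmdline in events:
        instrs = parse_instructions(cmdline)
        modules = sorted({mod for mod, _, _ in instrs if mod and mod != "standard"})
        if modules or image.lower().endswith("mimikatz.exe"):
            findings.append({"image": image, "modules": modules, "instructions": instrs})
    return findings

# Constructed sample events (not real telemetry), in the shape of 4688 / Sysmon 1 fields.
SAMPLE_EVENTS = [
    (r"C:\security\mimikatz\x64\mimikatz.exe",
     'mimikatz log version "crypto::certificates /systemstore:local_machine" exit'),
    (r"C:\Users\dev\kiwi.exe", 'kiwi.exe "kerberos::tgt" exit'),  # renamed copy
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Users"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["modules"])
```

The second sample shows why the parser matters: the renamed copy is caught by its `kerberos::tgt` instruction, not by its file name.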

Modules

About me

I'm a kiwi.

History

mimikatz is now 2.0, but it was born in 2007, and it was known by other names:

  • kdll ; a simple DLL injector
  • kdllpipe ; first version to accomplish Pass-The-Hash, with interaction on a named pipe
  • katz ;
  • mimikatz !

I started coding it for a few reasons:

  • improve my knowledge, especially in C/C++ for Windows ;
  • explain security concepts ;
  • prove to Microsoft that sometimes they must change old habits.

External resources

Some amazing alternative versions of mimikatz, w00t!

Some resources inspired by my work
