How to use mimikatz

Home
gentilkiwi edited this page on 8 Sep 2014 · 36 revisions
mimikatz is a tool I've made to learn C and make some experiments with Windows security.
It's well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden Tickets, play with certificates or private keys, vault, ... maybe make coffee?
Its symbol/icon is a kiwi, sometimes the animal, but mostly the fruit!

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with 14 modules * * */

How can you get it?
  • sources (Visual Studio solution) on GitHub/mimikatz - see GitHub/mimikatz/README # build
  • binaries are available on GitHub/mimikatz/releases
Basics
mimikatz comes in two flavors: x64 or Win32, depending on your Windows version (32/64 bits).
The Win32 flavor cannot access 64-bit process memory (like lsass), but it can open 32-bit minidumps under 64-bit Windows.
Some operations need administrator privileges or a SYSTEM token, so be aware of UAC from Vista onward.
After launching mimikatz:
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with 14 modules * * */

mimikatz #

... you get the command prompt mimikatz #, where you can type instructions like exit, cls or crypto::certificates.
Instructions can be in the form: modulename::commandname arguments..., eg:
  • kerberos::tgt
  • crypto::certificates /systemstore:local_machine /store:my /export
  • cls
see Module section below for others.
Commands from the standard module can be typed without the module name; cls is the same as standard::cls (see module ~ standard).
You can quit mimikatz with exit command.
For remote execution, see howto ~ remote execution
Command line
You can pass instructions on mimikatz command line, those with arguments/spaces must be quoted.
C:\security\mimikatz\x64>mimikatz log version "crypto::certificates /systemstore:local_machine" exit

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                    with 14 modules * * */

mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK

mimikatz(commandline) # version
mimikatz 2.0 alpha (arch x64)
NT-Windows NT 6.1 build 7601 (arch x64)

mimikatz(commandline) # crypto::certificates /systemstore:local_machine
 * System Store  : 'local_machine' (0x00020000)
 * Store         : 'My'

 0. example.nirvana.local
    Key Container  : example.nirvana.local
    Provider       : Microsoft Software Key Storage Provider
    Type           : CNG Key (0xffffffff)
    Exportable key : NO
    Key size       : 2048

mimikatz(commandline) # exit
Bye!

Instructions from command line are marked with (commandline) on the prompt.
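As an added example (not part of this page or of the mimikatz project), here is a small Python parser that applies the instruction grammar described above (modulename::commandname arguments, bare commands belonging to standard, quoted instructions on the command line) to a captured command line such as the one a process-creation event would record, so a defender can list which modules a run invoked. The whitespace/quote tokenizer, the /name:value argument convention and the sample command line are assumptions drawn from the examples on this page.

```python
import re
# Module names as listed on this page; 'standard' commands may omit their module prefix.
MODULES = {"standard", "privilege", "crypto", "sekurlsa", "kerberos", "lsadump", "vault",
           "token", "event", "ts", "process", "service", "net", "misc"}

def tokenize(cmdline):
    """Split on whitespace but keep double-quoted runs together, the quoting the page
    prescribes for instructions that carry arguments (assumption: no escape sequences)."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens

def parse_instruction(instruction):
    """Parse 'modulename::commandname arguments...'. A bare command (no '::') belongs to
    'standard', so 'cls' == 'standard::cls'. Arguments written /name:value become dict
    entries and a bare switch such as /export maps to True (convention taken from the
    page's own examples)."""
    head, _, rest = instruction.strip().partition(" ")
    module, sep, command = head.partition("::")
    if not sep:
        module, command = "standard", head
    args = {}
    for token in rest.split():
        name, colon, value = token.lstrip("/").partition(":")
        args[name.lower()] = value if colon else True
    return {"module": module.lower(), "command": command.lower(),
            "args": args, "known_module": module.lower() in MODULES}

def parse_command_line(cmdline):
    """Every argv token after the executable is one instruction, as in the page's
    'log version "crypto::certificates ..." exit' example."""
    tokens = tokenize(cmdline)
    if tokens and re.search(r"mimikatz(\.exe)?$", tokens[0], re.IGNORECASE):
        tokens = tokens[1:]
    return [parse_instruction(t) for t in tokens]

if __name__ == "__main__":  # constructed sample, as a process-creation event might record it
    sample = r'C:\security\mimikatz\x64\mimikatz.exe log version "crypto::certificates /systemstore:local_machine" exit'
    print(parse_command_line(sample))
```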
Modules
  • standard
  • privilege
  • crypto
  • sekurlsa
  • kerberos
  • lsadump
  • vault
  • token
  • event
  • ts
  • process
  • service
  • net
  • misc
  • library mimilib
  • driver mimidrv
About me
I'm a kiwi.
History
mimikatz is now 2.0, but it was born in 2007 and has been known by other names:
  • kdll ; a simple DLL injector
  • kdllpipe ; first version to accomplish Pass-The-Hash, with interaction on a named pipe
  • katz ;
  • mimikatz !
I started to code it for a few reasons:
  • improve my knowledge, especially in C/C++ for Windows ;
  • explain security concepts ;
  • prove to Microsoft that sometimes they must change old habits.
External resources
Some amazing alternative versions of mimikatz, w00t!
  • Meterpreter extension for mimikatz 1.0 by Ben Campbell
    Meterpreter & Metasploit
  • Meterpreter extension for mimikatz 2.0 by Oliver Reeves
    Meterpreter & Metasploit
  • DLL reflection in PowerShell by Joseph Bialek
    Script & Information
  • Volatility plugin by Francesco Picasso
    Plugin & Information
Some resources inspired by my work
  • wce (cleartext passwords part) by Hernan Ochoa @ Amplia security
    WCE faq & Seclists
    Details here: Slides PHDays 2012 #29
  • sessiondump by Steeve Barbeau @ HSC
    HSC advertising & Source & Pull request
    Details here: core.c