-
Notifications
You must be signed in to change notification settings - Fork 4k
Home
mimikatz is a tool I've made to learn C and make somes experiments with Windows security.
It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, ...
maybe make coffee?
Its symbol/icon is a kiwi, sometimes the animal, but mostly the fruit!
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 14 modules * * */
- sources (Visual Studio solution) on GitHub/mimikatz - see howto ~ build-mimikatz
- binaries are availables on GitHub/mimikatz/releases
Despite some antivirus results, mimikatz is not dangerous (not a virus, malware, or other things). You can inspect the code 😉
I sign mimikatz binaries with my personnal code-signing certificate, its sha1 digest is AB9E92B943ED47D915BC26939E24A58303ACAA7E:
C:\Users\gentilkiwi>powershell -command get-authenticodesignature c:\security\mimikatz\Win32\mimikatz.exe
[...]
SignerCertificate Status Path
----------------- ------ ----
AB9E92B943ED47D915BC26939E24A58303ACAA7E Valid mimikatz.exe
mimikatz comes in two flavors: x64 or Win32, depending on your windows version (32 or 64 bits).
Win32 flavor cannot access 64 bits process memory (like lsass), but can open 32 bits minidump under Windows 64 bits.
Some operations need administrator privileges, or SYSTEM token, so be aware of UAC from Vista version.
After launching mimikatz:
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 14 modules * * */
mimikatz #
... you have the command prompt mimikatz #, you can type instructions like exit, cls, crypto::certificates
Instructions can be in the form: modulename::commandname arguments..., eg:
kerberos::tgtcrypto::certificates /systemstore:local_machine /store:my /exportcls
see Module section below for others.
commands from standard module can be typed without modulename; cls is the same as standard::cls (see standard)
You can quit mimikatz with exit command.
For remote execution, see howto ~ remote execution
You can pass instructions on mimikatz command line, those with arguments/spaces must be quoted.
C:\security\mimikatz\x64>mimikatz log version "crypto::certificates /systemstore:local_machine" exit
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 14 modules * * */
mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK
mimikatz(commandline) # version
mimikatz 2.0 alpha (arch x64)
NT - Windows NT 6.1 build 7601 (arch x64)
mimikatz(commandline) # crypto::certificates /systemstore:local_machine
* System Store : 'local_machine' (0x00020000)
* Store : 'My'
0. example.nirvana.local
Key Container : example.nirvana.local
Provider : Microsoft Software Key Storage Provider
Type : CNG Key (0xffffffff)
Exportable key : NO
Key size : 2048
mimikatz(commandline) # exit
Bye!
Instructions from command line are marked with (commandline) on the prompt.
- standard
- privilege
- crypto
- sekurlsa
- kerberos
- lsadump
- vault
- token
- event
- ts
- process
- service
- net
- misc
- library
mimilib - driver
mimidrv
I'm a kiwi.
mimikatz is now 2.0, but is born in 2007, it was known by other names:
-
kdll; a simple DLL injector -
kdllpipe; first version to accomplish Pass-The-Hash, with interaction on a named pipe -
katz; -
mimikatz!
I started to code it for some reasons:
- improve my knowledge, especially in C/C++ for Windows ;
- explain security concepts ;
- prove to Microsoft that sometimes they must change old habits.
-
Meterpreter extension for
mimikatz 1.0by Ben Campbell (https://twitter.com/Meatballs__ / https://github.com/Meatballs1)
https://github.com/rapid7/meterpreter/tree/master/source/extensions/mimikatz
https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/mimikatz -
DLL reflection in PowerShell by Joseph Bialek (https://twitter.com/JosephBialek / https://github.com/clymb3r)
https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1 -
Volatility plugin by Francesco Picasso (https://plus.google.com/+francescopicasso / https://code.google.com/p/hotoloti)
http://blog.digital-forensics.it/2014/03/et-voila-le-mimikatz-offline.html
http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html -
Meterpreter extension for
mimikatz 2.0in progress by Oliver Reeves (https://twitter.com/TheColonial / https://github.com/OJ)
https://github.com/rapid7/meterpreter/pull/79
https://github.com/rapid7/metasploit-framework/pull/3121
-
wce(cleartext passwords part) by Hernan Ochoa @ Amplia security (https://twitter.com/hernano / https://twitter.com/AmpliaSecurity)
http://www.ampliasecurity.com/research/wcefaq.html / http://seclists.org/fulldisclosure/2013/May/226
Details here: http://fr.slideshare.net/gentilkiwi/mimikatz-phdays/29 -
sessiondumpby Steeve Barbeau @ HSC (https://twitter.com/steevebarbeau / https://github.com/steeve85)
http://www.hsc.fr/ressources/outils/sessiondump / https://github.com/rapid7/metasploit-framework/pull/1750
https://github.com/steeve85/metasploit-framework/tree/sessiondump/external/source/meterpreter/source/extensions/sessiondump
Details here: core.c