Part 1 - Exploring mimikatz

Video Activity

This lesson covers exploring Mimikatz. Participants learn how to use different features of the Metasploit Framework, building on what was covered in previous sections. Mimikatz is a post-exploitation tool that bundles a large number of commands.


Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription
In this next section of clips, we're going to be talking about the ways that you can use some of the extended features of Metasploit Framework. These are different modules and extensions that allow you to enhance what we've already covered in previous sections.

First thing that we're going to look at is verifying my environment. You can see I've got a couple of sessions connected to the victim system. I'm interacting with session 12, which gives me my SYSTEM account, which you do need in this particular instance. We can see again that we're interacting with a 32-bit Windows 7 system.

The tool that we're going to use is called Mimikatz. We have to use the load command, the same as the use command. No difference; use is just a little shorter. We'll look at our help. As we can see, we've got quite a few different commands here that we can run within Mimikatz. This is a post-exploitation tool, obviously, because we already compromised a system. I'm already running as my SYSTEM account. What I'm going to do is poke around and show some of the different features that we can explore or take advantage of with this extension.

First I want to run a Mimikatz command, which allows me to run a custom command. I can check the version number of the tool itself. Another thing I can do is look to see: I can just make up a name of the module in order to look at the list of available modules. A weird thing that you have to do; that's just the way it works. Blog doesn't exist, but all of these other ones do. As we'll see here in a moment, some of these are very powerful. You've probably already noticed that this is in French. But luckily, the commands that you actually need to type in are in English, so it's not too hard to use. It should be fairly straightforward for those of you who are exploring, trying to see what this module can actually do.

One of the first things I want to look at is to see if I can get any credentials. There's lots of different choices here. I can look at SSP credentials, WDigest, Kerberos, LiveSSP. We're going to try those first just to see what comes up. I ran the Kerberos command. We can see right away whatever it was able to find in memory. In particular, my administrator account; these other accounts, for whatever reason it doesn't have a token for those, so they don't show up. But still definitely something to think about. Depending on how you got your access to the system, you may not have some of this information, so it's definitely worth exploring.

We can try running LiveSSP. This does give me some other good information, but doesn't appear to be useful in my current context. I can also look for my MSV creds. It found some information here for some credentials information. Again, depending on what your context is. Also, try SSP. I had that, didn't give me anything. I can run tspkg and WDigest. Nothing new there. WDigest actually gave me some good information confirming that certain accounts have a password that's searchable.

If I was interested, let's say some of these passwords don't show, or rather, none of these passwords show up, what I can then do is, I can run a command again. In this case, I'm going to use samdump. If you run into the, or rather if you specify the section of commands that you'd like to run. For instance, if I run a dash h here, I can run the section of the command that I want to run without any arguments. Then it shows me what subcommands are available. For instance, I can display my hashes. For my Administrator, Guest, IEUser and victim accounts, these are my NTLM hashes. Maybe I didn't get the passwords, but I was able to get access. I could get the hashes and try to do a rainbow table attack or something, or a dictionary attack. A rainbow table attack is obviously better, but I can also look for the boot key, which is needed for certain other operations. System name and the boot key information.

There's other modules I can run as well. Hold on one second here. Here we go. Let's see, I can get some information about crypto certificates. We're just going to keep trying these and see which ones give us interesting info. List providers, list stores, list keys. It looks like it might be case-sensitive. Is K there? Nothing can give me anything there; may not have anything available. I'll try looking at the providers. Those are all the providers available, but I don't have any keys to show at this point. I can list the stores showing where the keys might exist if they were available.

I'll go back to my blog to see the other options available. I can load the system module. Within here I can see information about my current user, which we can get from other places. But it's nice to have more than one way to skin a cat, if you understand the expression. I can look at information about processes, so getting a list of processes. We can get this with ps, of course, but it's nice to have other options. I can start and stop and resume processes. Also pretty powerful. I can do the same thing with services. I can do a service list. A lot of good information here. Quite a lot of information. I can start and stop services or even remove them, also very handy.

I can look at my current privilege levels, so I can list the privileges that I have. We saw this again with the getprivs command from Meterpreter. But it tells you which ones are enabled, which ones are not enabled by default. A little bit more information. As we see, I can try to impersonate a privilege, shut down the system, take ownership. There's lots of different things there to explore.

There's also the handles that are being used to manage all the processes and services that are currently running on the system. I can list these; it's going to be a lot of information, but it shows me all the different programs that are running and all the different handles that are active on the system, with process IDs and everything else. If you're really digging deep into a system to see what it's doing and where the vulnerabilities might exist, these are great tools for expanding your reach.

I can also dump the SAM database. We saw this in a different area, but it's very similar. I can look at the hashes, I can look at the boot keys. I can also interact with the terminal server. I can inject information into processes. Very useful stuff. It lets you interact with the system in a way that is a little bit extended from what the Meterpreter shell normally offers.

That's the end of our introduction to Mimikatz. Hope you enjoy it. Thank you.