Home
`mimikatz` is a tool I've made to learn C and make some experiments with Windows security.

It's now well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. `mimikatz` can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, ... maybe make coffee?

Its symbol/icon is a kiwi, sometimes the animal, but mostly the fruit!
```
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                     with 14 modules * * */
```
- sources (Visual Studio solution) on GitHub/mimikatz - see howto ~ build-mimikatz
- binaries are available on GitHub/mimikatz/releases
Despite some antivirus results, `mimikatz` is not dangerous (not a virus, malware, or other things). You can inspect the code 😉

I sign `mimikatz` binaries with my personal code-signing certificate; its SHA1 digest is `AB9E92B943ED47D915BC26939E24A58303ACAA7E`:
```
C:\Users\gentilkiwi>powershell -command get-authenticodesignature c:\security\mimikatz\Win32\mimikatz.exe
[...]
SignerCertificate                        Status  Path
-----------------                        ------  ----
AB9E92B943ED47D915BC26939E24A58303ACAA7E Valid   mimikatz.exe
```
`mimikatz` comes in two flavors: `x64` or `Win32`, depending on your Windows version (32 or 64 bits). The `Win32` flavor cannot access 64-bit process memory (like `lsass`), but can open 32-bit minidumps under 64-bit Windows.

Some operations need administrator privileges or a `SYSTEM` token, so be aware of `UAC` from the Vista version onward.
After launching `mimikatz`:

```
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                     with 14 modules * * */

mimikatz #
```

... you have the command prompt `mimikatz #`, where you can type instructions like `exit`, `cls`, `crypto::certificates`.

Instructions take the form `modulename::commandname arguments...`, eg:

```
kerberos::tgt
crypto::certificates /systemstore:local_machine /store:my /export
cls
```

See the Module section below for others.

Commands from the `standard` module can be typed without the module name; `cls` is the same as `standard::cls` (see module ~ standard).

You can quit `mimikatz` with the `exit` command.
For remote execution, see howto ~ remote execution.

You can pass instructions on the `mimikatz` command line; those with arguments/spaces must be quoted.
```
C:\security\mimikatz\x64>mimikatz log version "crypto::certificates /systemstore:local_machine" exit

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Apr 26 2014 00:25:11)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( [email protected] )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                     with 14 modules * * */

mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK

mimikatz(commandline) # version
mimikatz 2.0 alpha (arch x64)
NT - Windows NT 6.1 build 7601 (arch x64)

mimikatz(commandline) # crypto::certificates /systemstore:local_machine
 * System Store  : 'local_machine' (0x00020000)
 * Store         : 'My'

 0. example.nirvana.local
        Key Container  : example.nirvana.local
        Provider       : Microsoft Software Key Storage Provider
        Type           : CNG Key (0xffffffff)
        Exportable key : NO
        Key size       : 2048

mimikatz(commandline) # exit
Bye!
```
Instructions from the command line are marked with `(commandline)` on the prompt.
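The instruction grammar described above (`modulename::commandname arguments...`, bare commands resolving to the `standard` module, and quoting of instructions that contain spaces on the command line) as a small parser a defender might run over process-creation command lines. This is an added example, not code from mimikatz; the credential-module classification and the sample command lines are my own assumptions.

```python
from dataclasses import dataclass

# Which of the page's modules count as credential access is my own
# classification for this example (not something the page defines).
CREDENTIAL_MODULES = {"sekurlsa", "lsadump", "kerberos", "vault"}

@dataclass(frozen=True)
class Instruction:
    module: str
    command: str
    args: tuple

def split_windows_args(cmdline: str) -> list:
    """Split on whitespace, keeping double-quoted groups together (backslashes untouched)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def parse_instruction(text: str) -> Instruction:
    """'modulename::commandname arguments...'; a bare command without
    '::' belongs to the standard module (cls is standard::cls)."""
    head, *args = text.split()
    module, sep, command = head.partition("::")
    if not sep:
        module, command = "standard", head
    return Instruction(module.lower(), command.lower(), tuple(args))

def parse_command_line(cmdline: str) -> list:
    # Every token after the executable path is one instruction.
    return [parse_instruction(t) for t in split_windows_args(cmdline)[1:]]

def flag_credential_access(cmdline: str) -> list:
    # 'module::command' of every instruction that uses a credential module.
    return [f"{i.module}::{i.command}" for i in parse_command_line(cmdline)
            if i.module in CREDENTIAL_MODULES]

# Constructed sample process-creation command lines (not from the page).
SAMPLE_CMDLINES = [
    r'C:\security\mimikatz\x64\mimikatz.exe log version "crypto::certificates /systemstore:local_machine" exit',
    r'mimikatz.exe "kerberos::tgt" exit',
]
```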
- `standard`
- `privilege`
- `crypto`
- `sekurlsa`
- `kerberos`
- `lsadump`
- `vault`
- `token`
- `event`
- `ts`
- `process`
- `service`
- `net`
- `misc`
- `library` mimilib
- `driver` mimidrv
I'm a kiwi.
`mimikatz` is now 2.0, but was born in 2007; it was known by other names:

- `kdll`; a simple DLL injector
- `kdllpipe`; first version to accomplish Pass-The-Hash, with interaction on a named pipe
- `katz`;
- `mimikatz`!

I started to code it for some reasons:

- improve my knowledge, especially in C/C++ for Windows;
- explain security concepts;
- prove to Microsoft that sometimes they must change old habits.
- Meterpreter extension for `mimikatz 1.0` by Ben Campbell
  https://github.com/rapid7/meterpreter/tree/master/source/extensions/mimikatz
  https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/mimikatz
- DLL reflection in PowerShell by Joseph Bialek
  https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
  http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1
- Volatility plugin by Francesco Picasso
  http://blog.digital-forensics.it/2014/03/et-voila-le-mimikatz-offline.html
  http://blog.digital-forensics.it/2014/03/mimikatz-offline-addendum_28.html
- Meterpreter extension for `mimikatz 2.0` by Oliver Reeves
  https://github.com/rapid7/meterpreter/tree/master/source/extensions/kiwi
  https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/kiwi

- `wce` (cleartext passwords part) by Hernan Ochoa @ Amplia Security
  http://www.ampliasecurity.com/research/wcefaq.html
  http://seclists.org/fulldisclosure/2013/May/226
  Details here: http://fr.slideshare.net/gentilkiwi/mimikatz-phdays/29
- `sessiondump` by Steeve Barbeau @ HSC
  http://www.hsc.fr/ressources/outils/sessiondump
  https://github.com/rapid7/metasploit-framework/pull/1750
  https://github.com/steeve85/metasploit-framework/tree/sessiondump/external/source/meterpreter/source/extensions/sessiondump
  Details here: core.c