Mimikatz

Original Author: Pavandeep Singh

Table of Contents

Abstract................................................................................................................................................... 3
What is Mimikatz? .................................................................................................................... 4
Generate Skeleton Key with Mimikatz............................................................................. 4
Blue Screen of Death (BSOD) with Mimikatz ................................................................. 8
Display Hostname ................................................................................................................... 10
Golden Ticket Generation with Mimikatz ..................................................................... 11
Remotely Generating Golden Ticket .............................................................................. 14
Hack the Minesweeper Game ............................................................................................ 19
Conclusion ............................................................................................................................................ 23
References ........................................................................................................................................... 23

Page | 2
 Credits to Hacking Articles

Abstract
Mimikatz, a powerful post-exploitation tool, is renowned for its ability to extract
sensitive information from Windows systems, posing significant challenges to
Windows users.
In this report, we will delve into the intricacies of Mimikatz, exploring its
functionalities, potential risks it introduces to Windows security. The aim of this
report is to provide valuable insights into the world of Mimikatz and equip
cybersecurity professionals with the tools to assess vulnerabilities on Windows
systems.
Disclaimer: This report is provided for educational and informational
purpose only (Penetration Testing). Penetration Testing refers to legal
intrusion tests that aim to identify vulnerabilities and improve cybersecurity,
rather than for malicious purposes.

Page | 3
 Credits to Hacking Articles

What is Mimikatz?

Mimikatz is a Tool made in C Language by Benjamin Delpy. It is a great tool to extract plain
text passwords, hashes and Kerberos Tickets from Memory. It can also be used to generate
Golden Tickets.

You can get Mimikatz on the Internet from Github repos.

Mimikatz comes in 2 architectures: x32 and x64. Here is a screenshot of the x64 mimikatz
bash.

Generate Skeleton Key with Mimikatz

Victim: Windows Server 2012 R2 (Domain Controller)

Attacker: Mimikatz (On Windows Server 2012 R2)

In this attack, what mimikatz installs the patch on the Domain Controller to accept
“mimikatz” as a new login password? It can be thought as a Master Key which will open the
Active Directory to the attacker. This attack can be performed as shown below.

First, I will try to login on my Server using mimikatz as a password.

Page | 4
 Credits to Hacking Articles

As you can see clearly that we cannot login into the server using ‘mimikatz’ as a password.

Now I will log in the server using its password which is ‘T00r’.

Page | 5
 Credits to Hacking Articles

And as you can see below, I have logged in the Server using the correct password

If you ever are logged in on a server or have a server unlocked, you can create a skeleton key
to be stored inside the memory of the Server by using Mimikatz.

Launch the Mimikatz Terminal according to the architecture of the server (x32, x64). Now
first we will get the debugging privilege in Mimikatz using

privilege::debug

And then we will inject the mimikatz skeleton key in the memory of server using

Page | 6
 Credits to Hacking Articles

misc::skeleton

With this, we have our skeleton key successfully injected on the server.

Note: You will have to open mimikatz with Administrative Privilege to create a Skeleton
Key.

Now I will try to login the server using the skeleton key “mimikatz” we just injected in the
memory. Remember last time we tried to log in the server using mimikatz as a password we
were unsuccessful.

But this time ‘mimikatz’ was accepted as a password. This does not mean that we reset the
original password ‘T00r’. The server will continue to log in using ‘T00r’ but now it will also
accept ‘mimikatz’ as a password too.

Page | 7
 Credits to Hacking Articles

Now, remember that we injected the skeleton key in the memory, not in storage so the next
time that admin restarts the server we will lose the access. So, the best way to protect your
Domain Controller from Skeleton Key is a practice of restarting the Server Frequently or
prevents mimikatz from accessing the memory.

Blue Screen of Death (BSOD) with Mimikatz

Attacker: Mimikatz (on Windows 7)

Victim: Windows 7

We can perform a Blue Screen of Death or BSOD attack using mimikatz. This shows how
powerful this tool is. To perform the BSOD on a System follow the steps mentioned below:

• Run mimikatz with Administrator

!+

!+

Page | 8
 Credits to Hacking Articles

Now Initiate the BSOD as given below in the following command.

!bsod

As you can see below, we have the Blue Screen of Death Error

Note: This attack can corrupt data and potentially harm the system. Use Carefully!!

Page | 9
 Credits to Hacking Articles

Display Hostname

You can extract hostname of the Victim System by typing hostname in the mimikatz
Terminal.

hostname

We have extracted the hostname of the system as Pavan-pc

Page | 10
 Credits to Hacking Articles

Golden Ticket Generation with Mimikatz

Attacker: Mimikatz on Windows Server 2012 R2

Victim: Windows Server 2012 R2

To Generate a Golden Ticket, we will require the following information:

1. Domain
2. SID
3. NTLM Hash

Let’s get the Domain First.

To get the Domain we will run the ipconfig /all from the Command Line or PowerShell

• Domain on my Server is Pavan.local

Page | 11
 Credits to Hacking Articles

Now we will mimikatz itself to extract the NTLM hash required to generate the Ticket.

First, we will get the Debugging Privilege using the following command given below.

privilege::debug

And now to extract hashes we will run following command given below.

sekurlsa::logonpasswords

And now we have it all that we need to generate the Ticket.

Syntax: Kerberos::golden /domain:[Domain] /sid:[SID] /rc4:[NTLM Hash] /user:[Username

kerberos::golden /domain:PAVAN.LOCAL /sid:S-1-5-21-1118594253-

Page | 12
 Credits to Hacking Articles

Here I am creating the golden key for a user named ‘hacker’; you can use any of the existing
users of the Domain or create a new one.

I am using the [/ppt] option to pass the ticket in the current session.

Now run the command prompt to the access of Share Folder and execute given below
command:

pushd \\WINSERVER01\c$

Now we are in Z: drive execute given below command for NT directory services

cd WINDOWS\NTDS

DIR

As you can see that we get the access to the shared folder which cannot be accessed without
Admin Access but we had obtained it without using CMD as administrator. From given
below image you can observe that it is showing 8 files and 2 folders.

Page | 13
 Credits to Hacking Articles

Remotely Generating Golden Ticket

Attacker: Kali

Victim: Windows Server 2012 R2

Firstly, get a Meterpreter Access of the Server:

Page | 14
 Credits to Hacking Articles

Once gaining the meterpreter upload the mimikatz folder to the victim system using the
command

upload -r /root/Desktop/mimi c:\

Remember to use -r so that upload command uploads recursively.

Open the shell and extract Domain using ipconfig /all

And SID using the whoami /user

Page | 15
 Credits to Hacking Articles

Now go to the location where we uploaded the mimikatz earlier and run mimikatz.exe as
shown below

Now let’s extract the krbtgt NTLM hash using the following command

lsadump::lsa /inject /name:krbtgt

Page | 16
 Credits to Hacking Articles

Now using all the information extracted let’s generate a golden ticket in the same way we did
above.

kerberos::golden /domain:pavan.loc /sid:S-1-5-21-97841242-

Page | 17
 Credits to Hacking Articles

Now let’s take the access of Share Folder and as you can see that we get access to the shared
folder which cannot be accessed without Admin Access.

Hence, we successfully generated a golden ticket in a Windows Server Remotely via Kali

Now let’s take the access of Share Folder and as you can see that we get access to the shared
folder which cannot be accessed without Admin Access.

Hence, we successfully generated a golden ticket in a Windows Server Remotely via Kali

Page | 18
 Credits to Hacking Articles

Hack the Minesweeper Game

We all have played Minesweeper Game, and it is tough to get all the mines right but those
days of worry are over. To show that the Mimikatz is a powerful but a playful Tool, here I
will hack the minesweeper game using Mimikatz.

Firstly, open Mimikatz of your respective architecture.

Page | 19
 Credits to Hacking Articles

And then open the Minesweeper Game

To load minesweeper in the mimikatz by using

minesweeper::infos

Page | 20
 Credits to Hacking Articles

You can see in the above screenshot that the minesweeper grid is shown in the mimikatz
shell.

Now click on any Random block on the minesweeper.

Now run the previous command again and now we have locations of mine on the grid.

Page | 21
 Credits to Hacking Articles

You can verify this image with the One with Mimikatz shell.

Page | 22
 Credits to Hacking Articles

Conclusion
Hence, one can make use of these commands as a cybersecurity professional to
assess vulnerabilities on systems and keep these systems away from threat.

References
• https://www.hackingarticles.in/understanding-guide-mimikatz/
• https://github.com/ParrotSec/mimikatz

Page | 23