Understanding Mimikatz - The basics
Mimikatz - What is it and what can you do against it?
Mimikatz is a post-exploitation tool designed mainly to steal passwords.
But nothing is as simple as it sounds, because it doesn't really steal passwords: it steals authentication tokens/tickets or password hashes. Sound baffling? Actually, it's a lot simpler than it sounds.
It is a common misconception to think that, in order to gain access to a certain resource on a computer or a network, all you need is the username and password that grant you access to that specific resource. In theory that is correct, but in the background something completely different is happening.
In order to gain the desired access you need the correct key, and the correct key is what is produced after you punch in your password. Let me explain:
In order to prevent the password from being stolen by various means, the password is never stored as it is. Instead, it is stored as a hash: the output of a mathematical function that turns the password into something unique, but, more importantly, you cannot recreate the password from the resulting hash.
To make things simpler: when you log in or use your password to access a computer resource, the computer converts the password to its hash and then compares it with the stored hash.
You can find more information about hash functions in the following Wikipedia link: https://en.wikipedia.org/wiki/Hash_function
So the computer never stores the password, but it does store the result, which is protected, in its core memory. If you have access to that memory and know where to look, you can find it. This is a "dump" of a process called LSASS (you can do it from Task Manager).
Why is it there? Because you don't want to punch in the password every time you access something.
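To make the "hash, then compare" step concrete, here is an added illustration (not code from the original post). It uses SHA-256 as a stand-in; the real Windows credential store uses a different, unsalted function (the NT hash), so this models the idea, not the Windows implementation. The password value is constructed for the example.

```powershell
# Added illustration, not code from the original post. SHA-256 stands in for
# the function Windows really uses; the point is the shape of the check.

function Get-PasswordHash {
    param([Parameter(Mandatory)][string]$Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
        # Hex-encode the digest so it can be stored and compared as text
        return (($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '')
    }
    finally { $sha.Dispose() }
}

function Test-Password {
    param(
        [Parameter(Mandatory)][string]$Attempt,
        [Parameter(Mandatory)][string]$StoredHash
    )
    # The check never needs the original password, only equality of hashes.
    return (Get-PasswordHash -Password $Attempt) -eq $StoredHash
}

# Constructed "stored credential": only the hash is kept, never the password.
$storedHash = Get-PasswordHash -Password 'CorrectHorseBattery'
"Stored value: $storedHash"

"Right password accepted:  $(Test-Password -Attempt 'CorrectHorseBattery' -StoredHash $storedHash)"
"Wrong case rejected:      $(Test-Password -Attempt 'correcthorsebattery' -StoredHash $storedHash)"

# The consequence the post is pointing at: because the comparison is made on
# the hash, whoever holds $storedHash holds everything the check requires.
# That is why the copy kept in LSASS memory has to be protected as carefully
# as the password itself, and why reading that memory needs admin rights.
```

The stored value cannot be turned back into the password, but it does not need to be: the comparison only ever looks at hashes, which is exactly why the hash in memory is worth protecting.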
A similar thing is true for authentication tokens/tickets.
An authentication token/ticket is used to give you access to a certain location for a limited time, for example a secure website or a specific program.
Without making things too complicated, the authentication token/ticket stores your credential on a temporary "key" (most of the time it is temporary), and as long as you have that key you don't need to re-authenticate with your password.
So, if a hacker has managed to get your token/ticket, he can gain the same access and the same privileges that you have, for... basically everything.
Naturally, it is not as simple as it sounds. There is a lot of coding involved (although if you search the web, most of the coding has already been done for you), and you also need to bypass a lot of security measures in order to actually be able to run it.
As fearsome as it sounds, in order for this attack to work, code must run on your computer.
And while most antivirus and defense programs will detect it, a new variation of it can still find its way into your computer and start stealing your passwords, your information and your files.
So even if you have an updated antivirus on a fully patched computer, it can still find a way in.
But here comes the good part. You can easily defend your computer against it!
In order to work, a Mimikatz attack needs admin privileges. Deny it those privileges and you deny it access to the information.
Simply put: don't work with your admin user. Sounds easy, doesn't it? That's because it is.
If you are a network admin, don't let your users run with admin privileges on their computers, and at home, set up another user with lower privileges and work with that. 99% of the time you will not need the admin privileges, and when you do, the computer will ask you for them.
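Here is an added example (not from the original post) of putting that advice into practice on a single Windows machine: it checks whether the current session has admin rights, audits who sits in the local Administrators group, creates a standard non-admin account for daily use, and confirms the new account is not an administrator. It uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10/11 and Server 2016 or later) and must itself be run from an elevated PowerShell; the account name 'daily' and its full name are placeholders.

```powershell
# Added example, not code from the original post. Run from an elevated
# PowerShell on Windows 10/11 or Server 2016+. The account name 'daily' is a
# placeholder; pick your own.

# 1. Is the current session running with admin rights? If it is, this is the
#    day-to-day situation the post advises against.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Who holds admin rights on this machine? Audit the local Administrators group.
function Get-LocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 3. Create a standard (non-admin) local account for everyday use. Membership
#    of the built-in 'Users' group is all it gets; nothing here touches
#    'Administrators'.
function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$FullName = $Name
    )
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    $user = New-LocalUser -Name $Name -FullName $FullName -Password $password `
                          -Description 'Daily-use account without admin rights'
    # New-LocalUser does not add the account to any group by itself, so add
    # it to 'Users' unless it is already there.
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
    return $user
}

# 4. Confirm an account is NOT a member of Administrators. Members are reported
#    as COMPUTERNAME\user, so match on the trailing part of the name.
function Test-IsLocalAdmin {
    param([Parameter(Mandatory)][string]$Name)
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    return [bool]($members | Where-Object { $_ -like "*\$Name" })
}

if (Test-IsElevated) { 'This session has admin rights.' } else { 'This session is a standard user.' }

'Current members of the local Administrators group:'
Get-LocalAdmins | Format-Table -AutoSize

New-StandardUser -Name 'daily' -FullName 'Daily use (standard user)' | Out-Null
"Is 'daily' an administrator? $(Test-IsLocalAdmin -Name 'daily')"
```

Once the standard account exists, log in with it for everyday work; when something genuinely needs admin rights, Windows prompts for the admin account's credentials rather than running everything elevated all the time.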
Here is the best method of defending against Mimikatz: the Cyber 2.0 Chaos engine. Its unique technology will prevent malicious code from gaining access to network resources, even if it manages to obtain full admin privileges! More information can be found here: www.cyber20.com
Next week I will post how to change/add a non-admin user on the computer, and some more helpful tips.