Understanding Mimikatz - The basics
Mimikatz - What is it and what can you do against it?
Mimikatz is a post-exploitation tool designed mainly to steal passwords.
But nothing is as simple as it sounds, because it doesn't really steal passwords: it steals authentication tokens/tickets or password hashes. Sounds baffling? Actually, it's a lot simpler than it sounds.
It is a common misconception to think that in order to gain access to a certain resource on a computer or a network, all you need is the username and password that grant access to that specific resource. In theory that is correct, but in the background something completely different is happening.
In order to gain the desired access, you need the correct key, and the correct key is what is produced after you type in your password. Let me explain:
To prevent the password from being stolen by various means, the password is never stored as it is. Instead, it is stored as a hash: the output of a mathematical function that turns the password into something unique, and, more importantly, something from which you cannot recreate the password.
To make things simpler: when you type your password to log in or to access a computer resource, the computer converts the password to its hash and then compares it to the stored hash.
You can find more information about the hash function in the following Wikipedia link: https://en.wikipedia.org/wiki/Hash_function
So, the computer never stores the password, but it does store the result, which is protected, in its core memory. If you have access to that memory and know where to look, you can find it. This is a "dump" of a process called LSASS (you can use Task Manager to do it).
Why is it there? Because you don't want to type the password every time you access something.
A similar thing is true for authentication tokens/tickets.
Authentication tokens/tickets are used to give you access to a certain location for a limited time, for example a secure website or a specific program.
Without making things too complicated, an authentication token/ticket stores your credentials in a temporary "key" (most of the time it is temporary), and as long as you have that key you don't need to re-authenticate with your password.
So, if a hacker has managed to get your token/ticket, he can gain the same access and the same privileges that you have, to... basically everything.
Naturally, it is not as simple as it sounds. There is a lot of coding involved (although if you search the web, most of the coding has already been done for you), and you also need to bypass a lot of security measures in order to actually be able to run it.
As fearsome as it sounds, for this attack to work, code must run on your computer.
And while most antivirus and defense programs will detect it, a new variation of it can still find its way onto your computer and start stealing your passwords, your information and your files.
So even if you have an updated antivirus, with a fully patched computer, it can still find a way.
But here comes the good part. You can easily defend your computer against it!
In order to work, a Mimikatz attack needs admin privileges. Deny it those privileges and you deny it access to the information.
Simply put: don't work with your admin user. Sounds easy, doesn't it? That's because it is.
If you are a network admin, don't let your users run with admin privileges on their computers,
and at home, set up another user with lower privileges and work with that. 99% of the time you will not need admin privileges, and when you do, the computer will ask you for them.
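As an added example (not from the original post): a small PowerShell check a home user or network admin can run to see whether the account used for daily work actually holds local admin rights, which is exactly what the attack above needs. It assumes Windows 10 / Server 2016 or later with the built-in Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example, not part of the original post.
# Reports whether the current account is a local administrator, either in this
# session (elevated now) or by group membership (could elevate via a UAC prompt).

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# True only when this session already runs with the full admin token.
$sessionElevated = $principal.IsInRole($adminRole)

# Membership of the built-in Administrators group, looked up by its well-known
# SID (S-1-5-32-544) so the check works on localized Windows installs too.
# This is visible even when the session is NOT elevated (UAC filtered token).
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
               Select-Object -ExpandProperty Name
$inAdminsGroup = $localAdmins -contains $identity.Name

[PSCustomObject]@{
    User            = $identity.Name
    SessionElevated = $sessionElevated
    InAdminsGroup   = $inAdminsGroup
    LocalAdmins     = ($localAdmins -join ', ')
}

if ($inAdminsGroup) {
    Write-Warning ("Daily-use account '{0}' is a local administrator. " +
                   "Create a standard user for everyday work and keep " +
                   "this account for elevation prompts only.") -f $identity.Name
}
```

The direct-membership check does not follow nested domain groups; if a domain group is listed under LocalAdmins, check whether your account belongs to that group as well.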
Here is the best method of defending against Mimikatz: the Cyber 2.0 Chaos engine.
Its unique technology will prevent malicious code from gaining access to network resources, even if it manages to obtain full admin privileges!
More information can be found here: www.cyber20.com
Next week, I will post how to add a non-admin user to the computer, and some more helpful tips.