In the context of CompTIA PenTest+ and the domain of Attacks and Exploits, Mimikatz is a premier open-source post-exploitation tool primarily utilized for credential dumping and privilege escalation on Windows systems. Its significance lies in its ability to manipulate the Local Security Authority Subsystem Service (LSASS) process to extract plain-text passwords, hashes, PINs, and Kerberos tickets directly from memory.
For the exam, candidates must understand specific attacks facilitated by Mimikatz. The most ubiquitous command, `sekurlsa::logonpasswords`, attempts to extract logon credentials. If protocols like WDigest are enabled, this yields cleartext passwords; otherwise, it retrieves NTLM hashes. These artifacts enable lateral movement techniques, specifically **Pass-the-Hash (PtH)**, where an attacker authenticates using the hash without cracking it, and **Pass-the-Ticket (PtT)**, which involves harvesting and reusing Kerberos tickets.
Furthermore, Mimikatz allows for persistence via the creation of **Golden Tickets** (forging a TGT using the domain's KRBTGT hash to become a domain admin with long-term validity) and **Silver Tickets** (forging service tickets). To function effectively, Mimikatz generally requires Debug privileges (`SeDebugPrivilege`), meaning the attacker needs Local Admin or SYSTEM access. It is often executed via PowerShell (e.g., Invoke-Mimikatz) or through C2 frameworks like Metasploit's Kiwi extension to operate purely in memory and evade antivirus detection. Understanding Mimikatz is essential for demonstrating the risks of weak credential management and the necessity of defenses like Windows Defender Credential Guard.
Mimikatz Usage: Post-Exploitation and Credential Dumping
What is Mimikatz?
Mimikatz is one of the most notorious and powerful open-source post-exploitation tools used by penetration testers and red teams. Created by Benjamin Delpy, it allows users to view and steal authentication credentials such as Kerberos tickets, NTLM hashes, and sometimes plaintext passwords directly from the memory of a compromised Windows system.
Why is it Important?
In the context of the CompTIA PenTest+ exam, Mimikatz is the primary tool associated with Credential Dumping and Lateral Movement. Once an attacker gains administrative access to a machine, Mimikatz is used to harvest credentials that allow the attacker to move to other machines in the network or escalate privileges to Domain Admin.
How it Works
Mimikatz interacts with the Local Security Authority Subsystem Service (LSASS) process. Windows stores credentials in this process's memory to facilitate Single Sign-On (SSO). Mimikatz can extract these secrets using several modules:
1. `sekurlsa::logonpasswords`: The most common command. It extracts passwords and hashes for currently logged-on users.
2. `lsadump::sam`: Dumps the contents of the local Security Account Manager (SAM) database to get local account hashes.
3. `kerberos::golden`: Used to generate a Golden Ticket (a forged TGT), allowing indefinite persistence and domain administrative rights.
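Every module listed above has to read LSASS memory, which is exactly what a defender can watch for: Sysmon Event ID 10 (ProcessAccess) records which image opened lsass.exe and with which access mask. The Python below is an added example written for this guide; it is not part of the original text or of Mimikatz. It parses a constructed "key=value|key=value" rendering of Sysmon events, and flags any image outside an allowlist that opens lsass.exe with a mask containing PROCESS_VM_READ, the bit shared by the widely reported 0x1010, 0x1410 and 0x1FFFFF masks. The allowlist of legitimate images and the sample records are assumptions for the example.

```python
"""Flag suspicious LSASS memory access in Sysmon Event ID 10 (ProcessAccess) records."""

# Win32 process access rights (documented PROCESS_* constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
QUERY_ONLY = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION  # 0x1400

# Images that legitimately open LSASS on most hosts. This list is an assumption
# for the example; build yours from a baseline of your own fleet.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records in a flat "key=value|key=value" rendering.
SAMPLE_LOG = [
    "EventID=10|SourceImage=C:\\Temp\\unknown.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Windows\\system32\\svchost.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1410",
    "EventID=10|SourceImage=C:\\Windows\\system32\\wbem\\WmiPrvSE.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=10|SourceImage=C:\\Windows\\system32\\csrss.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetImage=C:\\Windows\\system32\\notepad.exe|GrantedAccess=0x1FFFFF",
    "EventID=1|Image=C:\\Windows\\system32\\cmd.exe|CommandLine=cmd.exe",
    "EventID=10|SourceImage=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1FFFFF",
]


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict (values keep their case)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted image opens lsass.exe with memory-read rights."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        # A malformed mask on an LSASS open is itself unusual: escalate it.
        return True
    # Credential dumping must read LSASS memory, so PROCESS_VM_READ is the
    # decisive bit. Query-only masks such as QUERY_ONLY (0x1400) are typical
    # of inventory and monitoring tools and are ignored.
    if not granted & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWLIST


def scan_log(lines):
    """Return the parsed events that should be escalated, in log order."""
    return [ev for ev in (parse_event(line) for line in lines) if is_suspicious_lsass_access(ev)]


if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(f"LSASS access: {ev['SourceImage']} mask={ev['GrantedAccess']}")
```

On the sample data only the unknown binary and the PowerShell host that opened lsass.exe are reported; the svchost and csrss opens are allowlisted and the WmiPrvSE open is query-only. An allowlist by path alone is weak against a renamed binary, so production rules usually pair it with signature or hash checks, and Credential Guard or running LSASS as a protected process (PPL) reduces what such an open can read in the first place.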
Key Attack Vectors
Understanding Mimikatz requires understanding the specific attacks it enables:
Pass-the-Hash (PtH): Using a captured NTLM hash to authenticate without cracking it.
Pass-the-Ticket (PtT): Injecting a stolen Kerberos ticket to authenticate to the domain.
Overpass-the-Hash: Using a hash to request a valid Kerberos ticket.
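Two of the attack vectors above leave recognisable traces in the Windows Security log, which is what a blue team or a PenTest+ remediation answer would point at. The Python below is an added example for this guide, not code from the original text or from Mimikatz. It runs two rules over constructed Security events shaped like the fields a log shipper exports: a 4624 logon of type 9 (NewCredentials) whose logon process is "seclogo" with the Negotiate package, the footprint of Pass-the-Hash done in memory rather than of a legitimate runas /netonly (which reports "Advapi"); and a 4768 TGT request for a user account with encryption type 0x17 (RC4-HMAC), which is what Overpass-the-Hash produces because the NTLM hash is the RC4-HMAC key. The sample events, user names and the rule that skips computer accounts (names ending in $) are assumptions.

```python
"""Spot Pass-the-Hash and Overpass-the-Hash indicators in Windows Security events."""

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC in 4768 events; AES is 0x11/0x12

# Constructed sample events, shaped like the fields a log shipper exports from
# the Security channel. Only the fields the rules read are included.
SAMPLE_EVENTS = [
    # NewCredentials logon created through the seclogo logon process.
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice",
     "WorkstationName": "WS01"},
    # runas /netonly by an administrator: same logon type, different process.
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "bob",
     "WorkstationName": "WS01"},
    # Ordinary Kerberos network logon.
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "carol",
     "WorkstationName": "FS01"},
    # TGT request for a user account with RC4-HMAC in an AES domain.
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    # TGT request for a user with AES-256: expected.
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40"},
    # Legacy computer account still on RC4: excluded by the '$' filter to cut noise.
    {"EventID": 4768, "TargetUserName": "OLDPRN01$", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
]


def classify_event(ev):
    """Return a finding label for one event, or None when nothing matches."""
    eid = ev.get("EventID")
    if eid == 4624:
        # Pass-the-Hash performed in memory shows as LogonType 9 (NewCredentials)
        # whose logon process is "seclogo" with the Negotiate package. A
        # legitimate runas /netonly also uses LogonType 9 but reports "Advapi".
        if (ev.get("LogonType") == 9
                and ev.get("LogonProcessName", "").lower() == "seclogo"
                and ev.get("AuthenticationPackageName", "").lower() == "negotiate"):
            return "pass-the-hash: NewCredentials logon via seclogo"
        return None
    if eid == 4768:
        # Overpass-the-Hash requests a TGT with the NTLM hash, which is only
        # usable as an RC4-HMAC key, so the AS-REQ is logged with 0x17. In a
        # domain where accounts use AES, that is unexpected for a user account.
        account = ev.get("TargetUserName", "").split("@")[0]
        if ev.get("TicketEncryptionType", "").lower() == RC4_HMAC and not account.endswith("$"):
            return "rc4 tgt request for a user account: possible overpass-the-hash"
        return None
    return None


def analyze(events):
    """Return (EventID, TargetUserName, finding) tuples for every matching event."""
    findings = []
    for ev in events:
        label = classify_event(ev)
        if label:
            findings.append((ev.get("EventID"), ev.get("TargetUserName"), label))
    return findings


if __name__ == "__main__":
    for eid, user, label in analyze(SAMPLE_EVENTS):
        print(f"{eid} {user}: {label}")
```

The RC4 rule is only meaningful once the domain actually issues AES keys; in an estate that never moved off RC4 every 4768 will match, so a baseline of encryption types per account is the first step before turning it on. The seclogo rule is specific enough to alert on directly.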
Exam Tips: Answering Questions on Mimikatz usage
When facing scenario-based questions on the PenTest+ exam, keep these tips in mind:
1. Identify the Artifacts: If a question shows command-line output containing "wdigest", "tspkg", or "NTLM :" followed by a hash string, you are looking at Mimikatz output.
2. Prerequisites: Mimikatz generally requires local administrator or SYSTEM privileges to read LSASS memory. If a question asks why the tool failed, check whether the user held `SeDebugPrivilege` (the right that the `privilege::debug` command enables).
3. Remediation: If asked how to prevent Mimikatz attacks, look for answers involving Windows Defender Credential Guard, disabling the WDigest protocol, or restricting Debug privileges.
4. Keywords: Associate the terms "LSASS", "Golden Ticket", "Silver Ticket", and "Dumping Memory" immediately with Mimikatz.