What is Mimikatz? And how to defend against this password stealing tool

Mimikatz definition

Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers.

Mimikatz, described by the author as just “a little tool to play with Windows security,” is an incredibly effective offensive security tool developed by Benjamin Delpy. It is used by penetration testers and malware authors alike. The destructive 2017 NotPetya malware rolled leaked NSA exploits like EternalBlue together with Mimikatz to achieve maximum damage.

Originally conceived as a research project by Delpy to better understand Windows security, Mimikatz also includes a module that dumps Minesweeper from memory and tells you where all the mines are located.

Mimikatz is not difficult to use, and Mimikatz v1 comes bundled as a meterpreter script as part of Metasploit. The new Mimikatz v2 upgrade has not yet been integrated into Metasploit as of this writing.

The name “mimikatz” comes from the French slang “mimi” meaning cute, thus “cute cats.” (Delpy is French and he blogs on Mimikatz in his native language.)

How does Mimikatz work?

Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key needed to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but it also lets Mimikatz recover those passwords by dumping process memory and decrypting what it finds there.

In 2013, Microsoft made it possible to disable this feature as of Windows 8.1, and it is disabled by default in Windows 10. However, Windows still ships with WDigest, and an attacker who gains administrative privileges can simply turn it on and run Mimikatz.
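Because the attacker's first step on a patched system is to switch WDigest caching back on, a defender wants to know the current state of that setting on every host. The script below is an added example, not code from the article or from the Mimikatz project; it assumes the documented WDigest registry value UseLogonCredential (0 = do not cache plaintext credentials) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, and that it runs in an elevated PowerShell session.

```powershell
# Added example: audit (and with -Remediate, harden) the WDigest credential
# caching setting that Mimikatz relies on. Assumes the UseLogonCredential
# DWORD under the WDigest key; an explicit 0 is the safe state on every version.
param([switch]$Remediate)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName = 'UseLogonCredential'

# Edge case: an absent value means "off" on Windows 8.1 / Server 2012 R2 and
# later, but "on" for older releases that only gained the value via an update.
$osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
$absentMeansDisabled = ($osVersion.Major -gt 6) -or
                       ($osVersion.Major -eq 6 -and $osVersion.Minor -ge 3)

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    if ($absentMeansDisabled) { $state = 'Disabled (value absent, OS default)' }
    else { $state = 'ENABLED (value absent, legacy default)' }
} elseif ($current -eq 0) {
    $state = 'Disabled (explicitly 0)'
} else {
    # A non-zero value on a modern host is a strong sign someone re-enabled it.
    $state = "ENABLED (explicitly $current): plaintext credentials held in LSASS"
}

[PSCustomObject]@{
    Computer = $env:COMPUTERNAME
    OS       = $osVersion.ToString()
    WDigest  = $state
} | Format-List

# Remediate whenever the value is not an explicit 0, so the result is
# unambiguous regardless of OS defaults.
if ($Remediate -and ($current -ne 0)) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value 0 -Force | Out-Null
    Write-Output "Set $ValueName=0. Credentials already cached remain in memory" +
                 " until those users log off, so a reboot completes the change."
}
```

Monitoring writes to this value (for example, a registry-set event for UseLogonCredential changing to 1) gives a cheap detection for the re-enable step the article describes.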

Worse, so many legacy machines around the world run older versions of Windows that Mimikatz is still an incredibly powerful tool and will likely remain so for many years to come.