On the attack and defense of mimikatz

Posted by forbes at 2020-03-04

Author of this article: hl0rey (member of the Xin'an Road author team and leader of the Xin'an Road red-blue confrontation team)

Recruitment notice: the red-blue confrontation team of Xin'an Road is recruiting like-minded friends.

A few words first: I came across an article on defending against mimikatz and found it quite charming, but it is a little thin on content. There is also a Chinese translation of it, but it simply reproduces the original's mistakes. So we took that excellent article, translated it ourselves, and added some other material. This article is only meant to get the discussion started; if there are mistakes, feel free to call them out.

Mimikatz is a very useful tool in intranet penetration: it may allow an attacker to grab plaintext passwords from memory. Everyone knows how powerful this tool is, and Microsoft certainly knows it too, so it has added some security mechanisms to prevent mimikatz from dumping passwords. On systems before Windows 2008, however, the password can still be obtained. In general, as long as you have local administrator rights, passwords can be retrieved from memory, and once a password has been dumped it can be used for lateral movement and privilege escalation.

Debug Privilege

In Windows, the debug privilege allows debugging processes, and even the kernel. In general, before mimikatz can read memory it has to obtain the debug privilege and then open the target process. By default, the local Administrators group is granted this privilege. However, unless the administrator is a programmer, they generally have no need for it.

The local security policy grants this privilege to the Administrators group by default.

However, the default domain group policy leaves this entry undefined.

According to the precedence of Windows policies, the Administrators group ends up with the privilege.

A supplementary note on policy precedence:

Effect of different configurations on mimikatz

With the default configuration, the debug privilege is obtained successfully.

Set the group that holds the debug privilege to empty, then log out and log in again.

Running mimikatz now fails to obtain the debug privilege.
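To check which accounts currently hold the debug privilege on a machine (the setting the two screenshots above toggle), the following PowerShell is an added example and not code from the original article. It exports the effective local security policy with the built-in secedit tool and parses the SeDebugPrivilege line from the [Privilege Rights] section; an absent line corresponds to the "empty" state tested above. It assumes an elevated prompt, since secedit needs administrator rights.

```powershell
# Added example: audit which accounts hold SeDebugPrivilege on this machine.
# Uses the built-in secedit export; run from an elevated PowerShell prompt.

function Get-DebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'

    # secedit writes the policy to a Unicode .inf file
    secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (are you elevated?)' }

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $cfg -Force

    # No SeDebugPrivilege line means no account is granted the right
    if (-not $line) { return @() }

    # The value is a comma-separated list of *SIDs (or plain names)
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # Translate the SID to an account name; S-1-5-32-544 is BUILTIN\Administrators
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $e }
        } else {
            $e
        }
    }
}

$holders = @(Get-DebugPrivilegeHolders)
if ($holders.Count -eq 0) {
    Write-Output 'SeDebugPrivilege: not granted to any account'
} else {
    Write-Output "SeDebugPrivilege granted to: $($holders -join ', ')"
}
```

Note that this reports the policy, not the token of the current session: after changing the setting you still have to log out and back in, as the article says, before `whoami /priv` in a new session reflects the change.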


WDigest

The WDigest protocol was introduced as early as the XP era. At the time it was designed to keep the plaintext password in LSASS for HTTP authentication. It is enabled by default on systems before Windows 2008, so an attacker can obtain the plaintext from it.

On systems after Windows 2008, however, it is off by default. If KB2871997 is applied to a system before Windows 2008, WDigest can be enabled or disabled by configuring the following key value:

When UseLogonCredential is set to 0, WDigest does not cache credentials in memory; when UseLogonCredential is set to 1, WDigest caches credentials in memory.

Effect of different configurations on mimikatz

With caching enabled, the plaintext is grabbed directly. Very convenient.

After turning caching off and rebooting, dumping again catches nothing.

Credential Caching

Domain Cached Credentials is abbreviated DCC, also known as mscache. There are two versions: XP / 2003 use the first generation, and Vista / 2008 and later use the second generation.

After a computer joins the domain, it authenticates through Kerberos, and Kerberos authentication requires the domain controller to participate. But if a domain member temporarily cannot reach the domain controller, does that mean it cannot authenticate at all? Domain credential caching exists to solve this problem: if the domain controller is temporarily unreachable, Windows tries to authenticate with locally cached credentials, and 10 logons are cached by default.

Cache location (by default even the local administrator does not have permission to access it):

If the number of cached logons in group policy is changed to 0, nothing is cached.

Effect of different configurations on mimikatz

With the default cache count of 10: log in as the local administrator, elevate to SYSTEM, and run mimikatz. mscachev2 is captured successfully.

Set the cache count to 0, shut down the domain controller, and then log in with a domain account. The domain member fails to log in.

Log in with the local administrator account, elevate to SYSTEM, and dump again: nothing is captured.

Protected Users Group

The Protected Users group can be used to force high-privilege users, such as administrators, to authenticate only through Kerberos. It is a new security group introduced after Windows 2012 (it is also added to systems before Windows 2008 once KB2871997 is installed). Its purpose is to prevent plaintext credentials from being stored in memory and NTLM hashes from leaking (because authentication goes through Kerberos, Net-NTLM hashes are not leaked either). Configuration is relatively simple: just add the users you want to protect to this group. (Due to the limits of my local hardware I could not reproduce this; running a Windows 2016 plus another Windows 10 at the same time is not feasible here.)

Restricted Admin Mode

Restricted Admin mode is, in short, a security measure that keeps your account credentials from being exposed on the target system. It was introduced in Windows 8.1 / Windows 2012 R2 (note the R2). To use it on Windows 7 / Windows 2008 you need KB2871997 and KB2973351. The feature requires cooperation between client and server. On the server side it is enabled by adding the following key value to the registry.

Right-click About in the client to check whether the client version is RDP 8.1.
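The WDigest, credential caching, Protected Users and Restricted Admin sections above each come down to one setting that decides what mimikatz can recover. The following PowerShell is an added example, not code from the original article, that audits those settings on a host and reports whether each is in the state the article's tests show to be safe. The registry paths and value names are the standard Windows locations for UseLogonCredential, CachedLogonsCount and DisableRestrictedAdmin (they are not quoted on the page; the article's screenshots of the key values are missing); the Protected Users check assumes the ActiveDirectory RSAT module and a reachable domain controller, and is skipped otherwise.

```powershell
# Added example: audit the credential-exposure settings discussed in the article.
# Registry locations below are the standard Windows ones (not from the article).

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-CredentialExposureAudit {
    # WDigest: UseLogonCredential = 1 caches plaintext in LSASS, 0 does not.
    # An absent value means the OS default applies (enabled before Windows 2008
    # without KB2871997, disabled on newer systems, per the article).
    $wdigestPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $useLogonCred = Get-RegValueOrDefault $wdigestPath 'UseLogonCredential' 'absent'

    # Domain cached credentials (mscache): CachedLogonsCount is a REG_SZ, default "10"
    $winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cachedLogons = [int](Get-RegValueOrDefault $winlogonPath 'CachedLogonsCount' '10')

    # Restricted Admin: DisableRestrictedAdmin = 0 enables the mode on the RDP server
    $lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $disableRA = Get-RegValueOrDefault $lsaPath 'DisableRestrictedAdmin' 'absent'

    [PSCustomObject]@{
        UseLogonCredential       = $useLogonCred
        WDigestCachesPlaintext   = ($useLogonCred -eq 1)
        CachedLogonsCount        = $cachedLogons
        CachesDomainCredentials  = ($cachedLogons -gt 0)
        DisableRestrictedAdmin   = $disableRA
        RestrictedAdminEnabled   = ($disableRA -eq 0)
    }
}

function Get-ProtectedUsersMembers {
    # Needs the ActiveDirectory RSAT module and a domain controller; returns $null if unavailable
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }
    Import-Module ActiveDirectory
    try {
        Get-ADGroupMember -Identity 'Protected Users' -Recursive |
            Select-Object -ExpandProperty SamAccountName
    } catch { $null }
}

function Disable-WDigestCaching {
    # Remediation for the WDigest finding: set UseLogonCredential to 0.
    # The article notes a reboot is needed before LSASS stops holding plaintext.
    $wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    Set-ItemProperty -Path $wdigestPath -Name 'UseLogonCredential' -Value 0 -Type DWord
}

$audit = Get-CredentialExposureAudit
$audit | Format-List

$protected = Get-ProtectedUsersMembers
if ($null -eq $protected) {
    Write-Output 'Protected Users: not checked (no AD module or domain controller reachable)'
} else {
    Write-Output "Protected Users members: $(@($protected) -join ', ')"
}

if ($audit.WDigestCachesPlaintext) {
    Write-Warning 'WDigest caches plaintext credentials; run Disable-WDigestCaching and reboot'
}
```

Read the three boolean fields together with the article's results: WDigestCachesPlaintext and CachesDomainCredentials both true is the configuration in which mimikatz recovered plaintext and mscachev2 above, while RestrictedAdminEnabled true means the host accepts the Restricted Admin logons discussed in the next section.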

Potential risk: RDP PTH

Restricted Admin mode logs in directly with the current logon credentials, so the "always require credentials" option must not be checked.

The domain field can be either the computer name or the IP. (Administrator rights are required to obtain the debug privilege.)

Just click through the prompts.

The administrator account on the domain controller was successfully taken over.

While we are at it, let's take a look at the RDP traffic.


Summary

1. Disabling the debug privilege has no effect on an attacker who already has SYSTEM.

2. WDigest is disabled by default, but if it is enabled manually, that is digging a hole and waiting for someone to jump in.

3. At present it seems mscache can only be cracked with hashcat to recover the plaintext for reuse.

4. The Protected Users group needs further study; that will have to wait until I have a machine configured for it (23333).

5. Under Restricted Admin mode, the PTH attack only applies to specific versions, and there are still many restrictions. But when the internal network is restricted (135 and 445 traffic blocked), this is a technique that can break through.
