There is a thin line separating black hat hackers (malicious hackers) from white hat hackers (ethical hackers): both possess skills that can harm networks, systems, and computers if they choose to use them that way. The good news is that ethical hackers help lessen the chances that black hat hackers succeed in their campaigns. They do this through a process called penetration testing, in which both the equipment and the people of the company that hired their services are subjected to a “controlled hacking” scenario.
Ethical hacking requires a delicate balance, as misuse of a tool may damage the company being targeted for penetration testing instead of merely finding weaknesses in its systems. Both hacker types use tools that cross over, since a tool is neither harmful nor useful in itself; it depends heavily on how it is used. One such tool that is making a lot of waves in the hacking scene is Mimikatz.
Mimikatz is a password extraction tool. When run, it can “steal” passwords stored in memory, hidden in a hash, or stored in a Kerberos-compatible domain such as a Microsoft Active Directory Domain Controller. Developed by Benjamin Delpy, Mimikatz is so effective at what it does that the authors of NotPetya bundled it into their malware instead of programming a similar password extraction capability from scratch.
Anyone curious about Mimikatz may download it for their own purposes; it is especially effective against Windows versions older than Windows 10. Mimikatz scans the computer’s memory for a decryption key, which it then uses to unlock the encrypted password loaded into memory. The program can also dump the contents of memory to a file and extract the password from the dump. Windows 8.x provides a mechanism for system administrators to disable WDigest, the feature that Mimikatz exploits when dumping memory. Of course, not all system administrators are aware of this, so many Windows installations are left with WDigest enabled by default.
With the release of Windows 10, Microsoft decided to disable WDigest by default. However, Mimikatz running with administrative privilege can edit the registry, enabling WDigest on the fly even in Windows 10. Companies need to make sure their systems are hardened against Mimikatz, as doing so covers the basics of security. It is still unknown whether a more powerful version or a variant of it is already being used by black hat hackers in the wild.
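The WDigest setting the two paragraphs above describe lives in a single registry value, and because the article notes that an attacker with administrative rights can flip it back on, it is worth both setting it explicitly and checking it on a schedule. The following PowerShell script is an added example written for this page, not code from the article or from the Mimikatz project. It assumes a Windows host, an elevated session for the hardening step, and the standard registry location of the WDigest provider (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, value UseLogonCredential).

```powershell
# Added example (not from the original article): audit and explicitly harden the
# WDigest credential-caching setting. Assumes an elevated PowerShell session for
# Set-WDigestDisabled; Get-WDigestState works as a normal user.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestState {
    # Returns one of: 'Disabled' (value is 0), 'Enabled' (value is non-zero),
    # 'NotConfigured' (value absent, so the OS default applies; the article
    # notes that Windows 10 disables WDigest by default, older versions do not).
    $item = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)            { return 'NotConfigured' }
    if ($item.$ValueName -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Set-WDigestDisabled {
    # Writes UseLogonCredential = 0 explicitly so the state is auditable rather
    # than relying on the OS default. Requires administrative rights.
    if (-not (Test-Path $WDigestKey)) {
        New-Item -Path $WDigestKey -Force | Out-Null
    }
    New-ItemProperty -Path $WDigestKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WDigestBaseline {
    # Scheduled-check entry point: returns $true when the host matches the
    # expected hardened state, $false (with a warning) when it has drifted,
    # e.g. because something re-enabled WDigest "on the fly" as the article warns.
    $state = Get-WDigestState
    if ($state -eq 'Disabled') {
        Write-Host "OK: WDigest UseLogonCredential is explicitly disabled."
        return $true
    }
    Write-Warning "WDigest credential caching is '$state' on $env:COMPUTERNAME; expected 'Disabled'."
    return $false
}

# Example run: report, harden if needed, then re-check.
if (-not (Test-WDigestBaseline)) {
    Set-WDigestDisabled
    Test-WDigestBaseline | Out-Null
}
```

The check deliberately treats "NotConfigured" as drift rather than trusting the Windows 10 default, so the same baseline applies to older hosts where the default is the unsafe one. For detection, pair this with registry-write monitoring on that value (for example Sysmon Event ID 13, RegistryEvent value set, filtered to a TargetObject ending in `WDigest\UseLogonCredential`), since a change from 0 to 1 outside a change window is exactly the re-enabling behaviour the article describes.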
History should tell everyone to learn from the mistakes of others, such as the story of how a once successful Certificate Authority lost its business altogether by being lax with security. The company’s name was DigiNotar, which in 2011 fell to a memory password extraction cyber attack and lost its business in the aftermath, leading to its filing for bankruptcy.
Microsoft’s suggestion is to disable SeDebugPrivilege. It is a system service that handles debug functions in Windows and is not used by typical office Windows users. It can be disabled on workstations used exclusively for office applications (non-development), which will prevent Mimikatz and similar utilities from reading the decrypted contents of memory on the fly. Of course, if Mimikatz has already inherited system admin access from the user, a new variant capable of re-enabling SeDebugPrivilege can be created, which cancels this mitigation. System administrators and the IT team should keep themselves updated on the new technologies hackers use regularly. They can be made aware of the latest tools by engaging with ethical hacking teams.
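To act on the recommendation above, an administrator first needs to know which accounts currently hold the "Debug programs" user right (SeDebugPrivilege) on a workstation, and then remove it from the local policy. The PowerShell below is an added example written for this page, not code from the article; it uses the built-in `secedit` tool to export and re-apply the local user-rights policy and assumes an elevated session. The temporary file names are arbitrary choices of this example.

```powershell
# Added example (not from the original article): audit and remove the
# "Debug programs" user right (SeDebugPrivilege) from the local security policy.
# Assumes an elevated PowerShell session; secedit requires administrative rights.

function Get-SeDebugPrivilegeHolders {
    # Exports the USER_RIGHTS area of the local policy and returns the accounts
    # that hold SeDebugPrivilege, translated from SIDs to names where possible.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # temp path chosen for this example
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }                         # right assigned to nobody
    $entries = (($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        if ($e.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; resolve to DOMAIN\Name when possible
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $e }
        } else { $e }
    }
}

function Remove-SeDebugPrivilegeFromLocalPolicy {
    # Applies a minimal security template that assigns SeDebugPrivilege to no one.
    # Note: on a domain-joined machine a Group Policy that grants the right will
    # reapply it; the change must then be made in the GPO instead.
    $inf = Join-Path $env:TEMP 'remove-sedebug.inf'        # temp path chosen for this example
    $db  = Join-Path $env:TEMP 'remove-sedebug.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDebugPrivilege =
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Example run: show who holds the right, remove it, and show the result.
Write-Host "Before: " ((Get-SeDebugPrivilegeHolders) -join ', ')
Remove-SeDebugPrivilegeFromLocalPolicy
Write-Host "After:  " ((Get-SeDebugPrivilegeHolders) -join ', ')
```

On a default installation the "Before" line typically shows only BUILTIN\Administrators. Run the audit function on its own as a recurring check: the article's own caveat is that an attacker who already has administrative access can grant the right back, so a workstation whose holders list stops being empty is a signal worth investigating, and the removal should be enforced from Group Policy rather than only the local template so that it does not silently revert.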