Parsing Mimikatz Log Files

Overview

On internal penetration tests and simulated attacks, mimikatz (or one of its derivatives) usually forms part of the standard toolkit. It has a huge number of features but perhaps the most common is the logonPasswords verb, which effectively dumps cleartext passwords from all of the usual locations. It usually displays output in the form:

*     Username :
*     Domain :
*     Password :

Although some tools will parse this output, there are occasions in which it is useful to be able to parse several files which may include mimikatz output, perhaps interleaved with other output. Examples include the output from mimikatz when used with a LSASS memory dump file or parsing raw output from a range of RATs or shells which may not include built-in mimikatz parsing functionality. My solution to this problem was to write a relatively quick tool which uses regular expressions to locate interesting mimikatz output from streamed input and inserts it into a SQLite database. This has the advantage of being able to be quickly searched, joined with other reference material (e.g. the ADOffline post, which could allow you to quickly correlate compromised credentials with the groups/access levels that these credentials would provide access to), or simply exported in a variety of other formats.

Location

The source code can be obtained at https://github.com/stufus/parse-mimikatz-log or by cloning the git repository.

git clone https://github.com/stufus/parse-mimikatz-log.git

Usage

It is a commandline tool which accepts two switches, each of which requires a parameter:

SwitchExplanation
-d Specifies the database file to use.
If it exists, the assumption is that the schema is correct.
If it doesn't exist, it will be created.
If this parameter is not specified, a temporary file will be created.
-i The mimikatz output file to use.
If - is passed to it as a parameter, STDIN will be used.

Database

The database itself has only one table - creds - which stores the credentials which have been imported.

FieldExplanation
domain The domain that the credentials are relevant for.
This is captured from the '* Domain:' part of the log file.
username The username, captured from the '* Username:' part of the log file. This is always the first part of the credential block that appears in the log file.
password The cleartext password which has been recovered, captured from the '* Password:' part of the credential block.
ntlm The NTLM hash which has been recovered, captured from the '* NTLM:' part of the credential block.
sha1 The SHA1 hash which has been recovered, captured from the '* SHA1:' part of the credential block.

There is also a view (view_usercreds) which comprises username, domain and password and excludes all usernames with a trailing dollar (which would designate a computer account).

Example

Populating the database

One option is to use a command to cat the entire log file to screen and read from STDIN:

$ find ./ -name \*.log -exec cat {} \; | pml.py -d /tmp/passwords.db -i -

       .mMMMMMm.             MMm    M   WW   W   WW   RRRRR
      mMMMMMMMMMMM.           MM   MM    W   W   W    R   R
     /MMMM-    -MM.           MM   MM    W   W   W    R   R
    /MMM.    _  \/  ^         M M M M     W W W W     RRRR
    |M.    aRRr    /W|        M M M M     W W W W     R  R
    \/  .. ^^^   wWWW|        M  M  M      W   W      R   R
       /WW\.  .wWWWW/         M  M  M      W   W      R    R
       |WWWWWWWWWWW/
         .WWWWWW.           Quick & Dirty Mimikatz Log Parser
                        stuart.morgan@mwrinfosecurity.com | @ukstufus

Opening database: /tmp/passwords.db
Reading from STDIN
  Processing line 236676/236676 (100%)

        Sets of credentials: 949
    Unique 'user' usernames: 355
    Unique 'user' passwords: 278

An alternative is to find all log files and run it individually for each one:

find ./ -name \*.log -exec ./pml.py -d /tmp/passwords.db -i {} \;

Extracting credentials

The database needs to be loaded into SQLite:

sqlite3 /tmp/tmpyIJeAn.20161011103852.mimikatz.db
SQLite version 3.14.1 2016-08-11 18:53:32
Enter ".help" for usage hints.
sqlite> 

All user credentials can be listed:

sqlite> select * from view_usercreds;

The credentials could be exported in a username:password format ('||' is the concatenation operator in SQLite and '.once' writes the output to a file):

sqlite> .once /tmp/credentials.txt
sqlite> select distinct username||':'||password from view_usercreds;

The credentials could also be exported in a DOMAIN\username:password format using the same technique as above:

sqlite> select distinct domain||'\'||username||':'||password from view_usercreds;

The number of users sharing the same password could be found by a query such as the below, which would display each password and the number of users with that password:

sqlite> select password,count(username) from view_usercreds group by password;