Greetings. In this short video presentation, we're going to take a look at how we go about cracking passwords using Mimikatz. For this lab demonstration, we'll be using my full install of Kali Linux, and my victim will be a Windows XP Professional SP2. So let's go ahead and get started. To begin the lab, we're going to open up our terminal and we're going to launch Metasploit. We're going to launch Metasploit by typing in msfconsole at the terminal and we're going to hit Enter, and in just a moment, Metasploit will start to come up. In the next step of the lab we're going to use the Nmap scripting engine to scan my network for machines that may have vulnerabilities on any of their first 1000 ports.
So I'm going to assume that I don't know where my victim is. But I do know the network IP, which is the first three octets of the network, or of the IP address of any machine on the network, is 192.168.145. And I want to tell Nmap to use the scripting engine and scan that last octet for any of the 255 hosts that may be present on the network. I'm going to go ahead and hit Enter. Now this is my network IP address; yours will differ. So make sure that you run an ifconfig or an ipconfig on one of your Windows machines to get those first three octets.
So my scan has completed. Now from my network scan results, I find that I have a machine with the IP address of 192.168.145.129 that is vulnerable to a certain exploit. This is the MS08-067 SMB exploit. So that's good, because we are familiar with this exploit, so we're going to use this to establish that backdoor that we need with Meterpreter. Let's go ahead and see how we do that. So we've got a target machine with an IP address ending in 129.
Well, we need to find out some more information. So we're going to dig just a little bit deeper with another Nmap script. So I'm going to go ahead and paste in the command from my lab. And this is the SMB OS discovery script. And I want to find out exactly how vulnerable this 129 target actually is. This Nmap script is going to tell me all the information I need to know about the OS, the service pack, all the good information that we want to know before we launch our attack.
I'm going to go ahead and hit Enter. In just a moment, the scan results are going to be returned. My second scan has completed against my potential target and we see that the results come back and it tells us that this is a Windows XP machine. It tells us the name of the machine, tells us it's a member of a workgroup. But we're mostly interested in the fact that it's a Windows XP machine. So we're going to go ahead and continue on with trying to exploit this. Metasploit is already up and running inside of the terminal.
And we know that it does have an exploit for this particular vulnerability, so we're going to search for it. So at the command prompt, I'm just going to type in search ms08_067 to see what results we get with this. And now it's looking for this particular exploit. And then it's going to give us some results such as what type of machines we can run it against. Metasploit has come back with its results and it found a matching module. So what we're going to do now is we're just going to copy the name of the exploit, just like that.
We're going to right click, copy that. Now we're going to go back down to the msf prompt, and we're going to type in use. Now I'm going to right click, and I'm going to paste the name of that exploit, and I'm going to hit Enter, and it comes back letting me know that it has loaded the exploit for me. To find out what options have to be set for this exploit, I can now type in the word options and hit Enter. And it tells us that the remote host must be set and that it is going to use port 445.
That's the SMB service port. It also tells us that the pipe name to use is the browser service pipe. And so we're going to set the IP address for the remote host. That is a requirement. So let's see how we go about doing that. We start off with the set command and then we type in the name of the option that we want to set. In this case, I want to set the IP address for RHOST, or the remote host.
And we know that my victim, from the scan results, has a host IP of 129 on the 145 network. So we're going to go ahead and type all that in. So it's set RHOST and then the IP address of the target. Now this is my target; yours will differ. I'm going to go ahead and hit Enter, and it comes back letting me know that the remote host IP address has been set. Now you can go ahead and type in options again, if you like.
And look at those results. And you'll see that the current setting reflects what we've just configured for the remote host. Now that we have a target identified to launch the exploit at, we can go ahead and launch the exploit inside of Metasploit by just typing in the exploit command at the prompt. I'm going to go ahead and hit Enter. And in just a moment, it'll reach over and it will find the remote host and come back and get us a Meterpreter prompt.
If you don't see the prompt, then the exploit did not complete successfully. And that's probably going to be, 99% of the time, a connectivity issue. So make sure that both of these machines can see each other. The Meterpreter prompt tells me that we have connected to the target machine. So what I'm going to do now is load Mimikatz onto the target machine so that we can try to capture some passwords.
So use the command load mimikatz, and this is going to load this onto the remote target, and it comes back letting me know that that did succeed. If you would like to see what version of Mimikatz you are running, you can use the following command: mimikatz_command -f version. I'll go ahead and run that. We're going to hit Enter and it comes back letting me know the version. To find out what options are available for password cracking in Mimikatz, we can use the help command in conjunction with its name, so it's help mimikatz. I'm going to go ahead and hit Enter, and it comes back letting me know that the following options are available.
To see what commands are available with Mimikatz, we can type in the following at the prompt: mimikatz_command -f fu::. Now you see that this is all in French, but you get an idea of what commands we're going to be wanting to use here. For instance, the samdump, that's going to be one, and the other one is going to be sekurlsa. So those are a couple of the commands that we're going to be utilizing for this lab. So we know that all passwords that are stored on any Windows machine are stored as a hash, but Mimikatz is powerful enough to find that hashed password and decrypt it.
So let's see how it does that. So the first thing we have to do is locate and see those hashed passwords on the victim machine. And to do this, we're going to use the cd command at the prompt. So I'm going to go ahead and hit Enter. And Mimikatz brings up the hashed passwords that it found on the target machine. Now we know that Windows likes to use Kerberos as its algorithm for hashing passwords.
So we're going to tell Mimikatz to decrypt these passwords, or to decrypt the hash, using the kerberos command. So I'm now going to go ahead and hit Enter, and it comes back and it has cracked those passwords. Notice that the administrator password is "password". We know that from the previous labs. And so that's how easy it was for me to do this. Now, of course, this is just an example.
If it had been a very complicated password, it could have taken longer. So we used Mimikatz in this example to pull passwords out of memory. And it was then able to encrypt those hashed passwords that were in memory and bring them to us in clear text. Our next command is going to find the SAM file, and it's going to dump the hashed passwords for us onto our screen. So I'm going to type in mimikatz_command -f samdump::hashes and go ahead and hit Enter. And there are the hashed passwords from the SAM file. Now that Mimikatz has located the SAM file and pulled down the hashed passwords, we need to decrypt them.
To do that, we're going to use mimikatz_command -f sekurlsa::searchPasswords. Again, remember that everything here is case sensitive. I'm going to go ahead and do that. Enter. In just a moment, it comes back to the prompt letting me know that the command completed successfully and it brings me the passwords decrypted from the SAM file. That concludes this short video presentation on how we go about cracking passwords using Mimikatz.
In this short video presentation, we got to look at how we go about capturing passwords that were stored up inside of memory, and how we break that encryption using Mimikatz, and also how we locate the SAM file, how we pull those passwords out of the SAM file with their hash and then decrypt them using another command inside of Mimikatz. So if you have any questions or you have any concerns about what we just saw in this lab, please don't hesitate to contact your instructor, and I'll see you in my next video.