Mimikatz
Overview
A little tool to play with Windows security.
Mimikatz cheat sheet
Executing Mimikatz
Binary execution inline
PowerShell in memory
sekurlsa
Sekurlsa is a Mimikatz module that can be used to perform various memory-related attacks and extract sensitive information from the LSASS process.
Extracting cleartext and hashed credentials from LSASS
This command extracts plaintext passwords from memory for all logged-in users on the system.
LSASS running with RunAsPPL
Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
To bypass this we'll have to load the mimidriver.sys
from the Mimikatz repo. This driver need to be in the same folder from where mimikatz
is run.
Extracting Kerberos tickets from memory
This command extracts Kerberos tickets from memory and saves them to a file.
These tickets can then be used for pass-the-ticket attacks or offline password cracking.
Perform pass the hash
This command generates a new access token for the specified user using a specified NTLM hash. This can be used to bypass authentication on systems where NTLM authentication is used.
Loading memory dump file
This command creates a memory dump of the LSASS process and saves it to the specified file. This dump can then be analyzed offline for password cracking or other attacks.
lsadump
The lsadump module in Mimikatz allows for the extraction of sensitive information from the Local Security Authority (LSA) subsystem of the Windows operating system.
SAM dump
This command dumps the SAM (Security Account Manager) database, which contains information about local user accounts and their password hashes.
LSA dump
/inject – Inject LSASS to extract credentials
/name – account name for target user account
/id – RID for target user account
/patch – patch LSASS.
This command patches the LSA subsystem to allow for the addition of new users or the modification of existing users without authentication.
This command injects a DLL into the specified service and captures its credentials, which can include plaintext passwords and hashes.
LSA cache dump
This command dumps cached domain credentials from the LSA subsystem. These credentials can be used to authenticate to other systems on the network.
LSA dump secrets
This command dumps various secrets stored in the LSA subsystem, including cached domain credentials, LSA secrets, and NTLM hashes.
DCSync
This command retrieves the password hash for a specified user account on a specified domain, allowing an attacker to potentially impersonate the user.
kerberos
Golden ticket
A Golden Ticket attack is a technique used by attackers to gain persistent access to a Windows domain. It involves the use of a forged Kerberos ticket, which allows an attacker to impersonate any user account in the domain and gain unrestricted access to any resource in the domain.
Obtaining the krbtgt hash
This command injects a DLL into the specified service and captures the credentials of the service account, including the service account's NTLM hash.
Creating the Golden ticket
This command creates a Golden Ticket for the specified user account, using the captured service account's NTLM hash and the domain's krbtgt hash.
Example:
Silver ticket
A Silver Ticket attack is another technique used by attackers to gain access to resources in a Windows domain. It involves the creation of a forged Kerberos ticket for a specific service, allowing an attacker to impersonate the service account and gain access to the resources associated with that service.
Creating the Silver ticket
Example:
vault
Mimikatz includes a module for extracting credentials from the Windows Credential Manager, also known as the "vault". This module is called "vault".
References
Last updated