Mimikatz
General
Some commands need elevated/debug privileges; you can enable them with token::elevate and privilege::debug.
Useful commands to dump everything we can:
Creates tickets from hashes instead of passing hashes directly
Dump remote credentials
DPAPI
Manual
Note: make sure you are in a session of type 1; if not, migrate to a process that has one. Otherwise these steps don't need special privileges.
Note the guidMasterKey and pbData values. Then there should be matching directories in:
This shows a key file at the bottom, which is the actual MasterKey. Now we can decrypt the blob:
Run a combination of attacks:
Decrypt the secret of the user you are logged in as:
Resources
https://www.exploit-db.com/docs/48589
DCSync
Golden Ticket
Allows us to sign valid TGTs for the domain (requires the krbtgt hash).
This can be converted to base64 and then used with Rubeus to pass the ticket:
It can also be used in mimikatz:
Alternatively this can be done in Metasploit's Kiwi:
Silver Ticket
Silver tickets are rarely used; they only allow access to services on a single box. To create one we need the machine account hash:
Remove process protection
Running !+ loads 'mimidrv', which needs to be copied into the same directory as mimikatz.exe for this to work.
Alternatively, PPLKiller can be used; it relies on an MSI-signed driver to disable process protection (the choice is really a matter of detection: mimidrv works just fine with AV disabled).
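A defender-side check for the DCSync and "Remove process protection" sections, added here as an example and not part of the original notes: it scans constructed Security 4662 and Sysmon driver-load events for replication rights requested by an account that is not a domain controller, and for a load of the mimidrv driver. The key=value event layout, the account names and the mimidrv.sys file name are assumptions.

```python
import re

# Control-access-right GUIDs that a replication request exercises. Security
# event 4662 records the requested right in Properties, which is what makes a
# DCSync from anything other than a domain controller account stand out.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events, one key=value event per line (not real telemetry).
# EventID 4662: Security "operation on an object"; EventID 6: Sysmon "driver
# loaded". The on-disk name mimidrv.sys is an assumption.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=DC01$ Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jsmith Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jsmith Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
EventID=6 ImageLoaded=C:\\Tools\\mimidrv.sys
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys
"""

def parse_event(line):
    """Split a 'key=value key=value' line into a dict (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def dcsync_reason(ev, dc_accounts):
    """Replication rights requested by an account that is not a known DC."""
    if ev.get("EventID") != "4662" or ev.get("SubjectUserName") in dc_accounts:
        return None
    for guid in GUID_RE.findall(ev.get("Properties", "")):
        name = REPLICATION_GUIDS.get(guid.lower())
        if name:
            return f"replication right {name} requested by {ev['SubjectUserName']}"
    return None

def mimidrv_reason(ev):
    """Driver load whose image path contains 'mimidrv'."""
    if ev.get("EventID") == "6" and "mimidrv" in ev.get("ImageLoaded", "").lower():
        return f"mimidrv loaded from {ev['ImageLoaded']}"
    return None

def triage(text, dc_accounts):
    """Return (line_number, reason) for every event a rule fires on."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        ev = parse_event(line)
        reason = dcsync_reason(ev, dc_accounts) or mimidrv_reason(ev)
        if reason:
            hits.append((n, reason))
    return hits
```

Running triage(SAMPLE_EVENTS, {"DC01$"}) flags line 2 (a user requesting DS-Replication-Get-Changes-All) and line 4 (the mimidrv load), while the DC's own replication and the ndis.sys load pass.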
Misc
DC Shadow Attack (Stealthbits)