Modules

  • crypto: This module deals with the Microsoft Crypto Magic world.
  • dpapi: The Data Protection Application Programming Interface module. Consider this an opsec-safe option (for now) for getting credentials.
  • event: This module deals with the Windows Event logs (to clear footprints after compromise).
  • kerberos: This module deals with Greek mythology's three-headed dog of Hades, without the help of Hercules.
  • lsadump: This module contains some well-known functionalities of Mimikatz such as DCSync, DCShadow, and dumping of SAM and LSA secrets.
  • misc: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare (RPC Print Spooler) and others.
  • net: Some functionalities in this module are similar to the Windows net commands. Enumerating sessions, and servers configured with different types of Kerberos delegation, is also included.
  • privilege: This module deals with Windows privileges. It includes the favourite debug privilege, which holds the keys to LSASS.
  • process: This module deals with Windows processes. It can also be used for process injection and parent process spoofing.
  • rpc: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.
  • sekurlsa: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than sekurlsa::logonpasswords. Hope we made some effort on this, Benjamin.
  • service: This module can interact with Windows services and can also install the mimikatzsvc service.
  • sid: This module deals with Security Identifiers.
  • standard: This module contains some general functionalities which are not related to exploitation.
  • token: This module deals with Windows tokens (who does not really like elevating to NT AUTHORITY\SYSTEM?).
  • ts: This module deals with Terminal Services. It can be an alternative way of getting clear-text passwords.
  • vault: This module dumps passwords saved in the Windows Vault.

Commands

crypto

  • crypto::capi patches the CryptoAPI layer for easy export (experimental ⚠)
  • crypto::certificates lists or exports certificates
  • crypto::certtohw tries to export a software CA to a crypto (virtual) hardware
  • crypto::cng patches the CNG (Cryptography API: Next Generation) service for easy export (experimental ⚠)
  • crypto::extract extracts keys from the CAPI RSA/AES provider (experimental ⚠)
  • crypto::hash hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2), with the username being an optional value
  • crypto::keys lists or exports key containers
  • crypto::providers lists cryptographic providers
  • crypto::sc lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard
  • crypto::scauth creates an authentication certificate (smartcard-like) from a CA
  • crypto::stores lists cryptographic stores
  • crypto::system describes a Windows System Certificate
  • crypto::tpminfo displays information for Microsoft's TPM Platform Crypto Provider

dpapi

event

  • event::clear clears a specified event log
  • event::drop patches event services to avoid new events (experimental ⚠)

kerberos

lsadump

  • lsadump::backupkeys dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)
  • lsadump::cache can be used to enumerate Domain Cached Credentials from the registry. It does so by acquiring the SysKey to decrypt NL$KM (a binary protected value) and then the MSCache (v1/v2) entries
  • lsadump::changentlm can be used to change the password of a user
  • lsadump::dcsync can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to request that a domain controller synchronize a specified entry
  • lsadump::lsa extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly
  • lsadump::mbc dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled use Machine Bound Certificates
  • lsadump::netsync can be used to act as a Domain Controller towards a target by using a Silver Ticket. It then leverages Netlogon to request the RC4 key (i.e. NT hash) of the target computer account
  • lsadump::packages lists the available Windows authentication mechanisms
  • lsadump::postzerologon is a procedure to remotely update the AD domain password and its locally stored password, mimicking netdom resetpwd
  • lsadump::RpData can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to 🤷‍♂️)
  • lsadump::sam dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump)
  • lsadump::secrets can be used to dump LSA secrets from the registry. It retrieves the SysKey to decrypt the Secrets entries
  • lsadump::setntlm can be used to perform a password reset without knowing the user's current password. It can be useful during an Active Directory Access Control List (ACL) abuse scenario
  • lsadump::trust can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts
  • lsadump::zerologon detects and exploits the ZeroLogon vulnerability

misc

net

privilege

process

rpc

sekurlsa

service

  • service::- removes the mimikatzsvc service
  • service::+ installs the mimikatzsvc service by issuing rpc::server service::me exit
  • service::preshutdown pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signal
  • service::remove removes the specified service (it must be used with caution)
  • service::resume resumes a specified service, after it has been successfully suspended, by sending a SERVICE_CONTROL_CONTINUE signal
  • service::shutdown shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN signal
  • service::start starts a service
  • service::stop stops a specified service by sending a SERVICE_CONTROL_STOP signal
  • service::suspend suspends the specified service by sending a SERVICE_CONTROL_PAUSE signal

sid

standard

token

  • token::elevate can be used to impersonate a token. By default it will elevate permissions to NT AUTHORITY\SYSTEM
  • token::list lists all tokens on the system
  • token::revert reverts to the previous token
  • token::run executes a process with its token
  • token::whoami displays the current token

ts

  • ts::logonpasswords extracts clear-text credentials from running RDP sessions (server side)
  • ts::mstsc extracts clear-text credentials from the mstsc process (client side)
  • ts::multirdp enables multiple RDP connections on the target server
  • ts::remote performs RDP takeover/hijacking of active sessions
  • ts::sessions lists the current RDP sessions. It comes in handy for RDP hijacking

vault

  • vault::cred enumerates vault credentials
  • vault::list lists the credentials saved in the Windows Vault for the current user, such as those for scheduled tasks, RDP and Internet Explorer