Links

Modules

Modules

  • crypto: This modules deals with the Microsoft Crypto Magic world.
  • dpapi: The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials.
  • event: this module deals with the Windows Event logs (to clear footprints after compromise).
  • kerberos: This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules.
  • lsadump: this module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets.
  • misc: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others.
  • net: some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included.
  • privilege: This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS.
  • process: This module deal with Windows processes. It can also be used for process injection and parent process spoofing.
  • rpc: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.
  • sekurlsa: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than sekurlsa::logonpasswords. Hope we made some effort on this Benjamin.
  • service: This module can interact with Windows services plus installing the mimikatzsvc service.
  • sid: This module deals with the Security Identifier.
  • standard: This module contains some general functionalities which are not related to exploitation.
  • token: This module deals with the Windows tokens (who does not really like elevating to NT AUTHORITY\ SYSTEM).
  • ts: This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords.
  • vault: This module dumps passwords saved in the Windows Vault.

Commands

crypto

  • crypto::capi patches CryptoAPI layer for easy export (Experimental
    )
  • crypto::certificates lists or exports certificates
  • crypto::certtohw tries to export a software CA to a crypto (virtual) hardware
  • crypto::cng patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental
    )
  • crypto::extract extracts keys from the CAPI RSA/AES provider (Experimental
    )
  • crypto::hash hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional value
  • crypto::keys lists or exports key containers
  • crypto::providers lists cryptographic providers
  • crypto::sc lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard
  • crypto::scauth it creates a authentication certificate (smartcard like) from a CA
  • crypto::stores lists cryptographic stores
  • crypto::system it describes a Windows System Certificate
  • crypto::tpminfo displays information for the Microsoft's TPM Platform Crypto Provider

dpapi

event

  • event::clear clears a specified event log
  • event::drop patches event services to avoid new events (
    experimental)

kerberos

lsadump

  • lsadump::backupkeys dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)
  • lsadump::cache can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the SysKey to decrypt NL$KM (binary protected value) and then MSCache(v1/v2)
  • lsadump::changentlm can be used to change the password of a user
  • lsadump::dcsync can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to request from a domain controller to synchronize a specified entry
  • lsadump::lsa extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly
  • lsadump::mbc dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled are using Machine Bound Certificates
  • lsadump::netsync can be used to act as a Domain Controller on a target by doing a Silver Ticket. It then leverages the Netlogon to request the RC4 key (i.e. NT hash) of the target computer account
  • lsadump::packages lists the available Windows authentication mechanisms
  • lsadump::postzerologon is a procedure to update AD domain password and its local stored password remotely mimic netdom resetpwd
  • lsadump::RpData can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to
    🤷♂
    )
  • lsadump::sam dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump)
  • lsadump::secrets can be used to dump LSA secrets from the registries. It retrieves the SysKey to decrypt Secrets entries
  • lsadump::setntlm can be used to perform a password reset without knowing the user's current password. It can be useful during an active directory Access Control (ACL) abuse scenario
  • lsadump::trust can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts
  • lsadump::zerologon detects and exploits the ZeroLogon vulnerability

misc

net

privilege

process

rpc

sekurlsa

service

  • service::- removes the mimikatzsvc service
  • service::+ installs the mimikatzsvc service by issuing rpc::server service::me exit
  • service::preshutdown pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signal
  • service::remove removes the specified service (It must be used with caution)
  • service::resume resumes a specified service, after successful suspending, by sending a SERVICE_CONTROL_CONTINUE signal
  • service::shutdown shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN signal
  • service::start starts a service
  • service::stop stops a specified service by sending a SERVICE_CONTROL_STOP signal
  • service::suspend suspends the specified service. It sends a SERVICE_CONTROL_PAUSE signal

sid

standard

token

ts

  • ts::logonpasswords extracts clear text credentials from RDP running sessions (server side)
  • ts::mstsc extracts cleartext credentials from the mstsc process (client side)
  • ts::multirdp enables multiple RDP connections on the target server
  • ts::remote performs RDP takeover/hijacking of active sessions
  • ts::sessions lists the current RDP sessions. It comes in handy for RDP hijacking

vault

  • vault::cred enumerates vault credentials
  • vault::list lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user
Last modified 11mo ago