Questions tagged [mimikatz]

mimikatz is a tool for exploring Windows security. It is well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.

From the author:

It's now well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

20 questions
5 votes, 1 answer

Are passwords for Windows accounts always stored in cleartext in memory, while the account is logged on?

Are passwords for Windows accounts always stored in cleartext in memory, while the account is logged on? Using Mimikatz I've seen lots of examples where passwords are stored in memory, either for domain/local accounts or service accounts. Therefore…
Shuzheng
5 votes, 1 answer

Decrypting SAM hive after Windows 10 anniversary update?

After a lot of frustration, I've finally cracked my local Windows 10 password using mimikatz to extract the proper NTLM hash. In particular, samdump2 decrypted the SAM hive into a list of users with "blank" passwords: samdump2 system sam -o…
Shuzheng
5 votes, 2 answers

Are we safe from infection of Bad Rabbit?

I'm doing an assessment on the potential outspread of Bad Rabbit in our organization. Our staff do not have admin privileges on their host machines. We have also blocked the IOCs. Am I safe to say without admin privileges, the ransomware wouldn't be…
George
5 votes, 1 answer

Inject hash into SAM file. Is it possible?

I have a very uncommon scenario. I have a Windows 10 laptop with a specific configuration. On that configuration there is a user (local user, not domain user) whose password I don't know. I want to migrate that user to another Windows 10 computer…
OscarAkaElvis
3 votes, 1 answer

Kerberos golden ticket works with DNS only - access denied with IP address

I'm playing with mimikatz kerberos::golden, e.g., kerberos::golden /domain:XXX /sid:XXX /user:XXX /aes256:XXX /endin:864000 /renewmax:10240 /ptt Then I tried to access a domain joined machine, but I got access denied: dir \\IP_address\C$ But if I…
daisy
3 votes, 0 answers

How does local pass-the-hash (mimikatz's sekurlsa::pth) work?

Mimikatz's sekurlsa::pth documentation states: mimikatz can perform the well-known operation 'Pass-The-Hash' to run a process under other credentials with the NTLM hash of the user's password, instead of its real password. For this, it starts a…
Nico
3 votes, 1 answer

Active Directory Server and Mimikatz

Is it possible to use mimikatz to dump plaintext passwords of users in the network by injecting mimilsa into lsass on an Active Directory server? Basically, other than dumping the SAM, which contains all hashes of everyone in the AD domain, can you do anything…
GMX Rider
1 vote, 1 answer

Windows 10 master key folder empty

I am currently trying to decrypt my files from my old laptop. I have a backup of the user folder of the old laptop and I am trying to find the old user master key to decrypt my files based on mimikatz wiki. However, when I look at the master key…
ChrisG661
1 vote, 0 answers

Finding a mimikatz file on a compromised host?

So I am currently struggling with a cyber security lab, and after searching various online sources and reading documentation I can't find a solution. The 2 tasks are as follows: "The attacker has deployed the Mimikatz tool to attempt to capture…
1 vote, 0 answers

Decrypt DPAPI blob offline

mimikatz can decrypt DPAPI with a masterkey: dpapi::blob /in:"test" /masterkey:X /unprotectXXX How can I dump the masterkey and do the decryption job offline?
daisy
1 vote, 0 answers

Questions regarding pass the ticket

In the Black Hat talk by Gentilkiwi on Mimikatz back in 2014, he mentioned that you can pass the service ticket also, but I am unable to replicate it in a lab. It throws an access denied. Passing the TGT works all good. Trying to troubleshoot the…
AirSnow
1 vote, 0 answers

How does the so-called skeleton key (master password) in Mimikatz work?

I've used Mimikatz to patch the domain controller with a skeleton key misc::skeleton, which makes it possible for any domain user to authenticate with the password "mimikatz", while still being able to use their original password. However, what is…
Shuzheng
0 votes, 0 answers

Abusing Saved mscash2 Credentials in Active Directory

Is it possible, with NT Authority/SYSTEM access, to reuse mscash2 credentials in any way on a local system or AD network? Perhaps with runas /savecred or mimikatz or something similar? I know that the mscash2 cannot be passed in a traditional pass…
0 votes, 1 answer

What can prevent Mimikatz from accessing LSA?

I used to run Mimikatz on one of my computers. Then, I did something to block its action and I do not recall what it was. I am trying to revert it unsuccessfully. .#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53 .## ^ ##. "A La Vie, A…
user1156544
0 votes, 0 answers

Issue replacing cached domain user credentials using mimikatz kiwi

I run the following command: # lsadump::cache /user: /kiwi mimikatz responds "User cache replace mode" with the right user name, the new password and its corresponding hash. However, a few lines later it dumps the cached users and their…
Aviv