Mimikatz on MrAzoth

Kerberos Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Prerequisite	Output
Kerberoasting	Rubeus, PowerView	Domain user, SPN exists	RC4/AES hash → offline crack
AS-REP Roasting	Rubeus	Domain user, pre-auth disabled on target	AS-REP hash → offline crack
Pass-the-Ticket	Rubeus, Mimikatz	Valid .kirbi or base64 ticket	Ticket injected into session
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES hash	TGT obtained, ticket injected
Pass-the-Key	Mimikatz	AES256 hash	TGT obtained via AES pre-auth
Ticket Extraction	Rubeus, Mimikatz	Local admin (for other users’ tickets)	.kirbi files / base64 tickets
TGT Delegation	Rubeus tgtdeleg	Domain user, no local admin needed	Usable TGT
Ticket Harvesting	Rubeus harvest/monitor	Local admin	Ongoing TGT collection
Unconstrained Delegation Abuse	Rubeus monitor + coerce	Local admin on delegation host	Victim TGT captured

Hashcat Cracking Modes Reference

Mode	Hash Type	Attack Context
13100	Kerberoast — RC4 (TGS-REP)	Kerberoasting with /rc4opsec
19600	Kerberoast — AES128 (TGS-REP)	Kerberoasting with /aes
19700	Kerberoast — AES256 (TGS-REP)	Kerberoasting with /aes
18200	AS-REP — RC4 (krb5asrep)	AS-REP Roasting
17200	DPAPI masterkey	Seatbelt / Mimikatz DPAPI
1000	NTLM	Pass-the-Hash, secretsdump output
5600	NTLMv2 (Net-NTLMv2)	Responder / NTLM relay capture
7500	Kerberos 5 AS-REQ (etype 23)	Pre-auth brute force
3000	LM	Legacy — rarely seen

Kerberoasting

Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account’s password hash, enabling offline cracking.

Credential Attacks — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Privilege Required
LSASS dump (live)	Mimikatz	LocalAdmin + SeDebugPrivilege
LSASS dump (ProcDump)	ProcDump / comsvcs.dll	LocalAdmin
DCSync	Mimikatz lsadump::dcsync	Domain Admin (or replication rights)
Local SAM	reg save + secretsdump	LocalAdmin
LSA Secrets	Mimikatz lsadump::lsa	SYSTEM
Cached domain creds	Mimikatz lsadump::cache	SYSTEM
GPP passwords	PowerSploit Get-GPPPassword	Domain User (SYSVOL read)
DPAPI triage	SharpDPAPI	LocalAdmin (backup key needs DA)
WDigest cleartext	Mimikatz sekurlsa::wdigest	LocalAdmin + WDigest enabled
Skeleton key	Mimikatz misc::skeleton	Domain Admin (DC access)
SSP injection	Mimikatz misc::memssp	SYSTEM on DC
Password spray	DomainPasswordSpray / Rubeus	Domain User
PPL bypass	mimidrv.sys kernel driver	SYSTEM + vulnerable driver

Mimikatz — Core Commands

Mimikatz is the primary credential extraction tool for Windows. Most operations require SeDebugPrivilege at minimum, and many require SYSTEM.

Lateral Movement — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement
Pass-the-Hash (PtH)	Mimikatz, Invoke-TheHash, PsExec	Local Admin / NTLM hash
Pass-the-Ticket (PtT)	Rubeus, Mimikatz	Valid Kerberos ticket (.kirbi / base64)
Overpass-the-Hash	Mimikatz, Rubeus	NTLM or AES256 hash
WMI Exec	PowerShell WMI, wmic, SharpWMI	Local Admin on target
DCOM Exec	PowerShell COM objects	Local Admin / DCOM permissions
PowerShell Remoting	Enter-PSSession, Invoke-Command	WinRM enabled, appropriate rights
PsExec	Sysinternals PsExec	Local Admin, ADMIN$ writable
Remote Service	sc.exe	Local Admin on target
Scheduled Task	schtasks.exe	Local Admin / valid credentials
Token Impersonation	Incognito, Invoke-TokenManipulation	SeImpersonatePrivilege
RDP	mstsc, tscon	RDP enabled, valid credentials or SYSTEM

Pass-the-Hash (PtH)

Pass-the-Hash abuses the NTLM authentication protocol by presenting a captured password hash directly instead of the cleartext password. The target authenticates the hash without needing the plaintext credential.

Domain & Forest Trusts — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Enumerating and exploiting Active Directory domain and forest trusts from a Windows foothold: SID history injection, golden ticket cross-domain, inter-realm key abuse.

Persistence — From Windows

Mon, 01 Jan 0001 00:00:00 +0000

Domain persistence techniques after AD compromise: Golden/Silver/Diamond Tickets, DCSync backdoors, AdminSDHolder, ACL abuse, WMI subscriptions, and DPAPI backup keys.